mongo 2.20.2 → 2.21.0

data/spec/integration/client_side_encryption/on_demand_aws_credentials_spec.rb

@@ -37,7 +37,7 @@ describe 'On-demand AWS Credentials' do
     it 'raises an error' do
       expect_any_instance_of(
         Mongo::Auth::Aws::CredentialsRetriever
-      ).to receive(:credentials).with(no_args).once.and_raise(
+      ).to receive(:credentials).with(kind_of(Mongo::CsotTimeoutHolder)).once.and_raise(
         Mongo::Auth::Aws::CredentialsNotFound
       )
 

data/spec/integration/client_side_encryption/range_explicit_encryption_prose_spec.rb

@@ -6,9 +6,7 @@ require 'spec_helper'
 # be revisited if these tests ever need to be significantly modified.
 # rubocop:disable RSpec/ExampleLength
 describe 'Range Explicit Encryption' do
-  min_server_version '7.0.0-rc0'
-  # https://jira.mongodb.org/browse/RUBY-3457
-  max_server_version '7.99.99'
+  min_server_version '8.0.0-rc18'
 
   require_libmongocrypt
   include_context 'define shared FLE helpers'
@@ -56,7 +54,7 @@ describe 'Range Explicit Encryption' do
         value,
         {
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         }
@@ -76,8 +74,8 @@ describe 'Range Explicit Encryption' do
         expr,
         {
           key_id: key1_id,
-          algorithm: 'RangePreview',
-          query_type: 'rangePreview',
+          algorithm: 'Range',
+          query_type: 'range',
           contention_factor: 0,
           range_opts: range_opts
         }
@@ -100,8 +98,8 @@ describe 'Range Explicit Encryption' do
         expr,
         {
           key_id: key1_id,
-          algorithm: 'RangePreview',
-          query_type: 'rangePreview',
+          algorithm: 'Range',
+          query_type: 'range',
           contention_factor: 0,
           range_opts: range_opts
         }
@@ -123,8 +121,8 @@ describe 'Range Explicit Encryption' do
         expr,
         {
           key_id: key1_id,
-          algorithm: 'RangePreview',
-          query_type: 'rangePreview',
+          algorithm: 'Range',
+          query_type: 'range',
           contention_factor: 0,
           range_opts: range_opts
         }
@@ -140,8 +138,8 @@ describe 'Range Explicit Encryption' do
         expr,
         {
           key_id: key1_id,
-          algorithm: 'RangePreview',
-          query_type: 'rangePreview',
+          algorithm: 'Range',
+          query_type: 'range',
           contention_factor: 0,
           range_opts: range_opts
         }
@@ -163,7 +161,7 @@ describe 'Range Explicit Encryption' do
           value_converter.call(201),
           {
             key_id: key1_id,
-            algorithm: 'RangePreview',
+            algorithm: 'Range',
             contention_factor: 0,
             range_opts: range_opts
           }
@@ -183,7 +181,7 @@ describe 'Range Explicit Encryption' do
           value,
           {
             key_id: key1_id,
-            algorithm: 'RangePreview',
+            algorithm: 'Range',
             contention_factor: 0,
             range_opts: range_opts
           }
@@ -198,7 +196,7 @@ describe 'Range Explicit Encryption' do
           value_converter.call(6),
           {
             key_id: key1_id,
-            algorithm: 'RangePreview',
+            algorithm: 'Range',
             contention_factor: 0,
             range_opts: {
               min: value_converter.call(0),
@@ -244,7 +242,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           num,
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -290,7 +288,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           BSON::Int64.new(num),
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -337,7 +335,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           num,
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -381,7 +379,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           num,
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -427,7 +425,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           Time.new(num),
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -476,7 +474,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           BSON::Decimal128.new(num),
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -522,7 +520,7 @@ describe 'Range Explicit Encryption' do
         insert_payload = client_encryption.encrypt(
           BSON::Decimal128.new(num),
           key_id: key1_id,
-          algorithm: 'RangePreview',
+          algorithm: 'Range',
           contention_factor: 0,
           range_opts: range_opts
         )
@@ -535,5 +533,51 @@ describe 'Range Explicit Encryption' do
 
     include_examples 'common cases'
   end
+
+  describe 'Range Explicit Encryption applies defaults' do
+    let(:payload_defaults) do
+      client_encryption.encrypt(
+        123,
+        key_id: key1_id,
+        algorithm: 'Range',
+        contention_factor: 0,
+        range_opts: {
+          min: 0,
+          max: 1000
+        }
+      )
+    end
+
+    it 'uses libmongocrypt default' do
+      payload = client_encryption.encrypt(
+        123,
+        key_id: key1_id,
+        algorithm: 'Range',
+        contention_factor: 0,
+        range_opts: {
+          min: 0,
+          max: 1000,
+          sparsity: 2,
+          trim_factor: 6
+        }
+      )
+      expect(payload.to_s.size).to eq(payload_defaults.to_s.size)
+    end
+
+    it 'accepts trim_factor 0' do
+      payload = client_encryption.encrypt(
+        123,
+        key_id: key1_id,
+        algorithm: 'Range',
+        contention_factor: 0,
+        range_opts: {
+          min: 0,
+          max: 1000,
+          trim_factor: 0
+        }
+      )
+      expect(payload.to_s.size).to eq(payload_defaults.to_s.size)
+    end
+  end
 end
 # rubocop:enable RSpec/ExampleLength

data/spec/integration/client_side_operations_timeout/encryption_prose_spec.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'CSOT for encryption' do
+  require_libmongocrypt
+  require_no_multi_mongos
+  min_server_fcv '4.2'
+
+  include_context 'define shared FLE helpers'
+  include_context 'with local kms_providers'
+
+  let(:subscriber) { Mrss::EventSubscriber.new }
+
+  describe 'mongocryptd' do
+    before do
+      Process.spawn(
+        'mongocryptd',
+        '--pidfilepath=bypass-spawning-mongocryptd.pid', '--port=23000', '--idleShutdownTimeoutSecs=60',
+        %i[ out err ] => '/dev/null'
+      )
+    end
+
+    let(:client) do
+      Mongo::Client.new('mongodb://localhost:23000/?timeoutMS=1000').tap do |client|
+        client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
+      end
+    end
+
+    let(:ping_command) do
+      subscriber.started_events.find do |event|
+        event.command_name == 'ping'
+      end&.command
+    end
+
+    after do
+      client.close
+    end
+
+    it 'does not set maxTimeMS for commands sent to mongocryptd' do
+      expect do
+        client.use('admin').command(ping: 1)
+      end.to raise_error(Mongo::Error::OperationFailure)
+
+      expect(ping_command).not_to have_key('maxTimeMS')
+    end
+  end
+
+  describe 'ClientEncryption' do
+    let(:key_vault_client) do
+      ClientRegistry.instance.new_local_client(
+        SpecConfig.instance.addresses,
+        SpecConfig.instance.test_options.merge(timeout_ms: 20)
+      )
+    end
+
+    let(:client_encryption) do
+      Mongo::ClientEncryption.new(
+        key_vault_client,
+        key_vault_namespace: key_vault_namespace,
+        kms_providers: local_kms_providers
+      )
+    end
+
+    describe '#createDataKey' do
+      before do
+        authorized_client.use(key_vault_db)[key_vault_coll].drop
+        authorized_client.use(key_vault_db)[key_vault_coll].create
+        authorized_client.use(:admin).command({
+                                                configureFailPoint: 'failCommand',
+                                                mode: {
+                                                  times: 1
+                                                },
+                                                data: {
+                                                  failCommands: [ 'insert' ],
+                                                  blockConnection: true,
+                                                  blockTimeMS: 30
+                                                }
+                                              })
+      end
+
+      after do
+        authorized_client.use(:admin).command({
+                                                configureFailPoint: 'failCommand',
+                                                mode: 'off',
+                                              })
+        key_vault_client.close
+      end
+
+      it 'fails with timeout error' do
+        expect do
+          client_encryption.create_data_key('local')
+        end.to raise_error(Mongo::Error::TimeoutError)
+      end
+    end
+
+    describe '#encrypt' do
+      let!(:data_key_id) do
+        client_encryption.create_data_key('local')
+      end
+
+      before do
+        authorized_client.use(:admin).command({
+                                                configureFailPoint: 'failCommand',
+                                                mode: {
+                                                  times: 1
+                                                },
+                                                data: {
+                                                  failCommands: [ 'find' ],
+                                                  blockConnection: true,
+                                                  blockTimeMS: 30
+                                                }
+                                              })
+      end
+
+      after do
+        authorized_client.use(:admin).command({
+                                                configureFailPoint: 'failCommand',
+                                                mode: 'off',
+                                              })
+      end
+
+      it 'fails with timeout error' do
+        expect do
+          client_encryption.encrypt('hello', key_id: data_key_id,
+                                             algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic')
+        end.to raise_error(Mongo::Error::TimeoutError)
+      end
+    end
+  end
+end

data/spec/integration/connection_pool_populator_spec.rb

@@ -26,6 +26,8 @@ describe 'Connection pool populator integration' do
 
   declare_topology_double
 
+  retry_test
+
   let(:app_metadata) do
     Mongo::Server::AppMetadata.new(options)
   end

data/spec/integration/cursor_pinning_spec.rb

@@ -52,73 +52,28 @@ describe 'Cursor pinning' do
   context 'lb' do
     require_topology :load_balanced
 
-    # In load-balanced topology, we cannot create new connections to a
-    # particular service.
+    # In load-balanced topology, a cursor retains the connection used to create
+    # it until the cursor is closed.
 
-    context 'when no connection is available' do
+    context 'when connection is available' do
+      require_multi_mongos
 
-      it 'raises ConnectionCheckOutTimeout' do
-        server.pool.size.should == 0
+      let(:client) { authorized_client.with(max_pool_size: 2) }
 
+      it 'does not return connection to the pool if cursor not drained' do
+        expect(server.pool).not_to receive(:check_in)
         enum = collection.find({}, batch_size: 1).to_enum
-        # Still zero because we haven't iterated
-        server.pool.size.should == 0
-
+        # Get the first element only; cursor is not drained, so there should
+        # be no check_in of the connection.
         enum.next
-        server.pool.size.should == 1
-
-        # Grab the connection that was used
-        server.with_connection do
-          # This requires a new connection, but we cannot make one.
-          lambda do
-            enum.next
-          end.should raise_error(Mongo::Error::ConnectionCheckOutTimeout)
-
-          server.pool.size.should == 1
-        end
       end
-    end
-
-    context 'when connection is available' do
-      require_multi_mongos
-
-      let(:client) { authorized_client.with(max_pool_size: 4) }
-
-      it 'uses the available connection' do
-        server.pool.size.should == 0
-
-        # Create 4 connections.
-
-        enums = []
-        connections = []
-        connection_ids = []
-
-        4.times do
-          view = collection.find({}, batch_size: 1)
-          enum = view.to_enum
-
-          enum.next
-
-          enums << enum
-          connection_ids << view.cursor.initial_result.connection_global_id
-          connections << server.pool.check_out
-        end
-
-        connection_ids.uniq.length.should be > 1
-
-        server.pool.size.should == 4
-
-        connections.each do |c|
-          server.pool.check_in(c)
-        end
 
-        # At this point, in theory, all connections are equally likely to
-        # be chosen, but we have cursors referencing more than one
-        # distinct service.
-        # Iterate each cursor to ensure they all continue to work.
-        enums.each do |enum|
-          enum.next
-        end
+      it 'returns connection to the pool when cursor is drained' do
+        view = collection.find({}, batch_size: 1)
+        enum = view.to_enum
+        expect_any_instance_of(Mongo::Cursor).to receive(:check_in_connection)
+        # Drain the cursor
+        enum.each { |it| it.nil? }
       end
     end
   end

data/spec/integration/cursor_reaping_spec.rb

@@ -24,7 +24,7 @@ describe 'Cursor reaping' do
   let(:subscriber) { Mrss::EventSubscriber.new }
 
   let(:client) do
-    authorized_client.tap do |client|
+    authorized_client.with(max_pool_size: 10).tap do |client|
       client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
     end
   end

data/spec/integration/docs_examples_spec.rb

@@ -9,7 +9,7 @@ describe 'aggregation examples in Ruby' do
     # the tests in this file.
     begin
       ClientRegistry.instance.global_client('authorized')['_placeholder'].create
-    rescue Mongo::Error::OperationFailure => e
+    rescue Mongo::Error::OperationFailure::Family => e
       # Collection already exists
       if e.code != 48
         raise

data/spec/integration/ocsp_verifier_spec.rb

@@ -9,21 +9,6 @@ describe Mongo::Socket::OcspVerifier do
   with_openssl_debug
   retry_test sleep: 5
 
-  def self.with_ocsp_responder(port = 8100, path = '/', &setup)
-    around do |example|
-      server = WEBrick::HTTPServer.new(Port: port)
-      server.mount_proc path, &setup
-      Thread.new { server.start }
-      begin
-        example.run
-      ensure
-        server.shutdown
-      end
-
-      ::Utils.wait_for_port_free(port, 5)
-    end
-  end
-
   shared_examples 'verifies' do
     context 'mri' do
       fails_on_jruby
@@ -188,10 +173,21 @@ describe Mongo::Socket::OcspVerifier do
 
     context 'one time' do
 
-      with_ocsp_responder do |req, res|
-        res.status = 303
-        res['locAtion'] = "http://localhost:8101#{req.path}"
-        res.body = "See http://localhost:8101#{req.path}"
+      around do |example|
+        server = WEBrick::HTTPServer.new(Port: 8100)
+        server.mount_proc '/' do |req, res|
+          res.status = 303
+          res['locAtion'] = "http://localhost:8101#{req.path}"
+          res.body = "See http://localhost:8101#{req.path}"
+        end
+        Thread.new { server.start }
+        begin
+          example.run
+        ensure
+          server.shutdown
+        end
+
+        ::Utils.wait_for_port_free(8100, 5)
       end
 
       include_context 'verifier', algorithm: algorithm
@@ -252,10 +248,21 @@ describe Mongo::Socket::OcspVerifier do
         port: 8101,
       )
 
-      with_ocsp_responder do |req, res|
-        res.status = 303
-        res['locAtion'] = req.path
-        res.body = "See #{req.path} indefinitely"
+      around do |example|
+        server = WEBrick::HTTPServer.new(Port: 8100)
+        server.mount_proc '/' do |req, res|
+          res.status = 303
+          res['locAtion'] = req.path
+          res.body = "See #{req.path} indefinitely"
+        end
+        Thread.new { server.start }
+        begin
+          example.run
+        ensure
+          server.shutdown
+        end
+
+        ::Utils.wait_for_port_free(8100, 5)
       end
 
       include_context 'verifier', algorithm: algorithm
@@ -267,23 +274,85 @@ describe Mongo::Socket::OcspVerifier do
 
     include_context 'verifier', algorithm: 'rsa'
 
-    [400, 404, 500, 503].each do |code|
-      context "code #{code}" do
-        with_ocsp_responder do |req, res|
+    context '40x / 50x' do
+      around do |example|
+        server = WEBrick::HTTPServer.new(Port: 8100)
+        server.mount_proc '/' do |req, res|
           res.status = code
           res.body = "HTTP #{code}"
         end
+        Thread.new { server.start }
+        begin
+          example.run
+        ensure
+          server.shutdown
+        end
+
+        ::Utils.wait_for_port_free(8100, 5)
+      end
+
+      [400, 404, 500, 503].each do |_code|
+        context "code #{_code}" do
+          let(:code) { _code }
+          include_examples 'does not verify'
+        end
+      end
+    end
+
+    context '204' do
+      around do |example|
+        server = WEBrick::HTTPServer.new(Port: 8100)
+        server.mount_proc '/' do |req, res|
+          res.status = 204
+        end
+        Thread.new { server.start }
+        begin
+          example.run
+        ensure
+          server.shutdown
+        end
 
+        ::Utils.wait_for_port_free(8100, 5)
+      end
+
+      context "code 204" do
+        let(:code) { 204 }
         include_examples 'does not verify'
       end
     end
+  end
+
+  context 'responder URI has no path' do
+    require_external_connectivity
+
+    # https://github.com/jruby/jruby-openssl/issues/210
+    fails_on_jruby
 
-    context 'code 204' do
-      with_ocsp_responder do |req, res|
-        res.status = 204
+    include_context 'basic verifier'
+
+    # The fake certificates all have paths in them for use with the ocsp mock.
+    # Use real certificates retrieved from Atlas for this test as they don't
+    # have a path in the OCSP URI (which the test also asserts).
+    # Note that these certificates expire in 3 months and need to be replaced
+    # with a more permanent solution.
+    # Use the spec/support/certificates/retrieve-atlas-cert script to retrieve
+    # current certificates from Atlas.
+    let(:cert_path) { File.join(File.dirname(__FILE__), '../support/certificates/atlas-ocsp.crt') }
+    let(:ca_cert_path) { File.join(File.dirname(__FILE__), '../support/certificates/atlas-ocsp-ca.crt') }
+    let(:cert_store) do
+      OpenSSL::X509::Store.new.tap do |store|
+        store.set_default_paths
       end
+    end
 
-      include_examples 'does not verify'
+    before do
+      verifier.ocsp_uris.length.should > 0
+      URI.parse(verifier.ocsp_uris.first).path.should == ''
+    end
+
+    it 'verifies' do
+      # TODO This test will fail if the certificate expires
+      expect(verifier.verify).to be(true), "If atlas-ocsp certificates have expired, run spec/support/certificates/retrieve-atlas-cert to get a new ones"
     end
   end
 end

data/spec/integration/operation_failure_code_spec.rb

@@ -17,7 +17,7 @@ describe 'OperationFailure code' do
         collection.insert_one(_id: 1)
         collection.insert_one(_id: 1)
         fail('Should have raised')
-      rescue Mongo::Error::OperationFailure => e
+      rescue Mongo::Error::OperationFailure::Family => e
         expect(e.code).to eq(11000)
         # 4.0 and 4.2 sharded clusters set code name.
         # 4.0 and 4.2 replica sets and standalones do not,

data/spec/integration/operation_failure_message_spec.rb

@@ -22,7 +22,7 @@ describe 'OperationFailure message' do
           begin
             client.command(bogus_command: nil)
             fail('Should have raised')
-          rescue Mongo::Error::OperationFailure => e
+          rescue Mongo::Error::OperationFailure::Family => e
             e.code_name.should == 'CommandNotFound'
             e.message.should =~ %r,\A\[59:CommandNotFound\]: no such (?:command|cmd): '?bogus_command'?,
           end
@@ -36,7 +36,7 @@ describe 'OperationFailure message' do
           begin
             client.command(bogus_command: nil)
             fail('Should have raised')
-          rescue Mongo::Error::OperationFailure => e
+          rescue Mongo::Error::OperationFailure::Family => e
             e.code_name.should be nil
             e.message.should =~ %r,\A\[59\]: no such (?:command|cmd): '?bogus_command'?,
           end
@@ -53,7 +53,7 @@ describe 'OperationFailure message' do
           collection.insert_one(_id: 1)
           collection.insert_one(_id: 1)
           fail('Should have raised')
-        rescue Mongo::Error::OperationFailure => e
+        rescue Mongo::Error::OperationFailure::Family => e
           e.code_name.should be nil
           e.message.should =~ %r,\A\[11000\]: (?:insertDocument :: caused by :: 11000 )?E11000 duplicate key error (?:collection|index):,
         end