1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
runOn:
- minServerVersion: "4.1.10"
database_name: &database_name "default"
collection_name: &collection_name "default"
data:
- &doc0_encrypted { _id: 1, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} }
json_schema: {'properties': {'encrypted_w_altname': {'encrypt': {'keyId': '/altname', 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'random': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string_equivalent': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
key_vault_data: [{'status': 1, '_id': {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'masterKey': {'provider': 'aws', 'key': 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0', 'region': 'us-east-1'}, 'updateDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyMaterial': {'$binary': {'base64': 'AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyAltNames': ['altname', 'another_altname']}]
tests:
- description: "updateOne with deterministic encryption"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { encrypted_string: "string0" }
update: { $set: { encrypted_string: "string1", random: "abc" } }
result:
matchedCount: 1
modifiedCount: 1
upsertedCount: 0
expectations:
# Auto encryption will request the collection info.
- command_started_event:
command:
listCollections: 1
filter:
name: *collection_name
command_name: listCollections
# Then key is fetched from the key vault.
- command_started_event:
command:
find: datakeys
filter: {"$or": [{"_id": {"$in": [ {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}} ] }}, {"keyAltNames": {"$in": []}}]}
$db: keyvault
readConcern: { level: "majority" }
command_name: find
- command_started_event:
command:
update: *collection_name
updates:
- q: { encrypted_string: { $eq: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} } }
u: { $set: {encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}}, random: { $$type: "binData" } } }
ordered: true
command_name: update
outcome:
collection:
# Outcome is checked using a separate MongoClient without auto encryption.
data:
- { _id: 1, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}}, random: { $$type: "binData"} }
- description: "updateOne fails when filtering on a random field"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { random: "abc" }
update: { $set: { encrypted_string: "string1" } }
result:
errorContains: "Cannot query on fields encrypted with the randomized encryption"
- description: "$unset works with an encrypted field"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { }
update: { $unset: { encrypted_string: "" } }
result:
matchedCount: 1
modifiedCount: 1
upsertedCount: 0
expectations:
# Auto encryption will request the collection info.
- command_started_event:
command:
listCollections: 1
filter:
name: *collection_name
command_name: listCollections
- command_started_event:
command:
update: *collection_name
updates:
- q: { }
u: { $unset: {encrypted_string: "" } }
ordered: true
command_name: update
outcome:
collection:
# Outcome is checked using a separate MongoClient without auto encryption.
data:
- { _id: 1 }
- description: "$rename works if target value has same encryption options"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { }
update: { $rename: { encrypted_string: "encrypted_string_equivalent" } }
result:
matchedCount: 1
modifiedCount: 1
upsertedCount: 0
expectations:
# Auto encryption will request the collection info.
- command_started_event:
command:
listCollections: 1
filter:
name: *collection_name
command_name: listCollections
- command_started_event:
command:
update: *collection_name
updates:
- q: { }
u: { $rename: {encrypted_string: "encrypted_string_equivalent" } }
ordered: true
command_name: update
outcome:
collection:
# Outcome is checked using a separate MongoClient without auto encryption.
data:
- { _id: 1, encrypted_string_equivalent: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} }
- description: "$rename fails if target value has different encryption options"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { }
update: { $rename: { encrypted_string: "random" } }
result:
errorContains: "$rename between two encrypted fields must have the same metadata or both be unencrypted"
- description: "an invalid update (no $ operators) is validated and errors"
clientOptions:
autoEncryptOpts:
kmsProviders:
aws: {} # Credentials filled in from environment.
operations:
- name: updateOne
arguments:
filter: { }
update: { encrypted_string: "random" }
result:
errorContains: "" # Note, drivers differ in the error message. Just ensure an error is thrown.
|
