1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
description: rewrapManyDataKey-encrypt_failure
schemaVersion: "1.8"
runOnRequirements:
- csfle: true
createEntities:
- client:
id: &client0 client0
observeEvents:
- commandStartedEvent
- clientEncryption:
id: &clientEncryption0 clientEncryption0
clientEncryptionOpts:
keyVaultClient: *client0
keyVaultNamespace: keyvault.datakeys
kmsProviders:
aws: { accessKeyId: { $$placeholder: 1 }, secretAccessKey: { $$placeholder: 1 } }
azure: { tenantId: { $$placeholder: 1 }, clientId: { $$placeholder: 1 }, clientSecret: { $$placeholder: 1 } }
gcp: { email: { $$placeholder: 1 }, privateKey: { $$placeholder: 1 } }
kmip: { endpoint: { $$placeholder: 1 } }
local: { key: { $$placeholder: 1 } }
- database:
id: &database0 database0
client: *client0
databaseName: &database0Name keyvault
- collection:
id: &collection0 collection0
database: *database0
collectionName: &collection0Name datakeys
initialData:
- databaseName: *database0Name
collectionName: *collection0Name
documents:
- _id: { $binary: { base64: bG9jYWxrZXlsb2NhbGtleQ==, subType: "04" } }
keyAltNames: ["local_key"]
keyMaterial: { $binary: { base64: ABKBldDEoDW323yejOnIRk6YQmlD9d3eQthd16scKL75nz2LjNL9fgPDZWrFFOlqlhMCFaSrNJfGrFUjYk5JFDO7soG5Syb50k1niJoKg4ilsj0L4mpimFUtTpOr2nzZOeQtvAksEXc7gsFgq8gV7t/U3lsaXPY7I0t42DfSE8EGlPdxRjFdHnxh+OR8h7U9b8Qs5K5UuhgyeyxaBZ1Hgw==, subType: "00" } }
creationDate: { $date: { $numberLong: "1641024000000" } }
updateDate: { $date: { $numberLong: "1641024000000" } }
status: 1
masterKey:
provider: local
tests:
- description: "rewrap with invalid masterKey for AWS KMS provider"
operations:
- name: rewrapManyDataKey
object: *clientEncryption0
arguments:
filter: {}
opts:
provider: aws
masterKey:
# "us-east-1" changed to "us-east-2" in both key and region.
key: arn:aws:kms:us-east-2:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0
region: us-east-2
expectError:
isClientError: true
expectEvents:
- client: *client0
events:
- commandStartedEvent:
commandName: find
databaseName: *database0Name
command:
find: *collection0Name
filter: {}
readConcern: { level: majority }
- description: "rewrap with invalid masterKey for Azure KMS provider"
operations:
- name: rewrapManyDataKey
object: *clientEncryption0
arguments:
filter: {}
opts:
provider: azure
masterKey:
# "key" changed to "invalid" in both keyVaultEndpoint and keyName.
keyVaultEndpoint: invalid-vault-csfle.vault.azure.net
keyName: invalid-name-csfle
expectError:
isClientError: true
expectEvents:
- client: *client0
events:
- commandStartedEvent:
commandName: find
databaseName: *database0Name
command:
find: *collection0Name
filter: {}
readConcern: { level: majority }
- description: "rewrap with invalid masterKey for GCP KMS provider"
operations:
- name: rewrapManyDataKey
object: *clientEncryption0
arguments:
filter: {}
opts:
provider: gcp
masterKey:
# "key" changed to "invalid" in both keyRing and keyName.
projectId: devprod-drivers
location: global
keyRing: invalid-ring-csfle
keyName: invalid-name-csfle
expectError:
isClientError: true
expectEvents:
- client: *client0
events:
- commandStartedEvent:
commandName: find
databaseName: *database0Name
command:
find: *collection0Name
filter: {}
readConcern: { level: majority }
|
