1runOn:
2 - minServerVersion: "4.1.10"
3database_name: &database_name "default"
4collection_name: &collection_name "default"
5
6data:
7 - &doc0_encrypted { _id: 1, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} }
8 - &doc1_encrypted { _id: 2, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}} }
9json_schema: {'properties': {'encrypted_w_altname': {'encrypt': {'keyId': '/altname', 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'random': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string_equivalent': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
10key_vault_data: [{'status': 1, '_id': {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'masterKey': {'provider': 'aws', 'key': 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0', 'region': 'us-east-1'}, 'updateDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyMaterial': {'$binary': {'base64': 'AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyAltNames': ['altname', 'another_altname']}]
11
12# TODO: I could see an argument against having these tests of mongocryptd as part
13# of driver tests. When mongocryptd introduces support for these operators, these
14# tests will fail. But it's also easy enough to remove these tests when that happens.
15
16tests:
17 - description: "$text unconditionally fails"
18 clientOptions:
19 autoEncryptOpts:
20 kmsProviders:
21 aws: {} # Credentials filled in from environment.
22 operations:
23 - name: find
24 arguments:
25 filter:
26 { $text: { $search: "search text" } }
27 result:
28 errorContains: "Unsupported match expression operator for encryption"
29 - description: "$where unconditionally fails"
30 clientOptions:
31 autoEncryptOpts:
32 kmsProviders:
33 aws: {} # Credentials filled in from environment.
34 operations:
35 - name: find
36 arguments:
37 filter:
38 { $where: { $code: "function() { return true }" } }
39 result:
40 errorContains: "Unsupported match expression operator for encryption"
41 - description: "$bit operators succeed on unencrypted, error on encrypted"
42 clientOptions:
43 autoEncryptOpts:
44 kmsProviders:
45 aws: {} # Credentials filled in from environment.
46 operations:
47 - name: find
48 arguments:
49 filter: { unencrypted: { $bitsAllClear: 35 }}
50 result: []
51 - name: find
52 arguments:
53 filter: { encrypted_string: { $bitsAllClear: 35 }}
54 result:
55 errorContains: "Invalid match expression operator on encrypted field"
56 - name: find
57 arguments:
58 filter: { unencrypted: { $bitsAllSet: 35 }}
59 result: []
60 - name: find
61 arguments:
62 filter: { encrypted_string: { $bitsAllSet: 35 }}
63 result:
64 errorContains: "Invalid match expression operator on encrypted field"
65 - name: find
66 arguments:
67 filter: { unencrypted: { $bitsAnyClear: 35 }}
68 result: []
69 - name: find
70 arguments:
71 filter: { encrypted_string: { $bitsAnyClear: 35 }}
72 result:
73 errorContains: "Invalid match expression operator on encrypted field"
74 - name: find
75 arguments:
76 filter: { unencrypted: { $bitsAnySet: 35 }}
77 result: []
78 - name: find
79 arguments:
80 filter: { encrypted_string: { $bitsAnySet: 35 }}
81 result:
82 errorContains: "Invalid match expression operator on encrypted field"
83 - description: "geo operators succeed on unencrypted, error on encrypted"
84 clientOptions:
85 autoEncryptOpts:
86 kmsProviders:
87 aws: {} # Credentials filled in from environment.
88 operations:
89 - name: find
90 arguments:
91 filter: { unencrypted: { $near: [0,0] }}
92 result:
93 # Still an error because no geo index, but from mongod - not mongocryptd.
94 errorContains: "unable to find index"
95 - name: find
96 arguments:
97 filter: { encrypted_string: { $near: [0,0] }}
98 result:
99 errorContains: "Invalid match expression operator on encrypted field"
100 - name: find
101 arguments:
102 filter: { unencrypted: { $nearSphere: [0,0] }}
103 result:
104 # Still an error because no geo index, but from mongod - not mongocryptd.
105 errorContains: "unable to find index"
106 - name: find
107 arguments:
108 filter: { encrypted_string: { $nearSphere: [0,0] }}
109 result:
110 errorContains: "Invalid match expression operator on encrypted field"
111 - name: find
112 arguments:
113 filter: { unencrypted: { $geoIntersects: { $geometry: { type: "Polygon", coordinates: [[ [0,0], [1,0], [1,1], [0,0] ]] }} }}
114 result: []
115 - name: find
116 arguments:
117 filter: { encrypted_string: { $geoIntersects: { $geometry: { type: "Polygon", coordinates: [[ [0,0], [1,0], [1,1], [0,0] ]] }} }}
118 result:
119 errorContains: "Invalid match expression operator on encrypted field"
120 - name: find
121 arguments:
122 filter: { unencrypted: { $geoWithin: { $geometry: { type: "Polygon", coordinates: [[ [0,0], [1,0], [1,1], [0,0] ]] }} }}
123 result: []
124 - name: find
125 arguments:
126 filter: { encrypted_string: { $geoWithin: { $geometry: { type: "Polygon", coordinates: [[ [0,0], [1,0], [1,1], [0,0] ]] }} }}
127 result:
128 errorContains: "Invalid match expression operator on encrypted field"
129 - description: "inequality operators succeed on unencrypted, error on encrypted"
130 clientOptions:
131 autoEncryptOpts:
132 kmsProviders:
133 aws: {} # Credentials filled in from environment.
134 operations:
135 - name: find
136 arguments:
137 filter: { unencrypted: { $gt: 1 }}
138 result: []
139 - name: find
140 arguments:
141 filter: { encrypted_string: { $gt: 1 }}
142 result:
143 errorContains: "Invalid match expression operator on encrypted field"
144 - name: find
145 arguments:
146 filter: { unencrypted: { $lt: 1 }}
147 result: []
148 - name: find
149 arguments:
150 filter: { encrypted_string: { $lt: 1 }}
151 result:
152 errorContains: "Invalid match expression operator on encrypted field"
153 - name: find
154 arguments:
155 filter: { unencrypted: { $gte: 1 }}
156 result: []
157 - name: find
158 arguments:
159 filter: { encrypted_string: { $gte: 1 }}
160 result:
161 errorContains: "Invalid match expression operator on encrypted field"
162 - name: find
163 arguments:
164 filter: { unencrypted: { $lte: 1 }}
165 result: []
166 - name: find
167 arguments:
168 filter: { encrypted_string: { $lte: 1 }}
169 result:
170 errorContains: "Invalid match expression operator on encrypted field"
171 - description: "other misc operators succeed on unencrypted, error on encrypted"
172 clientOptions:
173 autoEncryptOpts:
174 kmsProviders:
175 aws: {} # Credentials filled in from environment.
176 operations:
177 - name: find
178 arguments:
179 filter: { unencrypted: { $mod: [3, 1] }}
180 result: []
181 - name: find
182 arguments:
183 filter: { encrypted_string: { $mod: [3, 1] }}
184 result:
185 errorContains: "Invalid match expression operator on encrypted field"
186 - name: find
187 arguments:
188 filter: { unencrypted: { $regex: "pattern", $options: "" }}
189 result: []
190 - name: find
191 arguments:
192 filter: { encrypted_string: { $regex: "pattern", $options: "" }}
193 result:
194 errorContains: "Invalid match expression operator on encrypted field"
195 - name: find
196 arguments:
197 filter: { unencrypted: { $size: 2 }}
198 result: []
199 - name: find
200 arguments:
201 filter: { encrypted_string: { $size: 2 }}
202 result:
203 errorContains: "Invalid match expression operator on encrypted field"
204 - name: find
205 arguments:
206 filter: { unencrypted: { $type: 2 }}
207 result: []
208 - name: find
209 arguments:
210 filter: { encrypted_string: { $type: 2 }}
211 result:
212 errorContains: "Invalid match expression operator on encrypted field"
213 - name: find
214 arguments:
215 filter: { unencrypted: { $eq: null }}
216 result:
217 - &doc0 { _id: 1, encrypted_string: "string0" }
218 - &doc1 { _id: 2, encrypted_string: "string1" }
219 - name: find
220 arguments:
221 filter: { encrypted_string: { $eq: null }}
222 result:
223 errorContains: "Illegal equality to null predicate for encrypted field"
224 - name: find
225 arguments:
226 filter: { unencrypted: { $in: [null] }}
227 result:
228 - *doc0
229 - *doc1
230 - name: find
231 arguments:
232 filter: { encrypted_string: { $in: [null] }}
233 result:
234 errorContains: "Illegal equality to null inside $in against an encrypted field"
235 - description: "$addToSet succeeds on unencrypted, error on encrypted"
236 clientOptions:
237 autoEncryptOpts:
238 kmsProviders:
239 aws: {} # Credentials filled in from environment.
240 operations:
241 - name: updateOne
242 arguments:
243 filter: { }
244 update: { $addToSet: { "unencrypted": ["a"]}}
245 result:
246 matchedCount: 1
247 modifiedCount: 1
248 upsertedCount: 0
249 - name: updateOne
250 arguments:
251 filter: { }
252 update: { $addToSet: { "encrypted_string": ["a"]}}
253 result:
254 errorContains: "$addToSet not allowed on encrypted values"
255 - description: "$inc succeeds on unencrypted, error on encrypted"
256 clientOptions:
257 autoEncryptOpts:
258 kmsProviders:
259 aws: {} # Credentials filled in from environment.
260 operations:
261 - name: updateOne
262 arguments:
263 filter: { }
264 update: { $inc: { "unencrypted": 1}}
265 result:
266 matchedCount: 1
267 modifiedCount: 1
268 upsertedCount: 0
269 - name: updateOne
270 arguments:
271 filter: { }
272 update: { $inc: { "encrypted_string": 1}}
273 result:
274 errorContains: "$inc and $mul not allowed on encrypted values"
275 - description: "$mul succeeds on unencrypted, error on encrypted"
276 clientOptions:
277 autoEncryptOpts:
278 kmsProviders:
279 aws: {} # Credentials filled in from environment.
280 operations:
281 - name: updateOne
282 arguments:
283 filter: { }
284 update: { $mul: { "unencrypted": 1}}
285 result:
286 matchedCount: 1
287 modifiedCount: 1
288 upsertedCount: 0
289 - name: updateOne
290 arguments:
291 filter: { }
292 update: { $mul: { "encrypted_string": 1}}
293 result:
294 errorContains: "$inc and $mul not allowed on encrypted values"
295 - description: "$max succeeds on unencrypted, error on encrypted"
296 clientOptions:
297 autoEncryptOpts:
298 kmsProviders:
299 aws: {} # Credentials filled in from environment.
300 operations:
301 - name: updateOne
302 arguments:
303 filter: { }
304 update: { $max: { "unencrypted": 1}}
305 result:
306 matchedCount: 1
307 modifiedCount: 1
308 upsertedCount: 0
309 - name: updateOne
310 arguments:
311 filter: { }
312 update: { $max: { "encrypted_string": 1}}
313 result:
314 errorContains: "$max and $min not allowed on encrypted values"
315 - description: "$min succeeds on unencrypted, error on encrypted"
316 clientOptions:
317 autoEncryptOpts:
318 kmsProviders:
319 aws: {} # Credentials filled in from environment.
320 operations:
321 - name: updateOne
322 arguments:
323 filter: { }
324 update: { $min: { "unencrypted": 1}}
325 result:
326 matchedCount: 1
327 modifiedCount: 1
328 upsertedCount: 0
329 - name: updateOne
330 arguments:
331 filter: { }
332 update: { $min: { "encrypted_string": 1}}
333 result:
334 errorContains: "$max and $min not allowed on encrypted values"
335 - description: "$currentDate succeeds on unencrypted, error on encrypted"
336 clientOptions:
337 autoEncryptOpts:
338 kmsProviders:
339 aws: {} # Credentials filled in from environment.
340 operations:
341 - name: updateOne
342 arguments:
343 filter: { }
344 update: { $currentDate: { "unencrypted": true}}
345 result:
346 matchedCount: 1
347 modifiedCount: 1
348 upsertedCount: 0
349 - name: updateOne
350 arguments:
351 filter: { }
352 update: { $currentDate: { "encrypted_string": true }}
353 result:
354 errorContains: "$currentDate not allowed on encrypted values"
355 - description: "$pop succeeds on unencrypted, error on encrypted"
356 clientOptions:
357 autoEncryptOpts:
358 kmsProviders:
359 aws: {} # Credentials filled in from environment.
360 operations:
361 - name: updateOne
362 arguments:
363 filter: { }
364 update: { $pop: { "unencrypted": 1}}
365 result:
366 matchedCount: 1
367 modifiedCount: 0
368 upsertedCount: 0
369 - name: updateOne
370 arguments:
371 filter: { }
372 update: { $pop: { "encrypted_string": 1 }}
373 result:
374 errorContains: "$pop not allowed on encrypted values"
375 - description: "$pull succeeds on unencrypted, error on encrypted"
376 clientOptions:
377 autoEncryptOpts:
378 kmsProviders:
379 aws: {} # Credentials filled in from environment.
380 operations:
381 - name: updateOne
382 arguments:
383 filter: { }
384 update: { $pull: { "unencrypted": 1}}
385 result:
386 matchedCount: 1
387 modifiedCount: 0
388 upsertedCount: 0
389 - name: updateOne
390 arguments:
391 filter: { }
392 update: { $pull: { "encrypted_string": 1 }}
393 result:
394 errorContains: "$pull not allowed on encrypted values"
395 - description: "$pullAll succeeds on unencrypted, error on encrypted"
396 clientOptions:
397 autoEncryptOpts:
398 kmsProviders:
399 aws: {} # Credentials filled in from environment.
400 operations:
401 - name: updateOne
402 arguments:
403 filter: { }
404 update: { $pullAll: { "unencrypted": [1] }}
405 result:
406 matchedCount: 1
407 modifiedCount: 0
408 upsertedCount: 0
409 - name: updateOne
410 arguments:
411 filter: { }
412 update: { $pullAll: { "encrypted_string": [1] }}
413 result:
414 errorContains: "$pullAll not allowed on encrypted values"
415 - description: "$push succeeds on unencrypted, error on encrypted"
416 clientOptions:
417 autoEncryptOpts:
418 kmsProviders:
419 aws: {} # Credentials filled in from environment.
420 operations:
421 - name: updateOne
422 arguments:
423 filter: { }
424 update: { $push: { "unencrypted": 1}}
425 result:
426 matchedCount: 1
427 modifiedCount: 1
428 upsertedCount: 0
429 - name: updateOne
430 arguments:
431 filter: { }
432 update: { $push: { "encrypted_string": 1 }}
433 result:
434 errorContains: "$push not allowed on encrypted values"
435 - description: "array filters on encrypted fields does not error in mongocryptd, but errors in mongod"
436 clientOptions:
437 autoEncryptOpts:
438 kmsProviders:
439 aws: {} # Credentials filled in from environment.
440 operations:
441 - name: updateOne
442 arguments:
443 filter: { }
444 update: { $set : { "encrypted_string.$[i].x": 1 }}
445 arrayFilters: [{ i.x: 1 }]
446 result:
447 errorContains: "Array update operations not allowed on encrypted values"
448 - description: "positional operator succeeds on unencrypted, errors on encrypted"
449 clientOptions:
450 autoEncryptOpts:
451 kmsProviders:
452 aws: {} # Credentials filled in from environment.
453 operations:
454 - name: updateOne
455 arguments:
456 filter: { "unencrypted": 1 }
457 update: { $set : { "unencrypted.$": 1 }}
458 result:
459 matchedCount: 0
460 modifiedCount: 0
461 upsertedCount: 0
462 - name: updateOne
463 arguments:
464 filter: { "encrypted_string": "abc" }
465 update: { $set : { "encrypted_string.$": "abc" }}
466 result:
467 errorContains: "Cannot encrypt fields below '$' positional update operator"
468 - description: "an update that would produce an array on an encrypted field errors"
469 clientOptions:
470 autoEncryptOpts:
471 kmsProviders:
472 aws: {} # Credentials filled in from environment.
473 operations:
474 - name: updateOne
475 arguments:
476 filter: { }
477 update: { $set : { "encrypted_string": [1,2] }}
478 result:
479 # DRIVERS-2272: The expected error message changed in mongocryptd 6.0. Before it was:
480 # "Cannot encrypt element of type array because schema requires that type is one of: [ string ]"
481 # After it is:
482 # "Cannot encrypt element of type: array"
483 # Only check for the common prefix.
484 errorContains: "Cannot encrypt element of type"
485 - description: "an insert with encrypted field on _id errors"
486 clientOptions:
487 autoEncryptOpts:
488 kmsProviders:
489 aws: {} # Credentials filled in from environment.
490 schemaMap:
491 "default.default": {'properties': {'_id': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}}
492 operations:
493 - name: insertOne
494 arguments:
495 document: { _id: 1 }
496 result:
497 errorContains: "Invalid schema containing the 'encrypt' keyword."
498 - description: "an insert with an array value for an encrypted field fails"
499 clientOptions:
500 autoEncryptOpts:
501 kmsProviders:
502 aws: {} # Credentials filled in from environment.
503 operations:
504 - name: insertOne
505 arguments:
506 document: { encrypted_string: [ "123", "456"] }
507 result:
508 # DRIVERS-2272: The expected error message changed in mongocryptd 6.0. Before it was:
509 # "Cannot encrypt element of type array because schema requires that type is one of: [ string ]"
510 # After it is:
511 # "Cannot encrypt element of type: array"
512 # Only check for the common prefix.
513 errorContains: "Cannot encrypt element of type"
514 - description: "an insert with a Timestamp(0,0) value in the top-level fails"
515 clientOptions:
516 autoEncryptOpts:
517 kmsProviders:
518 aws: {} # Credentials filled in from environment.
519 operations:
520 - name: insertOne
521 arguments:
522 document: { random: {"$timestamp": {"t": 0, "i": 0 }} }
523 result:
524 errorContains: "A command that inserts cannot supply Timestamp(0, 0) for an encrypted"
525 - description: "distinct with the key referring to a field where the keyID is a JSON Pointer errors"
526 clientOptions:
527 autoEncryptOpts:
528 kmsProviders:
529 aws: {} # Credentials filled in from environment.
530 operations:
531 - name: distinct
532 arguments:
533 filter: {}
534 fieldName: "encrypted_w_altname"
535 result:
536 errorContains: "The distinct key is not allowed to be marked for encryption with a non-UUID keyId"View as plain text