1runOn:
2 - minServerVersion: "4.1.10"
3database_name: &database_name "default"
4collection_name: &collection_name "default"
5
6data:
7 - &doc0_encrypted { _id: 1, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} }
8 - &doc1_encrypted { _id: 2, encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}} , random: {'$binary': {'base64': 'AgAAAAAAAAAAAAAAAAAAAAACyfp+lXvKOi7f5vh6ZsCijLEaXFKq1X06RmyS98ZvmMQGixTw8HM1f/bGxZjGwvYwjXOkIEb7Exgb8p2KCDI5TQ==', 'subType': '06'}} }
9json_schema: {'properties': {'encrypted_w_altname': {'encrypt': {'keyId': '/altname', 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'random': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'}}, 'encrypted_string_equivalent': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
10key_vault_data: [{'status': 1, '_id': {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'masterKey': {'provider': 'aws', 'key': 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0', 'region': 'us-east-1'}, 'updateDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyMaterial': {'$binary': {'base64': 'AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1552949630483'}}, 'keyAltNames': ['altname', 'another_altname']}]
11
12tests:
13 - description: "Find with deterministic encryption"
14 clientOptions:
15 autoEncryptOpts:
16 kmsProviders:
17 aws: {} # Credentials filled in from environment.
18 operations:
19 - name: find
20 arguments:
21 filter:
22 { encrypted_string: "string0" }
23 result:
24 - &doc0 { _id: 1, encrypted_string: "string0" }
25 expectations:
26 # Auto encryption will request the collection info.
27 - command_started_event:
28 command:
29 listCollections: 1
30 filter:
31 name: *collection_name
32 command_name: listCollections
33 # Then key is fetched from the key vault.
34 - command_started_event:
35 command:
36 find: datakeys
37 filter: {"$or": [{"_id": {"$in": [ {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}} ] }}, {"keyAltNames": {"$in": []}}]}
38 $db: keyvault
39 readConcern: { level: "majority" }
40 command_name: find
41 - command_started_event:
42 command:
43 find: *collection_name
44 filter:
45 { encrypted_string: { $eq: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}} } }
46 command_name: find
47 outcome:
48 collection:
49 # Outcome is checked using a separate MongoClient without auto encryption.
50 data:
51 - *doc0_encrypted
52 - *doc1_encrypted
53 - description: "Find with $in with deterministic encryption"
54 clientOptions:
55 autoEncryptOpts:
56 kmsProviders:
57 aws: {} # Credentials filled in from environment.
58 operations:
59 - name: find
60 arguments:
61 filter:
62 { encrypted_string: { $in: [ "string0", "string1" ] } }
63 result:
64 - { _id: 1, encrypted_string: "string0" }
65 - &doc1 { _id: 2, encrypted_string: "string1", random: "abc" }
66 expectations:
67 # Auto encryption will request the collection info.
68 - command_started_event:
69 command:
70 listCollections: 1
71 filter:
72 name: *collection_name
73 command_name: listCollections
74 # Then key is fetched from the key vault.
75 - command_started_event:
76 command:
77 find: datakeys
78 filter: {"$or": [{"_id": {"$in": [ {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}} ] }}, {"keyAltNames": {"$in": []}}]}
79 $db: keyvault
80 readConcern: { level: "majority" }
81 command_name: find
82 - command_started_event:
83 command:
84 find: *collection_name
85 filter:
86 # Note, the values are re-ordered, but this is logically equivalent.
87 { encrypted_string: { $in: [ {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}}, {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}} ] } }
88 command_name: find
89 outcome:
90 collection:
91 # Outcome is checked using a separate MongoClient without auto encryption.
92 data:
93 - *doc0_encrypted
94 - *doc1_encrypted
95 - description: "Find fails when filtering on a random encrypted field"
96 clientOptions:
97 autoEncryptOpts:
98 kmsProviders:
99 aws: {} # Credentials filled in from environment
100 operations:
101 - name: find
102 arguments:
103 filter: { random: "abc" }
104 result:
105 errorContains: "Cannot query on fields encrypted with the randomized encryption"View as plain text