...
# Requirements and target namespace for every test in this file.
# NOTE(review): runOn presumably gates the suite on a minimum server
# version - confirm against the test runner.
runOn:
- minServerVersion: "4.1.10"
# Anchored so the expected commands further down can reference the
# collection through *collection_name instead of repeating the literal.
database_name: &database_name "default"
collection_name: &collection_name "default"

# Initial collection contents. encrypted_string is already stored as
# ciphertext (binary subType '06'); the first test's expected update filter
# carries this same value.
data:
- &doc0_encrypted
  _id: 1
  encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}}
# Schema that tells automatic encryption which fields to encrypt and how.
# encrypted_string and encrypted_string_equivalent share keyId, bsonType and
# algorithm (Deterministic); `random` uses the same key but the Random
# algorithm. The query and $rename tests below depend on exactly these
# differences.
json_schema:
  properties:
    # keyId is a string here rather than a list of key ids.
    # NOTE(review): presumably a JSON pointer to a document field holding the
    # key alt name - confirm against the spec.
    encrypted_w_altname:
      encrypt:
        keyId: '/altname'
        bsonType: 'string'
        algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
    encrypted_string:
      encrypt:
        keyId:
        - {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}
        bsonType: 'string'
        algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
    random:
      encrypt:
        keyId:
        - {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}
        bsonType: 'string'
        algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
    encrypted_string_equivalent:
      encrypt:
        keyId:
        - {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}
        bsonType: 'string'
        algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
  bsonType: 'object'
# Key vault fixture: one data key whose _id matches the keyId used in
# json_schema and whose master key is an AWS KMS key.
# NOTE(review): keyMaterial is presumably the data key wrapped by that KMS
# key, i.e. unusable without KMS access - confirm. The fixture itself holds
# no AWS credentials; the tests take those from the environment.
key_vault_data:
- status: 1
  _id: {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}
  masterKey:
    provider: 'aws'
    key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
    region: 'us-east-1'
  updateDate: {'$date': {'$numberLong': '1552949630483'}}
  keyMaterial: {'$binary': {'base64': 'AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO', 'subType': '00'}}
  creationDate: {'$date': {'$numberLong': '1552949630483'}}
  # The string keyId '/altname' in json_schema looks up a key by alt name.
  keyAltNames: ['altname', 'another_altname']

tests:
# Equality filter on a deterministically encrypted field. The plaintext
# filter value "string0" is expected to reach the server as ciphertext that
# is identical to the stored value in `data`, which is why exactly one
# document matches.
- description: "updateOne with deterministic encryption"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {encrypted_string: "string0"}
      update:
        $set:
          encrypted_string: "string1"
          random: "abc"
    result:
      matchedCount: 1
      modifiedCount: 1
      upsertedCount: 0
  expectations:
  # Auto encryption will request the collection info.
  - command_started_event:
      command:
        listCollections: 1
        filter:
          name: *collection_name
      command_name: listCollections
  # Then key is fetched from the key vault.
  - command_started_event:
      command:
        find: datakeys
        filter:
          $or:
          - _id:
              $in:
              - {'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}
          - keyAltNames:
              $in: []
        $db: keyvault
        readConcern:
          level: "majority"
      command_name: find
  # Neither plaintext ("string0", "string1", "abc") appears in the command
  # that is sent: both the filter and the $set values are ciphertext.
  - command_started_event:
      command:
        update: *collection_name
        updates:
        - q:
            encrypted_string:
              $eq: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}}
          u:
            $set:
              encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}}
              # Only the BSON type is pinned for `random`.
              # NOTE(review): presumably because the Random algorithm gives a
              # different ciphertext on every run - confirm.
              random:
                $$type: "binData"
        ordered: true
      command_name: update
  outcome:
    collection:
      # Outcome is checked using a separate MongoClient without auto encryption.
      # The assertion is therefore on what is actually stored: binary
      # subType '06' values rather than the plaintext strings.
      data:
      - _id: 1
        encrypted_string: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==', 'subType': '06'}}
        random:
          $$type: "binData"
# Negative case: `random` is declared with the Random algorithm in
# json_schema, so a filter on it must be rejected rather than sent.
# No expectations or outcome are listed; only the error text is checked.
- description: "updateOne fails when filtering on a random field"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {random: "abc"}
      update:
        $set:
          encrypted_string: "string1"
    result:
      errorContains: "Cannot query on fields encrypted with the randomized encryption"
# Removing an encrypted field. The expected events list holds only
# listCollections and the update itself - no key vault find - and the update
# document is sent as written, since it carries no value to encrypt.
- description: "$unset works with an encrypted field"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {}
      update:
        $unset:
          encrypted_string: ""
    result:
      matchedCount: 1
      modifiedCount: 1
      upsertedCount: 0
  expectations:
  # Auto encryption will request the collection info.
  - command_started_event:
      command:
        listCollections: 1
        filter:
          name: *collection_name
      command_name: listCollections
  - command_started_event:
      command:
        update: *collection_name
        updates:
        - q: {}
          u:
            $unset:
              encrypted_string: ""
        ordered: true
      command_name: update
  outcome:
    collection:
      # Outcome is checked using a separate MongoClient without auto encryption.
      data:
      - _id: 1
# Rename between two fields that json_schema declares with the same keyId,
# bsonType and algorithm. The stored ciphertext is expected to move to the
# new field name unchanged (same value as in the initial `data`).
- description: "$rename works if target value has same encryption options"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {}
      update:
        $rename:
          encrypted_string: "encrypted_string_equivalent"
    result:
      matchedCount: 1
      modifiedCount: 1
      upsertedCount: 0
  expectations:
  # Auto encryption will request the collection info.
  - command_started_event:
      command:
        listCollections: 1
        filter:
          name: *collection_name
      command_name: listCollections
  - command_started_event:
      command:
        update: *collection_name
        updates:
        - q: {}
          u:
            $rename:
              encrypted_string: "encrypted_string_equivalent"
        ordered: true
      command_name: update
  outcome:
    collection:
      # Outcome is checked using a separate MongoClient without auto encryption.
      data:
      - _id: 1
        encrypted_string_equivalent: {'$binary': {'base64': 'AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==', 'subType': '06'}}
# Negative case: the rename target `random` uses the Random algorithm while
# encrypted_string is Deterministic, so the operation must fail instead of
# leaving a value under a field whose schema says it was encrypted
# differently.
- description: "$rename fails if target value has different encryption options"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {}
      update:
        $rename:
          encrypted_string: "random"
    result:
      errorContains: "$rename between two encrypted fields must have the same metadata or both be unencrypted"
# Negative case: an update document without any $ operator. The empty
# errorContains string matches any message, so the test asserts only that
# an error is raised.
- description: "an invalid update (no $ operators) is validated and errors"
  clientOptions:
    autoEncryptOpts:
      kmsProviders:
        aws: {} # Credentials filled in from environment.
  operations:
  - name: updateOne
    arguments:
      filter: {}
      update:
        encrypted_string: "random"
    result:
      errorContains: "" # Note, drivers differ in the error message. Just ensure an error is thrown.