1description: createDataKey
2
3schemaVersion: "1.8"
4
5runOnRequirements:
6 - csfle: true
7
8createEntities:
9 - client:
10 id: &client0 client0
11 observeEvents:
12 - commandStartedEvent
13 - clientEncryption:
14 id: &clientEncryption0 clientEncryption0
15 clientEncryptionOpts:
16 keyVaultClient: *client0
17 keyVaultNamespace: keyvault.datakeys
18 kmsProviders:
19 aws: { accessKeyId: { $$placeholder: 1 }, secretAccessKey: { $$placeholder: 1 } }
20 azure: { tenantId: { $$placeholder: 1 }, clientId: { $$placeholder: 1 }, clientSecret: { $$placeholder: 1 } }
21 gcp: { email: { $$placeholder: 1 }, privateKey: { $$placeholder: 1 } }
22 kmip: { endpoint: { $$placeholder: 1 } }
23 local: { key: { $$placeholder: 1 } }
24 - database:
25 id: &database0 database0
26 client: *client0
27 databaseName: &database0Name keyvault
28 - collection:
29 id: &collection0 collection0
30 database: *database0
31 collectionName: &collection0Name datakeys
32
33initialData:
34 - databaseName: *database0Name
35 collectionName: *collection0Name
36 documents: []
37
38tests:
39 - description: create data key with AWS KMS provider
40 operations:
41 - name: createDataKey
42 object: *clientEncryption0
43 arguments:
44 kmsProvider: aws
45 opts:
46 masterKey: &new_aws_masterkey
47 key: arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0
48 region: us-east-1
49 expectResult: { $$type: binData }
50 expectEvents:
51 - client: *client0
52 events:
53 - commandStartedEvent:
54 databaseName: *database0Name
55 command:
56 insert: *collection0Name
57 documents:
58 - _id: { $$type: binData }
59 keyMaterial: { $$type: binData }
60 creationDate: { $$type: date }
61 updateDate: { $$type: date }
62 status: { $$exists: true }
63 masterKey:
64 provider: aws
65 <<: *new_aws_masterkey
66 writeConcern: { w: majority }
67
68 - description: create datakey with Azure KMS provider
69 operations:
70 - name: createDataKey
71 object: *clientEncryption0
72 arguments:
73 kmsProvider: azure
74 opts:
75 masterKey: &new_azure_masterkey
76 keyVaultEndpoint: key-vault-csfle.vault.azure.net
77 keyName: key-name-csfle
78 expectResult: { $$type: binData }
79 expectEvents:
80 - client: *client0
81 events:
82 - commandStartedEvent:
83 databaseName: *database0Name
84 command:
85 insert: *collection0Name
86 documents:
87 - _id: { $$type: binData }
88 keyMaterial: { $$type: binData }
89 creationDate: { $$type: date }
90 updateDate: { $$type: date }
91 status: { $$exists: true }
92 masterKey:
93 provider: azure
94 <<: *new_azure_masterkey
95 writeConcern: { w: majority }
96
97 - description: create datakey with GCP KMS provider
98 operations:
99 - name: createDataKey
100 object: *clientEncryption0
101 arguments:
102 kmsProvider: gcp
103 opts:
104 masterKey: &new_gcp_masterkey
105 projectId: devprod-drivers
106 location: global
107 keyRing: key-ring-csfle
108 keyName: key-name-csfle
109 expectResult: { $$type: binData }
110 expectEvents:
111 - client: *client0
112 events:
113 - commandStartedEvent:
114 databaseName: *database0Name
115 command:
116 insert: *collection0Name
117 documents:
118 - _id: { $$type: binData }
119 keyMaterial: { $$type: binData }
120 creationDate: { $$type: date }
121 updateDate: { $$type: date }
122 status: { $$exists: true }
123 masterKey:
124 provider: gcp
125 <<: *new_gcp_masterkey
126 writeConcern: { w: majority }
127
128 - description: create datakey with KMIP KMS provider
129 operations:
130 - name: createDataKey
131 object: *clientEncryption0
132 arguments:
133 kmsProvider: kmip
134 expectResult: { $$type: binData }
135 expectEvents:
136 - client: *client0
137 events:
138 - commandStartedEvent:
139 databaseName: *database0Name
140 command:
141 insert: *collection0Name
142 documents:
143 - _id: { $$type: binData }
144 keyMaterial: { $$type: binData }
145 creationDate: { $$type: date }
146 updateDate: { $$type: date }
147 status: { $$exists: true }
148 masterKey:
149 provider: kmip
150 keyId: { $$type: string }
151 writeConcern: { w: majority }
152
153 - description: create datakey with local KMS provider
154 operations:
155 - name: createDataKey
156 object: *clientEncryption0
157 arguments:
158 kmsProvider: local
159 expectResult: { $$type: binData }
160 expectEvents:
161 - client: *client0
162 events:
163 - commandStartedEvent:
164 databaseName: *database0Name
165 command:
166 insert: *collection0Name
167 documents:
168 - _id: { $$type: binData }
169 keyMaterial: { $$type: binData }
170 creationDate: { $$type: date }
171 updateDate: { $$type: date }
172 status: { $$exists: true }
173 masterKey:
174 provider: local
175 writeConcern: { w: majority }
176
177 - description: create datakey with no keyAltName
178 operations:
179 - name: createDataKey
180 object: *clientEncryption0
181 arguments:
182 kmsProvider: local
183 opts:
184 keyAltNames: []
185 expectResult: { $$type: binData }
186 expectEvents:
187 - client: *client0
188 events:
189 - commandStartedEvent:
190 databaseName: *database0Name
191 command:
192 insert: *collection0Name
193 documents:
194 - _id: { $$type: binData }
195 # keyAltNames field should not exist if no keyAltNames are given.
196 keyAltNames: { $$exists: false }
197 keyMaterial: { $$type: binData }
198 creationDate: { $$type: date }
199 updateDate: { $$type: date }
200 status: { $$type: int }
201 masterKey: { $$type: object }
202 writeConcern: { w: majority }
203
204 - description: create datakey with single keyAltName
205 operations:
206 - name: createDataKey
207 object: *clientEncryption0
208 arguments:
209 kmsProvider: local
210 opts:
211 keyAltNames: ["local_key"]
212 expectResult: { $$type: binData }
213 expectEvents:
214 - client: *client0
215 events:
216 - commandStartedEvent:
217 databaseName: *database0Name
218 command:
219 insert: *collection0Name
220 documents:
221 - _id: { $$type: binData }
222 keyAltNames: [local_key]
223 keyMaterial: { $$type: binData }
224 creationDate: { $$type: date }
225 updateDate: { $$type: date }
226 status: { $$type: int }
227 masterKey: { $$type: object }
228 writeConcern: { w: majority }
229
230 - description: create datakey with multiple keyAltNames
231 operations:
232 - name: createDataKey
233 object: *clientEncryption0
234 arguments:
235 kmsProvider: local
236 opts:
237 keyAltNames: ["abc", "def"]
238 expectResult: { $$type: binData }
239 - name: aggregate
240 object: *collection0
241 arguments:
242 # Need to use pipeline to sort keyAltNames for deterministic matching
243 # because keyAltNames is not required to be sorted.
244 pipeline:
245 - $project: { _id: 0, keyAltNames: 1 }
246 - $unwind: $keyAltNames
247 - $sort: { keyAltNames: 1 }
248 expectResult:
249 - keyAltNames: abc
250 - keyAltNames: def
251 expectEvents:
252 - client: *client0
253 events:
254 - commandStartedEvent:
255 databaseName: *database0Name
256 command:
257 insert: *collection0Name
258 documents:
259 - _id: { $$type: binData }
260 keyAltNames: { $$type: array }
261 keyMaterial: { $$type: binData }
262 creationDate: { $$type: date }
263 updateDate: { $$type: date }
264 status: { $$type: int }
265 masterKey: { $$type: object }
266 writeConcern: { w: majority }
267 - commandStartedEvent: { commandName: aggregate }
268
269 - description: create datakey with custom key material
270 operations:
271 - name: createDataKey
272 object: *clientEncryption0
273 arguments:
274 kmsProvider: local
275 opts:
276 # "key_material" repeated 8 times.
277 keyMaterial: &custom_key_material { $binary: { base64: a2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFs, subType: "00" } }
278 expectResult: { $$type: binData }
279 expectEvents:
280 - client: *client0
281 events:
282 - commandStartedEvent:
283 databaseName: *database0Name
284 command:
285 insert: *collection0Name
286 documents:
287 - _id: { $$type: binData }
288 # Cannot match exact value of encrypted key material.
289 keyMaterial: { $$type: binData }
290 creationDate: { $$type: date }
291 updateDate: { $$type: date }
292 status: { $$type: int }
293 masterKey: { $$type: object }
294 writeConcern: { w: majority }
295
296 - description: create datakey with invalid custom key material (too short)
297 operations:
298 - name: createDataKey
299 object: *clientEncryption0
300 arguments:
301 kmsProvider: local
302 opts:
303 # "key_material" repeated only 7 times (key material length == 84).
304 keyMaterial: { $binary: { base64: a2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFs, subType: "00" } }
305 expectError:
306 isClientError: true
307 expectEvents:
308 - client: *client0
309 events: []
View as plain text