description: createDataKey schemaVersion: "1.8" runOnRequirements: - csfle: true createEntities: - client: id: &client0 client0 observeEvents: - commandStartedEvent - clientEncryption: id: &clientEncryption0 clientEncryption0 clientEncryptionOpts: keyVaultClient: *client0 keyVaultNamespace: keyvault.datakeys kmsProviders: aws: { accessKeyId: { $$placeholder: 1 }, secretAccessKey: { $$placeholder: 1 } } azure: { tenantId: { $$placeholder: 1 }, clientId: { $$placeholder: 1 }, clientSecret: { $$placeholder: 1 } } gcp: { email: { $$placeholder: 1 }, privateKey: { $$placeholder: 1 } } kmip: { endpoint: { $$placeholder: 1 } } local: { key: { $$placeholder: 1 } } - database: id: &database0 database0 client: *client0 databaseName: &database0Name keyvault - collection: id: &collection0 collection0 database: *database0 collectionName: &collection0Name datakeys initialData: - databaseName: *database0Name collectionName: *collection0Name documents: [] tests: - description: create data key with AWS KMS provider operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: aws opts: masterKey: &new_aws_masterkey key: arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0 region: us-east-1 expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$exists: true } masterKey: provider: aws <<: *new_aws_masterkey writeConcern: { w: majority } - description: create datakey with Azure KMS provider operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: azure opts: masterKey: &new_azure_masterkey keyVaultEndpoint: key-vault-csfle.vault.azure.net keyName: key-name-csfle expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$exists: true } masterKey: provider: azure <<: *new_azure_masterkey writeConcern: { w: majority } - description: create datakey with GCP KMS provider operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: gcp opts: masterKey: &new_gcp_masterkey projectId: devprod-drivers location: global keyRing: key-ring-csfle keyName: key-name-csfle expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$exists: true } masterKey: provider: gcp <<: *new_gcp_masterkey writeConcern: { w: majority } - description: create datakey with KMIP KMS provider operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: kmip expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$exists: true } masterKey: provider: kmip keyId: { $$type: string } writeConcern: { w: majority } - description: create datakey with local KMS provider operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$exists: true } masterKey: provider: local writeConcern: { w: majority } - description: create datakey with no keyAltName operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local opts: keyAltNames: [] expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } # keyAltNames field should not exist if no keyAltNames are given. keyAltNames: { $$exists: false } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$type: int } masterKey: { $$type: object } writeConcern: { w: majority } - description: create datakey with single keyAltName operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local opts: keyAltNames: ["local_key"] expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyAltNames: [local_key] keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$type: int } masterKey: { $$type: object } writeConcern: { w: majority } - description: create datakey with multiple keyAltNames operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local opts: keyAltNames: ["abc", "def"] expectResult: { $$type: binData } - name: aggregate object: *collection0 arguments: # Need to use pipeline to sort keyAltNames for deterministic matching # because keyAltNames is not required to be sorted. pipeline: - $project: { _id: 0, keyAltNames: 1 } - $unwind: $keyAltNames - $sort: { keyAltNames: 1 } expectResult: - keyAltNames: abc - keyAltNames: def expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } keyAltNames: { $$type: array } keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$type: int } masterKey: { $$type: object } writeConcern: { w: majority } - commandStartedEvent: { commandName: aggregate } - description: create datakey with custom key material operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local opts: # "key_material" repeated 8 times. keyMaterial: &custom_key_material { $binary: { base64: a2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFs, subType: "00" } } expectResult: { $$type: binData } expectEvents: - client: *client0 events: - commandStartedEvent: databaseName: *database0Name command: insert: *collection0Name documents: - _id: { $$type: binData } # Cannot match exact value of encrypted key material. keyMaterial: { $$type: binData } creationDate: { $$type: date } updateDate: { $$type: date } status: { $$type: int } masterKey: { $$type: object } writeConcern: { w: majority } - description: create datakey with invalid custom key material (too short) operations: - name: createDataKey object: *clientEncryption0 arguments: kmsProvider: local opts: # "key_material" repeated only 7 times (key material length == 84). keyMaterial: { $binary: { base64: a2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFsa2V5X21hdGVyaWFs, subType: "00" } } expectError: isClientError: true expectEvents: - client: *client0 events: []