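# To ensure consistent ordering for expectResult matching purposes, find
# commands sort the resulting documents in ascending order by the single-element
# keyAltNames array to ensure alphabetic order by original KMS provider as
# defined in initialData.
description: rewrapManyDataKey

# Quoted so the version is read as the string "1.8" rather than a float.
schemaVersion: "1.8"

# Run only where the driver and server support client-side field level
# encryption (csfle).
runOnRequirements:
- csfle: true
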
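createEntities:
# client0 records commandStartedEvent and is also used as the key vault client
# below, so the key vault find/update commands can be asserted in expectEvents.
- client:
    id: &client0 client0
    observeEvents:
    - commandStartedEvent
- clientEncryption:
    id: &clientEncryption0 clientEncryption0
    clientEncryptionOpts:
      keyVaultClient: *client0
      keyVaultNamespace: keyvault.datakeys
      # Every credential field is a $$placeholder: this fixture carries no KMS
      # secrets, and the test runner is expected to supply real values at run
      # time (from its own environment, not from this file).
      kmsProviders:
        aws: { accessKeyId: { $$placeholder: 1 }, secretAccessKey: { $$placeholder: 1 } }
        azure: { tenantId: { $$placeholder: 1 }, clientId: { $$placeholder: 1 }, clientSecret: { $$placeholder: 1 } }
        gcp: { email: { $$placeholder: 1 }, privateKey: { $$placeholder: 1 } }
        kmip: { endpoint: { $$placeholder: 1 } }
        local: { key: { $$placeholder: 1 } }
# database0/collection0 name keyvault.datakeys, the same namespace as
# keyVaultNamespace above, so collection0 reads the key vault documents directly.
- database:
    id: &database0 database0
    client: *client0
    databaseName: &database0Name keyvault
- collection:
    id: &collection0 collection0
    database: *database0
    collectionName: &collection0Name datakeys
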
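# Seeds the key vault with five data key documents, one per KMS provider.
# Each _id is a fixed 16-byte UUID (subType "04") whose bytes spell out the
# provider name, and each keyMaterial is a fixed fixture blob (subType "00").
# NOTE(review): keyMaterial is presumably the data key wrapped by that
# provider's master key, so unwrapping it needs the credentials the runner
# injects for kmsProviders - confirm against the key vault document schema.
# The masterKey mappings are anchored so the "current KMS provider" test can
# assert that they are unchanged after a rewrap.
initialData:
- databaseName: *database0Name
  collectionName: *collection0Name
  documents:
  - _id: &aws_key_id { $binary: { base64: YXdzYXdzYXdzYXdzYXdzYQ==, subType: "04" } }
    keyAltNames: ["aws_key"]
    keyMaterial: { $binary: { base64: AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gFXJqbF0Fy872MD7xl56D/2AAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDO7HPisPUlGzaio9vgIBEIB7/Qow46PMh/8JbEUbdXgTGhLfXPE+KIVW7T8s6YEMlGiRvMu7TV0QCIUJlSHPKZxzlJ2iwuz5yXeOag+EdY+eIQ0RKrsJ3b8UTisZYzGjfzZnxUKLzLoeXremtRCm3x47wCuHKd1dhh6FBbYt5TL2tDaj+vL2GBrKat2L, subType: "00" } }
    creationDate: { $date: { $numberLong: "1641024000000" } }
    updateDate: { $date: { $numberLong: "1641024000000" } }
    status: 1
    masterKey: &aws_masterkey
      provider: aws
      key: arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0
      region: us-east-1
  - _id: &azure_key_id { $binary: { base64: YXp1cmVhenVyZWF6dXJlYQ==, subType: "04" } }
    keyAltNames: ["azure_key"]
    keyMaterial: { $binary: { base64: pr01l7qDygUkFE/0peFwpnNlv3iIy8zrQK38Q9i12UCN2jwZHDmfyx8wokiIKMb9kAleeY+vnt3Cf1MKu9kcDmI+KxbNDd+V3ytAAGzOVLDJr77CiWjF9f8ntkXRHrAY9WwnVDANYkDwXlyU0Y2GQFTiW65jiQhUtYLYH63Tk48SsJuQvnWw1Q+PzY8ga+QeVec8wbcThwtm+r2IHsCFnc72Gv73qq7weISw+O4mN08z3wOp5FOS2ZM3MK7tBGmPdBcktW7F8ODGsOQ1FU53OrWUnyX2aTi2ftFFFMWVHqQo7EYuBZHru8RRODNKMyQk0BFfKovAeTAVRv9WH9QU7g==, subType: "00" } }
    creationDate: { $date: { $numberLong: "1641024000000" } }
    updateDate: { $date: { $numberLong: "1641024000000" } }
    status: 1
    masterKey: &azure_masterkey
      provider: azure
      keyVaultEndpoint: key-vault-csfle.vault.azure.net
      keyName: key-name-csfle
  - _id: &gcp_key_id { $binary: { base64: Z2NwZ2NwZ2NwZ2NwZ2NwZw==, subType: "04" } }
    keyAltNames: ["gcp_key"]
    keyMaterial: { $binary: { base64: CiQAIgLj0USbQtof/pYRLQO96yg/JEtZbD1UxKueaC37yzT5tTkSiQEAhClWB5ZCSgzHgxv8raWjNB4r7e8ePGdsmSuYTYmLC5oHHS/BdQisConzNKFaobEQZHamTCjyhy5NotKF8MWoo+dyfQApwI29+vAGyrUIQCXzKwRnNdNQ+lb3vJtS5bqvLTvSxKHpVca2kqyC9nhonV+u4qru5Q2bAqUgVFc8fL4pBuvlowZFTQ==, subType: "00" } }
    creationDate: { $date: { $numberLong: "1641024000000" } }
    updateDate: { $date: { $numberLong: "1641024000000" } }
    status: 1
    masterKey: &gcp_masterkey
      provider: gcp
      projectId: devprod-drivers
      location: global
      keyRing: key-ring-csfle
      keyName: key-name-csfle
  - _id: &kmip_key_id { $binary: { base64: a21pcGttaXBrbWlwa21pcA==, subType: "04" } }
    keyAltNames: ["kmip_key"]
    keyMaterial: { $binary: { base64: CklVctHzke4mcytd0TxGqvepkdkQN8NUF4+jV7aZQITAKdz6WjdDpq3lMt9nSzWGG2vAEfvRb3mFEVjV57qqGqxjq2751gmiMRHXz0btStbIK3mQ5xbY9kdye4tsixlCryEwQONr96gwlwKKI9Nubl9/8+uRF6tgYjje7Q7OjauEf1SrJwKcoQ3WwnjZmEqAug0kImCpJ/irhdqPzivRiA==, subType: "00" } }
    creationDate: { $date: { $numberLong: "1641024000000" } }
    updateDate: { $date: { $numberLong: "1641024000000" } }
    status: 1
    masterKey: &kmip_masterkey
      provider: kmip
      # Quoted so the key id stays a string, not the integer 1.
      keyId: "1"
  - _id: &local_key_id { $binary: { base64: bG9jYWxrZXlsb2NhbGtleQ==, subType: "04" } }
    keyAltNames: ["local_key"]
    keyMaterial: { $binary: { base64: ABKBldDEoDW323yejOnIRk6YQmlD9d3eQthd16scKL75nz2LjNL9fgPDZWrFFOlqlhMCFaSrNJfGrFUjYk5JFDO7soG5Syb50k1niJoKg4ilsj0L4mpimFUtTpOr2nzZOeQtvAksEXc7gsFgq8gV7t/U3lsaXPY7I0t42DfSE8EGlPdxRjFdHnxh+OR8h7U9b8Qs5K5UuhgyeyxaBZ1Hgw==, subType: "00" } }
    creationDate: { $date: { $numberLong: "1641024000000" } }
    updateDate: { $date: { $numberLong: "1641024000000" } }
    status: 1
    masterKey: &local_masterkey
      provider: local
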
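tests:
# A filter that matches no key vault document must produce only the find on
# the key vault: no update command is expected and no bulkWriteResult is
# returned.
- description: "no keys to rewrap due to no filter matches"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: no_matching_keys }
      opts:
        provider: local
    expectResult:
      # If no bulk write operation, then no bulk write result.
      bulkWriteResult: { $$exists: false }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: no_matching_keys }
          # Key vault reads are expected with majority read concern.
          readConcern: { level: majority }
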
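# The filter excludes the key that is already on AWS, so the four other data
# keys are rewrapped with an AWS KMS key different from the one in initialData.
- description: "rewrap with new AWS KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: { $ne: aws_key } }
      opts:
        provider: aws
        # Different key: 89fcc2c4-08b0-4bd9-9f25-e30687b580d0 -> 061334ae-07a8-4ceb-a813-8135540e837d.
        masterKey: &new_aws_masterkey
          key: arn:aws:kms:us-east-1:579766882180:key/061334ae-07a8-4ceb-a813-8135540e837d
          region: us-east-1
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 4
        modifiedCount: 4
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: { $ne: aws_key } }
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per rewrapped key. masterKey is matched exactly, but _id
          # and keyMaterial are matched by BSON type only, so this does not
          # show which keys were updated or that the wrapped bytes changed.
          # `<<` is a YAML 1.1 merge key: the loader must support it for
          # masterKey to expand to { provider, key, region }.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          # Key vault writes are expected with majority write concern.
          writeConcern: { w: majority }
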
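# The filter excludes the key that is already on Azure; the four other data
# keys are rewrapped to Azure. The masterKey given here has the same
# keyVaultEndpoint and keyName as the azure_key document in initialData.
- description: "rewrap with new Azure KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: { $ne: azure_key } }
      opts:
        provider: azure
        masterKey: &new_azure_masterkey
          keyVaultEndpoint: key-vault-csfle.vault.azure.net
          keyName: key-name-csfle
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 4
        modifiedCount: 4
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: { $ne: azure_key } }
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per rewrapped key. masterKey is matched exactly (via the
          # YAML 1.1 merge key `<<`); _id and keyMaterial are matched by BSON
          # type only, so the wrapped bytes themselves are not verified.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          writeConcern: { w: majority }
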
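# The filter excludes the key that is already on GCP; the four other data keys
# are rewrapped to GCP. The masterKey given here has the same projectId,
# location, keyRing and keyName as the gcp_key document in initialData.
- description: "rewrap with new GCP KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: { $ne: gcp_key } }
      opts:
        provider: gcp
        masterKey: &new_gcp_masterkey
          projectId: devprod-drivers
          location: global
          keyRing: key-ring-csfle
          keyName: key-name-csfle
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 4
        modifiedCount: 4
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: { $ne: gcp_key } }
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per rewrapped key. masterKey is matched exactly (via the
          # YAML 1.1 merge key `<<`); _id and keyMaterial are matched by BSON
          # type only, so the wrapped bytes themselves are not verified.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          writeConcern: { w: majority }
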
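# The filter excludes the key that is already on KMIP; the four other data
# keys are rewrapped to KMIP. No masterKey is passed in opts.
- description: "rewrap with new KMIP KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: { $ne: kmip_key } }
      opts:
        provider: kmip
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 4
        modifiedCount: 4
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: { $ne: kmip_key } }
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per rewrapped key. keyId is only required to be a
          # string, so the concrete KMIP key id is not pinned.
          # NOTE(review): presumably the id is generated at rewrap time because
          # opts carries no masterKey - confirm against the driver spec.
          # _id and keyMaterial are matched by BSON type only.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          writeConcern: { w: majority }
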
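# The filter excludes the key that is already on the local provider; the four
# other data keys are rewrapped to it. The local provider takes no masterKey
# options here, and its wrapping key is the kmsProviders.local.key placeholder
# that the runner fills in.
- description: "rewrap with new local KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: { keyAltNames: { $ne: local_key } }
      opts:
        provider: local
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 4
        modifiedCount: 4
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: { keyAltNames: { $ne: local_key } }
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per rewrapped key. masterKey must be exactly
          # { provider: local }; _id and keyMaterial are matched by BSON type
          # only, so the wrapped bytes themselves are not verified.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          writeConcern: { w: majority }
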
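# With an empty filter and no opts, all five data keys are rewrapped without
# naming a new provider. The follow-up find then checks that every document
# still carries the masterKey it was seeded with in initialData.
# NOTE(review): neither the update matcher nor the find projection inspects
# keyMaterial, and $currentDate alone would make each document count as
# modified, so this test does not show that the wrapped bytes were replaced.
- description: "rewrap with current KMS provider"
  operations:
  - name: rewrapManyDataKey
    object: *clientEncryption0
    arguments:
      filter: {}
    expectResult:
      bulkWriteResult:
        insertedCount: 0
        matchedCount: 5
        modifiedCount: 5
        deletedCount: 0
        upsertedCount: 0
        upsertedIds: {}
        insertedIds: { $$unsetOrMatches: {} }
  - name: find
    object: *collection0
    arguments:
      filter: {}
      projection: { masterKey: 1 }
      # Sorting by keyAltNames gives the provider order used in expectResult.
      sort: { keyAltNames: 1 }
    expectResult:
    - { _id: *aws_key_id, masterKey: *aws_masterkey }
    - { _id: *azure_key_id, masterKey: *azure_masterkey }
    - { _id: *gcp_key_id, masterKey: *gcp_masterkey }
    - { _id: *kmip_key_id, masterKey: *kmip_masterkey }
    - { _id: *local_key_id, masterKey: *local_masterkey }
  expectEvents:
  - client: *client0
    events:
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          find: *collection0Name
          filter: {}
          readConcern: { level: majority }
    - commandStartedEvent:
        databaseName: *database0Name
        command:
          update: *collection0Name
          ordered: true
          # One update per data key; masterKey only has to be an object here
          # because each key keeps its own provider-specific masterKey.
          updates:
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          - q: { _id: { $$type: binData } }
            u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
            multi: { $$unsetOrMatches: false }
            upsert: { $$unsetOrMatches: false }
          writeConcern: { w: majority }
    # The verification find issued through collection0, which shares client0.
    - commandStartedEvent: { commandName: find }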