Split MasterKey and KmsProvider options to a distinct config

Author: GromNaN

lib/Doctrine/ODM/MongoDB/Configuration.php

@@ -26,6 +26,8 @@
 use InvalidArgumentException;
 use Jean85\PrettyVersions;
 use LogicException;
+use MongoDB\Client;
+use MongoDB\Driver\Manager;
 use MongoDB\Driver\WriteConcern;
 use ProxyManager\Configuration as ProxyManagerConfiguration;
 use ProxyManager\Factory\LazyLoadingGhostFactory;
@@ -36,12 +38,10 @@
 use Throwable;
 
 use function array_diff_key;
+use function array_intersect_key;
 use function array_key_exists;
-use function array_key_first;
 use function class_exists;
-use function count;
 use function interface_exists;
-use function is_array;
 use function is_string;
 use function sprintf;
 use function trigger_deprecation;
@@ -58,14 +58,7 @@
  *     $dm = DocumentManager::create(new Connection(), $config);
  *
  * @phpstan-import-type CommitOptions from UnitOfWork
- * @phpstan-type AutoEncryptionOptions array{
- *     keyVaultNamespace: string,
- *     kmsProviders: array<string, array<string, mixed>>,
- *     kmsProvider?: string,
- *     masterKey?: array<string, mixed>|null,
- *     tlsOptions?: array{kmip: array{tlsCAFile: string, tlsCertificateKeyFile: string}},
- *     ...
- * }
+ * @phpstan-type KmsProvider array{name: string, ...}
  */
 class Configuration
 {
@@ -138,7 +131,9 @@ class Configuration
      *      proxyDir?: string,
      *      proxyNamespace?: string,
      *      repositoryFactory?: RepositoryFactory,
-     *      autoEncryption?: AutoEncryptionOptions,
+     *      kmsProvider?: KmsProvider,
+     *      defaultMasterKey?: array<string, mixed>|null,
+     *      autoEncryption?: array<string, mixed>,
      * }
      */
     private array $attributes = [];
@@ -168,16 +163,34 @@ public function getDriverOptions(): array
             ],
         ];
 
-        if (isset($this->attributes['autoEncryption'])) {
-            $driverOptions['autoEncryption'] = array_diff_key(
-                $this->attributes['autoEncryption'],
-                ['kmsProvider' => 0, 'masterKey' => 0],
-            );
+        if (isset($this->attributes['kmsProvider'])) {
+            $driverOptions['autoEncryption'] = $this->getAutoEncryptionOptions();
         }
 
         return $driverOptions;
     }
 
+    /**
+     * Get options to create a ClientEncryption instance.
+     *
+     * @see https://www.php.net/manual/en/mongodb-driver-clientencryption.construct.php
+     *
+     * @return array{keyVaultClient?: Client|Manager, keyVaultNamespace: string, kmsProviders: array<string, mixed>, tlsOptions?: array<string, mixed>}
+     */
+    public function getClientEncryptionOptions(): array
+    {
+        if (! isset($this->attributes['kmsProvider'])) {
+            throw new ConfigurationException('MongoDB client encryption options are not set in configuration');
+        }
+
+        return array_intersect_key($this->getAutoEncryptionOptions(), [
+            'keyVaultClient' => 1,
+            'keyVaultNamespace' => 1,
+            'kmsProviders' => 1,
+            'tlsOptions' => 1,
+        ]);
+    }
+
     /**
      * Adds a namespace under a certain alias.
      */
@@ -696,69 +709,72 @@ public function isLazyGhostObjectEnabled(): bool
     }
 
     /**
-     * Set the options for auto-encryption.
+     * Set the KMS provider to use for auto-encryption. The name of the KMS provider
+     * must be specified in the 'name' key of the array.
      *
      * @see https://www.php.net/manual/en/mongodb-driver-clientencryption.construct.php
      *
-     * @phpstan-param AutoEncryptionOptions $options
-     *
-     * @throws InvalidArgumentException If the options are invalid.
+     * @param KmsProvider $kmsProvider
      */
-    public function setAutoEncryption(array $options): void
+    public function setKmsProvider(array $kmsProvider): void
     {
-        if (! isset($options['keyVaultNamespace']) || ! is_string($options['keyVaultNamespace'])) {
-            throw new InvalidArgumentException('The "keyVaultNamespace" encryption option is required.');
-        }
-
-        if (! is_array($options['kmsProviders'] ?? null) || count($options['kmsProviders']) === 0) {
-            throw new InvalidArgumentException('The "kmsProviders" encryption option is required and must be a non-empty.');
+        if (! isset($kmsProvider['name'])) {
+            throw new ConfigurationException('The "name" KMS provider option is required.');
         }
 
-        if (! isset($options['kmsProvider']) && count($options['kmsProviders']) > 1) {
-            throw new InvalidArgumentException('The "kmsProvider" encryption option is required when multiple KMS providers are specified.');
+        if (! is_string($kmsProvider['name'])) {
+            throw new ConfigurationException('The "name" KMS provider option must be a non-empty string.');
         }
 
-        $options['kmsProvider'] ??= array_key_first($options['kmsProviders']);
-
-        if (! array_key_exists($options['kmsProvider'], $options['kmsProviders'])) {
-            throw new InvalidArgumentException(sprintf('The "kmsProvider" encryption option "%s" is not defined in the "kmsProviders" option.', $options['kmsProvider']));
-        }
-
-        if ($options['kmsProvider'] !== 'local' && ! isset($options['masterKey'])) {
-            throw new InvalidArgumentException('The "masterKey" option is required when the KMS provider is not "local".');
-        }
+        $this->attributes['kmsProvider'] = $kmsProvider;
+    }
 
-        $this->attributes['autoEncryption'] = $options;
+    /**
+     * Set the default master key to use when creating encrypted collections.
+     *
+     * @param array<string, mixed>|null $masterKey
+     */
+    public function setDefaultMasterKey(?array $masterKey): void
+    {
+        $this->attributes['defaultMasterKey'] = $masterKey;
     }
 
     /**
-     * Get the options for auto-encryption.
+     * Set the options for auto-encryption.
      *
-     * @see https://www.php.net/manual/en/mongodb-driver-clientencryption.construct.php
+     * @see https://www.php.net/manual/en/mongodb-driver-manager.construct.php
      *
-     * @phpstan-return AutoEncryptionOptions
+     * @param array{ keyVaultClient?: Client|Manager, keyVaultNamespace?: string, tlsOptions?: array<string, mixed>, schemaMap?: array<string, mixed>, encryptedFieldsMap?: array<string, mixed>, extraOptions?: array<string, mixed>} $options
      */
-    public function getAutoEncryption(): ?array
+    public function setAutoEncryption(array $options): void
     {
-        return $this->attributes['autoEncryption'] ?? null;
+        if (isset($options['kmsProviders'])) {
+            throw new ConfigurationException('The "kmsProviders" encryption option must be set using the "setKmsProvider()" method.');
+        }
+
+        $this->attributes['autoEncryption'] = $options;
     }
 
     /**
-     * Get the KMS provider name used for auto-encryption.
+     * Get the default KMS provider name used when creating encrypted collections.
      */
-    public function getKmsProvider(): ?string
+    public function getDefaultKmsProvider(): ?string
     {
-        return $this->attributes['autoEncryption']['kmsProvider'] ?? null;
+        return $this->attributes['kmsProvider']['name'] ?? null;
     }
 
     /**
-     * Get the master key used for auto-encryption.
+     * Get the default master key used when creating encrypted collections.
      *
      * @return array<string, mixed>|null
      */
-    public function getMasterKey(): ?array
+    public function getDefaultMasterKey(): ?array
     {
-        return $this->attributes['autoEncryption']['masterKey'] ?? null;
+        if (! isset($this->attributes['kmsProvider']) || $this->attributes['kmsProvider']['name'] === 'local') {
+            return null;
+        }
+
+        return $this->attributes['defaultMasterKey'] ?? throw new ConfigurationException(sprintf('The "masterKey" configuration is required for the KMS provider "%s".', $this->attributes['kmsProvider']['name']));
     }
 
     private static function getVersion(): string
@@ -773,6 +789,16 @@ private static function getVersion(): string
 
         return self::$version;
     }
+
+    /** @return array<string, mixed> */
+    private function getAutoEncryptionOptions(): array
+    {
+        return [
+            'kmsProviders' => [$this->attributes['kmsProvider']['name'] => array_diff_key($this->attributes['kmsProvider'], ['name' => 0])],
+            'keyVaultNamespace' => $this->getDefaultDB() . '.datakeys',
+            ...$this->attributes['autoEncryption'] ?? [],
+        ];
+    }
 }
 
 interface_exists(MappingDriver::class);

lib/Doctrine/ODM/MongoDB/ConfigurationException.php

@@ -27,4 +27,9 @@ public static function proxyDirMissing(): self
     {
         return new self('No proxy directory was configured. Please set a target directory first!');
     }
+
+    public static function kmsProvidersNotSupported(): self
+    {
+        return new self('Setting multiple KMS providers is not supported. Please set a single KMS provider in your configuration.');
+    }
 }

lib/Doctrine/ODM/MongoDB/DocumentManager.php

@@ -223,17 +223,17 @@ public function getClient(): Client
     /** @internal */
     public function getClientEncryption(): ClientEncryption
     {
-        $autoEncryptionOptions = $this->config->getAutoEncryption();
+        if (isset($this->clientEncryption)) {
+            return $this->clientEncryption;
+        }
+
+        $options = $this->config->getClientEncryptionOptions();
 
-        if (! $autoEncryptionOptions) {
+        if (! $options) {
             throw new RuntimeException('Auto-encryption is not enabled.');
         }
 
-        return $this->clientEncryption ??= $this->client->createClientEncryption([
-            'keyVaultNamespace' => $autoEncryptionOptions['keyVaultNamespace'],
-            'kmsProviders' => $autoEncryptionOptions['kmsProviders'],
-            'tlsOptions' => $autoEncryptionOptions['tlsOptions'] ?? [],
-        ]);
+        return $this->clientEncryption = $this->client->createClientEncryption($options);
     }
 
     /** Gets the metadata factory used to gather the metadata of classes. */

lib/Doctrine/ODM/MongoDB/SchemaManager.php

@@ -645,7 +645,7 @@ public function createDocumentCollection(string $documentName, ?int $maxTimeMs =
         }
 
         // Encryption is enabled only if the KMS provider is set and at least one field is encrypted
-        if ($this->dm->getConfiguration()->getAutoEncryption()) {
+        if ($this->dm->getConfiguration()->getDefaultKmsProvider()) {
             $encryptedFields = (new EncryptionFieldMap($this->dm->getMetadataFactory()))->getEncryptionFieldMap($class->name);
 
             if ($encryptedFields) {
@@ -657,8 +657,8 @@ public function createDocumentCollection(string $documentName, ?int $maxTimeMs =
             $this->dm->getDocumentDatabase($documentName)->createEncryptedCollection(
                 $class->getCollection(),
                 $this->dm->getClientEncryption(),
-                $this->dm->getConfiguration()->getKmsProvider(),
-                $this->dm->getConfiguration()->getMasterKey(),
+                $this->dm->getConfiguration()->getDefaultKmsProvider(),
+                $this->dm->getConfiguration()->getDefaultMasterKey(),
                 $this->getWriteOptions($maxTimeMs, $writeConcern, $options),
             );
         } else {