
Commit aa429f8

feat(NODE-5853): support delegated KMIP data key option (#4129)
1 parent 65c9267 commit aa429f8


15 files changed

+907
-38
lines changed


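--- a/src/client-side-encryption/client_encryption.ts
+++ b/src/client-side-encryption/client_encryption.ts
@@ -902,6 +902,13 @@ export interface KMIPEncryptionKeyOptions {
 * Host with optional port.
 */
 endpoint?: string;
+
+/**
+* If true, this key should be decrypted by the KMIP server.
+*
+* Requires `mongodb-client-encryption>=6.0.1`.
+*/
+delegated?: boolean;
 }
 
 /**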
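Review bot: The TSDoc on the new `delegated?: boolean` says the key "should be decrypted by the KMIP server", which reads as decrypt-only; what the option changes is that both wrapping and unwrapping of the data key material are performed on the KMIP server, so the key-encryption key never leaves it, and that is the security property a user picks the option for, so the doc should say so. Suggested text: `If true, the KMIP server encrypts and decrypts the data key material, so the key-encryption key never leaves the KMIP server.` The doc should also state what happens when `delegated: true` is passed with an older `mongodb-client-encryption` (rejected, or silently falling back to fetching the key over KMIP); I cannot tell from this hunk which it is, but a silent fallback would move the trust boundary without the caller noticing. The `KMIPEncryptionKeyOptions` interface starts outside the hunk.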

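--- a/test/integration/client-side-encryption/client_side_encryption.spec.test.ts
+++ b/test/integration/client-side-encryption/client_side_encryption.spec.test.ts
@@ -1,6 +1,7 @@
 import * as path from 'path';
 
 import { loadSpecTests } from '../../spec';
+import { ClientSideEncryptionFilter } from '../../tools/runner/filters/client_encryption_filter';
 import { installNodeDNSWorkaroundHooks } from '../../tools/runner/hooks/configuration';
 import {
 gatherTestSuites,
@@ -60,6 +61,8 @@ const SKIPPED_TESTS = new Set([
 
 const isServerless = !!process.env.SERVERLESS;
 
+const filter = new ClientSideEncryptionFilter();
+
 describe('Client Side Encryption (Legacy)', function () {
 const testContext = new TestRunnerContext({ requiresCSFLE: true });
 const testSuites = gatherTestSuites(
@@ -75,6 +78,10 @@ describe('Client Side Encryption (Legacy)', function () {
 return testContext.setup(this.configuration);
 });
 
+before(async function () {
+await filter.initializeFilter({} as any, {});
+});
+
 generateTopologyTests(testSuites, testContext, ({ description }) => {
 if (SKIPPED_TESTS.has(description)) {
 return false;
@@ -89,13 +96,51 @@ describe('Client Side Encryption (Legacy)', function () {
 return !isSkippedTest;
 }
 
+if (
+description === 'Insert a document with auto encryption using KMIP delegated KMS provider'
+) {
+if (
+typeof filter.filter({
+metadata: { requires: { clientSideEncryption: '>=6.0.1' } }
+}) === 'string'
+) {
+return false;
+}
+}
+
 return true;
 });
 });
 
 describe('Client Side Encryption (Unified)', function () {
 installNodeDNSWorkaroundHooks();
-runUnifiedSuite(loadSpecTests(path.join('client-side-encryption', 'tests', 'unified')), () =>
-isServerless ? 'Unified CSFLE tests to not run on serverless' : false
+
+before(async function () {
+await filter.initializeFilter({} as any, {});
+});
+
+runUnifiedSuite(
+loadSpecTests(path.join('client-side-encryption', 'tests', 'unified')),
+({ description }) => {
+const delegatedKMIPTests = [
+'rewrap with current KMS provider',
+'rewrap with new local KMS provider',
+'rewrap with new KMIP delegated KMS provider',
+'rewrap with new KMIP KMS provider',
+'rewrap with new GCP KMS provider',
+'rewrap with new Azure KMS provider',
+'rewrap with new AWS KMS provider',
+'create datakey with KMIP delegated KMS provider',
+'Insert a document with auto encryption using KMIP delegated KMS provider'
+];
+if (delegatedKMIPTests.includes(description)) {
+const shouldSkip = filter.filter({
+metadata: { requires: { clientSideEncryption: '>=6.0.1' } }
+});
+if (typeof shouldSkip === 'string') return shouldSkip;
+}
+
+return isServerless ? 'Unified CSFLE tests to not run on serverless' : false;
+}
 );
 });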
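Review bot: The requirement object `{ metadata: { requires: { clientSideEncryption: '>=6.0.1' } } }` is spelled out twice in the last hunk (the legacy and the unified skip callbacks) and `delegatedKMIPTests` is rebuilt on every description the unified callback sees; hoisting both to module scope next to `filter` keeps the version floor in one place and turns the lookup into a `Set.has`. Both `before` hooks call `filter.initializeFilter({} as any, {})`; the filter's signature is not visible here, but if its first parameter is unused by this filter, widening that parameter's type or passing a typed stub would avoid the `as any`. The legacy callback returns a bare `false` for the delegated-KMIP test while the unified one returns the reason string; a consistent reason would make the skipped test visible in the report. One thing to confirm, since it is not visible in the hunk: the `generateTopologyTests` callback must not be evaluated while the suite is being generated, or `filter.filter` runs before the `before` hook has awaited `initializeFilter`.
```typescript
const filter = new ClientSideEncryptionFilter();

// Shared by the legacy and unified suites so the version floor lives in one place.
const DELEGATED_KMIP_REQUIREMENT = {
  metadata: { requires: { clientSideEncryption: '>=6.0.1' } }
};

// Built once instead of on every description passed to the unified skip callback.
const DELEGATED_KMIP_TESTS = new Set([
  'rewrap with current KMS provider',
  // … unchanged: remaining descriptions from delegatedKMIPTests …
  'Insert a document with auto encryption using KMIP delegated KMS provider'
]);

// … unchanged: describe('Client Side Encryption (Legacy)') up to the delegated check …
      if (
        description === 'Insert a document with auto encryption using KMIP delegated KMS provider'
      ) {
        if (typeof filter.filter(DELEGATED_KMIP_REQUIREMENT) === 'string') return false;
      }
// … unchanged: describe('Client Side Encryption (Unified)') up to the skip callback …
    ({ description }) => {
      if (DELEGATED_KMIP_TESTS.has(description)) {
        const shouldSkip = filter.filter(DELEGATED_KMIP_REQUIREMENT);
        if (typeof shouldSkip === 'string') return shouldSkip;
      }
      return isServerless ? 'Unified CSFLE tests to not run on serverless' : false;
    }
```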

test/spec/client-side-encryption/tests/legacy/azureKMS.json

+11
@@ -78,6 +78,17 @@
7878
"bsonType": "string",
7979
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
8080
}
81+
},
82+
"encrypted_string_kmip_delegated": {
83+
"encrypt": {
84+
"keyId": [
85+
{
86+
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
87+
}
88+
],
89+
"bsonType": "string",
90+
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
91+
}
8192
}
8293
},
8394
"bsonType": "object"

test/spec/client-side-encryption/tests/legacy/azureKMS.yml

+1-1
@@ -4,7 +4,7 @@ database_name: &database_name "default"
44
collection_name: &collection_name "default"
55

66
data: []
7-
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
7+
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
88
key_vault_data: [{'_id': {'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'n+HWZ0ZSVOYA3cvQgP7inN4JSXfOH85IngmeQxRpQHjCCcqT3IFqEWNlrsVHiz3AELimHhX4HKqOLWMUeSIT6emUDDoQX9BAv8DR1+E1w4nGs/NyEneac78EYFkK3JysrFDOgl2ypCCTKAypkn9CkAx1if4cfgQE93LW4kczcyHdGiH36CIxrCDGv1UzAvERN5Qa47DVwsM6a+hWsF2AAAJVnF0wYLLJU07TuRHdMrrphPWXZsFgyV+lRqJ7DDpReKNO8nMPLV/mHqHBHGPGQiRdb9NoJo8CvokGz4+KE8oLwzKf6V24dtwZmRkrsDV4iOhvROAzz+Euo1ypSkL3mw==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601573901680'}}, 'updateDate': {'$date': {'$numberLong': '1601573901680'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'azure', 'keyVaultEndpoint': 'key-vault-csfle.vault.azure.net', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'azure_altname']}]
99

1010
tests:

test/spec/client-side-encryption/tests/legacy/gcpKMS.json

+11
@@ -78,6 +78,17 @@
7878
"bsonType": "string",
7979
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
8080
}
81+
},
82+
"encrypted_string_kmip_delegated": {
83+
"encrypt": {
84+
"keyId": [
85+
{
86+
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
87+
}
88+
],
89+
"bsonType": "string",
90+
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
91+
}
8192
}
8293
},
8394
"bsonType": "object"

test/spec/client-side-encryption/tests/legacy/gcpKMS.yml

+1-1
@@ -4,7 +4,7 @@ database_name: &database_name "default"
44
collection_name: &collection_name "default"
55

66
data: []
7-
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
7+
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
88
key_vault_data: [{'_id': {'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'CiQAIgLj0WyktnB4dfYHo5SLZ41K4ASQrjJUaSzl5vvVH0G12G0SiQEAjlV8XPlbnHDEDFbdTO4QIe8ER2/172U1ouLazG0ysDtFFIlSvWX5ZnZUrRMmp/R2aJkzLXEt/zf8Mn4Lfm+itnjgo5R9K4pmPNvvPKNZX5C16lrPT+aA+rd+zXFSmlMg3i5jnxvTdLHhg3G7Q/Uv1ZIJskKt95bzLoe0tUVzRWMYXLIEcohnQg==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601574333107'}}, 'updateDate': {'$date': {'$numberLong': '1601574333107'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'gcp', 'projectId': 'devprod-drivers', 'location': 'global', 'keyRing': 'key-ring-csfle', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'gcp_altname']}]
99

1010
tests:

test/spec/client-side-encryption/tests/legacy/kmipKMS.json

+139
@@ -78,6 +78,17 @@
7878
"bsonType": "string",
7979
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
8080
}
81+
},
82+
"encrypted_string_kmip_delegated": {
83+
"encrypt": {
84+
"keyId": [
85+
{
86+
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
87+
}
88+
],
89+
"bsonType": "string",
90+
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
91+
}
8192
}
8293
},
8394
"bsonType": "object"
@@ -117,6 +128,38 @@
117128
"altname",
118129
"kmip_altname"
119130
]
131+
},
132+
{
133+
"_id": {
134+
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
135+
},
136+
"keyMaterial": {
137+
"$binary": {
138+
"base64": "5TLMFWlguBWe5GUESTvOVtkdBsCrynhnV72XRyZ66/nk+EP9/1oEp1t1sg0+vwCTqULHjBiUE6DRx2mYD/Eup1+u2Jgz9/+1sV1drXeOPALNPkSgiZiDbIb67zRi+wTABEcKcegJH+FhmSGxwUoQAiHCsCbcvia5P8tN1lt98YQ=",
139+
"subType": "00"
140+
}
141+
},
142+
"creationDate": {
143+
"$date": {
144+
"$numberLong": "1634220190041"
145+
}
146+
},
147+
"updateDate": {
148+
"$date": {
149+
"$numberLong": "1634220190041"
150+
}
151+
},
152+
"status": {
153+
"$numberInt": "0"
154+
},
155+
"masterKey": {
156+
"provider": "kmip",
157+
"delegated": true,
158+
"keyId": "11"
159+
},
160+
"keyAltNames": [
161+
"delegated"
162+
]
120163
}
121164
],
122165
"tests": [
@@ -218,6 +261,102 @@
218261
]
219262
}
220263
}
264+
},
265+
{
266+
"description": "Insert a document with auto encryption using KMIP delegated KMS provider",
267+
"clientOptions": {
268+
"autoEncryptOpts": {
269+
"kmsProviders": {
270+
"kmip": {}
271+
}
272+
}
273+
},
274+
"operations": [
275+
{
276+
"name": "insertOne",
277+
"arguments": {
278+
"document": {
279+
"_id": 1,
280+
"encrypted_string_kmip_delegated": "string0"
281+
}
282+
}
283+
}
284+
],
285+
"expectations": [
286+
{
287+
"command_started_event": {
288+
"command": {
289+
"listCollections": 1,
290+
"filter": {
291+
"name": "default"
292+
}
293+
},
294+
"command_name": "listCollections"
295+
}
296+
},
297+
{
298+
"command_started_event": {
299+
"command": {
300+
"find": "datakeys",
301+
"filter": {
302+
"$or": [
303+
{
304+
"_id": {
305+
"$in": [
306+
{
307+
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
308+
}
309+
]
310+
}
311+
},
312+
{
313+
"keyAltNames": {
314+
"$in": []
315+
}
316+
}
317+
]
318+
},
319+
"$db": "keyvault"
320+
},
321+
"command_name": "find"
322+
}
323+
},
324+
{
325+
"command_started_event": {
326+
"command": {
327+
"insert": "default",
328+
"documents": [
329+
{
330+
"_id": 1,
331+
"encrypted_string_kmip_delegated": {
332+
"$binary": {
333+
"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
334+
"subType": "06"
335+
}
336+
}
337+
}
338+
],
339+
"ordered": true
340+
},
341+
"command_name": "insert"
342+
}
343+
}
344+
],
345+
"outcome": {
346+
"collection": {
347+
"data": [
348+
{
349+
"_id": 1,
350+
"encrypted_string_kmip_delegated": {
351+
"$binary": {
352+
"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
353+
"subType": "06"
354+
}
355+
}
356+
}
357+
]
358+
}
359+
}
221360
}
222361
]
223362
}
