Skip to content

Commit

Permalink
feat(NODE-5853): support delegated KMIP data key option (#4129)
Browse files Browse the repository at this point in the history
  • Loading branch information
baileympearson authored Jun 6, 2024
1 parent 65c9267 commit aa429f8
Show file tree
Hide file tree
Showing 15 changed files with 907 additions and 38 deletions.
7 changes: 7 additions & 0 deletions src/client-side-encryption/client_encryption.ts
Original file line number Diff line number Diff line change
Expand Up @@ -902,6 +902,13 @@ export interface KMIPEncryptionKeyOptions {
* Host with optional port.
*/
endpoint?: string;

/**
* If true, this key should be decrypted by the KMIP server.
*
* Requires `mongodb-client-encryption>=6.0.1`.
*/
delegated?: boolean;
}

/**
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import * as path from 'path';

import { loadSpecTests } from '../../spec';
import { ClientSideEncryptionFilter } from '../../tools/runner/filters/client_encryption_filter';
import { installNodeDNSWorkaroundHooks } from '../../tools/runner/hooks/configuration';
import {
gatherTestSuites,
Expand Down Expand Up @@ -60,6 +61,8 @@ const SKIPPED_TESTS = new Set([

const isServerless = !!process.env.SERVERLESS;

const filter = new ClientSideEncryptionFilter();

describe('Client Side Encryption (Legacy)', function () {
const testContext = new TestRunnerContext({ requiresCSFLE: true });
const testSuites = gatherTestSuites(
Expand All @@ -75,6 +78,10 @@ describe('Client Side Encryption (Legacy)', function () {
return testContext.setup(this.configuration);
});

before(async function () {
await filter.initializeFilter({} as any, {});
});

generateTopologyTests(testSuites, testContext, ({ description }) => {
if (SKIPPED_TESTS.has(description)) {
return false;
Expand All @@ -89,13 +96,51 @@ describe('Client Side Encryption (Legacy)', function () {
return !isSkippedTest;
}

if (
description === 'Insert a document with auto encryption using KMIP delegated KMS provider'
) {
if (
typeof filter.filter({
metadata: { requires: { clientSideEncryption: '>=6.0.1' } }
}) === 'string'
) {
return false;
}
}

return true;
});
});

describe('Client Side Encryption (Unified)', function () {
installNodeDNSWorkaroundHooks();
runUnifiedSuite(loadSpecTests(path.join('client-side-encryption', 'tests', 'unified')), () =>
isServerless ? 'Unified CSFLE tests to not run on serverless' : false

before(async function () {
await filter.initializeFilter({} as any, {});
});

runUnifiedSuite(
loadSpecTests(path.join('client-side-encryption', 'tests', 'unified')),
({ description }) => {
const delegatedKMIPTests = [
'rewrap with current KMS provider',
'rewrap with new local KMS provider',
'rewrap with new KMIP delegated KMS provider',
'rewrap with new KMIP KMS provider',
'rewrap with new GCP KMS provider',
'rewrap with new Azure KMS provider',
'rewrap with new AWS KMS provider',
'create datakey with KMIP delegated KMS provider',
'Insert a document with auto encryption using KMIP delegated KMS provider'
];
if (delegatedKMIPTests.includes(description)) {
const shouldSkip = filter.filter({
metadata: { requires: { clientSideEncryption: '>=6.0.1' } }
});
if (typeof shouldSkip === 'string') return shouldSkip;
}

return isServerless ? 'Unified CSFLE tests to not run on serverless' : false;
}
);
});
11 changes: 11 additions & 0 deletions test/spec/client-side-encryption/tests/legacy/azureKMS.json
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,17 @@
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
},
"encrypted_string_kmip_delegated": {
"encrypt": {
"keyId": [
{
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
}
],
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
}
},
"bsonType": "object"
Expand Down
2 changes: 1 addition & 1 deletion test/spec/client-side-encryption/tests/legacy/azureKMS.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ database_name: &database_name "default"
collection_name: &collection_name "default"

data: []
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
key_vault_data: [{'_id': {'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'n+HWZ0ZSVOYA3cvQgP7inN4JSXfOH85IngmeQxRpQHjCCcqT3IFqEWNlrsVHiz3AELimHhX4HKqOLWMUeSIT6emUDDoQX9BAv8DR1+E1w4nGs/NyEneac78EYFkK3JysrFDOgl2ypCCTKAypkn9CkAx1if4cfgQE93LW4kczcyHdGiH36CIxrCDGv1UzAvERN5Qa47DVwsM6a+hWsF2AAAJVnF0wYLLJU07TuRHdMrrphPWXZsFgyV+lRqJ7DDpReKNO8nMPLV/mHqHBHGPGQiRdb9NoJo8CvokGz4+KE8oLwzKf6V24dtwZmRkrsDV4iOhvROAzz+Euo1ypSkL3mw==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601573901680'}}, 'updateDate': {'$date': {'$numberLong': '1601573901680'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'azure', 'keyVaultEndpoint': 'key-vault-csfle.vault.azure.net', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'azure_altname']}]

tests:
Expand Down
11 changes: 11 additions & 0 deletions test/spec/client-side-encryption/tests/legacy/gcpKMS.json
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,17 @@
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
},
"encrypted_string_kmip_delegated": {
"encrypt": {
"keyId": [
{
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
}
],
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
}
},
"bsonType": "object"
Expand Down
2 changes: 1 addition & 1 deletion test/spec/client-side-encryption/tests/legacy/gcpKMS.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ database_name: &database_name "default"
collection_name: &collection_name "default"

data: []
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
key_vault_data: [{'_id': {'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'CiQAIgLj0WyktnB4dfYHo5SLZ41K4ASQrjJUaSzl5vvVH0G12G0SiQEAjlV8XPlbnHDEDFbdTO4QIe8ER2/172U1ouLazG0ysDtFFIlSvWX5ZnZUrRMmp/R2aJkzLXEt/zf8Mn4Lfm+itnjgo5R9K4pmPNvvPKNZX5C16lrPT+aA+rd+zXFSmlMg3i5jnxvTdLHhg3G7Q/Uv1ZIJskKt95bzLoe0tUVzRWMYXLIEcohnQg==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601574333107'}}, 'updateDate': {'$date': {'$numberLong': '1601574333107'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'gcp', 'projectId': 'devprod-drivers', 'location': 'global', 'keyRing': 'key-ring-csfle', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'gcp_altname']}]

tests:
Expand Down
139 changes: 139 additions & 0 deletions test/spec/client-side-encryption/tests/legacy/kmipKMS.json
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,17 @@
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
},
"encrypted_string_kmip_delegated": {
"encrypt": {
"keyId": [
{
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
}
],
"bsonType": "string",
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
}
}
},
"bsonType": "object"
Expand Down Expand Up @@ -117,6 +128,38 @@
"altname",
"kmip_altname"
]
},
{
"_id": {
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
},
"keyMaterial": {
"$binary": {
"base64": "5TLMFWlguBWe5GUESTvOVtkdBsCrynhnV72XRyZ66/nk+EP9/1oEp1t1sg0+vwCTqULHjBiUE6DRx2mYD/Eup1+u2Jgz9/+1sV1drXeOPALNPkSgiZiDbIb67zRi+wTABEcKcegJH+FhmSGxwUoQAiHCsCbcvia5P8tN1lt98YQ=",
"subType": "00"
}
},
"creationDate": {
"$date": {
"$numberLong": "1634220190041"
}
},
"updateDate": {
"$date": {
"$numberLong": "1634220190041"
}
},
"status": {
"$numberInt": "0"
},
"masterKey": {
"provider": "kmip",
"delegated": true,
"keyId": "11"
},
"keyAltNames": [
"delegated"
]
}
],
"tests": [
Expand Down Expand Up @@ -218,6 +261,102 @@
]
}
}
},
{
"description": "Insert a document with auto encryption using KMIP delegated KMS provider",
"clientOptions": {
"autoEncryptOpts": {
"kmsProviders": {
"kmip": {}
}
}
},
"operations": [
{
"name": "insertOne",
"arguments": {
"document": {
"_id": 1,
"encrypted_string_kmip_delegated": "string0"
}
}
}
],
"expectations": [
{
"command_started_event": {
"command": {
"listCollections": 1,
"filter": {
"name": "default"
}
},
"command_name": "listCollections"
}
},
{
"command_started_event": {
"command": {
"find": "datakeys",
"filter": {
"$or": [
{
"_id": {
"$in": [
{
"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
}
]
}
},
{
"keyAltNames": {
"$in": []
}
}
]
},
"$db": "keyvault"
},
"command_name": "find"
}
},
{
"command_started_event": {
"command": {
"insert": "default",
"documents": [
{
"_id": 1,
"encrypted_string_kmip_delegated": {
"$binary": {
"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
"subType": "06"
}
}
}
],
"ordered": true
},
"command_name": "insert"
}
}
],
"outcome": {
"collection": {
"data": [
{
"_id": 1,
"encrypted_string_kmip_delegated": {
"$binary": {
"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
"subType": "06"
}
}
}
]
}
}
}
]
}
Loading

0 comments on commit aa429f8

Please sign in to comment.