From 50478fac71822bef9c7d513f1f9f7149db13b279 Mon Sep 17 00:00:00 2001 
From: Ezra Chung <88335979+eramongodb@users.noreply.github.com> Date: Wed, 7 Sep 2022 13:32:58 -0500 Subject: [PATCH] CXX-2410 Add support for KMIP KMS provider (#894) * Add support for setting TLS options for client encryption * Add support for setting TLS options for auto encryption * Make mongocxx::client_encryption moveable * Add KMIP provider and TLS options to basic CSE test helpers * Add test case sections to Prose Test 7 - Custom Endpoint Test * Update Prose Test 2 - Data Key and Double Encryption with KMIP * Update Prose Test 6 - Corpus Test with KMIP * Update Prose Test 7 - Custom Endpoint Test with KMIP * Add CSE Prose Test 11 - KMS TLS Options Tests * Add CAFile and tlsCertificateKeyFile env vars to Evergreen * Add !mayfail to KMS TLS Options Tests due to CDRIVER-4181 * Update client_encryption::create_data_key docs to include supported KMS providers * Update options::data_key docs to include KMIP * Add new MONGOCXX_TEST_* env vars to should_run_client_side_encryption_test * Add KMIP support for legacy runner in autoEncryptionOpts * Sync legacy CSE spec tests with 61b81891 * CXX-2155 Sync legacy CSE spec tests with 947be4cf * CXX-2410 Sync legacy CSE spec tests with 5964c134 * CXX-2488 Sync legacy CSE spec tests with 6a7158d5 * CXX-2487 Sync legacy CSE spec tests with 02b4275d * Divide CSE legacy test runner into sections by file and test description * Improve error message on unexpected exception --- .mci.yml | 27 +- data/client_side_encryption/aggregate.json | 24 - data/client_side_encryption/azureKMS.json | 26 +- data/client_side_encryption/badQueries.json | 1446 +++++++++++++ data/client_side_encryption/basic.json | 24 - data/client_side_encryption/bulk.json | 12 - .../corpus/corpus-encrypted.json | 1830 +++++++++++++++++ .../corpus/corpus-key-kmip.json | 32 + .../corpus/corpus-schema.json | 1266 ++++++++++++ .../client_side_encryption/corpus/corpus.json | 1662 +++++++++++++++ data/client_side_encryption/count.json | 12 - .../countDocuments.json | 
12 - data/client_side_encryption/delete.json | 24 - data/client_side_encryption/distinct.json | 12 - data/client_side_encryption/explain.json | 12 - data/client_side_encryption/find.json | 24 - .../findOneAndDelete.json | 12 - .../findOneAndReplace.json | 12 - .../findOneAndUpdate.json | 12 - data/client_side_encryption/gcpKMS.json | 26 +- data/client_side_encryption/getMore.json | 12 - data/client_side_encryption/insert.json | 24 - data/client_side_encryption/keyAltName.json | 12 - data/client_side_encryption/kmipKMS.json | 223 ++ data/client_side_encryption/localKMS.json | 12 - data/client_side_encryption/localSchema.json | 12 - .../maxWireVersion.json | 3 + data/client_side_encryption/missingKey.json | 12 - data/client_side_encryption/noSchema.json | 67 + data/client_side_encryption/replaceOne.json | 12 - data/client_side_encryption/test_files.txt | 5 +- data/client_side_encryption/types.json | 96 - data/client_side_encryption/updateMany.json | 12 - data/client_side_encryption/updateOne.json | 12 - src/mongocxx/client_encryption.cpp | 2 + src/mongocxx/client_encryption.hpp | 17 +- src/mongocxx/options/auto_encryption.cpp | 14 + src/mongocxx/options/auto_encryption.hpp | 37 +- src/mongocxx/options/client_encryption.cpp | 14 + src/mongocxx/options/client_encryption.hpp | 37 +- src/mongocxx/options/data_key.hpp | 9 + src/mongocxx/private/libmongoc_symbols.hh | 2 + src/mongocxx/test/client_side_encryption.cpp | 647 ++++-- .../test/spec/client_side_encryption.cpp | 261 ++- src/mongocxx/test/spec/monitoring.cpp | 19 +- src/mongocxx/test/spec/util.cpp | 8 +- src/mongocxx/test_util/client_helpers.cpp | 18 +- 47 files changed, 7397 insertions(+), 709 deletions(-) create mode 100644 data/client_side_encryption/badQueries.json create mode 100644 data/client_side_encryption/corpus/corpus-key-kmip.json create mode 100644 data/client_side_encryption/kmipKMS.json create mode 100644 data/client_side_encryption/noSchema.json 
diff --git a/.mci.yml b/.mci.yml index 7a9816967a..14724bc075 100644 --- a/.mci.yml +++ b/.mci.yml @@ -406,11 +406,28 @@ functions: export MONGODB_API_VERSION="${MONGODB_API_VERSION}" + pushd ../../ + cd drivers-evergreen-tools + export DRIVERS_TOOLS=$(pwd) + if [ "Windows_NT" == "$OS" ]; then + export DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS) + fi + popd + if [ "$(uname -m)" == "ppc64le" ]; then echo "Skipping CSFLE test setup (CDRIVER-4246/CXX-2423)" else # export environment variables for encryption tests set +o errexit + + if [ "Windows_NT" == "$OS"]; then + export MONGOCXX_TEST_CSFLE_TLS_CA_FILE=$DRIVERS_TOOLS\.evergreen\x509gen\ca.pem + export MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE=$DRIVERS_TOOLS\.evergreen\x509gen\client.pem + else + export MONGOCXX_TEST_CSFLE_TLS_CA_FILE=$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem + export MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE=$DRIVERS_TOOLS/.evergreen/x509gen/client.pem + fi + export MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" export MONGOCXX_TEST_AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" export MONGOCXX_TEST_AZURE_TENANT_ID="${cse_azure_tenant_id}" @@ -418,17 +435,9 @@ functions: export MONGOCXX_TEST_AZURE_CLIENT_SECRET="${cse_azure_client_secret}" export MONGOCXX_TEST_GCP_EMAIL="${cse_gcp_email}" export MONGOCXX_TEST_GCP_PRIVATEKEY="${cse_gcp_privatekey}" - - set -o errexit - fi - pushd ../../ - cd drivers-evergreen-tools - export DRIVERS_TOOLS=$(pwd) - if [ "Windows_NT" == "$OS" ]; then - export DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS) + set -o errexit fi - popd if [ "$(uname -m)" == "ppc64le" ]; then echo "Skipping CSFLE test setup (CDRIVER-4246/CXX-2423)" diff --git a/data/client_side_encryption/aggregate.json b/data/client_side_encryption/aggregate.json index a9e79f9edb..7de725b71d 100644 --- a/data/client_side_encryption/aggregate.json +++ b/data/client_side_encryption/aggregate.json 
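Review bot: The added test `if [ "Windows_NT" == "$OS"]; then` in the first `.mci.yml` hunk (@@ -406) lacks the space before `]`, so `[` fails with a missing-`]` error and the `else` branch runs on every platform. That masks a second problem in the Windows branch: the unquoted backslashes in `$DRIVERS_TOOLS\.evergreen\x509gen\ca.pem` are consumed by the shell as escapes, which would produce a path with no separators. `DRIVERS_TOOLS` has already been passed through `cygpath -m` a few lines above, so the forward-slash form should presumably work on Windows as well; consider dropping the branch and keeping only the quoted exports, e.g. `export MONGOCXX_TEST_CSFLE_TLS_CA_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem"`. Because these variables select the CA and client certificate for the KMS TLS tests, a comment such as `# CA and client cert for the KMS TLS tests (drivers-evergreen-tools x509gen)` would also help. The enclosing script block starts and ends outside the hunk.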
@@ -150,18 +150,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -273,18 +261,6 @@ "command_name": "aggregate" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/azureKMS.json b/data/client_side_encryption/azureKMS.json index 97af4c8ecf..afecf40b0a 100644 --- a/data/client_side_encryption/azureKMS.json +++ b/data/client_side_encryption/azureKMS.json @@ -64,6 +64,20 @@ "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } + }, + "encrypted_string_kmip": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "dBHpr8aITfeBQ15grpbLpQ==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } } }, "bsonType": "object" @@ -139,18 +153,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/badQueries.json b/data/client_side_encryption/badQueries.json new file mode 100644 index 0000000000..4968307ba3 --- /dev/null +++ b/data/client_side_encryption/badQueries.json 
@@ -0,0 +1,1446 @@ +{ + "runOn": [ + { + "minServerVersion": "4.1.10" + } + ], + "database_name": "default", + "collection_name": "default", + "data": [ + { + "_id": 1, + "encrypted_string": { + "$binary": { + "base64": "AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==", + "subType": "06" + } + } + }, + { + "_id": 2, + "encrypted_string": { + "$binary": { + "base64": "AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==", + "subType": "06" + } + } + } + ], + "json_schema": { + "properties": { + "encrypted_w_altname": { + "encrypt": { + "keyId": "/altname", + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" + } + }, + "encrypted_string": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + }, + "random": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" + } + }, + "encrypted_string_equivalent": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + } + }, + "bsonType": "object" + }, + "key_vault_data": [ + { + "status": 1, + "_id": { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + }, + "masterKey": { + "provider": "aws", + "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + "region": "us-east-1" + }, + "updateDate": { + "$date": { + "$numberLong": "1552949630483" + } + }, + "keyMaterial": { + "$binary": { + "base64": 
"AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO", + "subType": "00" + } + }, + "creationDate": { + "$date": { + "$numberLong": "1552949630483" + } + }, + "keyAltNames": [ + "altname", + "another_altname" + ] + } + ], + "tests": [ + { + "description": "$text unconditionally fails", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "$text": { + "$search": "search text" + } + } + }, + "result": { + "errorContains": "Unsupported match expression operator for encryption" + } + } + ] + }, + { + "description": "$where unconditionally fails", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "$where": { + "$code": "function() { return true }" + } + } + }, + "result": { + "errorContains": "Unsupported match expression operator for encryption" + } + } + ] + }, + { + "description": "$bit operators succeed on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$bitsAllClear": 35 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$bitsAllClear": 35 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$bitsAllSet": 35 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": 
{ + "$bitsAllSet": 35 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$bitsAnyClear": 35 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$bitsAnyClear": 35 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$bitsAnySet": 35 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$bitsAnySet": 35 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + } + ] + }, + { + "description": "geo operators succeed on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$near": [ + 0, + 0 + ] + } + } + }, + "result": { + "errorContains": "unable to find index" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$near": [ + 0, + 0 + ] + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$nearSphere": [ + 0, + 0 + ] + } + } + }, + "result": { + "errorContains": "unable to find index" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$nearSphere": [ + 0, + 0 + ] + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$geoIntersects": { + "$geometry": { + "type": "Polygon", + "coordinates": [ + [ + [ + 0, + 0 + ], + [ + 1, + 0 + ], + [ + 1, + 1 + ], + [ 
+ 0, + 0 + ] + ] + ] + } + } + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$geoIntersects": { + "$geometry": { + "type": "Polygon", + "coordinates": [ + [ + [ + 0, + 0 + ], + [ + 1, + 0 + ], + [ + 1, + 1 + ], + [ + 0, + 0 + ] + ] + ] + } + } + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$geoWithin": { + "$geometry": { + "type": "Polygon", + "coordinates": [ + [ + [ + 0, + 0 + ], + [ + 1, + 0 + ], + [ + 1, + 1 + ], + [ + 0, + 0 + ] + ] + ] + } + } + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$geoWithin": { + "$geometry": { + "type": "Polygon", + "coordinates": [ + [ + [ + 0, + 0 + ], + [ + 1, + 0 + ], + [ + 1, + 1 + ], + [ + 0, + 0 + ] + ] + ] + } + } + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + } + ] + }, + { + "description": "inequality operators succeed on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$gt": 1 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$gt": 1 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$lt": 1 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$lt": 1 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$gte": 1 + } + } + }, + "result": [] + }, + { + 
"name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$gte": 1 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$lte": 1 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$lte": 1 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + } + ] + }, + { + "description": "other misc operators succeed on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$mod": [ + 3, + 1 + ] + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$mod": [ + 3, + 1 + ] + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$regex": "pattern", + "$options": "" + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$regex": "pattern", + "$options": "" + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$size": 2 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$size": 2 + } + } + }, + "result": { + "errorContains": "Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$type": 2 + } + } + }, + "result": [] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$type": 2 + } + } + }, + "result": { + "errorContains": 
"Invalid match expression operator on encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$eq": null + } + } + }, + "result": [ + { + "_id": 1, + "encrypted_string": "string0" + }, + { + "_id": 2, + "encrypted_string": "string1" + } + ] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$eq": null + } + } + }, + "result": { + "errorContains": "Illegal equality to null predicate for encrypted field" + } + }, + { + "name": "find", + "arguments": { + "filter": { + "unencrypted": { + "$in": [ + null + ] + } + } + }, + "result": [ + { + "_id": 1, + "encrypted_string": "string0" + }, + { + "_id": 2, + "encrypted_string": "string1" + } + ] + }, + { + "name": "find", + "arguments": { + "filter": { + "encrypted_string": { + "$in": [ + null + ] + } + } + }, + "result": { + "errorContains": "Illegal equality to null inside $in against an encrypted field" + } + } + ] + }, + { + "description": "$addToSet succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$addToSet": { + "unencrypted": [ + "a" + ] + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$addToSet": { + "encrypted_string": [ + "a" + ] + } + } + }, + "result": { + "errorContains": "$addToSet not allowed on encrypted values" + } + } + ] + }, + { + "description": "$inc succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$inc": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": 
"updateOne", + "arguments": { + "filter": {}, + "update": { + "$inc": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$inc and $mul not allowed on encrypted values" + } + } + ] + }, + { + "description": "$mul succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$mul": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$mul": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$inc and $mul not allowed on encrypted values" + } + } + ] + }, + { + "description": "$max succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$max": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$max": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$max and $min not allowed on encrypted values" + } + } + ] + }, + { + "description": "$min succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$min": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$min": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$max and $min not allowed on encrypted 
values" + } + } + ] + }, + { + "description": "$currentDate succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$currentDate": { + "unencrypted": true + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$currentDate": { + "encrypted_string": true + } + } + }, + "result": { + "errorContains": "$currentDate not allowed on encrypted values" + } + } + ] + }, + { + "description": "$pop succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pop": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 0, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pop": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$pop not allowed on encrypted values" + } + } + ] + }, + { + "description": "$pull succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pull": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 0, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pull": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$pull not allowed on encrypted values" + } + } + ] + }, + { + "description": "$pullAll succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { 
+ "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pullAll": { + "unencrypted": [ + 1 + ] + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 0, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$pullAll": { + "encrypted_string": [ + 1 + ] + } + } + }, + "result": { + "errorContains": "$pullAll not allowed on encrypted values" + } + } + ] + }, + { + "description": "$push succeeds on unencrypted, error on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$push": { + "unencrypted": 1 + } + } + }, + "result": { + "matchedCount": 1, + "modifiedCount": 1, + "upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$push": { + "encrypted_string": 1 + } + } + }, + "result": { + "errorContains": "$push not allowed on encrypted values" + } + } + ] + }, + { + "description": "array filters on encrypted fields does not error in mongocryptd, but errors in mongod", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$set": { + "encrypted_string.$[i].x": 1 + } + }, + "arrayFilters": [ + { + "i.x": 1 + } + ] + }, + "result": { + "errorContains": "Array update operations not allowed on encrypted values" + } + } + ] + }, + { + "description": "positional operator succeeds on unencrypted, errors on encrypted", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": { + "unencrypted": 1 + }, + "update": { + "$set": { + "unencrypted.$": 1 + } + } + }, + "result": { + "matchedCount": 0, + "modifiedCount": 0, + 
"upsertedCount": 0 + } + }, + { + "name": "updateOne", + "arguments": { + "filter": { + "encrypted_string": "abc" + }, + "update": { + "$set": { + "encrypted_string.$": "abc" + } + } + }, + "result": { + "errorContains": "Cannot encrypt fields below '$' positional update operator" + } + } + ] + }, + { + "description": "an update that would produce an array on an encrypted field errors", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "updateOne", + "arguments": { + "filter": {}, + "update": { + "$set": { + "encrypted_string": [ + 1, + 2 + ] + } + } + }, + "result": { + "errorContains": "Cannot encrypt element of type" + } + } + ] + }, + { + "description": "an insert with encrypted field on _id errors", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + }, + "schemaMap": { + "default.default": { + "properties": { + "_id": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + } + } + } + } + } + }, + "operations": [ + { + "name": "insertOne", + "arguments": { + "document": { + "_id": 1 + } + }, + "result": { + "errorContains": "Invalid schema containing the 'encrypt' keyword." 
+ } + } + ] + }, + { + "description": "an insert with an array value for an encrypted field fails", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "insertOne", + "arguments": { + "document": { + "encrypted_string": [ + "123", + "456" + ] + } + }, + "result": { + "errorContains": "Cannot encrypt element of type" + } + } + ] + }, + { + "description": "an insert with a Timestamp(0,0) value in the top-level fails", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "insertOne", + "arguments": { + "document": { + "random": { + "$timestamp": { + "t": 0, + "i": 0 + } + } + } + }, + "result": { + "errorContains": "A command that inserts cannot supply Timestamp(0, 0) for an encrypted" + } + } + ] + }, + { + "description": "distinct with the key referring to a field where the keyID is a JSON Pointer errors", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "distinct", + "arguments": { + "filter": {}, + "fieldName": "encrypted_w_altname" + }, + "result": { + "errorContains": "The distinct key is not allowed to be marked for encryption with a non-UUID keyId" + } + } + ] + } + ] +} diff --git a/data/client_side_encryption/basic.json b/data/client_side_encryption/basic.json index 3f9895fd5d..3ed066f530 100644 --- a/data/client_side_encryption/basic.json +++ b/data/client_side_encryption/basic.json @@ -144,18 +144,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { 
@@ -283,18 +271,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/bulk.json b/data/client_side_encryption/bulk.json index ead90985a1..1b62e5e8ab 100644 --- a/data/client_side_encryption/bulk.json +++ b/data/client_side_encryption/bulk.json @@ -178,18 +178,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/corpus/corpus-encrypted.json b/data/client_side_encryption/corpus/corpus-encrypted.json index a11682688a..1b72aa8a39 100644 --- a/data/client_side_encryption/corpus/corpus-encrypted.json +++ b/data/client_side_encryption/corpus/corpus-encrypted.json 
@@ -7681,5 +7681,1835 @@ "value": { "$maxKey": 1 } + }, + "kmip_double_rand_auto_id": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAB1hL/nPkpQtqxQUANbIJr30PQ98vPvaoy4JWUoElOL+cCnrSra3o7W+12dydy0rCS2EKrVm7Fw0C8L9nf1hpWjw==", + "subType": "06" + } + } + }, + "kmip_double_rand_auto_altname": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAABxlcphy2SxXlkRBvO1Z3nNUqchmeOhIhkdYBbbW7CwYeLVRDciXFsZN73Nb9Bm+W4IpUNpo6mqFEtfjevIjtFyg==", + "subType": "06" + } + } + }, + "kmip_double_rand_explicit_id": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAABx5AfRSiblFc1DGwxRIaUSP2kaM76ryzPUKL9KnEgnX1kjIlFz5B15uMht2cxdrntHFe1qZZk8V9PxTBpWZhJ8Q==", + "subType": "06" + } + } + }, + "kmip_double_rand_explicit_altname": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAABXUC9v9HPrmU9tINzFmr2sQM9f7GHDus+y5T4pWX28PRtfnTysN/ANCfB9RosoR/wuKsbznwwD2JfSzOvlKo3PQ==", + "subType": "06" + } + } + }, + "kmip_double_det_explicit_id": { + "kms": "kmip", + "type": "double", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$numberDouble": "1.2339999999999999858" + } + }, + "kmip_double_det_explicit_altname": { + "kms": "kmip", + "type": "double", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$numberDouble": "1.2339999999999999858" + } + }, + "kmip_string_rand_auto_id": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "auto", + 
"identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAACGHmqW1qbfqVlfB0x0CkXCk9smhs3yXsxJ/8eypSgbDQqVLSW2nf5bbHpnoCHHNtQ7I7ZBXzPzDLH2GgMJpopeQ==", + "subType": "06" + } + } + }, + "kmip_string_rand_auto_altname": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAC9BJTD1pEMbslAjbJYt7yx/jzKkcZF3axu96+NYwp8afUCjXG5TOUZzODOwkbJuWgr7DBxa2GkZTvaAEk86h+Ow==", + "subType": "06" + } + } + }, + "kmip_string_rand_explicit_id": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAACQlG28ECy8KHXC7GEPdC8+raBo2RMJwl5pofcPaTGkPUEbkreguMd1mYctNb90vXxby1nNeJY4o5zJJCMiNhNXg==", + "subType": "06" + } + } + }, + "kmip_string_rand_explicit_altname": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAACbWuK+3nzeKSNVjmgHb0Ii7rA+CsAd+gYubPiMiHXZwE/o6i9FYWN+t/VK3p4K0CwIi6q3cycrMb2IgcvM27Q7Q==", + "subType": "06" + } + } + }, + "kmip_string_det_auto_id": { + "kms": "kmip", + "type": "string", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAC5OZgr9keCXOIj5Fi06i4win1xt7gpsyPA4Os+HdFn1MIP9tnktvWNRb8Rqhuj2O9KO83brx74Hu3EQ4nT6uCMw==", + "subType": "06" + } + } + }, + "kmip_string_det_explicit_id": { + "kms": "kmip", + "type": "string", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAC5OZgr9keCXOIj5Fi06i4win1xt7gpsyPA4Os+HdFn1MIP9tnktvWNRb8Rqhuj2O9KO83brx74Hu3EQ4nT6uCMw==", + "subType": "06" + } + } + }, + "kmip_string_det_explicit_altname": { + "kms": "kmip", + 
"type": "string", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAC5OZgr9keCXOIj5Fi06i4win1xt7gpsyPA4Os+HdFn1MIP9tnktvWNRb8Rqhuj2O9KO83brx74Hu3EQ4nT6uCMw==", + "subType": "06" + } + } + }, + "kmip_object_rand_auto_id": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAADh2nGqaAUwHDRVjqYpj8JAPH7scmiHp1Z9SGBZQ6Fapxm+zWDdTBHyitM9U69BctJ5DaaafyqFOj5yr6sJ+ebJQ==", + "subType": "06" + } + } + }, + "kmip_object_rand_auto_altname": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAD1YhOKyNle4y0Qbeio1HlCULLeTCALCLgKSITd50bilD+oDyqQawixJAwphcdjhLdFzbFwst5RWqpsiWMPHx4hQ==", + "subType": "06" + } + } + }, + "kmip_object_rand_explicit_id": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAADveILoWFgX7AhUWCv8UL52TUa75qHuoNadnTQydJlqd6PVmtRKj+8vS7VwxNWPaH4wB1Tk7emMyFEbZpvvzjxqQ==", + "subType": "06" + } + } + }, + "kmip_object_rand_explicit_altname": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAADB/LN9V/4SROJn+ESHRLM7wwcUltQUx3+LbbYXjPDXiiV14HK76Iyy6ZxJ+M5qC9bRj3afhTKuWLBblB8WwksOg==", + "subType": "06" + } + } + }, + "kmip_object_det_explicit_id": { + "kms": "kmip", + "type": "object", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_det_explicit_altname": { + "kms": "kmip", + "type": "object", + "algo": "det", + "method": "explicit", + 
"identifier": "altname", + "allowed": false, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_array_rand_auto_id": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAEasWXQam8XtOkSO0nEttMCQ0iZ4V8DDmhMKyQDFDsiNHyF2h98Ya/xFv4ZSlbpGWXPBvBATEGgov/PDg2vhVi53y4Pk33RHfY60hABuksp3o=", + "subType": "06" + } + } + }, + "kmip_array_rand_auto_altname": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAEj3A1DYSEHm/3SlEmusA+pewxRPUoZ2NAjs60ioEBlCw9n6yiiB+X8d/w40TKsjZcOSfh05NC0z3gnpqQvrNolkxkvi9dmFiZeiiv5vBZUPI=", + "subType": "06" + } + } + }, + "kmip_array_rand_explicit_id": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAEqeJW+L6lP0bn5QcD0FMI0C8vv2n5kV7SKgqKi1o5mxaxmp3Cjlspf7yumfSiQ5js6G9yJVAvHuxlqv14UFyR9RgXS0PIA8WzsAqkL0sJSw0=", + "subType": "06" + } + } + }, + "kmip_array_rand_explicit_altname": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAEnPlPwy0B1VKuNum1GzkZwQjZia5jNYL5bf/k+PbfhnToTRWGxx8+E3R7XXp6YT/rFkjPlzU8ww9+iZNo2oqNpYuHdrIC8ybhO6HZAlvcERo=", + "subType": "06" + } + } + }, + "kmip_array_det_explicit_id": { + "kms": "kmip", + "type": "array", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_det_explicit_altname": { + "kms": "kmip", + "type": "array", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": [ + { + 
"$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_binData=00_rand_auto_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFliNDZ6DmjoVcYQBCKDI9njpBsDELg+TD6XLF7xbZnMaJCCHLHr7w3x2/xFfrFSN44CtGAKOniYPCMAspaxHqOA==", + "subType": "06" + } + } + }, + "kmip_binData=00_rand_auto_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAF/P8LPmHKGgG0l5/Xi7jdkwfxpGPxoY0417suCvN6zjM3JNdufytzkektrm9CbBb1SnZCGYF9c0FCMzFG+tN/dg==", + "subType": "06" + } + } + }, + "kmip_binData=00_rand_explicit_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFWI0N4RbnYdEiFrzNpbRN9p+bSLm8Lthiu4K3/CvBg6GQpLMVQFhjW01Bud0lxpT2ohRnOK+ASUhiFcUU/t/lWQ==", + "subType": "06" + } + } + }, + "kmip_binData=00_rand_explicit_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFQZvAtpY4cjEr1rJWVoUGaZKmzocSJ0muHose7Tk5kRDczjFa4Jcu4hN7JLM9qz2z4g+WJC3KQTdW4ZBXStke/Q==", + "subType": "06" + } + } + }, + "kmip_binData=00_det_auto_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFohIHrvzu8xLxVHsnYEDhZmv8BpEoEtFSjMUQzvBLUInvvTuU/rOzlVL88CkAEII7M3hcvrz8FKY7b7lC1veoYg==", + "subType": "06" + } + } + }, + "kmip_binData=00_det_explicit_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, 
+ "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFohIHrvzu8xLxVHsnYEDhZmv8BpEoEtFSjMUQzvBLUInvvTuU/rOzlVL88CkAEII7M3hcvrz8FKY7b7lC1veoYg==", + "subType": "06" + } + } + }, + "kmip_binData=00_det_explicit_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFohIHrvzu8xLxVHsnYEDhZmv8BpEoEtFSjMUQzvBLUInvvTuU/rOzlVL88CkAEII7M3hcvrz8FKY7b7lC1veoYg==", + "subType": "06" + } + } + }, + "kmip_binData=04_rand_auto_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFn7rhdO8tYq77uVxcqd9Qjz84Yg7JnJMYf0ULTMTh1vJHacckkhXw+8fIMMiAKwuOVwGkMAtu5RBvrFqdfxryCg8RLTxu1YYVthufiClEIS0=", + "subType": "06" + } + } + }, + "kmip_binData=04_rand_auto_altname": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFwwXQx9dKyoyHq7GBMmHzYe9ysoJK/f/ZWzA6nErau9MtX1gqi7VRsYqkamb47/zVbsLZwPMmdgNyPxEh3kqbV2D61t5RG2A3VeqhO1pTF8c=", + "subType": "06" + } + } + }, + "kmip_binData=04_rand_explicit_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAFALeGeinJ8DE+WZniLdCIW2gfJUj445Ukp9PvRLgBXLGedl8mIXlLF2eu3BA9vP6s5y9w6peQjhn+oEofrsUVYD2duyzeIRMKgNiNchjf6TU=", + "subType": "06" + } + } + }, + "kmip_binData=04_rand_explicit_altname": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": 
"AijCDwAAAAAAAAAAAAAAAAAF06Fx8CO3OSKE3fGri0VwK0e22YiG9LH2QkDTsRdFbT2lBm+bDD9FrEY8vKWS5RljMuysaxjBOzZ98d2LEs6k8LMOm83Nz/RESe4ZbbcfdQ0=", + "subType": "06" + } + } + }, + "kmip_binData=04_det_auto_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFzmZI909fJgxOykJtvOlv5LsX8z6BxUX2Xg5TsIwOxJMPSC8usm/zR7sZawoVBOuJxtNVLY/8oNP/4pFtAmQo02bUOtTo1yxNz/IZa9x+Q5E=", + "subType": "06" + } + } + }, + "kmip_binData=04_det_explicit_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFzmZI909fJgxOykJtvOlv5LsX8z6BxUX2Xg5TsIwOxJMPSC8usm/zR7sZawoVBOuJxtNVLY/8oNP/4pFtAmQo02bUOtTo1yxNz/IZa9x+Q5E=", + "subType": "06" + } + } + }, + "kmip_binData=04_det_explicit_altname": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAFzmZI909fJgxOykJtvOlv5LsX8z6BxUX2Xg5TsIwOxJMPSC8usm/zR7sZawoVBOuJxtNVLY/8oNP/4pFtAmQo02bUOtTo1yxNz/IZa9x+Q5E=", + "subType": "06" + } + } + }, + "kmip_undefined_rand_explicit_id": { + "kms": "kmip", + "type": "undefined", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_rand_explicit_altname": { + "kms": "kmip", + "type": "undefined", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_det_explicit_id": { + "kms": "kmip", + "type": "undefined", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_det_explicit_altname": { + "kms": "kmip", + "type": "undefined", + "algo": 
"det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_objectId_rand_auto_id": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAHZFzE908RuO5deEt3t2QQdT12ybwqbm8D+sMJrdKt2Wp4kVPsw4ocAGGsRYN6VXe46P5fmyG5HqVWn0hkflZnQg==", + "subType": "06" + } + } + }, + "kmip_objectId_rand_auto_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAH3dPKyCCStvOtVGzlgIS33fsl8OAwQblt9i21pOVuLiliY1Tup9EtkSic88+nNEtXnq9gRknRzLthXv/k1ql+7Q==", + "subType": "06" + } + } + }, + "kmip_objectId_rand_explicit_id": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAHcEjxVfHDSfLzFxAuK/rs/Pn/XV7jLkgKXZYeY0PNlRi1MHojN2AvQqI3J2rOvAjuYfikGcpvGPp/goqUbV9HYw==", + "subType": "06" + } + } + }, + "kmip_objectId_rand_explicit_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAHX65sNHnRYpx3VbWPCdQyFe7u0Y5ItabLEduqDeVsPk/iK4X3GjCSHQfw1yPi+CA+/veVpgdonwws6RiYV4ZZ5Q==", + "subType": "06" + } + } + }, + "kmip_objectId_det_auto_id": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAHKU7mcdGEq2WGrDB6TicipLQstAk6G3PkiNt5F3bMavpKLjz04UBrd8aWGVG2gJTTON1UKRztiYFgRvb8f+LK/Q==", + "subType": "06" + } + } + }, + "kmip_objectId_det_explicit_id": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "explicit", + "identifier": "id", + 
"allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAHKU7mcdGEq2WGrDB6TicipLQstAk6G3PkiNt5F3bMavpKLjz04UBrd8aWGVG2gJTTON1UKRztiYFgRvb8f+LK/Q==", + "subType": "06" + } + } + }, + "kmip_objectId_det_explicit_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAHKU7mcdGEq2WGrDB6TicipLQstAk6G3PkiNt5F3bMavpKLjz04UBrd8aWGVG2gJTTON1UKRztiYFgRvb8f+LK/Q==", + "subType": "06" + } + } + }, + "kmip_bool_rand_auto_id": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAIw/xgJlKEvErmVtue3X3RFsOI2sttAbxnzh1INc9GUQ2vok1VwYt9k88RxMPiOwMAZG7P1MlAdx7zt865onPKOw==", + "subType": "06" + } + } + }, + "kmip_bool_rand_auto_altname": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAIn8IuzlNHbpTgXOd1wEp364zJOBxj2Zf7a9B5osUV1sDY0G1OVpEnuDvZeUsdiUSyRjTTxzyuD/KZlKZ3+qrnrA==", + "subType": "06" + } + } + }, + "kmip_bool_rand_explicit_id": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAI3Nz9PdjUYQRGfTtvYSR8EQuUKFL0wdlEdfSCTBmMBhBPuuF9KxqCgy+ldVu1DRRgg3346DOKEEtE9BJPPInJ6Q==", + "subType": "06" + } + } + }, + "kmip_bool_rand_explicit_altname": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAIEGjqoerIZBk8Rw+YTO7jFKWzagDS8mEpD+9Wm1Q0r0ZHUmV0dQZcIqRV4oUk8U8uHUn0N3t2qGLr+rhUs4GH/g==", + "subType": "06" + } + } + }, + "kmip_bool_det_explicit_id": { + "kms": "kmip", + "type": "bool", + "algo": 
"det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": true + }, + "kmip_bool_det_explicit_altname": { + "kms": "kmip", + "type": "bool", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": true + }, + "kmip_date_rand_auto_id": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAJgr0v4xetUXjlLcPcyKv/rzjtWOKp9CZJcm23Noglu5RR/rXJS0qKI+W9MmJ64TMf27KvaJ0UXwfTRrvOC1plCg==", + "subType": "06" + } + } + }, + "kmip_date_rand_auto_altname": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAJoeysAaiPsVK+JL1P1vD/9xF92m5kKidUdn6yklPlSKN4VVEBTymDetTLujULs1u1TlrS71jVLxo3xEwpG/KQvg==", + "subType": "06" + } + } + }, + "kmip_date_rand_explicit_id": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAJVwu4+Su0DktpnZvzTBHYpWbWTq5gho/SLijrcIrFJcvq4YrjjPCXv+odCl95tkH+J1RlJdQ5Cr0umEIazLa6GA==", + "subType": "06" + } + } + }, + "kmip_date_rand_explicit_altname": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAJWTYpjbDkIf82QXHMGrvd0SqhP8cBIakfYJf5aNcNrs86vxRhiG3KwETWPeOOlPZ6n1WjE2bOLB+DJTAxmJvahA==", + "subType": "06" + } + } + }, + "kmip_date_det_auto_id": { + "kms": "kmip", + "type": "date", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAJ/+sQrUqQh+JADSVIKM0d68gDUhDy37M1z1uvROzQw6hUAbQeD0DWdztADKg560UTPM4uOgH4NAyhLyBLMrWWHg==", + "subType": "06" + } + } + }, + "kmip_date_det_explicit_id": { + 
"kms": "kmip", + "type": "date", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAJ/+sQrUqQh+JADSVIKM0d68gDUhDy37M1z1uvROzQw6hUAbQeD0DWdztADKg560UTPM4uOgH4NAyhLyBLMrWWHg==", + "subType": "06" + } + } + }, + "kmip_date_det_explicit_altname": { + "kms": "kmip", + "type": "date", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAJ/+sQrUqQh+JADSVIKM0d68gDUhDy37M1z1uvROzQw6hUAbQeD0DWdztADKg560UTPM4uOgH4NAyhLyBLMrWWHg==", + "subType": "06" + } + } + }, + "kmip_null_rand_explicit_id": { + "kms": "kmip", + "type": "null", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": null + }, + "kmip_null_rand_explicit_altname": { + "kms": "kmip", + "type": "null", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": null + }, + "kmip_null_det_explicit_id": { + "kms": "kmip", + "type": "null", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": null + }, + "kmip_null_det_explicit_altname": { + "kms": "kmip", + "type": "null", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": null + }, + "kmip_regex_rand_auto_id": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAALi8avMfpxSlDsSTqdxO8O2B1M79gOElyUIdXySQo7mvgHlf4oHQ7r94lL9dnsA2t/jmUmBKoGypaUQUSQE+9x+A==", + "subType": "06" + } + } + }, + "kmip_regex_rand_auto_altname": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": 
"AijCDwAAAAAAAAAAAAAAAAALfHerZ/KolaBrb5qi3SpeNVW+i/nh5mkcdtQg5f1pHePr68KryHucM/XDAzbMqrPlag2/41STGYdJqzYO7Mbppg==", + "subType": "06" + } + } + }, + "kmip_regex_rand_explicit_id": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAALOhKDVAN5cuDyB1EuRFWgKKt0wGJ63E5pPY8Tq2TXMNgCxUUc5O+TE+Ux4ls/uMyOBA3gPzND0CZKiru0i7ACUQ==", + "subType": "06" + } + } + }, + "kmip_regex_rand_explicit_altname": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAALK3Hg8xX9gX+d3vKh7aosRP9CS2CIFeG9sapZv3OAPv1eWjY62Cp/G16kJ0BQt33RYD+DzD3gWupfUSyNZR0gng==", + "subType": "06" + } + } + }, + "kmip_regex_det_auto_id": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAALaQXA8rItT7ELVxO8XtAWdHuiXFFPmnMhS5PMrUy/6mRtbq4fvU9dascW7ozonKOh8ad6+MIT7B/STv9dVBF4Kw==", + "subType": "06" + } + } + }, + "kmip_regex_det_explicit_id": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAALaQXA8rItT7ELVxO8XtAWdHuiXFFPmnMhS5PMrUy/6mRtbq4fvU9dascW7ozonKOh8ad6+MIT7B/STv9dVBF4Kw==", + "subType": "06" + } + } + }, + "kmip_regex_det_explicit_altname": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAALaQXA8rItT7ELVxO8XtAWdHuiXFFPmnMhS5PMrUy/6mRtbq4fvU9dascW7ozonKOh8ad6+MIT7B/STv9dVBF4Kw==", + "subType": "06" + } + } + }, + "kmip_dbPointer_rand_auto_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "auto", + "identifier": "id", + 
"allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAMoGkfmmUWTI+0aW7jVyCJ5Dgru1SCXBUmJSRzDL0D57pNruQ+79tVVcI6Uz5j87DhZFxShHbPjj583vLOOBNM3WGzZCpqH3serhHTWvXK+NM=", + "subType": "06" + } + } + }, + "kmip_dbPointer_rand_auto_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAMwu1WaRhhv43xgxLNxuenbND9M6mxGtCs9o4J5+yfL95XNB9Daie3RcLlyngz0pncBie6IqjhTycXsxTLQ94Jdg6m5GD5cU541LYKvhbv5f4=", + "subType": "06" + } + } + }, + "kmip_dbPointer_rand_explicit_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAM+CIoCAisUwhhJtWQLolxQGQWafniwYyvaJQHmJC94Uwbf1gPfhMR42v2VtrmIVP0J0BaP/xf0cco2/qWRdKGZpgkK2CK6M972NtnZ/2x03A=", + "subType": "06" + } + } + }, + "kmip_dbPointer_rand_explicit_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAMjbeE9+EaJYjGfeAuxsV8teOdsW8bfnlkvji/tE11Zq89UMGx+oUsZzeLjUgVZ5nxsZKCZjEAq+DPnwFVC+MgqNeqWL7fRChODFlPGH2ZC+8=", + "subType": "06" + } + } + }, + "kmip_dbPointer_det_auto_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAM5B+fjbjYCZzCYUu4N/pJI3srCCXN+OCCHweeweqmpIEmB7yw87bQRIMGtCm6HuekcZ5J5q+nY5AQb0du/wh1YIoOrC3u4w7ZcLHkDmuAJPg=", + "subType": "06" + } + } + }, + "kmip_dbPointer_det_explicit_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": 
"ASjCDwAAAAAAAAAAAAAAAAAM5B+fjbjYCZzCYUu4N/pJI3srCCXN+OCCHweeweqmpIEmB7yw87bQRIMGtCm6HuekcZ5J5q+nY5AQb0du/wh1YIoOrC3u4w7ZcLHkDmuAJPg=", + "subType": "06" + } + } + }, + "kmip_dbPointer_det_explicit_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAM5B+fjbjYCZzCYUu4N/pJI3srCCXN+OCCHweeweqmpIEmB7yw87bQRIMGtCm6HuekcZ5J5q+nY5AQb0du/wh1YIoOrC3u4w7ZcLHkDmuAJPg=", + "subType": "06" + } + } + }, + "kmip_javascript_rand_auto_id": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAANuzlkWs/c8xArrAxPgYuCeShjj1zCfIMHOTPohspcyNofo9iY3P5MlhEOprZDiS8dBFg6EB7fZDzDdczx6VCN2A==", + "subType": "06" + } + } + }, + "kmip_javascript_rand_auto_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAANwJ72y7UqCBJh1NwVRiE3vU1ex7FMv/X5YWCMuO9MHPMo4g1V5eaO4KfOr+K8+9NtkflgMpeDkvwP92rfR5ud5Q==", + "subType": "06" + } + } + }, + "kmip_javascript_rand_explicit_id": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAANj5q+888itRnLsw9PNGsBLhgqpvem5IJBOE2292r6zwjVueoEK/2I2PesRnn0esnkwdia1ADoMkcLUegwcFRkWQ==", + "subType": "06" + } + } + }, + "kmip_javascript_rand_explicit_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAANnvbnmApys7OIe8LGTsZKDG1F1G1SI/rfZVmF6q1fq5U7feYPp1ejb2t2S2+v7LfcOHytsQWGcYuWCDcl+vosvQ==", + "subType": "06" + } + } + }, + "kmip_javascript_det_auto_id": { + "kms": 
"kmip", + "type": "javascript", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAANOR9R/Da8j5iVxllLiGFlv4U/bVn/PyN9/5WeGJkGJeE/j/osKrKx6IL1igI0YVI+pKKzsINqJGIv+bJX0s7MNw==", + "subType": "06" + } + } + }, + "kmip_javascript_det_explicit_id": { + "kms": "kmip", + "type": "javascript", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAANOR9R/Da8j5iVxllLiGFlv4U/bVn/PyN9/5WeGJkGJeE/j/osKrKx6IL1igI0YVI+pKKzsINqJGIv+bJX0s7MNw==", + "subType": "06" + } + } + }, + "kmip_javascript_det_explicit_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAANOR9R/Da8j5iVxllLiGFlv4U/bVn/PyN9/5WeGJkGJeE/j/osKrKx6IL1igI0YVI+pKKzsINqJGIv+bJX0s7MNw==", + "subType": "06" + } + } + }, + "kmip_symbol_rand_auto_id": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAOe+vXpJSkmBM3WkxZrn4ea9/C6iNyMXWUzkQIzIYlnbkyu8od8nfOdhobUhoFxcKnvdaxN1s5NhJ1FA97RN/upGYN+AI/7cTCElmFSpdSvkI=", + "subType": "06" + } + } + }, + "kmip_symbol_rand_auto_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAOPpCgK6Hc/M2elOJkwIU9J7PZa+h1chody2yvfDu/UlB6T5sxnEZ6aEY/ISNLhJlhsRzuApSgFOmnrcG6Eg9VnSKin2yK0ll+VFxQEDHAcSA=", + "subType": "06" + } + } + }, + "kmip_symbol_rand_explicit_id": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": 
"AijCDwAAAAAAAAAAAAAAAAAOVoHX9GaOn71L5D9TpZmmxkx/asr0FHCLG5ZgLLA04yIhZHsDjt2DiVGGO/Mf4KwvoBn7Cf08qMhW7rQh2LgvvSLBO3zbw5l+MZ/bSn+Jylo=", + "subType": "06" + } + } + }, + "kmip_symbol_rand_explicit_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAOPobmcO/I4QObtCUEmGWpSCJ6tlYyhbO59q78LZBucSNl7DSkf/13tOJ9t+WKXACcMKVMmfPoFsgHbVj1nKWULBT07n1OWWDTZkuMD6C2+Fc=", + "subType": "06" + } + } + }, + "kmip_symbol_det_auto_id": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAOPpwX4mafoQJYHuzYfbKW1JunpjpB7Nd2slTC3n8Hsas9wQYf9VkModQhe5M4wZHOIXpehaODRcjKKfKRmpnNBOURSLm/ORJvy+UxtSLsnqo=", + "subType": "06" + } + } + }, + "kmip_symbol_det_explicit_id": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAOPpwX4mafoQJYHuzYfbKW1JunpjpB7Nd2slTC3n8Hsas9wQYf9VkModQhe5M4wZHOIXpehaODRcjKKfKRmpnNBOURSLm/ORJvy+UxtSLsnqo=", + "subType": "06" + } + } + }, + "kmip_symbol_det_explicit_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAOPpwX4mafoQJYHuzYfbKW1JunpjpB7Nd2slTC3n8Hsas9wQYf9VkModQhe5M4wZHOIXpehaODRcjKKfKRmpnNBOURSLm/ORJvy+UxtSLsnqo=", + "subType": "06" + } + } + }, + "kmip_javascriptWithScope_rand_auto_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAPW2VMMm+EvsYpVtJQhsxgxgvV35kr9nxqKxP2qqIOAOQ58R/1oyYScFkNwB/tw0A1/zdvhoo+ERa7c0tjLIojFrosXhX2N/8Z4VnbZruz0Nk=", + "subType": "06" + } + 
} + }, + "kmip_javascriptWithScope_rand_auto_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAPjPq9BQR4EwG/CD+RthOJY04m99LCl/shY6HnaU/QL627kN1dbBAG5vs+MXfa+glg8waVTNgB94vm3j72FMV1ZOKvbl4faWF1Rl2EOpOlR9U=", + "subType": "06" + } + } + }, + "kmip_javascriptWithScope_rand_explicit_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAPtqebrCAidKzBMvp3B5/vBeetqeCoMKS+vo+hLAYooXrnBunWxwRHpr45XYUvroG3aqOMkLtVZSgw8sO6Y/3z1viO2G0sGQW1ZMoW0/PX5Uw=", + "subType": "06" + } + } + }, + "kmip_javascriptWithScope_rand_explicit_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAPtkJwXKlq8Fx1f1+9HFofM4uKi6lHQRFRyiOyUFJYxxZY1LR/2WXXTqWz3MWtrcJFCB+QSVOb1N/ieC7AZUboPgIuPJISM3Hu5VU2x/Isbdc=", + "subType": "06" + } + } + }, + "kmip_javascriptWithScope_det_explicit_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_javascriptWithScope_det_explicit_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_int_rand_auto_id": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAQ50kE7Tby9od2OsmIGZhp9k/mj4vy/YdnmF6YsSPxihbjV1vXGMraI/nGCr+0H1riwzq3m4sCT7aPw2VgiuwKMA==", + "subType": "06" + } + } + }, + 
"kmip_int_rand_auto_altname": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAQkNL14OSMX/bJbsLtB/UumRoat6QOY7fvwZxRrkXTS3VJVHigthI1cUX7Is/uUsY8oHOfk/ZuHklQkifmfdcklQ==", + "subType": "06" + } + } + }, + "kmip_int_rand_explicit_id": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAQtN2gNVU9Itoj+vgcK/4jEB5baSUH+Qz2WqTY7m0XaA3bPWGFCiWY4Sdw+qovednrSSSbC+azWi1QYclFRraldQ==", + "subType": "06" + } + } + }, + "kmip_int_rand_explicit_altname": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAQk6uBqwXXFF9zEM4bc124goI3pBy2Jdi8Cd0ycKkjXrPG7GVCUm2UMbO+zEzYODeVo35N11g2yMXcv9RVgjWtNA==", + "subType": "06" + } + } + }, + "kmip_int_det_auto_id": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAQgrkPEf+RBZMn/J7HZObqEfus8icYls6ecaUrlabI6v1ALgxLuv23WSIfTr6mqpQCounqdA14DWS/Wl3kSkVC0w==", + "subType": "06" + } + } + }, + "kmip_int_det_explicit_id": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAQgrkPEf+RBZMn/J7HZObqEfus8icYls6ecaUrlabI6v1ALgxLuv23WSIfTr6mqpQCounqdA14DWS/Wl3kSkVC0w==", + "subType": "06" + } + } + }, + "kmip_int_det_explicit_altname": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAQgrkPEf+RBZMn/J7HZObqEfus8icYls6ecaUrlabI6v1ALgxLuv23WSIfTr6mqpQCounqdA14DWS/Wl3kSkVC0w==", + 
"subType": "06" + } + } + }, + "kmip_timestamp_rand_auto_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAAR2Cu3o2e/u5o69MndeZPJU5ngVA1G2MNYn00t+up/GlmaUC1ni1CVl0ZR0EVZ0gCDUrfxwPISPib8y23tNjbsog==", + "subType": "06" + } + } + }, + "kmip_timestamp_rand_auto_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAARgi8stgSQwqnN4Ws2ZBILOREsjreZcS1MBerL7dbGLVfzW99tqECglhGokkrE0aY69L0xMgcAUIaFRN4GanQAPg==", + "subType": "06" + } + } + }, + "kmip_timestamp_rand_explicit_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAARPxEEI8L5Q3Jybu88BLdf31T3uYEUbijgSlKlkTt141RYrlE8nxtiYU5/5H9GXBis0Qq1s2C+MauD2h/cNijTCA==", + "subType": "06" + } + } + }, + "kmip_timestamp_rand_explicit_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAARh/QaU1dnGbii4LtXCpT5o6vencc8E2fzarjJFbSEd0ixW/UV1ppZdvD729d0umkaIwIEVA4q+XVvHfl/ckKPFg==", + "subType": "06" + } + } + }, + "kmip_timestamp_det_auto_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAARqdpLb72mmzb75QBrE+ATMfS5LLqzAD/1g5ScT8zfgh0IHsZZBWCJlSVRNC12Sgr3zdXHMtYp8C3OZT6/tPkQGg==", + "subType": "06" + } + } + }, + "kmip_timestamp_det_explicit_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": 
"ASjCDwAAAAAAAAAAAAAAAAARqdpLb72mmzb75QBrE+ATMfS5LLqzAD/1g5ScT8zfgh0IHsZZBWCJlSVRNC12Sgr3zdXHMtYp8C3OZT6/tPkQGg==", + "subType": "06" + } + } + }, + "kmip_timestamp_det_explicit_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAARqdpLb72mmzb75QBrE+ATMfS5LLqzAD/1g5ScT8zfgh0IHsZZBWCJlSVRNC12Sgr3zdXHMtYp8C3OZT6/tPkQGg==", + "subType": "06" + } + } + }, + "kmip_long_rand_auto_id": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAASVv+ClXkh9spIaXWJYRV/o8UZjG+WWWrNpIjZ9LQn2bXakrKJ3REvdkrzGuxASmBhBYTplEyvxVCJwXuWRAGGYw==", + "subType": "06" + } + } + }, + "kmip_long_rand_auto_altname": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAASeAz/dK+Gc4/jx3W07B2rNFvQ0LoyCllFRvRVGu1Xf1NByc4cRZLOMzlr99syz/fifF6WY30bOi5Pani9QtFuGg==", + "subType": "06" + } + } + }, + "kmip_long_rand_explicit_id": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAASP1HD9uoDlwTldaznKxW71JUQcLsa4/cUWzeTnelQwdpohCbZsM8fBZBqgwwTWnjpYY/LBUipC6yhwLKfUXBoBQ==", + "subType": "06" + } + } + }, + "kmip_long_rand_explicit_altname": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAASnGPH77bS/ETB1hn+VTvsBrxEvIHA6EAb8Z2SEz6BHt7SVeI+I7DLERvRVpV5kNJFcKgXDrvRmD+Et0rhSmk9sw==", + "subType": "06" + } + } + }, + "kmip_long_det_auto_id": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": 
true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAS+zKmtijSTPOEVlpwmaeMIOuzVNuZpV4Jw9zP8Yqa1xYtlItXDozqdibacRaA74KU49KNySdR1T7fxwxa2OOTrQ==", + "subType": "06" + } + } + }, + "kmip_long_det_explicit_id": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAS+zKmtijSTPOEVlpwmaeMIOuzVNuZpV4Jw9zP8Yqa1xYtlItXDozqdibacRaA74KU49KNySdR1T7fxwxa2OOTrQ==", + "subType": "06" + } + } + }, + "kmip_long_det_explicit_altname": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "ASjCDwAAAAAAAAAAAAAAAAAS+zKmtijSTPOEVlpwmaeMIOuzVNuZpV4Jw9zP8Yqa1xYtlItXDozqdibacRaA74KU49KNySdR1T7fxwxa2OOTrQ==", + "subType": "06" + } + } + }, + "kmip_decimal_rand_auto_id": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAATu/BbCc5Ti9SBlMR2B8zj3Q1yQ16Uob+10LWaT5QKS192IcnBGy4wmmNkIsTys060xUby9KKQF80dVPnjYfqJwEXCe/pVaPQZftE0DolKv78=", + "subType": "06" + } + } + }, + "kmip_decimal_rand_auto_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAATpq6/dtxq2ZUZHrK10aB0YjjPalEaXYcyAyRZjfXWAYCLZdT9sIybjX3Axjxisim+VSHx0QU7oXkKUfcbLgHyjUXj8g9059FHxKFkUsNv4Z8=", + "subType": "06" + } + } + }, + "kmip_decimal_rand_explicit_id": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAATS++9KcfM7uiShZYxRpFPrBJquKv7dyvFRTjnxs6aaaPo0fiqpv6bco/cMLsldEVpWDEA/Tc2HtSXYPp4UJsMfASyBjoxCloL5SaRWyD9Ye8=", + "subType": "06" + } + } + }, + 
"kmip_decimal_rand_explicit_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AijCDwAAAAAAAAAAAAAAAAATREcETS5KoAGyj/P45owPrdFfy5ng8Z1ND+F+780lLddOyPeDnIsa7yg6uvhTZ65mHfGLvKcFocclYenq/AX1dY4xdjLRg/AfT088A27ORUA=", + "subType": "06" + } + } + }, + "kmip_decimal_det_explicit_id": { + "kms": "kmip", + "type": "decimal", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_det_explicit_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_minKey_rand_explicit_id": { + "kms": "kmip", + "type": "minKey", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_rand_explicit_altname": { + "kms": "kmip", + "type": "minKey", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_det_explicit_id": { + "kms": "kmip", + "type": "minKey", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_det_explicit_altname": { + "kms": "kmip", + "type": "minKey", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_maxKey_rand_explicit_id": { + "kms": "kmip", + "type": "maxKey", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + "kmip_maxKey_rand_explicit_altname": { + "kms": "kmip", + "type": "maxKey", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + 
"kmip_maxKey_det_explicit_id": { + "kms": "kmip", + "type": "maxKey", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + "kmip_maxKey_det_explicit_altname": { + "kms": "kmip", + "type": "maxKey", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$maxKey": 1 + } } } \ No newline at end of file diff --git a/data/client_side_encryption/corpus/corpus-key-kmip.json b/data/client_side_encryption/corpus/corpus-key-kmip.json new file mode 100644 index 0000000000..7c7069700e --- /dev/null +++ b/data/client_side_encryption/corpus/corpus-key-kmip.json @@ -0,0 +1,32 @@ +{ + "_id": { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + }, + "keyMaterial": { + "$binary": { + "base64": "eUYDyB0HuWb+lQgUwO+6qJQyTTDTY2gp9FbemL7ZFo0pvr0x6rm6Ff9OVUTGH6HyMKipaeHdiIJU1dzsLwvqKvi7Beh+U4iaIWX/K0oEg1GOsJc0+Z/in8gNHbGUYLmycHViM3LES3kdt7FdFSUl5rEBHrM71yoNEXImz17QJWMGOuT4x6yoi2pvnaRJwfrI4DjpmnnTrDMac92jgZehbg==", + "subType": "00" + } + }, + "creationDate": { + "$date": { + "$numberLong": "1634220190041" + } + }, + "updateDate": { + "$date": { + "$numberLong": "1634220190041" + } + }, + "status": { + "$numberInt": "0" + }, + "masterKey": { + "provider": "kmip", + "keyId": "1" + }, + "keyAltNames": ["kmip"] +} \ No newline at end of file diff --git a/data/client_side_encryption/corpus/corpus-schema.json b/data/client_side_encryption/corpus/corpus-schema.json index f145f712a4..e74bc914f5 100644 --- a/data/client_side_encryption/corpus/corpus-schema.json +++ b/data/client_side_encryption/corpus/corpus-schema.json 
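Review bot: The new `corpus-key-kmip.json` commits a fixed data-key document (`keyMaterial`, `masterKey.keyId` of "1", `keyAltNames` of ["kmip"]), and nothing in the hunk marks it as a test fixture. JSON has no comment syntax, so the provenance has to be recorded next to the file. I would add a line to the corpus test documentation such as `corpus-key-kmip.json: test-only data key, wrapped by key "1" on the test KMIP server; never insert into a production key vault`. The `keyMaterial` appears to be the wrapped form rather than a raw key, but that cannot be confirmed from this page. The same `_id` (`KMIPAAAAAAAAAAAAAAAAAA==`) is hard-coded in every `keyId` entry of the `corpus-schema.json` hunk, so a regenerated key would need both files updated together.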
@@ -5064,6 +5064,1272 @@ "bsonType": "binData" } } + }, + "kmip_double_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "double" + } + } + } + }, + "kmip_double_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "double" + } + } + } + }, + "kmip_double_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_double_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_string_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "string" + } + } + } + }, + "kmip_string_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "string" + } + } + } + }, + "kmip_string_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_string_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_string_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "string" + } + } + } + }, + "kmip_string_det_explicit_id": { + "bsonType": 
"object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_string_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_object_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "object" + } + } + } + }, + "kmip_object_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "object" + } + } + } + }, + "kmip_object_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_object_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_array_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "array" + } + } + } + }, + "kmip_array_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "array" + } + } + } + }, + "kmip_array_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_array_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=00_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + 
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=00_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=00_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=00_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=00_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=00_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=00_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=04_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=04_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=04_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=04_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + 
"kmip_binData=04_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "binData" + } + } + } + }, + "kmip_binData=04_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_binData=04_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_objectId_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "objectId" + } + } + } + }, + "kmip_objectId_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "objectId" + } + } + } + }, + "kmip_objectId_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_objectId_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_objectId_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "objectId" + } + } + } + }, + "kmip_objectId_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_objectId_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_bool_rand_auto_id": { + "bsonType": 
"object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "bool" + } + } + } + }, + "kmip_bool_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "bool" + } + } + } + }, + "kmip_bool_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_bool_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_date_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "date" + } + } + } + }, + "kmip_date_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "date" + } + } + } + }, + "kmip_date_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_date_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_date_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "date" + } + } + } + }, + "kmip_date_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_date_det_explicit_altname": { + "bsonType": 
"object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_regex_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "regex" + } + } + } + }, + "kmip_regex_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "regex" + } + } + } + }, + "kmip_regex_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_regex_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_regex_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "regex" + } + } + } + }, + "kmip_regex_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_regex_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_dbPointer_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "dbPointer" + } + } + } + }, + "kmip_dbPointer_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "dbPointer" + } + } + } + }, + 
"kmip_dbPointer_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_dbPointer_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_dbPointer_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "dbPointer" + } + } + } + }, + "kmip_dbPointer_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_dbPointer_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascript_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "javascript" + } + } + } + }, + "kmip_javascript_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "javascript" + } + } + } + }, + "kmip_javascript_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascript_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascript_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "javascript" + } + } + } + }, + 
"kmip_javascript_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascript_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_symbol_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "symbol" + } + } + } + }, + "kmip_symbol_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "symbol" + } + } + } + }, + "kmip_symbol_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_symbol_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_symbol_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "symbol" + } + } + } + }, + "kmip_symbol_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_symbol_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascriptWithScope_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "javascriptWithScope" + } + } + } + }, + "kmip_javascriptWithScope_rand_auto_altname": { + 
"bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "javascriptWithScope" + } + } + } + }, + "kmip_javascriptWithScope_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_javascriptWithScope_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_int_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "int" + } + } + } + }, + "kmip_int_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "int" + } + } + } + }, + "kmip_int_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_int_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_int_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "int" + } + } + } + }, + "kmip_int_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_int_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_timestamp_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + 
"subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "timestamp" + } + } + } + }, + "kmip_timestamp_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "timestamp" + } + } + } + }, + "kmip_timestamp_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_timestamp_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_timestamp_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "timestamp" + } + } + } + }, + "kmip_timestamp_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_timestamp_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_long_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "long" + } + } + } + }, + "kmip_long_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "long" + } + } + } + }, + "kmip_long_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_long_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + 
"kmip_long_det_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + "bsonType": "long" + } + } + } + }, + "kmip_long_det_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_long_det_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_decimal_rand_auto_id": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "KMIPAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "decimal" + } + } + } + }, + "kmip_decimal_rand_auto_altname": { + "bsonType": "object", + "properties": { + "value": { + "encrypt": { + "keyId": "/altname_kmip", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random", + "bsonType": "decimal" + } + } + } + }, + "kmip_decimal_rand_explicit_id": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } + }, + "kmip_decimal_rand_explicit_altname": { + "bsonType": "object", + "properties": { + "value": { + "bsonType": "binData" + } + } } } } \ No newline at end of file diff --git a/data/client_side_encryption/corpus/corpus.json b/data/client_side_encryption/corpus/corpus.json index 55bbaf99c2..559711b347 100644 --- a/data/client_side_encryption/corpus/corpus.json +++ b/data/client_side_encryption/corpus/corpus.json @@ -4,6 +4,7 @@ "altname_local": "local", "altname_azure": "azure", "altname_gcp": "gcp", + "altname_kmip": "kmip", "aws_double_rand_auto_id": { "kms": "aws", "type": "double", 
@@ -6648,6 +6649,1667 @@ "$maxKey": 1 } }, + "kmip_double_rand_auto_id": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_double_rand_auto_altname": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_double_rand_explicit_id": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_double_rand_explicit_altname": { + "kms": "kmip", + "type": "double", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_double_det_explicit_id": { + "kms": "kmip", + "type": "double", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_double_det_explicit_altname": { + "kms": "kmip", + "type": "double", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$numberDouble": "1.234" + } + }, + "kmip_string_rand_auto_id": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": "mongodb" + }, + "kmip_string_rand_auto_altname": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": "mongodb" + }, + "kmip_string_rand_explicit_id": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": "mongodb" + }, + "kmip_string_rand_explicit_altname": { + "kms": "kmip", + "type": "string", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + 
"value": "mongodb" + }, + "kmip_string_det_auto_id": { + "kms": "kmip", + "type": "string", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": "mongodb" + }, + "kmip_string_det_explicit_id": { + "kms": "kmip", + "type": "string", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": "mongodb" + }, + "kmip_string_det_explicit_altname": { + "kms": "kmip", + "type": "string", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": "mongodb" + }, + "kmip_object_rand_auto_id": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_rand_auto_altname": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_rand_explicit_id": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_rand_explicit_altname": { + "kms": "kmip", + "type": "object", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_det_explicit_id": { + "kms": "kmip", + "type": "object", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_object_det_explicit_altname": { + "kms": "kmip", + "type": "object", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "x": { + "$numberInt": "1" + } + } + }, + "kmip_array_rand_auto_id": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + 
"value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_rand_auto_altname": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_rand_explicit_id": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_rand_explicit_altname": { + "kms": "kmip", + "type": "array", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_det_explicit_id": { + "kms": "kmip", + "type": "array", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_array_det_explicit_altname": { + "kms": "kmip", + "type": "array", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": [ + { + "$numberInt": "1" + }, + { + "$numberInt": "2" + }, + { + "$numberInt": "3" + } + ] + }, + "kmip_binData=00_rand_auto_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_rand_auto_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_rand_explicit_id": { + "kms": "kmip", + "type": 
"binData=00", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_rand_explicit_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_det_auto_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_det_explicit_id": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=00_det_explicit_altname": { + "kms": "kmip", + "type": "binData=00", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AQIDBA==", + "subType": "00" + } + } + }, + "kmip_binData=04_rand_auto_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_rand_auto_altname": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_rand_explicit_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_rand_explicit_altname": 
{ + "kms": "kmip", + "type": "binData=04", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_det_auto_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_det_explicit_id": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_binData=04_det_explicit_altname": { + "kms": "kmip", + "type": "binData=04", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$binary": { + "base64": "AAECAwQFBgcICQoLDA0ODw==", + "subType": "04" + } + } + }, + "kmip_undefined_rand_explicit_id": { + "kms": "kmip", + "type": "undefined", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_rand_explicit_altname": { + "kms": "kmip", + "type": "undefined", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_det_explicit_id": { + "kms": "kmip", + "type": "undefined", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_undefined_det_explicit_altname": { + "kms": "kmip", + "type": "undefined", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$undefined": true + } + }, + "kmip_objectId_rand_auto_id": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "auto", + "identifier": "id", + 
"allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_rand_auto_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_rand_explicit_id": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_rand_explicit_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_det_auto_id": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_det_explicit_id": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_objectId_det_explicit_altname": { + "kms": "kmip", + "type": "objectId", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$oid": "01234567890abcdef0123456" + } + }, + "kmip_bool_rand_auto_id": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": true + }, + "kmip_bool_rand_auto_altname": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": true + }, + "kmip_bool_rand_explicit_id": { + "kms": "kmip", + "type": "bool", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": true + }, + "kmip_bool_rand_explicit_altname": { + "kms": "kmip", + "type": "bool", + "algo": 
"rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": true + }, + "kmip_bool_det_explicit_id": { + "kms": "kmip", + "type": "bool", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": true + }, + "kmip_bool_det_explicit_altname": { + "kms": "kmip", + "type": "bool", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": true + }, + "kmip_date_rand_auto_id": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_rand_auto_altname": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_rand_explicit_id": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_rand_explicit_altname": { + "kms": "kmip", + "type": "date", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_det_auto_id": { + "kms": "kmip", + "type": "date", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_det_explicit_id": { + "kms": "kmip", + "type": "date", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_date_det_explicit_altname": { + "kms": "kmip", + "type": "date", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$date": { + "$numberLong": "12345" + } + } + }, + "kmip_null_rand_explicit_id": { 
+ "kms": "kmip", + "type": "null", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": null + }, + "kmip_null_rand_explicit_altname": { + "kms": "kmip", + "type": "null", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": null + }, + "kmip_null_det_explicit_id": { + "kms": "kmip", + "type": "null", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": null + }, + "kmip_null_det_explicit_altname": { + "kms": "kmip", + "type": "null", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": null + }, + "kmip_regex_rand_auto_id": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_rand_auto_altname": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_rand_explicit_id": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_rand_explicit_altname": { + "kms": "kmip", + "type": "regex", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_det_auto_id": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_det_explicit_id": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "explicit", + 
"identifier": "id", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_regex_det_explicit_altname": { + "kms": "kmip", + "type": "regex", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$regularExpression": { + "pattern": ".*", + "options": "" + } + } + }, + "kmip_dbPointer_rand_auto_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_rand_auto_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_rand_explicit_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_rand_explicit_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_det_auto_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_det_explicit_id": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + 
"$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_dbPointer_det_explicit_altname": { + "kms": "kmip", + "type": "dbPointer", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$dbPointer": { + "$ref": "db.example", + "$id": { + "$oid": "01234567890abcdef0123456" + } + } + } + }, + "kmip_javascript_rand_auto_id": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_rand_auto_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_rand_explicit_id": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_rand_explicit_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_det_auto_id": { + "kms": "kmip", + "type": "javascript", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_det_explicit_id": { + "kms": "kmip", + "type": "javascript", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_javascript_det_explicit_altname": { + "kms": "kmip", + "type": "javascript", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$code": "x=1" + } + }, + "kmip_symbol_rand_auto_id": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + 
"kmip_symbol_rand_auto_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_symbol_rand_explicit_id": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_symbol_rand_explicit_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_symbol_det_auto_id": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_symbol_det_explicit_id": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_symbol_det_explicit_altname": { + "kms": "kmip", + "type": "symbol", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$symbol": "mongodb-symbol" + } + }, + "kmip_javascriptWithScope_rand_auto_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_javascriptWithScope_rand_auto_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_javascriptWithScope_rand_explicit_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + 
"kmip_javascriptWithScope_rand_explicit_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_javascriptWithScope_det_explicit_id": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_javascriptWithScope_det_explicit_altname": { + "kms": "kmip", + "type": "javascriptWithScope", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$code": "x=1", + "$scope": {} + } + }, + "kmip_int_rand_auto_id": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_rand_auto_altname": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_rand_explicit_id": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_rand_explicit_altname": { + "kms": "kmip", + "type": "int", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_det_auto_id": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_det_explicit_id": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_int_det_explicit_altname": { + "kms": "kmip", + "type": "int", + "algo": "det", + "method": "explicit", + 
"identifier": "altname", + "allowed": true, + "value": { + "$numberInt": "123" + } + }, + "kmip_timestamp_rand_auto_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_rand_auto_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_rand_explicit_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_rand_explicit_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_det_auto_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_det_explicit_id": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_timestamp_det_explicit_altname": { + "kms": "kmip", + "type": "timestamp", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$timestamp": { + "t": 0, + "i": 12345 + } + } + }, + "kmip_long_rand_auto_id": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_rand_auto_altname": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "auto", + 
"identifier": "altname", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_rand_explicit_id": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_rand_explicit_altname": { + "kms": "kmip", + "type": "long", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_det_auto_id": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_det_explicit_id": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_long_det_explicit_altname": { + "kms": "kmip", + "type": "long", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$numberLong": "456" + } + }, + "kmip_decimal_rand_auto_id": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "auto", + "identifier": "id", + "allowed": true, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_rand_auto_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "auto", + "identifier": "altname", + "allowed": true, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_rand_explicit_id": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": true, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_rand_explicit_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": true, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_det_explicit_id": { + "kms": "kmip", + "type": "decimal", + "algo": 
"det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_decimal_det_explicit_altname": { + "kms": "kmip", + "type": "decimal", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$numberDecimal": "1.234" + } + }, + "kmip_minKey_rand_explicit_id": { + "kms": "kmip", + "type": "minKey", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_rand_explicit_altname": { + "kms": "kmip", + "type": "minKey", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_det_explicit_id": { + "kms": "kmip", + "type": "minKey", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_minKey_det_explicit_altname": { + "kms": "kmip", + "type": "minKey", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$minKey": 1 + } + }, + "kmip_maxKey_rand_explicit_id": { + "kms": "kmip", + "type": "maxKey", + "algo": "rand", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + "kmip_maxKey_rand_explicit_altname": { + "kms": "kmip", + "type": "maxKey", + "algo": "rand", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + "kmip_maxKey_det_explicit_id": { + "kms": "kmip", + "type": "maxKey", + "algo": "det", + "method": "explicit", + "identifier": "id", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, + "kmip_maxKey_det_explicit_altname": { + "kms": "kmip", + "type": "maxKey", + "algo": "det", + "method": "explicit", + "identifier": "altname", + "allowed": false, + "value": { + "$maxKey": 1 + } + }, "payload=0,algo=rand": { "kms": "local", "type": "string", 
diff --git a/data/client_side_encryption/count.json b/data/client_side_encryption/count.json
index f906729371..fd0b3029c9 100644
--- a/data/client_side_encryption/count.json
+++ b/data/client_side_encryption/count.json
@@ -150,18 +150,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/countDocuments.json b/data/client_side_encryption/countDocuments.json
index 3cf5fbca8b..07ff97f264 100644
--- a/data/client_side_encryption/countDocuments.json
+++ b/data/client_side_encryption/countDocuments.json
@@ -150,18 +150,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/delete.json b/data/client_side_encryption/delete.json
index 30fb453a93..a6f4ffde91 100644
--- a/data/client_side_encryption/delete.json
+++ b/data/client_side_encryption/delete.json
@@ -151,18 +151,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
@@ -276,18 +264,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/distinct.json b/data/client_side_encryption/distinct.json
index 7a5f75c4a5..9786b07814 100644
--- a/data/client_side_encryption/distinct.json
+++ b/data/client_side_encryption/distinct.json
@@ -161,18 +161,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/explain.json b/data/client_side_encryption/explain.json
index 5ad46bc238..0e451e4818 100644
--- a/data/client_side_encryption/explain.json
+++ b/data/client_side_encryption/explain.json
@@ -155,18 +155,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/find.json b/data/client_side_encryption/find.json
index b7c5258a13..1feddab0e3 100644
--- a/data/client_side_encryption/find.json
+++ b/data/client_side_encryption/find.json
@@ -160,18 +160,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
@@ -302,18 +290,6 @@
 "command_name": "listCollections"
 }
 },
- {
- "command_started_event": {
- "command": {
- "listCollections": 1,
- "filter": {
- "name": "datakeys"
- },
- "$db": "keyvault"
- },
- "command_name": "listCollections"
- }
- },
 {
 "command_started_event": {
 "command": {
diff --git a/data/client_side_encryption/findOneAndDelete.json b/data/client_side_encryption/findOneAndDelete.json
index 6261d8601b..e418a4581b 100644
--- a/data/client_side_encryption/findOneAndDelete.json
+++ b/data/client_side_encryption/findOneAndDelete.json
@@ -148,18 +148,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/findOneAndReplace.json b/data/client_side_encryption/findOneAndReplace.json index d91bc05998..78baca8432 100644 --- a/data/client_side_encryption/findOneAndReplace.json +++ b/data/client_side_encryption/findOneAndReplace.json @@ -147,18 +147,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/findOneAndUpdate.json b/data/client_side_encryption/findOneAndUpdate.json index fad70609ad..1d85851151 100644 --- a/data/client_side_encryption/findOneAndUpdate.json +++ b/data/client_side_encryption/findOneAndUpdate.json @@ -149,18 +149,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/gcpKMS.json b/data/client_side_encryption/gcpKMS.json index a715a7d152..c2c08b8a23 100644 --- a/data/client_side_encryption/gcpKMS.json +++ b/data/client_side_encryption/gcpKMS.json @@ -64,6 +64,20 @@ "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } + }, + "encrypted_string_kmip": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "dBHpr8aITfeBQ15grpbLpQ==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } } }, "bsonType": "object" 
@@ -141,18 +155,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/getMore.json b/data/client_side_encryption/getMore.json index cf23442226..ee99bf7537 100644 --- a/data/client_side_encryption/getMore.json +++ b/data/client_side_encryption/getMore.json @@ -179,18 +179,6 @@ "command_name": "find" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/insert.json b/data/client_side_encryption/insert.json index 78fa8feba0..cf2910fd7a 100644 --- a/data/client_side_encryption/insert.json +++ b/data/client_side_encryption/insert.json @@ -131,18 +131,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -258,18 +246,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/keyAltName.json b/data/client_side_encryption/keyAltName.json index d062bed453..7f71b9dbeb 100644 --- a/data/client_side_encryption/keyAltName.json +++ b/data/client_side_encryption/keyAltName.json 
@@ -131,18 +131,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/kmipKMS.json b/data/client_side_encryption/kmipKMS.json new file mode 100644 index 0000000000..5749d21ab8 --- /dev/null +++ b/data/client_side_encryption/kmipKMS.json 
@@ -0,0 +1,223 @@ +{ + "runOn": [ + { + "minServerVersion": "4.1.10" + } + ], + "database_name": "default", + "collection_name": "default", + "data": [], + "json_schema": { + "properties": { + "encrypted_string_aws": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + }, + "encrypted_string_azure": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AZURE+AAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + }, + "encrypted_string_gcp": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "GCP+AAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + }, + "encrypted_string_local": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "AAAAAAAAAAAAAAAAAAAAAA==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + }, + "encrypted_string_kmip": { + "encrypt": { + "keyId": [ + { + "$binary": { + "base64": "dBHpr8aITfeBQ15grpbLpQ==", + "subType": "04" + } + } + ], + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + } + } + }, + "bsonType": "object" + }, + "key_vault_data": [ + { + "_id": { + "$binary": { + "base64": "dBHpr8aITfeBQ15grpbLpQ==", + "subType": "04" + } + }, + "keyMaterial": { + "$binary": { + "base64": "eUYDyB0HuWb+lQgUwO+6qJQyTTDTY2gp9FbemL7ZFo0pvr0x6rm6Ff9OVUTGH6HyMKipaeHdiIJU1dzsLwvqKvi7Beh+U4iaIWX/K0oEg1GOsJc0+Z/in8gNHbGUYLmycHViM3LES3kdt7FdFSUl5rEBHrM71yoNEXImz17QJWMGOuT4x6yoi2pvnaRJwfrI4DjpmnnTrDMac92jgZehbg==", + "subType": "00" + } + }, + "creationDate": { + "$date": { + "$numberLong": "1634220190041" + } + }, + "updateDate": { + "$date": { + "$numberLong": "1634220190041" + } + }, + "status": 
{ + "$numberInt": "0" + }, + "masterKey": { + "provider": "kmip", + "keyId": "1" + }, + "keyAltNames": [ + "altname", + "kmip_altname" + ] + } + ], + "tests": [ + { + "description": "Insert a document with auto encryption using KMIP KMS provider", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "kmip": {} + } + } + }, + "operations": [ + { + "name": "insertOne", + "arguments": { + "document": { + "_id": 1, + "encrypted_string_kmip": "string0" + } + } + } + ], + "expectations": [ + { + "command_started_event": { + "command": { + "listCollections": 1, + "filter": { + "name": "default" + } + }, + "command_name": "listCollections" + } + }, + { + "command_started_event": { + "command": { + "find": "datakeys", + "filter": { + "$or": [ + { + "_id": { + "$in": [ + { + "$binary": { + "base64": "dBHpr8aITfeBQ15grpbLpQ==", + "subType": "04" + } + } + ] + } + }, + { + "keyAltNames": { + "$in": [] + } + } + ] + }, + "$db": "keyvault" + }, + "command_name": "find" + } + }, + { + "command_started_event": { + "command": { + "insert": "default", + "documents": [ + { + "_id": 1, + "encrypted_string_kmip": { + "$binary": { + "base64": "AXQR6a/GiE33gUNeYK6Wy6UCKCwtKFIsL8eKObDVxvqGupJNUk7kXswHhB7G5j/C1D+6no+Asra0KgSU43bTL3ooIBLVyIzbV5CDJYqzAsa4WQ==", + "subType": "06" + } + } + } + ], + "ordered": true + }, + "command_name": "insert" + } + } + ], + "outcome": { + "collection": { + "data": [ + { + "_id": 1, + "encrypted_string_kmip": { + "$binary": { + "base64": "AXQR6a/GiE33gUNeYK6Wy6UCKCwtKFIsL8eKObDVxvqGupJNUk7kXswHhB7G5j/C1D+6no+Asra0KgSU43bTL3ooIBLVyIzbV5CDJYqzAsa4WQ==", + "subType": "06" + } + } + } + ] + } + } + } + ] +} diff --git a/data/client_side_encryption/localKMS.json b/data/client_side_encryption/localKMS.json index e4d25309c4..67c4ba1308 100644 --- a/data/client_side_encryption/localKMS.json +++ b/data/client_side_encryption/localKMS.json 
@@ -114,18 +114,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/localSchema.json b/data/client_side_encryption/localSchema.json index 7071d6fefd..4698520f6f 100644 --- a/data/client_side_encryption/localSchema.json +++ b/data/client_side_encryption/localSchema.json @@ -136,18 +136,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/maxWireVersion.json b/data/client_side_encryption/maxWireVersion.json index 144786290d..c1088a0ecf 100644 --- a/data/client_side_encryption/maxWireVersion.json +++ b/data/client_side_encryption/maxWireVersion.json @@ -50,6 +50,9 @@ "autoEncryptOpts": { "kmsProviders": { "aws": {} + }, + "extraOptions": { + "mongocryptdBypassSpawn": true } } }, diff --git a/data/client_side_encryption/missingKey.json b/data/client_side_encryption/missingKey.json index ac8e8320b0..275147bb72 100644 --- a/data/client_side_encryption/missingKey.json +++ b/data/client_side_encryption/missingKey.json @@ -140,18 +140,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "different" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/noSchema.json b/data/client_side_encryption/noSchema.json new file mode 100644 index 0000000000..095434f886 --- /dev/null +++ b/data/client_side_encryption/noSchema.json 
@@ -0,0 +1,67 @@ +{ + "runOn": [ + { + "minServerVersion": "4.1.10" + } + ], + "database_name": "default", + "collection_name": "unencrypted", + "tests": [ + { + "description": "Insert on an unencrypted collection", + "clientOptions": { + "autoEncryptOpts": { + "kmsProviders": { + "aws": {} + } + } + }, + "operations": [ + { + "name": "insertOne", + "arguments": { + "document": { + "_id": 1 + } + } + } + ], + "expectations": [ + { + "command_started_event": { + "command": { + "listCollections": 1, + "filter": { + "name": "unencrypted" + } + }, + "command_name": "listCollections" + } + }, + { + "command_started_event": { + "command": { + "insert": "unencrypted", + "documents": [ + { + "_id": 1 + } + ], + "ordered": true + }, + "command_name": "insert" + } + } + ], + "outcome": { + "collection": { + "data": [ + { + "_id": 1 + } + ] + } + } + } + ] +} diff --git a/data/client_side_encryption/replaceOne.json b/data/client_side_encryption/replaceOne.json index 5cdb3d40f0..9757686819 100644 --- a/data/client_side_encryption/replaceOne.json +++ b/data/client_side_encryption/replaceOne.json @@ -148,18 +148,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/test_files.txt b/data/client_side_encryption/test_files.txt index 214b1b9cba..1a11d9afa8 100644 --- a/data/client_side_encryption/test_files.txt +++ b/data/client_side_encryption/test_files.txt @@ -1,12 +1,13 @@ aggregate.json azureKMS.json +badQueries.json badSchema.json basic.json bulk.json bypassAutoEncryption.json bypassedCommand.json -countDocuments.json count.json +countDocuments.json delete.json distinct.json explain.json 
@@ -18,11 +19,13 @@ gcpKMS.json getMore.json insert.json keyAltName.json +kmipKMS.json localKMS.json localSchema.json malformedCiphertext.json maxWireVersion.json missingKey.json +noSchema.json replaceOne.json types.json unsupportedCommand.json diff --git a/data/client_side_encryption/types.json b/data/client_side_encryption/types.json index 2b50872c9c..a6c6507e90 100644 --- a/data/client_side_encryption/types.json +++ b/data/client_side_encryption/types.json @@ -103,18 +103,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -254,18 +242,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -405,18 +381,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -656,18 +620,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -807,18 +759,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { 
@@ -1057,18 +997,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -1214,18 +1142,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { @@ -1369,18 +1285,6 @@ } ], "expectations": [ - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/updateMany.json b/data/client_side_encryption/updateMany.json index fd1f4d12bd..823909044b 100644 --- a/data/client_side_encryption/updateMany.json +++ b/data/client_side_encryption/updateMany.json @@ -164,18 +164,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/data/client_side_encryption/updateOne.json b/data/client_side_encryption/updateOne.json index bed763d720..23bada964f 100644 --- a/data/client_side_encryption/updateOne.json +++ b/data/client_side_encryption/updateOne.json @@ -150,18 +150,6 @@ "command_name": "listCollections" } }, - { - "command_started_event": { - "command": { - "listCollections": 1, - "filter": { - "name": "datakeys" - }, - "$db": "keyvault" - }, - "command_name": "listCollections" - } - }, { "command_started_event": { "command": { diff --git a/src/mongocxx/client_encryption.cpp b/src/mongocxx/client_encryption.cpp index 3521ace518..13e8040740 100644 
--- a/src/mongocxx/client_encryption.cpp +++ b/src/mongocxx/client_encryption.cpp @@ -27,6 +27,8 @@ client_encryption::client_encryption(options::client_encryption opts) : _impl(stdx::make_unique(std::move(opts))) {} client_encryption::~client_encryption() noexcept = default; +client_encryption::client_encryption(client_encryption&&) = default; +client_encryption& client_encryption::operator=(client_encryption&&) = default; bsoncxx::types::bson_value::value client_encryption::create_data_key( std::string kms_provider, const options::data_key& opts) { diff --git a/src/mongocxx/client_encryption.hpp b/src/mongocxx/client_encryption.hpp index d667bb0fa7..4dd1af2b87 100644 --- a/src/mongocxx/client_encryption.hpp +++ b/src/mongocxx/client_encryption.hpp @@ -45,12 +45,25 @@ class MONGOCXX_API client_encryption { /// ~client_encryption() noexcept; + /// + /// Move-constructs a client_encryption object. + /// + client_encryption(client_encryption&&); + + /// + /// Move-assigns a client_encryption object. + /// + client_encryption& operator=(client_encryption&&); + + client_encryption(const client_encryption&) = delete; + client_encryption& operator=(const client_encryption&) = delete; + /// /// Creates a new key document and inserts into the key vault collection. /// /// @param kms_provider - /// A string identifying the KMS service to use to encrypt the datakey - /// (must be "aws" or "local") + /// A string identifying the KMS service to use to encrypt the datakey. + /// Must be one of "aws", "azure", "gcp", "kmip", or "local". /// @param opts /// Optional arguments, see options::data_key. /// diff --git a/src/mongocxx/options/auto_encryption.cpp b/src/mongocxx/options/auto_encryption.cpp index 1c5f386866..bf8f4f61fc 100644 --- a/src/mongocxx/options/auto_encryption.cpp +++ b/src/mongocxx/options/auto_encryption.cpp 
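Review bot: The move constructor and move assignment operator defined in this hunk are not `noexcept`, and the declarations added to client_encryption.hpp in the next hunk have the same gap. The object's state lives behind `_impl` (built with `stdx::make_unique` in the constructor shown as context), so a moved-from `client_encryption` presumably holds an empty `_impl` and a later `create_data_key` call on it would dereference null. The two new header comments should say that a moved-from object may only be destroyed or assigned to. I would declare them as `client_encryption(client_encryption&&) noexcept;` and `client_encryption& operator=(client_encryption&&) noexcept;`, keeping `= default` in the .cpp.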
@@ -66,6 +66,15 @@ const stdx::optional& auto_encryption::kms_pro return _kms_providers; } +auto_encryption& auto_encryption::tls_opts(bsoncxx::document::view_or_value tls_opts) { + _tls_opts = std::move(tls_opts); + return *this; +} + +const stdx::optional& auto_encryption::tls_opts() const { + return _tls_opts; +} + auto_encryption& auto_encryption::schema_map(bsoncxx::document::view_or_value schema_map) { _schema_map = std::move(schema_map); return *this; @@ -128,6 +137,11 @@ void* auto_encryption::convert() const { kms_providers.bson()); } + if (_tls_opts) { + scoped_bson_t tls_opts{*_tls_opts}; + libmongoc::auto_encryption_opts_set_tls_opts(mongoc_auto_encrypt_opts, tls_opts.bson()); + } + if (_schema_map) { scoped_bson_t schema_map{*_schema_map}; libmongoc::auto_encryption_opts_set_schema_map(mongoc_auto_encrypt_opts, schema_map.bson()); diff --git a/src/mongocxx/options/auto_encryption.hpp b/src/mongocxx/options/auto_encryption.hpp index a6600c563f..ca516d4506 100644 --- a/src/mongocxx/options/auto_encryption.hpp +++ b/src/mongocxx/options/auto_encryption.hpp @@ -128,7 +128,7 @@ class MONGOCXX_API auto_encryption { /// Sets the KMS providers to use for client side encryption. /// /// Multiple KMS providers may be specified. The following KMS providers are - /// supported: "aws", "azure", "gcp", and "local". The kmsProviders map values differ + /// supported: "aws", "azure", "gcp", "kmip", and "local". The kmsProviders map values differ /// by provider: /// /// aws: { @@ -149,6 +149,10 @@ class MONGOCXX_API auto_encryption { /// endpoint: Optional // Defaults to oauth2.googleapis.com /// } /// + /// kmip: { + /// endpoint: String + /// } + /// /// local: { /// key: byte[96] // The master key used to encrypt/decrypt data keys. /// } 
@@ -171,6 +175,36 @@ class MONGOCXX_API auto_encryption { /// const stdx::optional& kms_providers() const; + /// + /// Sets the TLS options to use for client side encryption with a given KMS provider. + /// + /// Multiple KMS providers may be specified. Supported KMS providers are "aws", "azure", "gcp", + /// and "kmip". The map value has the same form for all supported providers: + /// + /// : { + /// tlsCaFile: Optional + /// tlsCertificateKeyFile: Optional + /// tlsCertificateKeyFilePassword: Optional + /// } + /// + /// @param tls_opts + /// A document containing the TLS options. + /// + /// @return + /// A reference to this object to facilitate method chaining. + /// + /// @see https://docs.mongodb.com/manual/core/security-client-side-encryption/ + /// + auto_encryption& tls_opts(bsoncxx::document::view_or_value tls_opts); + + /// + /// Gets the TLS options. + /// + /// @return + /// An optional document containing the TLS options. + /// + const stdx::optional& tls_opts() const; + /// /// Sets a local JSON schema. /// @@ -268,6 +302,7 @@ class MONGOCXX_API auto_encryption { stdx::optional _key_vault_pool; stdx::optional _key_vault_namespace; stdx::optional _kms_providers; + stdx::optional _tls_opts; stdx::optional _schema_map; stdx::optional _extra_options; }; diff --git a/src/mongocxx/options/client_encryption.cpp b/src/mongocxx/options/client_encryption.cpp index ab38c408c5..b7e2bbfa89 100644 --- a/src/mongocxx/options/client_encryption.cpp +++ b/src/mongocxx/options/client_encryption.cpp @@ -52,6 +52,15 @@ const stdx::optional& client_encryption::kms_p return _kms_providers; } +client_encryption& client_encryption::tls_opts(bsoncxx::document::view_or_value tls_opts) { + _tls_opts = std::move(tls_opts); + return *this; +} + +const stdx::optional& client_encryption::tls_opts() const { + return _tls_opts; +} + void* client_encryption::convert() const { mongoc_client_encryption_opts_t* opts_t = libmongoc::client_encryption_opts_new(); 
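Review bot: The new `tls_opts` comment documents the key as `tlsCaFile`, while the test helper `_make_tls_opts` added in this commit passes `tlsCAFile`; the same comment is repeated in options/client_encryption.hpp. Whether the underlying library matches these keys case-insensitively is not visible here, so the documentation should use the spelling the tests exercise, `tlsCAFile`. The comment should also note that the document can carry `tlsCertificateKeyFilePassword`, a secret that `tls_opts() const` returns by reference, so callers should not log or serialize the returned document. A sentence on which trust store applies when the CA file is omitted would help anyone configuring a KMIP endpoint.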
@@ -71,6 +80,11 @@ void* client_encryption::convert() const { libmongoc::client_encryption_opts_set_kms_providers(opts_t, kms_providers.bson()); } + if (_tls_opts) { + libbson::scoped_bson_t tls_opts{*_tls_opts}; + libmongoc::client_encryption_opts_set_tls_opts(opts_t, tls_opts.bson()); + } + return opts_t; } diff --git a/src/mongocxx/options/client_encryption.hpp b/src/mongocxx/options/client_encryption.hpp index 664c6174fd..bd8ada6758 100644 --- a/src/mongocxx/options/client_encryption.hpp +++ b/src/mongocxx/options/client_encryption.hpp @@ -90,7 +90,7 @@ class MONGOCXX_API client_encryption { /// Sets the KMS providers to use for client side encryption. /// /// Multiple KMS providers may be specified. Supported KMS providers are - /// "aws", "azure", "gcp", and "local". The kmsProviders map values differ + /// "aws", "azure", "gcp", "kmip", and "local". The kmsProviders map values differ /// by provider: /// /// aws: { @@ -111,6 +111,10 @@ class MONGOCXX_API client_encryption { /// endpoint: Optional // Defaults to oauth2.googleapis.com /// } /// + /// kmip: { + /// endpoint: String + /// } + /// /// local: { /// key: byte[96] // The master key used to encrypt/decrypt data keys. /// } 
@@ -133,6 +137,36 @@ class MONGOCXX_API client_encryption { /// const stdx::optional& kms_providers() const; + /// + /// Sets the TLS options to use for client side encryption with a given KMS provider. + /// + /// Multiple KMS providers may be specified. Supported KMS providers are "aws", "azure", "gcp", + /// and "kmip". The map value has the same form for all supported providers: + /// + /// : { + /// tlsCaFile: Optional + /// tlsCertificateKeyFile: Optional + /// tlsCertificateKeyFilePassword: Optional + /// } + /// + /// @param tls_opts + /// A document containing the TLS options. + /// + /// @return + /// A reference to this object to facilitate method chaining. + /// + /// @see https://docs.mongodb.com/manual/core/security-client-side-encryption/ + /// + client_encryption& tls_opts(bsoncxx::document::view_or_value tls_opts); + + /// + /// Gets the TLS options. + /// + /// @return + /// An optional document containing the TLS options. + /// + const stdx::optional& tls_opts() const; + private: friend class mongocxx::client_encryption; @@ -141,6 +175,7 @@ class MONGOCXX_API client_encryption { stdx::optional _key_vault_client; stdx::optional _key_vault_namespace; stdx::optional _kms_providers; + stdx::optional _tls_opts; }; } // namespace options diff --git a/src/mongocxx/options/data_key.hpp b/src/mongocxx/options/data_key.hpp index 61c258a569..530af2988e 100644 --- a/src/mongocxx/options/data_key.hpp +++ b/src/mongocxx/options/data_key.hpp 
@@ -69,6 +69,15 @@ class MONGOCXX_API data_key { /// "cloudkms.googleapis.com". /// } /// + /// If the KMS provider is "kmip" the masterKey is required and has the following fields: + /// + /// { + // keyId: Optional, // keyId is the KMIP Unique Identifier to a 96 byte KMIP Secret + // // Data managed object.If keyId is omitted, the driver creates a + // // random 96 byte KMIP Secret Data managed object. + // endpoint: Optional // Host with optional port. + /// } + /// /// If the KMS provider is "local" the masterKey is not applicable. /// /// @param master_key diff --git a/src/mongocxx/private/libmongoc_symbols.hh b/src/mongocxx/private/libmongoc_symbols.hh index e0463ebc8f..8048dc02de 100644 --- a/src/mongocxx/private/libmongoc_symbols.hh +++ b/src/mongocxx/private/libmongoc_symbols.hh @@ -97,6 +97,7 @@ MONGOCXX_LIBMONGOC_SYMBOL(auto_encryption_opts_set_keyvault_client_pool) MONGOCXX_LIBMONGOC_SYMBOL(auto_encryption_opts_set_keyvault_namespace) MONGOCXX_LIBMONGOC_SYMBOL(auto_encryption_opts_set_kms_providers) MONGOCXX_LIBMONGOC_SYMBOL(auto_encryption_opts_set_schema_map) +MONGOCXX_LIBMONGOC_SYMBOL(auto_encryption_opts_set_tls_opts) MONGOCXX_LIBMONGOC_SYMBOL(bulk_operation_destroy) MONGOCXX_LIBMONGOC_SYMBOL(bulk_operation_execute) MONGOCXX_LIBMONGOC_SYMBOL(bulk_operation_get_write_concern) @@ -139,6 +140,7 @@ MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_opts_new) MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_opts_set_keyvault_client) MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_opts_set_keyvault_namespace) MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_opts_set_kms_providers) +MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_opts_set_tls_opts) MONGOCXX_LIBMONGOC_SYMBOL(client_encryption_new) MONGOCXX_LIBMONGOC_SYMBOL(client_find_databases_with_opts) MONGOCXX_LIBMONGOC_SYMBOL(client_get_collection) diff --git a/src/mongocxx/test/client_side_encryption.cpp b/src/mongocxx/test/client_side_encryption.cpp index 745ca1c802..9da9c0afaa 100644 
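Review bot: Three lines of the new KMIP masterKey description start with `//` instead of `///` (the `keyId` line, its continuation and the `endpoint` line), so they presumably fall out of the documentation comment and the generated docs would show an empty `{ }`. Change the prefix on those lines to `///` and add the missing space in `object.If`. The text also calls the masterKey "required" although both fields are optional; stating that an empty document is accepted, which is what the KMIP data-key test in this commit passes, would remove the ambiguity.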
--- a/src/mongocxx/test/client_side_encryption.cpp +++ b/src/mongocxx/test/client_side_encryption.cpp @@ -59,6 +59,9 @@ const auto kAzureKeyUUID = "\x01\x95\x11\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00 // This is the base64 encoding of GCPAAAAAAAAAAAAAAAAAAA==. const auto kGcpKeyUUID = "\x18\x23\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; +// This is the base64 encoding of KMIPAAAAAAAAAAAAAAAAAA==. +const auto kKmipKeyUUID = "\x28\xc2\x0f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + using bsoncxx::builder::concatenate; using bsoncxx::builder::basic::kvp; @@ -131,6 +134,10 @@ bsoncxx::document::value _make_kms_doc(bool include_external = true) { subdoc.append( kvp("privateKey", test_util::getenv_or_fail("MONGOCXX_TEST_GCP_PRIVATEKEY"))); })); + + kms_doc.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append(kvp("endpoint", "localhost:5698")); + })); } char key_storage[96]; @@ -145,14 +152,30 @@ bsoncxx::document::value _make_kms_doc(bool include_external = true) { return {kms_doc.extract()}; } +bsoncxx::document::value _make_tls_opts() { + bsoncxx::builder::basic::document tls_opts; + + tls_opts.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append( + kvp("tlsCAFile", test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CA_FILE"))); + subdoc.append( + kvp("tlsCertificateKeyFile", + test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE"))); + })); + + return tls_opts.extract(); +} + void _add_client_encrypted_opts(options::client* client_opts, bsoncxx::document::view_or_value schema_map, bsoncxx::document::view_or_value kms_doc, + bsoncxx::document::view_or_value tls_opts, class client* key_vault_client = nullptr) { options::auto_encryption auto_encrypt_opts{}; // KMS auto_encrypt_opts.kms_providers(std::move(kms_doc)); + auto_encrypt_opts.tls_opts(std::move(tls_opts)); auto_encrypt_opts.key_vault_namespace({"keyvault", "datakeys"}); if (!schema_map.view().empty()) { 
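Review bot: The comment added above `kKmipKeyUUID` says the bytes are the base64 encoding of `KMIPAAAAAAAAAAAAAAAAAA==`, but they are its decoded form (`\x28\xc2\x0f` is what `KMIP` decodes to). The wording copies the neighbouring GCP comment; I would write `// This is the base64 decoding of KMIPAAAAAAAAAAAAAAAAAA==.` so that a reader checking the key id against the corpus files is not misled.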
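Review bot: `_make_tls_opts()` calls `test_util::getenv_or_fail` for both TLS variables, and `_add_client_encrypted_opts` now takes `tls_opts` as a required argument, so the tests later in this file that build a local-only provider document with `_make_kms_doc(false)` also depend on the KMIP certificate environment. Those callers would also pass KMIP client-certificate settings for a provider that appears to be absent from their `kms_providers`. Giving the helper the same switch as `_make_kms_doc`, for example `bsoncxx::document::value _make_tls_opts(bool include_external = true)` returning an empty document when it is false, would keep the local-only tests independent of the KMIP certificates; whether an empty document is accepted by the setter should be confirmed. `_add_client_encrypted_opts` continues outside the hunk.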
@@ -188,8 +211,10 @@ void _add_cse_opts(options::client_encryption* opts, class client* client, bool include_aws = true) { // KMS providers - auto kms = _make_kms_doc(include_aws); - opts->kms_providers(std::move(kms)); + opts->kms_providers(_make_kms_doc(include_aws)); + + // TLS options + opts->tls_opts(_make_tls_opts()); // Key vault client opts->key_vault_client(client); @@ -327,20 +352,22 @@ TEST_CASE("Datakey and double encryption", "[client_side_encryption]") { _setup_drop_collections(setup_client); // 3. Create and configure client_encrypted, client_encryption. - auto schema_map = document{} << "db.coll" << open_document << "bsonType" - << "object" - << "properties" << open_document << "encrypted_placeholder" - << open_document << "encrypt" << open_document << "keyId" - << "/placeholder" - << "bsonType" - << "string" - << "algorithm" - << "AEAD_AES_256_CBC_HMAC_SHA_512-Random" << close_document - << close_document << close_document << close_document << finalize; - options::client encrypted_client_opts; - auto kms_doc = _make_kms_doc(); - _add_client_encrypted_opts(&encrypted_client_opts, std::move(schema_map), std::move(kms_doc)); + _add_client_encrypted_opts( + &encrypted_client_opts, + document() << "db.coll" << open_document << "bsonType" + << "object" + << "properties" << open_document << "encrypted_placeholder" << open_document + << "encrypt" << open_document << "keyId" + << "/placeholder" + << "bsonType" + << "string" + << "algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Random" << close_document << close_document + << close_document << close_document << finalize, + _make_kms_doc(), + _make_tls_opts()); + class client client_encrypted { uri{}, test_util::add_test_server_api(encrypted_client_opts), }; 
@@ -428,6 +455,25 @@ TEST_CASE("Datakey and double encryption", "[client_side_encryption]") { &client_encrypted, &client_encryption, &apm_checker); + + // Run with KMIP + run_datakey_and_double_encryption( + [&]() { + // 1. Call client_encryption.createDataKey() with the KMIP KMS provider + // and keyAltNames set to ["kmip_altname"]. + options::data_key data_key_opts; + data_key_opts.key_alt_names({"kmip_altname"}); + + auto doc = make_document(); + data_key_opts.master_key(doc.view()); + + return client_encryption.create_data_key("kmip", data_key_opts); + }, + "kmip", + &setup_client, + &client_encrypted, + &client_encryption, + &apm_checker); } void run_external_key_vault_test(bool with_external_key_vault) { @@ -460,16 +506,16 @@ void run_external_key_vault_test(bool with_external_key_vault) { // Create a MongoClient configured with auto encryption (referred to as client_encrypted), // that is configured with an external key vault client if with_external_key_vault is true options::client encrypted_client_opts; - auto kms_doc = _make_kms_doc(false); if (with_external_key_vault) { _add_client_encrypted_opts(&encrypted_client_opts, std::move(schema_map), - std::move(kms_doc), + _make_kms_doc(false), + _make_tls_opts(), &external_key_vault_client); } else { _add_client_encrypted_opts( - &encrypted_client_opts, std::move(schema_map), std::move(kms_doc)); + &encrypted_client_opts, std::move(schema_map), _make_kms_doc(false), _make_tls_opts()); } class client client_encrypted { 
@@ -583,10 +629,9 @@ TEST_CASE("BSON size limits and batch splitting", "[client_side_encryption]") { // with local KMS provider as follows: // { "local": { "key": } } // and with the keyVaultNamespace set to keyvault.datakeys. - auto kms_doc = _make_kms_doc(false); - options::client client_encrypted_opts; - _add_client_encrypted_opts(&client_encrypted_opts, limits_schema.view(), std::move(kms_doc)); + _add_client_encrypted_opts( + &client_encrypted_opts, limits_schema.view(), _make_kms_doc(false), _make_tls_opts()); // Add a counter to verify splits int n_inserts = 0; @@ -733,8 +778,7 @@ TEST_CASE("Views are prohibited", "[client_side_encryption]") { // { "local": { "key": } } // Configure with the keyVaultNamespace set to keyvault.datakeys. options::client opts; - auto kms_doc = _make_kms_doc(); - _add_client_encrypted_opts(&opts, {}, std::move(kms_doc)); + _add_client_encrypted_opts(&opts, {}, _make_kms_doc(), _make_tls_opts()); class client client_encrypted { uri{}, test_util::add_test_server_api(opts) }; @@ -761,6 +805,7 @@ void _run_corpus_test(bool use_schema_map) { auto corpus_key_aws = _doc_from_file("/corpus/corpus-key-aws.json"); auto corpus_key_azure = _doc_from_file("/corpus/corpus-key-azure.json"); auto corpus_key_gcp = _doc_from_file("/corpus/corpus-key-gcp.json"); + auto corpus_key_kmip = _doc_from_file("/corpus/corpus-key-kmip.json"); // Using client, drop and create the collection db.coll configured with the included // JSON schema corpus/corpus-schema.json. 
@@ -785,21 +830,27 @@ void _run_corpus_test(bool use_schema_map) { keyvault.insert_one(std::move(corpus_key_aws), insert_opts); keyvault.insert_one(std::move(corpus_key_azure), insert_opts); keyvault.insert_one(std::move(corpus_key_gcp), insert_opts); + keyvault.insert_one(std::move(corpus_key_kmip), insert_opts); // Configure kms credentials as follows: // { // "aws": { }, - // "local": { "key": } + // "azure": { }, + // "gcp": { }, + // "local": { "key": }, + // "kmip": { "endpoint": "localhost:5698" } // } char local_key_id_storage[16]; char aws_key_id_storage[16]; char azure_key_id_storage[16]; char gcp_key_id_storage[16]; + char kmip_key_id_storage[16]; memcpy(&(local_key_id_storage[0]), kLocalKeyUUID, 16); memcpy(&(aws_key_id_storage[0]), kAwsKeyUUID, 16); memcpy(&(azure_key_id_storage[0]), kAzureKeyUUID, 16); memcpy(&(gcp_key_id_storage[0]), kGcpKeyUUID, 16); + memcpy(&(kmip_key_id_storage[0]), kKmipKeyUUID, 16); bsoncxx::types::b_binary local_key_id{ bsoncxx::binary_sub_type::k_uuid, 16, (const uint8_t*)&local_key_id_storage}; 
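Review bot: The added `memcpy(&(kmip_key_id_storage[0]), kKmipKeyUUID, 16);` hard-codes the length 16 and nothing in the hunk ties it to the size of `kKmipKeyUUID`, whose definition is not visible here. `memcpy(kmip_key_id_storage, kKmipKeyUUID, sizeof(kmip_key_id_storage));` would at least bind the length to the destination, so a later change to the buffer cannot turn into an overflow. The `bsoncxx::types::b_binary kmip_key_id{...}` line in the following hunk repeats the literal 16 and uses the C-style cast `(const uint8_t*)&kmip_key_id_storage`; `reinterpret_cast<const uint8_t*>(kmip_key_id_storage)` states the conversion explicitly. `_run_corpus_test` starts and ends outside the hunk.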
@@ -809,22 +860,24 @@ void _run_corpus_test(bool use_schema_map) { bsoncxx::binary_sub_type::k_uuid, 16, (const uint8_t*)&azure_key_id_storage}; bsoncxx::types::b_binary gcp_key_id{ bsoncxx::binary_sub_type::k_uuid, 16, (const uint8_t*)&gcp_key_id_storage}; + bsoncxx::types::b_binary kmip_key_id{ + bsoncxx::binary_sub_type::k_uuid, 16, (const uint8_t*)&kmip_key_id_storage}; auto local_key_value = make_value(local_key_id); auto aws_key_value = make_value(aws_key_id); auto azure_key_value = make_value(azure_key_id); auto gcp_key_value = make_value(gcp_key_id); - - auto kms_doc = _make_kms_doc(); + auto kmip_key_value = make_value(kmip_key_id); // Create the following and configure both objects with keyVaultNamespace set to // keyvault.datakeys: // A MongoClient configured with auto encryption (referred to as client_encrypted) options::client client_encrypted_opts; if (use_schema_map) { - _add_client_encrypted_opts(&client_encrypted_opts, corpus_schema.view(), kms_doc.view()); + _add_client_encrypted_opts( + &client_encrypted_opts, corpus_schema.view(), _make_kms_doc(), _make_tls_opts()); } else { - _add_client_encrypted_opts(&client_encrypted_opts, {}, kms_doc.view()); + _add_client_encrypted_opts(&client_encrypted_opts, {}, _make_kms_doc(), _make_tls_opts()); } class client client_encrypted { @@ -833,7 +886,8 @@ void _run_corpus_test(bool use_schema_map) { // A ClientEncryption object (referred to as client_encryption) options::client_encryption cse_opts; - cse_opts.kms_providers(kms_doc.view()); + cse_opts.kms_providers(_make_kms_doc()); + cse_opts.tls_opts(_make_tls_opts()); cse_opts.key_vault_client(&client); cse_opts.key_vault_namespace({"keyvault", "datakeys"}); class client_encryption client_encryption { 
@@ -855,7 +909,7 @@ void _run_corpus_test(bool use_schema_map) { // If the field name is _id, altname_aws, altname_azure, altname_gcp, altname_local, copy // the field to corpus_copied. std::vector copied_fields = { - "_id", "altname_aws", "altname_azure", "altname_gcp", "altname_local"}; + "_id", "altname_aws", "altname_azure", "altname_gcp", "altname_kmip", "altname_local"}; if (std::find(copied_fields.begin(), copied_fields.end(), field_name) != copied_fields.end()) { corpus_copied_builder.append(kvp(field_name, ele.get_value())); @@ -915,6 +969,10 @@ void _run_corpus_test(bool use_schema_map) { // If kms is gcp set the key_id to the UUID with base64 value // GCPAAAAAAAAAAAAAAAAAAA==. encrypt_opts.key_id(gcp_key_value.view()); + } else if (kms == stdx::string_view("kmip")) { + // If kms is kmip set the key_id to the UUID with base64 value + // KMIPAAAAAAAAAAAAAAAAAA==. + encrypt_opts.key_id(kmip_key_value.view()); } else { throw exception{error_code::k_invalid_parameter, "unsupported kms identifier"}; } @@ -931,6 +989,9 @@ void _run_corpus_test(bool use_schema_map) { } else if (kms == stdx::string_view("gcp")) { // If kms is gcp set the key_alt_name to "gcp". encrypt_opts.key_alt_name("gcp"); + } else if (kms == stdx::string_view("kmip")) { + // If kms is kmip set the key_alt_name to "kmip". + encrypt_opts.key_alt_name("kmip"); } else { throw exception{error_code::k_invalid_parameter, "unsupported kms altname"}; } @@ -1080,6 +1141,7 @@ void _run_endpoint_test(mongocxx::client* setup_client, mongocxx::options::client_encryption ce_opts_invalid; bsoncxx::builder::basic::document kms_doc; bsoncxx::builder::basic::document kms_doc_invalid; + bsoncxx::builder::basic::document tls_opts; kms_doc.append(kvp("aws", [&](sub_document subdoc) { subdoc.append(kvp("secretAccessKey", 
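Review bot: The comment above `copied_fields` still lists only `_id, altname_aws, altname_azure, altname_gcp, altname_local`, while the new initializer also copies `altname_kmip`. Updating it to `// If the field name is _id, altname_aws, altname_azure, altname_gcp, altname_kmip, altname_local, copy` keeps the comment and the list in agreement. The enclosing `_run_corpus_test` body continues outside the hunk.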
@@ -1102,9 +1164,21 @@ void _run_endpoint_test(mongocxx::client* setup_client, subdoc.append(kvp("endpoint", "oauth2.googleapis.com:443")); })); + kms_doc.append(kvp( + "kmip", [&](sub_document subdoc) { subdoc.append(kvp("endpoint", "localhost:5698")); })); + + tls_opts.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append( + kvp("tlsCAFile", test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CA_FILE"))); + subdoc.append( + kvp("tlsCertificateKeyFile", + test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE"))); + })); + ce_opts.key_vault_client(setup_client); ce_opts.key_vault_namespace({"keyvault", "datakeys"}); ce_opts.kms_providers(kms_doc.view()); + ce_opts.tls_opts(tls_opts.view()); mongocxx::client_encryption client_encryption{ce_opts}; kms_doc_invalid.append(kvp("azure", [&](sub_document subdoc) { @@ -1121,6 +1195,10 @@ void _run_endpoint_test(mongocxx::client* setup_client, subdoc.append(kvp("endpoint", "doesnotexist.invalid:443")); })); + kms_doc_invalid.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append(kvp("endpoint", "doesnotexist.local:5698")); + })); + ce_opts_invalid.key_vault_client(setup_client); ce_opts_invalid.key_vault_namespace({"keyvault", "datakeys"}); ce_opts_invalid.kms_providers(kms_doc_invalid.view()); 
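Review bot: `ce_opts_invalid` gains a `kmip` provider in the second hunk on this line but, in the lines shown, never receives TLS options, whereas `ce_opts` does via `ce_opts.tls_opts(tls_opts.view());`. The invalid client's KMIP failure therefore presumably depends on resolution of `doesnotexist.local` failing before any TLS handshake is attempted. Adding `ce_opts_invalid.tls_opts(tls_opts.view());` after `ce_opts_invalid.kms_providers(kms_doc_invalid.view());` would keep the two clients identical apart from the endpoint, so the negative assertion can only fail for the intended reason. `_run_endpoint_test` continues past the hunk, so this may already be set outside the visible lines.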
@@ -1173,10 +1251,13 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // } // Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and // decrypt the string "test" to validate it works. - auto simple_masterkey = make_document( - kvp("region", "us-east-1"), - kvp("key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0")); - _run_endpoint_test(&setup_client, simple_masterkey.view(), "aws"); + SECTION("Test Case 1") { + auto simple_masterkey = make_document( + kvp("region", "us-east-1"), + kvp("key", + "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0")); + _run_endpoint_test(&setup_client, simple_masterkey.view(), "aws"); + } // Call client_encryption.createDataKey() with "aws" as the provider and the following // masterKey: @@ -1187,14 +1268,17 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // } // Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and // decrypt the string "test" to validate it works. - auto endpoint_masterkey = - document{} << "region" - << "us-east-1" - << "key" - << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - << "endpoint" - << "kms.us-east-1.amazonaws.com" << finalize; - _run_endpoint_test(&setup_client, endpoint_masterkey.view(), "aws"); + SECTION("Test Case 2") { + auto endpoint_masterkey = + document{} + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "kms.us-east-1.amazonaws.com" << finalize; + _run_endpoint_test(&setup_client, endpoint_masterkey.view(), "aws"); + } // Call client_encryption.createDataKey() with "aws" as the provider and the following // masterKey: 
@@ -1205,14 +1289,17 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // } // Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and // decrypt the string "test" to validate it works. - auto endpoint_masterkey2 = - document{} << "region" - << "us-east-1" - << "key" - << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - << "endpoint" - << "kms.us-east-1.amazonaws.com:443" << finalize; - _run_endpoint_test(&setup_client, endpoint_masterkey2.view(), "aws"); + SECTION("Test Case 3") { + auto endpoint_masterkey2 = + document{} + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "kms.us-east-1.amazonaws.com:443" << finalize; + _run_endpoint_test(&setup_client, endpoint_masterkey2.view(), "aws"); + } // Call client_encryption.createDataKey() with "aws" as the provider and the following // masterKey: @@ -1222,14 +1309,17 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // endpoint: "kms.us-east-1.amazonaws.com:12345" // } // Expect this to fail with a socket connection error. - auto socket_error_masterkey = - document{} << "region" - << "us-east-1" - << "key" - << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - << "endpoint" - << "kms.us-east-1.amazonaws.com:12345" << finalize; - _run_endpoint_test(&setup_client, socket_error_masterkey.view(), "aws", {{"error"}}); + SECTION("Test Case 4") { + auto socket_error_masterkey = + document{} + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "kms.us-east-1.amazonaws.com:12345" << finalize; + _run_endpoint_test(&setup_client, socket_error_masterkey.view(), "aws", {{"error"}}); + } // Call client_encryption.createDataKey() with "aws" as the provider and the following // masterKey: 
@@ -1239,14 +1329,17 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // endpoint: "kms.us-east-2.amazonaws.com" // } // Expect this to fail with an exception. - auto endpoint_error_masterkey = - document{} << "region" - << "us-east-1" - << "key" - << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - << "endpoint" - << "kms.us-east-2.amazonaws.com" << finalize; - _run_endpoint_test(&setup_client, endpoint_error_masterkey.view(), "aws", {{""}}); + SECTION("Test Case 5") { + auto endpoint_error_masterkey = + document{} + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "kms.us-east-2.amazonaws.com" << finalize; + _run_endpoint_test(&setup_client, endpoint_error_masterkey.view(), "aws", {{""}}); + } // Call client_encryption.createDataKey() with "aws" as the provider and the following // masterKey: 
@@ -1257,17 +1350,20 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // } // Expect this to fail with a network exception indicating failure to resolve // "doesnotexist.invalid". - auto parse_error_masterkey = - document{} << "region" - << "us-east-1" - << "key" - << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - << "endpoint" - << "doesnotexist.invalid" << finalize; - _run_endpoint_test(&setup_client, - parse_error_masterkey.view(), - "aws", - {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + SECTION("Test Case 6") { + auto parse_error_masterkey = + document{} + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "doesnotexist.invalid" << finalize; + _run_endpoint_test(&setup_client, + parse_error_masterkey.view(), + "aws", + {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + } // Call `client_encryption.createDataKey()` with "azure" as the provider and the following // masterKey: 
@@ -1280,15 +1376,17 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // with the same masterKey. // Expect this to fail with a network exception indicating failure to resolve // "doesnotexist.invalid". - auto azure_masterkey = document{} << "keyVaultEndpoint" - << "key-vault-csfle.vault.azure.net" - << "keyName" - << "key-name-csfle" << finalize; - _run_endpoint_test(&setup_client, - azure_masterkey.view(), - "azure", - stdx::nullopt, - {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + SECTION("Test Case 7") { + auto azure_masterkey = document{} << "keyVaultEndpoint" + << "key-vault-csfle.vault.azure.net" + << "keyName" + << "key-name-csfle" << finalize; + _run_endpoint_test(&setup_client, + azure_masterkey.view(), + "azure", + stdx::nullopt, + {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + } // Call `client_encryption.createDataKey()` with "gcp" as the provider and the following // masterKey: 
@@ -1304,21 +1402,23 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // with the same masterKey. // Expect this to fail with a network exception indicating failure to resolve // "doesnotexist.invalid". - auto gcp_masterkey = document{} << "projectId" - << "devprod-drivers" - << "location" - << "global" - << "keyRing" - << "key-ring-csfle" - << "keyName" - << "key-name-csfle" - << "endpoint" - << "cloudkms.googleapis.com:443" << finalize; - _run_endpoint_test(&setup_client, - gcp_masterkey.view(), - "gcp", - stdx::nullopt, - {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + SECTION("Test Case 8") { + auto gcp_masterkey = document{} << "projectId" + << "devprod-drivers" + << "location" + << "global" + << "keyRing" + << "key-ring-csfle" + << "keyName" + << "key-name-csfle" + << "endpoint" + << "cloudkms.googleapis.com:443" << finalize; + _run_endpoint_test(&setup_client, + gcp_masterkey.view(), + "gcp", + stdx::nullopt, + {{"Failed to resolve doesnotexist.invalid: generic server error"}}); + } // Call `client_encryption.createDataKey()` with "gcp" as the provider and the following // masterKey: 
@@ -1331,17 +1431,73 @@ TEST_CASE("Custom endpoint", "[client_side_encryption]") { // } // Expect this to fail with an exception with a message containing the string: "Invalid KMS // response". - auto gcp_masterkey2 = document{} << "projectId" - << "devprod-drivers" - << "location" - << "global" - << "keyRing" - << "key-ring-csfle" - << "keyName" - << "key-name-csfle" - << "endpoint" - << "doesnotexist.invalid:443" << finalize; - _run_endpoint_test(&setup_client, gcp_masterkey2.view(), "gcp", {{"Invalid KMS response"}}); + SECTION("Test Case 9") { + auto gcp_masterkey2 = document{} << "projectId" + << "devprod-drivers" + << "location" + << "global" + << "keyRing" + << "key-ring-csfle" + << "keyName" + << "key-name-csfle" + << "endpoint" + << "doesnotexist.invalid:443" << finalize; + _run_endpoint_test(&setup_client, gcp_masterkey2.view(), "gcp", {{"Invalid KMS response"}}); + } + + // Call `client_encryption.createDataKey()` with "kmip" as the provider and the following + // masterKey: + // { + // "keyId": "1" + // } + // Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt + // the string "test" to validate it works. Call client_encryption_invalid.createDataKey() with + // the same masterKey. Expect this to fail with a network exception indicating failure to + // resolve "doesnotexist.local". + SECTION("Test Case 10") { + auto kmip_masterkey = document{} << "keyId" + << "1" << finalize; + _run_endpoint_test(&setup_client, + kmip_masterkey.view(), + "kmip", + stdx::nullopt, + {{"Failed to resolve doesnotexist.local: generic server error"}}); + } + + // Call `client_encryption.createDataKey()` with "kmip" as the provider and the following + // masterKey: + // { + // "keyId": "1", + // "endpoint": "localhost:5698" + // } + // Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt + // the string "test" to validate it works. 
+ SECTION("Test Case 11") { + auto kmip_masterkey = document{} << "keyId" + << "1" + << "endpoint" + << "localhost:5698" << finalize; + _run_endpoint_test(&setup_client, kmip_masterkey.view(), "kmip"); + } + + // Call `client_encryption.createDataKey()` with "kmip" as the provider and the following + // masterKey: + // { + // "keyId": "1", + // "endpoint": "doesnotexist.local:5698" + // } + // Expect this to fail with a network exception indicating failure to resolve + // "doesnotexist.local". + SECTION("Test Case 12") { + auto kmip_masterkey = document{} << "keyId" + << "1" + << "endpoint" + << "doesnotexist.local:5698" << finalize; + _run_endpoint_test(&setup_client, + kmip_masterkey.view(), + "kmip", + {{"Failed to resolve doesnotexist.local: generic server error"}}); + } } TEST_CASE("Bypass spawning mongocryptd", "[client_side_encryption]") { @@ -1376,8 +1532,8 @@ TEST_CASE("Bypass spawning mongocryptd", "[client_side_encryption]") { options::client client_encrypted_opts; options::auto_encryption auto_encrypt_opts{}; - auto kms_doc = _make_kms_doc(); - auto_encrypt_opts.kms_providers(std::move(kms_doc)); + auto_encrypt_opts.kms_providers(_make_kms_doc()); + auto_encrypt_opts.tls_opts(_make_tls_opts()); auto_encrypt_opts.key_vault_namespace({"keyvault", "datakeys"}); auto_encrypt_opts.schema_map({external_schema.view()}); @@ -1416,8 +1572,8 @@ TEST_CASE("Bypass spawning mongocryptd", "[client_side_encryption]") { // Configure with the keyVaultNamespace set to keyvault.datakeys. options::client client_encrypted_opts2; options::auto_encryption auto_encrypt_opts2{}; - auto kms_doc2 = _make_kms_doc(); - auto_encrypt_opts2.kms_providers(std::move(kms_doc2)); + auto_encrypt_opts2.kms_providers(_make_kms_doc()); + auto_encrypt_opts2.tls_opts(_make_tls_opts()); auto_encrypt_opts2.key_vault_namespace({"keyvault", "datakeys"}); auto_encrypt_opts2.schema_map({external_schema.view()}); 
@@ -1584,4 +1740,263 @@ TEST_CASE("KMS TLS wrong host certificate", "[client_side_encryption]") { kms_tls_wrong_host_cert_matcher()); } +bsoncxx::document::value make_kms_providers_with_custom_endpoints(stdx::string_view azure, + stdx::string_view gcp, + stdx::string_view kmip) { + bsoncxx::builder::basic::document kms_doc; + + kms_doc.append(kvp("aws", [&](sub_document subdoc) { + subdoc.append(kvp("secretAccessKey", + test_util::getenv_or_fail("MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY"))); + subdoc.append( + kvp("accessKeyId", test_util::getenv_or_fail("MONGOCXX_TEST_AWS_ACCESS_KEY_ID"))); + })); + + kms_doc.append(kvp("azure", [&](sub_document subdoc) { + subdoc.append(kvp("tenantId", test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_TENANT_ID"))); + subdoc.append(kvp("clientId", test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_CLIENT_ID"))); + subdoc.append( + kvp("clientSecret", test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_CLIENT_SECRET"))); + subdoc.append(kvp("identityPlatformEndpoint", azure)); + })); + + kms_doc.append(kvp("gcp", [&](sub_document subdoc) { + subdoc.append(kvp("email", test_util::getenv_or_fail("MONGOCXX_TEST_GCP_EMAIL"))); + subdoc.append(kvp("privateKey", test_util::getenv_or_fail("MONGOCXX_TEST_GCP_PRIVATEKEY"))); + subdoc.append(kvp("endpoint", gcp)); + })); + + kms_doc.append(kvp("kmip", [&](sub_document subdoc) { subdoc.append(kvp("endpoint", kmip)); })); + + return kms_doc.extract(); +} + +enum struct with_certs { none, ca_only, cert_only, both }; + +bsoncxx::document::value make_tls_opts_with_certs(with_certs with) { + bsoncxx::builder::basic::document tls_opts; + + stdx::string_view providers[] = {"aws", "azure", "gcp", "kmip"}; + + for (const auto& provider : providers) { + tls_opts.append(kvp(provider, [&](sub_document subdoc) { + if (with == with_certs::ca_only || with == with_certs::both) { + subdoc.append( + kvp("tlsCAFile", test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CA_FILE"))); + } + + if (with == with_certs::cert_only || 
with == with_certs::both) { + subdoc.append( + kvp("tlsCertificateKeyFile", + test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE"))); + } + })); + } + + return tls_opts.extract(); +} + +client_encryption make_prose_test_11_ce(mongocxx::client* client, + stdx::string_view azure, + stdx::string_view gcp, + stdx::string_view kmip, + with_certs with) { + options::client_encryption cse_opts; + cse_opts.key_vault_client(client); + cse_opts.key_vault_namespace({"keyvault", "datakeys"}); + cse_opts.kms_providers(make_kms_providers_with_custom_endpoints(azure, gcp, kmip)); + cse_opts.tls_opts(make_tls_opts_with_certs(with)); + return client_encryption(std::move(cse_opts)); +} + +// CDRIVER-4181: may fail due to unexpected invalid hostname errors if C Driver was built with VS +// 2015 and uses Secure Channel (ENABLE_SSL=WINDOWS). +TEST_CASE("KMS TLS Options Tests", "[client_side_encryption][!mayfail]") { + instance::current(); + + auto setup_client = client(uri(), test_util::add_test_server_api()); + + if (!mongocxx::test_util::should_run_client_side_encryption_test()) { + return; + } + + // Support for detailed certificate verify failure messages required by this test are only + // available in libmongoc 1.20.0 and newer (CDRIVER-3927). + if (!mongoc_check_version(1, 20, 0)) { + WARN("Skipping - libmongoc version is < 1.20.0 (CDRIVER-3927)"); + return; + } + + // Required CA certificates may not be registered on system. See BUILD-14068. + if (std::getenv("MONGOCXX_TEST_SKIP_KMS_TLS_TESTS")) { + WARN("Skipping - KMS TLS tests disabled (BUILD-14068)"); + return; + } + + if (test_util::get_max_wire_version(setup_client) < 8) { + // Automatic encryption requires wire version 8. 
+ WARN("Skipping - max wire version is < 8"); + return; + } + + auto client_encryption_no_client_cert = make_prose_test_11_ce( + &setup_client, "127.0.0.1:9002", "127.0.0.1:9002", "127.0.0.1:5698", with_certs::ca_only); + auto client_encryption_with_tls = make_prose_test_11_ce( + &setup_client, "127.0.0.1:9002", "127.0.0.1:9002", "127.0.0.1:5698", with_certs::both); + auto client_encryption_expired = make_prose_test_11_ce( + &setup_client, "127.0.0.1:9000", "127.0.0.1:9000", "127.0.0.1:9000", with_certs::ca_only); + auto client_encryption_invalid_hostname = make_prose_test_11_ce( + &setup_client, "127.0.0.1:9001", "127.0.0.1:9001", "127.0.0.1:9001", with_certs::ca_only); + + const auto expired_cert_matcher = Catch::Contains("expired", Catch::CaseSensitive::No); + const auto invalid_hostname_matcher = Catch::Matches( + // Content of error message may vary depending on the SSL library being used. + ".*(mismatch|doesn't match|not present).*", + Catch::CaseSensitive::No); + + SECTION("Case 1 - AWS") { + // Expect an error indicating TLS handshake failed. + // Note: The remote server may disconnect during the TLS handshake, causing miscellaneous + // errors instead of a neat handshake failure. Just assert that *an* error occurred. + CHECK_THROWS_AS( + client_encryption_no_client_cert.create_data_key( + "aws", + options::data_key().master_key( + document() + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "127.0.0.1:9002" << finalize)), + mongocxx::exception); + + // Expect an error from libmongocrypt with a message containing the string: "parse error". + // This implies TLS handshake succeeded. 
+ CHECK_THROWS_WITH( + client_encryption_with_tls.create_data_key( + "aws", + options::data_key().master_key( + document() + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "127.0.0.1:9002" << finalize)), + Catch::Contains("parse error", Catch::CaseSensitive::No)); + + // Expect an error indicating TLS handshake failed due to an expired certificate. + CHECK_THROWS_WITH( + client_encryption_with_tls.create_data_key( + "aws", + options::data_key().master_key( + document() + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "127.0.0.1:9000" << finalize)), + expired_cert_matcher); + + // Expect an error indicating TLS handshake failed due to an invalid hostname. + CHECK_THROWS_WITH( + client_encryption_with_tls.create_data_key( + "aws", + options::data_key().master_key( + document() + << "region" + << "us-east-1" + << "key" + << "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + << "endpoint" + << "127.0.0.1:9001" << finalize)), + invalid_hostname_matcher); + } + + SECTION("Case 2 - Azure") { + options::data_key opts; + + opts.master_key(document() << "keyVaultEndpoint" + << "doesnotexist.local" + << "keyName" + << "foo" << finalize); + + // Expect an error indicating TLS handshake failed. + // Note: The remote server may disconnect during the TLS handshake, causing miscellaneous + // errors instead of a neat handshake failure. Just assert that *an* error occurred. + CHECK_THROWS_AS(client_encryption_no_client_cert.create_data_key("azure", opts), + mongocxx::exception); + + // Expect an error from libmongocrypt with a message containing the string: "HTTP + // status=404". This implies TLS handshake succeeded. 
+ CHECK_THROWS_WITH(client_encryption_with_tls.create_data_key("azure", opts), + Catch::Contains("HTTP status=404", Catch::CaseSensitive::No)); + + // Expect an error indicating TLS handshake failed due to an expired certificate. + CHECK_THROWS_WITH(client_encryption_expired.create_data_key("azure", opts), + expired_cert_matcher); + + // Expect an error indicating TLS handshake failed due to an invalid hostname. + CHECK_THROWS_WITH(client_encryption_invalid_hostname.create_data_key("azure", opts), + invalid_hostname_matcher); + } + + SECTION("Case 3 - GCP") { + options::data_key opts; + + opts.master_key(document() << "projectId" + << "foo" + << "location" + << "bar" + << "keyRing" + << "baz" + << "keyName" + << "foo" << finalize); + + // Expect an error indicating TLS handshake failed. + // Note: The remote server may disconnect during the TLS handshake, causing miscellaneous + // errors instead of a neat handshake failure. Just assert that *an* error occurred. + CHECK_THROWS_AS(client_encryption_no_client_cert.create_data_key("gcp", opts), + mongocxx::exception); + + // Expect an error from libmongocrypt with a message containing the string: "HTTP + // status=404". This implies TLS handshake succeeded. + CHECK_THROWS_WITH(client_encryption_with_tls.create_data_key("gcp", opts), + Catch::Contains("HTTP status=404", Catch::CaseSensitive::No)); + + // Expect an error indicating TLS handshake failed due to an expired certificate. + CHECK_THROWS_WITH(client_encryption_expired.create_data_key("gcp", opts), + expired_cert_matcher); + + // Expect an error indicating TLS handshake failed due to an invalid hostname. + CHECK_THROWS_WITH(client_encryption_invalid_hostname.create_data_key("gcp", opts), + invalid_hostname_matcher); + } + + SECTION("Case 4 - KMIP") { + options::data_key opts; + + opts.master_key({}); + + // Expect an error indicating TLS handshake failed. 
+ // Note: The remote server may disconnect during the TLS handshake, causing miscellaneous + // errors instead of a neat handshake failure. Just assert that *an* error occurred. + CHECK_THROWS_AS(client_encryption_no_client_cert.create_data_key("kmip", opts), + mongocxx::exception); + + // Expect success. + CHECK_NOTHROW(client_encryption_with_tls.create_data_key("kmip", opts)); + + // Expect an error indicating TLS handshake failed due to an expired certificate. + CHECK_THROWS_WITH(client_encryption_expired.create_data_key("kmip", opts), + expired_cert_matcher); + + // Expect an error indicating TLS handshake failed due to an invalid hostname. + CHECK_THROWS_WITH(client_encryption_invalid_hostname.create_data_key("kmip", opts), + invalid_hostname_matcher); + } +} + } // namespace diff --git a/src/mongocxx/test/spec/client_side_encryption.cpp b/src/mongocxx/test/spec/client_side_encryption.cpp index db89ed7687..3f8d42cfd5 100644 --- a/src/mongocxx/test/spec/client_side_encryption.cpp +++ b/src/mongocxx/test/spec/client_side_encryption.cpp 
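Review bot: In `SECTION("Case 1 - AWS")` the expired-certificate and invalid-hostname checks call `client_encryption_with_tls.create_data_key(...)`, while the Azure, GCP and KMIP sections use `client_encryption_expired` and `client_encryption_invalid_hostname` for the same two checks. Because the AWS endpoint comes from the master key, the assertions likely still pass, but they run with the client certificate loaded and leave the two dedicated clients unexercised for AWS. `client_encryption_expired.create_data_key(` and `client_encryption_invalid_hostname.create_data_key(` would match the other sections. Separately, `[!mayfail]` on the whole test case means a regression in which an expired or mismatched certificate is accepted would be reported without failing the run. Consider limiting the tag to the configuration named in the CDRIVER-4181 comment so the certificate-rejection checks stay enforced elsewhere.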
@@ -77,79 +77,70 @@ void add_auto_encryption_opts(document::view test, options::client* client_opts) auto_encrypt_opts.schema_map(test_encrypt_opts["schemaMap"].get_document().value); } - if (test_encrypt_opts["kmsProviders"]) { + if (const auto providers = test_encrypt_opts["kmsProviders"]) { using bsoncxx::builder::basic::kvp; using bsoncxx::builder::basic::sub_document; - auto kms_doc = bsoncxx::builder::basic::document{}; + bsoncxx::builder::basic::document kms_doc; + bsoncxx::builder::basic::document tls_opts; // Add aws credentials (from the environment) - if (test_encrypt_opts["kmsProviders"]["aws"]) { - auto access_key = std::getenv("MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY"); - auto key_id = std::getenv("MONGOCXX_TEST_AWS_ACCESS_KEY_ID"); - - if (!access_key || !key_id) { - FAIL( - "Please set environment variables for client side encryption tests:\n" - "\tMONGOCXX_TEST_AWS_SECRET_ACCESS_KEY\n" - "\tMONGOCXX_TEST_AWS_ACCESS_KEY_ID\n\n"); - } - - kms_doc.append(kvp("aws", [&](sub_document subdoc) { - subdoc.append(kvp("secretAccessKey", access_key)); - subdoc.append(kvp("accessKeyId", key_id)); + if (providers["aws"]) { + kms_doc.append(kvp("aws", [](sub_document subdoc) { + subdoc.append( + kvp("secretAccessKey", + test_util::getenv_or_fail("MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY"))); + subdoc.append( + kvp("accessKeyId", + test_util::getenv_or_fail("MONGOCXX_TEST_AWS_ACCESS_KEY_ID"))); })); } // Add gcp credentials (from the enviornment): - if (test_encrypt_opts["kmsProviders"]["gcp"]) { - auto email = getenv("MONGOCXX_TEST_GCP_EMAIL"); - auto private_key = getenv("MONGOCXX_TEST_GCP_PRIVATEKEY"); - - if (!email || !private_key) { - FAIL( - "Please set environment variables for client side encryption tests:\n" - "\tMONGOCXX_TEST_GCP_EMAIL\n" - "\tMONGOCXX_TEST_GCP_PRIVATEKEY\n" - "\n"); - } - - kms_doc.append(kvp("gcp", [&email, &private_key](sub_document subdoc) { - subdoc.append(kvp("email", email)); - subdoc.append(kvp("privateKey", private_key)); + if 
(providers["gcp"]) { + kms_doc.append(kvp("gcp", [](sub_document subdoc) { + subdoc.append( + kvp("email", test_util::getenv_or_fail("MONGOCXX_TEST_GCP_EMAIL"))); + subdoc.append(kvp("privateKey", + test_util::getenv_or_fail("MONGOCXX_TEST_GCP_PRIVATEKEY"))); })); } // Add Azure credentials (from the environment): - if (test_encrypt_opts["kmsProviders"]["azure"]) { - auto tenantId = getenv("MONGOCXX_TEST_AZURE_TENANT_ID"); - auto clientId = getenv("MONGOCXX_TEST_AZURE_CLIENT_ID"); - auto clientSecret = getenv("MONGOCXX_TEST_AZURE_CLIENT_SECRET"); - - if (!tenantId || !clientId || !clientSecret) { - FAIL( - "Please set environment variables for client side encryption tests:\n" - "\tMONGOCXX_TEST_AZURE_TENANT_ID\n" - "\tMONGOCXX_TEST_AZURE_CLIENT_ID\n" - "\tMONGOCXX_TEST_AZURE_CLIENT_SECRET\n" - "\n"); - } + if (providers["azure"]) { + kms_doc.append(kvp("azure", [](sub_document subdoc) { + subdoc.append(kvp("tenantId", + test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_TENANT_ID"))); + subdoc.append(kvp("clientId", + test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_CLIENT_ID"))); + subdoc.append( + kvp("clientSecret", + test_util::getenv_or_fail("MONGOCXX_TEST_AZURE_CLIENT_SECRET"))); + })); + } - kms_doc.append( - kvp("azure", [&tenantId, &clientId, &clientSecret](sub_document subdoc) { - subdoc.append(kvp("tenantId", tenantId)); - subdoc.append(kvp("clientId", clientId)); - subdoc.append(kvp("clientSecret", clientSecret)); - })); + // Add KMIP credentials (from the json file): + if (providers["kmip"]) { + kms_doc.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append(kvp("endpoint", "localhost:5698")); + })); + + tls_opts.append(kvp("kmip", [&](sub_document subdoc) { + subdoc.append(kvp( + "tlsCAFile", test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CA_FILE"))); + subdoc.append(kvp( + "tlsCertificateKeyFile", + test_util::getenv_or_fail("MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE"))); + })); } // Add local credentials (from the json file) - if 
(test_encrypt_opts["kmsProviders"]["local"]) { - kms_doc.append( - kvp("local", test_encrypt_opts["kmsProviders"]["local"].get_document().value)); + if (providers["local"]) { + kms_doc.append(kvp("local", providers["local"].get_document().value)); } auto_encrypt_opts.kms_providers({kms_doc.extract()}); + auto_encrypt_opts.tls_opts({tls_opts.extract()}); } char* bypass_spawn = std::getenv("ENCRYPTION_TESTS_BYPASS_SPAWN"); 
@@ -198,103 +189,106 @@ void run_encryption_tests_in_file(const std::string& test_path) { wc_majority.acknowledge_level(write_concern::level::k_majority); for (auto&& test : tests) { - auto description = test["description"].get_string().value; - INFO("Test description: " << description); - if (should_skip_spec_test(client{uri{}, test_util::add_test_server_api()}, - test.get_document().value)) { - continue; - } + const auto description = string::to_string(test["description"].get_string().value); - options::client client_opts; + SECTION(description) { + if (should_skip_spec_test(client{uri{}, test_util::add_test_server_api()}, + test.get_document().value)) { + continue; + } - apm_checker apm_checker; - client_opts.apm_opts(apm_checker.get_apm_opts(true /* command_started_events_only */)); + options::client client_opts; - add_auto_encryption_opts(test.get_document().value, &client_opts); + apm_checker apm_checker; + client_opts.apm_opts(apm_checker.get_apm_opts(true /* command_started_events_only */)); - if (strcmp(test["description"].get_string().value.data(), - "operation fails with maxWireVersion < 8") == 0) { - // We cannot create a client with auto encryption enabled on 4.0, - // and it fails in different ways on Windows and POSIX, so rather - // than running this test, skip it. - continue; - } + add_auto_encryption_opts(test.get_document().value, &client_opts); - bool check_results_logging = false; - if (strcmp(test["description"].get_string().value.data(), - "Insert with deterministic encryption, then find it") == 0) { - // CDRIVER-3566 Remove this once windows is debugged. - check_results_logging = true; - } + if (strcmp(test["description"].get_string().value.data(), + "operation fails with maxWireVersion < 8") == 0) { + // We cannot create a client with auto encryption enabled on 4.0, + // and it fails in different ways on Windows and POSIX, so rather + // than running this test, skip it. 
+ continue; + } - class client client { - get_uri(test.get_document().value), test_util::add_test_server_api(client_opts), - }; - - auto db = client[db_name]; - auto test_coll = db[coll_name]; - - _set_up_key_vault(setup_client, test_spec_view); - set_up_collection(setup_client, test_spec_view); - - for (auto&& op : test["operations"].get_array().value) { - if (check_results_logging) { - fprintf(stdout, - "about to run operation %s\n", - to_json(op.get_document().value).c_str()); - fprintf(stdout, "collection contents before: \n"); - auto cursor = test_coll.find({}); - for (auto&& doc : cursor) { - fprintf(stdout, "%s\n", to_json(doc).c_str()); - } - fprintf(stdout, "\n\n"); + bool check_results_logging = false; + if (strcmp(test["description"].get_string().value.data(), + "Insert with deterministic encryption, then find it") == 0) { + // CDRIVER-3566 Remove this once windows is debugged. + check_results_logging = true; } - run_operation_check_result(op.get_document().value, [&]() { - return operation_runner{&db, &test_coll}; - }); + class client client { + get_uri(test.get_document().value), test_util::add_test_server_api(client_opts), + }; - if (check_results_logging) { - fprintf(stdout, "after running operation, collection contents:\n"); - auto cursor = test_coll.find({}); - for (auto&& doc : cursor) { - fprintf(stdout, "%s\n", to_json(doc).c_str()); + auto db = client[db_name]; + auto test_coll = db[coll_name]; + + _set_up_key_vault(setup_client, test_spec_view); + set_up_collection(setup_client, test_spec_view); + + for (auto&& op : test["operations"].get_array().value) { + if (check_results_logging) { + fprintf(stdout, + "about to run operation %s\n", + to_json(op.get_document().value).c_str()); + fprintf(stdout, "collection contents before: \n"); + auto cursor = test_coll.find({}); + for (auto&& doc : cursor) { + fprintf(stdout, "%s\n", to_json(doc).c_str()); + } + fprintf(stdout, "\n\n"); + } + + run_operation_check_result(op.get_document().value, [&]() { + 
return operation_runner{&db, &test_coll}; + }); + + if (check_results_logging) { + fprintf(stdout, "after running operation, collection contents:\n"); + auto cursor = test_coll.find({}); + for (auto&& doc : cursor) { + fprintf(stdout, "%s\n", to_json(doc).c_str()); + } + fprintf(stdout, "\n\n"); } - fprintf(stdout, "\n\n"); } - } - if (test["expectations"]) { - // remove this if statement - if (!check_results_logging) { - apm_checker.compare(test["expectations"].get_array().value, true); + if (test["expectations"]) { + // remove this if statement + if (!check_results_logging) { + apm_checker.compare(test["expectations"].get_array().value, true); + } } - } - if (test["outcome"] && test["outcome"]["collection"]) { - class client plaintext_client { - uri{}, test_util::add_test_server_api(), - }; + if (test["outcome"] && test["outcome"]["collection"]) { + class client plaintext_client { + uri{}, test_util::add_test_server_api(), + }; - read_preference rp; - read_concern rc; - rp.mode(read_preference::read_mode::k_primary); - rc.acknowledge_level(read_concern::level::k_local); + read_preference rp; + read_concern rc; + rp.mode(read_preference::read_mode::k_primary); + rc.acknowledge_level(read_concern::level::k_local); - auto outcome_coll = plaintext_client[db_name][coll_name]; - outcome_coll.read_concern(rc); - outcome_coll.read_preference(std::move(rp)); + auto outcome_coll = plaintext_client[db_name][coll_name]; + outcome_coll.read_concern(rc); + outcome_coll.read_preference(std::move(rp)); - test_util::check_outcome_collection(&outcome_coll, - test["outcome"]["collection"].get_document().value); + test_util::check_outcome_collection( + &outcome_coll, test["outcome"]["collection"].get_document().value); + } } } } TEST_CASE("Client side encryption spec automated tests", "[client_side_encryption_spec]") { instance::current(); - /* Tests that use operations that the C++ driver does not have. 
*/ - std::set unsupported_tests = {"count.json", "unsupportedCommand.json"}; + + std::set unsupported_tests = { + "badQueries.json", "count.json", "unsupportedCommand.json"}; char* encryption_tests_path = std::getenv("ENCRYPTION_TESTS_PATH"); REQUIRE(encryption_tests_path); @@ -313,12 +307,15 @@ TEST_CASE("Client side encryption spec automated tests", "[client_side_encryptio std::string test_file; while (std::getline(test_files, test_file)) { - if (std::find(unsupported_tests.begin(), unsupported_tests.end(), test_file) != - unsupported_tests.end()) { - WARN("skipping " << test_file << " due to unsupported operation"); - continue; + SECTION(test_file) { + if (std::find(unsupported_tests.begin(), unsupported_tests.end(), test_file) != + unsupported_tests.end()) { + WARN("skipping " << test_file); + continue; + } + + run_encryption_tests_in_file(path + "/" + test_file); } - run_encryption_tests_in_file(path + "/" + test_file); } } diff --git a/src/mongocxx/test/spec/monitoring.cpp b/src/mongocxx/test/spec/monitoring.cpp index 6fa6c9bd2e..4ea989881b 100644 --- a/src/mongocxx/test/spec/monitoring.cpp +++ b/src/mongocxx/test/spec/monitoring.cpp 
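Review bot: The two description checks inside the new `SECTION(description)` block still call `strcmp` on `test["description"].get_string().value.data()`, which treats a string view's buffer as a NUL-terminated C string. The hunk already builds `description` as a `std::string`, so the first check can become `if (description == "operation fails with maxWireVersion < 8") {`, with the same form for the "Insert with deterministic encryption, then find it" case. That compares the full length and removes the repeated lookups of `test["description"]`. The body of `run_encryption_tests_in_file` starts above the hunk, so anything declared there is not visible here.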
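Review bot: The `WARN("skipping " << test_file)` line in the new `SECTION(test_file)` block no longer gives a reason. The previous hunk also deletes the comment that explained the skip list, while adding `badQueries.json` to it. Nothing in the visible change records why that file is excluded, and a silently skipped spec file is easy to forget once the blocker is resolved. I would keep a reason beside each entry, for example `// badQueries.json: skipped, see <ticket placeholder>`, and keep one in the message: `WARN("skipping " << test_file << ": listed in unsupported_tests");`.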
@@ -97,10 +97,23 @@ void apm_checker::compare(bsoncxx::array::view expectations, bool allow_extra, const test_util::match_visitor& match_visitor) { auto is_ignored = [&](bsoncxx::document::value v) { + const auto view = v.view(); + + // CXX-2155: Sharing a MongoClient for metadata lookup can lead to deadlock in + // drivers using automatic encryption. Since the C++ driver does not use a separate + // `client` for listCollections and finds on the key vault, we skip these checks. + if (view["command_started_event"]["command"]["listCollections"]) { + const auto db = view["command_started_event"]["command"]["$db"]; + + if (db && db.get_string().value == stdx::string_view("keyvault")) { + return true; + } + } + return std::any_of(std::begin(_ignore), std::end(_ignore), [&](stdx::string_view key) { - return v.view()["command_started_event"]["command"][key] || - v.view()["command_failed_event"]["command"][key] || - v.view()["command_succeeded_event"]["command"][key]; + return view["command_started_event"]["command"][key] || + view["command_failed_event"]["command"][key] || + view["command_succeeded_event"]["command"][key]; }); }; diff --git a/src/mongocxx/test/spec/util.cpp b/src/mongocxx/test/spec/util.cpp index a7784113a2..390512c90f 100644 --- a/src/mongocxx/test/spec/util.cpp +++ b/src/mongocxx/test/spec/util.cpp @@ -344,11 +344,9 @@ void run_operation_check_result(document::view op, make_op_runner_fn make_op_run auto error_contains = test_util::tolowercase(op["result"]["errorContains"].get_string().value); REQUIRE(test_util::tolowercase(error_msg).find(error_contains) < error_msg.length()); - } else { - if (exception) { - FAIL("operation " << bsoncxx::to_json(op) - << " threw an unexpected exception: " << exception->what()); - } + } else if (exception) { + CAPTURE(server_error); + FAIL("unexpected exception: " << error_msg); } // "If the result document has an 'errorCodeName' field, verify that the method threw a 
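Review bot: The comment added at the top of `is_ignored` says that listCollections and finds on the key vault are both skipped, but the code under it only filters `command_started_event` entries whose command is `listCollections` with `$db` equal to `"keyvault"`. If key vault finds are filtered elsewhere (for example through `_ignore`), the comment should say so; otherwise reword it to `// Only listCollections against the "keyvault" database is ignored here.`. `apm_checker::compare` looks like a shared helper rather than something specific to client-side encryption, so the comment should also state that the database name is hard-coded. The body of `compare` continues past the hunk.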
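Review bot: The new `FAIL("unexpected exception: " << error_msg)` drops the operation document that the removed message printed, so a failure inside a multi-operation test no longer says which operation threw. Adding `INFO("operation: " << bsoncxx::to_json(op));` ahead of `CAPTURE(server_error);` keeps that context in the report. `error_msg` and `server_error` are set earlier in `run_operation_check_result`, outside the hunk, so I am assuming both are populated on this path.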
diff --git a/src/mongocxx/test_util/client_helpers.cpp b/src/mongocxx/test_util/client_helpers.cpp index 733b957b54..cb714269d1 100644 --- a/src/mongocxx/test_util/client_helpers.cpp +++ b/src/mongocxx/test_util/client_helpers.cpp @@ -482,13 +482,17 @@ bool should_run_client_side_encryption_test(void) { return false; #endif - std::vector vars{"MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY", - "MONGOCXX_TEST_AWS_ACCESS_KEY_ID", - "MONGOCXX_TEST_GCP_EMAIL", - "MONGOCXX_TEST_GCP_PRIVATEKEY", - "MONGOCXX_TEST_AZURE_TENANT_ID", - "MONGOCXX_TEST_AZURE_CLIENT_ID", - "MONGOCXX_TEST_AZURE_CLIENT_SECRET"}; + std::vector vars{ + "MONGOCXX_TEST_AWS_SECRET_ACCESS_KEY", + "MONGOCXX_TEST_AWS_ACCESS_KEY_ID", + "MONGOCXX_TEST_AZURE_TENANT_ID", + "MONGOCXX_TEST_AZURE_CLIENT_ID", + "MONGOCXX_TEST_AZURE_CLIENT_SECRET", + "MONGOCXX_TEST_CSFLE_TLS_CA_FILE", + "MONGOCXX_TEST_CSFLE_TLS_CERTIFICATE_KEY_FILE", + "MONGOCXX_TEST_GCP_EMAIL", + "MONGOCXX_TEST_GCP_PRIVATEKEY", + }; std::ostringstream os; os << "Please set environment variables to enable client side encryption tests:\n";