return error if libmongocrypt < 1.5.2 is detected in RewrapManyDataKey

mongodb · Jul 30, 2022 · cc643a5 · cc643a5
1 parent da89e92
commit cc643a5
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/mongo/client_encryption.go b/mongo/client_encryption.go
@@ -249,9 +249,17 @@ func setRewrapManyDataKeyWriteModels(rewrappedDocuments []bsoncore.Document, wri
 // RewrapManyDataKey decrypts and encrypts all matching data keys with a possibly new masterKey value. For all
 // matching documents, this method will overwrite the "masterKey", "updateDate", and "keyMaterial". On error, some
 // matching data keys may have been rewrapped.
+// libmongocrypt 1.5.2 is required. An error is returned if the detected version of libmongocrypt is less than 1.5.2.
 func (ce *ClientEncryption) RewrapManyDataKey(ctx context.Context, filter interface{},
 	opts ...*options.RewrapManyDataKeyOptions) (*RewrapManyDataKeyResult, error) {
 
+	// libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey.
+	// Check if the version string starts with 1.5.0 or 1.5.1. This accounts for pre-release versions, like 1.5.0-rc0.
+	libmongocryptVersion := mongocrypt.MongoCryptVersion()
+	if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 {
+		return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion)
+	}
+
 	rmdko := options.MergeRewrapManyDataKeyOptions(opts...)
 	if ctx == nil {
 		ctx = context.Background()

diff --git a/x/mongo/driver/mongocrypt/mongocrypt.go b/x/mongo/driver/mongocrypt/mongocrypt.go
@@ -29,6 +29,12 @@ type MongoCrypt struct {
 	wrapped *C.mongocrypt_t
 }
 
+// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string
+// if libmongocrypt was not loaded.
+func MongoCryptVersion() string {
+	str := C.GoString(C.mongocrypt_version(nil))
+	return str
+}
 // NewMongoCrypt constructs a new MongoCrypt instance configured using the provided MongoCryptOptions.
 func NewMongoCrypt(opts *options.MongoCryptOptions) (*MongoCrypt, error) {
 	// create mongocrypt_t handle

diff --git a/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go b/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go
@@ -19,6 +19,12 @@ const cseNotSupportedMsg = "client-side encryption not enabled. add the cse buil
 // MongoCrypt represents a mongocrypt_t handle.
 type MongoCrypt struct{}
 
+// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string
+// if libmongocrypt was not loaded.
+func MongoCryptVersion() string {
+	return ""
+}
+
 // NewMongoCrypt constructs a new MongoCrypt instance configured using the provided MongoCryptOptions.
 func NewMongoCrypt(opts *options.MongoCryptOptions) (*MongoCrypt, error) {
 	panic(cseNotSupportedMsg)