update for libmongocrypt 1.5.2 #1037
Conversation
Accounts for changes made in MONGOCRYPT-437
kevinAlbs
changed the title
kevinAlbs
changed the title
| # After: "can only execute encrypted equality queries with an encrypted equality index" | ||
| # Use a small common substring. | ||
| errorContains: "encrypt" |
There was a problem hiding this comment.
| errorContains: "encrypt" | |
| errorContains: "encrypt" | |
[opt] also missing newline in the spec PR.
There was a problem hiding this comment.
The .yml file is generated from a template: https://github.com/mongodb/specifications/blob/07260166cb48ef6d9455661ad5f1166a87bc7291/source/client-side-encryption/etc/generate-test.py#L614
I will leave this as-is for now.
mongo/client_encryption.go
Outdated
| // libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey. | ||
| // Check if the version string starts with 1.5.0 or 1.5.1. This accounts for pre-release versions, like 1.5.0-rc0. | ||
| libmongocryptVersion := mongocrypt.Version() | ||
| if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { |
There was a problem hiding this comment.
[nit] I'd probably use strings.HasPrefix for clarity.
| mt.Run(fmt.Sprintf("%s to %s", srcProvider, dstProvider), func(mt *mtest.T) { | ||
| var err error | ||
| // Drop the collection ``keyvault.datakeys``. | ||
| { |
There was a problem hiding this comment.
Hmm is the point of these empty blocks just to emphasize what the steps of this test are? Or are you using them for some scope logic that I'm not understanding 🧑🔧 . If it's just for emphasizing the steps, I'm not sure it's necessary.
There was a problem hiding this comment.
Yes, it is to emphasize what code accomplishes the step. It is not necessary.
| if val, ok := dataKeyMap[dstProvider]; ok { | ||
| rwOpts.SetMasterKey(val) | ||
| } | ||
| res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{{}}, rwOpts) |
There was a problem hiding this comment.
| res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{{}}, rwOpts) | |
| res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{}, rwOpts) |
Should this just be bson.D{} if you want an empty filter?
mongo/doc.go
Outdated
| @@ -110,7 +110,7 @@ | |||
| // - Go Driver v1.2.0 requires libmongocrypt v1.0.0 or higher | |||
| // - Go Driver v1.5.0 requires libmongocrypt v1.1.0 or higher | |||
| // - Go Driver v1.8.0 requires libmongocrypt v1.3.0 or higher | |||
| // - Go Driver v1.10.0 requires libmongocrypt v1.5.0 or higher | |||
| // - Go Driver v1.10.0 requires libmongocrypt v1.5.2 or higher | |||
There was a problem hiding this comment.
Optional: This is slightly odd messaging and conflates compatibility requirements with libmongocrypt version retraction. My understanding is that libmongocrypt v1.5.0 and v1.5.1 contain serious bugs that can cause data corruption, but are technically build-compatible with Go Driver v1.10.0. Consider adding a note that describes why libmongocrypt v1.5.0/v1.5.1 shouldn't be used.
There was a problem hiding this comment.
I have updated to say v1.5.0 is required but added a note to say 1.5.2 is required to avoid the severe bug in RewrapManyDataKey.
| libmongocryptVersion := mongocrypt.Version() | ||
| if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { | ||
| return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion) | ||
| } |
There was a problem hiding this comment.
These updates will only apply to users who update to Go Driver v1.10.1+ and could be missed by users who are using Go Driver v1.10.0. Are there other ways we're messaging to Go Driver users that they shouldn't use libmongocrypt v1.5.0/v1.5.1 (e.g. retraction notices on the libmongocrypt download page)?
There was a problem hiding this comment.
Good question. I updated the libmongocrypt release notes and changelog to add a warning. There is no libmongocrypt downloads page. Go users are advised to download libmongocrypt from Homebrew, the Linux packages we maintain, or the Windows download URL.
One option is to update the Go driver 1.10.0 release notes to add a notice like the following. I have asked in the team channel.
|
Updated to retract v1.10.0. |
| // - Go Driver v1.10.0 requires libmongocrypt v1.5.0 or higher. | ||
| // There is a severe bug when calling RewrapManyDataKey with libmongocrypt versions less than 1.5.2. | ||
| // This bug may result in data corruption. | ||
| // Please use libmongocrypt 1.5.2 or higher when calling RewrapManyDataKey. |
There was a problem hiding this comment.
Great godoc format improvement!
| libmongocryptVersion := mongocrypt.Version() | ||
| if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { | ||
| return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion) | ||
| } |
Resolve GODRIVER-2511: * Add CSFLE prose test 16. * Update tests to use libmongocrypt 1.5.2. Resolve GODRIVER-2513: * Return error if libmongocrypt < 1.5.2 is detected in RewrapManyDataKey. * Retract Go driver release v1.10.0. Resolve GODRIVER-2509: * Resync RewrapManyDataKey specification tests to mongodb/specifications@10b4a41. * Resolve GODRIVER-2512: Resolve GODRIVER-2512: - Resync fle2-InsertFind-Unindexed.json
Summary
Resolve GODRIVER-2511:
Resolve GODRIVER-2513:
Resolve GODRIVER-2509:
Resolve GODRIVER-2512:
Background & Motivation
libmongocrypt 1.5.2 includes a fix to a severe bug introduced in libmongocrypt 1.5.0: MONGOCRYPT-464.