From 05226d6d9883ed890704679d1e0b50fd326476f7 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Fri, 29 Jul 2022 15:24:42 -0400 Subject: [PATCH 01/16] add CSFLE prose test 16 --- .../client_side_encryption_prose_test.go | 134 ++++++++++++++++++ 1 file changed, 134 insertions(+) diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go index 46e42be803..4a57f59e4c 100644 --- a/mongo/integration/client_side_encryption_prose_test.go +++ b/mongo/integration/client_side_encryption_prose_test.go 
@@ -1855,6 +1855,140 @@ func TestClientSideEncryptionProse(t *testing.T) { }) }) + + mt.RunOpts("16. Rewrap", runOpts, func(mt *mtest.T) { + mt.Run("Case 1: Rewrap with separate ClientEncryption", func(mt *mtest.T) { + dataKeyMap := map[string]bson.M{ + "aws": { + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + }, + "azure": { + "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", + "keyName": "key-name-csfle", + }, + "gcp": { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle", + }, + "kmip": {}, + } + + tlsConfig := make(map[string]*tls.Config) + if tlsCAFileKMIP != "" && tlsClientCertificateKeyFileKMIP != "" { + tlsOpts := map[string]interface{}{ + "tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP, + "tlsCAFile": tlsCAFileKMIP, + } + kmipConfig, err := options.BuildTLSConfig(tlsOpts) + assert.Nil(mt, err, "BuildTLSConfig error: %v", err) + tlsConfig["kmip"] = kmipConfig + } + + kmsProviders := []string{"local", "aws", "gcp", "azure", "kmip"} + for _, srcProvider := range kmsProviders { + for _, dstProvider := range kmsProviders { + mt.Run(fmt.Sprintf("%s to %s", srcProvider, dstProvider), func(mt *mtest.T) { + var err error + // Drop the collection ``keyvault.datakeys``. + { + err = mt.Client.Database("keyvault").Collection("datakeys").Drop(context.Background()) + assert.Nil(mt, err, "error on Drop: %v", err) + } + + // Create a ``ClientEncryption`` object named ``clientEncryption1``. + var clientEncryption1 *mongo.ClientEncryption + { + var keyVaultClient *mongo.Client + { + co := options.Client().ApplyURI(mtest.ClusterURI()) + keyVaultClient, err = mongo.Connect(context.Background(), co) + defer keyVaultClient.Disconnect(context.Background()) + testutil.AddTestServerAPIVersion(co) + assert.Nil(mt, err, "error on Connect: %v", err) + } + ceOpts := options.ClientEncryption(). + SetKeyVaultNamespace("keyvault.datakeys"). 
+ SetKmsProviders(fullKmsProvidersMap). + SetTLSConfig(tlsConfig) + clientEncryption1, err = mongo.NewClientEncryption(keyVaultClient, ceOpts) + assert.Nil(mt, err, "error in NewClientEncryption: %v", err) + defer clientEncryption1.Close(context.Background()) + } + + // Call ``clientEncryption1.createDataKey``. + var keyID primitive.Binary + { + dkOpts := options.DataKey() + if val, ok := dataKeyMap[srcProvider]; ok { + dkOpts.SetMasterKey(val) + } + keyID, err = clientEncryption1.CreateDataKey(context.Background(), srcProvider, dkOpts) + assert.Nil(mt, err, "error in CreateDataKey: %v", err) + } + + // Call ``clientEncryption1.encrypt`` with the value "test". + var ciphertext primitive.Binary + { + t, value, err := bson.MarshalValue("test") + assert.Nil(mt, err, "error in MarshalValue: %v", err) + plaintext := bson.RawValue{Type: t, Value: value} + eOpts := options.Encrypt().SetKeyID(keyID).SetAlgorithm("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic") + ciphertext, err = clientEncryption1.Encrypt(context.Background(), plaintext, eOpts) + assert.Nil(mt, err, "error in Encrypt: %v", err) + } + + // Create a ``ClientEncryption`` object named ``clientEncryption2``. + var clientEncryption2 *mongo.ClientEncryption + { + var keyVaultClient *mongo.Client + { + co := options.Client().ApplyURI(mtest.ClusterURI()) + keyVaultClient, err = mongo.Connect(context.Background(), co) + defer keyVaultClient.Disconnect(context.Background()) + testutil.AddTestServerAPIVersion(co) + assert.Nil(mt, err, "error on Connect: %v", err) + } + ceOpts := options.ClientEncryption(). + SetKeyVaultNamespace("keyvault.datakeys"). + SetKmsProviders(fullKmsProvidersMap). + SetTLSConfig(tlsConfig) + clientEncryption2, err = mongo.NewClientEncryption(keyVaultClient, ceOpts) + assert.Nil(mt, err, "error in NewClientEncryption: %v", err) + defer clientEncryption2.Close(context.Background()) + } + + // Call ``clientEncryption2.rewrapManyDataKey`` with an empty ``filter``. 
+ { + rwOpts := options.RewrapManyDataKey().SetProvider(dstProvider) + if val, ok := dataKeyMap[dstProvider]; ok { + rwOpts.SetMasterKey(val) + } + res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{{}}, rwOpts) + assert.Nil(mt, err, "error in RewrapManyDataKey: %v", err) + assert.Equal(mt, res.BulkWriteResult.ModifiedCount, int64(1), "expected ModifiedCount of 1, got %v", res.BulkWriteResult.ModifiedCount) + } + + // Call ``clientEncryption1.decrypt`` with the ``ciphertext``. + { + plaintext, err := clientEncryption1.Decrypt(context.Background(), ciphertext) + assert.Nil(mt, err, "error in Decrypt: %v", err) + assert.Equal(mt, plaintext.StringValue(), "test", "expected plaintext 'test', got %q", plaintext.StringValue()) + } + + // Call ``clientEncryption2.decrypt`` with the ``ciphertext``. + { + plaintext, err := clientEncryption2.Decrypt(context.Background(), ciphertext) + assert.Nil(mt, err, "error in Decrypt: %v", err) + assert.Equal(mt, plaintext.StringValue(), "test", "expected plaintext 'test', got %q", plaintext.StringValue()) + } + }) + } + } + }) + }) } func getWatcher(mt *mtest.T, streamType mongo.StreamType, cpt *cseProseTest) watcher { From 2719c3357449df56c3989af55820030acf959bf0 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Fri, 29 Jul 2022 15:26:03 -0400 Subject: [PATCH 02/16] sync tests to https://github.com/mongodb/specifications/commit/10b4a41f8d282cebc5d3681adba27de18539d9f4 --- .../unified/createDataKey-kms_providers-invalid.json | 2 +- .../unified/createDataKey-kms_providers-invalid.yml | 2 +- data/client-side-encryption/unified/rewrapManyDataKey.json | 6 +++--- data/client-side-encryption/unified/rewrapManyDataKey.yml | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.json b/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.json index 16cf6ca70d..2344a61a95 100644 
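Review bot: In both keyVaultClient blocks, `testutil.AddTestServerAPIVersion(co)` runs after `mongo.Connect(context.Background(), co)` has presumably already consumed the options, so the server API version never reaches the client, and `defer keyVaultClient.Disconnect(context.Background())` is registered before the Connect error is checked, so if Connect returns a nil client the deferred Disconnect still runs on it when the assertion ends the test. Move `testutil.AddTestServerAPIVersion(co)` above the `mongo.Connect` line and move `defer keyVaultClient.Disconnect(context.Background())` below the `assert.Nil(mt, err, "error on Connect: %v", err)` line in both places. If `tlsCAFileKMIP` or `tlsClientCertificateKeyFileKMIP` is unset, the `kmip` iterations still run with no entry in `tlsConfig`; skipping those iterations explicitly would fail with a clearer message than a TLS handshake error. The enclosing TestClientSideEncryptionProse starts before this hunk.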
--- a/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.json +++ b/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.json @@ -1,5 +1,5 @@ { - "description": "createDataKey-provider-invalid", + "description": "createDataKey-kms_providers-invalid", "schemaVersion": "1.8", "runOnRequirements": [ { diff --git a/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.yml b/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.yml index 70e51acbdc..f692a09075 100644 --- a/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.yml +++ b/data/client-side-encryption/unified/createDataKey-kms_providers-invalid.yml @@ -1,4 +1,4 @@ -description: createDataKey-provider-invalid +description: createDataKey-kms_providers-invalid schemaVersion: "1.8" diff --git a/data/client-side-encryption/unified/rewrapManyDataKey.json b/data/client-side-encryption/unified/rewrapManyDataKey.json index 7e3abb1274..89860de0c0 100644 --- a/data/client-side-encryption/unified/rewrapManyDataKey.json +++ b/data/client-side-encryption/unified/rewrapManyDataKey.json @@ -1,5 +1,5 @@ { - "description": "rewrapManyDataKey-kms_providers", + "description": "rewrapManyDataKey", "schemaVersion": "1.8", "runOnRequirements": [ { 
@@ -128,7 +128,7 @@ ], "keyMaterial": { "$binary": { - "base64": "AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEGkNTybTc7Eyif0f+qqE0lAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDB2j78AeuIQxcRh8cQIBEIB7vj9buHEaT7XHFIsKBJiyzZRmNnjvqMK5LSdzonKdx97jlqauvPvTDXSsdQDcspUs5oLrGmAXpbFResscxmbwZoKgUtWiuIOpeAcYuszCiMKt15s1WIMLDXUhYtfCmhRhekvgHnRAaK4HJMlGE+lKJXYI84E0b86Cd/g+", + "base64": "pr01l7qDygUkFE/0peFwpnNlv3iIy8zrQK38Q9i12UCN2jwZHDmfyx8wokiIKMb9kAleeY+vnt3Cf1MKu9kcDmI+KxbNDd+V3ytAAGzOVLDJr77CiWjF9f8ntkXRHrAY9WwnVDANYkDwXlyU0Y2GQFTiW65jiQhUtYLYH63Tk48SsJuQvnWw1Q+PzY8ga+QeVec8wbcThwtm+r2IHsCFnc72Gv73qq7weISw+O4mN08z3wOp5FOS2ZM3MK7tBGmPdBcktW7F8ODGsOQ1FU53OrWUnyX2aTi2ftFFFMWVHqQo7EYuBZHru8RRODNKMyQk0BFfKovAeTAVRv9WH9QU7g==", "subType": "00" } }, @@ -196,7 +196,7 @@ ], "keyMaterial": { "$binary": { - "base64": "VoI9J8HusQ3u2gT9i8Awgg/6W4/igvLwRzn3SRDGx0Dl/1ayDMubphOw0ONPVKfuvS6HL3e4gAoCJ/uEz2KLFTVsEqYCpMhfAhgXxm8Ena8vDcOkCzFX+euvN/N2ES3wpzAD18b3qIH0MbBwKJP82d5GQ4pVfGnPW8Ujp9aO1qC/s0EqNqYyzJ1SyzhV9lAjHHGIENYJx+bBrekg2EeZBA==", + "base64": "CklVctHzke4mcytd0TxGqvepkdkQN8NUF4+jV7aZQITAKdz6WjdDpq3lMt9nSzWGG2vAEfvRb3mFEVjV57qqGqxjq2751gmiMRHXz0btStbIK3mQ5xbY9kdye4tsixlCryEwQONr96gwlwKKI9Nubl9/8+uRF6tgYjje7Q7OjauEf1SrJwKcoQ3WwnjZmEqAug0kImCpJ/irhdqPzivRiA==", "subType": "00" } }, diff --git a/data/client-side-encryption/unified/rewrapManyDataKey.yml b/data/client-side-encryption/unified/rewrapManyDataKey.yml index 28009f5473..5141558683 100644 --- a/data/client-side-encryption/unified/rewrapManyDataKey.yml +++ b/data/client-side-encryption/unified/rewrapManyDataKey.yml @@ -2,7 +2,7 @@ # commands sort the resulting documents in ascending order by the single-element # keyAltNames array to ensure alphabetic order by original KMS provider as # defined in initialData. -description: rewrapManyDataKey-kms_providers +description: rewrapManyDataKey schemaVersion: "1.8" 
@@ -50,7 +50,7 @@ initialData: region: us-east-1 - _id: &azure_key_id { $binary: { base64: YXp1cmVhenVyZWF6dXJlYQ==, subType: "04" } } keyAltNames: ["azure_key"] - keyMaterial: { $binary: { base64: AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEGkNTybTc7Eyif0f+qqE0lAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDB2j78AeuIQxcRh8cQIBEIB7vj9buHEaT7XHFIsKBJiyzZRmNnjvqMK5LSdzonKdx97jlqauvPvTDXSsdQDcspUs5oLrGmAXpbFResscxmbwZoKgUtWiuIOpeAcYuszCiMKt15s1WIMLDXUhYtfCmhRhekvgHnRAaK4HJMlGE+lKJXYI84E0b86Cd/g+, subType: "00" } } + keyMaterial: { $binary: { base64: pr01l7qDygUkFE/0peFwpnNlv3iIy8zrQK38Q9i12UCN2jwZHDmfyx8wokiIKMb9kAleeY+vnt3Cf1MKu9kcDmI+KxbNDd+V3ytAAGzOVLDJr77CiWjF9f8ntkXRHrAY9WwnVDANYkDwXlyU0Y2GQFTiW65jiQhUtYLYH63Tk48SsJuQvnWw1Q+PzY8ga+QeVec8wbcThwtm+r2IHsCFnc72Gv73qq7weISw+O4mN08z3wOp5FOS2ZM3MK7tBGmPdBcktW7F8ODGsOQ1FU53OrWUnyX2aTi2ftFFFMWVHqQo7EYuBZHru8RRODNKMyQk0BFfKovAeTAVRv9WH9QU7g==, subType: "00" } } creationDate: { $date: { $numberLong: "1641024000000" } } updateDate: { $date: { $numberLong: "1641024000000" } } status: 1 @@ -72,7 +72,7 @@ initialData: keyName: key-name-csfle - _id: &kmip_key_id { $binary: { base64: a21pcGttaXBrbWlwa21pcA==, subType: "04" } } keyAltNames: ["kmip_key"] - keyMaterial: { $binary: { base64: VoI9J8HusQ3u2gT9i8Awgg/6W4/igvLwRzn3SRDGx0Dl/1ayDMubphOw0ONPVKfuvS6HL3e4gAoCJ/uEz2KLFTVsEqYCpMhfAhgXxm8Ena8vDcOkCzFX+euvN/N2ES3wpzAD18b3qIH0MbBwKJP82d5GQ4pVfGnPW8Ujp9aO1qC/s0EqNqYyzJ1SyzhV9lAjHHGIENYJx+bBrekg2EeZBA==, subType: "00" } } + keyMaterial: { $binary: { base64: CklVctHzke4mcytd0TxGqvepkdkQN8NUF4+jV7aZQITAKdz6WjdDpq3lMt9nSzWGG2vAEfvRb3mFEVjV57qqGqxjq2751gmiMRHXz0btStbIK3mQ5xbY9kdye4tsixlCryEwQONr96gwlwKKI9Nubl9/8+uRF6tgYjje7Q7OjauEf1SrJwKcoQ3WwnjZmEqAug0kImCpJ/irhdqPzivRiA==, subType: "00" } } creationDate: { $date: { $numberLong: "1641024000000" } } updateDate: { $date: { $numberLong: "1641024000000" } } status: 1 From 143047ca88d10783ca131583445a5bd4326b9595 Mon Sep 17 00:00:00 2001 
From: Kevin Albertson Date: Fri, 29 Jul 2022 15:29:05 -0400 Subject: [PATCH 03/16] pin libmongocrypt test dependency to 1.5.2 --- .evergreen/config.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 65b2fe0c51..c4084f1542 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -94,9 +94,9 @@ functions: go version go env - LIBMONGOCRYPT_TAG="1.5.0" + LIBMONGOCRYPT_TAG="1.5.2" # LIBMONGOCRYPT_COMMIT is the commit on libmongocrypt for the tag LIBMONGOCRYPT_TAG. - LIBMONGOCRYPT_COMMIT="c3be59f9b0d756caa4c22c254e0704084cf6bca4" + LIBMONGOCRYPT_COMMIT="8f8675fa11922f00a4516a7f8a60621aa1ca1550" # Install libmongocrypt based on OS. if [ "Windows_NT" = "$OS" ]; then mkdir -p c:/libmongocrypt/include @@ -130,7 +130,8 @@ functions: sed -i "" -E "s+prefix=.*+prefix=$(pwd)/install/libmongocrypt+" ./install/libmongocrypt/lib/pkgconfig/libmongocrypt.pc echo "fetching build for Darwin ... end" else - git clone https://github.com/mongodb/libmongocrypt --branch $LIBMONGOCRYPT_TAG + git clone https://github.com/mongodb/libmongocrypt + git checkout $LIBMONGOCRYPT_COMMIT ./libmongocrypt/.evergreen/compile.sh fi From 83f73b3318a9b33add6b70b6f633b509a863bfa8 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 14:04:53 -0400 Subject: [PATCH 04/16] update download URLs for libmongocrypt Accounts for changes made in MONGOCRYPT-437 --- .evergreen/config.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index c4084f1542..67d7a2e5a4 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -94,7 +94,7 @@ functions: go version go env - LIBMONGOCRYPT_TAG="1.5.2" + LIBMONGOCRYPT_BRANCH="r1.5" # LIBMONGOCRYPT_COMMIT is the commit on libmongocrypt for the tag LIBMONGOCRYPT_TAG. LIBMONGOCRYPT_COMMIT="8f8675fa11922f00a4516a7f8a60621aa1ca1550" # Install libmongocrypt based on OS. 
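Review bot: `git checkout $LIBMONGOCRYPT_COMMIT` in the else branch runs in the driver's own working tree, not in the `libmongocrypt` directory the preceding `git clone` just created, so it does not pin what `./libmongocrypt/.evergreen/compile.sh` builds and, depending on whether that hash resolves in the driver repository, either errors out or moves the driver checkout itself. `git -C libmongocrypt checkout $LIBMONGOCRYPT_COMMIT` applies the pin to the right tree without changing the working directory compile.sh is invoked from. The Windows and macOS branches fetch artifacts by the same commit hash, so this is the only platform where the pin is currently ineffective.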
@@ -105,7 +105,7 @@ functions: mkdir libmongocrypt-all cd libmongocrypt-all # The following URL is published from the upload-all task in the libmongocrypt Evergreen project. - curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/master/$LIBMONGOCRYPT_COMMIT/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz + curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/$LIBMONGOCRYPT_BRANCH/$LIBMONGOCRYPT_COMMIT/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz tar -xf libmongocrypt-all.tar.gz cd .. cp libmongocrypt-all/windows-test/bin/mongocrypt.dll c:/libmongocrypt/bin @@ -120,7 +120,7 @@ functions: mkdir libmongocrypt-all cd libmongocrypt-all # The following URL is published from the upload-all task in the libmongocrypt Evergreen project. - curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/master/$LIBMONGOCRYPT_COMMIT/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz + curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/$LIBMONGOCRYPT_BRANCH/$LIBMONGOCRYPT_COMMIT/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz tar -xf libmongocrypt-all.tar.gz cd .. mv libmongocrypt-all/macos/include ./install/libmongocrypt @@ -131,7 +131,8 @@ functions: echo "fetching build for Darwin ... end" else git clone https://github.com/mongodb/libmongocrypt - git checkout $LIBMONGOCRYPT_COMMIT + cd libmongocrypt + git checkout $LIBMONGOCRYPT_TAG ./libmongocrypt/.evergreen/compile.sh fi From da89e922702850bdd97e5bb407fd310c1191b07d Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 09:57:10 -0400 Subject: [PATCH 05/16] document requirement of 1.5.2 --- mongo/doc.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mongo/doc.go b/mongo/doc.go index 76a063facc..3ce800d751 100644 --- a/mongo/doc.go +++ b/mongo/doc.go 
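Review bot: The else branch now runs `git checkout $LIBMONGOCRYPT_TAG`, but the first hunk of this commit renamed that variable to `LIBMONGOCRYPT_BRANCH`, so the expansion is empty and the clone stays on libmongocrypt's default branch while the comment above still describes a pin; `git checkout $LIBMONGOCRYPT_COMMIT` would keep the from-source build on the same commit the Windows and macOS artifact downloads use. The two `curl` downloads are keyed by commit but not verified: without `--fail` (`-f`) an HTTP error body is written to libmongocrypt-all.tar.gz and only surfaces as a confusing `tar` error, and no checksum of the archive is checked before its contents are copied into the build tree. Using `curl -fsSL` plus a pinned SHA-256 comparison of the archive would make the dependency fetch fail closed.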
@@ -110,7 +110,7 @@ // - Go Driver v1.2.0 requires libmongocrypt v1.0.0 or higher // - Go Driver v1.5.0 requires libmongocrypt v1.1.0 or higher // - Go Driver v1.8.0 requires libmongocrypt v1.3.0 or higher -// - Go Driver v1.10.0 requires libmongocrypt v1.5.0 or higher +// - Go Driver v1.10.0 requires libmongocrypt v1.5.2 or higher // // To install libmongocrypt, follow the instructions for your // operating system: From cc643a50a91fa21e9857b2c3f4b67a100b877578 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 13:52:40 -0400 Subject: [PATCH 06/16] return error if libmongocrypt < 1.5.2 is detected in RewrapManyDataKey --- mongo/client_encryption.go | 8 ++++++++ x/mongo/driver/mongocrypt/mongocrypt.go | 6 ++++++ x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go | 6 ++++++ 3 files changed, 20 insertions(+) diff --git a/mongo/client_encryption.go b/mongo/client_encryption.go index f88b7bede7..cc244ffd46 100644 --- a/mongo/client_encryption.go +++ b/mongo/client_encryption.go 
@@ -249,9 +249,17 @@ func setRewrapManyDataKeyWriteModels(rewrappedDocuments []bsoncore.Document, wri // RewrapManyDataKey decrypts and encrypts all matching data keys with a possibly new masterKey value. For all // matching documents, this method will overwrite the "masterKey", "updateDate", and "keyMaterial". On error, some // matching data keys may have been rewrapped. +// libmongocrypt 1.5.2 is required. An error is returned if the detected version of libmongocrypt is less than 1.5.2. func (ce *ClientEncryption) RewrapManyDataKey(ctx context.Context, filter interface{}, opts ...*options.RewrapManyDataKeyOptions) (*RewrapManyDataKeyResult, error) { + // libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey. + // Check if the version string starts with 1.5.0 or 1.5.1. This accounts for pre-release versions, like 1.5.0-rc0. + libmongocryptVersion := mongocrypt.MongoCryptVersion() + if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { + return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion) + } + rmdko := options.MergeRewrapManyDataKeyOptions(opts...) if ctx == nil { ctx = context.Background() diff --git a/x/mongo/driver/mongocrypt/mongocrypt.go b/x/mongo/driver/mongocrypt/mongocrypt.go index 832fd0990d..06d0e9dc82 100644 --- a/x/mongo/driver/mongocrypt/mongocrypt.go +++ b/x/mongo/driver/mongocrypt/mongocrypt.go @@ -29,6 +29,12 @@ type MongoCrypt struct { wrapped *C.mongocrypt_t } +// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string +// if libmongocrypt was not loaded. +func MongoCryptVersion() string { + str := C.GoString(C.mongocrypt_version(nil)) + return str +} // NewMongoCrypt constructs a new MongoCrypt instance configured using the provided MongoCryptOptions. func NewMongoCrypt(opts *options.MongoCryptOptions) (*MongoCrypt, error) { // create mongocrypt_t handle 
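Review bot: The prefix test `strings.Index(libmongocryptVersion, "1.5.1") == 0` also matches 1.5.10 and any later 1.5.1x patch release, so a fixed build would be rejected with the "requires libmongocrypt 1.5.2 or newer" error; the later patch in this series that rewrites the condition with `strings.HasPrefix` has the same behaviour. Comparing the numeric major.minor.patch components (with a pre-release suffix such as "-rc0" stripped) against 1.5.2 avoids that and keeps the current pass-through for the empty string that MongoCryptVersion returns when libmongocrypt is not loaded. A helper along the following lines (it needs `strconv`) could replace the condition; RewrapManyDataKey's body continues past the end of the hunk.
```go
// libmongocryptOlderThan152 reports whether v (e.g. "1.5.1" or "1.5.0-rc0") names a
// libmongocrypt release older than 1.5.2. Strings that do not parse as
// major.minor.patch, including the empty string returned when libmongocrypt is not
// loaded, are not treated as too old.
func libmongocryptOlderThan152(v string) bool {
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / build-metadata suffix
	}
	parts := strings.Split(v, ".")
	if len(parts) < 3 {
		return false
	}
	var n [3]int
	for i := range n {
		x, err := strconv.Atoi(parts[i])
		if err != nil {
			return false
		}
		n[i] = x
	}
	return n[0] < 1 || (n[0] == 1 && (n[1] < 5 || (n[1] == 5 && n[2] < 2)))
}

func (ce *ClientEncryption) RewrapManyDataKey(ctx context.Context, filter interface{}, opts ...*options.RewrapManyDataKeyOptions) (*RewrapManyDataKeyResult, error) {
	// libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey.
	libmongocryptVersion := mongocrypt.MongoCryptVersion()
	if libmongocryptOlderThan152(libmongocryptVersion) {
		return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion)
	}
	// … unchanged: rmdko := options.MergeRewrapManyDataKeyOptions(opts...) and the rest of RewrapManyDataKey …
```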
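Review bot: `str := C.GoString(C.mongocrypt_version(nil))` followed by `return str` in the new MongoCryptVersion can be the single line `return C.GoString(C.mongocrypt_version(nil))`; the temporary adds nothing. Passing nil for the length out-parameter relies on mongocrypt_version accepting a NULL len, which libmongocrypt documents as optional, so a short comment such as `// len is optional for mongocrypt_version; NULL is accepted` would spare the next reader the lookup. The function's closing brace is also followed directly by the NewMongoCrypt doc comment with no blank line, which the formatter will insert anyway.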
diff --git a/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go b/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go index 10ea901855..246e364b10 100644 --- a/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go +++ b/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go @@ -19,6 +19,12 @@ const cseNotSupportedMsg = "client-side encryption not enabled. add the cse buil // MongoCrypt represents a mongocrypt_t handle. type MongoCrypt struct{} +// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string +// if libmongocrypt was not loaded. +func MongoCryptVersion() string { + return "" +} + // NewMongoCrypt constructs a new MongoCrypt instance configured using the provided MongoCryptOptions. func NewMongoCrypt(opts *options.MongoCryptOptions) (*MongoCrypt, error) { panic(cseNotSupportedMsg) From 3a374dd01baf23d77772204e45204c559a4c580c Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 14:16:46 -0400 Subject: [PATCH 07/16] do not cd into libmongocrypt --- .evergreen/config.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 67d7a2e5a4..a5e147ee43 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -130,9 +130,7 @@ functions: sed -i "" -E "s+prefix=.*+prefix=$(pwd)/install/libmongocrypt+" ./install/libmongocrypt/lib/pkgconfig/libmongocrypt.pc echo "fetching build for Darwin ... end" else - git clone https://github.com/mongodb/libmongocrypt - cd libmongocrypt - git checkout $LIBMONGOCRYPT_TAG + git clone https://github.com/mongodb/libmongocrypt --branch $LIBMONGOCRYPT_TAG ./libmongocrypt/.evergreen/compile.sh fi From 79932a566340edce27310742c56cba83f96c755f Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 14:22:20 -0400 Subject: [PATCH 08/16] add LIBMONGOCRYPT_TAG --- .evergreen/config.yml | 1 + 1 file changed, 1 insertion(+) 
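Review bot: `--branch $LIBMONGOCRYPT_TAG` names a variable this script no longer defines after the earlier rename to `LIBMONGOCRYPT_BRANCH`, so at this commit the clone is given an empty branch name; independently of that, `LIBMONGOCRYPT_COMMIT` is defined but no longer used on this path, so the from-source build pins to a mutable tag while the Windows and macOS downloads pin to an immutable commit. Adding `git -C libmongocrypt checkout $LIBMONGOCRYPT_COMMIT` after the clone, or failing when `git -C libmongocrypt rev-parse HEAD` differs from `$LIBMONGOCRYPT_COMMIT`, would make all three platforms build the same source and turn a re-tagged upstream into a visible failure rather than a silent substitution.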
diff --git a/.evergreen/config.yml b/.evergreen/config.yml index a5e147ee43..81650a959d 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -95,6 +95,7 @@ functions: go env LIBMONGOCRYPT_BRANCH="r1.5" + LIBMONGOCRYPT_TAG="1.5.2" # LIBMONGOCRYPT_COMMIT is the commit on libmongocrypt for the tag LIBMONGOCRYPT_TAG. LIBMONGOCRYPT_COMMIT="8f8675fa11922f00a4516a7f8a60621aa1ca1550" # Install libmongocrypt based on OS. From 3385d6d4f45677b5261fcd99eb55045269dc22f3 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 14:49:49 -0400 Subject: [PATCH 09/16] remove stutter --- mongo/client_encryption.go | 2 +- x/mongo/driver/mongocrypt/mongocrypt.go | 4 ++-- x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/mongo/client_encryption.go b/mongo/client_encryption.go index cc244ffd46..cb9246223b 100644 --- a/mongo/client_encryption.go +++ b/mongo/client_encryption.go @@ -255,7 +255,7 @@ func (ce *ClientEncryption) RewrapManyDataKey(ctx context.Context, filter interf // libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey. // Check if the version string starts with 1.5.0 or 1.5.1. This accounts for pre-release versions, like 1.5.0-rc0. - libmongocryptVersion := mongocrypt.MongoCryptVersion() + libmongocryptVersion := mongocrypt.Version() if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion) } diff --git a/x/mongo/driver/mongocrypt/mongocrypt.go b/x/mongo/driver/mongocrypt/mongocrypt.go index 06d0e9dc82..64c924ec1c 100644 --- a/x/mongo/driver/mongocrypt/mongocrypt.go +++ b/x/mongo/driver/mongocrypt/mongocrypt.go 
@@ -29,9 +29,9 @@ type MongoCrypt struct { wrapped *C.mongocrypt_t } -// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string +// Version returns the version string for the loaded libmongocrypt, or an empty string // if libmongocrypt was not loaded. -func MongoCryptVersion() string { +func Version() string { str := C.GoString(C.mongocrypt_version(nil)) return str } diff --git a/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go b/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go index 246e364b10..45e16988c6 100644 --- a/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go +++ b/x/mongo/driver/mongocrypt/mongocrypt_not_enabled.go @@ -19,9 +19,9 @@ const cseNotSupportedMsg = "client-side encryption not enabled. add the cse buil // MongoCrypt represents a mongocrypt_t handle. type MongoCrypt struct{} -// MongoCryptVersion returns the version string for the loaded libmongocrypt, or an empty string +// Version returns the version string for the loaded libmongocrypt, or an empty string // if libmongocrypt was not loaded. -func MongoCryptVersion() string { +func Version() string { return "" } From 1c9b34c62a34138a35fe387303c42afacbcbe31a Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 15:04:10 -0400 Subject: [PATCH 10/16] DRIVERS-2407 resync fle2-InsertFind-Unindexed --- .../legacy/fle2-InsertFind-Unindexed.json | 2 +- .../legacy/fle2-InsertFind-Unindexed.yml | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.json b/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.json index 1a75095907..c1bdc90760 100644 --- a/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.json +++ b/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.json @@ -241,7 +241,7 @@ } }, "result": { - "errorContains": "Cannot query" + "errorContains": "encrypt" } } ] 
diff --git a/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.yml b/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.yml index 26071fff60..285b46d270 100644 --- a/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.yml +++ b/data/client-side-encryption/legacy/fle2-InsertFind-Unindexed.yml @@ -80,4 +80,8 @@ tests: arguments: filter: { encryptedUnindexed: "value123" } result: - errorContains: "Cannot query" \ No newline at end of file + # Expected error message changed in https://github.com/10gen/mongo-enterprise-modules/commit/212b584d4f7a44bed41c826a180a4aff00923d7a#diff-5f12b55e8d5c52c2f62853ec595dc2c1e2e5cb4fdbf7a32739a8e3acb3c6f818 + # Before the message was "cannot query non-indexed fields with the randomized encryption algorithm" + # After: "can only execute encrypted equality queries with an encrypted equality index" + # Use a small common substring. + errorContains: "encrypt" \ No newline at end of file From 500418154cd444e53535a9a1f91ad56fdfdee311 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Sat, 30 Jul 2022 15:39:46 -0400 Subject: [PATCH 11/16] run go fmt --- x/mongo/driver/mongocrypt/mongocrypt.go | 1 + 1 file changed, 1 insertion(+) diff --git a/x/mongo/driver/mongocrypt/mongocrypt.go b/x/mongo/driver/mongocrypt/mongocrypt.go index 64c924ec1c..214d7c47b8 100644 --- a/x/mongo/driver/mongocrypt/mongocrypt.go +++ b/x/mongo/driver/mongocrypt/mongocrypt.go @@ -35,6 +35,7 @@ func Version() string { str := C.GoString(C.mongocrypt_version(nil)) return str } + // NewMongoCrypt constructs a new MongoCrypt instance configured using the provided MongoCryptOptions. func NewMongoCrypt(opts *options.MongoCryptOptions) (*MongoCrypt, error) { // create mongocrypt_t handle From 8b6cacefb6991475fdfc8f9ed2f73943e82ce074 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 1 Aug 2022 21:09:43 -0400 Subject: [PATCH 12/16] use strings.HasPrefix --- mongo/client_encryption.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mongo/client_encryption.go b/mongo/client_encryption.go index cb9246223b..a9794d60ba 100644 --- a/mongo/client_encryption.go +++ b/mongo/client_encryption.go @@ -256,7 +256,7 @@ func (ce *ClientEncryption) RewrapManyDataKey(ctx context.Context, filter interf // libmongocrypt versions 1.5.0 and 1.5.1 have a severe bug in RewrapManyDataKey. // Check if the version string starts with 1.5.0 or 1.5.1. This accounts for pre-release versions, like 1.5.0-rc0. libmongocryptVersion := mongocrypt.Version() - if strings.Index(libmongocryptVersion, "1.5.0") == 0 || strings.Index(libmongocryptVersion, "1.5.1") == 0 { + if strings.HasPrefix(libmongocryptVersion, "1.5.0") || strings.HasPrefix(libmongocryptVersion, "1.5.1") { return nil, fmt.Errorf("RewrapManyDataKey requires libmongocrypt 1.5.2 or newer. Detected version: %v", libmongocryptVersion) } From 7c1082586b8e726cde95841fa02cca733e4eaa60 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 1 Aug 2022 21:09:50 -0400 Subject: [PATCH 13/16] fix godoc formatting --- mongo/doc.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mongo/doc.go b/mongo/doc.go index 3ce800d751..d22db8e1c7 100644 --- a/mongo/doc.go +++ b/mongo/doc.go @@ -107,9 +107,13 @@ // // The libmongocrypt C library is required when using client-side encryption. Specific versions of libmongocrypt // are required for different versions of the Go Driver: +// // - Go Driver v1.2.0 requires libmongocrypt v1.0.0 or higher +// // - Go Driver v1.5.0 requires libmongocrypt v1.1.0 or higher +// // - Go Driver v1.8.0 requires libmongocrypt v1.3.0 or higher +// // - Go Driver v1.10.0 requires libmongocrypt v1.5.2 or higher // // To install libmongocrypt, follow the instructions for your From 68c96f30d7d03cf36b32501946ecbc5f167f38cb Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 1 Aug 2022 21:10:37 -0400 Subject: [PATCH 14/16] Note why libmongocrypt 1.5.2 is needed --- mongo/doc.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/mongo/doc.go b/mongo/doc.go index d22db8e1c7..e6e4d9e5f0 100644 --- a/mongo/doc.go +++ b/mongo/doc.go @@ -114,7 +114,10 @@ // // - Go Driver v1.8.0 requires libmongocrypt v1.3.0 or higher // -// - Go Driver v1.10.0 requires libmongocrypt v1.5.2 or higher +// - Go Driver v1.10.0 requires libmongocrypt v1.5.0 or higher. +// There is a severe bug when calling RewrapManyDataKey with libmongocrypt versions less than 1.5.2. +// This bug may result in data corruption. +// Please use libmongocrypt 1.5.2 or higher when calling RewrapManyDataKey. // // To install libmongocrypt, follow the instructions for your // operating system: From f6922ae5712f8d8aae72ef85d400bf02d51021a0 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 1 Aug 2022 21:22:50 -0400 Subject: [PATCH 15/16] remove unnecessary braces --- mongo/integration/client_side_encryption_prose_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go index 4a57f59e4c..80ad3ce0e1 100644 --- a/mongo/integration/client_side_encryption_prose_test.go +++ b/mongo/integration/client_side_encryption_prose_test.go @@ -1966,7 +1966,7 @@ func TestClientSideEncryptionProse(t *testing.T) { if val, ok := dataKeyMap[dstProvider]; ok { rwOpts.SetMasterKey(val) } - res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{{}}, rwOpts) + res, err := clientEncryption2.RewrapManyDataKey(context.Background(), bson.D{}, rwOpts) assert.Nil(mt, err, "error in RewrapManyDataKey: %v", err) assert.Equal(mt, res.BulkWriteResult.ModifiedCount, int64(1), "expected ModifiedCount of 1, got %v", res.BulkWriteResult.ModifiedCount) } From feed4b6507fcfe0cdfa02725e00e406e1853d2e5 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Mon, 1 Aug 2022 21:22:56 -0400 Subject: [PATCH 16/16] retract v1.10.0 --- go.mod | 1 + 1 file changed, 1 insertion(+) 
diff --git a/go.mod b/go.mod index 1b7f2ec7de..e2e6c2e608 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module go.mongodb.org/mongo-driver go 1.10 retract ( + v1.10.0 // Contains a possible data corruption bug in RewrapManyDataKey when using libmongocrypt versions less than 1.5.2. [v1.7.0, v1.7.1] // Contains data race bug in background connection establishment. [v1.6.0, v1.6.1] // Contains data race bug in background connection establishment. )