ready for rereview

Author: aditi-khare-mongoDB

.github/scripts/run-kms-servers.sh

@@ -1,8 +1,9 @@
 name: Encryption Tests 
 
 on:
-  push
-  #workflow_dispatch: {}
+  push: 
+    branches: ['master']
+  workflow_dispatch: {}
 
 permissions:
   contents: write
@@ -16,13 +17,7 @@ jobs:
       security-events: write
       id-token: write
       contents: write
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        node: [20]
-        os: [ubuntu-latest]
-        mongodb: [8.0.0]
+    runs-on: ubuntu-latest
     name: Encryption tests
     env:
       FORCE_COLOR: true
@@ -40,11 +35,11 @@ jobs:
         id: setup-cluster
         uses: mongodb-labs/drivers-evergreen-tools@master
         with:
-          version: ${{ matrix.mongodb }}
+          version: 8.0.0
           topology: sharded_cluster 
           auth: auth
       - name: Run Tests
-        run: npx mocha --exit ./test/encryption/*.test.js
+        run: npm run encryption-test
         env:
           MONGOOSE_TEST_URI: ${{ steps.setup-cluster.outputs.cluster-uri }}
           CRYPT_SHARED_LIB_PATH: ${{ steps.setup-cluster.outputs.crypt-shared-lib-path }}

.github/workflows/encryption-tests.yml

@@ -105,6 +105,7 @@
     "test-deno": "deno run --allow-env --allow-read --allow-net --allow-run --allow-sys --allow-write ./test/deno.js",
     "test-rs": "START_REPLICA_SET=1 mocha --timeout 30000 --exit ./test/*.test.js",
     "test-tsd": "node ./test/types/check-types-filename && tsd",
+    "test-encryption": "mocha --exit ./test/encryption/*.test.js",
     "tdd": "mocha ./test/*.test.js --inspect --watch --recursive --watch-files ./**/*.{js,ts}",
     "test-coverage": "nyc --reporter=html --reporter=text npm test",
     "ts-benchmark": "cd ./benchmarks/typescript/simple && npm install && npm run benchmark | node ../../../scripts/tsc-diagnostics-check"

package.json

@@ -2,9 +2,12 @@
 
 const assert = require('assert');
 const mdb = require('mongodb');
+const isBsonType = require('../../lib/helpers/isBsonType');
+
+const LOCAL_KEY = Buffer.from('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk', 'base64');
 
 describe('environmental variables', () => {
-  it('MONGODB_TEST_URI is set', async function() {
+  it('MONGOOSE_TEST_URI is set', async function() {
     const uri = process.env.MONGOOSE_TEST_URI;
     assert.ok(uri);
   });
@@ -16,30 +19,77 @@ describe('environmental variables', () => {
 });
 
 describe('basic integration', () => {
-  it('supports mongodb csfle auto-encryption integration', async() => {
-    // 1. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`)
-    const client = new mdb.MongoClient(
+  let keyVaultClient;
+  let dataKey;
+  let encryptedClient;
+  let dummyClient;
+
+  beforeEach(async function() {
+    keyVaultClient = new mdb.MongoClient(process.env.MONGOOSE_TEST_URI);
+    await keyVaultClient.connect();
+    await keyVaultClient.db('keyvault').collection('datakeys');
+    const clientEncryption = new mdb.ClientEncryption(keyVaultClient, {
+      keyVaultNamespace: 'keyvault.datakeys',
+      kmsProviders: { local: { key: LOCAL_KEY } }
+    });
+    dataKey = await clientEncryption.createDataKey('local');
+
+    encryptedClient = new mdb.MongoClient(
       process.env.MONGOOSE_TEST_URI,
       {
         autoEncryption: {
           keyVaultNamespace: 'keyvault.datakeys',
-          kmsProviders: { local: { key: Buffer.from(
-            'Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk',
-            'base64'
-          )
-          } },
+          kmsProviders: { local: { key: LOCAL_KEY } },
+          schemaMap: {
+            'db.coll': {
+              bsonType: 'object',
+              encryptMetadata: {
+                keyId: [new mdb.UUID(dataKey)]
+              },
+              properties: {
+                a: {
+                  encrypt: {
+                    bsonType: 'int',
+                    algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random',
+                    keyId: [new mdb.UUID(dataKey)]
+                  }
+                }
+              }
+            }
+          },
           extraOptions: {
             cryptdSharedLibRequired: true,
             cryptSharedLibPath: process.env.CRYPT_SHARED_LIB_PATH
           }
         }
       }
     );
-    await client.connect();
-    const insertResult = await client
-      .db('db')
-      .collection('coll')
-      .insertOne({ unencrypted: 'test' });
-    assert.ok(insertResult.insertedId);
+
+    dummyClient = new mdb.MongoClient(process.env.MONGOOSE_TEST_URI);
+  });
+
+  afterEach(async function() {
+    await keyVaultClient.close();
+    await encryptedClient.close();
+    await dummyClient.close();
+  });
+
+  it('supports mongodb csfle auto-encryption integration', async() => {
+    await encryptedClient.connect();
+    await encryptedClient.db('db').collection('coll').insertOne({ a: 1 });
+
+    // a dummyClient not configured with autoEncryption, returns a encrypted binary type, meaning that encryption succeeded
+    const encryptedCursor = await dummyClient.db('db').collection('coll').find();
+    const encryptedResult = await encryptedCursor.next();
+    assert.ok(encryptedResult);
+    assert.ok(encryptedResult.a);
+    assert.ok(isBsonType(encryptedResult.a, 'Binary'));
+    assert.ok(encryptedResult.a.sub_type === 6);
+
+    // when the encryptedClient runs a find, the original unencrypted value is returned
+    const unencryptedCursor = await encryptedClient.db('db').collection('coll').find();
+    const unencryptedResult = await unencryptedCursor.next();
+    assert.ok(unencryptedResult);
+    assert.ok(unencryptedResult.a === 1);
   });
 });