throw errors when discriminators have duplicate keys

baileympearson · baileympearson · commit 53d31a6c59b8 · 2025-03-19T10:43:27.000-06:00
diff --git a/lib/drivers/node-mongodb-native/connection.js b/lib/drivers/node-mongodb-native/connection.js
@@ -323,6 +323,10 @@ NativeConnection.prototype.createClient = async function createClient(uri, optio
 
   const { schemaMap, encryptedFieldsMap } = this._buildEncryptionSchemas();
 
+  if ((Object.keys(schemaMap).length > 0 || Object.keys(encryptedFieldsMap).length) && !options.autoEncryption) {
+    throw new Error('Must provide `autoEncryption` when connecting with encrypted schemas.');
+  }
+
   if (Object.keys(schemaMap).length > 0) {
     options.autoEncryption.schemaMap = schemaMap;
   }
@@ -365,20 +369,30 @@ NativeConnection.prototype._buildEncryptionSchemas = function() {
   const qeMappings = {};
   const csfleMappings = {};
 
+  const encryptedModels = Object.values(this.models).filter(model => model.schema._hasEncryptedFields());
+
   // If discriminators are configured for the collection, there might be multiple models
   // pointing to the same namespace.  For this scenario, we merge all the schemas for each namespace
-  // into a single schema.
-  // Notably, this doesn't allow for discriminators to declare multiple values on the same fields.
-  for (const model of Object.values(this.models)) {
+  // into a single schema and then generate a schemaMap/encryptedFieldsMap for the combined schema.
+  for (const model of encryptedModels) {
     const { schema, collection: { collectionName } } = model;
     const namespace = `${this.$dbName}.${collectionName}`;
-    if (schema.encryptionType() === 'csfle') {
-      csfleMappings[namespace] ??= new Schema({}, { encryptionType: 'csfle' });
-      csfleMappings[namespace].add(schema);
-    } else if (schema.encryptionType() === 'queryableEncryption') {
-      qeMappings[namespace] ??= new Schema({}, { encryptionType: 'queryableEncryption' });
-      qeMappings[namespace].add(schema);
+    const mappings = schema.encryptionType() === 'csfle' ? csfleMappings : qeMappings;
+
+    mappings[namespace] ??= new Schema({}, { encryptionType: schema.encryptionType() });
+
+    const isNonRootDiscriminator = schema.discriminatorMapping && !schema.discriminatorMapping.isRoot;
+    if (isNonRootDiscriminator) {
+      const rootSchema = schema._baseSchema;
+      schema.eachPath((pathname) => {
+        if (rootSchema.path(pathname)) return;
+        if (!mappings[namespace]._hasEncryptedField(pathname)) return;
+
+        throw new Error(`Cannot have duplicate keys in discriminators with encryption. key=${pathname}`);
+      });
     }
+
+    mappings[namespace].add(schema);
   }
 
   const schemaMap = Object.fromEntries(Object.entries(csfleMappings).map(
diff --git a/lib/helpers/model/discriminator.js b/lib/helpers/model/discriminator.js
@@ -95,6 +95,13 @@ module.exports = function discriminator(model, name, schema, tiedValue, applyPlu
     const baseSchemaPaths = Object.keys(baseSchema.paths);
     const conflictingPaths = [];
 
+
+    baseSchema.eachPath((pathname) => {
+      if (schema._hasEncryptedField(pathname)) {
+        throw new Error(`cannot declare an encrypted field on child schema overriding base schema. key=${pathname}`);
+      }
+    });
+
     for (const path of baseSchemaPaths) {
       if (schema.nested[path]) {
         conflictingPaths.push(path);
diff --git a/lib/schema.js b/lib/schema.js
@@ -721,7 +721,6 @@ Schema.prototype.encryptionType = function encryptionType(encryptionType) {
 Schema.prototype.add = function add(obj, prefix) {
   if (obj instanceof Schema || (obj != null && obj.instanceOfSchema)) {
     merge(this, obj);
-
     return this;
   }
 
@@ -914,6 +913,14 @@ Schema.prototype._hasEncryptedFields = function _hasEncryptedFields() {
   return Object.keys(this.encryptedFields).length > 0;
 };
 
+/**
+ * @api private
+ */
+Schema.prototype._hasEncryptedField = function _hasEncryptedField(path) {
+  return path in this.encryptedFields;
+};
+
+
 /**
  * Builds an encryptedFieldsMap for the schema.
  */
diff --git a/test/encryption/encryption.test.js b/test/encryption/encryption.test.js
@@ -797,6 +797,133 @@ describe('encryption integration tests', () => {
         });
       });
 
+      describe('duplicate keys in discriminators', function() {
+        beforeEach(async function() {
+          connection = createConnection();
+        });
+        describe('csfle', function() {
+          it('throws on duplicate keys declared on different discriminators', async function() {
+            const schema = new Schema({
+              name: {
+                type: String, encrypt: { keyId: [keyId], algorithm }
+              }
+            }, {
+              encryptionType: 'csfle'
+            });
+            model = connection.model('Schema', schema);
+            discrim1 = model.discriminator('Test', new Schema({
+              age: {
+                type: Int32, encrypt: { keyId: [keyId], algorithm }
+              }
+            }, {
+              encryptionType: 'csfle'
+            }));
+
+            discrim2 = model.discriminator('Test2', new Schema({
+              age: {
+                type: Int32, encrypt: { keyId: [keyId], algorithm }
+              }
+            }, {
+              encryptionType: 'csfle'
+            }));
+
+            const error = await connection.openUri(process.env.MONGOOSE_TEST_URI, {
+              dbName: 'db', autoEncryption: {
+                keyVaultNamespace: 'keyvault.datakeys',
+                kmsProviders: { local: { key: LOCAL_KEY } },
+                extraOptions: {
+                  cryptdSharedLibRequired: true,
+                  cryptSharedLibPath: process.env.CRYPT_SHARED_LIB_PATH
+                }
+              }
+            }).catch(e => e);
+
+            assert.ok(error instanceof Error);
+            assert.match(error.message, /Cannot have duplicate keys in discriminators with encryption/);
+          });
+          it('throws on duplicate keys declared on root and child discriminators', async function() {
+            const schema = new Schema({
+              name: {
+                type: String, encrypt: { keyId: [keyId], algorithm }
+              }
+            }, {
+              encryptionType: 'csfle'
+            });
+            model = connection.model('Schema', schema);
+            assert.throws(() => model.discriminator('Test', new Schema({
+              name: {
+                type: String, encrypt: { keyId: [keyId], algorithm }
+              }
+            }, {
+              encryptionType: 'csfle'
+            })),
+            /cannot declare an encrypted field on child schema overriding base schema\. key=name/
+            );
+          });
+        });
+
+        describe('queryable encryption', function() {
+          it('throws on duplicate keys declared on different discriminators', async function() {
+            const schema = new Schema({
+              name: {
+                type: String, encrypt: { keyId }
+              }
+            }, {
+              encryptionType: 'queryableEncryption'
+            });
+            model = connection.model('Schema', schema);
+            discrim1 = model.discriminator('Test', new Schema({
+              age: {
+                type: Int32, encrypt: { keyId: keyId2 }
+              }
+            }, {
+              encryptionType: 'queryableEncryption'
+            }));
+
+            discrim2 = model.discriminator('Test2', new Schema({
+              age: {
+                type: Int32, encrypt: { keyId: keyId3 }
+              }
+            }, {
+              encryptionType: 'queryableEncryption'
+            }));
+
+            const error = await connection.openUri(process.env.MONGOOSE_TEST_URI, {
+              dbName: 'db', autoEncryption: {
+                keyVaultNamespace: 'keyvault.datakeys',
+                kmsProviders: { local: { key: LOCAL_KEY } },
+                extraOptions: {
+                  cryptdSharedLibRequired: true,
+                  cryptSharedLibPath: process.env.CRYPT_SHARED_LIB_PATH
+                }
+              }
+            }).catch(e => e);
+
+            assert.ok(error instanceof Error);
+            assert.match(error.message, /Cannot have duplicate keys in discriminators with encryption/);
+          });
+          it('throws on duplicate keys declared on root and child discriminators', async function() {
+            const schema = new Schema({
+              name: {
+                type: String, encrypt: { keyId }
+              }
+            }, {
+              encryptionType: 'queryableEncryption'
+            });
+            model = connection.model('Schema', schema);
+            assert.throws(() => model.discriminator('Test', new Schema({
+              name: {
+                type: String, encrypt: { keyId: keyId2 }
+              }
+            }, {
+              encryptionType: 'queryableEncryption'
+            })),
+            /cannot declare an encrypted field on child schema overriding base schema\. key=name/
+            );
+          });
+        });
+      });
+
     });
   });
 });
