Merge pull request Automattic#15356 from mongodb-js/NODE-6894

feat: expose a ClientEncryption object on encrypted Models

Author: vkarpov15

docs/field-level-encryption.md

@@ -216,3 +216,30 @@ const ModelWithBirthday = model.discriminator('ModelWithBirthday', new Schema({
 ```
 
 When generating encryption schemas, Mongoose merges all discriminators together for the all discriminators declared on the same namespace.  As a result, discriminators that declare the same key with different types are not supported.  Furthermore, all discriminators must share the same encryption type - it is not possible to configure discriminators on the same model for both CSFLE and QE.
+
+## Managing Data Keys
+
+Mongoose provides a convenient API to obtain a [ClientEncryption](https://mongodb.github.io/node-mongodb-native/Next/classes/ClientEncryption.html)
+object configured to manage data keys in the key vault.  A client encryption can be obtained with the `Model.clientEncryption()` helper:
+
+```javascript
+const connection = createConnection();
+
+const schema = new Schema({
+  name: {
+    type: String, encrypt: { keyId }
+  }
+}, {
+  encryptionType: 'queryableEncryption'
+});
+
+const Model = connection.model('BaseUserModel', schema);
+await connection.openUri(`mongodb://localhost:27017`, {
+  autoEncryption: {
+    keyVaultNamespace: 'datakeys.datakeys',
+    kmsProviders: { local: '....' }
+  }
+});
+
+const clientEncryption = Model.clientEncryption();
+```

lib/drivers/node-mongodb-native/index.js

@@ -7,3 +7,4 @@
 exports.BulkWriteResult = require('./bulkWriteResult');
 exports.Collection = require('./collection');
 exports.Connection = require('./connection');
+exports.ClientEncryption = require('mongodb').ClientEncryption;

lib/helpers/model/discriminator.js

@@ -44,10 +44,8 @@ function validateDiscriminatorSchemasForEncryption(parentSchema, childSchema) {
     }
   }
 
-  function* allNestedPaths(schema) {
-    const { paths, singleNestedPaths } = schema;
-    yield* Object.keys(paths);
-    yield* Object.keys(singleNestedPaths);
+  function allNestedPaths(schema) {
+    return [...Object.keys(schema.paths), ...Object.keys(schema.singleNestedPaths)];
   }
 
   /**

lib/model.js

@@ -69,7 +69,6 @@ const minimize = require('./helpers/minimize');
 const MongooseBulkSaveIncompleteError = require('./error/bulkSaveIncompleteError');
 const ObjectExpectedError = require('./error/objectExpected');
 const decorateBulkWriteResult = require('./helpers/model/decorateBulkWriteResult');
-
 const modelCollectionSymbol = Symbol('mongoose#Model#collection');
 const modelDbSymbol = Symbol('mongoose#Model#db');
 const modelSymbol = require('./helpers/symbols').modelSymbol;
@@ -4880,6 +4879,33 @@ Model.compile = function compile(name, schema, collectionName, connection, base)
   return model;
 };
 
+Model.clientEncryption = function clientEncryption() {
+  const ClientEncryption = this.base.driver.get().ClientEncryption;
+  if (!ClientEncryption) {
+    throw new Error('The mongodb driver must be used to obtain a ClientEncryption object.');
+  }
+
+  const client = this.collection?.conn?.client;
+
+  if (!client) return null;
+
+  const autoEncryptionOptions = client.options.autoEncryption;
+
+  if (!autoEncryptionOptions) return null;
+
+  const {
+    keyVaultNamespace,
+    keyVaultClient,
+    kmsProviders,
+    credentialProviders,
+    proxyOptions,
+    tlsOptions
+  } = autoEncryptionOptions;
+  return new ClientEncryption(keyVaultClient ?? client,
+    { keyVaultNamespace, kmsProviders, credentialProviders, proxyOptions, tlsOptions }
+  );
+};
+
 /**
  * Update this model to use the new connection, including updating all internal
  * references and creating a new `Collection` instance using the new connection.

scripts/configure-cluster-with-encryption.sh

@@ -49,7 +49,7 @@ if [ ! -d "data" ]; then
   echo 'Configuring Cluster...'
 
   # start cluster
-  (bash $DRIVERS_TOOLS/.evergreen/run-orchestration.sh) 1>/dev/null 2>/dev/null
+  (bash $DRIVERS_TOOLS/.evergreen/run-orchestration.sh)
 
   echo 'Cluster Configuration Finished!'