make models encryptable

Author: baileympearson

docs/field-level-encryption.md

@@ -151,3 +151,13 @@ To declare a field as encrypted, you must:
 2. Choose an encryption type for the schema and configure the schema for the encryption type
 
 Not all schematypes are supported for CSFLE and QE.  For an overview of valid schema types, refer to MongoDB's documentation.
+
+### Registering Models
+
+Encrypted schemas must be registered on a connection, not the Mongoose global:
+
+```javascript
+
+const connection = mongoose.createConnection();
+const UserModel = connection.model('User', encryptedUserSchema);
+```

lib/collection.js

@@ -81,7 +81,7 @@ Collection.prototype.onOpen = function() {
  * @api private
  */
 
-Collection.prototype.onClose = function() {};
+Collection.prototype.onClose = function() { };
 
 /**
  * Queues a method for later execution when its

lib/connection.js

@@ -609,7 +609,7 @@ Connection.prototype.bulkWrite = async function bulkWrite(ops, options) {
 
 Connection.prototype.createCollections = async function createCollections(options = {}) {
   const result = {};
-  const errorsMap = { };
+  const errorsMap = {};
 
   const { continueOnError } = options;
   delete options.continueOnError;
@@ -736,7 +736,7 @@ Connection.prototype.transaction = function transaction(fn, options) {
         throw err;
       }).
       finally(() => {
-        session.endSession().catch(() => {});
+        session.endSession().catch(() => { });
       });
   });
 };
@@ -1080,7 +1080,7 @@ Connection.prototype.openUri = async function openUri(uri, options) {
 
   for (const model of Object.values(this.models)) {
     // Errors handled internally, so safe to ignore error
-    model.init().catch(function $modelInitNoop() {});
+    model.init().catch(function $modelInitNoop() { });
   }
 
   // `createConnection()` calls this `openUri()` function without
@@ -1116,7 +1116,7 @@ Connection.prototype.openUri = async function openUri(uri, options) {
 // to avoid uncaught exceptions when using `on('error')`. See gh-14377.
 Connection.prototype.on = function on(event, callback) {
   if (event === 'error' && this.$initialConnection) {
-    this.$initialConnection.catch(() => {});
+    this.$initialConnection.catch(() => { });
   }
   return EventEmitter.prototype.on.call(this, event, callback);
 };
@@ -1138,7 +1138,7 @@ Connection.prototype.on = function on(event, callback) {
 // to avoid uncaught exceptions when using `on('error')`. See gh-14377.
 Connection.prototype.once = function on(event, callback) {
   if (event === 'error' && this.$initialConnection) {
-    this.$initialConnection.catch(() => {});
+    this.$initialConnection.catch(() => { });
   }
   return EventEmitter.prototype.once.call(this, event, callback);
 };
@@ -1471,7 +1471,7 @@ Connection.prototype.model = function model(name, schema, collection, options) {
     }
 
     // Errors handled internally, so safe to ignore error
-    model.init().catch(function $modelInitNoop() {});
+    model.init().catch(function $modelInitNoop() { });
 
     return model;
   }
@@ -1498,7 +1498,7 @@ Connection.prototype.model = function model(name, schema, collection, options) {
   }
 
   if (this === model.prototype.db
-      && (!collection || collection === model.collection.name)) {
+    && (!collection || collection === model.collection.name)) {
     // model already uses this connection.
 
     // only the first model with this name is cached to allow
@@ -1685,8 +1685,8 @@ Connection.prototype.authMechanismDoesNotRequirePassword = function authMechanis
  */
 Connection.prototype.optionsProvideAuthenticationData = function optionsProvideAuthenticationData(options) {
   return (options) &&
-      (options.user) &&
-      ((options.pass) || this.authMechanismDoesNotRequirePassword());
+    (options.user) &&
+    ((options.pass) || this.authMechanismDoesNotRequirePassword());
 };
 
 /**
@@ -1748,7 +1748,7 @@ Connection.prototype.createClient = function createClient() {
  */
 Connection.prototype.syncIndexes = async function syncIndexes(options = {}) {
   const result = {};
-  const errorsMap = { };
+  const errorsMap = {};
 
   const { continueOnError } = options;
   delete options.continueOnError;

lib/drivers/node-mongodb-native/connection.js

@@ -12,6 +12,7 @@ const pkg = require('../../../package.json');
 const processConnectionOptions = require('../../helpers/processConnectionOptions');
 const setTimeout = require('../../helpers/timers').setTimeout;
 const utils = require('../../utils');
+const { Schema } = require('../../mongoose');
 
 /**
  * A [node-mongodb-native](https://github.com/mongodb/node-mongodb-native) connection implementation.
@@ -320,6 +321,16 @@ NativeConnection.prototype.createClient = async function createClient(uri, optio
     };
   }
 
+  const { schemaMap, encryptedFieldsMap } = this._buildEncryptionSchemas();
+
+  if (Object.keys(schemaMap).length > 0) {
+    options.autoEncryption.schemaMap = schemaMap;
+  }
+
+  if (Object.keys(encryptedFieldsMap).length > 0) {
+    options.autoEncryption.encryptedFieldsMap = encryptedFieldsMap;
+  }
+
   this.readyState = STATES.connecting;
   this._connectionString = uri;
 
@@ -343,6 +354,55 @@ NativeConnection.prototype.createClient = async function createClient(uri, optio
   return this;
 };
 
+/**
+ * Given a connection, which may or may not have encrypted models, build
+ * a schemaMap and/or an encryptedFieldsMap for the connection, combining all models
+ * into a single schemaMap and encryptedFields map.
+ *
+ * @returns a copy of the options object with a schemaMap and/or an encryptedFieldsMap added to the options' autoEncryption
+ * options.
+  */
+NativeConnection.prototype._buildEncryptionSchemas = function() {
+  const qeMappings = {};
+  const csfleMappings = {};
+
+  // If discriminators are configured for the collection, there might be multiple models
+  // pointing to the same namespace.  For this scenario, we merge all the schemas for each namespace
+  // into a single schema.
+  // Notably, this doesn't allow for discriminators to declare multiple values on the same fields.
+  for (const model of Object.values(this.models)) {
+    const { schema, collection: { collectionName } } = model;
+    const namespace = `${this.$dbName}.${collectionName}`;
+    if (schema.encryptionType() === 'csfle') {
+      csfleMappings[namespace] ??= new Schema({}, { encryptionType: 'csfle' });
+      csfleMappings[namespace].add(schema);
+    } else if (schema.encryptionType() === 'queryableEncryption') {
+      qeMappings[namespace] ??= new Schema({}, { encryptionType: 'queryableEncryption' });
+      qeMappings[namespace].add(schema);
+    }
+  }
+
+  const schemaMap = Object.entries(csfleMappings).reduce(
+    (schemaMap, [namespace, schema]) => {
+      schemaMap[namespace] = schema._buildSchemaMap();
+      return schemaMap;
+    },
+    {}
+  );
+
+  const encryptedFieldsMap = Object.entries(qeMappings).reduce(
+    (encryptedFieldsMap, [namespace, schema]) => {
+      encryptedFieldsMap[namespace] = schema._buildEncryptedFields();
+      return encryptedFieldsMap;
+    },
+    {}
+  );
+
+  return {
+    schemaMap, encryptedFieldsMap
+  };
+};
+
 /*!
  * ignore
  */
@@ -363,7 +423,7 @@ NativeConnection.prototype.setClient = function setClient(client) {
 
   for (const model of Object.values(this.models)) {
     // Errors handled internally, so safe to ignore error
-    model.init().catch(function $modelInitNoop() {});
+    model.init().catch(function $modelInitNoop() { });
   }
 
   return this;
@@ -406,9 +466,9 @@ function _setClient(conn, client, options, dbName) {
   };
 
   const type = client &&
-  client.topology &&
-  client.topology.description &&
-  client.topology.description.type || '';
+    client.topology &&
+    client.topology.description &&
+    client.topology.description.type || '';
 
   if (type === 'Single') {
     client.on('serverDescriptionChanged', ev => {

lib/encryptionUtils.js

@@ -0,0 +1,72 @@
+'use strict';
+
+const schemaTypes = require('./schema/index.js');
+const SchemaBigInt = require('./schema/bigint');
+const SchemaBoolean = require('./schema/boolean');
+const SchemaBuffer = require('./schema/buffer');
+const SchemaDate = require('./schema/date');
+const SchemaDecimal128 = require('./schema/decimal128');
+const SchemaDouble = require('./schema/double');
+const SchemaInt32 = require('./schema/int32');
+const SchemaObjectId = require('./schema/objectId');
+const SchemaString = require('./schema/string');
+
+/**
+ * Given a schema and a path to a field in the schema, this returns the
+ * BSON type of the field, if it can be determined.  This method specifically
+ * **only** handles BSON types that are used for CSFLE and QE - any other
+ * BSON types will return `null`. (example: MinKey and MaxKey).
+ *
+ * @param {import('.').Schema} schema
+ * @param {string} path
+ * @returns {string}
+ */
+function inferBSONType(schema, path) {
+  const type = schema.path(path);
+
+  if (type instanceof SchemaString) {
+    return 'string';
+  }
+
+  if (type instanceof SchemaInt32) {
+    return 'int';
+  }
+
+  if (type instanceof SchemaBigInt) {
+    return 'long';
+  }
+
+  if (type instanceof SchemaBoolean) {
+    return 'bool';
+  }
+
+  if (type instanceof SchemaDate) {
+    return 'date';
+  }
+
+  if (type instanceof SchemaBuffer) {
+    return 'binData';
+  }
+
+  if (type instanceof SchemaObjectId) {
+    return 'objectId';
+  }
+
+  if (type instanceof SchemaDecimal128) {
+    return 'decimal';
+  }
+
+  if (type instanceof SchemaDouble) {
+    return 'double';
+  }
+
+  if (type instanceof schemaTypes.Array) {
+    return 'array';
+  }
+
+  return null;
+}
+
+module.exports = {
+  inferBSONType
+};

lib/encryption_utils.js

@@ -0,0 +1,72 @@
+'use strict';
+
+const { Array } = require('./schema/index.js');
+const SchemaBigInt = require('./schema/bigint');
+const SchemaBoolean = require('./schema/boolean');
+const SchemaBuffer = require('./schema/buffer');
+const SchemaDate = require('./schema/date');
+const SchemaDecimal128 = require('./schema/decimal128');
+const SchemaDouble = require('./schema/double');
+const SchemaInt32 = require('./schema/int32');
+const SchemaObjectId = require('./schema/objectId');
+const SchemaString = require('./schema/string');
+
+/**
+ * Given a schema and a path to a field in the schema, this returns the
+ * BSON type of the field, if it can be determined.  This method specifically
+ * **only** handles BSON types that are used for CSFLE and QE - any other
+ * BSON types will return `null`. (example: MinKey and MaxKey).
+ *
+ * @param {import('.').Schema} schema
+ * @param {string} path
+ * @returns
+ */
+function inferBSONType(schema, path) {
+  const type = schema.path(path);
+
+  if (type instanceof SchemaString) {
+    return 'string';
+  }
+
+  if (type instanceof SchemaInt32) {
+    return 'int';
+  }
+
+  if (type instanceof SchemaBigInt) {
+    return 'long';
+  }
+
+  if (type instanceof SchemaBoolean) {
+    return 'bool';
+  }
+
+  if (type instanceof SchemaDate) {
+    return 'date';
+  }
+
+  if (type instanceof SchemaBuffer) {
+    return 'binData';
+  }
+
+  if (type instanceof SchemaObjectId) {
+    return 'objectId';
+  }
+
+  if (type instanceof SchemaDecimal128) {
+    return 'decimal';
+  }
+
+  if (type instanceof SchemaDouble) {
+    return 'double';
+  }
+
+  if (type instanceof Array) {
+    return 'array';
+  }
+
+  return null;
+}
+
+module.exports = {
+  inferBSONType
+};