Add a property to .

Author: baileympearson

lib/model.js

@@ -69,6 +69,7 @@ const minimize = require('./helpers/minimize');
 const MongooseBulkSaveIncompleteError = require('./error/bulkSaveIncompleteError');
 const ObjectExpectedError = require('./error/objectExpected');
 const decorateBulkWriteResult = require('./helpers/model/decorateBulkWriteResult');
+const { ClientEncryption } = require('mongodb');
 
 const modelCollectionSymbol = Symbol('mongoose#Model#collection');
 const modelDbSymbol = Symbol('mongoose#Model#db');
@@ -4880,6 +4881,29 @@ Model.compile = function compile(name, schema, collectionName, connection, base)
   return model;
 };
 
+Model.clientEncryption = function clientEncryption() {
+  /** @type(import('mongodb').MongoClient) */
+  const client = this.collection?.conn?.client;
+
+  if (!client) return null;
+
+  const autoEncryptionOptions = client.options.autoEncryption;
+
+  if (!autoEncryptionOptions) return null;
+
+  const {
+    keyVaultNamespace,
+    keyVaultClient,
+    kmsProviders,
+    credentialProviders,
+    proxyOptions,
+    tlsOptions
+  } = autoEncryptionOptions;
+  return new ClientEncryption(keyVaultClient ?? client,
+    { keyVaultNamespace, kmsProviders, credentialProviders, proxyOptions, tlsOptions }
+  );
+};
+
 /**
  * Update this model to use the new connection, including updating all internal
  * references and creating a new `Collection` instance using the new connection.

test/encryption/encryption.test.js

@@ -1268,7 +1268,7 @@ describe('encryption integration tests', () => {
     });
   });
 
-  describe('Encryption can be configured on the default mongoose connection', function() {
+  describe.only('Encryption can be configured on the default mongoose connection', function() {
     afterEach(async function() {
       mongoose.deleteModel('Schema');
       await mongoose.disconnect();
@@ -1307,4 +1307,116 @@ describe('encryption integration tests', () => {
       assert.deepEqual(doc.a, 2);
     });
   });
+
+  describe('Key Vault API', function() {
+    describe('No FLE configured', function() {
+      it('returns `null`', async function() {
+        const connection = mongoose.createConnection();
+        const model = connection.model('Name', { age: String });
+
+        await connection.openUri(process.env.MONGOOSE_TEST_URI);
+
+        assert.equal(model.clientEncryption(), null);
+      });
+    });
+
+    describe('Client not connected', function() {
+      it('returns `null`', async function() {
+        const connection = mongoose.createConnection();
+        const model = connection.model('Name', { age: String });
+
+        assert.equal(model.clientEncryption(), null);
+      });
+    });
+
+    describe('auto encryption enabled for a collection', function() {
+      let connection;
+      let model;
+      beforeEach(async function() {
+        connection = createConnection();
+        model = connection.model('Model1', new Schema({
+          a: {
+            type: String,
+            encrypt: {
+              keyId
+            }
+          }
+        }, {
+          encryptionType: 'queryableEncryption'
+        }));
+
+        await connection.openUri(process.env.MONGOOSE_TEST_URI, {
+          dbName: 'db', autoEncryption: {
+            keyVaultNamespace: 'keyvault.datakeys',
+            kmsProviders: { local: { key: LOCAL_KEY } },
+            extraOptions: {
+              cryptdSharedLibRequired: true,
+              cryptSharedLibPath: process.env.CRYPT_SHARED_LIB_PATH
+            }
+          }
+        });
+      });
+
+      afterEach(async function() {
+        await connection.close();
+      });
+
+      it('returns a client encryption object', async function() {
+        assert.ok(model.clientEncryption() instanceof mdb.ClientEncryption);
+      });
+
+      it('the client encryption is usable as a key vault', async function() {
+        const clientEncryption = model.clientEncryption();
+        const dataKey = await clientEncryption.createDataKey('local');
+        const keys = await clientEncryption.getKeys().toArray();
+
+        assert.ok(keys.length > 0);
+
+        const key = keys.find(
+          ({ _id }) => _id.toString() === dataKey.toString()
+        );
+
+        assert.ok(key);
+      });
+
+      it('uses the same keyvaultNamespace', async function() {
+        assert.equal(model.clientEncryption()._keyVaultNamespace, 'keyvault.datakeys');
+      });
+
+      it('uses the same kms providers', async function() {
+        assert.deepEqual(model.clientEncryption()._kmsProviders, { local: { key: LOCAL_KEY } });
+      });
+
+      it('uses the same proxy options', async function() {
+        const options = model.collection.conn.client.options.autoEncryption;
+        options.proxyOptions = { name: 'bailey' };
+        assert.deepEqual(model.clientEncryption()._proxyOptions, { name: 'bailey' });
+      });
+
+      it('uses the same TLS options', async function() {
+        const options = model.collection.conn.client.options.autoEncryption;
+        options.tlsOptions = {
+          tlsCAFile: 'some file'
+        };
+        assert.deepEqual(model.clientEncryption()._tlsOptions, {
+          tlsCAFile: 'some file'
+        });
+      });
+
+      it.skip('uses the same credentialProviders', async function() {
+        const options = model.collection.conn.client.options.autoEncryption;
+        const credentialProviders = {
+          aws: async() => {}
+        };
+        options.credentialProviders = credentialProviders;
+        assert.equal(model.clientEncryption()._credentialProviders, credentialProviders);
+      });
+
+      it('uses the underlying MongoClient as the keyvault client', async function() {
+        const options = model.collection.conn.client.options.autoEncryption;
+        assert.ok(model.clientEncryption()._client === options.keyVaultClient, 'client not the same');
+        assert.equal(model.clientEncryption()._keyVaultClient, options.keyVaultClient, 'keyvault client not the same');
+      });
+    });
+  });
 });