Code review fixes

Author: aclark4life

django_mongodb_backend/management/commands/showencryptedfieldsmap.py

@@ -1,9 +1,9 @@
 from bson import json_util
 from django.apps import apps
 from django.core.management.base import BaseCommand
-from django.db import DEFAULT_DB_ALIAS, connections
+from django.db import DEFAULT_DB_ALIAS, connections, router
 
-from django_mongodb_backend.model_utils import has_encrypted_fields
+from django_mongodb_backend.model_utils import model_has_encrypted_fields
 
 
 class Command(BaseCommand):
@@ -31,13 +31,9 @@ def handle(self, *args, **options):
         client = connection.connection
         encrypted_fields_map = {}
         auto_encryption_opts = getattr(client._options, "auto_encryption_opts", None)
-        # FIXME:
-        # TypeError: ConnectionRouter.get_migratable_models() missing 2 required
-        # positional arguments: 'app_config' and 'db'
-        # for app_config in router.get_migratable_models():
         for app_config in apps.get_app_configs():
-            for model in app_config.get_models():
-                if has_encrypted_fields(model):
+            for model in router.get_migratable_models(app_config, db):
+                if model_has_encrypted_fields(model):
                     from_db = not create
                     fields = connection.schema_editor()._get_encrypted_fields_map(
                         model, client, auto_encryption_opts, from_db=from_db

django_mongodb_backend/model_utils.py

@@ -1,3 +1,2 @@
-# TODO: Move to models.utils
-def has_encrypted_fields(model):
+def model_has_encrypted_fields(model):
     return any(getattr(field, "encrypted", False) for field in model._meta.fields)

django_mongodb_backend/routers.py

@@ -2,7 +2,7 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.db.utils import ConnectionRouter
 
-from .model_utils import has_encrypted_fields
+from .model_utils import model_has_encrypted_fields
 
 
 class MongoRouter:
@@ -30,7 +30,7 @@ def kms_provider(self, model, *args, **kwargs):
             result = func(model, *args, **kwargs)
             if result is not None:
                 return result
-    if has_encrypted_fields(model):
+    if model_has_encrypted_fields(model):
         raise ImproperlyConfigured("No kms_provider found in database router.")
     return None
 

django_mongodb_backend/schema.py

@@ -7,7 +7,7 @@
 
 from .fields import EmbeddedModelField
 from .indexes import SearchIndex
-from .model_utils import has_encrypted_fields
+from .model_utils import model_has_encrypted_fields
 from .query import wrap_database_errors
 from .utils import OperationCollector
 
@@ -431,7 +431,7 @@ def _create_collection(self, model):
         """
         db = self.get_database()
         db_table = model._meta.db_table
-        if has_encrypted_fields(model):
+        if model_has_encrypted_fields(model):
             client = self.connection.connection
             auto_encryption_opts = getattr(client._options, "auto_encryption_opts", None)
             if not auto_encryption_opts:
@@ -485,7 +485,7 @@ def _get_encrypted_fields_map(self, model, client, auto_encryption_opts, from_db
                     "path": field.column,
                     "keyId": data_key,
                 }
-                if getattr(field, "queries", None):
+                if field.queries:
                     field_dict["queries"] = field.queries
                 field_list.append(field_dict)
         return {"fields": field_list}

docs/source/howto/queryable-encryption.rst

@@ -86,9 +86,20 @@ database router. Here's how to set it up in your Django settings.
 
     DATABASE_ROUTERS = [EncryptedRouter()]
 
-You are now ready to use server side :doc:`Queryable Encryption
+You are now ready to use server-side :doc:`Queryable Encryption
 </topics/queryable-encryption>` in your Django project.
 
+.. admonition:: KMS providers and credentials
+
+    The above example uses a local KMS provider with a randomly generated
+    key. In a production environment, you should use a secure KMS provider
+    such as AWS KMS, Azure Key Vault, or GCP KMS.
+
+    Please refer to :ref:`manual:qe-fundamentals-kms-providers`
+    for more information on configuring KMS providers and credentials as well as
+    :doc:`manual:core/queryable-encryption/fundamentals/keys-key-vaults`
+    for information on creating and managing data encryption keys.
+
 .. _client-side-queryable-encryption:
 
 Client-side Queryable Encryption

tests/encryption_/models.py

@@ -22,6 +22,7 @@
 
 EQUALITY_QUERY = {"queryType": "equality"}
 RANGE_QUERY = {"queryType": "range"}
+RANGE_QUERY_MIN_MAX = {"queryType": "range", "min": 0, "max": 100}
 
 
 class Appointment(models.Model):
@@ -52,7 +53,7 @@ class PatientRecord(models.Model):
     ssn = EncryptedCharField(max_length=11, queries=EQUALITY_QUERY)
     birth_date = EncryptedDateField(queries=RANGE_QUERY)
     profile_picture = EncryptedBinaryField(queries=EQUALITY_QUERY)
-    patient_age = EncryptedIntegerField("patient_age", queries=RANGE_QUERY)
+    patient_age = EncryptedIntegerField("patient_age", queries=RANGE_QUERY_MIN_MAX)
     weight = EncryptedFloatField(queries=RANGE_QUERY)
 
     # TODO: Embed Billing model

tests/encryption_/routers.py

@@ -1,4 +1,4 @@
-from django_mongodb_backend.model_utils import has_encrypted_fields
+from django_mongodb_backend.model_utils import model_has_encrypted_fields
 
 
 class TestEncryptedRouter:
@@ -10,11 +10,11 @@ class TestEncryptedRouter:
 
     def allow_migrate(self, db, app_label, model_name=None, model=None, **hints):
         if model:
-            return db == ("encrypted" if has_encrypted_fields(model) else "default")
+            return db == ("encrypted" if model_has_encrypted_fields(model) else "default")
         return db == "default"
 
     def db_for_read(self, model, **hints):
-        if has_encrypted_fields(model):
+        if model_has_encrypted_fields(model):
             return "encrypted"
         return "default"
 

tests/encryption_/test_base.py

@@ -163,7 +163,7 @@ def test_patientrecord(self):
             PatientRecord.objects.get(ssn="123-45-6789").profile_picture, b"image data"
         )
         self.assertTrue(PatientRecord.objects.filter(patient_age__gte=40).exists())
-        self.assertFalse(PatientRecord.objects.filter(patient_age__gte=200).exists())
+        self.assertFalse(PatientRecord.objects.filter(patient_age__gte=80).exists())
         self.assertTrue(PatientRecord.objects.filter(weight__gte=175.0).exists())
 
         # Test encrypted patient record in unencrypted database.

tests/encryption_/test_management.py

@@ -46,7 +46,7 @@
             {
                 "bsonType": "int",
                 "path": "patient_age",
-                "queries": {"queryType": "range"},
+                "queries": {"queryType": "range", "max": 100, "min": 0},
             },
             {
                 "bsonType": "double",