Remove PyMongo's create_encrypted_collection

- `showfieldsmap` needs to be renamed to `createfieldsmap` and we need
another management command called `showfieldsmap` to retrieve the keys
from the key vault (either from server side or client side generation.)

- In order to retrieve keys from the vault they need to have a
  keyVaultName and PyMongo's `create_data_keys` does not provide this.

- If `encrypted_fields_map` is present, use it to create the collection,
  else create the collection with `create_collection` and our
  `encrypted_fields_map`.

- We may consider requiring users to provide an empty dictionary to initiate
  server side encryption rather than relying on the absence of
  `encrypted_fields_map`. PyMongo uses this convention in its KMS code
  and in this case it emphasizes the need for a map and when and how the
  map is created.

Author: aclark4life

django_mongodb_backend/management/commands/showfieldsmap.py

@@ -19,35 +19,34 @@ def add_arguments(self, parser):
             help="Specify the database to use for generating the encrypted"
             "fields map. Defaults to the 'default' database.",
         )
-        parser.add_argument(
-            "--kms-provider",
-            default="local",
-            help="Specify the KMS provider to use for encryption. Defaults to 'local'.",
-        )
 
     def handle(self, *args, **options):
         db = options["database"]
         connection = connections[db]
         encrypted_fields_map = {}
         for app_config in apps.get_app_configs():
             for model in app_config.get_models():
+                db_table = model._meta.db_table
                 if has_encrypted_fields(model):
                     fields = connection.schema_editor()._get_encrypted_fields_map(model)
                     client = connection.connection
-                    options = client._options.auto_encryption_opts
+                    ae = client._options.auto_encryption_opts
                     ce = ClientEncryption(
-                        options._kms_providers,
-                        options._key_vault_namespace,
+                        ae._kms_providers,
+                        ae._key_vault_namespace,
                         client,
                         client.codec_options,
                     )
                     kms_provider = router.kms_provider(model)
                     master_key = connection.settings_dict.get("KMS_CREDENTIALS").get(kms_provider)
                     for field in fields["fields"]:
+                        key_alt_name = f"{db_table}_{field['path']}"
                         data_key = ce.create_data_key(
                             kms_provider=kms_provider,
                             master_key=master_key,
+                            key_alt_names=[key_alt_name],
                         )
                         field["keyId"] = data_key
-                    encrypted_fields_map[model._meta.db_table] = fields
+                        field["keyAltName"] = key_alt_name
+                    encrypted_fields_map[db_table] = fields
         self.stdout.write(json_util.dumps(encrypted_fields_map, indent=2))

django_mongodb_backend/schema.py

@@ -432,33 +432,36 @@ def _create_collection(self, model):
         db_table = model._meta.db_table
         if has_encrypted_fields(model):
             client = self.connection.connection
-            options = getattr(client._options, "auto_encryption_opts", None)
-            if options is not None:
-                if encrypted_fields_map := getattr(options, "_encrypted_fields_map", None):
-                    db.create_collection(db_table, encryptedFields=encrypted_fields_map[db_table])
-                else:
-                    ce = ClientEncryption(
-                        options._kms_providers,
-                        options._key_vault_namespace,
-                        client,
-                        client.codec_options,
-                    )
-                    encrypted_fields_map = self._get_encrypted_fields_map(model)
-                    provider = router.kms_provider(model)
-                    credentials = self.connection.settings_dict.get("KMS_CREDENTIALS").get(provider)
-                    ce.create_encrypted_collection(
-                        db,
-                        db_table,
-                        encrypted_fields_map,
-                        provider,
-                        credentials,
-                    )
-            else:
+            options = client._options
+            ae = getattr(options, "auto_encryption_opts", None)
+            if not ae:
                 raise ImproperlyConfigured(
                     "Encrypted fields found but the connection does not have "
                     "auto encryption options set. Please set `auto_encryption_opts` "
                     "in the connection settings."
                 )
+            encrypted_fields_map = getattr(ae, "_encrypted_fields_map", None)
+            if not encrypted_fields_map:
+                encrypted_fields_map = {}
+                ce = ClientEncryption(
+                    ae._kms_providers,
+                    ae._key_vault_namespace,
+                    client,
+                    client.codec_options,
+                )
+                fields = self._get_encrypted_fields_map(model)
+                kms_provider = router.kms_provider(model)
+                master_key = self.connection.settings_dict.get("KMS_CREDENTIALS").get(kms_provider)
+                for field in fields["fields"]:
+                    key_alt_name = f"{db_table}_{field['path']}"
+                    data_key = ce.create_data_key(
+                        kms_provider=kms_provider,
+                        master_key=master_key,
+                        key_alt_names=[key_alt_name],
+                    )
+                    field["keyId"] = data_key
+                    encrypted_fields_map[db_table] = fields
+            db.create_collection(db_table, encryptedFields=encrypted_fields_map[db_table])
         else:
             db.create_collection(db_table)