Allow user to customize some QE settings.

Via Django settings.

With this change we don't need to provide helpers for
`kms_providers` and `key_vault_namespace` because they
can be configured in Django settings and retrieved by the schema
during `client_encryption` and `create_encrypted_collection`.

Author: aclark4life

django_mongodb_backend/encryption.py

@@ -11,6 +11,26 @@
 KEY_VAULT_COLLECTION_NAME = "__keyVault"
 
 
+def get_customer_master_key():
+    """
+    Returns a 96-byte local master key for use with MongoDB Client-Side Field Level
+    Encryption (CSFLE). For local testing purposes only. In production, use a secure KMS
+    like AWS, Azure, GCP, or KMIP.
+    Returns:
+        bytes: A 96-byte key.
+    """
+    # WARNING: This is a static key for testing only.
+    # Generate with: os.urandom(96)
+    return bytes.fromhex(
+        "000102030405060708090a0b0c0d0e0f"
+        "101112131415161718191a1b1c1d1e1f"
+        "202122232425262728292a2b2c2d2e2f"
+        "303132333435363738393a3b3c3d3e3f"
+        "404142434445464748494a4b4c4d4e4f"
+        "505152535455565758595a5b5c5d5e5f"
+    )
+
+
 def get_kms_providers():
     """
     Return supported KMS providers for MongoDB Client-Side Field Level Encryption (CSFLE).
@@ -22,16 +42,7 @@ def get_kms_providers():
     }
 
 
-def get_client_encryption(client):
-    """
-    Returns a `ClientEncryption` instance for MongoDB Client-Side Field Level
-    Encryption (CSFLE) that can be used to create an encrypted collection.
-    """
-
-    key_vault_namespace = get_key_vault_namespace()
-    kms_providers = get_kms_providers()
-    codec_options = CodecOptions(uuid_representation=STANDARD)
-    return ClientEncryption(kms_providers, key_vault_namespace, client, codec_options)
+KMS_PROVIDERS = get_kms_providers()
 
 
 def get_key_vault_namespace(
@@ -44,6 +55,18 @@ def get_key_vault_namespace(
 KEY_VAULT_NAMESPACE = get_key_vault_namespace()
 
 
+def get_client_encryption(
+    client, key_vault_namespace=KEY_VAULT_NAMESPACE, kms_providers=KMS_PROVIDERS
+):
+    """
+    Returns a `ClientEncryption` instance for MongoDB Client-Side Field Level
+    Encryption (CSFLE) that can be used to create an encrypted collection.
+    """
+
+    codec_options = CodecOptions(uuid_representation=STANDARD)
+    return ClientEncryption(kms_providers, key_vault_namespace, client, codec_options)
+
+
 def get_auto_encryption_opts(
     key_vault_namespace=KEY_VAULT_NAMESPACE, crypt_shared_lib_path=None, kms_providers=None
 ):
@@ -56,23 +79,3 @@ def get_auto_encryption_opts(
         kms_providers=kms_providers,
         crypt_shared_lib_path=crypt_shared_lib_path,
     )
-
-
-def get_customer_master_key():
-    """
-    Returns a 96-byte local master key for use with MongoDB Client-Side Field Level
-    Encryption (CSFLE). For local testing purposes only. In production, use a secure KMS
-    like AWS, Azure, GCP, or KMIP.
-    Returns:
-        bytes: A 96-byte key.
-    """
-    # WARNING: This is a static key for testing only.
-    # Generate with: os.urandom(96)
-    return bytes.fromhex(
-        "000102030405060708090a0b0c0d0e0f"
-        "101112131415161718191a1b1c1d1e1f"
-        "202122232425262728292a2b2c2d2e2f"
-        "303132333435363738393a3b3c3d3e3f"
-        "404142434445464748494a4b4c4d4e4f"
-        "505152535455565758595a5b5c5d5e5f"
-    )

django_mongodb_backend/schema.py

@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Index, UniqueConstraint
 from pymongo.operations import SearchIndexModel
@@ -430,7 +431,11 @@ def _create_collection(self, model):
             db.create_collection(model._meta.db_table)
         else:
             client = self.connection.connection
-            ce = get_client_encryption(client)
+            ce = get_client_encryption(
+                client,
+                key_vault_namespace=settings.KEY_VAULT_NAMESPACE,
+                kms_providers=settings.KMS_PROVIDERS,
+            )
             ce.create_encrypted_collection(
                 db,
                 model._meta.db_table,