INTPYTHON-527 Add Queryable Encryption support #329
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
aclark4life
force-pushed
the
INTPYTHON-527
branch
from
5b2bc07 to
bddae41
Compare
django_mongodb_backend/management/commands/showencryptedfieldsmap.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/showencryptedfieldsmap.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/schema.py
Outdated
| raise ImproperlyConfigured( | ||
| "Encrypted fields found but " | ||
| "DATABASES[[self.connection.alias}]['OPTIONS'] is missing " | ||
| "auto_encryption_opts. Please set `auto_encryption_opts` " | ||
| "in the connection settings." | ||
| ) |
There was a problem hiding this comment.
Did you try adding a test for this exception?
There was a problem hiding this comment.
I've tested it manually but haven't written a test for it yet.
| "KMS_PROVIDERS": {}, | ||
| "KMS_CREDENTIALS": {}, |
There was a problem hiding this comment.
For KMS_CREDENTIALS, I believe the options are documented here: https://pymongo.readthedocs.io/en/stable/api/pymongo/encryption.html#pymongo.encryption.ClientEncryption.create_data_key (but pymongo docs are deprecated?)
So a minimal example for AWS: "KMS_CREDENTIALS": {"aws": {"region": "...", "key": "..."}
- Fix rebase merge conflict edits - Remove integer field FIXME comments - Remove pos_int
Don't break the build!
Don't break the build Part II
aclark4life
force-pushed
the
INTPYTHON-527
branch
from
0e7b955 to
6afce5a
Compare
|
|
||
| .. _server-side-queryable-encryption-settings: | ||
|
|
||
| Server-side Queryable Encryption |
There was a problem hiding this comment.
Definitely not a phrase we should be using in documentation; the core point of CSFLE/QE is that the encryption itself is primarily a client-side feature, and this title sounds like some of the encryption logic actually happens on the server side. This should be something like "Server-side schema for Queryable Encryption".
|
|
||
| .. _client-side-queryable-encryption: | ||
|
|
||
| Client-side Queryable Encryption |
| … | ||
| "OPTIONS": { | ||
| "auto_encryption_opts": AutoEncryptionOpts( | ||
| … |
There was a problem hiding this comment.
Should this include an example of how to specify the crypt_shared library path?
There was a problem hiding this comment.
Yes! Will add.
timgraham
force-pushed
the
INTPYTHON-527
branch
from
c7f360e to
31b24f6
Compare
Co-authored-by: Anna Henningsen <[email protected]>
- Removed all signs of client side vs. server side configuration of Queryable Encryption which can be too easily confused with client-side encryption, which is what Queryable Encryption is.
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for MongoDB's Queryable Encryption feature to the Django MongoDB Backend, allowing developers to store sensitive data in encrypted fields that can still be queried using specific query types. The implementation includes encrypted field classes, schema support, management commands, and comprehensive documentation.
- Adds encrypted field types that wrap Django's built-in fields with encryption capabilities
- Implements schema editor support for creating collections with encrypted fields and managing data keys
- Provides management command for generating encrypted fields maps and creating encryption keys
Reviewed Changes
Copilot reviewed 32 out of 33 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
django_mongodb_backend/fields/encryption.py |
Defines encrypted field classes and mixin for queryable encryption |
django_mongodb_backend/schema.py |
Adds schema editor support for creating encrypted collections and managing data keys |
django_mongodb_backend/management/commands/showencryptedfieldsmap.py |
Management command for generating encrypted fields maps |
django_mongodb_backend/features.py |
Adds feature detection for queryable encryption support |
tests/encryption_/ |
Comprehensive test suite covering encrypted fields, schema operations, and management commands |
docs/source/ |
Documentation for configuring and using queryable encryption |
pyproject.toml |
Adds optional encryption dependency |
django_mongodb_backend/management/commands/showencryptedfieldsmap.py
Outdated
Show resolved
Hide resolved
…map.py Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Previous attempts and additional context here: