CDRIVER-4317 Add remaining Key Management API functions (#1008)

* Fix validation of opts field for rewrapManyDataKey operation

* Update unified spec tests

* Set default read and write concern on keyvault collection

* Add key management API functions

* Add prose test for keyAltname unique index

* Add unified test runner support for key management API

Author: eramongodb

src/libmongoc/doc/mongoc_client_encryption_add_key_alt_name.rst

@@ -0,0 +1,37 @@
+:man_page: mongoc_client_encryption_add_key_alt_name
+
+mongoc_client_encryption_add_key_alt_name()
+===========================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_encryption_add_key_alt_name (
+      mongoc_client_encryption_t *client_encryption,
+      const bson_value_t *keyid,
+      const char *keyaltname,
+      bson_t *key_doc,
+      bson_error_t *error);
+
+Add ``keyaltname`` to the set of alternate names in the key document with UUID ``keyid``.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``keyid``: A UUID (BSON binary subtype 0x04) key ID of the key to add the key alternate name to.
+* ``keyaltname``: The key alternate name to add.
+* ``key_doc``: Optional. An uninitialized :symbol:`bson_t` set to the value of the key document before addition of the alternate name, or an empty document if the key does not exist. Must be freed by :symbol:`bson_destroy`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns ``true`` if successful. Returns ``false`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`

src/libmongoc/doc/mongoc_client_encryption_create_key.rst

@@ -16,8 +16,7 @@ Synopsis
       bson_value_t *keyid,
       bson_error_t *error);
 
-Creates a new key document in the key vault collection and sets ``keyid`` to the UUID of the
-newly created key if ``keyid`` is not NULL. The new key can be used to configure automatic encryption (see :symbol:`mongoc_client_enable_auto_encryption()` and :symbol:`mongoc_client_pool_enable_auto_encryption()`) or for explicit encryption (see :symbol:`mongoc_client_encryption_encrypt()`).
+Creates a new key document in the key vault collection and sets ``keyid`` to the UUID of the newly created key if ``keyid`` is not NULL. The new key can be used to configure automatic encryption (see :symbol:`mongoc_client_enable_auto_encryption()` and :symbol:`mongoc_client_pool_enable_auto_encryption()`) or for explicit encryption (see :symbol:`mongoc_client_encryption_encrypt()`).
 
 The created key document is inserted into the key vault collection (identified via :symbol:`mongoc_client_encryption_opts_set_keyvault_namespace()`) with majority write concern.
 
@@ -29,8 +28,8 @@ Parameters
 * ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
 * ``kms_provider``: A string identifying the Key Management Service (KMS) provider used to encrypt the datakey (e.g. "aws" or "local").
 * ``opts``: A :symbol:`mongoc_client_encryption_datakey_opts_t`
-* ``keyid``: The resulting UUID key ID of the newly created key.
-* ``error``: A :symbol:`bson_error_t`
+* ``keyid``: Optional. An uninitialized :symbol:`bson_value_t` set to the UUID (BSON binary subtype 0x04) of the newly created key. Must be freed by :symbol:`bson_value_destroy`.
+* ``error``: Optional. A :symbol:`bson_error_t`.
 
 Returns
 -------

src/libmongoc/doc/mongoc_client_encryption_delete_key.rst

@@ -0,0 +1,36 @@
+:man_page: mongoc_client_encryption_delete_key
+
+mongoc_client_encryption_delete_key()
+=====================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_encryption_delete_key (
+      mongoc_client_encryption_t *client_encryption,
+      const bson_value_t *keyid,
+      bson_t *reply,
+      bson_error_t *error);
+
+Delete a key document in the key vault collection that has the given ``keyid``.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``keyid``: The UUID (BSON binary subtype 0x04) of the key to delete.
+* ``reply``: Optional. An uninitalized :symbol:`bson:bson_t` set to the delete result. Must be freed by :symbol:`bson_destroy`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns ``true`` if successful. Returns ``false`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`
+  | :symbol:`mongoc_client_encryption_create_key`

src/libmongoc/doc/mongoc_client_encryption_encrypt_opts_set_contention_factor.rst

@@ -8,7 +8,7 @@ Synopsis
 
 .. code-block:: c
 
-   MONGOC_EXPORT (void)
+    void
     mongoc_client_encryption_encrypt_opts_set_contention_factor (
         mongoc_client_encryption_encrypt_opts_t *opts, int64_t contention_factor);
 

src/libmongoc/doc/mongoc_client_encryption_encrypt_opts_set_keyid.rst

@@ -18,9 +18,8 @@ Parameters
 ----------
 
 * ``opts``: A :symbol:`mongoc_client_encryption_encrypt_opts_t`
-* ``keyid``: A UUID (BSON binary with subtype 4) corresponding to the ``_id`` of the data key.
+* ``keyid``: The UUID (BSON binary subtype 0x04) corresponding to the ``_id`` of the data key.
 
 .. seealso::
 
   | :symbol:`mongoc_client_encryption_encrypt_opts_set_keyaltname`
-

src/libmongoc/doc/mongoc_client_encryption_get_key.rst

@@ -0,0 +1,34 @@
+:man_page: mongoc_client_encryption_get_key
+
+mongoc_client_encryption_get_key()
+==================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_encryption_get_key (mongoc_client_encryption_t *client_encryption,
+                                     const bson_value_t *keyid,
+                                     bson_t *key_doc,
+                                     bson_error_t *error);
+
+Get a key document in the key vault collection that has the given ``keyid``.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``keyid``: The UUID (BSON binary subtype 0x04) of the key to get.
+* ``key_doc``: Optional. An uninitialized :symbol:`bson_t` set to the resulting key document, or an empty document value if the key does not exist. Must be freed by :symbol:`bson_destroy`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns ``true`` if successful. Returns ``false`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`

src/libmongoc/doc/mongoc_client_encryption_get_key_by_alt_name.rst

@@ -0,0 +1,35 @@
+:man_page: mongoc_client_encryption_get_key_by_alt_name
+
+mongoc_client_encryption_get_key_by_alt_name()
+==============================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_encryption_get_key_by_alt_name (
+      mongoc_client_encryption_t *client_encryption,
+      const char *keyaltname,
+      bson_value_t *key_doc,
+      bson_error_t *error);
+
+Get a key document in the key vault collection that has the given ``keyaltname``.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``keyaltname``: The key alternate name of the key to get.
+* ``key_doc``: Optional. An uninitialized :symbol:`bson_t` set to the resulting key document, or an empty document if the key does not exist. Must be freed by :symbol:`bson_value_destroy`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns ``true`` if successful. Returns ``false`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`

src/libmongoc/doc/mongoc_client_encryption_get_keys.rst

@@ -0,0 +1,30 @@
+:man_page: mongoc_client_encryption_get_keys
+
+mongoc_client_encryption_get_keys()
+===================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   mongoc_cursor_t *
+   mongoc_client_encryption_get_keys (mongoc_client_encryption_t *client_encryption,
+                                      bson_error_t *error);
+
+Get all the key documents in the key vault collection.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns the result of the internal find command if successful. Returns ``NULL`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`

src/libmongoc/doc/mongoc_client_encryption_remove_key_alt_name.rst

@@ -0,0 +1,39 @@
+:man_page: mongoc_client_encryption_remove_key_alt_name
+
+mongoc_client_encryption_remove_key_alt_name()
+==============================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_encryption_remove_key_alt_name (
+      mongoc_client_encryption_t *client_encryption,
+      const bson_value_t *keyid,
+      const char *keyaltname,
+      bson_t *key_doc,
+      bson_error_t *error);
+
+Remove ``keyaltname`` from the set of keyAltNames in the key document with UUID ``keyid``.
+
+Also removes the ``keyAltNames`` field from the key document if it would otherwise be empty.
+
+Parameters
+----------
+
+* ``client_encryption``: A :symbol:`mongoc_client_encryption_t`.
+* ``keyid``: The UUID (BSON binary subtype 0x04) of the key to remove the key alternate name from.
+* ``keyaltname``: The key alternate name to remove.
+* ``key_doc``: Optional. An uninitialized :symbol:`bson_t` set to the value of the key document before removal of the key alternate name, or an empty document the key does not exist. Must be freed by :symbol:`bson_value_destroy`.
+* ``error``: Optional. :symbol:`bson_error_t`.
+
+Returns
+-------
+
+Returns ``true`` if successful. Returns ``false`` and sets ``error`` otherwise.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_encryption_t`

src/libmongoc/doc/mongoc_client_encryption_t.rst

@@ -37,6 +37,12 @@ The key vault client, configured via :symbol:`mongoc_client_encryption_opts_set_
     mongoc_client_encryption_create_key
     mongoc_client_encryption_create_datakey
     mongoc_client_encryption_rewrap_many_datakey
+    mongoc_client_encryption_delete_key
+    mongoc_client_encryption_get_key
+    mongoc_client_encryption_get_keys
+    mongoc_client_encryption_add_key_alt_name
+    mongoc_client_encryption_remove_key_alt_name
+    mongoc_client_encryption_get_key_by_alt_name
     mongoc_client_encryption_encrypt
     mongoc_client_encryption_decrypt