GODRIVER-2746 replace CreateEncryptedCollection DataKeyOpts with masterKey (#1169)

kevinAlbs · web-flow · commit c5146995ca4d · 2023-02-05T09:53:54.000-05:00
* run prose test 21 with "aws" and "local" KMS providers

* replace CEC DataKeyOpts with masterKey
diff --git a/mongo/client_encryption.go b/mongo/client_encryption.go
@@ -77,7 +77,7 @@ func NewClientEncryption(keyVaultClient *Client, opts ...*options.ClientEncrypti
 // It returns the created collection and the encrypted fields document used to create it.
 func (ce *ClientEncryption) CreateEncryptedCollection(ctx context.Context,
 	db *Database, coll string, createOpts *options.CreateCollectionOptions,
-	kmsProvider string, dkOpts *options.DataKeyOptions) (*Collection, bson.M, error) {
+	kmsProvider string, masterKey interface{}) (*Collection, bson.M, error) {
 	if createOpts == nil {
 		return nil, nil, errors.New("nil CreateCollectionOptions")
 	}
@@ -107,6 +107,10 @@ func (ce *ClientEncryption) CreateEncryptedCollection(ctx context.Context,
 				if f, ok := field.(bson.M); !ok {
 					continue
 				} else if v, ok := f["keyId"]; ok && v == nil {
+					dkOpts := options.DataKey()
+					if masterKey != nil {
+						dkOpts.SetMasterKey(masterKey)
+					}
 					keyid, err := ce.CreateDataKey(ctx, kmsProvider, dkOpts)
 					if err != nil {
 						createOpts.EncryptedFields = m
diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go
@@ -2080,120 +2080,144 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			return client, clientEnc, nil
 		}
 
-		mt.Run("case 1: simple creation and validation", func(mt *mtest.T) {
-			client, clientEnc, err := setup()
-			assert.Nil(mt, err, "setup error: %v", err)
-			defer func() {
-				err := clientEnc.Close(context.Background())
-				assert.Nil(mt, err, "error in Close")
-			}()
+		type KMSProviderTestcase struct {
+			kmsProvider string
+			masterKey   *bson.D
+		}
+
+		testcases := []KMSProviderTestcase{
+			{
+				kmsProvider: "local",
+				masterKey:   nil,
+			},
+			{
+				kmsProvider: "aws",
+				masterKey: &bson.D{
+					{"region", "us-east-1"},
+					{"key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"},
+				},
+			},
+		}
 
-			var encryptedFields bson.Raw
-			err = bson.UnmarshalExtJSON([]byte(`{
+		for _, tc := range testcases {
+			mt.Run(tc.kmsProvider, func(mt *mtest.T) {
+
+				mt.Run("case 1: simple creation and validation", func(mt *mtest.T) {
+					client, clientEnc, err := setup()
+					assert.Nil(mt, err, "setup error: %v", err)
+					defer func() {
+						err := clientEnc.Close(context.Background())
+						assert.Nil(mt, err, "error in Close")
+					}()
+
+					var encryptedFields bson.Raw
+					err = bson.UnmarshalExtJSON([]byte(`{
 				"fields": [{
 					"path": "ssn",
 					"bsonType": "string",
 					"keyId": null
 				}]
 			}`), true /* canonical */, &encryptedFields)
-			assert.Nil(mt, err, "Unmarshal error: %v", err)
-
-			coll, _, err := clientEnc.CreateEncryptedCollection(
-				context.Background(),
-				client.Database("db"),
-				"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
-				"local", nil,
-			)
-			assert.Nil(mt, err, "CreateCollection error: %v", err)
-
-			_, err = coll.InsertOne(context.Background(), bson.D{{"ssn", "123-45-6789"}})
-			assert.ErrorContains(mt, err, "Document failed validation")
-		})
-		mt.Run("case 2: missing encryptedFields", func(mt *mtest.T) {
-			client, clientEnc, err := setup()
-			assert.Nil(mt, err, "setup error: %v", err)
-			defer func() {
-				err := clientEnc.Close(context.Background())
-				assert.Nil(mt, err, "error in Close")
-			}()
-
-			coll, _, err := clientEnc.CreateEncryptedCollection(
-				context.Background(),
-				client.Database("db"),
-				"testing1", options.CreateCollection(),
-				"local", nil,
-			)
-			assert.Nil(mt, coll, "expect nil collection")
-			assert.EqualError(mt, err, "no EncryptedFields defined for the collection")
-		})
-		mt.Run("case 3: invalid keyId", func(mt *mtest.T) {
-			client, clientEnc, err := setup()
-			assert.Nil(mt, err, "setup error: %v", err)
-			defer func() {
-				err := clientEnc.Close(context.Background())
-				assert.Nil(mt, err, "error in Close")
-			}()
-
-			var encryptedFields bson.Raw
-			err = bson.UnmarshalExtJSON([]byte(`{
+					assert.Nil(mt, err, "Unmarshal error: %v", err)
+
+					coll, _, err := clientEnc.CreateEncryptedCollection(
+						context.Background(),
+						client.Database("db"),
+						"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
+						"local", nil,
+					)
+					assert.Nil(mt, err, "CreateCollection error: %v", err)
+
+					_, err = coll.InsertOne(context.Background(), bson.D{{"ssn", "123-45-6789"}})
+					assert.ErrorContains(mt, err, "Document failed validation")
+				})
+				mt.Run("case 2: missing encryptedFields", func(mt *mtest.T) {
+					client, clientEnc, err := setup()
+					assert.Nil(mt, err, "setup error: %v", err)
+					defer func() {
+						err := clientEnc.Close(context.Background())
+						assert.Nil(mt, err, "error in Close")
+					}()
+
+					coll, _, err := clientEnc.CreateEncryptedCollection(
+						context.Background(),
+						client.Database("db"),
+						"testing1", options.CreateCollection(),
+						"local", nil,
+					)
+					assert.Nil(mt, coll, "expect nil collection")
+					assert.EqualError(mt, err, "no EncryptedFields defined for the collection")
+				})
+				mt.Run("case 3: invalid keyId", func(mt *mtest.T) {
+					client, clientEnc, err := setup()
+					assert.Nil(mt, err, "setup error: %v", err)
+					defer func() {
+						err := clientEnc.Close(context.Background())
+						assert.Nil(mt, err, "error in Close")
+					}()
+
+					var encryptedFields bson.Raw
+					err = bson.UnmarshalExtJSON([]byte(`{
 				"fields": [{
 					"path": "ssn",
 					"bsonType": "string",
 					"keyId": false
 				}]
 			}`), true /* canonical */, &encryptedFields)
-			assert.Nil(mt, err, "Unmarshal error: %v", err)
-
-			_, _, err = clientEnc.CreateEncryptedCollection(
-				context.Background(),
-				client.Database("db"),
-				"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
-				"local", nil,
-			)
-			assert.ErrorContains(mt, err, "BSON field 'create.encryptedFields.fields.keyId' is the wrong type 'bool', expected type 'binData'")
-		})
-		mt.Run("case 4: insert encrypted value", func(mt *mtest.T) {
-			client, clientEnc, err := setup()
-			assert.Nil(mt, err, "setup error: %v", err)
-			defer func() {
-				err := clientEnc.Close(context.Background())
-				assert.Nil(mt, err, "error in Close")
-			}()
-
-			var encryptedFields bson.Raw
-			err = bson.UnmarshalExtJSON([]byte(`{
+					assert.Nil(mt, err, "Unmarshal error: %v", err)
+
+					_, _, err = clientEnc.CreateEncryptedCollection(
+						context.Background(),
+						client.Database("db"),
+						"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
+						"local", nil,
+					)
+					assert.ErrorContains(mt, err, "BSON field 'create.encryptedFields.fields.keyId' is the wrong type 'bool', expected type 'binData'")
+				})
+				mt.Run("case 4: insert encrypted value", func(mt *mtest.T) {
+					client, clientEnc, err := setup()
+					assert.Nil(mt, err, "setup error: %v", err)
+					defer func() {
+						err := clientEnc.Close(context.Background())
+						assert.Nil(mt, err, "error in Close")
+					}()
+
+					var encryptedFields bson.Raw
+					err = bson.UnmarshalExtJSON([]byte(`{
 				"fields": [{
 					"path": "ssn",
 					"bsonType": "string",
 					"keyId": null
 				}]
 			}`), true /* canonical */, &encryptedFields)
-			assert.Nil(mt, err, "Unmarshal error: %v", err)
-
-			coll, ef, err := clientEnc.CreateEncryptedCollection(
-				context.Background(),
-				client.Database("db"),
-				"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
-				"local", nil,
-			)
-			assert.Nil(mt, err, "CreateCollection error: %v", err)
-
-			keyid := ef["fields"].(bson.A)[0].(bson.M)["keyId"].(primitive.Binary)
-			rawValueType, rawValueData, err := bson.MarshalValue("123-45-6789")
-			assert.Nil(mt, err, "MarshalValue error: %v", err)
-			rawValue := bson.RawValue{Type: rawValueType, Value: rawValueData}
-			encryptionOpts := options.Encrypt().
-				SetAlgorithm("Unindexed").
-				SetKeyID(keyid)
-			encryptedField, err := clientEnc.Encrypt(
-				context.Background(),
-				rawValue,
-				encryptionOpts)
-			assert.Nil(mt, err, "Encrypt error: %v", err)
-
-			_, err = coll.InsertOne(context.Background(), bson.D{{"ssn", encryptedField}})
-			assert.Nil(mt, err, "InsertOne error: %v", err)
-		})
+					assert.Nil(mt, err, "Unmarshal error: %v", err)
+
+					coll, ef, err := clientEnc.CreateEncryptedCollection(
+						context.Background(),
+						client.Database("db"),
+						"testing1", options.CreateCollection().SetEncryptedFields(encryptedFields),
+						"local", nil,
+					)
+					assert.Nil(mt, err, "CreateCollection error: %v", err)
+
+					keyid := ef["fields"].(bson.A)[0].(bson.M)["keyId"].(primitive.Binary)
+					rawValueType, rawValueData, err := bson.MarshalValue("123-45-6789")
+					assert.Nil(mt, err, "MarshalValue error: %v", err)
+					rawValue := bson.RawValue{Type: rawValueType, Value: rawValueData}
+					encryptionOpts := options.Encrypt().
+						SetAlgorithm("Unindexed").
+						SetKeyID(keyid)
+					encryptedField, err := clientEnc.Encrypt(
+						context.Background(),
+						rawValue,
+						encryptionOpts)
+					assert.Nil(mt, err, "Encrypt error: %v", err)
+
+					_, err = coll.InsertOne(context.Background(), bson.D{{"ssn", encryptedField}})
+					assert.Nil(mt, err, "InsertOne error: %v", err)
+				})
+			})
+		}
 	})
 
 	rangeRunOpts := mtest.NewOptions().MinServerVersion("6.2").Topologies(mtest.ReplicaSet, mtest.Sharded, mtest.LoadBalanced, mtest.ShardedReplicaSet)
