GODRIVER-2433 Support explicit encryption for Range Index (#1145)

* add test data files for range prose tests

* add RangeOptions API

* add ClientEncryption.EncryptExpression

* add prose test 22

* use libmongocrypt 1.7.0-alpha1

Co-authored-by: Benjamin Rewis <[email protected]>

Author: kevinAlbs

.evergreen/config.yml

@@ -94,7 +94,7 @@ functions:
           go env
 
           # TODO(GODRIVER-2676): use libmongocrypt 1.7.0 once it is released.
-          LIBMONGOCRYPT_TAG="1.7.0-alpha0"
+          LIBMONGOCRYPT_TAG="1.7.0-alpha1"
           # Install libmongocrypt based on OS.
           if [ "Windows_NT" = "$OS" ]; then
              mkdir -p c:/libmongocrypt/include
@@ -106,7 +106,7 @@ functions:
              # TODO(GODRIVER-2676): replace this URL once libmongocrypt 1.7.0 is released with the following:
              # curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/$LIBMONGOCRYPT_TAG/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz
              # There is no tag URL for libmongocrypt pre-releases.
-             LIBMONGOCRYPT_COMMIT=a162f4871cface46bdade94cdf7e3ad9459297af
+             LIBMONGOCRYPT_COMMIT=2cd2f77ae806a3a4c12750b39b0be92b0ca3b2c1
              curl https://mciuploads.s3.amazonaws.com/libmongocrypt/all/master/$LIBMONGOCRYPT_COMMIT/libmongocrypt-all.tar.gz -o libmongocrypt-all.tar.gz
              tar -xf libmongocrypt-all.tar.gz
              cd ..

mongo/client_encryption.go

@@ -116,10 +116,8 @@ func (ce *ClientEncryption) CreateDataKey(ctx context.Context, kmsProvider strin
 	return primitive.Binary{Subtype: subtype, Data: data}, nil
 }
 
-// Encrypt encrypts a BSON value with the given key and algorithm. Returns an encrypted value (BSON binary of subtype 6).
-func (ce *ClientEncryption) Encrypt(ctx context.Context, val bson.RawValue,
-	opts ...*options.EncryptOptions) (primitive.Binary, error) {
-
+// transformExplicitEncryptionOptions creates explicit encryption options to be passed to libmongocrypt.
+func transformExplicitEncryptionOptions(opts ...*options.EncryptOptions) *mcopts.ExplicitEncryptionOptions {
 	eo := options.MergeEncryptOptions(opts...)
 	transformed := mcopts.ExplicitEncryption()
 	if eo.KeyID != nil {
@@ -135,13 +133,69 @@ func (ce *ClientEncryption) Encrypt(ctx context.Context, val bson.RawValue,
 		transformed.SetContentionFactor(*eo.ContentionFactor)
 	}
 
+	if eo.RangeOptions != nil {
+		var transformedRange mcopts.ExplicitRangeOptions
+		if eo.RangeOptions.Min != nil {
+			transformedRange.Min = &bsoncore.Value{Type: eo.RangeOptions.Min.Type, Data: eo.RangeOptions.Min.Value}
+		}
+		if eo.RangeOptions.Max != nil {
+			transformedRange.Max = &bsoncore.Value{Type: eo.RangeOptions.Max.Type, Data: eo.RangeOptions.Max.Value}
+		}
+		if eo.RangeOptions.Precision != nil {
+			transformedRange.Precision = eo.RangeOptions.Precision
+		}
+		transformedRange.Sparsity = eo.RangeOptions.Sparsity
+		transformed.SetRangeOptions(transformedRange)
+	}
+	return transformed
+}
+
+// Encrypt encrypts a BSON value with the given key and algorithm. Returns an encrypted value (BSON binary of subtype 6).
+func (ce *ClientEncryption) Encrypt(ctx context.Context, val bson.RawValue,
+	opts ...*options.EncryptOptions) (primitive.Binary, error) {
+
+	transformed := transformExplicitEncryptionOptions(opts...)
 	subtype, data, err := ce.crypt.EncryptExplicit(ctx, bsoncore.Value{Type: val.Type, Data: val.Value}, transformed)
 	if err != nil {
 		return primitive.Binary{}, err
 	}
 	return primitive.Binary{Subtype: subtype, Data: data}, nil
 }
 
+// EncryptExpression encrypts an expression to query a range index.
+// On success, `result` is populated with the resulting BSON document.
+// `expr` is expected to be a BSON document of one of the following forms:
+// 1. A Match Expression of this form:
+//   {$and: [{<field>: {$gt: <value1>}}, {<field>: {$lt: <value2> }}]}
+// 2. An Aggregate Expression of this form:
+//   {$and: [{$gt: [<fieldpath>, <value1>]}, {$lt: [<fieldpath>, <value2>]}]
+// $gt may also be $gte. $lt may also be $lte.
+// Only supported for queryType "rangePreview"
+// NOTE(kevinAlbs): The Range algorithm is experimental only. It is not intended for public use. It is subject to breaking changes.
+func (ce *ClientEncryption) EncryptExpression(ctx context.Context, expr interface{}, result interface{}, opts ...*options.EncryptOptions) error {
+	transformed := transformExplicitEncryptionOptions(opts...)
+
+	exprDoc, err := transformBsoncoreDocument(bson.DefaultRegistry, expr, true, "expr")
+	if err != nil {
+		return err
+	}
+
+	encryptedExprDoc, err := ce.crypt.EncryptExplicitExpression(ctx, exprDoc, transformed)
+	if err != nil {
+		return err
+	}
+	if raw, ok := result.(*bson.Raw); ok {
+		// Avoid the cost of Unmarshal.
+		*raw = bson.Raw(encryptedExprDoc)
+		return nil
+	}
+	err = bson.Unmarshal([]byte(encryptedExprDoc), result)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // Decrypt decrypts an encrypted value (BSON binary of subtype 6) and returns the original BSON value.
 func (ce *ClientEncryption) Decrypt(ctx context.Context, val primitive.Binary) (bson.RawValue, error) {
 	decrypted, err := ce.crypt.DecryptExplicit(ctx, val.Subtype, val.Data)

mongo/doc.go

@@ -122,6 +122,8 @@
 // This bug may result in data corruption.
 // Please use libmongocrypt 1.5.2 or higher when calling RewrapManyDataKey.
 //
+// - Go Driver v1.12.0 requires libmongocrypt v1.7.0 or higher.
+//
 // To install libmongocrypt, follow the instructions for your
 // operating system:
 //