GODRIVER-2584 Error if RewrapManyDataKey is called with MasterKey and without Provider (#1270)

* add failing prose test

* return error if MasterKey is set, but Provider is nil

Author: kevinAlbs

mongo/integration/client_side_encryption_prose_test.go

@@ -1988,6 +1988,30 @@ func TestClientSideEncryptionProse(t *testing.T) {
 				}
 			}
 		})
+
+		mt.Run("Case 2: RewrapManyDataKeyOpts.provider is not optional", func(mt *mtest.T) {
+			var err error
+			var clientEncryption *mongo.ClientEncryption
+			{
+				var keyVaultClient *mongo.Client
+				{
+					co := options.Client().ApplyURI(mtest.ClusterURI())
+					keyVaultClient, err = mongo.Connect(context.Background(), co)
+					defer keyVaultClient.Disconnect(context.Background())
+					testutil.AddTestServerAPIVersion(co)
+					assert.Nil(mt, err, "error on Connect: %v", err)
+				}
+				ceOpts := options.ClientEncryption().
+					SetKeyVaultNamespace("keyvault.datakeys").
+					SetKmsProviders(fullKmsProvidersMap)
+				clientEncryption, err = mongo.NewClientEncryption(keyVaultClient, ceOpts)
+				assert.Nil(mt, err, "error in NewClientEncryption: %v", err)
+				defer clientEncryption.Close(context.Background())
+			}
+
+			_, err = clientEncryption.RewrapManyDataKey(context.Background(), bson.D{}, options.RewrapManyDataKey().SetMasterKey(bson.D{}))
+			assert.True(mt, strings.Contains(err.Error(), "expected 'Provider' to be set to identify type of 'MasterKey'"), "unexpected error message: %v", err)
+		})
 	})
 }
 

x/mongo/driver/mongocrypt/mongocrypt.go

@@ -321,6 +321,11 @@ func (m *MongoCrypt) RewrapDataKeyContext(filter []byte, opts *options.RewrapMan
 		return nil, m.createErrorFromStatus()
 	}
 
+	if opts.MasterKey != nil && opts.Provider == nil {
+		// Provider is nil, but MasterKey is set. This is an error.
+		return nil, fmt.Errorf("expected 'Provider' to be set to identify type of 'MasterKey'")
+	}
+
 	if opts.Provider != nil {
 		// If a provider has been specified, create an encryption key document for creating a data key or for rewrapping
 		// datakeys. If a new provider is not specified, then the filter portion of this logic returns the data as it