Add ViewAreProhibited and ExternalKeyVault FLE tests.

Author: DmitryLukyanov

driver-async/src/main/com/mongodb/async/client/internal/Crypt.java

@@ -238,7 +238,9 @@ public void onResult(final RawBsonDocument result, final Throwable t) {
     @Override
     public void close() {
         mongoCrypt.close();
-        commandMarker.close();
+        if (commandMarker != null) {
+            commandMarker.close();
+        }
         keyRetriever.close();
     }
 

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionCorpusTest.java

@@ -32,6 +32,7 @@
 import org.bson.Document;
 import org.bson.UuidRepresentation;
 import org.bson.codecs.UuidCodec;
+import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -285,4 +286,30 @@ public static Collection<Object[]> data() {
         return Arrays.asList(new Object[]{true}, new Object[]{false});
     }
 
+    @After
+    public void after() {
+        if (client != null) {
+            try {
+                client.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+
+        if (autoEncryptingClient != null) {
+            try {
+                autoEncryptingClient.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+
+        if (clientEncryption != null) {
+            try {
+                clientEncryption.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+    }
 }

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionExternalKeyVaultTest.java

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.async.client;
+
+import com.mongodb.ClientEncryptionSettings;
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoCredential;
+import com.mongodb.MongoSecurityException;
+import com.mongodb.async.FutureResultCallback;
+import com.mongodb.async.client.vault.ClientEncryption;
+import com.mongodb.async.client.vault.ClientEncryptions;
+import com.mongodb.client.model.vault.EncryptOptions;
+import org.bson.BsonBinary;
+import org.bson.BsonBinarySubType;
+import org.bson.BsonDocument;
+import org.bson.BsonString;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.mongodb.ClusterFixture.isNotAtLeastJava8;
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static com.mongodb.async.client.Fixture.getMongoClientBuilderFromConnectionString;
+import static com.mongodb.async.client.Fixture.getMongoClient;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeTrue;
+import static util.JsonPoweredTestHelper.getTestDocument;
+
+@RunWith(Parameterized.class)
+public class ClientSideEncryptionExternalKeyVaultTest {
+    private MongoClient client, clientEncrypted;
+    private ClientEncryption clientEncryption;
+    private final boolean withExternalKeyVault;
+
+    public ClientSideEncryptionExternalKeyVaultTest(final boolean withExternalKeyVault) {
+        this.withExternalKeyVault = withExternalKeyVault;
+    }
+
+    @Before
+    public void setUp() throws IOException, URISyntaxException {
+        assumeFalse(isNotAtLeastJava8());
+        assumeTrue(serverVersionAtLeast(4, 1));
+        assumeTrue("Encryption test with external keyVault is disabled",
+                System.getProperty("org.mongodb.test.awsAccessKeyId") != null
+                        && !System.getProperty("org.mongodb.test.awsAccessKeyId").isEmpty());
+
+        /* Step 1: get unencrypted client and recreate keys collection */
+        client = getMongoClient();
+        MongoDatabase admin = client.getDatabase("admin");
+        MongoCollection<BsonDocument> datakeys = admin.getCollection("datakeys", BsonDocument.class);
+        FutureResultCallback<Void> voidCallback = new FutureResultCallback<Void>();
+        datakeys.drop(voidCallback);
+        voidCallback.get();
+
+        voidCallback = new FutureResultCallback<Void>();
+        datakeys.insertOne(bsonDocumentFromPath("external-key.json"), voidCallback);
+        voidCallback.get();
+
+        /* Step 2: create encryption objects. */
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
+        Map<String, Object> localMasterkey = new HashMap<String, Object>();
+        Map<String, BsonDocument> schemaMap = new HashMap<String, BsonDocument>();
+
+        byte[] localMasterkeyBytes = Base64.getDecoder().decode("Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM"
+                + "UN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk");
+        localMasterkey.put("key", localMasterkeyBytes);
+        kmsProviders.put("local", localMasterkey);
+        schemaMap.put("db.coll", bsonDocumentFromPath("external-schema.json"));
+
+        AutoEncryptionSettings.Builder autoEncryptionSettingsBuilder = AutoEncryptionSettings.builder()
+                .keyVaultNamespace("admin.datakeys")
+                .kmsProviders(kmsProviders)
+                .schemaMap(schemaMap);
+
+        MongoClientSettings externalClientSettings = null;
+        if (withExternalKeyVault) {
+            externalClientSettings = getMongoClientBuilderFromConnectionString()
+                    .credential(MongoCredential.createCredential("fake-user", "admin", "fake-pwd".toCharArray()))
+                    .build();
+            autoEncryptionSettingsBuilder.keyVaultMongoClientSettings(externalClientSettings);
+        }
+
+        AutoEncryptionSettings autoEncryptionSettings = autoEncryptionSettingsBuilder.build();
+
+        MongoClientSettings clientSettings = getMongoClientBuilderFromConnectionString()
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        clientEncrypted = MongoClients.create(clientSettings);
+
+        ClientEncryptionSettings.Builder clientEncryptionSettingsBuilder = ClientEncryptionSettings.builder().
+                keyVaultMongoClientSettings(getMongoClientBuilderFromConnectionString().build())
+                .kmsProviders(kmsProviders)
+                .keyVaultNamespace("admin.datakeys");
+
+        if (withExternalKeyVault) {
+            clientEncryptionSettingsBuilder.keyVaultMongoClientSettings(externalClientSettings);
+        }
+
+        ClientEncryptionSettings clientEncryptionSettings = clientEncryptionSettingsBuilder.build();
+        clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
+    }
+
+    @Test
+    public void testExternal() {
+        boolean authExceptionThrown = false;
+        MongoCollection<BsonDocument> coll = clientEncrypted
+                .getDatabase("db")
+                .getCollection("coll", BsonDocument.class);
+        FutureResultCallback<Void> voidCallback;
+        try {
+            voidCallback = new FutureResultCallback<Void>();
+            coll.insertOne(new BsonDocument().append("encrypted", new BsonString("test")), voidCallback);
+            voidCallback.get();
+        } catch (MongoSecurityException mse) {
+            authExceptionThrown = true;
+        }
+        assertEquals(authExceptionThrown, withExternalKeyVault);
+
+        EncryptOptions encryptOptions = new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")
+                .keyId(new BsonBinary(BsonBinarySubType.UUID_STANDARD, Base64.getDecoder().decode("LOCALAAAAAAAAAAAAAAAAA==")));
+        authExceptionThrown = false;
+        try {
+            FutureResultCallback<BsonBinary> bsonBinaryCallback = new FutureResultCallback<BsonBinary>();
+            clientEncryption.encrypt(new BsonString("test"), encryptOptions, bsonBinaryCallback);
+            bsonBinaryCallback.get();
+        } catch (MongoSecurityException mse) {
+            authExceptionThrown = true;
+        }
+        assertEquals(authExceptionThrown, withExternalKeyVault);
+    }
+
+    private static BsonDocument bsonDocumentFromPath(final String path) throws IOException, URISyntaxException {
+        return getTestDocument(new File(ClientSideEncryptionExternalKeyVaultTest.class
+                .getResource("/client-side-encryption-external/" + path).toURI()));
+    }
+
+    @Parameterized.Parameters(name = "withExternalKeyVault: {0}")
+    public static Collection<Object[]> data() {
+        return Arrays.asList(new Object[]{true}, new Object[]{false});
+    }
+
+    @After
+    public void after() {
+        if (clientEncrypted != null) {
+            try {
+                clientEncrypted.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+        if (clientEncryption != null) {
+            try {
+                clientEncryption.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+    }
+}

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionViewAreProhibitedTest.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.async.client;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoException;
+import com.mongodb.async.FutureResultCallback;
+import org.bson.BsonDocument;
+import org.bson.BsonString;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.Base64;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.mongodb.ClusterFixture.isNotAtLeastJava8;
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static junit.framework.TestCase.assertTrue;
+import static com.mongodb.async.client.Fixture.getMongoClientBuilderFromConnectionString;
+import static com.mongodb.async.client.Fixture.getMongoClient;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeTrue;
+import static org.junit.Assert.fail;
+
+public class ClientSideEncryptionViewAreProhibitedTest {
+    private MongoClient clientEncrypted;
+
+    @Before
+    public void setUp() {
+        assumeFalse(isNotAtLeastJava8());
+        assumeTrue(serverVersionAtLeast(4, 1));
+        assumeTrue("Encryption test with external keyVault is disabled",
+                System.getProperty("org.mongodb.test.awsAccessKeyId") != null
+                        && !System.getProperty("org.mongodb.test.awsAccessKeyId").isEmpty());
+
+        MongoClient client = getMongoClient();
+
+        MongoDatabase db = client.getDatabase("db");
+        FutureResultCallback<Void> voidCallback = new FutureResultCallback<Void>();
+        db.getCollection("view").drop(voidCallback);
+        voidCallback.get();
+
+        voidCallback = new FutureResultCallback<Void>();
+        db.createView("view", "coll", Collections.<BsonDocument>emptyList(), voidCallback);
+        voidCallback.get();
+
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
+        Map<String, Object> localMasterkey = new HashMap<String, Object>();
+
+        byte[] localMasterkeyBytes = Base64.getDecoder().decode("Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM"
+                + "UN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk");
+        localMasterkey.put("key", localMasterkeyBytes);
+        kmsProviders.put("local", localMasterkey);
+
+        AutoEncryptionSettings.Builder autoEncryptionSettingsBuilder = AutoEncryptionSettings.builder()
+                .keyVaultNamespace("admin.datakeys")
+                .kmsProviders(kmsProviders);
+
+        AutoEncryptionSettings autoEncryptionSettings = autoEncryptionSettingsBuilder.build();
+
+        MongoClientSettings.Builder clientSettingsBuilder = getMongoClientBuilderFromConnectionString();
+        MongoClientSettings clientSettings = clientSettingsBuilder
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        clientEncrypted = MongoClients.create(clientSettings);
+    }
+
+    @Test
+    public void shouldThrowError() {
+        MongoCollection<BsonDocument> coll = clientEncrypted
+                .getDatabase("db")
+                .getCollection("view", BsonDocument.class);
+        try {
+            FutureResultCallback<Void> voidCallback = new FutureResultCallback<Void>();
+            coll.insertOne(new BsonDocument().append("encrypted", new BsonString("test")), voidCallback);
+            voidCallback.get();
+            fail();
+        } catch (MongoException me) {
+            assertTrue(me.getMessage().contains("cannot auto encrypt a view"));
+        }
+    }
+
+    @After
+    public void after() {
+        if (clientEncrypted != null) {
+            clientEncrypted.close();
+        }
+    }
+}

driver-core/src/test/resources/client-side-encryption-external/external-key.json

@@ -0,0 +1,31 @@
+{
+    "status": {
+        "$numberInt": "1"
+    }, 
+    "_id": {
+        "$binary": {
+            "base64": "LOCALAAAAAAAAAAAAAAAAA==", 
+            "subType": "04"
+        }
+    }, 
+    "masterKey": {
+        "provider": "local"
+    }, 
+    "updateDate": {
+        "$date": {
+            "$numberLong": "1557827033449"
+        }
+    }, 
+    "keyMaterial": {
+        "$binary": {
+            "base64": "Ce9HSz/HKKGkIt4uyy+jDuKGA+rLC2cycykMo6vc8jXxqa1UVDYHWq1r+vZKbnnSRBfB981akzRKZCFpC05CTyFqDhXv6OnMjpG97OZEREGIsHEYiJkBW0jJJvfLLgeLsEpBzsro9FztGGXASxyxFRZFhXvHxyiLOKrdWfs7X1O/iK3pEoHMx6uSNSfUOgbebLfIqW7TO++iQS5g1xovXA==", 
+            "subType": "00"
+        }
+    }, 
+    "creationDate": {
+        "$date": {
+            "$numberLong": "1557827033449"
+        }
+    },
+    "keyAltNames": [ "local" ]
+}

driver-core/src/test/resources/client-side-encryption-external/external-schema.json

@@ -0,0 +1,19 @@
+{
+    "properties": {
+       "encrypted": {
+           "encrypt": {
+               "keyId": [
+                   {
+                       "$binary": {
+                           "base64": "LOCALAAAAAAAAAAAAAAAAA==", 
+                           "subType": "04"
+                       }
+                   }
+               ], 
+               "bsonType": "string", 
+               "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+           }
+       }
+    },
+    "bsonType": "object"
+}