Added Client side explicit encryption/decryption example

rozza · rozza · commit cae375b769cb · 2019-12-18T16:23:18.000Z
JAVA-3528
diff --git a/docs/reference/content/driver/tutorials/client-side-encryption.md b/docs/reference/content/driver/tutorials/client-side-encryption.md
@@ -36,7 +36,7 @@ There is a separate jar file containing`libmongocrypt` bindings.
 `libmongocrypt` requires the `mongocryptd` daemon / process to be running. A specific daemon / process uri can be configured in the 
 `AutoEncryptionSettings` class by setting `mongocryptdURI` in the `extraOptions`.
 
-More information about mongocryptd will soon be available from the official documentation.
+For more information about mongocryptd see the [official documentation](https://docs.mongodb.com/manual/core/security-client-side-encryption/).
 
 
 ### Examples
@@ -157,4 +157,95 @@ AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
         }}).build();
 ```
 
-**Coming soon:** An example using the community version and demonstrating explicit encryption/decryption.
+#### Explicit Encryption and Decryption
+Explicit encryption and decryption is a **MongoDB community** feature and does not use the `mongocryptd` process. Explicit encryption is 
+provided by the `ClientEncryption` class. 
+The full code snippet can be found in [`ClientSideEncryptionExplicitEncryptionAndDecryptionTour.java`]({{< srcref "driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionAndDecryptionTour.java">}}):
+
+```
+// This would have to be the same master key as was used to create the encryption key
+final byte[] localMasterKey = new byte[96];
+new SecureRandom().nextBytes(localMasterKey);
+
+Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
+    put("local", new HashMap<String, Object>() {{
+        put("key", localMasterKey);
+    }});
+}};
+
+MongoClientSettings clientSettings = MongoClientSettings.builder().build();
+MongoClient mongoClient = MongoClients.create(clientSettings);
+
+// Set up the key vault for this example
+MongoNamespace keyVaultNamespace = new MongoNamespace("encryption.testKeyVault");
+MongoCollection<Document> keyVaultCollection = mongoClient
+    .getDatabase(keyVaultNamespace.getDatabaseName())
+    .getCollection(keyVaultNamespace.getCollectionName());
+keyVaultCollection.drop();
+
+// Ensure that two data keys cannot share the same keyAltName.
+keyVaultCollection.createIndex(Indexes.ascending("keyAltNames"),
+        new IndexOptions().unique(true)
+           .partialFilterExpression(Filters.exists("keyAltNames")));
+
+MongoCollection<Document> collection = mongoClient.getDatabase("test").getCollection("coll");
+collection.drop(); // Clear old data
+
+// Create the ClientEncryption instance
+ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
+        .keyVaultMongoClientSettings(MongoClientSettings.builder()
+                .applyConnectionString(new ConnectionString("mongodb://localhost"))
+                .build())
+        .keyVaultNamespace(keyVaultNamespace.getFullName())
+        .kmsProviders(kmsProviders)
+        .build();
+
+ClientEncryption clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
+
+BsonBinary dataKeyId = clientEncryption.createDataKey("local", new DataKeyOptions());
+
+// Explicitly encrypt a field
+BsonBinary encryptedFieldValue = clientEncryption.encrypt(new BsonString("123456789"),
+        new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId));
+
+collection.insertOne(new Document("encryptedField", encryptedFieldValue));
+
+Document doc = collection.find().first();
+System.out.println(doc.toJson());
+
+// Explicitly decrypt the field
+BsonString decryptedFieldValue = clientEncryption.decrypt(
+    new BsonBinary(doc.get("encryptedField", Binary.class).getData())).asString();
+System.out.println(decryptedFieldValue.getValue());
+```
+
+#### Explicit Encryption and Auto Decryption
+
+Although automatic encryption requires MongoDB 4.2 enterprise or a MongoDB 4.2 Atlas cluster, automatic decryption is supported for all 
+users. To configure automatic decryption without automatic encryption set `bypassAutoEncryption(true)`. The full code snippet can be found in [`ClientSideEncryptionExplicitEncryptionOnlyTour.java`]({{< srcref "driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionOnlyTour.java">}}):
+
+```
+...
+MongoClientSettings clientSettings = MongoClientSettings.builder()
+    .autoEncryptionSettings(AutoEncryptionSettings.builder()
+            .keyVaultNamespace(keyVaultNamespace.getFullName())
+            .kmsProviders(kmsProviders)
+            .bypassAutoEncryption(true)
+            .build())
+    .build();
+MongoClient mongoClient = MongoClients.create(clientSettings);
+
+...
+
+// Explicitly encrypt a field
+BsonBinary encryptedFieldValue = clientEncryption.encrypt(new BsonString("123456789"),
+        new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId));
+
+collection.insertOne(new Document("encryptedField", encryptedFieldValue));
+
+// Automatically decrypts the encrypted field.
+Document doc = collection.find().first();
+System.out.println(doc.toJson());
+System.out.println(doc.get("encryptedField"));
+
+```
diff --git a/driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionAndDecryptionTour.java b/driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionAndDecryptionTour.java
@@ -102,7 +102,9 @@ public static void main(final String[] args) {
         System.out.println(doc.toJson());
 
         // Explicitly decrypt the field
-        System.out.println(clientEncryption.decrypt(new BsonBinary(doc.get("encryptedField", Binary.class).getData())));
+        BsonString decryptedFieldValue = clientEncryption.decrypt(new BsonBinary(doc.get("encryptedField", Binary.class).getData()))
+                .asString();
+        System.out.println(decryptedFieldValue.getValue());
 
         // release resources
         clientEncryption.close();
diff --git a/driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionOnlyTour.java b/driver-sync/src/examples/tour/ClientSideEncryptionExplicitEncryptionOnlyTour.java
@@ -0,0 +1,116 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package tour;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.ClientEncryptionSettings;
+import com.mongodb.ConnectionString;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoNamespace;
+import com.mongodb.client.MongoClient;
+import com.mongodb.client.MongoClients;
+import com.mongodb.client.MongoCollection;
+import com.mongodb.client.model.Filters;
+import com.mongodb.client.model.IndexOptions;
+import com.mongodb.client.model.Indexes;
+import com.mongodb.client.model.vault.DataKeyOptions;
+import com.mongodb.client.model.vault.EncryptOptions;
+import com.mongodb.client.vault.ClientEncryption;
+import com.mongodb.client.vault.ClientEncryptions;
+import org.bson.BsonBinary;
+import org.bson.BsonString;
+import org.bson.Document;
+
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * ClientSideEncryption explicit encryption and decryption tour
+ */
+public class ClientSideEncryptionExplicitEncryptionOnlyTour {
+
+    /**
+     * Run this main method to see the output of this quick example.
+     *
+     * @param args ignored args
+     */
+    public static void main(final String[] args) {
+
+        // This would have to be the same master key as was used to create the encryption key
+        final byte[] localMasterKey = new byte[96];
+        new SecureRandom().nextBytes(localMasterKey);
+
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
+            put("local", new HashMap<String, Object>() {{
+                put("key", localMasterKey);
+            }});
+        }};
+
+        MongoNamespace keyVaultNamespace = new MongoNamespace("encryption.testKeyVault");
+
+        MongoClientSettings clientSettings = MongoClientSettings.builder()
+                .autoEncryptionSettings(AutoEncryptionSettings.builder()
+                        .keyVaultNamespace(keyVaultNamespace.getFullName())
+                        .kmsProviders(kmsProviders)
+                        .bypassAutoEncryption(true)
+                        .build())
+                .build();
+        MongoClient mongoClient = MongoClients.create(clientSettings);
+
+        // Set up the key vault for this example
+        MongoCollection<Document> keyVaultCollection = mongoClient.getDatabase(keyVaultNamespace.getDatabaseName())
+                .getCollection(keyVaultNamespace.getCollectionName());
+        keyVaultCollection.drop();
+
+        // Ensure that two data keys cannot share the same keyAltName.
+        keyVaultCollection.createIndex(Indexes.ascending("keyAltNames"),
+                new IndexOptions().unique(true)
+                        .partialFilterExpression(Filters.exists("keyAltNames")));
+
+        MongoCollection<Document> collection = mongoClient.getDatabase("test").getCollection("coll");
+        collection.drop(); // Clear old data
+
+        // Create the ClientEncryption instance
+        ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
+                .keyVaultMongoClientSettings(MongoClientSettings.builder()
+                        .applyConnectionString(new ConnectionString("mongodb://localhost"))
+                        .build())
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .build();
+
+        ClientEncryption clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
+
+        BsonBinary dataKeyId = clientEncryption.createDataKey("local", new DataKeyOptions());
+
+        // Explicitly encrypt a field
+        BsonBinary encryptedFieldValue = clientEncryption.encrypt(new BsonString("123456789"),
+                new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId));
+
+        collection.insertOne(new Document("encryptedField", encryptedFieldValue));
+
+        // Automatically decrypts the encrypted field.
+        Document doc = collection.find().first();
+        System.out.println(doc.toJson());
+        System.out.println(doc.get("encryptedField"));
+
+        // release resources
+        clientEncryption.close();
+        mongoClient.close();
+    }
+}
