From b1488d618647c99f7c20385dc16cb882dce4a366 Mon Sep 17 00:00:00 2001
From: Shane Harvey
Date: Wed, 4 Sep 2024 14:35:19 -0700
Subject: [PATCH] PYTHON-4150 Document support for KMIP delegated master_key
---
 doc/changelog.rst | 2 ++
 pymongo/asynchronous/encryption.py | 3 +++
 pymongo/synchronous/encryption.py | 3 +++
 .../spec/legacy/fle2v2-Rangev2-Compact.json | 3 ++-
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/doc/changelog.rst b/doc/changelog.rst
index 42a4fdf50f..2d574ee8ce 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -11,6 +11,8 @@ PyMongo 4.9 brings a number of improvements including:
 - Added support for In-Use Encryption range queries with MongoDB 8.0. Added :attr:`~pymongo.encryption.Algorithm.RANGE`. ``sparsity`` and ``trim_factor`` are now optional in :class:`~pymongo.encryption_options.RangeOpts`.
+- Added support for the "delegated" option for the KMIP ``master_key`` in
+ :meth:`~pymongo.encryption.ClientEncryption.create_data_key`.
 - pymongocrypt>=1.10 is now required for :ref:`In-Use Encryption` support.
 - Added :meth:`~pymongo.cursor.Cursor.to_list` to :class:`~pymongo.cursor.Cursor`, :class:`~pymongo.command_cursor.CommandCursor`,
diff --git a/pymongo/asynchronous/encryption.py b/pymongo/asynchronous/encryption.py
index c4cb886df7..c9e3cadd6e 100644
--- a/pymongo/asynchronous/encryption.py
+++ b/pymongo/asynchronous/encryption.py
@@ -764,6 +764,9 @@ async def create_data_key(
 Secret Data managed object.
 - `endpoint` (string): Optional. Host with optional port, e.g. "example.vault.azure.net:".
+ - `delegated` (bool): Optional. If True (recommended), the
+ KMIP server will perform encryption and decryption. If
+ delegated is not provided, defaults to false.
 :param key_alt_names: An optional list of string alternate names used to reference a key. If a key is created with alternate
diff --git a/pymongo/synchronous/encryption.py b/pymongo/synchronous/encryption.py
index 2efa995978..3849cf3f2b 100644
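Review bot: The added `delegated` entry in the `create_data_key` docstring calls True "(recommended)" without giving the reason, which is what an operator choosing a KMIP setup needs to know; the identical text in the pymongo/synchronous/encryption.py hunk has the same gap. As I understand the option, delegating means the KMIP server wraps and unwraps the data key itself, so the master key is never returned to the client, while the default has the driver fetch the secret and do that work locally. If that is right, add a sentence such as `With delegated=True the master key never leaves the KMIP server; otherwise the driver retrieves it and wraps the data key locally.` The entry should also say whether `keyId` must then name a different kind of managed object than the Secret Data object described just above (that entry starts outside the hunk), and write `False` rather than `false` to match `True`.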
--- a/pymongo/synchronous/encryption.py
+++ b/pymongo/synchronous/encryption.py
@@ -762,6 +762,9 @@ def create_data_key(
 Secret Data managed object.
 - `endpoint` (string): Optional. Host with optional port, e.g. "example.vault.azure.net:".
+ - `delegated` (bool): Optional. If True (recommended), the
+ KMIP server will perform encryption and decryption. If
+ delegated is not provided, defaults to false.
 :param key_alt_names: An optional list of string alternate names used to reference a key. If a key is created with alternate
diff --git a/test/client-side-encryption/spec/legacy/fle2v2-Rangev2-Compact.json b/test/client-side-encryption/spec/legacy/fle2v2-Rangev2-Compact.json
index 59241927ca..bba9f25535 100644
--- a/test/client-side-encryption/spec/legacy/fle2v2-Rangev2-Compact.json
+++ b/test/client-side-encryption/spec/legacy/fle2v2-Rangev2-Compact.json
@@ -6,7 +6,8 @@
 "replicaset",
 "sharded",
 "load-balanced"
- ]
+ ],
+ "serverless": "forbid"
 }
 ],
 "database_name": "default",