MONGOID-5319 Permit driver FLE configuration to be specified in Mongoid config file (#5251)

* MONGOID-5319 Permit driver FLE configuration to be specified in Mongoid config file

* remove documentation for loading schema map from file

Co-authored-by: Oleg Pudeyev <[email protected]>

Author: p-mongo

docs/reference/configuration.txt

@@ -732,6 +732,44 @@ be executed sequentially during socket creation.
 For more information about TLS context hooks, including best practices for
 assigning and removing them, see `the Ruby driver documentation <https://mongodb.com/docs/ruby-driver/current/reference/create-client/#modifying-sslcontext>`_.
 
+
+Client-Side Encryption
+======================
+
+When loading the configuration file, Mongoid permits the file to contain
+``BSON::Binary`` instances which are used for specifying ``keyId`` in
+the schema map for `client-side encryption
+<https://www.mongodb.com/docs/ruby-driver/current/reference/client-side-encryption/>`_,
+as the following example shows:
+
+.. code-block:: yaml
+
+  development:
+    clients:
+      default:
+        database: blog_development
+        hosts: [localhost:27017]
+        options:
+          auto_encryption_options:
+            key_vault_namespace: 'keyvault.datakeys'
+            kms_providers:
+              local:
+                key: "z7iYiYKLuYymEWtk4kfny1ESBwwFdA58qMqff96A8ghiOcIK75lJGPUIocku8LOFjQuEgeIP4xlln3s7r93FV9J5sAE7zg8U"
+            schema_map:
+              blog_development.comments:
+                properties:
+                  message:
+                    encrypt:
+                      keyId:
+                        - !ruby/object:BSON::Binary
+                          data: !binary |-
+                            R/AgNcxASFiiJWKXqWGo5w==
+                          type: :uuid
+                      bsonType: "string"
+                      algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+                bsonType: "object"
+
+
 Usage with Forking Servers
 ==========================
 

lib/mongoid/config/environment.rb

@@ -44,21 +44,37 @@ def env_name
       #   override the current Mongoid environment.
       #
       # @return [ Hash ] The settings.
+      #
       # @api private
       def load_yaml(path, environment = nil)
         env = environment ? environment.to_s : env_name
-        contents = File.new(path).read
+
+        contents = File.read(path)
         if contents.empty?
           raise Mongoid::Errors::EmptyConfigFile.new(path)
         end
-        data = if RUBY_VERSION.start_with?("2.5")
-          YAML.safe_load(ERB.new(contents).result, [Symbol], [], true)
+
+        # These are the classes that can be used in a Mongoid
+        # configuration file in addition to standard YAML types.
+        permitted_classes = [
+          # Symbols occur as values for read preference, for example.
+          Symbol,
+          # BSON::Binary occur as keyId values for FLE (more precisely,
+          # the keyIds are UUIDs).
+          BSON::Binary,
+        ]
+
+        result = ERB.new(contents).result
+        data = if RUBY_VERSION < '2.6'
+          YAML.safe_load(result, permitted_classes, [], true)
         else
-          YAML.safe_load(ERB.new(contents).result, permitted_classes: [Symbol], aliases: true)
+          YAML.safe_load(result, permitted_classes: permitted_classes, aliases: true)
         end
+
         unless data.is_a?(Hash)
           raise Mongoid::Errors::InvalidConfigFile.new(path)
         end
+
         data[env]
       end
     end

spec/config/mongoid_with_schema_map_uuid.yml

@@ -0,0 +1,27 @@
+test:
+  clients:
+    default:
+      database: mongoid_test
+      hosts:
+        <% SpecConfig.instance.addresses.each do |address| %>
+          - <%= address %>
+        <% end %>
+      options:
+        auto_encryption_options:
+          key_vault_namespace: 'admin.datakeys'
+          kms_providers:
+            local:
+              key: "z7iYiYKLuYymEWtk4kfny1ESBwwFdA58qMqff96A8ghiOcIK75lJGPUIocku8LOFjQuEgeIP4xlln3s7r93FV9J5sAE7zg8U"
+          schema_map:
+            blog_development.comments:
+              properties:
+                message:
+                  encrypt:
+                    keyId:
+                      - !ruby/object:BSON::Binary
+                        data: !binary |-
+                          R/AgNcxASFiiJWKXqWGo5w==
+                        type: :uuid
+                    bsonType: "string"
+                    algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+              bsonType: "object"

spec/mongoid/clients/factory_spec.rb

@@ -36,6 +36,7 @@
       context "when the configuration exists" do
 
         context "when the configuration is standard" do
+          restore_config_clients
 
           let(:config) do
             {
@@ -46,7 +47,6 @@
 
           before do
             Mongoid::Config.send(:clients=, config)
-            # TODO: We should restore overwritten configuration in after block
           end
 
           after do
@@ -118,6 +118,7 @@
         end
 
         context "when the configuration has no ports" do
+          restore_config_clients
 
           let(:config) do
             {
@@ -128,7 +129,6 @@
 
           before do
             Mongoid::Config.send(:clients=, config)
-            # TODO: We should restore overwritten configuration in after block
           end
 
           after do
@@ -163,6 +163,7 @@
         context "when configured via a uri" do
 
           context "when the uri has a single host:port" do
+            restore_config_clients
 
             let(:config) do
               {
@@ -173,7 +174,6 @@
 
             before do
               Mongoid::Config.send(:clients=, config)
-              # TODO: We should restore overwritten configuration in after block
             end
 
             after do
@@ -202,6 +202,7 @@
           end
 
           context "when the uri has multiple host:port pairs" do
+            restore_config_clients
 
             let(:config) do
               {
@@ -212,7 +213,6 @@
 
             before do
               Mongoid::Config.send(:clients=, config)
-              # TODO: We should restore overwritten configuration in after block
             end
 
             after do
@@ -253,14 +253,14 @@
     end
 
     context "when no name is provided" do
+      restore_config_clients
 
       let(:config) do
         { default: { hosts: SpecConfig.instance.addresses, database: database_id }}
       end
 
       before do
         Mongoid::Config.send(:clients=, config)
-        # TODO: We should restore overwritten configuration in after block
       end
 
       after do
@@ -287,12 +287,12 @@
     end
 
     context "when nil is provided and no default config" do
+      restore_config_clients
 
       let(:config) { nil }
 
       before do
         Mongoid.clients[:default] = nil
-        # TODO: We should restore overwritten configuration in after block
       end
 
       it "raises NoClientsConfig error" do
@@ -302,14 +302,14 @@
   end
 
   describe ".default" do
+    restore_config_clients
 
     let(:config) do
       { default: { hosts: SpecConfig.instance.addresses, database: database_id }}
     end
 
     before do
       Mongoid::Config.send(:clients=, config)
-      # TODO: We should restore overwritten configuration in after block
     end
 
     after do
@@ -336,6 +336,7 @@
   end
 
   context "when options are provided with string keys" do
+    restore_config_clients
 
     let(:config) do
       {
@@ -352,7 +353,6 @@
 
     before do
       Mongoid::Config.send(:clients=, config)
-      # TODO: We should restore overwritten configuration in after block
     end
 
     after do
@@ -391,6 +391,8 @@
   end
 
   context "unexpected config options" do
+    restore_config_clients
+
     let(:unknown_opts) do
       {
         bad_one: 1,
@@ -408,11 +410,8 @@
       }
     end
 
-    around(:each) do |example|
-      old_config = Mongoid::Config.clients
+    before do
       Mongoid::Config.send(:clients=, config)
-      example.run
-      Mongoid::Config.send(:clients=, old_config)
     end
 
     [:bad_one, :bad_two].each do |env|

spec/mongoid/config/environment_spec.rb

@@ -106,7 +106,7 @@ def environment; :staging; end
 
     context 'when file found' do
       before do
-        allow(File).to receive(:new).with('mongoid.yml').and_return(StringIO.new(file_contents))
+        allow(File).to receive(:read).with('mongoid.yml').and_return(file_contents)
       end
 
       let(:file_contents) do
@@ -162,5 +162,43 @@ def environment; :staging; end
         it { is_expected.to be_nil }
       end
     end
+
+    context 'when configuration includes schema map' do
+      paths = Dir.glob(File.join(File.dirname(__FILE__), '../../support/schema_maps/*.json'))
+
+      if paths.empty?
+        raise "Expected to find some schema maps"
+      end
+
+      before do
+        allow(File).to receive(:read).with('mongoid.yml').and_return(file_contents)
+      end
+
+      let(:file_contents) do
+        <<~FILE
+          test:
+            clients:
+              default:
+                database: mongoid_test
+                hosts: [localhost]
+                options:
+                  auto_encryption_options:
+                    schema_map: #{schema_map.to_yaml.sub(/\A---/, '').gsub(/\n/, "\n" + ' '*100)}
+        FILE
+      end
+
+      paths.each do |path|
+        context File.basename(path) do
+          let(:schema_map) do
+            BSON::ExtJSON.parse(File.read(path))
+          end
+
+          it 'loads successfully' do
+            subject.should be_a(Hash)
+            subject.fetch('clients').fetch('default').fetch('options').fetch('auto_encryption_options').fetch('schema_map').should be_a(Hash)
+          end
+        end
+      end
+    end
   end
 end

spec/mongoid/config_spec.rb

@@ -544,6 +544,46 @@ def self.logger
         end
       end
     end
+
+    context 'when schema map is provided with uuid' do
+      let(:file) do
+        File.join(File.dirname(__FILE__), "..", "config", "mongoid_with_schema_map_uuid.yml")
+      end
+
+      before do
+        described_class.load!(file, :test)
+      end
+
+      let(:client) { Mongoid.default_client }
+
+      # Wrapping libraries are only recognized by driver 2.13.0+.
+      min_driver_version '2.13'
+
+      it 'passes uuid to driver' do
+        Mongo::Client.should receive(:new).with(SpecConfig.instance.addresses,
+          auto_encryption_options: {
+            'key_vault_namespace' => 'admin.datakeys',
+            'kms_providers' => {'local' => {'key' => 'z7iYiYKLuYymEWtk4kfny1ESBwwFdA58qMqff96A8ghiOcIK75lJGPUIocku8LOFjQuEgeIP4xlln3s7r93FV9J5sAE7zg8U'}},
+            'schema_map' => {'blog_development.comments' => {
+              'bsonType' => 'object',
+              'properties' => {
+                'message' => {'encrypt' => {
+                  'algorithm' => 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
+                  'bsonType' => 'string',
+                  'keyId' => [BSON::Binary.new("G\xF0 5\xCC@HX\xA2%b\x97\xA9a\xA8\xE7", :uuid)],
+                }},
+              },
+            }}},
+          database: 'mongoid_test',
+          platform: "mongoid-#{Mongoid::VERSION}",
+          wrapping_libraries: [
+            {'name' => 'Mongoid', 'version' => Mongoid::VERSION},
+          ],
+        )
+
+        client
+      end
+    end
   end
 
   describe "#options=" do

spec/support/macros.rb

@@ -38,5 +38,14 @@ def with_config_values(key, *values, &block)
         end
       end
     end
+
+    def restore_config_clients
+      around do |example|
+        # Duplicate the config because some tests mutate it.
+        old_config = Mongoid::Config.clients.dup
+        example.run
+        Mongoid::Config.send(:clients=, old_config)
+      end
+    end
   end
 end

spec/support/schema_maps/schema_map_aws.json

@@ -0,0 +1,17 @@
+{
+  "properties": {
+    "ssn": {
+      "encrypt": {
+        "keyId": [{
+          "$binary": {
+            "base64": "AWSAAAAAAAAAAAAAAAAAAA==",
+            "subType": "04"
+          }
+        }],
+        "bsonType": "string",
+        "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+      }
+    }
+  },
+  "bsonType": "object"
+}