changes

baileympearson · baileympearson · commit 210e80aea8f9 · 2025-08-07T15:18:32.000-06:00
diff --git a/src/client-side-encryption/client_encryption.ts b/src/client-side-encryption/client_encryption.ts
@@ -591,14 +591,14 @@ export class ClientEncryption {
         field == null || typeof field !== 'object' || field.keyId != null
           ? field
           : {
-              ...field,
-              keyId: await this.createDataKey(provider, {
-                masterKey,
-                // clone the timeoutContext
-                // in order to avoid sharing the same timeout for server selection and connection checkout across different concurrent operations
-                timeoutContext: timeoutContext?.csotEnabled() ? timeoutContext?.clone() : undefined
-              })
-            }
+            ...field,
+            keyId: await this.createDataKey(provider, {
+              masterKey,
+              // clone the timeoutContext
+              // in order to avoid sharing the same timeout for server selection and connection checkout across different concurrent operations
+              timeoutContext: timeoutContext?.csotEnabled() ? timeoutContext?.clone() : undefined
+            })
+          }
       );
       const createDataKeyResolutions = await Promise.allSettled(createDataKeyPromises);
 
@@ -814,12 +814,12 @@ export interface ClientEncryptionEncryptOptions {
    * The algorithm to use for encryption.
    */
   algorithm:
-    | 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
-    | 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
-    | 'Indexed'
-    | 'Unindexed'
-    | 'Range'
-    | 'TextPreview';
+  | 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
+  | 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
+  | 'Indexed'
+  | 'Unindexed'
+  | 'Range'
+  | 'TextPreview';
 
   /**
    * The id of the Binary dataKey to use for encryption
@@ -847,7 +847,7 @@ export interface ClientEncryptionEncryptOptions {
 
 interface TextQueryOptions {
   caseSensitive: boolean;
-  diacraticSensitive: boolean;
+  diacriticSensitive: boolean;
 
   prefix?: {
     strMaxQueryLength: Int32 | number;
@@ -873,11 +873,11 @@ interface TextQueryOptions {
 export interface ClientEncryptionRewrapManyDataKeyProviderOptions {
   provider: ClientEncryptionDataKeyProvider;
   masterKey?:
-    | AWSEncryptionKeyOptions
-    | AzureEncryptionKeyOptions
-    | GCPEncryptionKeyOptions
-    | KMIPEncryptionKeyOptions
-    | undefined;
+  | AWSEncryptionKeyOptions
+  | AzureEncryptionKeyOptions
+  | GCPEncryptionKeyOptions
+  | KMIPEncryptionKeyOptions
+  | undefined;
 }
 
 /**
@@ -1066,11 +1066,11 @@ export interface ClientEncryptionCreateDataKeyProviderOptions {
    * Identifies a new KMS-specific key used to encrypt the new data key
    */
   masterKey?:
-    | AWSEncryptionKeyOptions
-    | AzureEncryptionKeyOptions
-    | GCPEncryptionKeyOptions
-    | KMIPEncryptionKeyOptions
-    | undefined;
+  | AWSEncryptionKeyOptions
+  | AzureEncryptionKeyOptions
+  | GCPEncryptionKeyOptions
+  | KMIPEncryptionKeyOptions
+  | undefined;
 
   /**
    * An optional list of string alternate names used to reference a key.
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.27.text_queries.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.27.text_queries.test.ts
@@ -0,0 +1,180 @@
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+
+import { type Binary, type Document, EJSON } from 'bson';
+import { expect } from 'chai';
+
+import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
+import {
+  ClientEncryption,
+  type ClientEncryptionEncryptOptions,
+  type MongoClient
+} from '../../mongodb';
+
+const metadata: MongoDBMetadataUI = {
+  requires: {
+    clientSideEncryption: '>=6.4.0',
+    mongodb: '>=8.2.0',
+    topology: '!single'
+  }
+};
+
+const loadFLEDataFile = (filename: string) =>
+  readFile(join(__dirname, '../../spec/client-side-encryption/etc/data', filename), {
+    encoding: 'utf-8'
+  });
+
+describe.only('27. Text Explicit Encryption', function () {
+  let encryptedFields: Document;
+  let keyDocument1: Document;
+  let keyId1: Binary;
+  let client: MongoClient;
+  let keyVaultClient: MongoClient;
+  let clientEncryption: ClientEncryption;
+  let encryptedClient: MongoClient;
+  let encryptOpts: ClientEncryptionEncryptOptions;
+
+  beforeEach(async function () {
+    encryptedFields = EJSON.parse(await loadFLEDataFile('encryptedFields-prefix-suffix.json'), {
+      relaxed: false
+    });
+    keyDocument1 = EJSON.parse(await loadFLEDataFile('keys/key1-document.json'), {
+      relaxed: false
+    });
+
+    keyId1 = keyDocument1._id;
+    client = this.configuration.newClient();
+
+    await client
+      .db('db')
+      .dropCollection('explicit_encryption', { writeConcern: { w: 'majority' }, encryptedFields });
+    await client.db('db').createCollection('explicit_encryption', {
+      writeConcern: { w: 'majority' },
+      encryptedFields
+    });
+
+    // Drop and create the collection `keyvault.datakeys`.
+    // Insert `key1Document` in `keyvault.datakeys` with majority write concern.
+    await client.db('keyvault').dropCollection('datakeys', { writeConcern: { w: 'majority' } });
+    await client.db('keyvault').createCollection('datakeys', { writeConcern: { w: 'majority' } });
+    await client
+      .db('keyvault')
+      .collection('datakeys')
+      .insertOne(keyDocument1, { writeConcern: { w: 'majority' } });
+
+    // Create a MongoClient named `keyVaultClient`.
+    keyVaultClient = this.configuration.newClient();
+
+    // Create a ClientEncryption object named `clientEncryption` with these options:
+    // class ClientEncryptionOpts {
+    //    keyVaultClient: <keyVaultClient>,
+    //    keyVaultNamespace: "keyvault.datakeys",
+    //    kmsProviders: { "local": { "key": <base64 decoding of LOCAL_MASTERKEY> } },
+    // }
+    clientEncryption = new ClientEncryption(keyVaultClient, {
+      keyVaultNamespace: 'keyvault.datakeys',
+      kmsProviders: {
+        local: getCSFLEKMSProviders().local
+      }
+    });
+
+    // Create a MongoClient named `encryptedClient` with these `AutoEncryptionOpts`:
+    // class AutoEncryptionOpts {
+    //    keyVaultNamespace: "keyvault.datakeys",
+    //    kmsProviders: { "local": { "key": <base64 decoding of LOCAL_MASTERKEY> } },
+    //    bypassQueryAnalysis: true,
+    // }
+    encryptedClient = this.configuration.newClient(
+      {},
+      {
+        autoEncryption: {
+          keyVaultNamespace: 'keyvault.datakeys',
+          kmsProviders: {
+            local: getCSFLEKMSProviders().local
+          },
+          bypassQueryAnalysis: true
+        }
+      }
+    );
+
+    encryptOpts = {
+      keyId: keyId1,
+      contentionFactor: 0,
+      algorithm: 'TextPreview',
+      textOptions: {
+        caseSensitive: true,
+        diacriticSensitive: true,
+        prefix: {
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        },
+        suffix: {
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        },
+        substring: {
+          strMaxLength: 10,
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        }
+      }
+    };
+
+    const encryptedText = await clientEncryption.encrypt('foobarbaz', {
+      keyId: keyId1,
+      algorithm: 'TextPreview',
+      contentionFactor: 0,
+      textOptions: {
+        caseSensitive: true,
+        diacriticSensitive: true,
+        prefix: {
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        },
+        suffix: {
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        }
+      }
+    });
+
+    await encryptedClient
+      .db('db')
+      .collection<{ _id: number; encryptedText: Binary }>('explicit_encryption')
+      .insertOne({
+        _id: 0,
+        encryptedText
+      });
+  });
+
+  afterEach(async function () {
+    await Promise.allSettled([client.close(), encryptedClient.close(), keyVaultClient.close()]);
+  });
+
+  it('works', async function () {
+    const encryptedFoo = await clientEncryption.encrypt('foo', {
+      keyId: keyId1,
+      algorithm: 'TextPreview',
+      contentionFactor: 0,
+      textOptions: {
+        caseSensitive: true,
+        diacriticSensitive: true,
+        prefix: {
+          strMaxQueryLength: 10,
+          strMinQueryLength: 2
+        }
+      }
+    });
+
+    const filter = {
+      $expr: { $encStrStartsWith: { input: 'encryptedText', prefix: encryptedFoo } }
+    };
+
+    expect(
+      await encryptedClient
+        .db('db')
+        .collection<{ _id: number; encryptedText: Binary }>('explicit_encryption')
+        .findOne(filter)
+    ).to.deep.equal({ _id: 0, encryptedText: 'foobarbaz' });
+  });
+});
diff --git a/test/spec/client-side-encryption/etc/data/encryptedFields-prefix-suffix.json b/test/spec/client-side-encryption/etc/data/encryptedFields-prefix-suffix.json
@@ -0,0 +1,38 @@
+{
+    "fields": [
+        {
+            "keyId": {
+                "$binary": {
+                    "base64": "EjRWeBI0mHYSNBI0VniQEg==",
+                    "subType": "04"
+                }
+            },
+            "path": "encryptedText",
+            "bsonType": "string",
+            "queries": [
+                {
+                    "queryType": "prefixPreview",
+                    "strMinQueryLength": {
+                        "$numberInt": "2"
+                    },
+                    "strMaxQueryLength": {
+                        "$numberInt": "10"
+                    },
+                    "caseSensitive": true,
+                    "diacriticSensitive": true
+                },
+                {
+                    "queryType": "suffixPreview",
+                    "strMinQueryLength": {
+                        "$numberInt": "2"
+                    },
+                    "strMaxQueryLength": {
+                        "$numberInt": "10"
+                    },
+                    "caseSensitive": true,
+                    "diacriticSensitive": true
+                }
+            ]
+        }
+    ]
+}
diff --git a/test/spec/client-side-encryption/etc/data/encryptedFields-substring.json b/test/spec/client-side-encryption/etc/data/encryptedFields-substring.json
@@ -0,0 +1,30 @@
+{
+  "fields": [
+    {
+            "keyId": {
+                "$binary": {
+                    "base64": "EjRWeBI0mHYSNBI0VniQEg==",
+                    "subType": "04"
+                }
+            },
+            "path": "encrypted-textPreview",
+            "bsonType": "string",
+            "queries": [
+                {
+                    "queryType": "substringPreview",
+                    "strMaxLength": {
+                        "$numberInt": "10"
+                    },
+                    "strMinQueryLength": {
+                        "$numberInt": "2"
+                    },
+                    "strMaxQueryLength": {
+                        "$numberInt": "10"
+                    },
+                    "caseSensitive": true,
+                    "diacriticSensitive": true
+                }
+            ]
+        }
+  ]
+}
