MONGOCRYPT-432 Allow keyAltName in encryptedFieldsMap #1091
Conversation
mdb-ad
requested review from
vector-of-bool
and removed request for
vector-of-bool
| mongocrypt_status_destroy(status); | ||
| } | ||
|
|
||
| static void _test_qe_keyAltName(_mongocrypt_tester_t *tester) { |
There was a problem hiding this comment.
I expect the "create" command is not translating a "keyAltName":
{
"create": "coll",
"encryptedFields": {
"fields": [
{
"path": "secret",
"bsonType": "string",
"keyAltName": "keyDocumentName"
}
]
}
}See this test to exercise this scenario.
Without support for the "create" command or ClientEncryption.createEncryptedCollection helper, I expect keyAltName may be difficult to use (creation would still require a key ID).
If this is a significant effort, consider filing a MONGOCRYPT ticket to track supporting "create", and update the scope to note this as future work.
| mongocrypt_binary_t *encrypted_fields_map = TEST_BSON_STR(BSON_STR({ | ||
| "db.coll" : {"fields" : [ {"path" : "secret", "bsonType" : "string", "keyAltName" : "keyDocumentName"} ]} | ||
| })); | ||
| mongocrypt_setopt_encrypted_field_config_map(crypt, encrypted_fields_map); |
There was a problem hiding this comment.
| mongocrypt_setopt_encrypted_field_config_map(crypt, encrypted_fields_map); | |
| ASSERT_OK(mongocrypt_setopt_encrypted_field_config_map(crypt, encrypted_fields_map), crypt); |
| } | ||
| mongocrypt_ctx_destroy(ctx); | ||
|
|
||
| ctx = mongocrypt_ctx_new(crypt); |
There was a problem hiding this comment.
Suggest noting purpose of encrypting again:
| ctx = mongocrypt_ctx_new(crypt); | |
| // Encrypt again to test flow where key is cached. | |
| ctx = mongocrypt_ctx_new(crypt); |
| } | ||
| mongocrypt_ctx_destroy(ctx); | ||
|
|
||
| // COPY |
There was a problem hiding this comment.
| // COPY | |
| // Encrypt again to test flow where key is cached. |
| const mc_EncryptedFieldConfig_t * | ||
| mc_schema_broker_get_encryptedFields(const mc_schema_broker_t *sb, const char *coll, mongocrypt_status_t *status); | ||
|
|
||
| // mc_schema_broker_get_encryptedFields returns encryptedFields for a collection if any exists. |
There was a problem hiding this comment.
| // mc_schema_broker_get_encryptedFields returns encryptedFields for a collection if any exists. | |
| // mc_schema_broker_maybe_get_encryptedFields returns encryptedFields for a collection if any exists. |
| ASSERT_OK(mongocrypt_ctx_mongo_done(ctx), ctx); | ||
| } | ||
|
|
||
| // MONGOCRYPT_CTX_MARKINGS is entered to send command to mongocryptd. |
There was a problem hiding this comment.
When mongocrypt_setopt_bypass_query_analysis is called, the MONGOCRYPT_CTX_MARKINGS state appears to be incorrectly entered. See this test.
2 participants
Background
Adds
keyAltNametokeyIdclient-side translation to libmongocrypt that allows users to specify human-readablekeyAltNamestrings instead of binary key IDs.Implementation
Whenever
encryptionInformationis appended to at outgoing command, libmongocrypt looks through the encrypted fields forkeyAltNamefields and translates them tokeyId.Testing
Tested on the C driver with spec test: https://spruce.mongodb.com/version/697803dbc0c964000764d2a4/