SERVER-63673 Prohibit encrypted fields with capped collections

4 files changed, 56 insertions, 0 deletions

diff --git a/jstests/fle2/convert_encrypted_to_capped.js b/jstests/fle2/convert_encrypted_to_capped.js
new file mode 100644
index 00000000000..2a14a70f985
--- /dev/null
+++ b/jstests/fle2/convert_encrypted_to_capped.js
@@ -0,0 +1,42 @@
+// Verify cannot convert an encrypted collection to a capped collection
+
+/**
+ * @tags: [
+ *  featureFlagFLE2,
+ * ]
+ */
+(function() {
+'use strict';
+
+const isFLE2Enabled = TestData == undefined || TestData.setParameters.featureFlagFLE2;
+
+if (!isFLE2Enabled) {
+    return;
+}
+
+const dbTest = db.getSiblingDB('convert_encrypted_to_capped_db');
+
+dbTest.basic.drop();
+
+const sampleEncryptedFields = {
+    "fields": [
+        {
+            "path": "firstName",
+            "keyId": UUID("11d58b8a-0c6c-4d69-a0bd-70c6d9befae9"),
+            "bsonType": "string",
+            "queries": {"queryType": "equality"}
+        },
+    ]
+};
+
+assert.commandWorked(dbTest.createCollection("basic", {encryptedFields: sampleEncryptedFields}));
+
+assert.commandFailedWithCode(dbTest.runCommand({convertToCapped: "basic", size: 100000}),
+                             6367302,
+                             "Convert encrypted collection to capped passed");
+
+assert.commandFailedWithCode(
+    dbTest.runCommand({cloneCollectionAsCapped: "basic", toCollection: "capped", size: 100000}),
+    6367302,
+    "Clone encrypted collection as capped passed");
+}());
diff --git a/jstests/fle2/create_encrypted_collection.js b/jstests/fle2/create_encrypted_collection.js
index fe1f9583a27..ffd34b0717b 100644
--- a/jstests/fle2/create_encrypted_collection.js
+++ b/jstests/fle2/create_encrypted_collection.js
@@ -40,6 +40,12 @@ assert.commandFailedWithCode(
     6346401,
     "Create with encryptedFields and timeseries passed");
 
+assert.commandFailedWithCode(
+    dbTest.createCollection("basic",
+                            {capped: true, size: 100000, encryptedFields: sampleEncryptedFields}),
+    6367301,
+    "Create with encryptedFields and capped passed");
+
 assert.commandWorked(dbTest.createCollection("basic", {encryptedFields: sampleEncryptedFields}));
 
 const result = dbTest.getCollectionInfos({name: "basic"});
diff --git a/src/mongo/db/catalog/capped_utils.cpp b/src/mongo/db/catalog/capped_utils.cpp
index 86ee7a8fb10..945881e58c5 100644
--- a/src/mongo/db/catalog/capped_utils.cpp
+++ b/src/mongo/db/catalog/capped_utils.cpp
@@ -133,6 +133,10 @@ void cloneCollectionAsCapped(OperationContext* opCtx,
                   str::stream() << "source collection " << fromNss << " does not exist");
     }
 
+    uassert(6367302,
+            "Cannot convert an encrypted collection to a capped collection",
+            !fromCollection->getCollectionOptions().encryptedFieldConfig);
+
     uassert(ErrorCodes::NamespaceNotFound,
             str::stream() << "source collection " << fromNss
                           << " is currently in a drop-pending state.",
diff --git a/src/mongo/db/commands/create_command.cpp b/src/mongo/db/commands/create_command.cpp
index b1629c16729..ebe478ca160 100644
--- a/src/mongo/db/commands/create_command.cpp
+++ b/src/mongo/db/commands/create_command.cpp
@@ -176,6 +176,10 @@ public:
             }
 
             if (cmd.getEncryptedFields()) {
+                uassert(6367301,
+                        "Encrypted fields cannot be used with capped collections",
+                        !cmd.getCapped());
+
                 uassert(6346401,
                         "Encrypted fields cannot be used with views or timeseries collections",
                         !(cmd.getViewOn() || cmd.getTimeseries()));