diff options
| author | Nick Zolnierz <nicholas.zolnierz@mongodb.com> | 2020-05-04 11:48:14 -0400 |
|---|---|---|
| committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-05-06 15:50:10 +0000 |
| commit | e7b5473adb156afc20e8ff3b53446d5e17bec2d2 (patch) | |
| tree | aa7dc323f38db83079c20f0baaa277af7c90ee23 /jstests | |
| parent | ff38a192f588a01718f0ca259c147707819bd4cb (diff) | |
| download | mongo-e7b5473adb156afc20e8ff3b53446d5e17bec2d2.tar.gz | |
SERVER-45514 Reject document validators with encryption-related keywords if the validationAction is "warn" or validationLevel is "moderate"
This commit also contains a fix from SERVER-47834 which will not be
backported to 4.2.
Diffstat (limited to 'jstests')
| -rw-r--r-- | jstests/core/doc_validation_encrypt_keywords.js | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/jstests/core/doc_validation_encrypt_keywords.js b/jstests/core/doc_validation_encrypt_keywords.js new file mode 100644 index 00000000000..de8303fe59d --- /dev/null +++ b/jstests/core/doc_validation_encrypt_keywords.js @@ -0,0 +1,98 @@ +// Verify encryption-related keywords are only allowed in document validators if the action is +// 'error' and validation level is 'strict'. +// +// Cannot implicitly shard accessed collections because of collection existing when none +// expected. +// @tags: [assumes_no_implicit_collection_creation_after_drop, requires_non_retryable_commands] +(function() { +"use strict"; + +var collName = "doc_validation_encrypt_keywords"; +var coll = db[collName]; +coll.drop(); + +const encryptSchema = { + $jsonSchema: {properties: {_id: {encrypt: {}}}} +}; +const nestedEncryptSchema = { + $jsonSchema: {properties: {user: {type: "object", properties: {ssn: {encrypt: {}}}}}} +}; +const encryptMetadataSchema = { + $jsonSchema: {encryptMetadata: {algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"}} +}; + +assert.commandFailedWithCode( + db.createCollection(collName, {validator: encryptSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.createCollection(collName, {validator: nestedEncryptSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.createCollection(collName, {validator: encryptMetadataSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); + +assert.commandFailedWithCode( + db.createCollection(collName, {validator: encryptSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.createCollection(collName, {validator: nestedEncryptSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.createCollection(collName, {validator: encryptMetadataSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); + +// Create the collection with a valid document validator and action 'warn'. +assert.commandWorked(db.createCollection( + collName, {validator: {$jsonSchema: {required: ["_id"]}}, validationAction: "warn"})); + +// Verify that we can't collMod the validator to include an encryption-related keyword. +assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: encryptSchema}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: nestedEncryptSchema}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: encryptMetadataSchema}), + ErrorCodes.QueryFeatureNotAllowed); +coll.drop(); + +// Create the collection with an encrypted validator and action 'error'. +assert.commandWorked( + db.createCollection(collName, {validator: encryptSchema, validationAction: "error"})); + +// Verify that we can't collMod the validation action to 'warn' since the schema contains an +// encryption-related keyword. +assert.commandFailedWithCode(db.runCommand({collMod: collName, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); + +// Verify that we can't collMod the validation level to 'moderate' since the schema contains an +// encryption-related keyword. +assert.commandFailedWithCode(db.runCommand({collMod: collName, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +coll.drop(); + +// Create the collection without a document validator. +assert.commandWorked(db.createCollection(collName)); + +// Verify that we can't collMod with an encrypted validator and validation action 'warn' or level +// 'moderate'. +assert.commandFailedWithCode( + db.runCommand({collMod: collName, validator: encryptSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.runCommand({collMod: collName, validator: nestedEncryptSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.runCommand({collMod: collName, validator: encryptMetadataSchema, validationAction: "warn"}), + ErrorCodes.QueryFeatureNotAllowed); + +assert.commandFailedWithCode( + db.runCommand({collMod: collName, validator: encryptSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.runCommand({collMod: collName, validator: nestedEncryptSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +assert.commandFailedWithCode( + db.runCommand( + {collMod: collName, validator: encryptMetadataSchema, validationLevel: "moderate"}), + ErrorCodes.QueryFeatureNotAllowed); +coll.drop(); +})(); |