authorDavis Haupt <davis.haupt@mongodb.com>2022-06-22 19:58:33 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-07-13 21:00:59 +0000
commit462e8f564c037ddb5b771a50a6718a02d546737e (patch)
tree13d9a7047596e4de1765a559db1913d880774103 /src/mongo/crypto
parent0268aa7d2fdd9a4f2904d85b9af9d95ce5d16285 (diff)
SERVER-67202 Add encryption placeholder for range index
Diffstat (limited to 'src/mongo/crypto')
-rw-r--r--src/mongo/crypto/SConscript1
-rw-r--r--src/mongo/crypto/fle_crypto.cpp43
-rw-r--r--src/mongo/crypto/fle_crypto.h17
-rw-r--r--src/mongo/crypto/fle_crypto_test.cpp14
-rw-r--r--src/mongo/crypto/fle_field_schema.idl3
-rw-r--r--src/mongo/crypto/fle_fields_util.cpp48
-rw-r--r--src/mongo/crypto/fle_fields_util.h40
7 files changed, 122 insertions, 44 deletions
diff --git a/src/mongo/crypto/SConscript b/src/mongo/crypto/SConscript
index 459e8fccc82..4ce7ede944a 100644
--- a/src/mongo/crypto/SConscript
+++ b/src/mongo/crypto/SConscript
@@ -115,6 +115,7 @@ env.Library(
target="fle_fields",
source=[
"fle_field_schema.idl",
+ "fle_fields_util.cpp",
],
LIBDEPS=[
'$BUILD_DIR/mongo/idl/idl_parser',
diff --git a/src/mongo/crypto/fle_crypto.cpp b/src/mongo/crypto/fle_crypto.cpp
index f55db25f970..cdeb5c2566f 100644
--- a/src/mongo/crypto/fle_crypto.cpp
+++ b/src/mongo/crypto/fle_crypto.cpp
@@ -48,7 +48,6 @@
#include "mongo/base/data_range.h"
#include "mongo/base/data_range_cursor.h"
#include "mongo/base/data_type_endian.h"
-#include "mongo/base/data_type_validated.h"
#include "mongo/base/data_view.h"
#include "mongo/base/error_codes.h"
#include "mongo/base/status.h"
@@ -65,6 +64,7 @@
#include "mongo/crypto/encryption_fields_util.h"
#include "mongo/crypto/fle_data_frames.h"
#include "mongo/crypto/fle_field_schema_gen.h"
+#include "mongo/crypto/fle_fields_util.h"
#include "mongo/crypto/sha256_block.h"
#include "mongo/crypto/symmetric_key.h"
#include "mongo/db/exec/document_value/value.h"
@@ -154,17 +154,6 @@ PrfBlock blockToArray(const SHA256Block& block) {
return data;
}
-} // namespace
-
-PrfBlock PrfBlockfromCDR(ConstDataRange block) {
- uassert(6373501, "Invalid prf length", block.length() == sizeof(PrfBlock));
-
- PrfBlock ret;
- std::copy(block.data(), block.data() + block.length(), ret.data());
- return ret;
-}
-
-namespace {
ConstDataRange hmacKey(const KeyMaterial& keyMaterial) {
static_assert(kHmacKeyOffset + crypto::sym256KeySize <= crypto::kFieldLevelEncryptionKeySize);
invariant(crypto::kFieldLevelEncryptionKeySize == keyMaterial->size());
@@ -208,13 +197,6 @@ PrfBlock prf(ConstDataRange key, uint64_t value, int64_t value2) {
return blockToArray(block);
}
-ConstDataRange binDataToCDR(const BSONElement element) {
- uassert(6338501, "Expected binData BSON element", element.type() == BinData);
-
- int len;
- const char* data = element.binData(len);
- return ConstDataRange(data, data + len);
-}
ConstDataRange binDataToCDR(const BSONBinData binData) {
int len = binData.length;
@@ -251,14 +233,6 @@ void appendTag(PrfBlock block, BSONArrayBuilder* builder) {
builder->appendBinData(block.size(), BinDataType::BinDataGeneral, block.data());
}
-template <typename T>
-T parseFromCDR(ConstDataRange cdr) {
- ConstDataRangeCursor cdc(cdr);
- auto obj = cdc.readAndAdvance<Validated<BSONObj>>();
-
- IDLParserErrorContext ctx("root");
- return T::parse(ctx, obj);
-}
std::vector<uint8_t> vectorFromCDR(ConstDataRange cdr) {
std::vector<uint8_t> buf(cdr.length());
@@ -1192,6 +1166,14 @@ std::vector<uint8_t> toEncryptedVector(EncryptedBinDataType dt, const PrfBlock&
return buf;
}
+PrfBlock PrfBlockfromCDR(const ConstDataRange& block) {
+ uassert(6373501, "Invalid prf length", block.length() == sizeof(PrfBlock));
+
+ PrfBlock ret;
+ std::copy(block.data(), block.data() + block.length(), ret.data());
+ return ret;
+}
+
CollectionsLevel1Token FLELevel1TokenGenerator::generateCollectionsLevel1Token(
FLEIndexKey indexKey) {
return prf(hmacKey(indexKey.data), kLevel1Collection);
@@ -2517,4 +2499,11 @@ uint64_t CompactionHelpers::countDeleted(const std::vector<ECCDocument>& rangeLi
return sum;
}
+ConstDataRange binDataToCDR(BSONElement element) {
+ uassert(6338501, "Expected binData BSON element", element.type() == BinData);
+
+ int len;
+ const char* data = element.binData(len);
+ return ConstDataRange(data, data + len);
+}
} // namespace mongo
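Review bot: `binDataToCDR(BSONElement)` is now exported, and the `ConstDataRange` it returns is a non-owning view over the bytes behind `element.binData(len)`, so it must not outlive the buffer the element points into. That contract is not written down at the definition or at the declaration in fle_crypto.h; a comment such as `// Returns a view into the element's BinData bytes; the backing BSON buffer must outlive the result.` would cover it. The check only requires type BinData and does not look at the subtype, which callers presumably verify themselves.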
diff --git a/src/mongo/crypto/fle_crypto.h b/src/mongo/crypto/fle_crypto.h
index 5feac8ca2d3..1767988cbe8 100644
--- a/src/mongo/crypto/fle_crypto.h
+++ b/src/mongo/crypto/fle_crypto.h
@@ -37,6 +37,7 @@
#include <vector>
#include "mongo/base/data_range.h"
+#include "mongo/base/data_type_validated.h"
#include "mongo/base/secure_allocator.h"
#include "mongo/base/status_with.h"
#include "mongo/base/string_data.h"
@@ -1189,14 +1190,24 @@ struct ParsedFindPayload {
};
/**
- * Utility functions manipulating buffers
+ * Utility functions manipulating buffers.
*/
-PrfBlock PrfBlockfromCDR(ConstDataRange block);
+PrfBlock PrfBlockfromCDR(const ConstDataRange& block);
+
+ConstDataRange binDataToCDR(BSONElement element);
+
+template <typename T>
+T parseFromCDR(ConstDataRange cdr) {
+ ConstDataRangeCursor cdc(cdr);
+ auto obj = cdc.readAndAdvance<Validated<BSONObj>>();
+
+ IDLParserErrorContext ctx("root");
+ return T::parse(ctx, obj);
+}
std::vector<uint8_t> toEncryptedVector(EncryptedBinDataType dt, const PrfBlock& block);
BSONBinData toBSONBinData(const std::vector<uint8_t>& buf);
std::pair<EncryptedBinDataType, ConstDataRange> fromEncryptedBinData(const Value& value);
-
} // namespace mongo
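Review bot: `parseFromCDR` is now a public helper but never checks that the cursor is exhausted after `readAndAdvance<Validated<BSONObj>>()`, so any bytes following the BSON object in `cdr` are accepted silently. If callers are expected to pass exactly one object, a check such as `uassert(<new error code>, "Unexpected trailing bytes after BSON object", cdc.length() == 0);` before the `T::parse` call would make malformed payloads fail closed; otherwise a doc comment stating that trailing data is ignored would help. The template also relies on `ConstDataRangeCursor` and `IDLParserErrorContext` being declared in this header; only the `data_type_validated.h` include is visible in the commit, so it is worth confirming the header includes what it uses.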
diff --git a/src/mongo/crypto/fle_crypto_test.cpp b/src/mongo/crypto/fle_crypto_test.cpp
index 4c4355ebb9f..9e9b4d9269f 100644
--- a/src/mongo/crypto/fle_crypto_test.cpp
+++ b/src/mongo/crypto/fle_crypto_test.cpp
@@ -1018,20 +1018,6 @@ BSONObj transformBSON(
return frameStack.top().builder.obj();
}
-
-template <typename T>
-T parseFromCDR(ConstDataRange cdr) {
- ConstDataRangeCursor cdc(cdr);
- auto swObj = cdc.readAndAdvanceNoThrow<Validated<BSONObj>>();
-
- uassertStatusOK(swObj);
-
- BSONObj obj = swObj.getValue();
-
- IDLParserErrorContext ctx("root");
- return T::parse(ctx, obj);
-}
-
template <typename T>
std::vector<uint8_t> toEncryptedVector(EncryptedBinDataType dt, T t) {
BSONObj obj = t.toBSON();
diff --git a/src/mongo/crypto/fle_field_schema.idl b/src/mongo/crypto/fle_field_schema.idl
index 9ee522f367b..8840a4480d8 100644
--- a/src/mongo/crypto/fle_field_schema.idl
+++ b/src/mongo/crypto/fle_field_schema.idl
@@ -27,6 +27,8 @@
global:
cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/crypto/fle_fields_util.h"
imports:
- "mongo/idl/basic_types.idl"
@@ -116,6 +118,7 @@ structs:
description: "Implements Encryption BinData (subtype 6) sub-subtype 0, the intent-to-encrypt
mapping. Contains a value to encrypt and a description of how it should be encrypted."
strict: true
+ cpp_validator_func: "validateIDLFLE2EncryptionPlaceholder"
fields:
t:
description: "The type number, determines what payload to replace the placeholder with"
diff --git a/src/mongo/crypto/fle_fields_util.cpp b/src/mongo/crypto/fle_fields_util.cpp
new file mode 100644
index 00000000000..96c49c1a7f5
--- /dev/null
+++ b/src/mongo/crypto/fle_fields_util.cpp
@@ -0,0 +1,48 @@
+/**
+ * Copyright (C) 2022-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#include "fle_fields_util.h"
+#include "mongo/bson/bsonelement.h"
+#include "mongo/bson/bsontypes.h"
+#include "mongo/crypto/fle_field_schema_gen.h"
+#include "mongo/idl/basic_types.h"
+
+namespace mongo {
+void validateIDLFLE2EncryptionPlaceholder(const FLE2EncryptionPlaceholder* placeholder) {
+ if (placeholder->getAlgorithm() == Fle2AlgorithmInt::kRange) {
+ auto val = placeholder->getValue().getElement();
+ uassert(6720200, "Range placeholder must be an array.", val.isABSONObj());
+ auto obj = val.Obj();
+ uassert(6720201, "Range placeholder must be an array.", obj.couldBeArray());
+ uassert(6720202,
+ "Range placeholder must hold an array with a min and max value.",
+ obj.nFields() == 2);
+ }
+}
+} // namespace mongo
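Review bot: The two array checks in `validateIDLFLE2EncryptionPlaceholder` do not require the BSON type to be Array: `val.isABSONObj()` is also true for an embedded document, and `obj.couldBeArray()` looks only at field names, so a document like `{"0": a, "1": b}` appears to pass. If only real arrays are intended, `uassert(6720200, "Range placeholder must be an array.", val.type() == Array);` is stricter and would replace both checks. As written, codes 6720200 and 6720201 share the same message, which makes them hard to tell apart in logs. The min and max elements themselves are not inspected here (type, ordering); if that is enforced elsewhere, a comment saying where would help.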
diff --git a/src/mongo/crypto/fle_fields_util.h b/src/mongo/crypto/fle_fields_util.h
new file mode 100644
index 00000000000..dc4b60f0342
--- /dev/null
+++ b/src/mongo/crypto/fle_fields_util.h
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2022-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+namespace mongo {
+class FLE2EncryptionPlaceholder;
+
+/**
+ * Extra validation for the placeholder struct to verify that range placeholders have min/max
+ * endpoints. Will throw a uassert if the placeholder does not pass validation.
+ */
+void validateIDLFLE2EncryptionPlaceholder(const FLE2EncryptionPlaceholder* placeholder);
+} // namespace mongo