diff options
| author | Ted Tuckman <ted.tuckman@mongodb.com> | 2019-04-22 15:49:53 -0400 |
|---|---|---|
| committer | Ted Tuckman <ted.tuckman@mongodb.com> | 2019-04-30 11:42:16 -0400 |
| commit | f7a4c4a9632f75996ed607ffc77e2a3cab15ea88 (patch) | |
| tree | d17298d01d604322f3aa94c43abe50a7ea361851 /src/mongo/db/matcher | |
| parent | bd8af75e7d2b53d3094705bcb24c8521c28da81a (diff) | |
| download | mongo-f7a4c4a9632f75996ed607ffc77e2a3cab15ea88.tar.gz | |
SERVER-40627 Ban schemas which define a deterministic encrypted field without an explicit single encrypt.bsonType
Diffstat (limited to 'src/mongo/db/matcher')
| -rw-r--r-- | src/mongo/db/matcher/schema/json_schema_parser.cpp | 9 | ||||
| -rw-r--r-- | src/mongo/db/matcher/schema/json_schema_parser_test.cpp | 70 |
2 files changed, 78 insertions, 1 deletions
diff --git a/src/mongo/db/matcher/schema/json_schema_parser.cpp b/src/mongo/db/matcher/schema/json_schema_parser.cpp index 348b745c4d4..4c4b4b39335 100644 --- a/src/mongo/db/matcher/schema/json_schema_parser.cpp +++ b/src/mongo/db/matcher/schema/json_schema_parser.cpp @@ -1369,10 +1369,17 @@ Status translateEncryptionKeywords(StringMap<BSONElement>& keywordMap, // This checks the types of all the fields. Will throw on any parsing error. const IDLParserErrorContext encryptCtxt("encrypt"); auto encryptInfo = EncryptionInfo::parse(encryptCtxt, encryptElt.embeddedObject()); + auto infoType = encryptInfo.getBsonType(); + uassert(31051, + "A deterministically encrypted field must have exactly one specified " + "non-object type.", + encryptInfo.getAlgorithm() != FleAlgorithmEnum::kDeterministic || + ((infoType && infoType.get().typeSet().isSingleType()) && + !infoType.get().typeSet().hasType(BSONType::Object))); andExpr->add(new InternalSchemaBinDataSubTypeExpression(path, BinDataType::Encrypt)); - if (auto typeOptional = encryptInfo.getBsonType()) + if (auto typeOptional = infoType) andExpr->add(new InternalSchemaBinDataEncryptedTypeExpression( path, typeOptional->typeSet())); } catch (const AssertionException&) { diff --git a/src/mongo/db/matcher/schema/json_schema_parser_test.cpp b/src/mongo/db/matcher/schema/json_schema_parser_test.cpp index ac0fd94f2c8..becdcaada87 100644 --- a/src/mongo/db/matcher/schema/json_schema_parser_test.cpp +++ b/src/mongo/db/matcher/schema/json_schema_parser_test.cpp @@ -2164,5 +2164,75 @@ TEST(JSONSchemaParserTest, FailsToParseWithNonUUIDArrayElement) { auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); ASSERT_EQ(result.getStatus().code(), 51084); } + +TEST(JSONSchemaParserTest, FailsToParseWithNoBSONTypeInDeterministicEncrypt) { + auto uuid = UUID::gen(); + BSONObj schema = BSON("encrypt" << BSON("algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + << "initializationVector" + << BSONBinData(NULL, 0, BinDataType::BinDataGeneral) + << "keyId" + << BSON_ARRAY(uuid))); + auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); + ASSERT_EQ(result.getStatus().code(), 31051); +} + +TEST(JSONSchemaParserTest, FailsToParseWithBSONTypeObjectInDeterministicEncrypt) { + auto uuid = UUID::gen(); + BSONObj schema = BSON("encrypt" << BSON("algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + << "initializationVector" + << BSONBinData(NULL, 0, BinDataType::BinDataGeneral) + << "keyId" + << BSON_ARRAY(uuid) + << "bsonType" + << "object")); + auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); + ASSERT_EQ(result.getStatus().code(), 31051); +} + +TEST(JSONSchemaParserTest, FailsToParseWithEmptyArrayBSONTypeInDeterministicEncrypt) { + auto uuid = UUID::gen(); + BSONObj schema = BSON("encrypt" << BSON("algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + << "initializationVector" + << BSONBinData(NULL, 0, BinDataType::BinDataGeneral) + << "keyId" + << BSON_ARRAY(uuid) + << "bsonType" + << BSONArray())); + auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); + ASSERT_EQ(result.getStatus().code(), 31051); +} + +TEST(JSONSchemaParserTest, FailsToParseWithMultipleElementArrayBSONTypeInDeterministicEncrypt) { + auto uuid = UUID::gen(); + BSONObj schema = BSON("encrypt" << BSON("algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + << "initializationVector" + << BSONBinData(NULL, 0, BinDataType::BinDataGeneral) + << "keyId" + << BSON_ARRAY(uuid) + << "bsonType" + << BSON_ARRAY("int" + << "string"))); + auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); + ASSERT_EQ(result.getStatus().code(), 31051); +} + +TEST(JSONSchemaParserTest, FailsToParseWithObjectInArrayBSONTypeInDeterministicEncrypt) { + auto uuid = UUID::gen(); + BSONObj schema = BSON("encrypt" << BSON("algorithm" + << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" + << "initializationVector" + << BSONBinData(NULL, 0, BinDataType::BinDataGeneral) + << "keyId" + << BSON_ARRAY(uuid) + << "bsonType" + << BSON_ARRAY("object"))); + auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema); + ASSERT_EQ(result.getStatus().code(), 31051); +} + } // namespace } // namespace mongo |