authorShreyas Kalyan <shreyas.kalyan@mongodb.com>2023-04-13 14:30:53 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-17 21:50:39 +0000
commit5ba4b4c02e154502455c98ff5e605eeb7b2bc555 (patch)
tree1eb345e78f9983efe9bc7e974bcf517261160459 /src/mongo
parenta45535c81c645dc190485e033a6ed6b91678bd50 (diff)
downloadmongo-5ba4b4c02e154502455c98ff5e605eeb7b2bc555.tar.gz
SERVER-72937 Create the QE cleanupStructuredEncryptionData command skeleton for mongod
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/crypto/fle_stats.idl6
-rw-r--r--src/mongo/db/auth/action_type.idl4
-rw-r--r--src/mongo/db/auth/builtin_roles.yml1
-rw-r--r--src/mongo/db/commands/SConscript2
-rw-r--r--src/mongo/db/commands/fle2_cleanup.idl55
-rw-r--r--src/mongo/db/commands/fle2_cleanup_cmd.cpp104
-rw-r--r--src/mongo/db/commands/fle2_compact.idl2
-rw-r--r--src/mongo/shell/encrypted_dbclient_base.cpp7
8 files changed, 177 insertions, 4 deletions
diff --git a/src/mongo/crypto/fle_stats.idl b/src/mongo/crypto/fle_stats.idl
index 485a59f8f50..69e8f1f418c 100644
--- a/src/mongo/crypto/fle_stats.idl
+++ b/src/mongo/crypto/fle_stats.idl
@@ -67,3 +67,9 @@ structs:
type: ECStats
optional: true
esc: ECStats
+
+ CleanupStats:
+ description: "Stats about records in ECOC, and ESC cleanup touched"
+ fields:
+ ecoc: ECOCStats
+ esc: ECStats
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl
index 26d993be4c1..8e5a2000745 100644
--- a/src/mongo/db/auth/action_type.idl
+++ b/src/mongo/db/auth/action_type.idl
@@ -67,6 +67,7 @@ enums:
checkMetadataConsistency : "checkMetadataConsistency"
cleanupOrphaned : "cleanupOrphaned"
clearJumboFlag : "clearJumboFlag"
+ cleanupStructuredEncryptionData: "cleanupStructuredEncryptionData"
closeAllDatabases : "closeAllDatabases" # Deprecated (backwards compatibility)
collMod : "collMod"
collStats : "collStats"
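Review bot: The new enum entry is placed after `clearJumboFlag`, but the neighbouring entries in this hunk are alphabetical, which would put `cleanupStructuredEncryptionData` directly after `cleanupOrphaned`. The hunks at -242, -290 and -363 add the same action to three lists whose headers lie outside the hunks. Which resource match types may carry the action therefore cannot be confirmed from this page, and is worth checking against where `compactStructuredEncryptionData` is allowed.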
@@ -242,6 +243,7 @@ enums:
- analyze
- bypassDocumentValidation
- changeStream
+ - cleanupStructuredEncryptionData
- collMod
- collStats
- compact
@@ -290,6 +292,7 @@ enums:
- analyze
- bypassDocumentValidation
- changeStream
+ - cleanupStructuredEncryptionData
- collMod
- collStats
- compact
@@ -363,6 +366,7 @@ enums:
- analyze
- bypassDocumentValidation
- changeStream
+ - cleanupStructuredEncryptionData
- collMod
- collStats
- compact
diff --git a/src/mongo/db/auth/builtin_roles.yml b/src/mongo/db/auth/builtin_roles.yml
index 1babdd93486..4f52b65ffd7 100644
--- a/src/mongo/db/auth/builtin_roles.yml
+++ b/src/mongo/db/auth/builtin_roles.yml
@@ -51,6 +51,7 @@ roles:
- matchType: database
actions: &readWriteRoleActions
- *readRoleActions
+ - cleanupStructuredEncryptionData
- compactStructuredEncryptionData
- convertToCapped # db admin gets this also
- createCollection # db admin gets this also
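Review bot: Adding the action to `readWriteRoleActions` means every principal that already holds `readWrite` on a database gains the right to run the new command after upgrade, and the added line has no comment saying this is intended. The neighbouring entries annotate their grants (`# db admin gets this also`), so a short note would help an auditor of the role table, for example `- cleanupStructuredEncryptionData # QE maintenance, granted alongside compactStructuredEncryptionData`. The role definition starts and continues outside this hunk, so any other roles that reuse the anchor are not visible here.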
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index ee96de65509..aacacce4b2a 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -48,6 +48,7 @@ env.Library(
source=[
'end_sessions_command.cpp',
'fail_point_cmd.cpp',
+ 'fle2_cleanup.idl',
'fle2_compact.cpp',
'fle2_compact.idl',
'generic.cpp',
@@ -572,6 +573,7 @@ env.Library(
'get_cluster_parameter_command.cpp',
"internal_rename_if_options_and_indexes_match_cmd.cpp",
"internal_transactions_test_command_d.cpp",
+ "fle2_cleanup_cmd.cpp",
"fle2_compact_cmd.cpp",
"map_reduce_command.cpp",
"oplog_application_checks.cpp",
diff --git a/src/mongo/db/commands/fle2_cleanup.idl b/src/mongo/db/commands/fle2_cleanup.idl
new file mode 100644
index 00000000000..836897b065d
--- /dev/null
+++ b/src/mongo/db/commands/fle2_cleanup.idl
@@ -0,0 +1,55 @@
+# Copyright (C) 2023-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+
+imports:
+ - "mongo/db/basic_types.idl"
+ - "mongo/crypto/fle_stats.idl"
+
+structs:
+ CleanupStructuredEncryptionDataCommandReply:
+ description: "Reply from the {cleanupStructuredEncryptionData: ...} command"
+ strict: true
+ is_command_reply: true
+ fields:
+ stats: CleanupStats
+
+commands:
+ cleanupStructuredEncryptionData:
+ description: "Parser for the 'cleanupStructuredEncryptionData' command"
+ command_name: cleanupStructuredEncryptionData
+ api_version: ""
+ namespace: concatenate_with_db
+ strict: true
+ reply_type: CleanupStructuredEncryptionDataCommandReply
+ fields:
+ cleanupTokens:
+ description: "Map of field path to ECOCToken"
+ type: object
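Review bot: `cleanupTokens` is declared as `type: object`, so `strict: true` on the command only rejects unknown top-level fields; the parser accepts any document as the token map. The description should say that the contents are not validated at parse time and that the values are secret, for example `description: "Map of field path to ECOCToken. Values are secret; contents are not validated by the parser and must be checked by the command implementation"`. That keeps the requirement visible when the handler replaces the current stub.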
diff --git a/src/mongo/db/commands/fle2_cleanup_cmd.cpp b/src/mongo/db/commands/fle2_cleanup_cmd.cpp
new file mode 100644
index 00000000000..36f016c092e
--- /dev/null
+++ b/src/mongo/db/commands/fle2_cleanup_cmd.cpp
@@ -0,0 +1,104 @@
+/**
+ * Copyright (C) 2022-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/db/commands.h"
+#include "mongo/db/commands/create_gen.h"
+#include "mongo/db/commands/feature_compatibility_version.h"
+
+#include "mongo/crypto/fle_stats.h"
+#include "mongo/db/auth/authorization_session.h"
+
+#include "mongo/db/commands/fle2_cleanup_gen.h"
+
+#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kStorage
+
+namespace mongo {
+
+namespace {
+
+CleanupStats cleanupEncryptedCollection(OperationContext* opCtx,
+ const CleanupStructuredEncryptionData& request) {
+ uasserted(7293700, "Function not implemented.");
+}
+
+class CleanupStructuredEncryptionDataCmd final
+ : public TypedCommand<CleanupStructuredEncryptionDataCmd> {
+public:
+ using Request = CleanupStructuredEncryptionData;
+ using Reply = CleanupStructuredEncryptionData::Reply;
+ using TC = TypedCommand<CleanupStructuredEncryptionDataCmd>;
+
+ class Invocation final : public TC::InvocationBase {
+ public:
+ using TC::InvocationBase::InvocationBase;
+ using TC::InvocationBase::request;
+
+ Reply typedRun(OperationContext* opCtx) {
+ return Reply(cleanupEncryptedCollection(opCtx, request()));
+ }
+
+ private:
+ bool supportsWriteConcern() const final {
+ return false;
+ }
+
+ void doCheckAuthorization(OperationContext* opCtx) const final {
+ auto* as = AuthorizationSession::get(opCtx->getClient());
+ uassert(ErrorCodes::Unauthorized,
+ "Not authorized to cleanup structured encryption data",
+ as->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(request().getNamespace()),
+ ActionType::cleanupStructuredEncryptionData));
+ }
+
+ NamespaceString ns() const final {
+ return request().getNamespace();
+ }
+ };
+
+ typename TC::AllowedOnSecondary secondaryAllowed(ServiceContext*) const final {
+ return BasicCommand::AllowedOnSecondary::kNever;
+ }
+
+ bool adminOnly() const final {
+ return false;
+ }
+
+ std::set<StringData> sensitiveFieldNames() const final {
+ return {CleanupStructuredEncryptionData::kCleanupTokensFieldName};
+ }
+} cleanupStructuredEncryptionDataCmd;
+
+
+} // namespace
+
+} // namespace mongo
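Review bot: The new file has no comments on the stub, the command class or `sensitiveFieldNames()`, so a reader cannot tell that the command is registered and reachable but always fails. I would add `// Placeholder: always throws 7293700 until the cleanup algorithm is implemented.` above `cleanupEncryptedCollection`, and `// cleanupTokens holds client-derived tokens; listing it here keeps the values out of command logging.` above `sensitiveFieldNames()`. The includes of `create_gen.h` and `feature_compatibility_version.h` and the `MONGO_LOGV2_DEFAULT_COMPONENT` define are not used by anything in this file as shown. If a feature-compatibility or feature-flag gate is planned, it is not present yet, and `typedRun` is reachable by any caller that passes `doCheckAuthorization`.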
diff --git a/src/mongo/db/commands/fle2_compact.idl b/src/mongo/db/commands/fle2_compact.idl
index 3ba9a9c9686..3ac36f10da0 100644
--- a/src/mongo/db/commands/fle2_compact.idl
+++ b/src/mongo/db/commands/fle2_compact.idl
@@ -35,7 +35,7 @@ imports:
structs:
CompactStructuredEncryptionDataCommandReply:
- description: "Reply from the {compactStructuredEncryptedData: ...} command"
+ description: "Reply from the {compactStructuredEncryptionData: ...} command"
strict: true
is_command_reply: true
fields:
diff --git a/src/mongo/shell/encrypted_dbclient_base.cpp b/src/mongo/shell/encrypted_dbclient_base.cpp
index 62ce4d06a2e..253ed8a560e 100644
--- a/src/mongo/shell/encrypted_dbclient_base.cpp
+++ b/src/mongo/shell/encrypted_dbclient_base.cpp
@@ -607,9 +607,10 @@ void EncryptedDBClientBase::cleanup(JSContext* cx, JS::CallArgs args) {
builder.append("cleanupTokens",
efc ? FLEClientCrypto::generateCompactionTokens(*efc, this) : BSONObj());
- // TODO SERVER-72937: Add call to cleanup function
- mozjs::ValueReader(cx, args.rval()).fromBSON(BSONObj(), nullptr, false);
- return;
+ BSONObj reply;
+ runCommand(nss.dbName(), builder.obj(), reply, 0);
+ reply = reply.getOwned();
+ mozjs::ValueReader(cx, args.rval()).fromBSON(reply, nullptr, false);
}
void EncryptedDBClientBase::trace(JSTracer* trc) {
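Review bot: The result of `runCommand(nss.dbName(), builder.obj(), reply, 0);` is discarded, so a failed command is reported to the script only as whatever document ends up in `reply`. With the server side in this commit still a stub that raises 7293700, every `cleanup()` call from the shell will presumably take that path. If returning the raw reply is intended, a comment such as `// Command errors are surfaced to the caller through the returned reply document.` above the call would record that; otherwise the status should be checked before `fromBSON`. The body of `EncryptedDBClientBase::cleanup` starts outside this hunk.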