# Copyright (C) 2022-present MongoDB, Inc. # # This program is free software: you can redistribute it and/or modify # it under the terms of the Server Side Public License, version 1, # as published by MongoDB, Inc. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Server Side Public License for more details. # # You should have received a copy of the Server Side Public License # along with this program. If not, see # . # # As a special exception, the copyright holders give permission to link the # code of portions of this program with the OpenSSL library under certain # conditions as described in each individual source file and distribute # linked combinations including the program with the OpenSSL library. You # must comply with the Server Side Public License in all respects for # all of the code used other than as permitted herein. If you modify file(s) # with this exception, you may extend this exception to your version of the # file(s), but you are not obligated to do so. If you do not wish to do so, # delete this exception statement from your version. If you delete this # exception statement from all source files in the program, then also delete # it in the license file. global: cpp_namespace: "mongo" cpp_includes: - "mongo/crypto/fle_fields_util.h" imports: - "mongo/db/basic_types.idl" - "mongo/crypto/encryption_fields.idl" enums: EncryptedBinDataType: description: "Subtypes with an BinData 6, this is the first byte of the payload" type: int values: # FLE 1 Payloads kPlaceholder : 0 # see FLEEncryptionPlaceholder kDeterministic : 1 kRandom : 2 # FLE 2 # FLE 2 Client-side kFLE2Placeholder : 3 # see FLE2EncryptionPlaceholder kFLE2InsertUpdatePayload : 4 # see FLE2InsertUpdatePayload kFLE2FindEqualityPayload : 5 # see FLE2FindEqualityPayload # FLE 2 Server-side kFLE2UnindexedEncryptedValue : 6 # see FLE2IndexedEqualityEncryptedValue kFLE2EqualityIndexedValue : 7 # Transient encrypted data in query rewrites, not persisted # same as BinDataGeneral but redacted kFLE2TransientRaw : 8 kFLE2RangeIndexedValue : 9 # see FLE2IndexedRangeEncryptedValue kFLE2FindRangePayload : 10 # see FLE2FindRangePayload FleVersion: description: "The version / type of field-level encryption in use." type: int values: kFle1: 1 kFle2: 2 FleAlgorithmInt: description: "The algorithm used to encrypt fields for field level encryption represented as an unsigned integer." type: int values: kDeterministic: 1 kRandom: 2 Fle2AlgorithmInt: description: "The algorithm used to encrypt fields for field level encryption represented as an unsigned integer." type: int values: kUnindexed: 1 kEquality: 2 kRange: 3 Fle2PlaceholderType: description: "The type of payload to generate from a placeholder" type: int values: kInsert: 1 kFind: 2 Fle2RangeOperator: description: "Enum representing valid range operators that an encrypted payload can be under." type: int values: kGt: 1 kGte: 2 kLt: 3 kLte: 4 types: encrypted_numeric_element: bson_serialization_type: - date - decimal - double - int - long description: A value with any encrypted range numeric BSON type. cpp_type: "mongo::IDLAnyType" serializer: mongo::IDLAnyType::serializeToBSON deserializer: mongo::IDLAnyType::parseFromBSON structs: EncryptionPlaceholder: description: "Implements Encryption BinData (subtype 6) sub-subtype 0, the intent-to-encrypt mapping. Contains a value to encrypt and a description of how it should be encrypted." strict: true fields: a: description: "The encryption algorithm to be used." type: FleAlgorithmInt cpp_name: algorithm ki: description: "Used to query the key vault by _id. If omitted, ka must be specified." type: uuid cpp_name: keyId optional: true ka: description: "Used to query the key vault by keyAltName. If omitted, ki must be specified." type: string cpp_name: keyAltName optional: true v: description: "value to encrypt" type: IDLAnyType cpp_name: value FLE2EncryptionPlaceholder: description: "Implements Encryption BinData (subtype 6) sub-subtype 0, the intent-to-encrypt mapping. Contains a value to encrypt and a description of how it should be encrypted." strict: true cpp_validator_func: "validateIDLFLE2EncryptionPlaceholder" fields: t: description: "The type number, determines what payload to replace the placeholder with" type: Fle2PlaceholderType cpp_name: type a: description: "The encryption algorithm to be used." type: Fle2AlgorithmInt cpp_name: algorithm ki: description: "IndexKeyId, Used to query the key vault by _id." type: uuid cpp_name: indexKeyId ku: description: "UserKeyId, Used to query the key vault by _id., Typically same as IndexKeyId unless explicit encryption is used." type: uuid cpp_name: userKeyId v: description: "value to encrypt" type: IDLAnyType cpp_name: value cm: description: "Queryable Encryption max contention counter" type: long cpp_name: maxContentionCounter s: description: "Queryable Encryption range hypergraph sparsity factor" type: long cpp_name: sparsity optional: true validator: { gte: 1, lte: 4 } EdgeTokenSet: description: "Payload of an indexed field to insert or update" strict: true fields: d: description: "EDCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: edcDerivedToken s: description: "ESCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: escDerivedToken c: description: "ECCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: eccDerivedToken p: description: "Encrypted tokens" type: bindata_generic cpp_name: encryptedTokens FLE2InsertUpdatePayload: description: "Payload of an indexed field to insert or update" strict: true fields: d: description: "EDCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: edcDerivedToken s: description: "ESCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: escDerivedToken c: description: "ECCDerivedFromDataTokenAndCounter" type: bindata_generic cpp_name: eccDerivedToken p: description: "Encrypted tokens" type: bindata_generic cpp_name: encryptedTokens u: description: "Index KeyId" type: uuid cpp_name: indexKeyId t: description: "Encrypted type" type: safeInt cpp_name: type v: description: "Encrypted value" type: bindata_generic cpp_name: value e: description: "ServerDataEncryptionLevel1Token" type: bindata_generic cpp_name: serverEncryptionToken g: description: "Array of Edges" type: array cpp_name: edgeTokenSet optional: true FLE2DeletePayload: description: "Payload of an indexed field to delete" strict: true fields: o: description: "ECOCToken" type: bindata_generic cpp_name: ecocToken e: description: "ServerDataEncryptionLevel1Token" type: bindata_generic cpp_name: serverEncryptionToken FLE2FindEqualityPayload: description: "Payload for an equality find" strict: true fields: d: description: "EDCDerivedFromDataToken" type: bindata_generic cpp_name: edcDerivedToken s: description: "ESCDerivedFromDataToken" type: bindata_generic cpp_name: escDerivedToken c: description: "ECCDerivedFromDataToken" type: bindata_generic cpp_name: eccDerivedToken e: description: "ServerDataEncryptionLevel1Token" type: bindata_generic cpp_name: serverEncryptionToken optional: true # For backwards compat, make this optional cm: description: "Queryable Encryption max counter" type: long cpp_name: maxCounter optional: true EdgeFindTokenSet: description: "Payload of an edge to query for" strict: true fields: d: description: "EDCDerivedFromDataToken" type: bindata_generic cpp_name: edcDerivedToken s: description: "ESCDerivedFromDataToken" type: bindata_generic cpp_name: escDerivedToken c: description: "ECCDerivedFromDataToken" type: bindata_generic cpp_name: eccDerivedToken FLE2FindRangePayloadEdgesInfo: description: "Tokken information for find range payload." strict: true fields: g: description: "Array of Edges" type: array cpp_name: edges e: description: "ServerDataEncryptionLevel1Token" type: bindata_generic cpp_name: serverEncryptionToken cm: description: "Queryable Encryption max counter" type: long cpp_name: maxCounter FLE2FindRangePayload: description: "Payload for a range find" strict: true fields: payload: description: "Token information for a find range payload" type: FLE2FindRangePayloadEdgesInfo optional: true payloadId: description: "Id of payload - must be paired with another payload" type: safeInt optional: false firstOperator: description: "First query operator for which this payload was generated." type: Fle2RangeOperator optional: false secondOperator: description: "Second query operator for which this payload was generated. Only populated for two-sided ranges." type: Fle2RangeOperator optional: true EncryptionInformation: description: "Implements Encryption Information which includes the schema for Queryable Encryption that is consumed by query_analysis, queries and write_ops" strict: true fields: type: description: "The version number" type: safeInt default: 1 stability: unstable deleteTokens: description: "A map of field paths to FLEDeletePayload" type: object_owned optional: true stability: unstable schema: description: "A map of NamespaceString to EncryptedFieldConfig" type: object_owned stability: unstable crudProcessed: description: "A boolean to indicate whether the CRUD layer has already processed this Queryable Encryption request. Used to prevent infinite recursion." type: bool optional: true stability: unstable ecocDocument: description: "This represents a document stored in an encrypted compaction collection." strict: true fields: _id: description: "Random id" type: objectid fieldName: description: "Name of field" type: string value: description: "Encrypted value" type: bindata_generic FLE2RangeFindSpecEdgesInfo: description: "Edges Information for FLE2 Range Spec" strict: true fields: lowerBound: description: "The lower bound for an encrypted range query." type: IDLAnyType lbIncluded: description: "Indicates if the lower bound should be included in the range." type: bool upperBound: description: "The upper bound for an encrypted range query." type: IDLAnyType ubIncluded: description: "Indicates if the upper bound should be included in the range." type: bool precision: description: "Determines the number of digits after the decimal point for floating point values" type: safeInt optional: true indexMin: description: "Minimum value for the encrypted index that this query is using." type: encrypted_numeric_element indexMax: description: "Maximum value for the encrypted index that this query is using." type: encrypted_numeric_element FLE2RangeFindSpec: description: "Range find specification that is encoded inside of a FLE2EncryptionPlaceholder." strict: true cpp_validator_func: "validateIDLFLE2RangeFindSpec" fields: edgesInfo: description: "Information about the edges in an FLE2 find payload." type: FLE2RangeFindSpecEdgesInfo optional: true payloadId: description: "Id of payload - must be paired with another payload" type: safeInt optional: false firstOperator: description: "First query operator for which this payload was generated." type: Fle2RangeOperator optional: false secondOperator: description: "Second query operator for which this payload was generated. Only populated for two-sided ranges." type: Fle2RangeOperator optional: true FLE2RangeInsertSpec: description: "Range insert specification that is encoded inside of a FLE2EncryptionPlaceholder." strict: true fields: v: description: "Value to encrypt" type: encrypted_numeric_element cpp_name: value min: description: "Queryable Encryption min bound for range" type: encrypted_numeric_element optional: true cpp_name: minBound max: description: "Queryable Encryption max bound for range" type: encrypted_numeric_element optional: true cpp_name: maxBound precision: description: "Determines the number of digits after the decimal point for floating point values" type: safeInt optional: true