1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
// Test to ensure that the client community shell auto decrypts an encrypted field
// stored in the database if it has the correct credentials.
load("jstests/client_encrypt/lib/mock_kms.js");
load('jstests/ssl/libs/ssl_helpers.js');
(function() {
"use strict";
const x509_options = {
sslMode: "requireSSL",
sslPEMKeyFile: SERVER_CERT,
sslCAFile: CA_CERT
};
const conn = MongoRunner.runMongod(x509_options);
const deterministicAlgorithm = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
let localKMS = {
key: BinData(
0,
"tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
};
const clientSideFLEOptions = {
kmsProviders: {
local: localKMS,
},
keyVaultNamespace: "test.coll",
schemaMap: {}
};
const shell = Mongo(conn.host, clientSideFLEOptions);
const keyVault = shell.getKeyVault();
const keyId = keyVault.createKey("local", "arn:aws:kms:us-east-1:fake:fake:fake", ['mongoKey']);
var test = function(conn, clientSideFLEOptions, keyId) {
const test_shell = Mongo(conn.host, clientSideFLEOptions);
const clientEncrypt = test_shell.getClientEncryption();
const encryptedStr = clientEncrypt.encrypt(keyId, "mongodb", deterministicAlgorithm);
// Insert encrypted string into database
const collection = conn.getDB("test").getCollection("collection");
for (var i = 0; i < 150; i++) {
assert.commandWorked(collection.insert({string: encryptedStr, id: 1}));
}
// Ensure string is auto decrypted
const encryptedCollection = test_shell.getDB("test").getCollection("collection");
const result = encryptedCollection.find({id: 1}).toArray();
result.forEach(function(entry) {
assert.eq(entry.string, "mongodb");
});
};
test(conn, clientSideFLEOptions, keyId);
// Test that auto decrypt still works with bypassAutoEncryption
const clientSideFLEOptionsBypassAutoEncrypt = {
kmsProviders: {
local: localKMS,
},
keyVaultNamespace: "test.coll",
bypassAutoEncryption: true,
schemaMap: {}
};
test(conn, clientSideFLEOptionsBypassAutoEncrypt, keyId);
MongoRunner.stopMongod(conn);
}());
|