jstests/core/doc_validation_encrypt_keywords.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

// Verify encryption-related keywords are only allowed in document validators if the action is
// 'error' and validation level is 'strict'.
//
// Cannot implicitly shard accessed collections because of collection existing when none
// expected.
// @tags: [assumes_no_implicit_collection_creation_after_drop, requires_non_retryable_commands,
// requires_fcv_46]
(function() {
"use strict";

var collName = "doc_validation_encrypt_keywords";
var coll = db[collName];
coll.drop();

const encryptSchema = {
    $jsonSchema: {properties: {_id: {encrypt: {}}}}
};
const nestedEncryptSchema = {
    $jsonSchema: {properties: {user: {type: "object", properties: {ssn: {encrypt: {}}}}}}
};
const encryptMetadataSchema = {
    $jsonSchema: {encryptMetadata: {algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"}}
};

assert.commandFailedWithCode(
    db.createCollection(collName, {validator: encryptSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.createCollection(collName, {validator: nestedEncryptSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.createCollection(collName, {validator: encryptMetadataSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);

assert.commandFailedWithCode(
    db.createCollection(collName, {validator: encryptSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.createCollection(collName, {validator: nestedEncryptSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.createCollection(collName, {validator: encryptMetadataSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);

// Create the collection with a valid document validator and action 'warn'.
assert.commandWorked(db.createCollection(
    collName, {validator: {$jsonSchema: {required: ["_id"]}}, validationAction: "warn"}));

// Verify that we can't collMod the validator to include an encryption-related keyword.
assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: encryptSchema}),
                             ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: nestedEncryptSchema}),
                             ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(db.runCommand({collMod: collName, validator: encryptMetadataSchema}),
                             ErrorCodes.QueryFeatureNotAllowed);
coll.drop();

// Create the collection with an encrypted validator and action 'error'.
assert.commandWorked(
    db.createCollection(collName, {validator: encryptSchema, validationAction: "error"}));

// Verify that we can't collMod the validation action to 'warn' since the schema contains an
// encryption-related keyword.
assert.commandFailedWithCode(db.runCommand({collMod: collName, validationAction: "warn"}),
                             ErrorCodes.QueryFeatureNotAllowed);

// Verify that we can't collMod the validation level to 'moderate' since the schema contains an
// encryption-related keyword.
assert.commandFailedWithCode(db.runCommand({collMod: collName, validationLevel: "moderate"}),
                             ErrorCodes.QueryFeatureNotAllowed);
coll.drop();

// Create the collection without a document validator.
assert.commandWorked(db.createCollection(collName));

// Verify that we can't collMod with an encrypted validator and validation action 'warn' or level
// 'moderate'.
assert.commandFailedWithCode(
    db.runCommand({collMod: collName, validator: encryptSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.runCommand({collMod: collName, validator: nestedEncryptSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.runCommand({collMod: collName, validator: encryptMetadataSchema, validationAction: "warn"}),
    ErrorCodes.QueryFeatureNotAllowed);

assert.commandFailedWithCode(
    db.runCommand({collMod: collName, validator: encryptSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.runCommand({collMod: collName, validator: nestedEncryptSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);
assert.commandFailedWithCode(
    db.runCommand(
        {collMod: collName, validator: encryptMetadataSchema, validationLevel: "moderate"}),
    ErrorCodes.QueryFeatureNotAllowed);
coll.drop();
})();