path: root/jstests/sharding/shard_encrypted_collection.js
// Verify valid and invalid scenarios for sharding an encrypted collection

/**
 * @tags: [
 *  requires_fcv_60,
 * ]
 */

// This test runs refineCollectionShardKey, and the filtering metadata check cannot run on such
// tests, so opt out of it.
TestData.skipCheckShardFilteringMetadata = true;

(function() {
'use strict';

const st = new ShardingTest({shards: 1, mongos: 1});
const mongos = st.s0;
const kDbName = 'db';

/**
 * Builds one encryptedFields entry for a string field that supports equality queries.
 *
 * @param {string} path - dotted path of the encrypted field
 * @param {string} keyIdString - UUID string naming the data key for the field
 * @returns {Object} entry with path, keyId, bsonType and queries, in that order
 */
function equalityStringField(path, keyIdString) {
    return {
        path: path,
        keyId: UUID(keyIdString),
        bsonType: "string",
        queries: {queryType: "equality"},
    };
}

// Two encrypted paths: a top-level field and a nested one. The nested path lets the test cover
// shard keys that are a prefix of an encrypted path or that extend one.
const sampleEncryptedFields = {
    fields: [
        equalityStringField("firstName", "11d58b8a-0c6c-4d69-a0bd-70c6d9befae9"),
        equalityStringField("paymentMethods.creditCards.number",
                            "12341234-1234-1234-1234-123412341234"),
    ],
};

// Create the encrypted collection first, then enable sharding on its database.
const testDb = mongos.getDB(kDbName);
assert.commandWorked(testDb.createCollection("basic", {encryptedFields: sampleEncryptedFields}));
assert.commandWorked(mongos.adminCommand({enableSharding: kDbName}));

/**
 * Runs one sharding admin command against db.basic with a series of shard keys and checks that
 * keys touching an encrypted field are rejected while a key on a plain field is accepted.
 *
 * NOTE(review): the negative cases assert only on ErrorCodes.InvalidOptions. If a command can
 * return that code for an unrelated reason (possibly a refine key that does not extend the current
 * key - confirm), such a case would pass without the encrypted-field check having fired. Matching
 * on the error message as well would make the security property explicit.
 *
 * @param {string} command - name of the admin command, used as the first field of the request
 */
function testShardingCommand(command) {
    jsTestLog(`Testing command: ${command}`);

    // One request document is reused for every case; only its 'key' field is replaced.
    const request = {[command]: `${kDbName}.basic`};

    const runWithKey = (shardKey) => {
        request.key = shardKey;
        return mongos.adminCommand(request);
    };

    const expectInvalidOptions = (shardKey, failureMessage) => {
        const reply = runWithKey(shardKey);
        assert.commandFailedWithCode(reply, ErrorCodes.InvalidOptions, failureMessage);
    };

    jsTestLog(`Fail ${command} if shard key is an encrypted field`);
    expectInvalidOptions({firstName: 1}, `${command} on encrypted field passed`);
    // The encrypted field is also rejected as a hashed component inside a compound key.
    expectInvalidOptions({lastName: 1, firstName: "hashed", middleName: 1},
                         `${command} on encrypted field passed`);

    jsTestLog(`Fail ${command} if shard key is a prefix of an encrypted field`);
    expectInvalidOptions({"paymentMethods.creditCards": 1},
                         `${command} on prefix of encrypted field passed`);

    jsTestLog(`Fail ${command} if shard key has a prefix matching an encrypted field`);
    expectInvalidOptions({"paymentMethods.creditCards.number.lastFour": 1},
                         `${command} on key with encrypted field prefix passed`);

    jsTestLog(`Test ${command} on non-encrypted field works`);
    assert.commandWorked(runWithKey({lastName: 1}));
}

// Order matters: the collection has to be sharded before the other two commands are exercised.
for (const command of ["shardCollection", "reshardCollection", "refineCollectionShardKey"]) {
    testShardingCommand(command);
}

st.stop();
})();