|
| 1 | +/* |
| 2 | + * Copyright 2008-present MongoDB, Inc. |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + */ |
| 16 | + |
| 17 | +package com.mongodb.client; |
| 18 | + |
| 19 | +import com.mongodb.ClientEncryptionSettings; |
| 20 | +import com.mongodb.MongoClientSettings; |
| 21 | +import com.mongodb.client.model.vault.DataKeyOptions; |
| 22 | +import com.mongodb.client.model.vault.EncryptOptions; |
| 23 | +import com.mongodb.client.model.vault.RewrapManyDataKeyOptions; |
| 24 | +import com.mongodb.client.model.vault.RewrapManyDataKeyResult; |
| 25 | +import com.mongodb.client.vault.ClientEncryption; |
| 26 | +import org.bson.BsonBinary; |
| 27 | +import org.bson.BsonDocument; |
| 28 | +import org.bson.BsonString; |
| 29 | +import org.junit.jupiter.api.Assumptions; |
| 30 | +import org.junit.jupiter.params.ParameterizedTest; |
| 31 | +import org.junit.jupiter.params.provider.Arguments; |
| 32 | +import org.junit.jupiter.params.provider.MethodSource; |
| 33 | + |
| 34 | +import java.util.ArrayList; |
| 35 | +import java.util.Collection; |
| 36 | +import java.util.HashMap; |
| 37 | +import java.util.List; |
| 38 | +import java.util.Map; |
| 39 | +import java.util.Set; |
| 40 | + |
| 41 | +import static com.mongodb.ClusterFixture.hasEncryptionTestsEnabled; |
| 42 | +import static com.mongodb.ClusterFixture.serverVersionAtLeast; |
| 43 | +import static com.mongodb.client.Fixture.getMongoClient; |
| 44 | +import static com.mongodb.client.Fixture.getMongoClientSettingsBuilder; |
| 45 | +import static org.junit.jupiter.api.Assertions.assertEquals; |
| 46 | + |
| 47 | +/** |
| 48 | + * See <a href="https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#rewrap"> |
| 49 | + * 16. Rewrap</a>. |
| 50 | + */ |
| 51 | +public abstract class AbstractClientEncryptionRewrapManyDataKeyProseTest { |
| 52 | + |
| 53 | + private static final Map<String, BsonDocument> MASTER_KEYS_BY_PROVIDER = new HashMap<>(); |
| 54 | + static { |
| 55 | + MASTER_KEYS_BY_PROVIDER.put("aws", BsonDocument.parse("{\n" |
| 56 | + + " \"region\": \"us-east-1\",\n" |
| 57 | + + " \"key\": \"arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0\"\n" |
| 58 | + + "}")); |
| 59 | + MASTER_KEYS_BY_PROVIDER.put("azure", BsonDocument.parse("{\n" |
| 60 | + + " \"keyVaultEndpoint\": \"key-vault-csfle.vault.azure.net\",\n" |
| 61 | + + " \"keyName\": \"key-name-csfle\"\n" |
| 62 | + + "}")); |
| 63 | + MASTER_KEYS_BY_PROVIDER.put("gcp", BsonDocument.parse("{\n" |
| 64 | + + " \"projectId\": \"devprod-drivers\",\n" |
| 65 | + + " \"location\": \"global\",\n" |
| 66 | + + " \"keyRing\": \"key-ring-csfle\",\n" |
| 67 | + + " \"keyName\": \"key-name-csfle\"\n" |
| 68 | + + "}")); |
| 69 | + MASTER_KEYS_BY_PROVIDER.put("kmip", BsonDocument.parse("{}")); |
| 70 | + MASTER_KEYS_BY_PROVIDER.put("local", null); |
| 71 | + } |
| 72 | + |
| 73 | + private static final Map<String, Map<String, Object>> KMS_PROVIDERS = new HashMap<String, Map<String, Object>>() {{ |
| 74 | + put("aws", new HashMap<String, Object>() {{ |
| 75 | + put("accessKeyId", System.getProperty("org.mongodb.test.awsAccessKeyId")); |
| 76 | + put("secretAccessKey", System.getProperty("org.mongodb.test.awsSecretAccessKey")); |
| 77 | + }}); |
| 78 | + put("azure", new HashMap<String, Object>() {{ |
| 79 | + put("tenantId", System.getProperty("org.mongodb.test.azureTenantId")); |
| 80 | + put("clientId", System.getProperty("org.mongodb.test.azureClientId")); |
| 81 | + put("clientSecret", System.getProperty("org.mongodb.test.azureClientSecret")); |
| 82 | + put("identityPlatformEndpoint", "login.microsoftonline.com:443"); |
| 83 | + }}); |
| 84 | + put("gcp", new HashMap<String, Object>() {{ |
| 85 | + put("email", System.getProperty("org.mongodb.test.gcpEmail")); |
| 86 | + put("privateKey", System.getProperty("org.mongodb.test.gcpPrivateKey")); |
| 87 | + put("endpoint", "oauth2.googleapis.com:443"); |
| 88 | + }}); |
| 89 | + put("kmip", new HashMap<String, Object>() {{ |
| 90 | + put("endpoint", "localhost:5698"); |
| 91 | + }}); |
| 92 | + put("local", new HashMap<String, Object>() {{ |
| 93 | + put("key", "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM" |
| 94 | + + "UN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk"); |
| 95 | + }}); |
| 96 | + }}; |
| 97 | + |
| 98 | + protected abstract MongoClient createMongoClient(MongoClientSettings settings); |
| 99 | + public abstract ClientEncryption getClientEncryption(ClientEncryptionSettings settings); |
| 100 | + |
| 101 | + public static Collection<Arguments> data() { |
| 102 | + List<Arguments> data = new ArrayList<>(); |
| 103 | + Set<String> types = MASTER_KEYS_BY_PROVIDER.keySet(); |
| 104 | + for (String srcProvider : types) { |
| 105 | + for (String dstProvider : types) { |
| 106 | + data.add(Arguments.of(srcProvider, dstProvider)); |
| 107 | + } |
| 108 | + } |
| 109 | + return data; |
| 110 | + } |
| 111 | + |
| 112 | + @ParameterizedTest |
| 113 | + @MethodSource("data") |
| 114 | + public void rewrapWithSeparateClientEncryption(final String srcProvider, final String dstProvider) { |
| 115 | + Assumptions.assumeTrue(serverVersionAtLeast(4, 2)); |
| 116 | + Assumptions.assumeTrue(hasEncryptionTestsEnabled(), "Custom Endpoint tests disables"); |
| 117 | + |
| 118 | + BsonDocument srcKey = MASTER_KEYS_BY_PROVIDER.get(srcProvider); |
| 119 | + BsonDocument dstKey = MASTER_KEYS_BY_PROVIDER.get(dstProvider); |
| 120 | + BsonString testString = new BsonString("test"); |
| 121 | + |
| 122 | + getMongoClient().getDatabase("keyvault").getCollection("datakeys").drop(); |
| 123 | + |
| 124 | + ClientEncryption clientEncryption1 = getClientEncryption(ClientEncryptionSettings.builder() |
| 125 | + .keyVaultMongoClientSettings(getMongoClientSettingsBuilder().build()) |
| 126 | + .keyVaultNamespace("keyvault.datakeys") |
| 127 | + .kmsProviders(KMS_PROVIDERS) |
| 128 | + .build()); |
| 129 | + |
| 130 | + BsonBinary keyId = clientEncryption1.createDataKey(srcProvider, new DataKeyOptions().masterKey(srcKey)); |
| 131 | + |
| 132 | + BsonBinary ciphertext = clientEncryption1.encrypt( |
| 133 | + testString, |
| 134 | + new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(keyId)); |
| 135 | + |
| 136 | + ClientEncryption clientEncryption2 = getClientEncryption(ClientEncryptionSettings.builder() |
| 137 | + .keyVaultMongoClientSettings(getMongoClientSettingsBuilder().build()) |
| 138 | + .keyVaultNamespace("keyvault.datakeys") |
| 139 | + .kmsProviders(KMS_PROVIDERS) |
| 140 | + .build()); |
| 141 | + |
| 142 | + RewrapManyDataKeyResult result = clientEncryption2.rewrapManyDataKey( |
| 143 | + new BsonDocument(), |
| 144 | + new RewrapManyDataKeyOptions().provider(dstProvider).masterKey(dstKey)); |
| 145 | + assertEquals(1, result.getBulkWriteResult().getModifiedCount()); |
| 146 | + |
| 147 | + assertEquals(testString, clientEncryption1.decrypt(ciphertext)); |
| 148 | + assertEquals(testString, clientEncryption2.decrypt(ciphertext)); |
| 149 | + } |
| 150 | +} |
0 commit comments