- Type: Improvement
- Resolution: Unresolved
- Priority: Unknown
- Component/s: Client Side Encryption
Summary
Interpret a missing "keyId" the same as "keyId: null" in ClientEncryption.createEncryptedCollection.
Test calling ClientEncryption.createEncryptedCollection with a missing "keyId".
Motivation
ClientEncryption.createEncryptedCollection creates a collection for Queryable Encryption. It can optionally create data keys for specified fields:
- Otherwise, if F has a "keyId" named element K and K is a null value:
  - Create a DataKeyOpts named dkOpts with the masterKey argument.
Here is an example in PyMongo:
```python
_, encrypted_fields = client_encryption.create_encrypted_collection(
    client["db"],
    "coll",
    encrypted_fields={
        "fields": [
            {
                "keyId": None,  # As input, specify `None` (BSON null) to have driver create key.
                "path": "encryptedIndexed",
                "bsonType": "string",
                "queries": {"queryType": "equality"},
            }
        ],
    },
    kms_provider="local",
)
# The returned `encrypted_fields` contains the `keyId` filled in.
assert encrypted_fields["fields"][0]["keyId"] is not None
```
There appears to be an inconsistency among driver implementations in how a missing "keyId" is handled. PyMongo interprets a missing "keyId" the same as explicitly setting it to BSON null:
```python
_, encrypted_fields = client_encryption.create_encrypted_collection(
    client["db"],
    "coll",
    encrypted_fields={
        "fields": [
            {
                # "keyId" is missing. PyMongo still creates the key. This may be out-of-spec behavior.
                "path": "encryptedIndexed",
                "bsonType": "string",
                "queries": {"queryType": "equality"},
            }
        ],
    },
    kms_provider="local",
)
# The returned `encrypted_fields` contains the `keyId` filled in.
assert encrypted_fields["fields"][0]["keyId"] is not None
```
The C driver ignores the missing "keyId" and passes it along to the server. Calling mongoc_client_encryption_create_encrypted_collection with a missing "keyId" results in a server error: "BSON field 'create.encryptedFields.fields.keyId' is missing but a required field"
mongosh appears to agree with PyMongo (example).
As written, I interpret the spec to mean a missing "keyId" is expected to be ignored by the driver (resulting in an expected server error).
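The two interpretations described above, side by side, as an added example that is not part of the original ticket or any driver's code. `fill_key_ids`, `paths_without_key_id` and the `missing_means_null` flag are hypothetical names, and `uuid.uuid4` stands in for the driver's data key creation.

```python
import copy
import uuid


def fill_key_ids(encrypted_fields, create_data_key, missing_means_null):
    """Return a copy of encrypted_fields with driver-created keyIds filled in.

    missing_means_null=False: only an explicit null "keyId" triggers key
    creation (the spec text as quoted above); a missing "keyId" is left alone.
    missing_means_null=True: a missing "keyId" is treated like null (the
    behavior this ticket proposes).
    """
    result = copy.deepcopy(encrypted_fields)  # never mutate the caller's input
    fields = result.get("fields")
    if not isinstance(fields, list):
        return result
    for field in fields:
        if not isinstance(field, dict):
            continue  # non-document entries are passed through untouched
        if "keyId" in field:
            needs_key = field["keyId"] is None
        else:
            needs_key = missing_means_null
        if needs_key:
            field["keyId"] = create_data_key()
    return result


def paths_without_key_id(encrypted_fields):
    """Paths of fields that would reach the server with no "keyId" element."""
    return [f.get("path") for f in encrypted_fields.get("fields", [])
            if isinstance(f, dict) and "keyId" not in f]


# Constructed sample input: one explicit null, one missing, one pre-set keyId.
EXISTING_KEY = uuid.UUID(int=1)
SAMPLE = {"fields": [
    {"keyId": None, "path": "a", "bsonType": "string"},
    {"path": "b", "bsonType": "string"},
    {"keyId": EXISTING_KEY, "path": "c", "bsonType": "string"},
]}

if __name__ == "__main__":
    for mode in (False, True):
        out = fill_key_ids(SAMPLE, uuid.uuid4, missing_means_null=mode)
        print("missing_means_null =", mode, "->", paths_without_key_id(out))
```

With `missing_means_null=False`, field `b` still lacks a "keyId" when the options are sent on, which is the case where the server reports the required-field error quoted above.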
How likely is it that this problem or use case will occur?
Somewhat likely. This came up when reviewing DOCSP-37855. The docs showing a mongosh example show the missing keyId. The example works, but it may confuse users translating to other drivers.
If the problem does occur, what are the consequences and how severe are they?
Inconsistency among driver implementations. May be confusing behavior.
Is this issue urgent?
No?
Is this ticket only for tests?
No. This proposes a behavior change.
Acceptance Criteria
Update the spec to note that calling ClientEncryption.createEncryptedCollection with a missing "keyId" should be interpreted the same as "keyId: null".
Add a test calling ClientEncryption.createEncryptedCollection with a missing "keyId".
Additional Information
See the test Case 3: Invalid keyId as a starting point.