Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2889

Support createEncryptedCollection with missing "keyId"

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Unknown Unknown
    • None
    • Component/s: Client Side Encryption
    • Labels:
      None
    • Needed

      Summary

      Interpret a missing "keyId" the same as "keyId: null" in ClientEncryption.createEncryptedCollection.
      Test calling ClientEncryption.createEncryptedCollection with a missing "keyId".

      Motivation

      ClientEncryption.createEncryptedCollection creates a collection for Queryable Encryption. It can optionally create data keys for specified fields:

      • Otherwise, if F has a "keyId" named element K and K is a null value:
        • Create a DataKeyOpts named dkOpts with the masterKey argument.

      Here is an example in PyMongo:

          _, encrypted_fields = client_encryption.create_encrypted_collection(
        client["db"],
        "coll",
        encrypted_fields={
            "fields": [
                {
                    "keyId": None,  # As input, specify `None` (BSON null) to have driver create key.
                    "path": "encryptedIndexed",
                    "bsonType": "string",
                    "queries": {"queryType": "equality"},
                }
            ],
        },
        kms_provider="local",
    )
    # The returned `encrypted_fields` contains the `keyId` filled in.
    assert encrypted_fields["fields"][0]["keyId"] is not None

      There appears to be inconsistency in driver implementations about how to handle when "keyId" is missing. PyMongo interprets a missing "keyId" the same as explicitly setting to BSON null:

          _, encrypted_fields = client_encryption.create_encrypted_collection(
        client["db"],
        "coll",
        encrypted_fields={
            "fields": [
                {
                    # "keyId" is missing. PyMongo still creates the key. This may be out-of-spec behavior.
                    "path": "encryptedIndexed",
                    "bsonType": "string",
                    "queries": {"queryType": "equality"},
                }
            ],
        },
        kms_provider="local",
    )
    # The returned `encrypted_fields` contains the `keyId` filled in.
    assert encrypted_fields["fields"][0]["keyId"] is not None

      The C driver ignores the missing "keyId" and passes it along to the server. Calling mongoc_client_encryption_create_encrypted_collection with a missing "keyId" results in a server error: "BSON field 'create.encryptedFields.fields.keyId' is missing but a required field"

      mongosh appears to agree with PyMongo (example).

      As written, I interpret the spec to mean a missing "keyId" is expected to be ignored by the driver (resulting in an expected server error).

      How likely is it that this problem or use case will occur?

      Somewhat likely. This came up when reviewing DOCSP-37855. Docs showing mongosh example shows the missing keyId. The example works, but it may confuse users translating to other drivers.

      If the problem does occur, what are the consequences and how severe are they?

      Inconsistency among driver implementations. May be confusing behavior.

      Is this issue urgent?

      No?

      Is this ticket only for tests?

      No. This proposes a behavior change.

      Acceptance Criteria

      Update spec to note calling ClientEncryption.createEncryptedCollection with a missing "keyId" should be interpreted the same as "keyId: null".
      Add a test calling ClientEncryption.createEncryptedCollection with a missing "keyId".

      Additional Information

      See the test Case 3: Invalid keyId as a starting point.

            Assignee:
            Unassigned Unassigned
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: