-
Type: Epic
-
Resolution: Done
-
Priority: Major - P3
-
None
-
Component/s: None
-
Done
-
FLE GA
This ticket groups multiple small changes made to the Client Side Encryption spec. Each individual SPEC ticket has more detailed information and links to the associated PR, but the following summarizes necessary changes
SPEC-1431 Add API for specifying a custom endpoint with AWS masterkey provider
- Update bindings to libmongocrypt to call mongocrypt_ctx_setopt_masterkey_aws_endpoint with the value of "endpoint" is passed DataKeyOpts.masterKey
- Update libmongocrypt to latest version.
- Implement prose test under the section Custom Endpoint Test.
SPEC-1449 createDataKey returns UUID
- Update the return type (if necessary) of createDataKey to be a BSON binary
SPEC-1469 silence mongocryptd by default
- Spawned mongocryptd should redirect stdout and stderr to /dev/null
SPEC-1466 test that fetching keys uses readConcern=majority
- Resync the FLE JSON spec tests
SPEC-1452 test that created data keys insert with majority writeConcern
- Update the prose test of Data key and double encryption to check command started events
SPEC-1397 limit 2MiB limit to bulk writes
- Check that bulk write batch splitting logic matches the section "Size limits for Write Commands"
- Update the prose test under the section BSON size limits and batch splitting.
Issues with the "Spec Test Format" section:
- client_side_enencryption_opts in the "Spec Test Format" section should be auto_encrypt_opts Fixed in https://github.com/mongodb/specifications/pull/623.
- auto_encrypt_opts should be autoEncryptOpts
- kms_providers should be kmsProviders
- schema_map should be schemaMap
- bypassAutoEncryption is missing from the list of auto encryption options
- Some operations don't have an object field. It should be documented that this defaults to "collection" if omitted.
Issues with the "Use as integration tests" section:
- The json_schema field should be mentioned to describe how the collection should be created.
- The description for setting up the test collection and inserting the test data uses the MongoClient created with the test's clientOptions. For tests with invalid encryption settings (e.g. "an insert with encrypted field on _id errors" in badQueries.json), using this client will cause the data insertion to fail. The test data should be inserted using a different client with no encryption enabled.
Issues with various tests:
- "operation fails with maxWireVersion < 8" in maxWireVersion.json - the error is expected to contain "Auto-encryption requires a minimum MongoDB version of 4.2" but the spec only says "Drivers MUST raise an error when attempting to auto encrypt a command if the maxWireVersion is less than 8" and does not specify the message.
- "getMore with encryption" in getMore.json - results field should be result.
- Corpus test step 9 - ClientEncryption has no schemaMap option.