MongoDB Shell / MONGOSH-1013

Add tests for CSFLE enhancements

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.3.0
    • Affects Version/s: None
    • Component/s: Field Level Encryption
    • None
    • 3
    • Iteration Wolverhampton, Iteration Xochimilco
    • Needed

      Relevant for documentation: The second argument of the Mongo() constructor now takes an additional tlsOptions field, which is a map of KMSProvider → TLS options, and TLS options in turn refers to any of tlsCertificateKeyFile, tlsCertificateKeyFilePassword and tlsCAFile. Both file options expect filenames, not file contents.

      These options will be used when connecting to the KMS. This applies to all providers, but is particularly relevant for KMIP, since KMIP uses TLS certificate/key as its authentication mechanism.

      As a concrete example, a CSFLE connection using KMIP as the KMS provider can be established using the following:

      const connection = Mongo(url, {
        keyVaultNamespace: 'encryption.__keyVault',
        kmsProviders: { kmip: { endpoint: 'kmip.example.com:123' } },
        tlsOptions: { kmip: { tlsCertificateKeyFile: '/path/to/client/cert-and-key-bundle.pem' } }
      });
      

      Add tests for the following driver changes regarding CSFLE enhancements:

      KMIP support for FLE (NODE-3460) and support HashiCorp Vault as a KMS provider (NODE-3459) (the first ticket should give us the second for free, second is about specifically testing that HashiCorp works)

            Assignee: Anna Henningsen (anna.henningsen@mongodb.com)
            Reporter: Maurizio Casimirri (maurizio.casimirri@mongodb.com)
            Votes: 0
            Watchers: 2

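The documentation note above says tlsOptions is keyed by KMS provider, accepts only three option names, and expects filenames rather than file contents. The following is an added example, not code from the ticket or from mongosh: a pre-flight check for that option shape, where `checkKmsTlsOptions` and both sample configurations are hypothetical and constructed for illustration.

```javascript
// Added example: checkKmsTlsOptions is a hypothetical helper, not a mongosh API.
const TLS_KEYS = ['tlsCertificateKeyFile', 'tlsCertificateKeyFilePassword', 'tlsCAFile'];
const FILE_KEYS = ['tlsCertificateKeyFile', 'tlsCAFile'];

function checkKmsTlsOptions(fleOptions) {
  const problems = [];
  const providers = Object.keys(fleOptions.kmsProviders || {});
  const tlsOptions = fleOptions.tlsOptions || {};

  for (const [provider, opts] of Object.entries(tlsOptions)) {
    // tlsOptions is a map of KMS provider -> TLS options, so a key without a
    // kmsProviders entry is most likely a typo or a leftover.
    if (!providers.includes(provider)) {
      problems.push(`tlsOptions.${provider}: no matching kmsProviders entry`);
    }
    for (const [key, value] of Object.entries(opts)) {
      if (!TLS_KEYS.includes(key)) {
        problems.push(`tlsOptions.${provider}.${key}: not one of the listed TLS options`);
      } else if (FILE_KEYS.includes(key) && /-----BEGIN [A-Z ]+-----/.test(String(value))) {
        // File options take a path; inline PEM text is a common mistake.
        problems.push(`tlsOptions.${provider}.${key}: expects a filename, got PEM contents`);
      }
    }
  }
  // KMIP authenticates the client with its TLS certificate/key.
  if (providers.includes('kmip') && !(tlsOptions.kmip || {}).tlsCertificateKeyFile) {
    problems.push('tlsOptions.kmip.tlsCertificateKeyFile: missing client certificate for KMIP');
  }
  return problems;
}

// Constructed sample: the configuration shown in the documentation note.
const goodConfig = {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProviders: { kmip: { endpoint: 'kmip.example.com:123' } },
  tlsOptions: { kmip: { tlsCertificateKeyFile: '/path/to/client/cert-and-key-bundle.pem' } }
};

// Constructed sample with four mistakes the check should report.
const badConfig = {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProviders: { kmip: { endpoint: 'kmip.example.com:123' } },
  tlsOptions: {
    kmip: { tlsCAFile: '-----BEGIN CERTIFICATE-----\n...', tlsInsecure: true },
    aws: { tlsCAFile: '/path/to/ca.pem' }
  }
};

console.log(checkKmsTlsOptions(goodConfig), checkKmsTlsOptions(badConfig));
```
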