Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-1013

Add tests for CSFLE enhancements

    XMLWordPrintableJSON

Details

    • Icon: Task Task
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • 1.3.0
    • None
    • Field Level Encryption
    • None
    • 3
    • Needed
    • Hide

      Relevant for documentation: The second argument of the Mongo() constructor now takes an additional tlsOptions field, which is a map of KMSProvider → TLS options, and TLS options in turn refers to any of tlsCertificateKeyFile, tlsCertificateKeyFilePassword and tlsCAFile. Both file options expect filenames, not file contents.

      These options will be used when connecting to the KMS. This applies to all providers, but is particularly relevant for KMIP, since KMIP uses TLS certificate/key as its authentication mechanism.

      As a concrete example, a CSFLE connection using KMIP as the KMS provider can be established using the following:

      const connection = Mongo(url, {
      		 
        keyVaultNamespace: 'encryption.__keyVault',
      		 
        kmsProviders: { kmip: { endpoint: 'kmip.example.com:123' } },
      		 
        tlsOptions: { kmip: { tlsCertificateKeyFile: '/path/to/client/cert-and-key-bundle.pem' } }
      		 
      });

      Show
      Relevant for documentation: The second argument of the Mongo() constructor now takes an additional tlsOptions field, which is a map of KMSProvider → TLS options, and TLS options in turn refers to any of tlsCertificateKeyFile , tlsCertificateKeyFilePassword and tlsCAFile . Both file options expect filenames, not file contents. These options will be used when connecting to the KMS. This applies to all providers, but is particularly relevant for KMIP, since KMIP uses TLS certificate/key as its authentication mechanism. As a concrete example, a CSFLE connection using KMIP as the KMS provider can be established using the following: const connection = Mongo(url, { keyVaultNamespace: 'encryption.__keyVault', kmsProviders: { kmip: { endpoint: 'kmip.example.com:123' } }, tlsOptions: { kmip: { tlsCertificateKeyFile: '/path/to/client/cert-and-key-bundle.pem' } } });
    • Iteration Wolverhampton, Iteration Xochimilco

    Description

      Add tests for the following driver changes regarding CSFLE enhancements:

      KMIP support for FLE (NODE-3460) and support Hashicorp Vault as a KMS provider (NODE-3459) (the first ticket should give us the second for free, second is about specifically testing that Hashicorp works)

      Attachments

        Activity

          People

            anna.henningsen@mongodb.com Anna Henningsen
            maurizio.casimirri@mongodb.com Maurizio Casimirri
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: