[CDRIVER-4801] CSFLE/QE Support for more than 1 KMS provider per type Created: 20/Dec/23  Updated: 31/Jan/24  Resolved: 31/Jan/24

Status: Closed
Project: C Driver
Component/s: Client Side Encryption
Affects Version/s: None
Fix Version/s: 1.26.0

Type: New Feature Priority: Major - P3
Reporter: PM Bot Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split from DRIVERS-2731 CSFLE/QE Support for more than 1 KMS ... Implementing
Related
is related to PHPLIB-1328 CSFLE/QE Support for more than 1 KMS ... Needs Triage
Upstream Changes Summary:

DRIVERS-2731:

Summary

Driver Changes

Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders, KMSProvidersTLSOptions, ClientEncryption.createDataKey(), and RewrapManyDataKeyOpts.provider.

"Can current drivers accept arbitrary strings for KMS identifier?" suggests that Node and Rust will need API changes.

Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map.

Test Changes

Specification tests are added. This introduces use of the encrypt and decrypt operations in the unified test format.

The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders.

Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1.

The name1 KMS providers may be configured exactly as the unnamed KMS providers, i.e. aws:name1 is configured the same as aws.

To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2.

Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers.

References

https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests.

https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.


Description

This ticket was split from DRIVERS-2731, please see that ticket for a detailed description.



Comments
Comment by Githook User [ 31/Jan/24 ]

Author: Kevin Albertson <kevin.albertson@mongodb.com> (kevinAlbs)

Message: CDRIVER-4801 support named KMS providers (#1509)

  • copy in new unified tests
  • copy in new legacy spec test
  • add new KMS providers to test runner
    add partial support for JSON schema 1.18
  • implement `encrypt` and `decrypt` operations in unified test runner
  • export env vars in run-tests.sh
  • update prose test 11 for named KMS providers
  • add map for TLS options
    Required to configure TLS options on named KMS providers
  • update docs to reflect spec terminology
    KMS provider is specified with string `<KMS provider type>` or `<KMS provider type>:<KMS provider name>`
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/b34cd2b5602e522428bada2a691c229b88d41f5b

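As an added illustration (not code from the C driver or from PR #1509), the following C function parses and validates a KMS provider identifier of the form `<KMS provider type>` or `<KMS provider type>:<KMS provider name>` described in the commit message above, so that e.g. `aws:name1` can be routed to the same handling as `aws` while unknown types or empty names are rejected before any credential lookup. Limiting provider names to `[A-Za-z0-9_]` is an assumption made here, not something this ticket states.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* KMS provider types recognised by CSFLE/QE. */
static const char *const KMS_TYPES[] = {"aws", "azure", "gcp", "kmip", "local"};

typedef struct {
   char type[8];  /* e.g. "aws" */
   char name[64]; /* e.g. "name1"; empty string for the unnamed provider */
} kms_provider_id_t;

/* Split "<type>" or "<type>:<name>" into its parts.
 * Returns false for an unknown type, an empty name after the colon, a name
 * too long for the buffer, or a name containing characters outside
 * [A-Za-z0-9_] (assumed character set, see lead-in). */
bool kms_provider_id_parse (const char *id, kms_provider_id_t *out)
{
   const char *colon = strchr (id, ':');
   size_t type_len = colon ? (size_t) (colon - id) : strlen (id);
   const char *name;
   size_t name_len, i;
   bool known = false;

   for (i = 0; i < sizeof KMS_TYPES / sizeof KMS_TYPES[0]; i++) {
      if (strlen (KMS_TYPES[i]) == type_len && strncmp (KMS_TYPES[i], id, type_len) == 0) {
         known = true;
         break;
      }
   }
   if (!known) {
      return false; /* e.g. "vault" or "awsx": not a supported type */
   }
   memcpy (out->type, id, type_len);
   out->type[type_len] = '\0';
   out->name[0] = '\0';
   if (!colon) {
      return true; /* unnamed provider, e.g. "aws" */
   }
   name = colon + 1;
   name_len = strlen (name);
   if (name_len == 0 || name_len >= sizeof out->name) {
      return false; /* "aws:" has no name; overly long names are refused */
   }
   for (i = 0; i < name_len; i++) {
      if (!isalnum ((unsigned char) name[i]) && name[i] != '_') {
         return false;
      }
   }
   memcpy (out->name, name, name_len + 1);
   return true;
}
```

Configuration for a named provider is looked up by the full string (`aws:name1`), while `out->type` selects the AWS, Azure, GCP, KMIP or local code path.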
Generated at Wed Feb 07 21:21:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.