[SERVER-44148] mongod should validate JSON schema keywords that do not have a validation effect
Created: 22/Oct/19  Updated: 05/Dec/22  Resolved: 17/Nov/22

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Ravind Kumar (Inactive)
Assignee: Backlog - Query Optimization
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 4.2.1, Ubuntu 18.04


Issue Links:
Related
Assigned Teams:
Query Optimization
Participants:

 Description   

The mongod server should implement similar validation controls as mongocryptd such that it protects users from submitting a jsonSchema that would result in document validation errors when used as a remote schema by client-side field level encryption-configured clients.

Specifically, if the server-side jsonSchema would be invalid if used as an automatic encryption schema client-side, mongod should throw an error.



 Comments   
Comment by Jacob Evans [ 17/Nov/22 ]

Closing since FLE 2.0 does not use JSON schema for declaring encrypted fields.

Comment by Ravind Kumar (Inactive) [ 25/Oct/19 ]

nicholas.zolnierz

So it turns out this might be a more widespread issue:

 var AutoClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.__dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, "w4+YaEYJc91kI+vi3zID6ryXhQDzRDsoGiV7KczPTbHFKvfg7Ypa0C5gnqB+ybaY+xxl3nYijfhWA0xvMSUO1IzEi3XwpwbH1Zune2AnYuyhq44nXfgn5Yk1rbO0Jxes")
    }
  },
  schemaMap : {
    "hr.employees" : {
      "bsonType" : "object",
      "properties": {
        "taxid": {
            "encrypt" : {
                "keyId" : [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
                "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
            }
        }
      }
    }
  }
}

The code above has an incomplete definition for the encrypt field. However, I can still create a connection with the incorrect schemaMap:

 autoEncryptionCluster = Mongo(
... 
...   "mongodb://192.168.56.11:27017/?replicaSet=warzone",
...   AutoClientSideFieldLevelEncryptionOptions
... 
... )
connection to warzone/192.168.56.11:27017
MongoDB Enterprise warzone:PRIMARY> 
MongoDB Enterprise warzone:PRIMARY> autoEncryptionCluster.getKeyVault()
{
        "mongo" : connection to warzone/192.168.56.11:27017,
        "keyColl" : encryption.__dataKeys
}

I only get an error when I try to perform a write operation:

 MongoDB Enterprise warzone:PRIMARY> autoEncryptionCluster.getDB("hr").getCollection("employees").insertOne({"taxid" : "foo"})
2019-10-25T15:51:29.490-0400 E  QUERY    [js] Error: A deterministically encrypted field must have exactly one specified type. :
runClientFunctionWithRetries@src/mongo/shell/session.js:366:27
runCommand@src/mongo/shell/session.js:460:25
DB.prototype._runCommandImpl@src/mongo/shell/db.js:147:12
DB.prototype.runCommand@src/mongo/shell/db.js:162:16
DBCollection.prototype._dbCommand@src/mongo/shell/collection.js:171:16
executeBatch@src/mongo/shell/bulk_api.js:912:22
Bulk/this.execute@src/mongo/shell/bulk_api.js:1163:21
DBCollection.prototype.insertOne@src/mongo/shell/crud_api.js:264:9
@(shell):1:1

 

cc mark.benvenuto@mongodb.com. As an aside, this somewhat reinforces SERVER-43884, as the returned error does not make it clear at all that the user has an issue with their automatic encryption schema. This is actually made worse if the client is inheriting from the server, as there is no indication that the remote schema is the source of failure.
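
Added example (not part of the ticket and not MongoDB code): a pre-flight lint that flags, before any connection or write, the condition behind the error above, namely a deterministic `encrypt` rule without exactly one `bsonType`. The function names, the sample schema and the placeholder key ids are assumptions; it walks only nested `properties`, ignores `encryptMetadata` inheritance, and does not reproduce mongocryptd's full validation.

```javascript
// Added example: lint an automatic-encryption schemaMap for the rule the
// ticket's error reports ("exactly one specified type" for deterministic fields).
const DETERMINISTIC = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";

// Walk one JSON schema and collect problems for deterministic `encrypt` rules.
function lintSchema(schema, path, problems) {
  if (schema === null || typeof schema !== "object") return problems;
  const enc = schema.encrypt;
  if (enc && typeof enc === "object" && enc.algorithm === DETERMINISTIC) {
    const t = enc.bsonType;
    if (typeof t !== "string") {
      const why = t === undefined ? "no bsonType"
        : Array.isArray(t) ? `${t.length} bsonTypes` : "a non-string bsonType";
      problems.push(`${path}: deterministic encrypt has ${why}, needs exactly one`);
    }
  }
  // Recurse into nested object properties only (assumption: no patternProperties/items).
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    lintSchema(sub, `${path}.${name}`, problems);
  }
  return problems;
}

// Lint every namespace in a schemaMap; returns a list of human-readable findings.
function lintSchemaMap(schemaMap) {
  const problems = [];
  for (const [ns, schema] of Object.entries(schemaMap)) lintSchema(schema, ns, problems);
  return problems;
}

// Constructed sample modelled on the ticket's hr.employees schema.
// Key ids are placeholders, not real data keys.
const KEY = ["<placeholder-key-id>"];
const sampleSchemaMap = {
  "hr.employees": {
    bsonType: "object",
    properties: {
      taxid: { encrypt: { keyId: KEY, algorithm: DETERMINISTIC } },
      contact: {
        bsonType: "object",
        properties: {
          phone: { encrypt: { keyId: KEY, bsonType: ["string", "int"], algorithm: DETERMINISTIC } },
          email: { encrypt: { keyId: KEY, bsonType: "string", algorithm: DETERMINISTIC } },
        },
      },
    },
  },
};

lintSchemaMap(sampleSchemaMap).forEach((finding) => console.log(finding));
```

Running the same check against a schema fetched from the server's collection validator gives the user the remote-schema attribution that the write-time error lacks.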
