[SERVER-63643] Generate implicit json schema for create collection with encrypted fields
Created: 14/Feb/22  Updated: 29/Oct/23  Resolved: 18/Mar/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.0-rc0

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Erwin Pe
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
causes SERVER-64734 Coverity analysis defect 121905: Free... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2022-03-07, Security 2022-03-21
Participants:

 Description   

In FLE 1, users could declare a schema. This would tell the client what to encrypt and give the server a schema validator.
For FLE 2 we still want a server-side schema, but it is to be implicitly generated from the users' encryption fields in their collection.

1. CollectionImpl::parseValidator will generate a match expression in C++ code that mirrors the match expression that FLE 1 generates, with one difference
– InternalSchemaBinDataEncryptedTypeExpression, or a new class like it, will be used instead that will disallow all FLE 1 types and FLE 2 client-side payloads
2. The match expression will be generated from the encryptFields information
3. The user's match jsonSchema validator will be parsed with kEncryptKeywords OFF to prevent users from using FLE1.

A likely implementation is to first build a tree from a list of encryption fields and then serialize the tree to a match expression tree.

Example FLE1 JSON Schema:
The internal generated tree can be seen by running .explain()

print(tojson(db.foo.find({
    $jsonSchema: {
        "type": "object",
        "properties": {
            "ssn": {
                "encrypt": {
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                    "keyId": [
                        UUID("1362d0ed-6182-478e-bb8a-ebcc53b91aa1")
                    ],
                    "bsonType": "int"
                }
            },
            "user": {
                "type": "object",
                "properties": {
                    "account": {
                        "encrypt": {
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
                            "keyId": [
                                UUID("93282c77-9a6b-47cf-9c4c-beda02730881")
                            ],
                            "bsonType": "string"
                        }
                    }
                }
            }
        }
    }
}).explain()));
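
The two-step approach the description calls a likely implementation (build a tree from the list of encryption fields, then serialize it), sketched as an added example that is not part of the ticket or the server's code. The `{ path, bsonType }` input shape and the `fle2Encrypted` leaf marker are assumptions; the marker stands in for the server's internal encrypted-type expression.

```javascript
// Added example. SAMPLE_FIELDS is constructed; its paths and types follow the
// FLE 1 example above. The { path, bsonType } input shape and the
// "fle2Encrypted" leaf marker are assumptions, not the server's format.
const SAMPLE_FIELDS = [
  { path: "ssn", bsonType: "int" },
  { path: "user.account", bsonType: "string" },
];

const newNode = () => ({ children: new Map(), leaf: null });

// Step 1: turn the flat list of dotted paths into a tree.
function buildFieldTree(fields) {
  const root = newNode();
  for (const { path, bsonType } of fields) {
    let node = root;
    for (const part of path.split(".")) {
      if (part === "") throw new Error(`empty component in "${path}"`);
      // An encrypted value is opaque, so nothing can be declared beneath it.
      if (node.leaf) throw new Error(`"${path}" is under an encrypted field`);
      if (!node.children.has(part)) node.children.set(part, newNode());
      node = node.children.get(part);
    }
    // Reject duplicates and paths that are a prefix of an earlier one.
    if (node.leaf || node.children.size > 0) {
      throw new Error(`"${path}" conflicts with another encrypted field`);
    }
    node.leaf = { bsonType };
  }
  return root;
}

// Step 2: serialize the tree into the nested object/properties layout.
function serializeTree(node) {
  if (node.leaf) return { fle2Encrypted: { ...node.leaf } };
  const properties = {};
  for (const [name, child] of node.children) {
    properties[name] = serializeTree(child);
  }
  return { type: "object", properties };
}

function implicitLayout(fields) {
  return serializeTree(buildFieldTree(fields));
}
```

Building the tree first is what makes overlapping declarations such as `user` and `user.account` detectable before any validator is generated.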



 Comments   
Comment by Githook User [ 18/Mar/22 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-63643 Generate implicit schema for create collection with encrypted fields
Branch: master
https://github.com/mongodb/mongo/commit/30397bf89b731cddd953b6c17a91c91c57dcc1a5

Comment by Githook User [ 18/Mar/22 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-63643 Generate implicit schema for create collection with encrypted fields
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/b6c3aad88c1cb7f6115ddbe787ee8bd0db8c10e9
