[SERVER-77040] Append API version fields to root of explain command Created: 11/May/23  Updated: 29/Oct/23  Resolved: 02/Jun/23

Status: Closed
Project: Core Server
Component/s: Field Level Encryption
Affects Version/s: None
Fix Version/s: 7.1.0-rc0, 7.0.0-rc4

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File explain-with-apiVersion.json     File test-with-mongocryptd.js     File test-with-mongod.js    
Issue Links:
Backports
Depends
is depended on by DRIVERS-2612 Bump minServerVersion for CSFLE deter... Implementing
Related
is related to SERVER-58293 mongocryptd does not include server A... Closed
is related to SERVER-69564 Query analysis omits version API fiel... Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0
Steps To Reproduce:

The markup.py script can be used to test crypt_shared:

% cat explain-with-apiVersion.json | markup.py --libpath ~/bin/mongodl/crypt_shared/7.0.0-rc0/lib/mongo_crypt_v1.dylib 
{
    "hasEncryptionPlaceholders": false,
    "schemaRequiresEncryption": false,
    "result": {
        "explain": {
            "find": "default",
            "filter": {},
            "apiVersion": "1",
            "apiDeprecationErrors": true,
            "apiStrict": "true"
        },
        "verbosity": "allPlansExecution"
    }
}

test-with-mongocryptd.js can be run with mongosh:

% mongosh --port 27020 test-with-mongocryptd.js --quiet
Using version: 7.0.0-rc0
{
  hasEncryptionPlaceholders: false,
  schemaRequiresEncryption: false,
  result: {
    explain: {
      find: 'default',
      filter: {}
    },
    verbosity: 'allPlansExecution',
    apiVersion: '1'
  },
  ok: 1
}

Sprint: Security 2023-05-29, Security 2023-06-12
Participants:

 Description   

Request

Add API version fields (apiVersion, apiDeprecationErrors, and apiStrict) to the root of the explain command in the response from crypt_shared and mongocryptd.

In crypt_shared, the fields are appended inside the explain document:

% cat explain-with-apiVersion.json | markup.py --libpath ~/bin/mongodl/crypt_shared/7.0.0-rc0/lib/mongo_crypt_v1.dylib 
{
    "hasEncryptionPlaceholders": false,
    "schemaRequiresEncryption": false,
    "result": {
        "explain": {
            "find": "default",
            "filter": {},
            "apiVersion": "1",
            "apiDeprecationErrors": true,
            "apiStrict": "true"
        },
        "verbosity": "allPlansExecution"
    }
}

In mongocryptd, the apiStrict and apiDeprecationErrors fields do not appear to be appended:

% mongosh --port 27020 test-with-mongocryptd.js --quiet
Using version: 7.0.0-rc0
{
  hasEncryptionPlaceholders: false,
  schemaRequiresEncryption: false,
  result: {
    explain: {
      find: 'default',
      filter: {}
    },
    verbosity: 'allPlansExecution',
    apiVersion: '1'
  },
  ok: 1
}

mongod appears to ignore the nested API version fields, resulting in an error when mongod is configured with requireApiVersion=1:

% mongosh test-with-mongod.js --quiet
Using version: 7.0.0-rc0
got exception: The apiVersion parameter is required, please configure your MongoClient's API version

The expected result is to include the API version fields at the root of the explain command:

{
    "hasEncryptionPlaceholders": false,
    "schemaRequiresEncryption": false,
    "result": {
        "explain": {
            "find": "default",
            "filter": {}
        },
        "apiVersion": "1",
        "apiDeprecationErrors": true,
        "apiStrict": "true",
        "verbosity": "allPlansExecution"
    }
}

If the API version fields are nested, mongod appears to ignore them.

Background & Motivation

Drivers testing CSFLE with explain with requireApiVersion=1 may fail with an error: PHPLIB-947. Some drivers (Go) append the API version fields after encryption, and are not impacted by this bug.


Generated at Thu Feb 08 06:34:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.