diff --git a/src/action/csfle/encrypt.rs b/src/action/csfle/encrypt.rs index 601cacaa0..5a6252541 100644 --- a/src/action/csfle/encrypt.rs +++ b/src/action/csfle/encrypt.rs @@ -33,12 +33,16 @@ impl ClientEncryption { } } - /// NOTE: This method is experimental only. It is not intended for public use. + /// Encrypts a Match Expression or Aggregate Expression to query a range index. + /// `expression` is expected to be a BSON document of one of the following forms: + /// 1. A Match Expression of this form: + /// {$and: [{: {$gt: }}, {: {$lt: }}]} + /// 2. An Aggregate Expression of this form: + /// {$and: [{$gt: [, ]}, {$lt: [, ]}] + /// $gt may also be $gte. $lt may also be $lte. /// - /// Encrypts a match or aggregate expression with the given key. - /// - /// The expression will be encrypted using the [`Algorithm::RangePreview`] algorithm and the - /// "rangePreview" query type. + /// The expression will be encrypted using the [`Algorithm::Range`] algorithm and the + /// "range" query type. /// /// `await` will return a d[`Result`] containing the encrypted expression. #[deeplink] @@ -51,10 +55,9 @@ impl ClientEncryption { client_enc: self, mode: Expression { value: expression }, key: key.into(), - #[allow(deprecated)] - algorithm: Algorithm::RangePreview, + algorithm: Algorithm::Range, options: Some(EncryptOptions { - query_type: Some("rangePreview".into()), + query_type: Some("range".into()), ..Default::default() }), } @@ -109,19 +112,16 @@ pub struct EncryptOptions { pub contention_factor: Option, /// The query type. pub query_type: Option, - /// NOTE: This method is experimental and not intended for public use. - /// - /// Set the range options. This method should only be called when the algorithm is - /// [`Algorithm::RangePreview`]. + /// Set the range options. This should only be set when the algorithm is + /// [`Algorithm::Range`]. pub range_options: Option, } -/// NOTE: These options are experimental and not intended for public use. -/// -/// The index options for a Queryable Encryption field supporting "rangePreview" queries. +/// The index options for a Queryable Encryption field supporting "range" queries. /// The options set must match the values set in the encryptedFields of the destination collection. #[skip_serializing_none] #[derive(Clone, Default, Debug, Serialize, TypedBuilder)] +#[serde(rename_all = "camelCase")] #[builder(field_defaults(default, setter(into)))] #[non_exhaustive] pub struct RangeOptions { @@ -131,6 +131,9 @@ pub struct RangeOptions { /// The maximum value. This option must be set if `precision` is set. pub max: Option, + /// The trim factor. + pub trim_factor: i32, + /// The sparsity. pub sparsity: i64, diff --git a/src/client/csfle.rs b/src/client/csfle.rs index 0bf39512c..de45a6277 100644 --- a/src/client/csfle.rs +++ b/src/client/csfle.rs @@ -99,7 +99,8 @@ impl ClientState { fn make_crypt(opts: &AutoEncryptionOptions) -> Result { let mut builder = Crypt::builder() .kms_providers(&opts.kms_providers.credentials_doc()?)? - .use_need_kms_credentials_state(); + .use_need_kms_credentials_state() + .use_range_v2()?; if let Some(m) = &opts.schema_map { builder = builder.schema_map(&bson::to_document(m)?)?; } diff --git a/src/client/csfle/client_encryption.rs b/src/client/csfle/client_encryption.rs index 489dddeb0..9b5999faa 100644 --- a/src/client/csfle/client_encryption.rs +++ b/src/client/csfle/client_encryption.rs @@ -63,6 +63,7 @@ impl ClientEncryption { let crypt = Crypt::builder() .kms_providers(&kms_providers.credentials_doc()?)? .use_need_kms_credentials_state() + .use_range_v2()? .build()?; let exec = CryptExecutor::new_explicit( key_vault_client.weak(), diff --git a/src/test/csfle.rs b/src/test/csfle.rs index 874201ca9..cf9f60876 100644 --- a/src/test/csfle.rs +++ b/src/test/csfle.rs @@ -2977,19 +2977,20 @@ async fn range_explicit_encryption() -> Result<()> { return Ok(()); } let client = TestClient::new().await; - if client.server_version_lt(6, 2) || client.server_version_gte(8, 0) || client.is_standalone() { + if client.server_version_lt(8, 0) || client.is_standalone() { log_uncaptured("Skipping range_explicit_encryption due to unsupported topology"); return Ok(()); } range_explicit_encryption_test( "DecimalNoPrecision", - RangeOptions::builder().sparsity(1).build(), + RangeOptions::builder().sparsity(1).trim_factor(1).build(), ) .await?; range_explicit_encryption_test( "DecimalPrecision", RangeOptions::builder() + .trim_factor(1) .sparsity(1) .min(Bson::Decimal128("0".parse()?)) .max(Bson::Decimal128("200".parse()?)) @@ -2999,12 +3000,13 @@ async fn range_explicit_encryption() -> Result<()> { .await?; range_explicit_encryption_test( "DoubleNoPrecision", - RangeOptions::builder().sparsity(1).build(), + RangeOptions::builder().trim_factor(1).sparsity(1).build(), ) .await?; range_explicit_encryption_test( "DoublePrecision", RangeOptions::builder() + .trim_factor(1) .sparsity(1) .min(Bson::Double(0.0)) .max(Bson::Double(200.0)) @@ -3015,6 +3017,7 @@ async fn range_explicit_encryption() -> Result<()> { range_explicit_encryption_test( "Date", RangeOptions::builder() + .trim_factor(1) .sparsity(1) .min(Bson::DateTime(DateTime::from_millis(0))) .max(Bson::DateTime(DateTime::from_millis(200))) @@ -3024,6 +3027,7 @@ async fn range_explicit_encryption() -> Result<()> { range_explicit_encryption_test( "Int", RangeOptions::builder() + .trim_factor(1) .sparsity(1) .min(Bson::Int32(0)) .max(Bson::Int32(200)) @@ -3033,6 +3037,7 @@ async fn range_explicit_encryption() -> Result<()> { range_explicit_encryption_test( "Long", RangeOptions::builder() + .trim_factor(1) .sparsity(1) .min(Bson::Int64(0)) .max(Bson::Int64(200)) @@ -3114,12 +3119,7 @@ async fn range_explicit_encryption_test( for (id, num) in bson_numbers.keys().enumerate() { let encrypted_value = client_encryption - .encrypt( - bson_numbers[num].clone(), - key1_id.clone(), - #[allow(deprecated)] - Algorithm::RangePreview, - ) + .encrypt(bson_numbers[num].clone(), key1_id.clone(), Algorithm::Range) .contention_factor(0) .range_options(range_options.clone()) .await?; @@ -3134,12 +3134,7 @@ async fn range_explicit_encryption_test( // Case 1: Decrypt a payload let insert_payload = client_encryption - .encrypt( - bson_numbers[&6].clone(), - key1_id.clone(), - #[allow(deprecated)] - Algorithm::RangePreview, - ) + .encrypt(bson_numbers[&6].clone(), key1_id.clone(), Algorithm::Range) .contention_factor(0) .range_options(range_options.clone()) .await?; @@ -3250,9 +3245,8 @@ async fn range_explicit_encryption_test( // Case 6: Encrypting a document greater than the maximum errors if bson_type != "DoubleNoPrecision" && bson_type != "DecimalNoPrecision" { let num = get_raw_bson_from_num(bson_type, 201); - #[allow(deprecated)] let error = client_encryption - .encrypt(num, key1_id.clone(), Algorithm::RangePreview) + .encrypt(num, key1_id.clone(), Algorithm::Range) .contention_factor(0) .range_options(range_options.clone()) .await @@ -3267,9 +3261,8 @@ async fn range_explicit_encryption_test( } else { rawdoc! { &key: { "$numberInt": "6" } } }; - #[allow(deprecated)] let error = client_encryption - .encrypt(value, key1_id.clone(), Algorithm::RangePreview) + .encrypt(value, key1_id.clone(), Algorithm::Range) .contention_factor(0) .range_options(range_options.clone()) .await @@ -3286,12 +3279,7 @@ async fn range_explicit_encryption_test( .precision(2) .build(); let error = client_encryption - .encrypt( - bson_numbers[&6].clone(), - key1_id.clone(), - #[allow(deprecated)] - Algorithm::RangePreview, - ) + .encrypt(bson_numbers[&6].clone(), key1_id.clone(), Algorithm::Range) .contention_factor(0) .range_options(range_options) .await diff --git a/src/test/spec/json/client-side-encryption/README.md b/src/test/spec/json/client-side-encryption/README.md new file mode 100644 index 000000000..fa7d73d8e --- /dev/null +++ b/src/test/spec/json/client-side-encryption/README.md @@ -0,0 +1,3212 @@ +# Client Side Encryption Tests + +______________________________________________________________________ + +## Introduction + +This document describes the format of the driver spec tests included in the JSON and YAML files included in the `legacy` +sub-directory. Tests in the `unified` directory are written using the +[Unified Test Format](../../unified-test-format/unified-test-format.md). + +The `timeoutMS.yml`/`timeoutMS.json` files in this directory contain tests for the `timeoutMS` option and its +application to the client-side encryption feature. Drivers MUST only run these tests after implementing the +[Client Side Operations Timeout](../../client-side-operations-timeout/client-side-operations-timeout.md) specification. + +Additional prose tests, that are not represented in the spec tests, are described and MUST be implemented by all +drivers. + +Running spec and prose tests require that the driver and server both support Client-Side Field Level Encryption. CSFLE +is supported when all of the following are true: + +- Server version is 4.2.0 or higher. Legacy spec test runners can rely on `runOn.minServerVersion` for this check. +- Driver has libmongocrypt enabled +- At least one of [crypt_shared](../client-side-encryption.rst#crypt_shared) and/or + [mongocryptd](../client-side-encryption.rst#mongocryptd) is available. + +## Spec Test Format + +The spec tests format is an extension of the +[transactions spec legacy test format](../../transactions/tests/legacy-test-format.md) with some additions: + +- A `json_schema` to set on the collection used for operations. +- An `encrypted_fields` to set on the collection used for operations. +- A `key_vault_data` of data that should be inserted in the key vault collection before each test. +- Introduction `autoEncryptOpts` to `clientOptions` +- Addition of `$db`to command in`command_started_event` +- Addition of `$$type` to `command_started_event` and outcome. + +The semantics of `$$type` is that any actual value matching one of the types indicated by either a BSON type string or +an array of BSON type strings is considered a match. + +For example, the following matches a command_started_event for an insert of a document where `random` must be of type +`binData`: + +``` +- command_started_event: + command: + insert: *collection_name + documents: + - { random: { $$type: "binData" } } + ordered: true + command_name: insert +``` + +The following matches a command_started_event for an insert of a document where `random` must be of type `binData` or +`string`: + +``` +- command_started_event: + command: + insert: *collection_name + documents: + - { random: { $$type: ["binData", "string"] } } + ordered: true + command_name: insert +``` + +The values of `$$type` correspond to +[these documented string representations of BSON types](https://www.mongodb.com/docs/manual/reference/bson-types/). + +Each YAML file has the following keys: + +- `runOn` Unchanged from Transactions spec tests. +- `database_name` Unchanged from Transactions spec tests. +- `collection_name` Unchanged from Transactions spec tests. +- `data` Unchanged from Transactions spec tests. +- `json_schema` A JSON Schema that should be set on the collection (using `createCollection`) before each test run. +- `encrypted_fields` An encryptedFields option that should be set on the collection (using `createCollection`) before + each test run. +- `key_vault_data` The data that should exist in the key vault collection under test before each test run. +- `tests`: An array of tests that are to be run independently of each other. Each test will have some or all of the + following fields: + - `description`: Unchanged from Transactions spec tests. + - `skipReason`: Unchanged from Transactions spec tests. + - `useMultipleMongoses`: Unchanged from Transactions spec tests. + - `failPoint`: Unchanged from Transactions spec tests. + - `clientOptions`: Optional, parameters to pass to MongoClient(). + - `autoEncryptOpts`: Optional + - `kmsProviders` A dictionary of KMS providers to set on the key vault ("aws" or "local") + - `aws` The AWS KMS provider. An empty object. Drivers MUST fill in AWS credentials (`accessKeyId`, + `secretAccessKey`) from the environment. + - `azure` The Azure KMS provider credentials. An empty object. Drivers MUST fill in Azure credentials + (`tenantId`, `clientId`, and `clientSecret`) from the environment. + - `gcp` The GCP KMS provider credentials. An empty object. Drivers MUST fill in GCP credentials (`email`, + `privateKey`) from the environment. + - `local` or `local:name2` The local KMS provider. + - `key` A 96 byte local key. + - `kmip` The KMIP KMS provider credentials. An empty object. Drivers MUST fill in KMIP credentials (`endpoint`, + and TLS options). + - `schemaMap`: Optional, a map from namespaces to local JSON schemas. + - `keyVaultNamespace`: Optional, a namespace to the key vault collection. Defaults to "keyvault.datakeys". + - `bypassAutoEncryption`: Optional, a boolean to indicate whether or not auto encryption should be bypassed. + Defaults to `false`. + - `encryptedFieldsMap` An optional document. The document maps collection namespace to `EncryptedFields` + documents. + - `operations`: Array of documents, each describing an operation to be executed. Each document has the following + fields: + - `name`: Unchanged from Transactions spec tests. + - `object`: Unchanged from Transactions spec tests.. Defaults to "collection" if omitted. + - `collectionOptions`: Unchanged from Transactions spec tests. + - `command_name`: Unchanged from Transactions spec tests. + - `arguments`: Unchanged from Transactions spec tests. + - `result`: Same as the Transactions spec test format with one addition: if the operation is expected to return an + error, the `result` document may contain an `isTimeoutError` boolean field. If `true`, the test runner MUST assert + that the error represents a timeout due to the use of the `timeoutMS` option. If `false`, the test runner MUST + assert that the error does not represent a timeout. + - `expectations`: Unchanged from Transactions spec tests. + - `outcome`: Unchanged from Transactions spec tests. + +## Credentials + +Test credentials are available in AWS Secrets Manager. See + for more background +on how the secrets are managed. + +Test credentials to KMS are located in "drivers/csfle". + +Test credentials to create environments are available in "drivers/gcpkms" and "drivers/azurekms". + +## Use as integration tests + +Do the following before running spec tests: + +- If available for the platform under test, obtain a [crypt_shared](../client-side-encryption.rst#crypt_shared) binary + and place it in a location accessible to the tests. Refer to: [Using crypt_shared](#using-crypt_shared) +- Start the mongocryptd process. +- Start a mongod process with **server version 4.2.0 or later**. +- Place credentials somewhere in the environment outside of tracked code. (If testing on evergreen, project variables + are a good place). +- Start a KMIP test server on port 5698 by running + [drivers-evergreen-tools/.evergreen/csfle/kms_kmip_server.py](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_kmip_server.py). + +Load each YAML (or JSON) file using a Canonical Extended JSON parser. + +If the test file name matches the regular expression `fle2-Range-.*-Correctness`, drivers MAY skip the test on macOS. +The `fle2-Range` tests are very slow on macOS and do not provide significant additional test coverage. + +Then for each element in `tests`: + +1. If the `skipReason` field is present, skip this test completely. + +2. If the `key_vault_data` field is present: + + 1. Drop the `keyvault.datakeys` collection using writeConcern "majority". + 2. Insert the data specified into the `keyvault.datakeys` with write concern "majority". + +3. Create a MongoClient. + +4. Create a collection object from the MongoClient, using the `database_name` and `collection_name` fields from the YAML + file. Drop the collection with writeConcern "majority". If a `json_schema` is defined in the test, use the + `createCollection` command to explicitly create the collection: + + ```typescript + {"create": , "validator": {"$jsonSchema": }} + ``` + + If `encrypted_fields` is defined in the test, the required collections and index described in + [Create and Drop Collection Helpers](../client-side-encryption.md#queryable-encryption-create-and-drop-collection-helpers) + must be created: + + - Use the `dropCollection` helper with `encrypted_fields` as an option and writeConcern "majority". + - Use the `createCollection` helper with `encrypted_fields` as an option. + +5. If the YAML file contains a `data` array, insert the documents in `data` into the test collection, using writeConcern + "majority". + +6. Create a **new** MongoClient using `clientOptions`. + + 1. If `autoEncryptOpts` includes `aws`, `awsTemporary`, `awsTemporaryNoSessionToken`, `azure`, `gcp`, and/or `kmip` + as a KMS provider, pass in credentials from the environment. + - `awsTemporary`, and `awsTemporaryNoSessionToken` require temporary AWS credentials. These can be retrieved using + the csfle + [set-temp-creds.sh](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/master/.evergreen/csfle) + script. + + - `aws`, `awsTemporary`, and `awsTemporaryNoSessionToken` are mutually exclusive. + + `aws` should be substituted with: + + ```javascript + "aws": { + "accessKeyId": , + "secretAccessKey": + } + ``` + + `awsTemporary` should be substituted with: + + ```javascript + "aws": { + "accessKeyId": , + "secretAccessKey": + "sessionToken": + } + ``` + + `awsTemporaryNoSessionToken` should be substituted with: + + ```javascript + "aws": { + "accessKeyId": , + "secretAccessKey": + } + ``` + + `gcp` should be substituted with: + + ```javascript + "gcp": { + "email": , + "privateKey": , + } + ``` + + `azure` should be substituted with: + + ```javascript + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + } + ``` + + `local` should be substituted with: + + ```javascript + "local": { "key": } + ``` + + `kmip` should be substituted with: + + ```javascript + "kmip": { "endpoint": "localhost:5698" } + ``` + + Configure KMIP TLS connections to use the following options: + + - `tlsCAFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). + This MAY be configured system-wide. + - `tlsCertificateKeyFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem). + + The method of passing TLS options for KMIP TLS connections is driver dependent. + 2. If `autoEncryptOpts` does not include `keyVaultNamespace`, default it to `keyvault.datakeys`. + +7. For each element in `operations`: + + - Enter a "try" block or your programming language's closest equivalent. + + - Create a Database object from the MongoClient, using the `database_name` field at the top level of the test file. + + - Create a Collection object from the Database, using the `collection_name` field at the top level of the test file. + If `collectionOptions` is present create the Collection object with the provided options. Otherwise create the + object with the default options. + + - Execute the named method on the provided `object`, passing the arguments listed. + + - If the driver throws an exception / returns an error while executing this series of operations, store the error + message and server error code. + + - If the result document has an "errorContains" field, verify that the method threw an exception or returned an + error, and that the value of the "errorContains" field matches the error string. "errorContains" is a substring + (case-insensitive) of the actual error message. + + If the result document has an "errorCodeName" field, verify that the method threw a command failed exception or + returned an error, and that the value of the "errorCodeName" field matches the "codeName" in the server error + response. + + If the result document has an "errorLabelsContain" field, verify that the method threw an exception or returned an + error. Verify that all of the error labels in "errorLabelsContain" are present in the error or exception using the + `hasErrorLabel` method. + + If the result document has an "errorLabelsOmit" field, verify that the method threw an exception or returned an + error. Verify that none of the error labels in "errorLabelsOmit" are present in the error or exception using the + `hasErrorLabel` method. + + - If the operation returns a raw command response, eg from `runCommand`, then compare only the fields present in the + expected result document. Otherwise, compare the method's return value to `result` using the same logic as the CRUD + Spec Tests runner. + +8. If the test includes a list of command-started events in `expectations`, compare them to the actual command-started + events using the same logic as the + [Command Monitoring spec legacy test runner](https://github.com/mongodb/specifications/blob/09ee1ebc481f1502e3246971a9419e484d736207/source/command-monitoring/tests/README.rst). + +9. For each element in `outcome`: + + - If `name` is "collection", create a new MongoClient *without encryption* and verify that the test collection + contains exactly the documents in the `data` array. Ensure this find reads the latest data by using **primary read + preference** with **local read concern** even when the MongoClient is configured with another read preference or + read concern. + +The spec test MUST be run with *and* without auth. + +## Using `crypt_shared` + +On platforms where [crypt_shared](../client-side-encryption.rst#crypt_shared) is available, drivers should prefer to +test with the `crypt_shared` library instead of spawning mongocryptd. + +[crypt_shared](../client-side-encryption.rst#crypt_shared) is released alongside the server. +[crypt_shared](../client-side-encryption.rst#crypt_shared) is only available in versions 6.0 and above. + +mongocryptd is released alongside the server. mongocryptd is available in versions 4.2 and above. + +Drivers MUST run all tests with mongocryptd on at least one platform for all tested server versions. + +Drivers MUST run all tests with [crypt_shared](../client-side-encryption.rst#crypt_shared) on at least one platform for +all tested server versions. For server versions \< 6.0, drivers MUST test with the latest major release of +[crypt_shared](../client-side-encryption.rst#crypt_shared). Using the latest major release of +[crypt_shared](../client-side-encryption.rst#crypt_shared) is supported with older server versions. + +Note that some tests assert on mongocryptd-related behaviors (e.g. the `mongocryptdBypassSpawn` test). + +Drivers under test should load the [crypt_shared](../client-side-encryption.rst#crypt_shared) library using either the +`cryptSharedLibPath` public API option (as part of the AutoEncryption `extraOptions`), or by setting a special search +path instead. + +Some tests will require *not* using [crypt_shared](../client-side-encryption.rst#crypt_shared). For such tests, one +should ensure that `crypt_shared` will not be loaded. Refer to the client-side-encryption documentation for information +on "disabling" `crypt_shared` and setting library search paths. + +> [!NOTE] +> The [crypt_shared](../client-side-encryption.rst#crypt_shared) dynamic library can be obtained using the +> [mongodl](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/mongodl.py) Python script +> from [drivers-evergreen-tools](https://github.com/mongodb-labs/drivers-evergreen-tools/): +> +> ```shell +> $ python3 mongodl.py --component=crypt_shared --version= --out=./crypt_shared/ +> ``` +> +> Other versions of `crypt_shared` are also available. Please use the `--list` option to see versions. + +## Prose Tests + +Tests for the ClientEncryption type are not included as part of the YAML tests. + +In the prose tests LOCAL_MASTERKEY refers to the following base64: + +```javascript +Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk +``` + +Perform all applicable operations on key vault collections (e.g. inserting an example data key, or running a find +command) with readConcern/writeConcern "majority". + +### 1. Custom Key Material Test + +1. Create a `MongoClient` object (referred to as `client`). +2. Using `client`, drop the collection `keyvault.datakeys`. +3. Create a `ClientEncryption` object (referred to as `client_encryption`) with `client` set as the `keyVaultClient`. +4. Using `client_encryption`, create a data key with a `local` KMS provider and the following custom key material (given + as base64): + +```javascript +xPTAjBRG5JiPm+d3fj6XLi2q5DMXUS/f1f+SMAlhhwkhDRL0kr8r9GDLIGTAGlvC+HVjSIgdL+RKwZCvpXSyxTICWSXTUYsWYPyu3IoHbuBZdmw2faM3WhcRIgbMReU5 +``` + +1. Find the resulting key document in `keyvault.datakeys`, save a copy of the key document, then remove the key document + from the collection. +2. Replace the `_id` field in the copied key document with a UUID with base64 value `AAAAAAAAAAAAAAAAAAAAAA==` (16 bytes + all equal to `0x00`) and insert the modified key document into `keyvault.datakeys` with majority write concern. +3. Using `client_encryption`, encrypt the string `"test"` with the modified data key using the + `AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic` algorithm and assert the resulting value is equal to the following + (given as base64): + +```javascript +AQAAAAAAAAAAAAAAAAAAAAACz0ZOLuuhEYi807ZXTdhbqhLaS2/t9wLifJnnNYwiw79d75QYIZ6M/aYC1h9nCzCjZ7pGUpAuNnkUhnIXM3PjrA== +``` + +### 2. Data Key and Double Encryption + +First, perform the setup. + +1. Create a MongoClient without encryption enabled (referred to as `client`). Enable command monitoring to listen for + command_started events. + +2. Using `client`, drop the collections `keyvault.datakeys` and `db.coll`. + +3. Create the following: + + - A MongoClient configured with auto encryption (referred to as `client_encrypted`) + - A `ClientEncryption` object (referred to as `client_encryption`) + + Configure both objects with the following KMS providers: + + ```javascript + { + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + }, + "gcp": { + "email": , + "privateKey": , + } + "local": { "key": }, + "kmip": { "endpoint": "localhost:5698" } + } + ``` + + Configure KMIP TLS connections to use the following options: + + - `tlsCAFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). + This MAY be configured system-wide. + - `tlsCertificateKeyFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem). + + The method of passing TLS options for KMIP TLS connections is driver dependent. + + Configure both objects with `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure the `MongoClient` with the following `schema_map`: + + ```javascript + { + "db.coll": { + "bsonType": "object", + "properties": { + "encrypted_placeholder": { + "encrypt": { + "keyId": "/placeholder", + "bsonType": "string", + "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" + } + } + } + } + } + ``` + + Configure `client_encryption` with the `keyVaultClient` of the previously created `client`. + +For each KMS provider (`aws`, `azure`, `gcp`, `local`, and `kmip`), referred to as `provider_name`, run the following +test. + +1. Call `client_encryption.createDataKey()`. + - Set keyAltNames to `["_altname"]`. + + - Set the masterKey document based on `provider_name`. + + For "aws": + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + } + ``` + + For "azure": + + ```javascript + { + "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", + "keyName": "key-name-csfle" + } + ``` + + For "gcp": + + ```javascript + { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle" + } + ``` + + For "kmip": + + ```javascript + {} + ``` + + For "local", do not set a masterKey document. + + - Expect a BSON binary with subtype 4 to be returned, referred to as `datakey_id`. + + - Use `client` to run a `find` on `keyvault.datakeys` by querying with the `_id` set to the `datakey_id`. + + - Expect that exactly one document is returned with the "masterKey.provider" equal to `provider_name`. + + - Check that `client` captured a command_started event for the `insert` command containing a majority writeConcern. +2. Call `client_encryption.encrypt()` with the value "hello \", the algorithm + `AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic`, and the `key_id` of `datakey_id`. + - Expect the return value to be a BSON binary subtype 6, referred to as `encrypted`. + - Use `client_encrypted` to insert `{ _id: "", "value": }` into `db.coll`. + - Use `client_encrypted` to run a find querying with `_id` of "\" and expect `value` to be "hello + \". +3. Call `client_encryption.encrypt()` with the value "hello \", the algorithm + `AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic`, and the `key_alt_name` of `_altname`. + - Expect the return value to be a BSON binary subtype 6. Expect the value to exactly match the value of `encrypted`. +4. Test explicit encrypting an auto encrypted field. + - Use `client_encrypted` to attempt to insert `{ "encrypted_placeholder": }` + - Expect an exception to be thrown, since this is an attempt to auto encrypt an already encrypted value. + +### 3. External Key Vault Test + +Run the following tests twice, parameterized by a boolean `withExternalKeyVault`. + +1. Create a MongoClient without encryption enabled (referred to as `client`). + +2. Using `client`, drop the collections `keyvault.datakeys` and `db.coll`. Insert the document + [external/external-key.json](../external/external-key.json) into `keyvault.datakeys`. + +3. Create the following: + + - A MongoClient configured with auto encryption (referred to as `client_encrypted`) + - A `ClientEncryption` object (referred to as `client_encryption`) + + Configure both objects with the `local` KMS providers as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure both objects with `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure `client_encrypted` to use the schema [external/external-schema.json](../external/external-schema.json) for + `db.coll` by setting a schema map like: `{ "db.coll": }` + + If `withExternalKeyVault == true`, configure both objects with an external key vault client. The external client MUST + connect to the same MongoDB cluster that is being tested against, except it MUST use the username `fake-user` and + password `fake-pwd`. + +4. Use `client_encrypted` to insert the document `{"encrypted": "test"}` into `db.coll`. If + `withExternalKeyVault == true`, expect an authentication exception to be thrown. Otherwise, expect the insert to + succeed. + +5. Use `client_encryption` to explicitly encrypt the string `"test"` with key ID `LOCALAAAAAAAAAAAAAAAAA==` and + deterministic algorithm. If `withExternalKeyVault == true`, expect an authentication exception to be thrown. + Otherwise, expect the insert to succeed. + +### 4. BSON Size Limits and Batch Splitting + +First, perform the setup. + +1. Create a MongoClient without encryption enabled (referred to as `client`). + +2. Using `client`, drop and create the collection `db.coll` configured with the included JSON schema + [limits/limits-schema.json](../limits/limits-schema.json). + +3. Using `client`, drop the collection `keyvault.datakeys`. Insert the document + [limits/limits-key.json](../limits/limits-key.json) + +4. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure with the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + +Using `client_encrypted` perform the following operations: + +1. Insert `{ "_id": "over_2mib_under_16mib", "unencrypted": }`. + + Expect this to succeed since this is still under the `maxBsonObjectSize` limit. + +2. Insert the document [limits/limits-doc.json](../limits/limits-doc.json) concatenated with + `{ "_id": "encryption_exceeds_2mib", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }` Note: + limits-doc.json is a 1005 byte BSON document that encrypts to a ~10,000 byte document. + + Expect this to succeed since after encryption this still is below the normal maximum BSON document size. Note, before + auto encryption this document is under the 2 MiB limit. After encryption it exceeds the 2 MiB limit, but does NOT + exceed the 16 MiB limit. + +3. Bulk insert the following: + + - `{ "_id": "over_2mib_1", "unencrypted": }` + - `{ "_id": "over_2mib_2", "unencrypted": }` + + Expect the bulk write to succeed and split after first doc (i.e. two inserts occur). This may be verified using + [command monitoring](https://github.com/mongodb/specifications/tree/master/source/command-logging-and-monitoring/command-logging-and-monitoring.rst). + +4. Bulk insert the following: + + - The document [limits/limits-doc.json](../limits/limits-doc.json) concatenated with + `{ "_id": "encryption_exceeds_2mib_1", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }` + - The document [limits/limits-doc.json](../limits/limits-doc.json) concatenated with + `{ "_id": "encryption_exceeds_2mib_2", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }` + + Expect the bulk write to succeed and split after first doc (i.e. two inserts occur). This may be verified using + [command logging and monitoring](https://github.com/mongodb/specifications/tree/master/source/command-logging-and-monitoring/command-logging-and-monitoring.rst). + +5. Insert `{ "_id": "under_16mib", "unencrypted": `. + + Expect this to succeed since this is still (just) under the `maxBsonObjectSize` limit. + +6. Insert the document [limits/limits-doc.json](../limits/limits-doc.json) concatenated with + `{ "_id": "encryption_exceeds_16mib", "unencrypted": < the string "a" repeated (16777216 - 2000) times > }` + + Expect this to fail since encryption results in a document exceeding the `maxBsonObjectSize` limit. + +Optionally, if it is possible to mock the maxWriteBatchSize (i.e. the maximum number of documents in a batch) test that +setting maxWriteBatchSize=1 and inserting the two documents `{ "_id": "a" }, { "_id": "b" }` with `client_encrypted` +splits the operation into two inserts. + +### 5. Views Are Prohibited + +1. Create a MongoClient without encryption enabled (referred to as `client`). + +2. Using `client`, drop and create a view named `db.view` with an empty pipeline. E.g. using the command + `{ "create": "view", "viewOn": "coll" }`. + +3. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure with the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + +4. Using `client_encrypted`, attempt to insert a document into `db.view`. Expect an exception to be thrown containing + the message: "cannot auto encrypt a view". + +### 6. Corpus Test + +The corpus test exhaustively enumerates all ways to encrypt all BSON value types. Note, the test data includes BSON +binary subtype 4 (or standard UUID), which MUST be decoded and encoded as subtype 4. Run the test as follows. + +1. Create a MongoClient without encryption enabled (referred to as `client`). + +2. Using `client`, drop and create the collection `db.coll` configured with the included JSON schema + [corpus/corpus-schema.json](../corpus/corpus-schema.json). + +3. Using `client`, drop the collection `keyvault.datakeys`. Insert the documents + [corpus/corpus-key-local.json](../corpus/corpus-key-local.json), + [corpus/corpus-key-aws.json](../corpus/corpus-key-aws.json), + [corpus/corpus-key-azure.json](../corpus/corpus-key-azure.json), + [corpus/corpus-key-gcp.json](../corpus/corpus-key-gcp.json), and + [corpus/corpus-key-kmip.json](../corpus/corpus-key-kmip.json). + +4. Create the following: + + - A MongoClient configured with auto encryption (referred to as `client_encrypted`) + - A `ClientEncryption` object (referred to as `client_encryption`) + + Configure both objects with `aws`, `azure`, `gcp`, `local`, and `kmip` KMS providers as follows: + + ```javascript + { + "aws": { }, + "azure": { }, + "gcp": { }, + "local": { "key": }, + "kmip": { "endpoint": "localhost:5698" } } + } + ``` + + Configure KMIP TLS connections to use the following options: + + - `tlsCAFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). + This MAY be configured system-wide. + - `tlsCertificateKeyFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem). + + The method of passing TLS options for KMIP TLS connections is driver dependent. + + Where LOCAL_MASTERKEY is the following base64: + + ```javascript + Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk + ``` + + Configure both objects with `keyVaultNamespace` set to `keyvault.datakeys`. + +5. Load [corpus/corpus.json](../corpus/corpus.json) to a variable named `corpus`. The corpus contains subdocuments with + the following fields: + + - `kms` is `aws`, `azure`, `gcp`, `local`, or `kmip` + - `type` is a BSON type string + [names coming from here](https://www.mongodb.com/docs/manual/reference/operator/query/type/)) + - `algo` is either `rand` or `det` for random or deterministic encryption + - `method` is either `auto`, for automatic encryption or `explicit` for explicit encryption + - `identifier` is either `id` or `altname` for the key identifier + - `allowed` is a boolean indicating whether the encryption for the given parameters is permitted. + - `value` is the value to be tested. + + Create a new BSON document, named `corpus_copied`. Iterate over each field of `corpus`. + + - If the field name is `_id`, `altname_aws`, `altname_local`, `altname_azure`, `altname_gcp`, or `altname_kmip` copy + the field to `corpus_copied`. + + - If `method` is `auto`, copy the field to `corpus_copied`. + + - If `method` is `explicit`, use `client_encryption` to explicitly encrypt the value. + + - Encrypt with the algorithm described by `algo`. + - If `identifier` is `id` + - If `kms` is `local` set the key_id to the UUID with base64 value `LOCALAAAAAAAAAAAAAAAAA==`. + - If `kms` is `aws` set the key_id to the UUID with base64 value `AWSAAAAAAAAAAAAAAAAAAA==`. + - If `kms` is `azure` set the key_id to the UUID with base64 value `AZUREAAAAAAAAAAAAAAAAA==`. + - If `kms` is `gcp` set the key_id to the UUID with base64 value `GCPAAAAAAAAAAAAAAAAAAA==`. + - If `kms` is `kmip` set the key_id to the UUID with base64 value `KMIPAAAAAAAAAAAAAAAAAA==`. + - If `identifier` is `altname` + - If `kms` is `local` set the key_alt_name to "local". + - If `kms` is `aws` set the key_alt_name to "aws". + - If `kms` is `azure` set the key_alt_name to "azure". + - If `kms` is `gcp` set the key_alt_name to "gcp". + - If `kms` is `kmip` set the key_alt_name to "kmip". + + If `allowed` is true, copy the field and encrypted value to `corpus_copied`. If `allowed` is false. verify that an + exception is thrown. Copy the unencrypted value to to `corpus_copied`. + +6. Using `client_encrypted`, insert `corpus_copied` into `db.coll`. + +7. Using `client_encrypted`, find the inserted document from `db.coll` to a variable named `corpus_decrypted`. Since it + should have been automatically decrypted, assert the document exactly matches `corpus`. + +8. Load [corpus/corpus_encrypted.json](../corpus/corpus-encrypted.json) to a variable named `corpus_encrypted_expected`. + Using `client` find the inserted document from `db.coll` to a variable named `corpus_encrypted_actual`. + + Iterate over each field of `corpus_encrypted_expected` and check the following: + + - If the `algo` is `det`, that the value equals the value of the corresponding field in `corpus_encrypted_actual`. + - If the `algo` is `rand` and `allowed` is true, that the value does not equal the value of the corresponding field + in `corpus_encrypted_actual`. + - If `allowed` is true, decrypt the value with `client_encryption`. Decrypt the value of the corresponding field of + `corpus_encrypted` and validate that they are both equal. + - If `allowed` is false, validate the value exactly equals the value of the corresponding field of `corpus` (neither + was encrypted). + +9. Repeat steps 1-8 with a local JSON schema. I.e. amend step 4 to configure the schema on `client_encrypted` with the + `schema_map` option. + +### 7. Custom Endpoint Test + +#### Setup + +For each test cases, start by creating two `ClientEncryption` objects. Recreate the `ClientEncryption` objects for each +test case. + +Create a `ClientEncryption` object (referred to as `client_encryption`) + +Configure with `keyVaultNamespace` set to `keyvault.datakeys`, and a default MongoClient as the `keyVaultClient`. + +Configure with KMS providers as follows: + +```javascript +{ + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "login.microsoftonline.com:443" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "oauth2.googleapis.com:443" + }, + "kmip" { + "endpoint": "localhost:5698" + } +} +``` + +Create a `ClientEncryption` object (referred to as `client_encryption_invalid`) + +Configure with `keyVaultNamespace` set to `keyvault.datakeys`, and a default MongoClient as the `keyVaultClient`. + +Configure with KMS providers as follows: + +```javascript +{ + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "doesnotexist.invalid:443" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "doesnotexist.invalid:443" + }, + "kmip": { + "endpoint": "doesnotexist.local:5698" + } +} +``` + +Configure KMIP TLS connections to use the following options: + +- `tlsCAFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). + This MAY be configured system-wide. +- `tlsCertificateKeyFile` (or equivalent) set to + [drivers-evergreen-tools/.evergreen/x509gen/client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem). + +The method of passing TLS options for KMIP TLS connections is driver dependent. + +#### Test cases + +01. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + +02. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + endpoint: "kms.us-east-1.amazonaws.com" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + +03. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + endpoint: "kms.us-east-1.amazonaws.com:443" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + +04. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + endpoint: "kms.us-east-1.amazonaws.com:12345" + } + ``` + + Expect this to fail with a socket connection error. + +05. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + endpoint: "kms.us-east-2.amazonaws.com" + } + ``` + + Expect this to fail with an exception. + +06. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + endpoint: "doesnotexist.invalid" + } + ``` + + Expect this to fail with a network exception indicating failure to resolve "doesnotexist.invalid". + +07. Call `client_encryption.createDataKey()` with "azure" as the provider and the following masterKey: + + ```javascript + { + "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", + "keyName": "key-name-csfle" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + + Call `client_encryption_invalid.createDataKey()` with the same masterKey. Expect this to fail with a network + exception indicating failure to resolve "doesnotexist.invalid". + +08. Call `client_encryption.createDataKey()` with "gcp" as the provider and the following masterKey: + + ```javascript + { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle", + "endpoint": "cloudkms.googleapis.com:443" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + + Call `client_encryption_invalid.createDataKey()` with the same masterKey. Expect this to fail with a network + exception indicating failure to resolve "doesnotexist.invalid". + +09. Call `client_encryption.createDataKey()` with "gcp" as the provider and the following masterKey: + + ```javascript + { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle", + "endpoint": "doesnotexist.invalid:443" + } + ``` + + Expect this to fail with an exception with a message containing the string: "Invalid KMS response". + +10. Call `client_encryption.createDataKey()` with "kmip" as the provider and the following masterKey: + + ```javascript + { + "keyId": "1" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + + Call `client_encryption_invalid.createDataKey()` with the same masterKey. Expect this to fail with a network + exception indicating failure to resolve "doesnotexist.local". + +11. Call `client_encryption.createDataKey()` with "kmip" as the provider and the following masterKey: + + ```javascript + { + "keyId": "1", + "endpoint": "localhost:5698" + } + ``` + + Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to + validate it works. + +12. Call `client_encryption.createDataKey()` with "kmip" as the provider and the following masterKey: + + ```javascript + { + "keyId": "1", + "endpoint": "doesnotexist.local:5698" + } + ``` + + Expect this to fail with a network exception indicating failure to resolve "doesnotexist.local". + +### 8. Bypass Spawning mongocryptd + +> [!NOTE] +> CONSIDER: To reduce the chances of tests interfering with each other, drivers MAY use a different port for each test +> in this group, and include it in `--pidfilepath`. The interference may come from the fact that once spawned by a test, +> `mongocryptd` stays up and running for some time. + +#### Via loading shared library + +The following tests that loading [crypt_shared](../client-side-encryption.rst#crypt_shared) bypasses spawning +mongocryptd. + +> [!NOTE] +> IMPORTANT: This test requires the [crypt_shared](../client-side-encryption.rst#crypt_shared) library be loaded. If the +> [crypt_shared](../client-side-encryption.rst#crypt_shared) library is not available, skip the test. + +1. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure the required options. Use the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure `client_encrypted` to use the schema [external/external-schema.json](../external/external-schema.json) for + `db.coll` by setting a schema map like: `{ "db.coll": }` + + Configure the following `extraOptions`: + + ```javascript + { + "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000", + "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"], + "cryptSharedLibPath": "", + "cryptSharedLibRequired": true + } + ``` + + Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port + that should be free. + +2. Use `client_encrypted` to insert the document `{"unencrypted": "test"}` into `db.coll`. Expect this to succeed. + +3. Validate that mongocryptd was not spawned. Create a MongoClient to localhost:27021 (or whatever was passed via + `--port`) with serverSelectionTimeoutMS=1000. Run a handshake command and ensure it fails with a server selection + timeout. + +> [!NOTE] +> IMPORTANT: If [crypt_shared](../client-side-encryption.rst#crypt_shared) is visible to the operating system's library +> search mechanism, the expected server error generated by the `Via mongocryptdBypassSpawn`, `Via bypassAutoEncryption`, +> `Via bypassQueryAnalysis` tests will not appear because libmongocrypt will load the `crypt_shared` library instead of +> consulting mongocryptd. For the following tests, it is required that libmongocrypt *not* load `crypt_shared`. Refer to +> the client-side-encryption document for more information on "disabling" `crypt_shared`. Take into account that once +> loaded, for example, by another test, `crypt_shared` cannot be unloaded and may be used by `MongoClient`, thus making +> the tests misbehave in unexpected ways. + +#### Via mongocryptdBypassSpawn + +The following tests that setting `mongocryptdBypassSpawn=true` really does bypass spawning mongocryptd. + +1. Insert the document [external/external-key.json](../external/external-key.json) into `keyvault.datakeys` with + majority write concern. This step is not required to run this test, and drivers MAY skip it. But if the driver + misbehaves, then not having the encryption fully set up may complicate the process of figuring out what is wrong. + +2. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure the required options. Use the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure `client_encrypted` to use the schema [external/external-schema.json](../external/external-schema.json) for + `db.coll` by setting a schema map like: `{ "db.coll": }` + + Configure the following `extraOptions`: + + ```javascript + { + "mongocryptdBypassSpawn": true + "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000", + "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"] + } + ``` + + Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port + that should be free. + +3. Use `client_encrypted` to insert the document `{"encrypted": "test"}` into `db.coll`. Expect a server selection error + propagated from the internal MongoClient failing to connect to mongocryptd on port 27021. + +#### Via bypassAutoEncryption + +The following tests that setting `bypassAutoEncryption=true` really does bypass spawning mongocryptd. + +1. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure the required options. Use the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure with `bypassAutoEncryption=true`. + + Configure the following `extraOptions`: + + ```javascript + { + "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"] + } + ``` + + Drivers MAY pass a different value to `--port` if they expect their testing infrastructure to be using port 27021. + Pass a port that should be free. + +2. Use `client_encrypted` to insert the document `{"unencrypted": "test"}` into `db.coll`. Expect this to succeed. + +3. Validate that mongocryptd was not spawned. Create a MongoClient to localhost:27021 (or whatever was passed via + `--port`) with serverSelectionTimeoutMS=1000. Run a handshake command and ensure it fails with a server selection + timeout. + +#### Via bypassQueryAnalysis + +Repeat the steps from the "Via bypassAutoEncryption" test, replacing "bypassAutoEncryption=true" with +"bypassQueryAnalysis=true". + +### 9. Deadlock Tests + +The following tests only apply to drivers that have implemented a connection pool (see the +[Connection Monitoring and Pooling](../../connection-monitoring-and-pooling/connection-monitoring-and-pooling.md) +specification). + +There are multiple parameterized test cases. Before each test case, perform the setup. + +#### Setup + +Create a `MongoClient` for setup operations named `client_test`. + +Create a `MongoClient` for key vault operations with `maxPoolSize=1` named `client_keyvault`. Capture command started +events. + +Using `client_test`, drop the collections `keyvault.datakeys` and `db.coll`. + +Insert the document [external/external-key.json](../external/external-key.json) into `keyvault.datakeys` with majority +write concern. + +Create a collection `db.coll` configured with a JSON schema +[external/external-schema.json](../external/external-schema.json) as the validator, like so: + +```typescript +{"create": "coll", "validator": {"$jsonSchema": }} +``` + +Create a `ClientEncryption` object, named `client_encryption` configured with: - `keyVaultClient`=`client_test` - +`keyVaultNamespace`="keyvault.datakeys" - `kmsProviders`=`{ "local": { "key": } }` + +Use `client_encryption` to encrypt the value "string0" with `algorithm`="AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" +and `keyAltName`="local". Store the result in a variable named `ciphertext`. + +Proceed to run the test case. + +Each test case configures a `MongoClient` with automatic encryption (named `client_encrypted`). + +Each test must assert the number of unique `MongoClient` objects created. This can be accomplished by capturing +`TopologyOpeningEvent`, or by checking command started events for a client identifier (not possible in all drivers). + +#### Running a test case + +- Create a `MongoClient` named `client_encrypted` configured as follows: + + - Set `AutoEncryptionOpts`: + + - `keyVaultNamespace="keyvault.datakeys"` + - `kmsProviders`=`{ "local": { "key": } }` + - Append `TestCase.AutoEncryptionOpts` (defined below) + + - Capture command started events. + + - Set `maxPoolSize=TestCase.MaxPoolSize` + +- If the testcase sets `AutoEncryptionOpts.bypassAutoEncryption=true`: + + - Use `client_test` to insert `{ "_id": 0, "encrypted": }` into `db.coll`. + +- Otherwise: + + - Use `client_encrypted` to insert `{ "_id": 0, "encrypted": "string0" }`. + +- Use `client_encrypted` to run a `findOne` operation on `db.coll`, with the filter `{ "_id": 0 }`. + +- Expect the result to be `{ "_id": 0, "encrypted": "string0" }`. + +- Check captured events against `TestCase.Expectations`. + +- Check the number of unique `MongoClient` objects created is equal to `TestCase.ExpectedNumberOfClients`. + +#### Case 1 + +- MaxPoolSize: 1 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=false + - keyVaultClient=unset + +- Expectations: + + - Expect `client_encrypted` to have captured four `CommandStartedEvent`: + - a listCollections to "db". + - a find on "keyvault". + - an insert on "db". + - a find on "db" + +- ExpectedNumberOfClients: 2 + +#### Case 2 + +- MaxPoolSize: 1 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=false + - keyVaultClient=client_keyvault + +- Expectations: + + - Expect `client_encrypted` to have captured three `CommandStartedEvent`: + + - a listCollections to "db". + - an insert on "db". + - a find on "db" + + - Expect `client_keyvault` to have captured one `CommandStartedEvent`: + + - a find on "keyvault". + +- ExpectedNumberOfClients: 2 + +#### Case 3 + +- MaxPoolSize: 1 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=true + - keyVaultClient=unset + +- Expectations: + + - Expect `client_encrypted` to have captured three `CommandStartedEvent`: + - a find on "db" + - a find on "keyvault". + +- ExpectedNumberOfClients: 2 + +#### Case 4 + +- MaxPoolSize: 1 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=true + - keyVaultClient=client_keyvault + +- Expectations: + + - Expect `client_encrypted` to have captured two `CommandStartedEvent`: + + - a find on "db" + + - Expect `client_keyvault` to have captured one `CommandStartedEvent`: + + - a find on "keyvault". + +- ExpectedNumberOfClients: 1 + +#### Case 5 + +Drivers that do not support an unlimited maximum pool size MUST skip this test. + +- MaxPoolSize: 0 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=false + - keyVaultClient=unset + +- Expectations: + + - Expect `client_encrypted` to have captured five `CommandStartedEvent`: + - a listCollections to "db". + - a listCollections to "keyvault". + - a find on "keyvault". + - an insert on "db". + - a find on "db" + +- ExpectedNumberOfClients: 1 + +#### Case 6 + +Drivers that do not support an unlimited maximum pool size MUST skip this test. + +- MaxPoolSize: 0 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=false + - keyVaultClient=client_keyvault + +- Expectations: + + - Expect `client_encrypted` to have captured three `CommandStartedEvent`: + + - a listCollections to "db". + - an insert on "db". + - a find on "db" + + - Expect `client_keyvault` to have captured one `CommandStartedEvent`: + + - a find on "keyvault". + +- ExpectedNumberOfClients: 1 + +#### Case 7 + +Drivers that do not support an unlimited maximum pool size MUST skip this test. + +- MaxPoolSize: 0 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=true + - keyVaultClient=unset + +- Expectations: + + - Expect `client_encrypted` to have captured three `CommandStartedEvent`: + - a find on "db" + - a find on "keyvault". + +- ExpectedNumberOfClients: 1 + +#### Case 8 + +Drivers that do not support an unlimited maximum pool size MUST skip this test. + +- MaxPoolSize: 0 + +- AutoEncryptionOpts: + + - bypassAutoEncryption=true + - keyVaultClient=client_keyvault + +- Expectations: + + - Expect `client_encrypted` to have captured two `CommandStartedEvent`: + + - a find on "db" + + - Expect `client_keyvault` to have captured one `CommandStartedEvent`: + + - a find on "keyvault". + +- ExpectedNumberOfClients: 1 + +### 10. KMS TLS Tests + +The following tests that connections to KMS servers with TLS verify peer certificates. + +The two tests below make use of mock KMS servers which can be run on Evergreen using +[the mock KMS server script](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_http_server.py). +Drivers can set up their local Python environment for the mock KMS server by running +[the virtualenv activation script](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/activate-kmstlsvenv.sh). + +To start two mock KMS servers, one on port 9000 with +[ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file and +[expired.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/expired.pem) as a +cert file, and one on port 9001 with +[ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file and +[wrong-host.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/wrong-host.pem) +as a cert file, run the following commands from the `.evergreen/csfle` directory: + +``` +. ./activate_venv.sh +python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 9000 & +python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 9001 & +``` + +#### Setup + +For both tests, do the following: + +1. Start a `mongod` process with **server version 4.2.0 or later**. +2. Create a `MongoClient` for key vault operations. +3. Create a `ClientEncryption` object (referred to as `client_encryption`) with `keyVaultNamespace` set to + `keyvault.datakeys`. + +#### Invalid KMS Certificate + +1. Start a mock KMS server on port 9000 with + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file + and [expired.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/expired.pem) + as a cert file. + +2. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + "endpoint": "127.0.0.1:9000", + } + ``` + + Expect this to fail with an exception with a message referencing an expired certificate. This message will be + language dependent. In Python, this message is "certificate verify failed: certificate has expired". In Go, this + message is "certificate has expired or is not yet valid". If the language of implementation has a single, generic + error message for all certificate validation errors, drivers may inspect other fields of the error to verify its + meaning. + +#### Invalid Hostname in KMS Certificate + +1. Start a mock KMS server on port 9001 with + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file + and + [wrong-host.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/wrong-host.pem) + as a cert file. + +2. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: + + ```javascript + { + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + "endpoint": "127.0.0.1:9001", + } + ``` + + Expect this to fail with an exception with a message referencing an incorrect or unexpected host. This message will + be language dependent. In Python, this message is "certificate verify failed: IP address mismatch, certificate is not + valid for '127.0.0.1'". In Go, this message is "cannot validate certificate for 127.0.0.1 because it doesn't contain + any IP SANs". If the language of implementation has a single, generic error message for all certificate validation + errors, drivers may inspect other fields of the error to verify its meaning. + +### 11. KMS TLS Options Tests + +#### Setup + +Start a `mongod` process with **server version 4.2.0 or later**. + +Four mock KMS server processes must be running: + +1. The mock + [KMS HTTP server](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_http_server.py). + + Run on port 9000 with + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file + and [expired.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/expired.pem) + as a cert file. + + Example: + + ``` + python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 9000 + ``` + +2. The mock + [KMS HTTP server](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_http_server.py). + + Run on port 9001 with + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file + and + [wrong-host.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/wrong-host.pem) + as a cert file. + + Example: + + ``` + python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 9001 + ``` + +3. The mock + [KMS HTTP server](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_http_server.py). + + Run on port 9002 with + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem) as a CA file + and [server.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/server.pem) + as a cert file. + + Run with the `--require_client_cert` option. + + Example: + + ``` + python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 9002 --require_client_cert + ``` + +4. The mock + [KMS KMIP server](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/kms_kmip_server.py). + +Create the following `ClientEncryption` objects. + +Configure each with `keyVaultNamespace` set to `keyvault.datakeys`, and a default MongoClient as the `keyVaultClient`. + +1. Create a `ClientEncryption` object named `client_encryption_no_client_cert` with the following KMS providers: + + ```javascript + { + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9002" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9002" + }, + "kmip" { + "endpoint": "127.0.0.1:5698" + } + } + ``` + + Add TLS options for the `aws`, `azure`, `gcp`, and `kmip` providers to use the following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + +2. Create a `ClientEncryption` object named `client_encryption_with_tls` with the following KMS providers: + + ```javascript + { + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9002" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9002" + }, + "kmip" { + "endpoint": "127.0.0.1:5698" + } + } + ``` + + Add TLS options for the `aws`, `azure`, `gcp`, and `kmip` providers to use the following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + - `tlsCertificateKeyFile` (or equivalent) set to + [client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem) + +3. Create a `ClientEncryption` object named `client_encryption_expired` with the following KMS providers: + + ```javascript + { + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9000" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9000" + }, + "kmip" { + "endpoint": "127.0.0.1:9000" + } + } + ``` + + Add TLS options for the `aws`, `azure`, `gcp`, and `kmip` providers to use the following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + +4. Create a `ClientEncryption` object named `client_encryption_invalid_hostname` with the following KMS providers: + + ```javascript + { + "aws": { + "accessKeyId": , + "secretAccessKey": + }, + "azure": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9001" + }, + "gcp": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9001" + }, + "kmip" { + "endpoint": "127.0.0.1:9001" + } + } + ``` + + Add TLS options for the `aws`, `azure`, `gcp`, and `kmip` providers to use the following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + +5. Create a `ClientEncryption` object named `client_encryption_with_names` with the following KMS providers: + + ```javascript + { + "aws:no_client_cert": { + "accessKeyId": , + "secretAccessKey": + }, + "azure:no_client_cert": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9002" + }, + "gcp:no_client_cert": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9002" + }, + "kmip:no_client_cert": { + "endpoint": "127.0.0.1:5698" + }, + "aws:with_tls": { + "accessKeyId": , + "secretAccessKey": + }, + "azure:with_tls": { + "tenantId": , + "clientId": , + "clientSecret": , + "identityPlatformEndpoint": "127.0.0.1:9002" + }, + "gcp:with_tls": { + "email": , + "privateKey": , + "endpoint": "127.0.0.1:9002" + }, + "kmip:with_tls": { + "endpoint": "127.0.0.1:5698" + } + } + ``` + + Support for named KMS providers requires libmongocrypt 1.9.0. + + Add TLS options for the `aws:no_client_cert`, `azure:no_client_cert`, `gcp:no_client_cert`, and `kmip:no_client_cert` + providers to use the following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + + Add TLS options for the `aws:with_tls`, `azure:with_tls`, `gcp:with_tls`, and `kmip:with_tls` providers to use the + following options: + + - `tlsCAFile` (or equivalent) set to + [ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). This MAY + be configured system-wide. + - `tlsCertificateKeyFile` (or equivalent) set to + [client.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem) + +#### Case 1: AWS + +Call `client_encryption_no_client_cert.createDataKey()` with "aws" as the provider and the following masterKey: + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + endpoint: "127.0.0.1:9002" +} +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_tls.createDataKey()` with "aws" as the provider and the following masterKey: + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + endpoint: "127.0.0.1:9002" +} +``` + +Expect an error from libmongocrypt with a message containing the string: "parse error". This implies TLS handshake +succeeded. + +Call `client_encryption_expired.createDataKey()` with "aws" as the provider and the following masterKey: + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + endpoint: "127.0.0.1:9000" +} +``` + +Expect an error indicating TLS handshake failed due to an expired certificate. + +Call `client_encryption_invalid_hostname.createDataKey()` with "aws" as the provider and the following masterKey: + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + endpoint: "127.0.0.1:9001" +} +``` + +Expect an error indicating TLS handshake failed due to an invalid hostname. + +#### Case 2: Azure + +Call `client_encryption_no_client_cert.createDataKey()` with "azure" as the provider and the following masterKey: + +```javascript +{ 'keyVaultEndpoint': 'doesnotexist.local', 'keyName': 'foo' } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_tls.createDataKey()` with "azure" as the provider and the same masterKey. + +Expect an error from libmongocrypt with a message containing the string: "HTTP status=404". This implies TLS handshake +succeeded. + +Call `client_encryption_expired.createDataKey()` with "azure" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an expired certificate. + +Call `client_encryption_invalid_hostname.createDataKey()` with "azure" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an invalid hostname. + +#### Case 3: GCP + +Call `client_encryption_no_client_cert.createDataKey()` with "gcp" as the provider and the following masterKey: + +```javascript +{ 'projectId': 'foo', 'location': 'bar', 'keyRing': 'baz', 'keyName': 'foo' } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_tls.createDataKey()` with "gcp" as the provider and the same masterKey. + +Expect an error from libmongocrypt with a message containing the string: "HTTP status=404". This implies TLS handshake +succeeded. + +Call `client_encryption_expired.createDataKey()` with "gcp" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an expired certificate. + +Call `client_encryption_invalid_hostname.createDataKey()` with "gcp" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an invalid hostname. + +#### Case 4: KMIP + +Call `client_encryption_no_client_cert.createDataKey()` with "kmip" as the provider and the following masterKey: + +```javascript +{ } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_tls.createDataKey()` with "kmip" as the provider and the same masterKey. + +Expect success. + +Call `client_encryption_expired.createDataKey()` with "kmip" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an expired certificate. + +Call `client_encryption_invalid_hostname.createDataKey()` with "kmip" as the provider and the same masterKey. + +Expect an error indicating TLS handshake failed due to an invalid hostname. + +#### Case 5: `tlsDisableOCSPEndpointCheck` is permitted + +This test does not apply if the driver does not support the the option `tlsDisableOCSPEndpointCheck`. + +Create a `ClientEncryption` object with the following KMS providers: + +> ```javascript +> { +> "aws": { +> "accessKeyId": "foo", +> "secretAccessKey": "bar" +> } +> } +> ``` +> +> Add TLS options for the `aws` with the following options: +> +> - `tlsDisableOCSPEndpointCheck` (or equivalent) set to `true`. + +Expect no error on construction. + +#### Case 6: named KMS providers apply TLS options + +##### Named AWS + +Call `client_encryption_with_names.createDataKey()` with "aws:no_client_cert" as the provider and the following +masterKey. + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" + endpoint: "127.0.0.1:9002" +} +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_names.createDataKey()` with "aws:with_tls" as the provider and the same masterKey. + +Expect an error from libmongocrypt with a message containing the string: "parse error". This implies TLS handshake +succeeded. + +##### Named Azure + +Call `client_encryption_with_names.createDataKey()` with "azure:no_client_cert" as the provider and the following +masterKey: + +```javascript +{ 'keyVaultEndpoint': 'doesnotexist.local', 'keyName': 'foo' } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_names.createDataKey()` with "azure:with_tls" as the provider and the same masterKey. + +Expect an error from libmongocrypt with a message containing the string: "HTTP status=404". This implies TLS handshake +succeeded. + +##### Named GCP + +Call `client_encryption_with_names.createDataKey()` with "gcp:no_client_cert" as the provider and the following +masterKey: + +```javascript +{ 'projectId': 'foo', 'location': 'bar', 'keyRing': 'baz', 'keyName': 'foo' } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_names.createDataKey()` with "gcp:with_tls" as the provider and the same masterKey. + +Expect an error from libmongocrypt with a message containing the string: "HTTP status=404". This implies TLS handshake +succeeded. + +##### Named KMIP + +Call `client_encryption_with_names.createDataKey()` with "kmip:no_client_cert" as the provider and the following +masterKey: + +```javascript +{ } +``` + +Expect an error indicating TLS handshake failed. + +Call `client_encryption_with_names.createDataKey()` with "kmip:with_tls" as the provider and the same masterKey. + +Expect success. + +### 12. Explicit Encryption + +The Explicit Encryption tests require MongoDB server 7.0+. The tests must not run against a standalone. + +> [!NOTE] +> MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. +> libmongocrypt 1.8.0 is configured to use the QEv2 protocol. + +Before running each of the following test cases, perform the following Test Setup. + +#### Test Setup + +Load the file +[encryptedFields.json](https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/etc/data/encryptedFields.json) +as `encryptedFields`. + +Load the file +[key1-document.json](https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/etc/data/keys/key1-document.json) +as `key1Document`. + +Read the `"_id"` field of `key1Document` as `key1ID`. + +Drop and create the collection `db.explicit_encryption` using `encryptedFields` as an option. See +[FLE 2 CreateCollection() and Collection.Drop()](../client-side-encryption.md#fle-2-createcollection-and-collection-drop). + +Drop and create the collection `keyvault.datakeys`. + +Insert `key1Document` in `keyvault.datakeys` with majority write concern. + +Create a MongoClient named `keyVaultClient`. + +Create a ClientEncryption object named `clientEncryption` with these options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, +} +``` + +Create a MongoClient named `encryptedClient` with these `AutoEncryptionOpts`: + +```typescript +class AutoEncryptionOpts { + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, + bypassQueryAnalysis: true, +} +``` + +#### Case 1: can insert encrypted indexed and find + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + contentionFactor: 0, +} +``` + +Store the result in `insertPayload`. + +Use `encryptedClient` to insert the document `{ "encryptedIndexed": }` into `db.explicit_encryption`. + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + queryType: "equality", + contentionFactor: 0, +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter +`{ "encryptedIndexed": }`. + +Assert one document is returned containing the field `{ "encryptedIndexed": "encrypted indexed value" }`. + +#### Case 2: can insert encrypted indexed and find with non-zero contention + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + contentionFactor: 10, +} +``` + +Store the result in `insertPayload`. + +Use `encryptedClient` to insert the document `{ "encryptedIndexed": }` into `db.explicit_encryption`. + +Repeat the above steps 10 times to insert 10 total documents. The `insertPayload` must be regenerated each iteration. + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + queryType: "equality", + contentionFactor: 0, +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter +`{ "encryptedIndexed": }`. + +Assert less than 10 documents are returned. 0 documents may be returned. Assert each returned document contains the +field `{ "encryptedIndexed": "encrypted indexed value" }`. + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + queryType: "equality", + contentionFactor: 10, +} +``` + +Store the result in `findPayload2`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter +`{ "encryptedIndexed": }`. + +Assert 10 documents are returned. Assert each returned document contains the field +`{ "encryptedIndexed": "encrypted indexed value" }`. + +#### Case 3: can insert encrypted unindexed + +Use `clientEncryption` to encrypt the value "encrypted unindexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Unindexed", +} +``` + +Store the result in `insertPayload`. + +Use `encryptedClient` to insert the document `{ "_id": 1, "encryptedUnindexed": }` into +`db.explicit_encryption`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter +`{ "_id": 1 }`. + +Assert one document is returned containing the field `{ "encryptedUnindexed": "encrypted unindexed value" }`. + +#### Case 4: can roundtrip encrypted indexed + +Use `clientEncryption` to encrypt the value "encrypted indexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Indexed", + contentionFactor: 0, +} +``` + +Store the result in `payload`. + +Use `clientEncryption` to decrypt `payload`. Assert the returned value equals "encrypted indexed value". + +#### Case 5: can roundtrip encrypted unindexed + +Use `clientEncryption` to encrypt the value "encrypted unindexed value" with these `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Unindexed", +} +``` + +Store the result in `payload`. + +Use `clientEncryption` to decrypt `payload`. Assert the returned value equals "encrypted unindexed value". + +### 13. Unique Index on keyAltNames + +The following setup must occur before running each of the following test cases. + +#### Setup + +1. Create a `MongoClient` object (referred to as `client`). +2. Using `client`, drop the collection `keyvault.datakeys`. +3. Using `client`, create a unique index on `keyAltNames` with a partial index filter for only documents where + `keyAltNames` exists using writeConcern "majority". + +The command should be equivalent to: + +```typescript +db.runCommand( + { + createIndexes: "datakeys", + indexes: [ + { + name: "keyAltNames_1", + key: { "keyAltNames": 1 }, + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } } + } + ], + writeConcern: { w: "majority" } + } +) +``` + +4. Create a `ClientEncryption` object (referred to as `client_encryption`) with `client` set as the `keyVaultClient`. +5. Using `client_encryption`, create a data key with a `local` KMS provider and the keyAltName "def". + +#### Case 1: createDataKey() + +1. Use `client_encryption` to create a new local data key with a keyAltName "abc" and assert the operation does not + fail. +2. Repeat Step 1 and assert the operation fails due to a duplicate key server error (error code 11000). +3. Use `client_encryption` to create a new local data key with a keyAltName "def" and assert the operation fails due to + a duplicate key server error (error code 11000). + +#### Case 2: addKeyAltName() + +1. Use `client_encryption` to create a new local data key and assert the operation does not fail. +2. Use `client_encryption` to add a keyAltName "abc" to the key created in Step 1 and assert the operation does not + fail. +3. Repeat Step 2, assert the operation does not fail, and assert the returned key document contains the keyAltName "abc" + added in Step 2. +4. Use `client_encryption` to add a keyAltName "def" to the key created in Step 1 and assert the operation fails due to + a duplicate key server error (error code 11000). +5. Use `client_encryption` to add a keyAltName "def" to the existing key, assert the operation does not fail, and assert + the returned key document contains the keyAltName "def" added during Setup. + +### 14. Decryption Events + +Before running each of the following test cases, perform the following Test Setup. + +#### Test Setup + +Create a MongoClient named `setupClient`. + +Drop and create the collection `db.decryption_events`. + +Create a ClientEncryption object named `clientEncryption` with these options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, +} +``` + +Create a data key with the "local" KMS provider. Storing the result in a variable named `keyID`. + +Use `clientEncryption` to encrypt the string "hello" with the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId: , + algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", +} +``` + +Store the result in a variable named `ciphertext`. + +Copy `ciphertext` into a variable named `malformedCiphertext`. Change the last byte to a different value. This will +produce an invalid HMAC tag. + +Create a MongoClient named `encryptedClient` with these `AutoEncryptionOpts`: + +```typescript +class AutoEncryptionOpts { + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, +} +``` + +Configure `encryptedClient` with "retryReads=false". Register a listener for CommandSucceeded events on +`encryptedClient`. The listener must store the most recent `CommandSucceededEvent` reply for the "aggregate" command. +The listener must store the most recent `CommandFailedEvent` error for the "aggregate" command. + +#### Case 1: Command Error + +Use `setupClient` to configure the following failpoint: + +```typescript +{ + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "errorCode": 123, + "failCommands": [ + "aggregate" + ] + } +} +``` + +Use `encryptedClient` to run an aggregate on `db.decryption_events`. + +Expect an exception to be thrown from the command error. Expect a `CommandFailedEvent`. + +#### Case 2: Network Error + +Use `setupClient` to configure the following failpoint: + +```typescript +{ + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "errorCode": 123, + "closeConnection": true, + "failCommands": [ + "aggregate" + ] + } +} +``` + +Use `encryptedClient` to run an aggregate on `db.decryption_events`. + +Expect an exception to be thrown from the network error. Expect a `CommandFailedEvent`. + +#### Case 3: Decrypt Error + +Use `encryptedClient` to insert the document `{ "encrypted": }` into `db.decryption_events`. + +Use `encryptedClient` to run an aggregate on `db.decryption_events` with an empty pipeline. + +Expect an exception to be thrown from the decryption error. Expect a `CommandSucceededEvent`. Expect the +`CommandSucceededEvent.reply` to contain BSON binary for the field `cursor.firstBatch.encrypted`. + +#### Case 4: Decrypt Success + +Use `encryptedClient` to insert the document `{ "encrypted": }` into `db.decryption_events`. + +Use `encryptedClient` to run an aggregate on `db.decryption_events` with an empty pipeline. + +Expect no exception. Expect a `CommandSucceededEvent`. Expect the `CommandSucceededEvent.reply` to contain BSON binary +for the field `cursor.firstBatch.encrypted`. + +### 15. On-demand AWS Credentials + +These tests require valid AWS credentials. Refer: +[Automatic AWS Credentials](../client-side-encryption.rst#automatic-aws-credentials). + +For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the +following options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "aws": {} }, +} +``` + +#### Case 1: Failure + +Do not run this test case in an environment where AWS credentials are available (e.g. via environment variables or a +metadata URL). (Refer: [Obtaining credentials for AWS](../../auth/auth.rst#obtaining-credentials)) + +Attempt to create a datakey with $C$ using the `"aws"` KMS provider. Expect this to fail due to a lack of KMS provider +credentials. + +#### Case 2: Success + +For this test case, the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` must be defined and set to +a valid set of AWS credentials. + +Use the client encryption to create a datakey using the `"aws"` KMS provider. This should successfully load and use the +AWS credentials that were defined in the environment. + +### 16. Rewrap + +#### Case 1: Rewrap with separate ClientEncryption + +When the following test case requests setting `masterKey`, use the following values based on the KMS provider: + +For "aws": + +```javascript +{ + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" +} +``` + +For "azure": + +```javascript +{ + "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", + "keyName": "key-name-csfle" +} +``` + +For "gcp": + +```javascript +{ + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle" +} +``` + +For "kmip": + +```javascript +{} +``` + +For "local", do not set a masterKey document. + +Run the following test case for each pair of KMS providers (referred to as `srcProvider` and `dstProvider`). Include +pairs where `srcProvider` equals `dstProvider`. + +1. Drop the collection `keyvault.datakeys`. + +2. Create a `ClientEncryption` object named `clientEncryption1` with these options: + + ```typescript + class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: , + } + ``` + +3. Call `clientEncryption1.createDataKey` with `srcProvider` and these options: + + ```typescript + class DataKeyOpts { + masterKey: , + } + ``` + + Store the return value in `keyID`. + +4. Call `clientEncryption1.encrypt` with the value "test" and these options: + + ```typescript + class EncryptOpts { + keyId : keyID, + algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", + } + ``` + + Store the return value in `ciphertext`. + +5. Create a `ClientEncryption` object named `clientEncryption2` with these options: + + ```typescript + class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: , + } + ``` + +6. Call `clientEncryption2.rewrapManyDataKey` with an empty `filter` and these options: + + ```typescript + class RewrapManyDataKeyOpts { + provider: dstProvider, + masterKey: , + } + ``` + + Assert that the returned `RewrapManyDataKeyResult.bulkWriteResult.modifiedCount` is 1. + +7. Call `clientEncryption1.decrypt` with the `ciphertext`. Assert the return value is "test". + +8. Call `clientEncryption2.decrypt` with the `ciphertext`. Assert the return value is "test". + +#### Case 2: RewrapManyDataKeyOpts.provider is not optional + +Drivers MAY chose not to implement this prose test if their implementation of `RewrapManyDataKeyOpts` makes it +impossible by design to omit `RewrapManyDataKeyOpts.provider` when `RewrapManyDataKeyOpts.masterKey` is set. + +1. Create a `ClientEncryption` object named `clientEncryption` with these options: + + ```typescript + class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: , + } + ``` + +2. Call `clientEncryption.rewrapManyDataKey` with an empty `filter` and these options: + + ```typescript + class RewrapManyDataKeyOpts { + masterKey: {} + } + ``` + + Assert that `clientEncryption.rewrapManyDataKey` raises a client error indicating that the required + `RewrapManyDataKeyOpts.provider` field is missing. + +### 17. On-demand GCP Credentials + +Refer: [Automatic GCP Credentials](../client-side-encryption.rst#automatic-gcp-credentials). + +For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the +following options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "gcp": {} }, +} +``` + +#### Case 1: Failure + +Do not run this test case in an environment with a GCP service account is attached (e.g. any +[GCE equivalent runtime](https://google.aip.dev/auth/4115)). This may be run in an AWS EC2 instance. + +Attempt to create a datakey with $C$ using the `"gcp"` KMS provider and following `DataKeyOpts`: + +```typescript +class DataKeyOpts { + masterKey: { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle", + } +} +``` + +Expect the attempt to obtain `"gcp"` credentials from the environment to fail. + +#### Case 2: Success + +This test case must run in a Google Compute Engine (GCE) Virtual Machine with a service account attached. See +[drivers-evergreen-tools/.evergreen/csfle/gcpkms](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/gcpkms) +for scripts to create a GCE instance for testing. The Evergreen task SHOULD set a `batchtime` of 14 days to reduce how +often this test case runs. + +Attempt to create a datakey with $C$ using the `"gcp"` KMS provider and following `DataKeyOpts`: + +```typescript +class DataKeyOpts { + masterKey: { + "projectId": "devprod-drivers", + "location": "global", + "keyRing": "key-ring-csfle", + "keyName": "key-name-csfle", + } +} +``` + +This should successfully load and use the GCP credentials of the service account attached to the virtual machine. + +Expect the key to be successfully created. + +### 18. Azure IMDS Credentials + +Refer: [Automatic Azure Credentials](../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault) + +The test cases for IMDS communication are specially designed to not require an Azure environment, while still exercising +the core of the functionality. The design of these test cases encourages an implementation to separate the concerns of +IMDS communication from the logic of KMS key manipulation. The purpose of these test cases is to ensure drivers will +behave appropriately regardless of the behavior of the IMDS server. + +For these IMDS credentials tests, a simple stand-in IMDS-imitating HTTP server is available in drivers-evergreen-tools, +at `.evergreen/csfle/fake_azure.py`. `fake_azure.py` is a very simple `bottle.py` application. For the easiest use, it +is recommended to execute it through `bottle.py` (which is a sibling file in the same directory): + +``` +python .evergreen/csfle/bottle.py fake_azure:imds +``` + +This will run the `imds` Bottle application defined in the `fake_azure` Python module. `bottle.py` accepts additional +command line arguments to control the bind host and TCP port (use `--help` for more information). + +For each test case, follow the process for obtaining the token as outlined in the +[automatic Azure credentials section](../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault) with +the following changes: + +1. Instead of the standard IMDS TCP endpoint of `169.254.169.254:80`, communicate with the running `fake_azure` HTTP + server. +2. For each test case, the behavior of the server may be controlled by attaching an additional HTTP header to the sent + request: `X-MongoDB-HTTP-TestParams`. + +#### Case 1: Success + +Do not set an `X-MongoDB-HTTP-TestParams` header. + +Upon receiving a response from `fake_azure`, the driver must decode the following information: + +1. HTTP status will be `200 Okay`. +2. The HTTP body will be a valid JSON string. +3. The access token will be the string `"magic-cookie"`. +4. The expiry duration of the token will be seventy seconds. +5. The token will have a resource of `"https://vault.azure.net"` + +#### Case 2: Empty JSON + +This case addresses a server returning valid JSON with invalid content. + +Set `X-MongoDB-HTTP-TestParams` to `case=empty-json`. + +Upon receiving a response: + +1. HTTP status will be `200 Okay` +2. The HTTP body will be a valid JSON string. +3. There will be no access token, expiry duration, or resource. + +The test case should ensure that this error condition is handled gracefully. + +#### Case 3: Bad JSON + +This case addresses a server returning malformed JSON. + +Set `X-MongoDB-HTTP-TestParams` to `case=bad-json`. + +Upon receiving a response: + +1. HTTP status will be `200 Okay` +2. The response body will contain a malformed JSON string. + +The test case should ensure that this error condition is handled gracefully. + +#### Case 4: HTTP 404 + +This case addresses a server returning a "Not Found" response. This is documented to occur spuriously within an Azure +environment. + +Set `X-MongoDB-HTTP-TestParams` to `case=404`. + +Upon receiving a response: + +1. HTTP status will be `404 Not Found`. +2. The response body is unspecified. + +The test case should ensure that this error condition is handled gracefully. + +#### Case 5: HTTP 500 + +This case addresses an IMDS server reporting an internal error. This is documented to occur spuriously within an Azure +environment. + +Set `X-MongoDB-HTTP-TestParams` to `case=500`. + +Upon receiving a response: + +1. HTTP status code will be `500`. +2. The response body is unspecified. + +The test case should ensure that this error condition is handled gracefully. + +#### Case 6: Slow Response + +This case addresses an IMDS server responding very slowly. Drivers should not halt the application waiting on a peer to +communicate. + +Set `X-MongoDB-HTTP-TestParams` to `case=slow`. + +The HTTP response from the `fake_azure` server will take at least 1000 seconds to complete. The request should fail with +a timeout. + +### 19. Azure IMDS Credentials Integration Test + +Refer: [Automatic Azure Credentials](../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault) + +For these cases, create a [ClientEncryption](../client-side-encryption.rst#clientencryption) object $C$ with the +following options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "azure": {} }, +} +``` + +#### Case 1: Failure + +Do not run this test case in an Azure environment with an attached identity. This may be run in an AWS EC2 instance. + +Attempt to create a datakey with $C$ using the `"azure"` KMS provider and following `DataKeyOpts`: + +```typescript +class DataKeyOpts { + masterKey: { + "keyVaultEndpoint": "https://keyvault-drivers-2411.vault.azure.net/keys/", + "keyName": "KEY-NAME", + } +} +``` + +Expect the attempt to obtain `"azure"` credentials from the environment to fail. + +#### Case 2: Success + +This test case must run in an Azure environment with an attached identity. See +[drivers-evergreen-tools/.evergreen/csfle/azurekms](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/csfle/azurekms) +for scripts to create a Azure instance for testing. The Evergreen task SHOULD set a `batchtime` of 14 days to reduce how +often this test case runs. + +Attempt to create a datakey with $C$ using the `"azure"` KMS provider and following `DataKeyOpts`: + +```typescript +class DataKeyOpts { + masterKey: { + "keyVaultEndpoint": "https://keyvault-drivers-2411.vault.azure.net/keys/", + "keyName": "KEY-NAME", + } +} +``` + +This should successfully load and use the Azure credentials of the service account attached to the virtual machine. + +Expect the key to be successfully created. + +### 20. Bypass creating mongocryptd client when shared library is loaded + +> [!NOTE] +> IMPORTANT: If [crypt_shared](../client-side-encryption.rst#crypt_shared) is not visible to the operating system's +> library search mechanism, this test should be skipped. + +The following tests that a mongocryptd client is not created when shared library is in-use. + +1. Start a new thread (referred to as `listenerThread`) + +2. On `listenerThread`, create a TcpListener on 127.0.0.1 endpoint and port 27021. Start the listener and wait for + establishing connections. If any connection is established, then signal about this to the main thread. + + Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port + that should be free. + +3. Create a MongoClient configured with auto encryption (referred to as `client_encrypted`) + + Configure the required options. Use the `local` KMS provider as follows: + + ```javascript + { "local": { "key": } } + ``` + + Configure with the `keyVaultNamespace` set to `keyvault.datakeys`. + + Configure the following `extraOptions`: + + ```javascript + { + "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000" + } + ``` + +4. Use `client_encrypted` to insert the document `{"unencrypted": "test"}` into `db.coll`. + +5. Expect no signal from `listenerThread`. + +### 21. Automatic Data Encryption Keys + +The Automatic Data Encryption Keys tests require MongoDB server 7.0+. The tests must not run against a standalone. + +> [!NOTE] +> MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. +> libmongocrypt 1.8.0 is configured to use the QEv2 protocol. + +For each of the following test cases, assume `DB` is a valid open database handle, and assume a +[ClientEncryption](../client-side-encryption.rst#clientencryption) object `CE` created using the following options: + +``` +clientEncryptionOptions: { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { + local: { key: base64Decode(LOCAL_MASTERKEY) }, + aws: { + accessKeyId: , + secretAccessKey: + }, + }, +} +``` + +Run each test case with each of these KMS providers: `aws`, `local`. The KMS provider name is referred to as +`kmsProvider`. When testing `aws`, use the following as the `masterKey` option: + +```javascript +{ + region: "us-east-1", + key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" +} +``` + +When testing `local`, set `masterKey` to `null`. + +#### Case 1: Simple Creation and Validation + +This test is the most basic to verify that +[CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) created a collection with +queryable encryption enabled. It verifies that the server rejects an attempt to insert plaintext in an encrypted fields. + +1. Create a new create-collection options $Opts$ including the following: + + ```typescript + { + encryptedFields: { + fields: [{ + path: "ssn", + bsonType: "string", + keyId: null + }] + } + } + ``` + +2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$ to obtain a new collection + $Coll$. Expect success. + +3. Attempt to insert the following document into `Coll`: + + ```typescript + { + ssn: "123-45-6789" + } + ``` + +4. Expect an error from the insert operation that indicates that the document failed validation. This error indicates + that the server expects to receive an encrypted field for `ssn`, but we tried to insert a plaintext field via a + client that is unaware of the encryption requirements. + +#### Case 2: Missing `encryptedFields` + +The [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) helper should not +create a regular collection if there are no `encryptedFields` for the collection being created. Instead, it should +generate an error indicated that the `encryptedFields` option is missing. + +1. Create a new empty create-collection options $Opts$. (i.e. it must not contain any `encryptedFields` options.) +2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$. +3. Expect the invocation to fail with an error indicating that `encryptedFields` is not defined for the collection, and + expect that no collection was created within the database. It would be *incorrect* for + [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) to create a regular + collection without queryable encryption enabled. + +#### Case 3: Invalid `keyId` + +The [CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) helper only inspects +`encryptedFields.fields` for `keyId` of `null`. +[CreateEncryptedCollection](../client-side-encryption.rst#create-encrypted-collection-helper) should forward all other +data as-is, even if it would be malformed. The server should generate an error when attempting to create a collection +with such invalid settings. + +> [!NOTE] +> This test is not required if the type system of the driver has a compile-time check that fields' `keyId`s are of the +> correct type. + +1. Create a new create-collection options $Opts$ including the following: + + ```typescript + { + encryptedFields: { + fields: [{ + path: "ssn", + bsonType: "string", + keyId: false, + }] + } + } + ``` + +2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$. + +3. Expect an error from the server indicating a validation error at `create.encryptedFields.fields.keyId`, which must be + a UUID and not a boolean value. + +#### Case 4: Insert encrypted value + +This test is continuation of the case 1 and provides a way to complete inserting with encrypted value. + +1. Create a new create-collection options $Opts$ including the following: + + ```typescript + { + encryptedFields: { + fields: [{ + path: "ssn", + bsonType: "string", + keyId: null + }] + } + } + ``` + +2. Invoke $CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)$ to obtain a new collection + $Coll$ and data key $key1$. Expect success. + +3. Use $CE$ to explicitly encrypt the string "123-45-6789" using algorithm $Unindexed$ and data key $key1$. Refer result + as $encryptedPayload$. + +4. Attempt to insert the following document into `Coll`: + + ```typescript + { + ssn: + } + ``` + + Expect success. + +### 22. Range Explicit Encryption + +The Range Explicit Encryption tests require MongoDB server 8.0+. + +> [!NOTE] +> MongoDB Server 8.0 introduced a backwards breaking change to the Queryable Encryption (QE) range protocol: QE Range V2 +> libmongocrypt 1.10.0 is required to use the QE Range V2. + +> [!NOTE] +> MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. +> libmongocrypt 1.8.0 is configured to use the QEv2 protocol. + +Each of the following test cases must pass for each of the supported types (`DecimalNoPrecision`, `DecimalPrecision`, +`DoublePrecision`, `DoubleNoPrecision`, `Date`, `Int`, and `Long`), unless it is stated the type should be skipped. + +Tests for `DecimalNoPrecision` must only run against a replica set. `DecimalNoPrecision` queries are expected to take a +long time and may exceed the default mongos timeout. + +Before running each of the following test cases, perform the following Test Setup. + +#### Test Setup + +Load the file for the specific data type being tested `range-encryptedFields-.json`. For example, for `Int` load +[range-encryptedFields-Int.json](https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/etc/data/range-encryptedFields-Int.json) +as `encryptedFields`. + +Load the file +[key1-document.json](https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/etc/data/keys/key1-document.json) +as `key1Document`. + +Read the `"_id"` field of `key1Document` as `key1ID`. + +Drop and create the collection `db.explicit_encryption` using `encryptedFields` as an option. See +[FLE 2 CreateCollection() and Collection.Drop()](../client-side-encryption.md#fle-2-createcollection-and-collection-drop). + +Drop and create the collection `keyvault.datakeys`. + +Insert `key1Document` in `keyvault.datakeys` with majority write concern. + +Create a MongoClient named `keyVaultClient`. + +Create a ClientEncryption object named `clientEncryption` with these options: + +```typescript +class ClientEncryptionOpts { + keyVaultClient: , + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, +} +``` + +Create a MongoClient named `encryptedClient` with these `AutoEncryptionOpts`: + +```typescript +class AutoEncryptionOpts { + keyVaultNamespace: "keyvault.datakeys", + kmsProviders: { "local": { "key": } }, + bypassQueryAnalysis: true, +} +``` + +The remaining tasks require setting `RangeOpts`. [Test Setup: RangeOpts](#test-setup-rangeopts) lists the values to use +for `RangeOpts` for each of the supported data types. + +Use `clientEncryption` to encrypt these values: 0, 6, 30, and 200. Ensure the type matches that of the encrypted field. +For example, if the encrypted field is `encryptedDoubleNoPrecision` encrypt the value 6.0. + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Use `encryptedClient` to insert the following documents into `db.explicit_encryption`: + +```javascript +{ "_id": 0, "encrypted": } +{ "_id": 1, "encrypted": } +{ "_id": 2, "encrypted": } +{ "_id": 3, "encrypted": } +``` + +#### Test Setup: RangeOpts + +This section lists the values to use for `RangeOpts` for each of the supported data types, since each data type requires +a different `RangeOpts`. + +Each test listed in the cases below must pass for all supported data types unless it is stated the type should be +skipped. + +1. DecimalNoPrecision + + ```typescript + class RangeOpts { + trimFactor: 1, + sparsity: 1, + } + ``` + +2. DecimalPrecision + + ```typescript + class RangeOpts { + min: { "$numberDecimal": "0" }, + max: { "$numberDecimal": "200" }, + trimFactor: 1, + sparsity: 1, + precision: 2, + } + ``` + +3. DoubleNoPrecision + + ```typescript + class RangeOpts { + trimFactor: 1 + sparsity: 1, + } + ``` + +4. DoublePrecision + + ```typescript + class RangeOpts { + min: { "$numberDouble": "0" }, + max: { "$numberDouble": "200" }, + trimFactor: 1, + sparsity: 1, + precision: 2, + } + ``` + +5. Date + + ```typescript + class RangeOpts { + min: {"$date": { "$numberLong": "0" } } , + max: {"$date": { "$numberLong": "200" } }, + trimFactor: 1, + sparsity: 1, + } + ``` + +6. Int + + ```typescript + class RangeOpts { + min: {"$numberInt": "0" } , + max: {"$numberInt": "200" }, + trimFactor: 1, + sparsity: 1, + } + ``` + +7. Long + + ```typescript + class RangeOpts { + min: {"$numberLong": "0" } , + max: {"$numberLong": "200" }, + trimFactor: 1, + sparsity: 1, + } + ``` + +#### Case 1: can decrypt a payload + +Use `clientEncryption.encrypt()` to encrypt the value 6. Ensure the type matches that of the encrypted field. For +example, if the encrypted field is `encryptedLong` encrypt a BSON int64 type, not a BSON int32 type. + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Store the result in `insertPayload`. + +Use `clientEncryption` to decrypt `insertPayload`. Assert the returned value equals 6 and has the expected type. + +> [!NOTE] +> The type returned by `clientEncryption.decrypt()` may differ from the input type to `clientEncryption.encrypt()` +> depending on how the driver unmarshals BSON numerics to language native types. Example: a driver may unmarshal a BSON +> int64 to a numeric type that does not distinguish between int64 and int32. + +#### Case 2: can find encrypted range and return the maximum + +Use `clientEncryption.encryptExpression()` to encrypt this query: + +```javascript +// Convert 6 and 200 to the encrypted field type +{ "$and": [ { "encrypted": { "$gte": 6 } }, { "encrypted": { "$lte": 200 } } ] } +``` + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + queryType: "range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter `findPayload` +and sort the results by `_id`. + +Assert the following three documents are returned: + +```javascript +// Convert 6, 30, and 200 to the encrypted field type +{ "_id": 1, "encrypted": 6 } +{ "_id": 2, "encrypted": 30 } +{ "_id": 3, "encrypted": 200 } +``` + +#### Case 3: can find encrypted range and return the minimum + +Use `clientEncryption.encryptExpression()` to encrypt this query: + +```javascript +// Convert 0 and 6 to the encrypted field type +{ "$and": [ { "encrypted": { "$gte": 0 } }, { "encrypted": { "$lte": 6 } } ] } +``` + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + queryType: "range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter `findPayload` +and sort the results by `_id`. + +Assert the following two documents are returned: + +```javascript +// Convert 0 and 6 to the encrypted field type +{ "_id": 0, "encrypted": 0 } +{ "_id": 1, "encrypted": 6 } +``` + +#### Case 4: can find encrypted range with an open range query + +Use `clientEncryption.encryptExpression()` to encrypt this query: + +```javascript +// Convert 30 to the encrypted field type +{ "$and": [ { "encrypted": { "$gt": 30 } } ] } +``` + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + queryType: "range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter `findPayload` +and sort the results by `_id`. + +Assert the following document is returned: + +```javascript +// Convert 200 to the encrypted field type +{ "_id": 3, "encrypted": 200 } +``` + +#### Case 5: can run an aggregation expression inside $expr + +Use `clientEncryption.encryptExpression()` to encrypt this query: + +```javascript +// Convert 30 to the encrypted field type +{ "$and": [ { "$lt": [ "$encrypted", 30 ] } ] } } +``` + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + queryType: "range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Store the result in `findPayload`. + +Use `encryptedClient` to run a "find" operation on the `db.explicit_encryption` collection with the filter +`{ "$expr": }` and sort the results by `_id`. + +Assert the following two documents are returned: + +```javascript +// Convert 0 and 6 to the encrypted field type +{ "_id": 0, "encrypted": 0 } +{ "_id": 1, "encrypted": 6 } +``` + +#### Case 6: encrypting a document greater than the maximum errors + +This test case should be skipped if the encrypted field is `encryptedDoubleNoPrecision` or +`encryptedDecimalNoPrecision`. + +Use `clientEncryption.encrypt()` to encrypt the value 201. Ensure the type matches that of the encrypted field. + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Assert that an error was raised because 201 is greater than the maximum value in `RangeOpts`. + +#### Case 7: encrypting a value of a different type errors + +This test case should be skipped if the encrypted field is `encryptedDoubleNoPrecision` or +`encryptedDecimalNoPrecision`. + +Use `clientEncryption.encrypt()` to encrypt the value 6 with a type that does not match that of the encrypted field. + +If the encrypted field is `encryptedInt` use a BSON double type. Otherwise, use a BSON int32 type. + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Ensure that `RangeOpts` corresponds to the type of the encrypted field (i.e. expected type) and not that of the value +being passed to `clientEncryption.encrypt()`. + +Assert that an error was raised. + +#### Case 8: setting precision errors if the type is not double or Decimal128 + +This test case should be skipped if the encrypted field is `encryptedDoublePrecision`, `encryptedDoubleNoPrecision`, +`encryptedDecimalPrecision`, or `encryptedDecimalNoPrecision`. + +Use `clientEncryption.encrypt()` to encrypt the value 6. Ensure the type matches that of the encrypted field. + +Add `{ precision: 2 }` to the encrypted field's `RangeOpts` (see: [Test Setup: RangeOpts](#test-setup-rangeopts)). + +Encrypt using the following `EncryptOpts`: + +```typescript +class EncryptOpts { + keyId : , + algorithm: "Range", + contentionFactor: 0, + rangeOpts: , +} +``` + +Assert that an error was raised. diff --git a/src/test/spec/json/client-side-encryption/README.rst b/src/test/spec/json/client-side-encryption/README.rst deleted file mode 100644 index 746630c53..000000000 --- a/src/test/spec/json/client-side-encryption/README.rst +++ /dev/null @@ -1,3077 +0,0 @@ -============================ -Client Side Encryption Tests -============================ - -.. contents:: - ----- - -Introduction -============ - -This document describes the format of the driver spec tests included in the -JSON and YAML files included in the ``legacy`` sub-directory. Tests in the -``unified`` directory are written using the `Unified Test Format -<../../unified-test-format/unified-test-format.rst>`_. - -The ``timeoutMS.yml``/``timeoutMS.json`` files in this directory contain tests -for the ``timeoutMS`` option and its application to the client-side encryption -feature. Drivers MUST only run these tests after implementing the -`Client Side Operations Timeout -<../client-side-operations-timeout/client-side-operations-timeout.rst>`__ -specification. - -Additional prose tests, that are not represented in the spec tests, are described -and MUST be implemented by all drivers. - -Running spec and prose tests require that the driver and server both support -Client-Side Field Level Encryption. CSFLE is supported when all of the following -are true: - -- Server version is 4.2.0 or higher. Legacy spec test runners can rely on - ``runOn.minServerVersion`` for this check. -- Driver has libmongocrypt enabled -- At least one of crypt_shared_ and/or mongocryptd_ is available. - -.. _crypt_shared: ../client-side-encryption.rst#crypt_shared -.. _mongocryptd: ../client-side-encryption.rst#mongocryptd - -Spec Test Format -================ - -The spec tests format is an extension of `transactions spec tests `_ with some additions: - -- A ``json_schema`` to set on the collection used for operations. - -- An ``encrypted_fields`` to set on the collection used for operations. - -- A ``key_vault_data`` of data that should be inserted in the key vault collection before each test. - -- Introduction ``autoEncryptOpts`` to `clientOptions` - -- Addition of `$db` to command in `command_started_event` - -- Addition of `$$type` to command_started_event and outcome. - -The semantics of `$$type` is that any actual value matching one of the types indicated by either a BSON type string -or an array of BSON type strings is considered a match. - -For example, the following matches a command_started_event for an insert of a document where `random` must be of type ``binData``:: - - - command_started_event: - command: - insert: *collection_name - documents: - - { random: { $$type: "binData" } } - ordered: true - command_name: insert - -The following matches a command_started_event for an insert of a document where ``random`` must be of type -``binData`` or ``string``:: - - - command_started_event: - command: - insert: *collection_name - documents: - - { random: { $$type: ["binData", "string"] } } - ordered: true - command_name: insert - -The values of `$$type` correspond to `these documented string representations of BSON types `_. - - -Each YAML file has the following keys: - -.. |txn| replace:: Unchanged from Transactions spec tests. - -- ``runOn`` |txn| - -- ``database_name`` |txn| - -- ``collection_name`` |txn| - -- ``data`` |txn| - -- ``json_schema`` A JSON Schema that should be set on the collection (using ``createCollection``) before each test run. - -- ``encrypted_fields`` An encryptedFields option that should be set on the collection (using ``createCollection``) before each test run. - -- ``key_vault_data`` The data that should exist in the key vault collection under test before each test run. - -- ``tests``: An array of tests that are to be run independently of each other. - Each test will have some or all of the following fields: - - - ``description``: |txn| - - - ``skipReason``: |txn| - - - ``useMultipleMongoses``: |txn| - - - ``failPoint``: |txn| - - - ``clientOptions``: Optional, parameters to pass to MongoClient(). - - - ``autoEncryptOpts``: Optional - - - ``kmsProviders`` A dictionary of KMS providers to set on the key vault ("aws" or "local") - - - ``aws`` The AWS KMS provider. An empty object. Drivers MUST fill in AWS credentials (`accessKeyId`, `secretAccessKey`) from the environment. - - - ``azure`` The Azure KMS provider credentials. An empty object. Drivers MUST fill in Azure credentials (`tenantId`, `clientId`, and `clientSecret`) from the environment. - - - ``gcp`` The GCP KMS provider credentials. An empty object. Drivers MUST fill in GCP credentials (`email`, `privateKey`) from the environment. - - - ``local`` The local KMS provider. - - - ``key`` A 96 byte local key. - - - ``kmip`` The KMIP KMS provider credentials. An empty object. Drivers MUST fill in KMIP credentials (`endpoint`, and TLS options). - - - ``schemaMap``: Optional, a map from namespaces to local JSON schemas. - - - ``keyVaultNamespace``: Optional, a namespace to the key vault collection. Defaults to "keyvault.datakeys". - - - ``bypassAutoEncryption``: Optional, a boolean to indicate whether or not auto encryption should be bypassed. Defaults to ``false``. - - - ``encryptedFieldsMap`` An optional document. The document maps collection namespace to ``EncryptedFields`` documents. - - - ``operations``: Array of documents, each describing an operation to be - executed. Each document has the following fields: - - - ``name``: |txn| - - - ``object``: |txn|. Defaults to "collection" if omitted. - - - ``collectionOptions``: |txn| - - - ``command_name``: |txn| - - - ``arguments``: |txn| - - - ``result``: Same as the Transactions spec test format with one addition: if the operation is expected to return - an error, the ``result`` document may contain an ``isTimeoutError`` boolean field. If ``true``, the test runner - MUST assert that the error represents a timeout due to the use of the ``timeoutMS`` option. If ``false``, the - test runner MUST assert that the error does not represent a timeout. - - - ``expectations``: |txn| - - - ``outcome``: |txn| - - - -Use as integration tests -======================== - -Do the following before running spec tests: - -- If available for the platform under test, obtain a crypt_shared_ binary and place it - in a location accessible to the tests. Refer to: `Using crypt_shared`_ -- Start the mongocryptd process. -- Start a mongod process with **server version 4.2.0 or later**. -- Place credentials to an AWS IAM user (access key ID + secret access key) somewhere in the environment outside of tracked code. (If testing on evergreen, project variables are a good place). -- Start a KMIP test server on port 5698 by running `drivers-evergreen-tools/.evergreen/csfle/kms_kmip_server.py `_. - -Load each YAML (or JSON) file using a Canonical Extended JSON parser. - -If the test file name matches the regular expression ``fle2\-Range\-.*\-Correctness``, drivers MAY skip the test on macOS. The ``fle2-Range`` tests are very slow on macOS and do not provide significant additional test coverage. - -Then for each element in ``tests``: - -#. If the ``skipReason`` field is present, skip this test completely. -#. If the ``key_vault_data`` field is present: - - #. Drop the ``keyvault.datakeys`` collection using writeConcern "majority". - #. Insert the data specified into the ``keyvault.datakeys`` with write concern "majority". - -#. Create a MongoClient. - -#. Create a collection object from the MongoClient, using the ``database_name`` - and ``collection_name`` fields from the YAML file. Drop the collection - with writeConcern "majority". If a ``json_schema`` is defined in the test, - use the ``createCollection`` command to explicitly create the collection: - - .. code:: typescript - - {"create": , "validator": {"$jsonSchema": }} - - If ``encrypted_fields`` is defined in the test, the required collections and index described in `Create and Drop Collection Helpers `_ must be created: - - - Use the ``dropCollection`` helper with ``encrypted_fields`` as an option and writeConcern "majority". - - Use the ``createCollection`` helper with ``encrypted_fields`` as an option. - -#. If the YAML file contains a ``data`` array, insert the documents in ``data`` - into the test collection, using writeConcern "majority". - -#. Create a **new** MongoClient using ``clientOptions``. - - #. If ``autoEncryptOpts`` includes ``aws``, ``awsTemporary``, ``awsTemporaryNoSessionToken``, - ``azure``, ``gcp``, and/or ``kmip`` as a KMS provider, pass in credentials from the environment. - - - ``awsTemporary``, and ``awsTemporaryNoSessionToken`` require temporary - AWS credentials. These can be retrieved using the csfle `set-temp-creds.sh - `_ - script. - - - ``aws``, ``awsTemporary``, and ``awsTemporaryNoSessionToken`` are - mutually exclusive. - - ``aws`` should be substituted with: - - .. code:: javascript - - "aws": { - "accessKeyId": , - "secretAccessKey": - } - - ``awsTemporary`` should be substituted with: - - .. code:: javascript - - "aws": { - "accessKeyId": , - "secretAccessKey": - "sessionToken": - } - - ``awsTemporaryNoSessionToken`` should be substituted with: - - .. code:: javascript - - "aws": { - "accessKeyId": , - "secretAccessKey": - } - - ``gcp`` should be substituted with: - - .. code:: javascript - - "gcp": { - "email": , - "privateKey": , - } - - ``azure`` should be substituted with: - - .. code:: javascript - - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - } - - ``local`` should be substituted with: - - .. code:: javascript - - "local": { "key": } - - ``kmip`` should be substituted with: - - .. code:: javascript - - "kmip": { "endpoint": "localhost:5698" } - - Configure KMIP TLS connections to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/ca.pem `_. This MAY be configured system-wide. - - ``tlsCertificateKeyFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/client.pem `_. - - The method of passing TLS options for KMIP TLS connections is driver dependent. - - #. If ``autoEncryptOpts`` does not include ``keyVaultNamespace``, default it - to ``keyvault.datakeys``. - -#. For each element in ``operations``: - - - Enter a "try" block or your programming language's closest equivalent. - - Create a Database object from the MongoClient, using the ``database_name`` - field at the top level of the test file. - - Create a Collection object from the Database, using the - ``collection_name`` field at the top level of the test file. - If ``collectionOptions`` is present create the Collection object with the - provided options. Otherwise create the object with the default options. - - Execute the named method on the provided ``object``, passing the - arguments listed. - - If the driver throws an exception / returns an error while executing this - series of operations, store the error message and server error code. - - If the result document has an "errorContains" field, verify that the - method threw an exception or returned an error, and that the value of the - "errorContains" field matches the error string. "errorContains" is a - substring (case-insensitive) of the actual error message. - - If the result document has an "errorCodeName" field, verify that the - method threw a command failed exception or returned an error, and that - the value of the "errorCodeName" field matches the "codeName" in the - server error response. - - If the result document has an "errorLabelsContain" field, verify that the - method threw an exception or returned an error. Verify that all of the - error labels in "errorLabelsContain" are present in the error or exception - using the ``hasErrorLabel`` method. - - If the result document has an "errorLabelsOmit" field, verify that the - method threw an exception or returned an error. Verify that none of the - error labels in "errorLabelsOmit" are present in the error or exception - using the ``hasErrorLabel`` method. - - If the operation returns a raw command response, eg from ``runCommand``, - then compare only the fields present in the expected result document. - Otherwise, compare the method's return value to ``result`` using the same - logic as the CRUD Spec Tests runner. - -#. If the test includes a list of command-started events in ``expectations``, - compare them to the actual command-started events using the - same logic as the `Command Monitoring spec legacy test runner `__. - -#. For each element in ``outcome``: - - - If ``name`` is "collection", create a new MongoClient *without encryption* - and verify that the test collection contains exactly the documents in the - ``data`` array. Ensure this find reads the latest data by using - **primary read preference** with **local read concern** even when the - MongoClient is configured with another read preference or read concern. - -The spec test MUST be run with *and* without auth. - - -Using ``crypt_shared`` -====================== - -On platforms where crypt_shared_ is available, drivers should prefer to test -with the ``crypt_shared`` library instead of spawning mongocryptd. - -crypt_shared_ is released alongside the server. -crypt_shared_ is only available in versions 6.0 and above. - -mongocryptd is released alongside the server. -mongocryptd is available in versions 4.2 and above. - -Drivers MUST run all tests with mongocryptd on at least one platform for all -tested server versions. - -Drivers MUST run all tests with crypt_shared_ on at least one platform for all -tested server versions. For server versions < 6.0, drivers MUST test with the -latest major release of crypt_shared_. Using the latest major release of -crypt_shared_ is supported with older server versions. - -Note that some tests assert on mongocryptd-related behaviors (e.g. the -``mongocryptdBypassSpawn`` test). - -Drivers under test should load the crypt_shared_ library using either the -``cryptSharedLibPath`` public API option (as part of the AutoEncryption -``extraOptions``), or by setting a special search path instead. - -Some tests will require *not* using crypt_shared_. For such tests, one should -ensure that ``crypt_shared`` will not be loaded. Refer to the -client-side-encryption documentation for information on "disabling" -``crypt_shared`` and setting library search paths. - -.. note:: - - The crypt_shared_ dynamic library can be obtained using the mongodl_ Python - script from drivers-evergreen-tools_: - - .. code-block:: shell - - $ python3 mongodl.py --component=crypt_shared --version= --out=./crypt_shared/ - - Other versions of ``crypt_shared`` are also available. Please use the - ``--list`` option to see versions. - -.. _mongodl: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/mongodl.py -.. _drivers-evergreen-tools: https://github.com/mongodb-labs/drivers-evergreen-tools/ - - - -Prose Tests -=========== - -Tests for the ClientEncryption type are not included as part of the YAML tests. - -In the prose tests LOCAL_MASTERKEY refers to the following base64: - -.. code:: javascript - - Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk - -Perform all applicable operations on key vault collections (e.g. inserting an example data key, or running a find command) with readConcern/writeConcern "majority". - -1. Custom Key Material Test -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -#. Create a ``MongoClient`` object (referred to as ``client``). - -#. Using ``client``, drop the collection ``keyvault.datakeys``. - -#. Create a ``ClientEncryption`` object (referred to as ``client_encryption``) with ``client`` set as the ``keyVaultClient``. - -#. Using ``client_encryption``, create a data key with a ``local`` KMS provider and the following custom key material (given as base64): - -.. code:: javascript - - xPTAjBRG5JiPm+d3fj6XLi2q5DMXUS/f1f+SMAlhhwkhDRL0kr8r9GDLIGTAGlvC+HVjSIgdL+RKwZCvpXSyxTICWSXTUYsWYPyu3IoHbuBZdmw2faM3WhcRIgbMReU5 - -#. Find the resulting key document in ``keyvault.datakeys``, save a copy of the key document, then remove the key document from the collection. - -#. Replace the ``_id`` field in the copied key document with a UUID with base64 value ``AAAAAAAAAAAAAAAAAAAAAA==`` (16 bytes all equal to ``0x00``) and insert the modified key document into ``keyvault.datakeys`` with majority write concern. - -#. Using ``client_encryption``, encrypt the string ``"test"`` with the modified data key using the ``AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic`` algorithm and assert the resulting value is equal to the following (given as base64): - -.. code:: javascript - - AQAAAAAAAAAAAAAAAAAAAAACz0ZOLuuhEYi807ZXTdhbqhLaS2/t9wLifJnnNYwiw79d75QYIZ6M/aYC1h9nCzCjZ7pGUpAuNnkUhnIXM3PjrA== - -2. Data Key and Double Encryption -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -First, perform the setup. - -#. Create a MongoClient without encryption enabled (referred to as ``client``). Enable command monitoring to listen for command_started events. - -#. Using ``client``, drop the collections ``keyvault.datakeys`` and ``db.coll``. - -#. Create the following: - - - A MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - A ``ClientEncryption`` object (referred to as ``client_encryption``) - - Configure both objects with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - }, - "gcp": { - "email": , - "privateKey": , - } - "local": { "key": }, - "kmip": { "endpoint": "localhost:5698" } - } - - Configure KMIP TLS connections to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/ca.pem `_. This MAY be configured system-wide. - - ``tlsCertificateKeyFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/client.pem `_. - - The method of passing TLS options for KMIP TLS connections is driver dependent. - - Configure both objects with ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure the ``MongoClient`` with the following ``schema_map``: - - .. code:: javascript - - { - "db.coll": { - "bsonType": "object", - "properties": { - "encrypted_placeholder": { - "encrypt": { - "keyId": "/placeholder", - "bsonType": "string", - "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" - } - } - } - } - } - - Configure ``client_encryption`` with the ``keyVaultClient`` of the previously created ``client``. - -For each KMS provider (``aws``, ``azure``, ``gcp``, ``local``, and ``kmip``), referred to as ``provider_name``, run the following test. - -#. Call ``client_encryption.createDataKey()``. - - - Set keyAltNames to ``["_altname"]``. - - Set the masterKey document based on ``provider_name``. - - For "aws": - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - } - - For "azure": - - .. code:: javascript - - { - "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", - "keyName": "key-name-csfle" - } - - For "gcp": - - .. code:: javascript - - { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle" - } - - For "kmip": - - .. code:: javascript - - {} - - For "local", do not set a masterKey document. - - Expect a BSON binary with subtype 4 to be returned, referred to as ``datakey_id``. - - Use ``client`` to run a ``find`` on ``keyvault.datakeys`` by querying with the ``_id`` set to the ``datakey_id``. - - Expect that exactly one document is returned with the "masterKey.provider" equal to ``provider_name``. - - Check that ``client`` captured a command_started event for the ``insert`` command containing a majority writeConcern. - -#. Call ``client_encryption.encrypt()`` with the value "hello ", the algorithm ``AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic``, and the ``key_id`` of ``datakey_id``. - - - Expect the return value to be a BSON binary subtype 6, referred to as ``encrypted``. - - Use ``client_encrypted`` to insert ``{ _id: "", "value": }`` into ``db.coll``. - - Use ``client_encrypted`` to run a find querying with ``_id`` of "" and expect ``value`` to be "hello ". - -#. Call ``client_encryption.encrypt()`` with the value "hello ", the algorithm ``AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic``, and the ``key_alt_name`` of ``_altname``. - - - Expect the return value to be a BSON binary subtype 6. Expect the value to exactly match the value of ``encrypted``. - -#. Test explicit encrypting an auto encrypted field. - - - Use ``client_encrypted`` to attempt to insert ``{ "encrypted_placeholder": }`` - - Expect an exception to be thrown, since this is an attempt to auto encrypt an already encrypted value. - - - -3. External Key Vault Test -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Run the following tests twice, parameterized by a boolean ``withExternalKeyVault``. - -#. Create a MongoClient without encryption enabled (referred to as ``client``). - -#. Using ``client``, drop the collections ``keyvault.datakeys`` and ``db.coll``. - Insert the document `external/external-key.json <../external/external-key.json>`_ into ``keyvault.datakeys``. - -#. Create the following: - - - A MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - A ``ClientEncryption`` object (referred to as ``client_encryption``) - - Configure both objects with the ``local`` KMS providers as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure both objects with ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure ``client_encrypted`` to use the schema `external/external-schema.json <../external/external-schema.json>`_ for ``db.coll`` by setting a schema map like: ``{ "db.coll": }`` - - If ``withExternalKeyVault == true``, configure both objects with an external key vault client. The external client MUST connect to the same - MongoDB cluster that is being tested against, except it MUST use the username ``fake-user`` and password ``fake-pwd``. - -#. Use ``client_encrypted`` to insert the document ``{"encrypted": "test"}`` into ``db.coll``. - If ``withExternalKeyVault == true``, expect an authentication exception to be thrown. Otherwise, expect the insert to succeed. - -#. Use ``client_encryption`` to explicitly encrypt the string ``"test"`` with key ID ``LOCALAAAAAAAAAAAAAAAAA==`` and deterministic algorithm. - If ``withExternalKeyVault == true``, expect an authentication exception to be thrown. Otherwise, expect the insert to succeed. - - -4. BSON Size Limits and Batch Splitting -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -First, perform the setup. - -#. Create a MongoClient without encryption enabled (referred to as ``client``). - -#. Using ``client``, drop and create the collection ``db.coll`` configured with the included JSON schema `limits/limits-schema.json <../limits/limits-schema.json>`_. - -#. Using ``client``, drop the collection ``keyvault.datakeys``. Insert the document `limits/limits-key.json <../limits/limits-key.json>`_ - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure with the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - -Using ``client_encrypted`` perform the following operations: - -#. Insert ``{ "_id": "over_2mib_under_16mib", "unencrypted": }``. - - Expect this to succeed since this is still under the ``maxBsonObjectSize`` limit. - -#. Insert the document `limits/limits-doc.json <../limits/limits-doc.json>`_ concatenated with ``{ "_id": "encryption_exceeds_2mib", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }`` - Note: limits-doc.json is a 1005 byte BSON document that encrypts to a ~10,000 byte document. - - Expect this to succeed since after encryption this still is below the normal maximum BSON document size. - Note, before auto encryption this document is under the 2 MiB limit. After encryption it exceeds the 2 MiB limit, but does NOT exceed the 16 MiB limit. - -#. Bulk insert the following: - - - ``{ "_id": "over_2mib_1", "unencrypted": }`` - - - ``{ "_id": "over_2mib_2", "unencrypted": }`` - - Expect the bulk write to succeed and split after first doc (i.e. two inserts occur). This may be verified using `command monitoring `_. - -#. Bulk insert the following: - - - The document `limits/limits-doc.json <../limits/limits-doc.json>`_ concatenated with ``{ "_id": "encryption_exceeds_2mib_1", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }`` - - - The document `limits/limits-doc.json <../limits/limits-doc.json>`_ concatenated with ``{ "_id": "encryption_exceeds_2mib_2", "unencrypted": < the string "a" repeated (2097152 - 2000) times > }`` - - Expect the bulk write to succeed and split after first doc (i.e. two inserts occur). This may be verified using `command logging and monitoring `_. - -#. Insert ``{ "_id": "under_16mib", "unencrypted": ``. - - Expect this to succeed since this is still (just) under the ``maxBsonObjectSize`` limit. - -#. Insert the document `limits/limits-doc.json <../limits/limits-doc.json>`_ concatenated with ``{ "_id": "encryption_exceeds_16mib", "unencrypted": < the string "a" repeated (16777216 - 2000) times > }`` - - Expect this to fail since encryption results in a document exceeding the ``maxBsonObjectSize`` limit. - -Optionally, if it is possible to mock the maxWriteBatchSize (i.e. the maximum number of documents in a batch) test that setting maxWriteBatchSize=1 and inserting the two documents ``{ "_id": "a" }, { "_id": "b" }`` with ``client_encrypted`` splits the operation into two inserts. - - -5. Views Are Prohibited -~~~~~~~~~~~~~~~~~~~~~~~ - -#. Create a MongoClient without encryption enabled (referred to as ``client``). - -#. Using ``client``, drop and create a view named ``db.view`` with an empty pipeline. E.g. using the command ``{ "create": "view", "viewOn": "coll" }``. - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure with the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - -#. Using ``client_encrypted``, attempt to insert a document into ``db.view``. Expect an exception to be thrown containing the message: "cannot auto encrypt a view". - - -6. Corpus Test -~~~~~~~~~~~~~~ - -The corpus test exhaustively enumerates all ways to encrypt all BSON value types. Note, the test data includes BSON binary subtype 4 (or standard UUID), which MUST be decoded and encoded as subtype 4. Run the test as follows. - -1. Create a MongoClient without encryption enabled (referred to as ``client``). - -2. Using ``client``, drop and create the collection ``db.coll`` configured with the included JSON schema `corpus/corpus-schema.json <../corpus/corpus-schema.json>`_. - -3. Using ``client``, drop the collection ``keyvault.datakeys``. Insert the documents `corpus/corpus-key-local.json <../corpus/corpus-key-local.json>`_, `corpus/corpus-key-aws.json <../corpus/corpus-key-aws.json>`_, `corpus/corpus-key-azure.json <../corpus/corpus-key-azure.json>`_, `corpus/corpus-key-gcp.json <../corpus/corpus-key-gcp.json>`_, and `corpus/corpus-key-kmip.json <../corpus/corpus-key-kmip.json>`_. - -4. Create the following: - - - A MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - A ``ClientEncryption`` object (referred to as ``client_encryption``) - - Configure both objects with ``aws``, ``azure``, ``gcp``, ``local``, and ``kmip`` KMS providers as follows: - - .. code:: javascript - - { - "aws": { }, - "azure": { }, - "gcp": { }, - "local": { "key": }, - "kmip": { "endpoint": "localhost:5698" } } - } - - Configure KMIP TLS connections to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/ca.pem `_. This MAY be configured system-wide. - - ``tlsCertificateKeyFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/client.pem `_. - - The method of passing TLS options for KMIP TLS connections is driver dependent. - - Where LOCAL_MASTERKEY is the following base64: - - .. code:: javascript - - Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk - - Configure both objects with ``keyVaultNamespace`` set to ``keyvault.datakeys``. - -5. Load `corpus/corpus.json <../corpus/corpus.json>`_ to a variable named ``corpus``. The corpus contains subdocuments with the following fields: - - - ``kms`` is ``aws``, ``azure``, ``gcp``, ``local``, or ``kmip`` - - ``type`` is a BSON type string `names coming from here `_) - - ``algo`` is either ``rand`` or ``det`` for random or deterministic encryption - - ``method`` is either ``auto``, for automatic encryption or ``explicit`` for explicit encryption - - ``identifier`` is either ``id`` or ``altname`` for the key identifier - - ``allowed`` is a boolean indicating whether the encryption for the given parameters is permitted. - - ``value`` is the value to be tested. - - Create a new BSON document, named ``corpus_copied``. - Iterate over each field of ``corpus``. - - - If the field name is ``_id``, ``altname_aws``, ``altname_local``, ``altname_azure``, ``altname_gcp``, or ``altname_kmip`` copy the field to ``corpus_copied``. - - If ``method`` is ``auto``, copy the field to ``corpus_copied``. - - If ``method`` is ``explicit``, use ``client_encryption`` to explicitly encrypt the value. - - - Encrypt with the algorithm described by ``algo``. - - If ``identifier`` is ``id`` - - - If ``kms`` is ``local`` set the key_id to the UUID with base64 value ``LOCALAAAAAAAAAAAAAAAAA==``. - - If ``kms`` is ``aws`` set the key_id to the UUID with base64 value ``AWSAAAAAAAAAAAAAAAAAAA==``. - - If ``kms`` is ``azure`` set the key_id to the UUID with base64 value ``AZUREAAAAAAAAAAAAAAAAA==``. - - If ``kms`` is ``gcp`` set the key_id to the UUID with base64 value ``GCPAAAAAAAAAAAAAAAAAAA==``. - - If ``kms`` is ``kmip`` set the key_id to the UUID with base64 value ``KMIPAAAAAAAAAAAAAAAAAA==``. - - - If ``identifier`` is ``altname`` - - - If ``kms`` is ``local`` set the key_alt_name to "local". - - If ``kms`` is ``aws`` set the key_alt_name to "aws". - - If ``kms`` is ``azure`` set the key_alt_name to "azure". - - If ``kms`` is ``gcp`` set the key_alt_name to "gcp". - - If ``kms`` is ``kmip`` set the key_alt_name to "kmip". - - If ``allowed`` is true, copy the field and encrypted value to ``corpus_copied``. - If ``allowed`` is false. verify that an exception is thrown. Copy the unencrypted value to to ``corpus_copied``. - - -6. Using ``client_encrypted``, insert ``corpus_copied`` into ``db.coll``. - -7. Using ``client_encrypted``, find the inserted document from ``db.coll`` to a variable named ``corpus_decrypted``. Since it should have been automatically decrypted, assert the document exactly matches ``corpus``. - -8. Load `corpus/corpus_encrypted.json <../corpus/corpus-encrypted.json>`_ to a variable named ``corpus_encrypted_expected``. - Using ``client`` find the inserted document from ``db.coll`` to a variable named ``corpus_encrypted_actual``. - - Iterate over each field of ``corpus_encrypted_expected`` and check the following: - - - If the ``algo`` is ``det``, that the value equals the value of the corresponding field in ``corpus_encrypted_actual``. - - If the ``algo`` is ``rand`` and ``allowed`` is true, that the value does not equal the value of the corresponding field in ``corpus_encrypted_actual``. - - If ``allowed`` is true, decrypt the value with ``client_encryption``. Decrypt the value of the corresponding field of ``corpus_encrypted`` and validate that they are both equal. - - If ``allowed`` is false, validate the value exactly equals the value of the corresponding field of ``corpus`` (neither was encrypted). - -9. Repeat steps 1-8 with a local JSON schema. I.e. amend step 4 to configure the schema on ``client_encrypted`` with the ``schema_map`` option. - -7. Custom Endpoint Test -~~~~~~~~~~~~~~~~~~~~~~~ - -Setup -````` - -For each test cases, start by creating two ``ClientEncryption`` objects. Recreate the ``ClientEncryption`` objects for each test case. - -Create a ``ClientEncryption`` object (referred to as ``client_encryption``) - -Configure with ``keyVaultNamespace`` set to ``keyvault.datakeys``, and a default MongoClient as the ``keyVaultClient``. - -Configure with KMS providers as follows: - -.. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "login.microsoftonline.com:443" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "oauth2.googleapis.com:443" - }, - "kmip" { - "endpoint": "localhost:5698" - } - } - -Create a ``ClientEncryption`` object (referred to as ``client_encryption_invalid``) - -Configure with ``keyVaultNamespace`` set to ``keyvault.datakeys``, and a default MongoClient as the ``keyVaultClient``. - -Configure with KMS providers as follows: - -.. code:: javascript - - { - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "doesnotexist.invalid:443" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "doesnotexist.invalid:443" - }, - "kmip": { - "endpoint": "doesnotexist.local:5698" - } - } - -Configure KMIP TLS connections to use the following options: - -- ``tlsCAFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/ca.pem `_. This MAY be configured system-wide. -- ``tlsCertificateKeyFile`` (or equivalent) set to `drivers-evergreen-tools/.evergreen/x509gen/client.pem `_. - -The method of passing TLS options for KMIP TLS connections is driver dependent. - -Test cases -`````````` - -1. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - -2. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - endpoint: "kms.us-east-1.amazonaws.com" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - -3. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - endpoint: "kms.us-east-1.amazonaws.com:443" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - -4. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - endpoint: "kms.us-east-1.amazonaws.com:12345" - } - - Expect this to fail with a socket connection error. - -5. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - endpoint: "kms.us-east-2.amazonaws.com" - } - - Expect this to fail with an exception. - -6. Call `client_encryption.createDataKey()` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - endpoint: "doesnotexist.invalid" - } - - Expect this to fail with a network exception indicating failure to resolve "doesnotexist.invalid". - -7. Call `client_encryption.createDataKey()` with "azure" as the provider and the following masterKey: - - .. code:: javascript - - { - "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", - "keyName": "key-name-csfle" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - - Call ``client_encryption_invalid.createDataKey()`` with the same masterKey. Expect this to fail with a network exception indicating failure to resolve "doesnotexist.invalid". - -8. Call `client_encryption.createDataKey()` with "gcp" as the provider and the following masterKey: - - .. code:: javascript - - { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle", - "endpoint": "cloudkms.googleapis.com:443" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - - Call ``client_encryption_invalid.createDataKey()`` with the same masterKey. Expect this to fail with a network exception indicating failure to resolve "doesnotexist.invalid". - -9. Call `client_encryption.createDataKey()` with "gcp" as the provider and the following masterKey: - - .. code:: javascript - - { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle", - "endpoint": "doesnotexist.invalid:443" - } - - Expect this to fail with an exception with a message containing the string: "Invalid KMS response". - -10. Call `client_encryption.createDataKey()` with "kmip" as the provider and the following masterKey: - - .. code:: javascript - - { - "keyId": "1" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - - Call ``client_encryption_invalid.createDataKey()`` with the same masterKey. Expect this to fail with a network exception indicating failure to resolve "doesnotexist.local". - -11. Call ``client_encryption.createDataKey()`` with "kmip" as the provider and the following masterKey: - - .. code:: javascript - - { - "keyId": "1", - "endpoint": "localhost:5698" - } - - Expect this to succeed. Use the returned UUID of the key to explicitly encrypt and decrypt the string "test" to validate it works. - -12. Call ``client_encryption.createDataKey()`` with "kmip" as the provider and the following masterKey: - - .. code:: javascript - - { - "keyId": "1", - "endpoint": "doesnotexist.local:5698" - } - - Expect this to fail with a network exception indicating failure to resolve "doesnotexist.local". - -8. Bypass Spawning mongocryptd -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - - CONSIDER: To reduce the chances of tests interfering with each other, - drivers MAY use a different port for each test in this group, - and include it in ``--pidfilepath``. The interference - may come from the fact that once spawned by a test, - ``mongocryptd`` stays up and running for some time. - -Via loading shared library -`````````````````````````` - -The following tests that loading crypt_shared_ bypasses spawning mongocryptd. - -.. note:: - - IMPORTANT: This test requires the crypt_shared_ library be loaded. If the crypt_shared_ library is - not available, skip the test. - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure the required options. Use the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure ``client_encrypted`` to use the schema `external/external-schema.json <../external/external-schema.json>`_ for ``db.coll`` by setting a schema map like: ``{ "db.coll": }`` - - Configure the following ``extraOptions``: - - .. code:: javascript - - { - "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000", - "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"], - "cryptSharedLibPath": "", - "cryptSharedLibRequired": true - } - - Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port that should be free. - -#. Use ``client_encrypted`` to insert the document ``{"unencrypted": "test"}`` into ``db.coll``. Expect this to succeed. - -#. Validate that mongocryptd was not spawned. Create a MongoClient to localhost:27021 (or whatever was passed via ``--port``) with serverSelectionTimeoutMS=1000. Run a handshake command and ensure it fails with a server selection timeout. - -.. note:: - - IMPORTANT: If crypt_shared_ is visible to the operating system's library - search mechanism, the expected server error generated by the - ``Via mongocryptdBypassSpawn``, ``Via bypassAutoEncryption``, ``Via bypassQueryAnalysis`` - tests will not appear because libmongocrypt will - load the ``crypt_shared`` library instead of consulting mongocryptd. For - the following tests, it is required that libmongocrypt *not* load ``crypt_shared``. - Refer to the client-side-encryption document for more information on - "disabling" ``crypt_shared``. Take into account that once loaded, - for example, by another test, - ``crypt_shared`` cannot be unloaded and may be used by ``MongoClient``, - thus making the tests misbehave in unexpected ways. - - -Via mongocryptdBypassSpawn -`````````````````````````` - -The following tests that setting ``mongocryptdBypassSpawn=true`` really does bypass spawning mongocryptd. - -#. Insert the document `external/external-key.json <../external/external-key.json>`_ into ``keyvault.datakeys`` with majority write concern. - This step is not required to run this test, and drivers MAY skip it. But if the driver misbehaves, - then not having the encryption fully set up may complicate the process of figuring out what is wrong. - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure the required options. Use the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure ``client_encrypted`` to use the schema `external/external-schema.json <../external/external-schema.json>`_ for ``db.coll`` by setting a schema map like: ``{ "db.coll": }`` - - Configure the following ``extraOptions``: - - .. code:: javascript - - { - "mongocryptdBypassSpawn": true - "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000", - "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"] - } - - Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port that should be free. - -#. Use ``client_encrypted`` to insert the document ``{"encrypted": "test"}`` into ``db.coll``. Expect a server selection error propagated from the internal MongoClient failing to connect to mongocryptd on port 27021. - -Via bypassAutoEncryption -```````````````````````` - -The following tests that setting ``bypassAutoEncryption=true`` really does bypass spawning mongocryptd. - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure the required options. Use the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure with ``bypassAutoEncryption=true``. - - Configure the following ``extraOptions``: - - .. code:: javascript - - { - "mongocryptdSpawnArgs": [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"] - } - - Drivers MAY pass a different value to ``--port`` if they expect their testing infrastructure to be using port 27021. Pass a port that should be free. - -#. Use ``client_encrypted`` to insert the document ``{"unencrypted": "test"}`` into ``db.coll``. Expect this to succeed. - -#. Validate that mongocryptd was not spawned. Create a MongoClient to localhost:27021 (or whatever was passed via ``--port``) with serverSelectionTimeoutMS=1000. Run a handshake command and ensure it fails with a server selection timeout. - -Via bypassQueryAnalysis -``````````````````````` - -Repeat the steps from the "Via bypassAutoEncryption" test, replacing "bypassAutoEncryption=true" with "bypassQueryAnalysis=true". - -9. Deadlock Tests -~~~~~~~~~~~~~~~~~ - -.. _Connection Monitoring and Pooling: /source/connection-monitoring-and-pooling/connection-monitoring-and-pooling.rst - -The following tests only apply to drivers that have implemented a connection pool (see the `Connection Monitoring and Pooling`_ specification). - -There are multiple parameterized test cases. Before each test case, perform the setup. - -Setup -````` - -Create a ``MongoClient`` for setup operations named ``client_test``. - -Create a ``MongoClient`` for key vault operations with ``maxPoolSize=1`` named ``client_keyvault``. Capture command started events. - -Using ``client_test``, drop the collections ``keyvault.datakeys`` and ``db.coll``. - -Insert the document `external/external-key.json <../external/external-key.json>`_ into ``keyvault.datakeys`` with majority write concern. - -Create a collection ``db.coll`` configured with a JSON schema `external/external-schema.json <../external/external-schema.json>`_ as the validator, like so: - -.. code:: typescript - - {"create": "coll", "validator": {"$jsonSchema": }} - -Create a ``ClientEncryption`` object, named ``client_encryption`` configured with: -- ``keyVaultClient``=``client_test`` -- ``keyVaultNamespace``="keyvault.datakeys" -- ``kmsProviders``=``{ "local": { "key": } }`` - -Use ``client_encryption`` to encrypt the value "string0" with ``algorithm``="AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" and ``keyAltName``="local". Store the result in a variable named ``ciphertext``. - -Proceed to run the test case. - -Each test case configures a ``MongoClient`` with automatic encryption (named ``client_encrypted``). - -Each test must assert the number of unique ``MongoClient``s created. This can be accomplished by capturing ``TopologyOpeningEvent``, or by checking command started events for a client identifier (not possible in all drivers). - -Running a test case -``````````````````` -- Create a ``MongoClient`` named ``client_encrypted`` configured as follows: - - Set ``AutoEncryptionOpts``: - - ``keyVaultNamespace="keyvault.datakeys"`` - - ``kmsProviders``=``{ "local": { "key": } }`` - - Append ``TestCase.AutoEncryptionOpts`` (defined below) - - Capture command started events. - - Set ``maxPoolSize=TestCase.MaxPoolSize`` -- If the testcase sets ``AutoEncryptionOpts.bypassAutoEncryption=true``: - - Use ``client_test`` to insert ``{ "_id": 0, "encrypted": }`` into ``db.coll``. -- Otherwise: - - Use ``client_encrypted`` to insert ``{ "_id": 0, "encrypted": "string0" }``. -- Use ``client_encrypted`` to run a ``findOne`` operation on ``db.coll``, with the filter ``{ "_id": 0 }``. -- Expect the result to be ``{ "_id": 0, "encrypted": "string0" }``. -- Check captured events against ``TestCase.Expectations``. -- Check the number of unique ``MongoClient``s created is equal to ``TestCase.ExpectedNumberOfClients``. - -Case 1 -`````` -- MaxPoolSize: 1 -- AutoEncryptionOpts: - - bypassAutoEncryption=false - - keyVaultClient=unset -- Expectations: - - Expect ``client_encrypted`` to have captured four ``CommandStartedEvent``: - - a listCollections to "db". - - a find on "keyvault". - - an insert on "db". - - a find on "db" -- ExpectedNumberOfClients: 2 - -Case 2 -`````` -- MaxPoolSize: 1 -- AutoEncryptionOpts: - - bypassAutoEncryption=false - - keyVaultClient=client_keyvault -- Expectations: - - Expect ``client_encrypted`` to have captured three ``CommandStartedEvent``: - - a listCollections to "db". - - an insert on "db". - - a find on "db" - - Expect ``client_keyvault`` to have captured one ``CommandStartedEvent``: - - a find on "keyvault". -- ExpectedNumberOfClients: 2 - -Case 3 -`````` -- MaxPoolSize: 1 -- AutoEncryptionOpts: - - bypassAutoEncryption=true - - keyVaultClient=unset -- Expectations: - - Expect ``client_encrypted`` to have captured three ``CommandStartedEvent``: - - a find on "db" - - a find on "keyvault". -- ExpectedNumberOfClients: 2 - -Case 4 -`````` -- MaxPoolSize: 1 -- AutoEncryptionOpts: - - bypassAutoEncryption=true - - keyVaultClient=client_keyvault -- Expectations: - - Expect ``client_encrypted`` to have captured two ``CommandStartedEvent``: - - a find on "db" - - Expect ``client_keyvault`` to have captured one ``CommandStartedEvent``: - - a find on "keyvault". -- ExpectedNumberOfClients: 1 - -Case 5 -`````` -Drivers that do not support an unlimited maximum pool size MUST skip this test. - -- MaxPoolSize: 0 -- AutoEncryptionOpts: - - bypassAutoEncryption=false - - keyVaultClient=unset -- Expectations: - - Expect ``client_encrypted`` to have captured five ``CommandStartedEvent``: - - a listCollections to "db". - - a listCollections to "keyvault". - - a find on "keyvault". - - an insert on "db". - - a find on "db" -- ExpectedNumberOfClients: 1 - -Case 6 -`````` -Drivers that do not support an unlimited maximum pool size MUST skip this test. - -- MaxPoolSize: 0 -- AutoEncryptionOpts: - - bypassAutoEncryption=false - - keyVaultClient=client_keyvault -- Expectations: - - Expect ``client_encrypted`` to have captured three ``CommandStartedEvent``: - - a listCollections to "db". - - an insert on "db". - - a find on "db" - - Expect ``client_keyvault`` to have captured one ``CommandStartedEvent``: - - a find on "keyvault". -- ExpectedNumberOfClients: 1 - -Case 7 -`````` -Drivers that do not support an unlimited maximum pool size MUST skip this test. - -- MaxPoolSize: 0 -- AutoEncryptionOpts: - - bypassAutoEncryption=true - - keyVaultClient=unset -- Expectations: - - Expect ``client_encrypted`` to have captured three ``CommandStartedEvent``: - - a find on "db" - - a find on "keyvault". -- ExpectedNumberOfClients: 1 - -Case 8 -`````` -Drivers that do not support an unlimited maximum pool size MUST skip this test. - -- MaxPoolSize: 0 -- AutoEncryptionOpts: - - bypassAutoEncryption=true - - keyVaultClient=client_keyvault -- Expectations: - - Expect ``client_encrypted`` to have captured two ``CommandStartedEvent``: - - a find on "db" - - Expect ``client_keyvault`` to have captured one ``CommandStartedEvent``: - - a find on "keyvault". -- ExpectedNumberOfClients: 1 - -10. KMS TLS Tests -~~~~~~~~~~~~~~~~~ - -.. _ca.pem: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem -.. _expired.pem: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/expired.pem -.. _wrong-host.pem: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/wrong-host.pem -.. _server.pem: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/server.pem -.. _client.pem: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/client.pem - -The following tests that connections to KMS servers with TLS verify peer certificates. - -The two tests below make use of mock KMS servers which can be run on Evergreen using `the mock KMS server script `_. -Drivers can set up their local Python enviroment for the mock KMS server by running `the virtualenv activation script `_. - -To start two mock KMS servers, one on port 9000 with `ca.pem`_ as a CA file and `expired.pem`_ as a cert file, and one on port 9001 with `ca.pem`_ as a CA file and `wrong-host.pem`_ as a cert file, -run the following commands from the ``.evergreen/csfle`` directory: - -.. code:: - - . ./activate_venv.sh - python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 9000 & - python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 9001 & - -Setup -````` - -For both tests, do the following: - -#. Start a ``mongod`` process with **server version 4.2.0 or later**. - -#. Create a ``MongoClient`` for key vault operations. - -#. Create a ``ClientEncryption`` object (referred to as ``client_encryption``) with ``keyVaultNamespace`` set to ``keyvault.datakeys``. - -Invalid KMS Certificate -``````````````````````` - -#. Start a mock KMS server on port 9000 with `ca.pem`_ as a CA file and `expired.pem`_ as a cert file. - -#. Call ``client_encryption.createDataKey()`` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - "region": "us-east-1", - "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:9000", - } - - Expect this to fail with an exception with a message referencing an expired certificate. This message will be language dependent. - In Python, this message is "certificate verify failed: certificate has expired". In Go, this message is - "certificate has expired or is not yet valid". If the language of implementation has a single, generic error message for - all certificate validation errors, drivers may inspect other fields of the error to verify its meaning. - -Invalid Hostname in KMS Certificate -``````````````````````````````````` - -#. Start a mock KMS server on port 9001 with `ca.pem`_ as a CA file and `wrong-host.pem`_ as a cert file. - -#. Call ``client_encryption.createDataKey()`` with "aws" as the provider and the following masterKey: - - .. code:: javascript - - { - "region": "us-east-1", - "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:9001", - } - - Expect this to fail with an exception with a message referencing an incorrect or unexpected host. This message will be language dependent. - In Python, this message is "certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'". In Go, this message - is "cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs". If the language of implementation has a single, generic - error message for all certificate validation errors, drivers may inspect other fields of the error to verify its meaning. - -11. KMS TLS Options Tests -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Setup -````` - -Start a ``mongod`` process with **server version 4.2.0 or later**. - -Four mock KMS server processes must be running: - -1. The mock `KMS HTTP server `_. - - Run on port 9000 with `ca.pem`_ as a CA file and `expired.pem`_ as a cert file. - - Example: - - .. code:: - - python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 9000 - -2. The mock `KMS HTTP server `_. - - Run on port 9001 with `ca.pem`_ as a CA file and `wrong-host.pem`_ as a cert file. - - Example: - - .. code:: - - python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 9001 - -3. The mock `KMS HTTP server `_. - - Run on port 9002 with `ca.pem`_ as a CA file and `server.pem`_ as a cert file. - - Run with the ``--require_client_cert`` option. - - Example: - - .. code:: - - python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 9002 --require_client_cert - - -4. The mock `KMS KMIP server `_. - -Create the following four ``ClientEncryption`` objects. - -Configure each with ``keyVaultNamespace`` set to ``keyvault.datakeys``, and a default MongoClient as the ``keyVaultClient``. - -1. Create a ``ClientEncryption`` object named ``client_encryption_no_client_cert`` with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "127.0.0.1:9002" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "127.0.0.1:9002" - }, - "kmip" { - "endpoint": "127.0.0.1:5698" - } - } - - Add TLS options for the ``aws``, ``azure``, ``gcp``, and - ``kmip`` providers to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `ca.pem`_. This MAY be configured system-wide. - -2. Create a ``ClientEncryption`` object named ``client_encryption_with_tls`` with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "127.0.0.1:9002" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "127.0.0.1:9002" - }, - "kmip" { - "endpoint": "127.0.0.1:5698" - } - } - - Add TLS options for the ``aws``, ``azure``, ``gcp``, and - ``kmip`` providers to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `ca.pem`_. This MAY be configured system-wide. - - ``tlsCertificateKeyFile`` (or equivalent) set to `client.pem`_ - -3. Create a ``ClientEncryption`` object named ``client_encryption_expired`` with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "127.0.0.1:9000" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "127.0.0.1:9000" - }, - "kmip" { - "endpoint": "127.0.0.1:9000" - } - } - - Add TLS options for the ``aws``, ``azure``, ``gcp``, and - ``kmip`` providers to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `ca.pem`_. This MAY be configured system-wide. - -4. Create a ``ClientEncryption`` object named ``client_encryption_invalid_hostname`` with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": , - "secretAccessKey": - }, - "azure": { - "tenantId": , - "clientId": , - "clientSecret": , - "identityPlatformEndpoint": "127.0.0.1:9001" - }, - "gcp": { - "email": , - "privateKey": , - "endpoint": "127.0.0.1:9001" - }, - "kmip" { - "endpoint": "127.0.0.1:9001" - } - } - - Add TLS options for the ``aws``, ``azure``, ``gcp``, and - ``kmip`` providers to use the following options: - - - ``tlsCAFile`` (or equivalent) set to `ca.pem`_. This MAY be configured system-wide. - -Case 1: AWS -``````````` - -Call `client_encryption_no_client_cert.createDataKey()` with "aws" as the provider and the -following masterKey: - -.. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - endpoint: "127.0.0.1:9002" - } - -Expect an error indicating TLS handshake failed. - -Call `client_encryption_with_tls.createDataKey()` with "aws" as the provider and the -following masterKey: - -.. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - endpoint: "127.0.0.1:9002" - } - -Expect an error from libmongocrypt with a message containing the string: "parse -error". This implies TLS handshake succeeded. - -Call `client_encryption_expired.createDataKey()` with "aws" as the provider and the -following masterKey: - -.. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - endpoint: "127.0.0.1:9000" - } - -Expect an error indicating TLS handshake failed due to an expired certificate. - -Call `client_encryption_invalid_hostname.createDataKey()` with "aws" as the provider and the -following masterKey: - -.. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - endpoint: "127.0.0.1:9001" - } - -Expect an error indicating TLS handshake failed due to an invalid hostname. - -Case 2: Azure -````````````` - -Call `client_encryption_no_client_cert.createDataKey()` with "azure" as the provider and the -following masterKey: - -.. code:: javascript - - { 'keyVaultEndpoint': 'doesnotexist.local', 'keyName': 'foo' } - -Expect an error indicating TLS handshake failed. - -Call `client_encryption_with_tls.createDataKey()` with "azure" as the provider -and the same masterKey. - -Expect an error from libmongocrypt with a message containing the string: "HTTP -status=404". This implies TLS handshake succeeded. - -Call `client_encryption_expired.createDataKey()` with "azure" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an expired certificate. - -Call `client_encryption_invalid_hostname.createDataKey()` with "azure" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an invalid hostname. - -Case 3: GCP -``````````` - -Call `client_encryption_no_client_cert.createDataKey()` with "gcp" as the provider and the -following masterKey: - -.. code:: javascript - - { 'projectId': 'foo', 'location': 'bar', 'keyRing': 'baz', 'keyName': 'foo' } - -Expect an error indicating TLS handshake failed. - -Call `client_encryption_with_tls.createDataKey()` with "gcp" as the provider and -the same masterKey. - -Expect an error from libmongocrypt with a message containing the string: "HTTP -status=404". This implies TLS handshake succeeded. - -Call `client_encryption_expired.createDataKey()` with "gcp" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an expired certificate. - -Call `client_encryption_invalid_hostname.createDataKey()` with "gcp" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an invalid hostname. - -Case 4: KMIP -```````````` - -Call `client_encryption_no_client_cert.createDataKey()` with "kmip" as the provider and the -following masterKey: - -.. code:: javascript - - { } - -Expect an error indicating TLS handshake failed. - -Call `client_encryption_with_tls.createDataKey()` with "kmip" as the provider -and the same masterKey. - -Expect success. - -Call `client_encryption_expired.createDataKey()` with "kmip" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an expired certificate. - -Call `client_encryption_invalid_hostname.createDataKey()` with "kmip" as the provider and -the same masterKey. - -Expect an error indicating TLS handshake failed due to an invalid hostname. - -Case 5: `tlsDisableOCSPEndpointCheck` is permitted -`````````````````````````````````````````````````` - -This test does not apply if the driver does not support the the option ``tlsDisableOCSPEndpointCheck``. - -Create a ``ClientEncryption`` object with the following KMS providers: - - .. code:: javascript - - { - "aws": { - "accessKeyId": "foo", - "secretAccessKey": "bar" - } - } - - Add TLS options for the ``aws`` with the following options: - - - ``tlsDisableOCSPEndpointCheck`` (or equivalent) set to ``true``. - -Expect no error on construction. - - -12. Explicit Encryption -~~~~~~~~~~~~~~~~~~~~~~~ - -The Explicit Encryption tests require MongoDB server 7.0+. The tests must not run against a standalone. - -.. note:: - MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. - libmongocrypt 1.8.0 is configured to use the QEv2 protocol. - -Before running each of the following test cases, perform the following Test Setup. - -Test Setup -`````````` - -Load the file `encryptedFields.json `_ as ``encryptedFields``. - -Load the file `key1-document.json `_ as ``key1Document``. - -Read the ``"_id"`` field of ``key1Document`` as ``key1ID``. - -Drop and create the collection ``db.explicit_encryption`` using ``encryptedFields`` as an option. See `FLE 2 CreateCollection() and Collection.Drop() `_. - -Drop and create the collection ``keyvault.datakeys``. - -Insert ``key1Document`` in ``keyvault.datakeys`` with majority write concern. - -Create a MongoClient named ``keyVaultClient``. - -Create a ClientEncryption object named ``clientEncryption`` with these options: - -.. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - } - -Create a MongoClient named ``encryptedClient`` with these ``AutoEncryptionOpts``: - -.. code:: typescript - - class AutoEncryptionOpts { - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - bypassQueryAnalysis: true, - } - - -Case 1: can insert encrypted indexed and find -````````````````````````````````````````````` - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - contentionFactor: 0, - } - -Store the result in ``insertPayload``. - -Use ``encryptedClient`` to insert the document ``{ "encryptedIndexed": }`` into ``db.explicit_encryption``. - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - queryType: "equality", - contentionFactor: 0, - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``{ "encryptedIndexed": }``. - -Assert one document is returned containing the field ``{ "encryptedIndexed": "encrypted indexed value" }``. - -Case 2: can insert encrypted indexed and find with non-zero contention -``````````````````````````````````````````````````````````````````````` - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - contentionFactor: 10, - } - -Store the result in ``insertPayload``. - -Use ``encryptedClient`` to insert the document ``{ "encryptedIndexed": }`` into ``db.explicit_encryption``. - -Repeat the above steps 10 times to insert 10 total documents. The ``insertPayload`` must be regenerated each iteration. - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - queryType: "equality", - contentionFactor: 0, - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``{ "encryptedIndexed": }``. - -Assert less than 10 documents are returned. 0 documents may be returned. Assert each returned document contains the field ``{ "encryptedIndexed": "encrypted indexed value" }``. - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - queryType: "equality", - contentionFactor: 10, - } - -Store the result in ``findPayload2``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``{ "encryptedIndexed": }``. - -Assert 10 documents are returned. Assert each returned document contains the field ``{ "encryptedIndexed": "encrypted indexed value" }``. - -Case 3: can insert encrypted unindexed -`````````````````````````````````````` - -Use ``clientEncryption`` to encrypt the value "encrypted unindexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Unindexed", - } - -Store the result in ``insertPayload``. - -Use ``encryptedClient`` to insert the document ``{ "_id": 1, "encryptedUnindexed": }`` into ``db.explicit_encryption``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``{ "_id": 1 }``. - -Assert one document is returned containing the field ``{ "encryptedUnindexed": "encrypted unindexed value" }``. - -Case 4: can roundtrip encrypted indexed -``````````````````````````````````````` - -Use ``clientEncryption`` to encrypt the value "encrypted indexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Indexed", - contentionFactor: 0, - } - -Store the result in ``payload``. - -Use ``clientEncryption`` to decrypt ``payload``. Assert the returned value equals "encrypted indexed value". - -Case 5: can roundtrip encrypted unindexed -````````````````````````````````````````` - -Use ``clientEncryption`` to encrypt the value "encrypted unindexed value" with these ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "Unindexed", - } - -Store the result in ``payload``. - -Use ``clientEncryption`` to decrypt ``payload``. Assert the returned value equals "encrypted unindexed value". - -13. Unique Index on keyAltNames -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following setup must occur before running each of the following test cases. - -Setup -````` - -1. Create a ``MongoClient`` object (referred to as ``client``). - -2. Using ``client``, drop the collection ``keyvault.datakeys``. - -3. Using ``client``, create a unique index on ``keyAltNames`` with a partial index filter for only documents where ``keyAltNames`` exists using writeConcern "majority". - -The command should be equivalent to: - -.. code:: typescript - - db.runCommand( - { - createIndexes: "datakeys", - indexes: [ - { - name: "keyAltNames_1", - key: { "keyAltNames": 1 }, - unique: true, - partialFilterExpression: { keyAltNames: { $exists: true } } - } - ], - writeConcern: { w: "majority" } - } - ) - -4. Create a ``ClientEncryption`` object (referred to as ``client_encryption``) with ``client`` set as the ``keyVaultClient``. - -5. Using ``client_encryption``, create a data key with a ``local`` KMS provider and the keyAltName "def". - -Case 1: createDataKey() -``````````````````````` - -1. Use ``client_encryption`` to create a new local data key with a keyAltName "abc" and assert the operation does not fail. - -2. Repeat Step 1 and assert the operation fails due to a duplicate key server error (error code 11000). - -3. Use ``client_encryption`` to create a new local data key with a keyAltName "def" and assert the operation fails due to a duplicate key server error (error code 11000). - -Case 2: addKeyAltName() -``````````````````````` - -1. Use ``client_encryption`` to create a new local data key and assert the operation does not fail. - -2. Use ``client_encryption`` to add a keyAltName "abc" to the key created in Step 1 and assert the operation does not fail. - -3. Repeat Step 2, assert the operation does not fail, and assert the returned key document contains the keyAltName "abc" added in Step 2. - -4. Use ``client_encryption`` to add a keyAltName "def" to the key created in Step 1 and assert the operation fails due to a duplicate key server error (error code 11000). - -5. Use ``client_encryption`` to add a keyAltName "def" to the existing key, assert the operation does not fail, and assert the returned key document contains the keyAltName "def" added during Setup. - -14. Decryption Events -~~~~~~~~~~~~~~~~~~~~~ - -Before running each of the following test cases, perform the following Test Setup. - -Test Setup -`````````` - -Create a MongoClient named ``setupClient``. - -Drop and create the collection ``db.decryption_events``. - -Create a ClientEncryption object named ``clientEncryption`` with these options: - -.. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - } - -Create a data key with the "local" KMS provider. Storing the result in a variable named ``keyID``. - -Use ``clientEncryption`` to encrypt the string "hello" with the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId: , - algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", - } - -Store the result in a variable named ``ciphertext``. - -Copy ``ciphertext`` into a variable named ``malformedCiphertext``. Change the -last byte to a different value. This will produce an invalid HMAC tag. - -Create a MongoClient named ``encryptedClient`` with these ``AutoEncryptionOpts``: - -.. code:: typescript - - class AutoEncryptionOpts { - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - } - -Configure ``encryptedClient`` with "retryReads=false". -Register a listener for CommandSucceeded events on ``encryptedClient``. -The listener must store the most recent ``CommandSucceededEvent`` reply for the "aggregate" command. -The listener must store the most recent ``CommandFailedEvent`` error for the "aggregate" command. - -Case 1: Command Error -````````````````````` - -Use ``setupClient`` to configure the following failpoint: - -.. code:: typescript - - { - "configureFailPoint": "failCommand", - "mode": { - "times": 1 - }, - "data": { - "errorCode": 123, - "failCommands": [ - "aggregate" - ] - } - } - -Use ``encryptedClient`` to run an aggregate on ``db.decryption_events``. - -Expect an exception to be thrown from the command error. Expect a ``CommandFailedEvent``. - -Case 2: Network Error -````````````````````` - -Use ``setupClient`` to configure the following failpoint: - -.. code:: typescript - - { - "configureFailPoint": "failCommand", - "mode": { - "times": 1 - }, - "data": { - "errorCode": 123, - "closeConnection": true, - "failCommands": [ - "aggregate" - ] - } - } - -Use ``encryptedClient`` to run an aggregate on ``db.decryption_events``. - -Expect an exception to be thrown from the network error. Expect a ``CommandFailedEvent``. - -Case 3: Decrypt Error -````````````````````` - -Use ``encryptedClient`` to insert the document ``{ "encrypted": }`` into ``db.decryption_events``. - -Use ``encryptedClient`` to run an aggregate on ``db.decryption_events`` with an empty pipeline. - -Expect an exception to be thrown from the decryption error. -Expect a ``CommandSucceededEvent``. Expect the ``CommandSucceededEvent.reply`` to contain BSON binary for the field ``cursor.firstBatch.encrypted``. - -Case 4: Decrypt Success -``````````````````````` - -Use ``encryptedClient`` to insert the document ``{ "encrypted": }`` into ``db.decryption_events``. - -Use ``encryptedClient`` to run an aggregate on ``db.decryption_events`` with an empty pipeline. - -Expect no exception. -Expect a ``CommandSucceededEvent``. Expect the ``CommandSucceededEvent.reply`` to contain BSON binary for the field ``cursor.firstBatch.encrypted``. - - -15. On-demand AWS Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -These tests require valid AWS credentials. Refer: `Automatic AWS Credentials`_. - -For these cases, create a ClientEncryption_ object :math:`C` with the following -options: - -.. code-block:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "aws": {} }, - } - -Case 1: Failure -``````````````` - -Do not run this test case in an environment where AWS credentials are available -(e.g. via environment variables or a metadata URL). (Refer: -`Obtaining credentials for AWS `_) - -Attempt to create a datakey with :math:`C` using the ``"aws"`` KMS provider. -Expect this to fail due to a lack of KMS provider credentials. - -Case 2: Success -``````````````` - -For this test case, the environment variables ``AWS_ACCESS_KEY_ID`` and -``AWS_SECRET_ACCESS_KEY`` must be defined and set to a valid set of AWS -credentials. - -Use the client encryption to create a datakey using the ``"aws"`` KMS provider. -This should successfully load and use the AWS credentials that were defined in -the environment. - -.. _Automatic AWS Credentials: ../client-side-encryption.rst#automatic-aws-credentials -.. _ClientEncryption: ../client-side-encryption.rst#clientencryption -.. _auth-aws: ../../auth/auth.rst#obtaining-credentials - -16. Rewrap -~~~~~~~~~~ - -Case 1: Rewrap with separate ClientEncryption -````````````````````````````````````````````` - -When the following test case requests setting ``masterKey``, use the following values based on the KMS provider: - -For "aws": - -.. code:: javascript - - { - "region": "us-east-1", - "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - } - -For "azure": - -.. code:: javascript - - { - "keyVaultEndpoint": "key-vault-csfle.vault.azure.net", - "keyName": "key-name-csfle" - } - -For "gcp": - -.. code:: javascript - - { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle" - } - -For "kmip": - -.. code:: javascript - - {} - -For "local", do not set a masterKey document. - -Run the following test case for each pair of KMS providers (referred to as ``srcProvider`` and ``dstProvider``). -Include pairs where ``srcProvider`` equals ``dstProvider``. - -1. Drop the collection ``keyvault.datakeys``. - -2. Create a ``ClientEncryption`` object named ``clientEncryption1`` with these options: - - .. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: , - } - -3. Call ``clientEncryption1.createDataKey`` with ``srcProvider`` and these options: - - .. code:: typescript - - class DataKeyOpts { - masterKey: , - } - - Store the return value in ``keyID``. - -4. Call ``clientEncryption1.encrypt`` with the value "test" and these options: - - .. code:: typescript - - class EncryptOpts { - keyId : keyID, - algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", - } - - Store the return value in ``ciphertext``. - -5. Create a ``ClientEncryption`` object named ``clientEncryption2`` with these options: - - .. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: , - } - -6. Call ``clientEncryption2.rewrapManyDataKey`` with an empty ``filter`` and these options: - - .. code:: typescript - - class RewrapManyDataKeyOpts { - provider: dstProvider, - masterKey: , - } - - Assert that the returned ``RewrapManyDataKeyResult.bulkWriteResult.modifiedCount`` is 1. - -7. Call ``clientEncryption1.decrypt`` with the ``ciphertext``. Assert the return value is "test". - -8. Call ``clientEncryption2.decrypt`` with the ``ciphertext``. Assert the return value is "test". - -Case 2: RewrapManyDataKeyOpts.provider is not optional -````````````````````````````````````````````````````````````````````````` - -Drivers MAY chose not to implement this prose test if their implementation of ``RewrapManyDataKeyOpts`` makes it impossible by design to omit ``RewrapManyDataKeyOpts.provider`` when ``RewrapManyDataKeyOpts.masterKey`` is set. - -1. Create a ``ClientEncryption`` object named ``clientEncryption`` with these options: - - .. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: , - } - -2. Call ``clientEncryption.rewrapManyDataKey`` with an empty ``filter`` and these options: - - .. code:: typescript - - class RewrapManyDataKeyOpts { - masterKey: {} - } - - Assert that `clientEncryption.rewrapManyDataKey` raises a client error indicating that the required ``RewrapManyDataKeyOpts.provider`` field is missing. - -17. On-demand GCP Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Refer: `Automatic GCP Credentials`_. - -For these cases, create a ClientEncryption_ object :math:`C` with the following -options: - -.. code-block:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "gcp": {} }, - } - -Case 1: Failure -``````````````` - -Do not run this test case in an environment with a GCP service account is -attached (e.g. any `GCE equivalent runtime -`_). This may be run in an AWS EC2 instance. - -Attempt to create a datakey with :math:`C` using the ``"gcp"`` KMS provider and -following ``DataKeyOpts``: - -.. code-block:: typescript - - class DataKeyOpts { - masterKey: { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle", - } - } - -Expect the attempt to obtain ``"gcp"`` credentials from the environment to fail. - -Case 2: Success -``````````````` - -This test case must run in a Google Compute Engine (GCE) Virtual Machine with a -service account attached. See `drivers-evergreen-tools/.evergreen/csfle/gcpkms -`_ -for scripts to create a GCE instance for testing. The Evergreen task SHOULD set a -``batchtime`` of 14 days to reduce how often this test case runs. - -Attempt to create a datakey with :math:`C` using the ``"gcp"`` KMS provider and -following ``DataKeyOpts``: - -.. code-block:: typescript - - class DataKeyOpts { - masterKey: { - "projectId": "devprod-drivers", - "location": "global", - "keyRing": "key-ring-csfle", - "keyName": "key-name-csfle", - } - } - -This should successfully load and use the GCP credentials of the service account -attached to the virtual machine. - -Expect the key to be successfully created. - -.. _Automatic GCP Credentials: ../client-side-encryption.rst#automatic-gcp-credentials - - -18. Azure IMDS Credentials -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Refer: `Automatic Azure Credentials `_ - -.. _auto-azure: ../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault - -The test cases for IMDS communication are specially designed to not require an -Azure environment, while still exercising the core of the functionality. The -design of these test cases encourages an implementation to separate the concerns -of IMDS communication from the logic of KMS key manipulation. The purpose of -these test cases is to ensure drivers will behave appropriately regardless of -the behavior of the IMDS server. - -For these IMDS credentials tests, a simple stand-in IMDS-imitating HTTP server -is available in drivers-evergreen-tools, at ``.evergreen/csfle/fake_azure.py``. -``fake_azure.py`` is a very simple ``bottle.py`` application. For the easiest -use, it is recommended to execute it through ``bottle.py`` (which is a sibling -file in the same directory):: - - python .evergreen/csfle/bottle.py fake_azure:imds - -This will run the ``imds`` Bottle application defined in the ``fake_azure`` -Python module. ``bottle.py`` accepts additional command line arguments to -control the bind host and TCP port (use ``--help`` for more information). - -For each test case, follow the process for obtaining the token as outlined in -the `automatic Azure credentials section `_ with the following -changes: - -1. Instead of the standard IMDS TCP endpoint of `169.254.169.254:80`, - communicate with the running ``fake_azure`` HTTP server. - -2. For each test case, the behavior of the server may be controlled by attaching - an additional HTTP header to the sent request: ``X-MongoDB-HTTP-TestParams``. - - -Case 1: Success -``````````````` - -Do not set an ``X-MongoDB-HTTP-TestParams`` header. - -Upon receiving a response from ``fake_azure``, the driver must decode the -following information: - -1. HTTP status will be ``200 Okay``. -2. The HTTP body will be a valid JSON string. -3. The access token will be the string ``"magic-cookie"``. -4. The expiry duration of the token will be seventy seconds. -5. The token will have a resource of ``"https://vault.azure.net"`` - - -Case 2: Empty JSON -`````````````````` - -This case addresses a server returning valid JSON with invalid content. - -Set ``X-MongoDB-HTTP-TestParams`` to ``case=empty-json``. - -Upon receiving a response: - -1. HTTP status will be ``200 Okay`` -2. The HTTP body will be a valid JSON string. -3. There will be no access token, expiry duration, or resource. - -The test case should ensure that this error condition is handled gracefully. - - -Case 3: Bad JSON -```````````````` - -This case addresses a server returning malformed JSON. - -Set ``X-MongoDB-HTTP-TestParams`` to ``case=bad-json``. - -Upon receiving a response: - -1. HTTP status will be ``200 Okay`` -2. The response body will contain a malformed JSON string. - -The test case should ensure that this error condition is handled gracefully. - - -Case 4: HTTP 404 -```````````````` - -This case addresses a server returning a "Not Found" response. This is -documented to occur spuriously within an Azure environment. - -Set ``X-MongoDB-HTTP-TestParams`` to ``case=404``. - -Upon receiving a response: - -1. HTTP status will be ``404 Not Found``. -2. The response body is unspecified. - -The test case should ensure that this error condition is handled gracefully. - - -Case 5: HTTP 500 -```````````````` - -This case addresses an IMDS server reporting an internal error. This is -documented to occur spuriously within an Azure environment. - -Set ``X-MongoDB-HTTP-TestParams`` to ``case=500``. - -Upon receiving a response: - -1. HTTP status code will be ``500``. -2. The response body is unspecified. - -The test case should ensure that this error condition is handled gracefully. - - -Case 6: Slow Response -````````````````````` - -This case addresses an IMDS server responding very slowly. Drivers should not -halt the application waiting on a peer to communicate. - -Set ``X-MongoDB-HTTP-TestParams`` to ``case=slow``. - -The HTTP response from the ``fake_azure`` server will take at least 1000 seconds -to complete. The request should fail with a timeout. - -19. Azure IMDS Credentials Integration Test -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Refer: `Automatic Azure Credentials `_ - -.. _auto-azure: ../client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault - -For these cases, create a ClientEncryption_ object :math:`C` with the following -options: - -.. code-block:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "azure": {} }, - } - -Case 1: Failure -``````````````` - -Do not run this test case in an Azure environment with an attached identity. -This may be run in an AWS EC2 instance. - -Attempt to create a datakey with :math:`C` using the ``"azure"`` KMS provider and -following ``DataKeyOpts``: - -.. code-block:: typescript - - class DataKeyOpts { - masterKey: { - "keyVaultEndpoint": "https://keyvault-drivers-2411.vault.azure.net/keys/", - "keyName": "KEY-NAME", - } - } - -Expect the attempt to obtain ``"azure"`` credentials from the environment to fail. - -Case 2: Success -``````````````` - -This test case must run in an Azure environment with an attached identity. -See `drivers-evergreen-tools/.evergreen/csfle/azurekms -`_ -for scripts to create a Azure instance for testing. The Evergreen task SHOULD set a -``batchtime`` of 14 days to reduce how often this test case runs. - -Attempt to create a datakey with :math:`C` using the ``"azure"`` KMS provider and -following ``DataKeyOpts``: - -.. code-block:: typescript - - class DataKeyOpts { - masterKey: { - "keyVaultEndpoint": "https://keyvault-drivers-2411.vault.azure.net/keys/", - "keyName": "KEY-NAME", - } - } - -This should successfully load and use the Azure credentials of the service account -attached to the virtual machine. - -Expect the key to be successfully created. - -20. Bypass creating mongocryptd client when shared library is loaded -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - - IMPORTANT: If crypt_shared_ is not visible to the operating system's library - search mechanism, this test should be skipped. - - -The following tests that a mongocryptd client is not created when shared library is in-use. - -#. Start a new thread (referred to as ``listenerThread``) - -#. On ``listenerThread``, create a TcpListener on 127.0.0.1 endpoint and port 27021. Start the listener and wait for establishing connections. - If any connection is established, then signal about this to the main thread. - - Drivers MAY pass a different port if they expect their testing infrastructure to be using port 27021. Pass a port that should be free. - -#. Create a MongoClient configured with auto encryption (referred to as ``client_encrypted``) - - Configure the required options. Use the ``local`` KMS provider as follows: - - .. code:: javascript - - { "local": { "key": } } - - Configure with the ``keyVaultNamespace`` set to ``keyvault.datakeys``. - - Configure the following ``extraOptions``: - - .. code:: javascript - - { - "mongocryptdURI": "mongodb://localhost:27021/?serverSelectionTimeoutMS=1000" - } - -#. Use ``client_encrypted`` to insert the document ``{"unencrypted": "test"}`` into ``db.coll``. - -#. Expect no signal from ``listenerThread``. - - - -21. Automatic Data Encryption Keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Automatic Data Encryption Keys tests require MongoDB server 7.0+. The tests must not run against a standalone. - -.. note:: - MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. - libmongocrypt 1.8.0 is configured to use the QEv2 protocol. - -For each of the following test cases, assume `DB` is a valid open database -handle, and assume a ClientEncryption_ object `CE` created using the following -options:: - - clientEncryptionOptions: { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { - local: { key: base64Decode(LOCAL_MASTERKEY) }, - aws: { - accessKeyId: , - secretAccessKey: - }, - }, - } - -Run each test case with each of these KMS providers: ``aws``, ``local``. The KMS provider name is referred to as ``kmsProvider``. -When testing ``aws``, use the following as the ``masterKey`` option: - -.. code:: javascript - - { - region: "us-east-1", - key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" - } - -When testing ``local``, set ``masterKey`` to ``null``. - -Case 1: Simple Creation and Validation -`````````````````````````````````````` - -This test is the most basic to verify that CreateEncryptedCollection_ created a -collection with queryable encryption enabled. It verifies that the server -rejects an attempt to insert plaintext in an encrypted fields. - -.. _CreateEncryptedCollection: ../client-side-encryption.rst#create-encrypted-collection-helper -.. _MongoClient: ../client-side-encryption.rst#mongoclient-changes - -.. highlight:: typescript -.. default-role:: math - -1. Create a new create-collection options `Opts` including the following:: - - { - encryptedFields: { - fields: [{ - path: "ssn", - bsonType: "string", - keyId: null - }] - } - } - -2. Invoke `CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)` - to obtain a new collection `Coll`. Expect success. -3. Attempt to insert the following document into `Coll`:: - - { - ssn: "123-45-6789" - } - -4. Expect an error from the insert operation that indicates that the document - failed validation. This error indicates that the server expects to receive an - encrypted field for ``ssn``, but we tried to insert a plaintext field via a - client that is unaware of the encryption requirements. - - -Case 2: Missing ``encryptedFields`` -``````````````````````````````````` - -The CreateEncryptedCollection_ helper should not create a regular collection if -there are no ``encryptedFields`` for the collection being created. Instead, it -should generate an error indicated that the ``encryptedFields`` option is -missing. - -1. Create a new empty create-collection options `Opts`. (i.e. it must not - contain any ``encryptedFields`` options.) -2. Invoke `CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)`. -3. Expect the invocation to fail with an error indicating that - ``encryptedFields`` is not defined for the collection, and expect that no - collection was created within the database. It would be *incorrect* for - CreateEncryptedCollection_ to create a regular collection without queryable - encryption enabled. - - -Case 3: Invalid ``keyId`` -````````````````````````` - -The CreateEncryptedCollection_ helper only inspects ``encryptedFields.fields`` -for ``keyId`` of ``null``. CreateEncryptedCollection_ should forward all other -data as-is, even if it would be malformed. The server should generate an error -when attempting to create a collection with such invalid settings. - -.. note:: - - This test is not required if the type system of the driver has a compile-time - check that fields' ``keyId``\ s are of the correct type. - -1. Create a new create-collection options `Opts` including the following:: - - { - encryptedFields: { - fields: [{ - path: "ssn", - bsonType: "string", - keyId: false, - }] - } - } - -2. Invoke `CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)`. -3. Expect an error from the server indicating a validation error at - ``create.encryptedFields.fields.keyId``, which must be a UUID and not a - boolean value. - -Case 4: Insert encrypted value -`````````````````````````````` - -This test is continuation of the case 1 and provides a way to complete inserting -with encrypted value. - -1. Create a new create-collection options `Opts` including the following:: - - { - encryptedFields: { - fields: [{ - path: "ssn", - bsonType: "string", - keyId: null - }] - } - } - -2. Invoke `CreateEncryptedCollection(CE, DB, "testing1", Opts, kmsProvider, masterKey)` - to obtain a new collection `Coll` and data key `key1`. Expect success. -3. Use `CE` to explicitly encrypt the string "123-45-6789" using - algorithm `Unindexed` and data key `key1`. Refer result as `encryptedPayload`. -4. Attempt to insert the following document into `Coll`:: - - { - ssn: - } - - Expect success. - -22. Range Explicit Encryption -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Range Explicit Encryption tests require MongoDB server 7.0+. The tests must not run against a standalone. - -.. note:: - MongoDB Server 7.0 introduced a backwards breaking change to the Queryable Encryption (QE) protocol: QEv2. - libmongocrypt 1.8.0 is configured to use the QEv2 protocol. - -Each of the following test cases must pass for each of the supported types (``DecimalNoPrecision``, ``DecimalPrecision``, ``DoublePrecision``, ``DoubleNoPrecision``, ``Date``, ``Int``, and ``Long``), unless it is stated the type should be skipped. - -Tests for ``DecimalNoPrecision`` must only run against a replica set. ``DecimalNoPrecision`` queries are expected to take a long time and may exceed the default mongos timeout. - -Before running each of the following test cases, perform the following Test Setup. - -Test Setup -`````````` -Load the file for the specific data type being tested ``range-encryptedFields-.json``. For example, for ``Int`` load `range-encryptedFields-Int.json `_ as ``encryptedFields``. - -Load the file `key1-document.json `_ as ``key1Document``. - -Read the ``"_id"`` field of ``key1Document`` as ``key1ID``. - -Drop and create the collection ``db.explicit_encryption`` using ``encryptedFields`` as an option. See `FLE 2 CreateCollection() and Collection.Drop() `_. - -Drop and create the collection ``keyvault.datakeys``. - -Insert ``key1Document`` in ``keyvault.datakeys`` with majority write concern. - -Create a MongoClient named ``keyVaultClient``. - -Create a ClientEncryption object named ``clientEncryption`` with these options: - -.. code:: typescript - - class ClientEncryptionOpts { - keyVaultClient: , - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - } - -Create a MongoClient named ``encryptedClient`` with these ``AutoEncryptionOpts``: - -.. code:: typescript - - class AutoEncryptionOpts { - keyVaultNamespace: "keyvault.datakeys", - kmsProviders: { "local": { "key": } }, - bypassQueryAnalysis: true, - } - -The remaining tasks require setting ``RangeOpts``. `Test Setup: RangeOpts`_ lists the values to use for ``RangeOpts`` for each of the supported data types. - -Use ``clientEncryption`` to encrypt these values: 0, 6, 30, and 200. Ensure the type matches that of the encrypted field. For example, if the encrypted field is ``encryptedDoubleNoPrecision`` encrypt the value 6.0. - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Use ``encryptedClient`` to insert the following documents into ``db.explicit_encryption``: - -.. code:: javascript - - { "_id": 0, "encrypted": } - { "_id": 1, "encrypted": } - { "_id": 2, "encrypted": } - { "_id": 3, "encrypted": } - - -Test Setup: RangeOpts -````````````````````` -This section lists the values to use for ``RangeOpts`` for each of the supported data types, since each data type requires a different ``RangeOpts``. - -Each test listed in the cases below must pass for all supported data types unless it is stated the type should be skipped. - -#. DecimalNoPrecision - - .. code:: typescript - - class RangeOpts { - sparsity: 1, - } - -#. DecimalPrecision - - .. code:: typescript - - class RangeOpts { - min: { "$numberDecimal": "0" }, - max: { "$numberDecimal": "200" }, - sparsity: 1, - precision: 2, - } - -#. DoubleNoPrecision - - .. code:: typescript - - class RangeOpts { - sparsity: 1, - } - -#. DoublePrecision - - .. code:: typescript - - class RangeOpts { - min: { "$numberDouble": "0" }, - max: { "$numberDouble": "200" }, - sparsity: 1, - precision: 2, - } - -#. Date - - .. code:: typescript - - class RangeOpts { - min: {"$date": { "$numberLong": "0" } } , - max: {"$date": { "$numberLong": "200" } }, - sparsity: 1, - } - -#. Int - - .. code:: typescript - - class RangeOpts { - min: {"$numberInt": "0" } , - max: {"$numberInt": "200" }, - sparsity: 1, - } - -#. Long - - .. code:: typescript - - class RangeOpts { - min: {"$numberLong": "0" } , - max: {"$numberLong": "200" }, - sparsity: 1, - } - -Case 1: can decrypt a payload -````````````````````````````` -Use ``clientEncryption.encrypt()`` to encrypt the value 6. Ensure the type matches that of the encrypted field. For example, if the encrypted field is ``encryptedLong`` encrypt a BSON int64 type, not a BSON int32 type. - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Store the result in ``insertPayload``. - -Use ``clientEncryption`` to decrypt ``insertPayload``. Assert the returned value equals 6 and has the expected type. - -.. note:: - - The type returned by ``clientEncryption.decrypt()`` may differ from the input type to ``clientEncryption.encrypt()`` depending on how the driver unmarshals BSON numerics to language native types. - Example: a driver may unmarshal a BSON int64 to a numeric type that does not distinguish between int64 and int32. - - -Case 2: can find encrypted range and return the maximum -``````````````````````````````````````````````````````` -Use ``clientEncryption.encryptExpression()`` to encrypt this query: - -.. code:: javascript - - // Convert 6 and 200 to the encrypted field type - { "$and": [ { "encrypted": { "$gte": 6 } }, { "encrypted": { "$lte": 200 } } ] } - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - queryType: "rangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``findPayload`` and sort the results by ``_id``. - -Assert the following three documents are returned: - -.. code:: javascript - - // Convert 6, 30, and 200 to the encrypted field type - { "_id": 1, "encrypted": 6 } - { "_id": 2, "encrypted": 30 } - { "_id": 3, "encrypted": 200 } - - -Case 3: can find encrypted range and return the minimum -``````````````````````````````````````````````````````` -Use ``clientEncryption.encryptExpression()`` to encrypt this query: - -.. code:: javascript - - // Convert 0 and 6 to the encrypted field type - { "$and": [ { "encrypted": { "$gte": 0 } }, { "encrypted": { "$lte": 6 } } ] } - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - queryType: "rangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``findPayload`` and sort the results by ``_id``. - -Assert the following two documents are returned: - -.. code:: javascript - - // Convert 0 and 6 to the encrypted field type - { "_id": 0, "encrypted": 0 } - { "_id": 1, "encrypted": 6 } - - -Case 4: can find encrypted range with an open range query -````````````````````````````````````````````````````````` -Use ``clientEncryption.encryptExpression()`` to encrypt this query: - -.. code:: javascript - - // Convert 30 to the encrypted field type - { "$and": [ { "encrypted": { "$gt": 30 } } ] } - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - queryType: "rangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``findPayload`` and sort the results by ``_id``. - -Assert the following document is returned: - -.. code:: javascript - - // Convert 200 to the encrypted field type - { "_id": 3, "encrypted": 200 } - - -Case 5: can run an aggregation expression inside $expr -`````````````````````````````````````````````````````` -Use ``clientEncryption.encryptExpression()`` to encrypt this query: - -.. code:: javascript - - // Convert 30 to the encrypted field type - { "$and": [ { "$lt": [ "$encrypted", 30 ] } ] } } - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - queryType: "rangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Store the result in ``findPayload``. - -Use ``encryptedClient`` to run a "find" operation on the ``db.explicit_encryption`` collection with the filter ``{ "$expr": }`` and sort the results by ``_id``. - -Assert the following two documents are returned: - -.. code:: javascript - - // Convert 0 and 6 to the encrypted field type - { "_id": 0, "encrypted": 0 } - { "_id": 1, "encrypted": 6 } - - -Case 6: encrypting a document greater than the maximum errors -````````````````````````````````````````````````````````````` -This test case should be skipped if the encrypted field is ``encryptedDoubleNoPrecision`` or ``encryptedDecimalNoPrecision``. - -Use ``clientEncryption.encrypt()`` to encrypt the value 201. Ensure the type matches that of the encrypted field. - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Assert that an error was raised because 201 is greater than the maximum value in ``RangeOpts``. - - -Case 7: encrypting a value of a different type errors -````````````````````````````````````````````````````` -This test case should be skipped if the encrypted field is ``encryptedDoubleNoPrecision`` or ``encryptedDecimalNoPrecision``. - -Use ``clientEncryption.encrypt()`` to encrypt the value 6 with a type that does not match that of the encrypted field. - -If the encrypted field is ``encryptedInt`` use a BSON double type. Otherwise, use a BSON int32 type. - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Ensure that ``RangeOpts`` corresponds to the type of the encrypted field (i.e. expected type) and not that of the value being passed to ``clientEncryption.encrypt()``. - -Assert that an error was raised. - - -Case 8: setting precision errors if the type is not double or Decimal128 -```````````````````````````````````````````````````````````````````` -This test case should be skipped if the encrypted field is ``encryptedDoublePrecision``, ``encryptedDoubleNoPrecision``, ``encryptedDecimalPrecision``, or ``encryptedDecimalNoPrecision``. - -Use ``clientEncryption.encrypt()`` to encrypt the value 6. Ensure the type matches that of the encrypted field. - -Add ``{ precision: 2 }`` to the encrypted field's ``RangeOpts`` (see: `Test Setup: RangeOpts`_). - -Encrypt using the following ``EncryptOpts``: - -.. code:: typescript - - class EncryptOpts { - keyId : , - algorithm: "RangePreview", - contentionFactor: 0, - rangeOpts: , - } - -Assert that an error was raised. diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.json index 9eaabe0d7..63a2db3ef 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -226,10 +228,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -283,10 +288,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -346,10 +354,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -383,12 +394,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -445,12 +450,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.yml index c0f617944..9f36eec0a 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Date. Aggregate." @@ -124,12 +122,6 @@ tests: "_id": 0, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -185,12 +177,6 @@ tests: "_id": 1, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.json index fa887e089..fae25a1c0 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.yml index 49f66ae28..f7ed9fb93 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.json index cce4faf18..63a2b29fc 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -215,10 +217,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -272,10 +277,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -336,10 +344,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -373,12 +384,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.yml index 689d93a71..17f954e04 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Date. Delete." @@ -126,12 +124,6 @@ tests: "_id": 0, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.json index 4392b6768..049186c86 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -230,10 +232,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -287,10 +292,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -352,10 +360,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -389,12 +400,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -451,12 +456,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.yml index 69418e441..99ed076aa 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Date. FindOneAndUpdate." @@ -122,12 +120,6 @@ tests: "_id": 0, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -183,12 +175,6 @@ tests: "_id": 1, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.json index 27ce7881d..d0751434b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -222,10 +224,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -279,10 +284,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -337,10 +345,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -374,12 +385,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -436,12 +441,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.yml similarity index 92% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.yml index 9ad57efa7..c55ba9eee 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Date. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -179,12 +171,6 @@ tests: "_id": 1, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.json index f7d5a6af6..1e7750fee 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -226,10 +228,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -283,10 +288,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -354,10 +362,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -391,12 +402,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -453,12 +458,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.yml index 2dd35dfaa..f81d20a17 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Date-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Date-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDate', 'bsonType': 'date', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$date': {'$numberLong': '0'}}, 'max': {'$date': {'$numberLong': '200'}}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Date. Update." @@ -135,12 +133,6 @@ tests: "_id": 0, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -196,12 +188,6 @@ tests: "_id": 1, "encryptedDate": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.json index 401ee34e3..5f573a933 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -206,10 +208,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -253,10 +258,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -306,10 +314,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -335,12 +346,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -1119,12 +1124,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "RGTjNVEsNJb+DG7DpPOam8rQWD5HZAMpRyiTQaw7tk8=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.yml similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.yml index 4debfefc8..c0bbff590 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Aggregate.yml @@ -1,17 +1,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Decimal. Aggregate." @@ -127,12 +125,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -910,12 +902,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "RGTjNVEsNJb+DG7DpPOam8rQWD5HZAMpRyiTQaw7tk8=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.json index 758d3e573..4316a31c3 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.yml similarity index 97% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.yml index 4eef897c4..815462479 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Correctness.yml @@ -3,17 +3,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.json index 24a08f318..a94dd40fe 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -197,10 +199,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -244,10 +249,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -298,10 +306,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -327,12 +338,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.yml similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.yml index aad79c545..ca9c58f92 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Delete.yml @@ -1,17 +1,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Decimal. Delete." @@ -129,12 +127,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.json index 2a8070ecf..5226facfb 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -208,10 +210,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -255,10 +260,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -310,10 +318,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -339,12 +350,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -1123,12 +1128,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "Mr/laWHUijZT5VT3x2a7crb7wgd/UXOGz8jr8BVqBpM=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.yml similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.yml index d71ba28c5..2869767ad 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-FindOneAndUpdate.yml @@ -1,17 +1,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Decimal. FindOneAndUpdate." @@ -125,12 +123,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -908,12 +900,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "Mr/laWHUijZT5VT3x2a7crb7wgd/UXOGz8jr8BVqBpM=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.json index 2ef63f42b..b6615454b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -202,10 +204,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -249,10 +254,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -297,10 +305,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -326,12 +337,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -1110,12 +1115,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "RGTjNVEsNJb+DG7DpPOam8rQWD5HZAMpRyiTQaw7tk8=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.yml similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.yml index 9e70ff972..69c58a773 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-InsertFind.yml @@ -1,17 +1,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Decimal. Insert and Find." @@ -121,12 +119,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -904,12 +896,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "RGTjNVEsNJb+DG7DpPOam8rQWD5HZAMpRyiTQaw7tk8=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.json index 8064eb1b1..ceef8ca9b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.json @@ -1,11 +1,10 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -23,10 +22,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -206,10 +208,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -253,10 +258,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -314,10 +322,13 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -343,12 +354,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -1127,12 +1132,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "Mr/laWHUijZT5VT3x2a7crb7wgd/UXOGz8jr8BVqBpM=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.yml similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.yml index f06c13a4e..32e93c41d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Decimal-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Decimal-Update.yml @@ -1,17 +1,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. # Tests for Decimal (without precision) must only run against a replica set. Decimal (without precision) queries are expected to take a long time and may exceed the default mongos timeout. topology: [ "replicaset" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalNoPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Decimal. Update." @@ -138,12 +136,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "rbf3AeBEv4wWFAKknqDxRW5cLNkFvbIs6iJjc6LShQY=", @@ -921,12 +913,6 @@ tests: }, "encryptedDecimalNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "Mr/laWHUijZT5VT3x2a7crb7wgd/UXOGz8jr8BVqBpM=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.json index 8cf143c09..35cc4aba8 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -217,10 +219,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -273,10 +278,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -335,10 +343,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -373,12 +384,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -479,12 +484,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.yml index 43f1df686..79d5267b0 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DecimalPrecision. Aggregate." @@ -126,12 +124,6 @@ tests: }, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -231,12 +223,6 @@ tests: }, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.json index a4b06998f..895444588 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.yml similarity index 97% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.yml index c4b037bde..cd1ced0b8 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.json index fad823483..e000c4058 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -208,10 +210,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -264,10 +269,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -327,10 +335,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -365,12 +376,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.yml similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.yml index cb10767df..7c3b7623b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DecimalPrecision. Delete." @@ -128,12 +126,6 @@ tests: }, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.json index fb8f4f414..27f10a30a 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -219,10 +221,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -275,10 +280,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -339,10 +347,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -377,12 +388,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -483,12 +488,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.yml index 2c67b3638..2bf6c1686 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DecimalPrecision. FindOneAndUpdate." @@ -124,12 +122,6 @@ tests: }, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -229,12 +221,6 @@ tests: }, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.json index 79562802e..5fb96730d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -213,10 +215,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -269,10 +274,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -326,10 +334,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -362,12 +373,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -466,12 +471,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.yml index f01401718..5bde55984 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DecimalPrecision. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -221,12 +213,6 @@ tests: "_id": 1, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.json index cc93b7694..f67ae3ca2 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -217,10 +219,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -273,10 +278,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -343,10 +351,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -379,12 +390,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -483,12 +488,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.yml similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.yml index 22beb93e9..75763dcb6 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DecimalPrecision-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DecimalPrecision-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDecimalPrecision', 'bsonType': 'decimal', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDecimal': '0.0'}, 'max': {'$numberDecimal': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DecimalPrecision. Update." @@ -135,12 +133,6 @@ tests: "_id": 0, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -238,12 +230,6 @@ tests: "_id": 1, "encryptedDecimalPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.json similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.json index 79f26660f..e14ca8ff0 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -208,10 +210,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -255,10 +260,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -308,10 +316,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -335,12 +346,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -733,12 +738,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "2FIZh/9N+NeJEQwxYIX5ikQT85xJzulBNReXk8PnG/s=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.yml index 83ca7fb90..63e06a886 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Double. Aggregate." @@ -124,12 +122,6 @@ tests: "_id": 0, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -521,12 +513,6 @@ tests: "_id": 1, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "2FIZh/9N+NeJEQwxYIX5ikQT85xJzulBNReXk8PnG/s=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.json index 117e56af6..edb336743 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.yml similarity index 97% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.yml index 5f91aead1..54a116e5c 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.json similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.json index 40d8ed5bb..6821c9793 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -199,10 +201,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -246,10 +251,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -300,10 +308,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -327,12 +338,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.yml index def2bcb67..f926c7b56 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Double. Delete." @@ -126,12 +124,6 @@ tests: "_id": 0, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.json similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.json index f0893ce66..298a4506c 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -210,10 +212,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -257,10 +262,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -312,10 +320,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -339,12 +350,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -737,12 +742,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "HI88j1zrIsFoijIXKybr9mYubNV5uVeODyLHFH4Ueco=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.yml index 4bac3c138..f8cfe40ab 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Double. FindOneAndUpdate." @@ -122,12 +120,6 @@ tests: "_id": 0, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -519,12 +511,6 @@ tests: "_id": 1, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "HI88j1zrIsFoijIXKybr9mYubNV5uVeODyLHFH4Ueco=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.json similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.json index d3dc2f830..0c6f9e987 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -204,10 +206,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -251,10 +256,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -299,10 +307,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -326,12 +337,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -724,12 +729,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "2FIZh/9N+NeJEQwxYIX5ikQT85xJzulBNReXk8PnG/s=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.yml index 33b531f83..cea49c72d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Double. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -515,12 +507,6 @@ tests: "_id": 1, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "2FIZh/9N+NeJEQwxYIX5ikQT85xJzulBNReXk8PnG/s=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.json similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.json index 9d6a1fbfd..dabe8a093 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -208,10 +210,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -255,10 +260,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -316,10 +324,13 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } @@ -343,12 +354,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -741,12 +746,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "HI88j1zrIsFoijIXKybr9mYubNV5uVeODyLHFH4Ueco=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.yml index 65f50aecd..4c550854d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Double-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Double-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoubleNoPrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Double. Update." @@ -135,12 +133,6 @@ tests: "_id": 0, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "6YrBn2ofIw1b5ooakrLOwF41BWrps8OO0H9WH4/rtlE=", @@ -532,12 +524,6 @@ tests: "_id": 1, "encryptedDoubleNoPrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "HI88j1zrIsFoijIXKybr9mYubNV5uVeODyLHFH4Ueco=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.json index 4188685a2..8d434dc27 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -217,10 +219,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -273,10 +278,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -335,10 +343,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -371,12 +382,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -475,12 +480,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.yml index 4c3b3d66b..bd603467b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DoublePrecision. Aggregate." @@ -124,12 +122,6 @@ tests: "_id": 0, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -227,12 +219,6 @@ tests: "_id": 1, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.json index 60f1ea7a3..87d0e3dd8 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.yml similarity index 97% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.yml index 6f3259f32..9c7a8d22f 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.json index 4ed591d3f..a9315dec9 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -208,10 +210,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -264,10 +269,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -327,10 +335,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -363,12 +374,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.yml similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.yml index fa0444753..817d785c1 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DoublePrecision. Delete." @@ -126,12 +124,6 @@ tests: "_id": 0, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.json index d8fbbfae7..28bebe0db 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -219,10 +221,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -275,10 +280,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -339,10 +347,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -375,12 +386,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -479,12 +484,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.yml index 0f615d4b5..c1aa8333b 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DoublePrecision. FindOneAndUpdate." @@ -122,12 +120,6 @@ tests: "_id": 0, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -225,12 +217,6 @@ tests: "_id": 1, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.json index 4213b066d..3b3176be6 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -213,10 +215,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -269,10 +274,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -326,10 +334,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -362,12 +373,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -466,12 +471,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.yml index 107151449..17295c2e6 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DoublePrecision. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -221,12 +213,6 @@ tests: "_id": 1, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "mVZb+Ra0EYjQ4Zrh9X//E2T8MRj7NMqm5GUJXhRrBEI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.json similarity index 96% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.json index 89eb4c338..be2d0e9f4 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -217,10 +219,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -273,10 +278,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -343,10 +351,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -379,12 +390,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -483,12 +488,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.yml similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.yml index b8ffbe9d4..c0c794357 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-DoublePrecision-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-DoublePrecision-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedDoublePrecision', 'bsonType': 'double', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberDouble': '0.0'}, 'max': {'$numberDouble': '200.0'}, 'precision': {'$numberInt': '2'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range DoublePrecision. Update." @@ -137,12 +135,6 @@ tests: "_id": 0, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "Dri0CXmL78L2DOgk9w0DwxHOMGMzih7m6l59vgy+WWo=", @@ -240,12 +232,6 @@ tests: "_id": 1, "encryptedDoublePrecision": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "V6knyt7Zq2CG3++l75UtBx2m32iGAPjHiAe439Bf02w=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.json index 686f0241b..c689dede1 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -214,10 +216,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -267,10 +272,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -326,10 +334,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -359,12 +370,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -421,12 +426,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.yml index 052a3006e..f59c104d4 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Int. Aggregate." @@ -124,12 +122,6 @@ tests: "_id": 0, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -185,12 +177,6 @@ tests: "_id": 1, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.json index 2964624f2..9dc4e4e50 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.yml index f7e4c53de..9cb1cb368 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.json index 531b3e759..4a6b34a1d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -205,10 +207,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -258,10 +263,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -318,10 +326,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -351,12 +362,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.yml index ecc5eaa27..d2ef688a8 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Int. Delete." @@ -126,12 +124,6 @@ tests: "_id": 0, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.json index 402086cdb..2bf905fa6 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -216,10 +218,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -269,10 +274,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -330,10 +338,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -363,12 +374,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -425,12 +430,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.yml index 9e878890f..a27de9b7e 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Int. FindOneAndUpdate." @@ -122,12 +120,6 @@ tests: "_id": 0, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -183,12 +175,6 @@ tests: "_id": 1, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.json index 965b8a551..a5eb4d60e 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -210,10 +212,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -263,10 +268,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -317,10 +325,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -350,12 +361,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -412,12 +417,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.yml index 6e9594a1b..fdb580cee 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Int. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -179,12 +171,6 @@ tests: "_id": 1, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.json index 6cf44ac78..e826ea2ac 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -214,10 +216,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -267,10 +272,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -334,10 +342,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -367,12 +378,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -429,12 +434,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.yml index a98c1a659..7a383aae4 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Int-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Int-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Int. Update." @@ -137,12 +135,6 @@ tests: "_id": 0, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -198,12 +190,6 @@ tests: "_id": 1, "encryptedInt": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.json index 6edb38a80..d5020f592 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -214,10 +216,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -267,10 +272,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -326,10 +334,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -359,12 +370,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -421,12 +426,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.yml index 5bc598daa..8eb8f3615 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Aggregate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Aggregate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Long. Aggregate." @@ -124,12 +122,6 @@ tests: "_id": 0, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -185,12 +177,6 @@ tests: "_id": 1, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.json similarity index 99% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.json index 3d33f7381..d81e0933f 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.yml similarity index 98% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.yml index 01834f1c3..97b7db2b7 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Correctness.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Correctness.yml @@ -3,16 +3,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Find with $gt" diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.json index 1b3278201..3720d0034 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -205,10 +207,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -258,10 +263,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -318,10 +326,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -351,12 +362,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.yml similarity index 94% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.yml index 617794a17..4f18efa1d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Delete.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Delete.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Long. Delete." @@ -126,12 +124,6 @@ tests: "_id": 0, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.json index b8e3b888a..5e4b5ae0d 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -216,10 +218,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -269,10 +274,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -330,10 +338,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -363,12 +374,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -425,12 +430,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.yml index 1459ca106..4e5a32994 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-FindOneAndUpdate.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-FindOneAndUpdate.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Long. FindOneAndUpdate." @@ -122,12 +120,6 @@ tests: "_id": 0, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -183,12 +175,6 @@ tests: "_id": 1, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.json index d637fcf9e..0d4858062 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -210,10 +212,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -263,10 +268,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -317,10 +325,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -350,12 +361,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -412,12 +417,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.yml index 578c08c24..c30106402 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-InsertFind.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-InsertFind.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Long. Insert and Find." @@ -118,12 +116,6 @@ tests: "_id": 0, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -179,12 +171,6 @@ tests: "_id": 1, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "bE1vqWj3KNyM7cCYUv/cnYm8BPaUL3eMp5syTHq6NF4=", - "subType": "00" - } - }, { "$binary": { "base64": "25j9sQXZCihCmHKvTHgaBsAVZFcGPn7JjHdrCGlwyyw=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.json index 1b76019a4..2d3321fd8 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.json @@ -1,13 +1,12 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" - ], - "maxServerVersion": "7.99.99" + ] } ], "database_name": "default", @@ -25,10 +24,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -214,10 +216,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -267,10 +272,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -334,10 +342,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -367,12 +378,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -429,12 +434,6 @@ "$$type": "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.yml similarity index 93% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.yml index db16c3dd6..81879398e 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-Long-Update.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-Long-Update.yml @@ -1,16 +1,14 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} +encrypted_fields: &encrypted_fields {'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedLong', 'bsonType': 'long', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberInt': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberLong': '0'}, 'max': {'$numberLong': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "FLE2 Range Long. Update." @@ -137,12 +135,6 @@ tests: "_id": 0, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "5nRutVIyq7URVOVtbE4vM01APSIajAVnsShMwjBlzkM=", - "subType": "00" - } - }, { "$binary": { "base64": "RjBYT2h3ZAoHxhf8DU6/dFbDkEBZp0IxREcsRTu2MXs=", @@ -198,12 +190,6 @@ tests: "_id": 1, "encryptedLong": { $$type: "binData" }, "__safeContent__": [ - { - "$binary": { - "base64": "DLCAJs+W2PL2DV5YChCL6dYrQNr+j4p3L7xhVaub4ic=", - "subType": "00" - } - }, { "$binary": { "base64": "hyDcE6QQjPrYJaIS/n7evEZFYcm31Tj89CpEYGF45cI=", diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.json b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.json similarity index 95% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.json rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.json index 704a693b8..621560450 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.json +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.json @@ -1,13 +1,13 @@ { "runOn": [ { - "minServerVersion": "7.0.0", + "minServerVersion": "8.0.0", "topology": [ "replicaset", "sharded", "load-balanced" ], - "maxServerVersion": "7.99.99" + "maxServerVersion": "8.99.99" } ], "database_name": "default", @@ -25,10 +25,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberLong": "1" + }, "sparsity": { "$numberLong": "1" }, diff --git a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.yml b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.yml similarity index 88% rename from src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.yml rename to src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.yml index 9f1a93386..432f86b42 100644 --- a/src/test/spec/json/client-side-encryption/legacy/fle2v2-Range-WrongType.yml +++ b/src/test/spec/json/client-side-encryption/legacy/fle2v2-Rangev2-WrongType.yml @@ -3,16 +3,15 @@ # Requires libmongocrypt 1.8.0. runOn: - - minServerVersion: "7.0.0" + - minServerVersion: "8.0.0" # Skip QEv2 (also referred to as FLE2v2) tests on Serverless. Unskip once Serverless enables the QEv2 protocol. # FLE 2 Encrypted collections are not supported on standalone. topology: [ "replicaset", "sharded", "load-balanced" ] - # Skip tests for "rangePreview" algorithm on Server 8.0+. Server 8.0 drops "rangePreview" and adds "range". - maxServerVersion: "7.99.99" + maxServerVersion: "8.99.99" database_name: &database_name "default" collection_name: &collection_name "default" data: [] -encrypted_fields: &encrypted_fields { 'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'rangePreview', 'contention': {'$numberLong': '0'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} +encrypted_fields: &encrypted_fields { 'fields': [{'keyId': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'path': 'encryptedInt', 'bsonType': 'int', 'queries': {'queryType': 'range', 'contention': {'$numberLong': '0'}, 'trimFactor': {'$numberLong': '1'}, 'sparsity': {'$numberLong': '1'}, 'min': {'$numberInt': '0'}, 'max': {'$numberInt': '200'}}}]} key_vault_data: [ {'_id': {'$binary': {'base64': 'EjRWeBI0mHYSNBI0VniQEg==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'sHe0kz57YW7v8g9VP9sf/+K1ex4JqKc5rf/URX3n3p8XdZ6+15uXPaSayC6adWbNxkFskuMCOifDoTT+rkqMtFkDclOy884RuGGtUysq3X7zkAWYTKi8QAfKkajvVbZl2y23UqgVasdQu3OVBQCrH/xY00nNAs/52e958nVjBuzQkSb1T8pKJAyjZsHJ60+FtnfafDZSTAIBJYn7UWBCwQ==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1648914851981'}}, 'updateDate': {'$date': {'$numberLong': '1648914851981'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'local'}} ] tests: - description: "Wrong type: Insert Double" diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Date.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Date.json index 97a2b2d4e..defa6e37f 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Date.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Date.json @@ -10,10 +10,13 @@ "path": "encryptedDate", "bsonType": "date", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -30,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalNoPrecision.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalNoPrecision.json index 4d284475f..dbe28e9c1 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalNoPrecision.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalNoPrecision.json @@ -10,14 +10,17 @@ "path": "encryptedDecimalNoPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalPrecision.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalPrecision.json index 53449182b..538ab20f0 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalPrecision.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DecimalPrecision.json @@ -10,10 +10,13 @@ "path": "encryptedDecimalPrecision", "bsonType": "decimal", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -29,4 +32,4 @@ } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoubleNoPrecision.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoubleNoPrecision.json index b478a772d..fb4f46d37 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoubleNoPrecision.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoubleNoPrecision.json @@ -10,14 +10,17 @@ "path": "encryptedDoubleNoPrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" } } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoublePrecision.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoublePrecision.json index 395a36968..07d1c84d6 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoublePrecision.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-DoublePrecision.json @@ -10,10 +10,13 @@ "path": "encryptedDoublePrecision", "bsonType": "double", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -29,4 +32,4 @@ } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Int.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Int.json index 61b7082df..4f0b4854e 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Int.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Int.json @@ -10,10 +10,13 @@ "path": "encryptedInt", "bsonType": "int", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -26,4 +29,4 @@ } } ] -} +} \ No newline at end of file diff --git a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Long.json b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Long.json index b18b84b6e..32fe1ea15 100644 --- a/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Long.json +++ b/src/test/spec/json/testdata/client-side-encryption/data/range-encryptedFields-Long.json @@ -10,10 +10,13 @@ "path": "encryptedLong", "bsonType": "long", "queries": { - "queryType": "rangePreview", + "queryType": "range", "contention": { "$numberLong": "0" }, + "trimFactor": { + "$numberInt": "1" + }, "sparsity": { "$numberLong": "1" }, @@ -26,4 +29,4 @@ } } ] -} +} \ No newline at end of file