PYTHON-4112 Support named KMS providers (#1487)

Requires pymongocrypt >= 1.9.0 and libmongocrypt >= 1.9.0.

Author: ShaneHarvey

doc/changelog.rst

@@ -14,6 +14,12 @@ PyMongo 4.7 brings a number of improvements including:
 - Replaced usage of :class:`bson.son.SON` on all internal classes and commands to dict,
   :attr:`options.pool_options.metadata` is now of type ``dict`` as opposed to :class:`bson.son.SON`.
 - Significantly improved the performance of encoding BSON documents to JSON.
+- Support for named KMS providers for client side field level encryption.
+  Previously supported KMS providers were only: aws, azure, gcp, kmip, and local.
+  The KMS provider is now expanded to support name suffixes (e.g. local:myname).
+  Named KMS providers enables more than one of each KMS provider type to be configured.
+  See the docstring for :class:`~pymongo.encryption_options.AutoEncryptionOpts`.
+  Note that named KMS providers requires pymongocrypt >=1.9 and libmongocrypt >=1.9.
 - Fixed a bug where :class:`~bson.int64.Int64` instances could not always be encoded by `orjson`_. The following now
   works::
 

doc/examples/encryption.rst

@@ -125,8 +125,8 @@ examples show how to setup automatic client-side field level encryption
 using :class:`~pymongo.encryption.ClientEncryption` to create a new
 encryption data key.
 
-.. note:: Automatic client-side field level encryption requires MongoDB 4.2
-   enterprise or a MongoDB 4.2 Atlas cluster. The community version of the
+.. note:: Automatic client-side field level encryption requires MongoDB >=4.2
+   enterprise or a MongoDB >=4.2 Atlas cluster. The community version of the
    server supports automatic decryption as well as
    :ref:`explicit-client-side-encryption`.
 
@@ -255,7 +255,7 @@ will result in an error.
 Server-Side Field Level Encryption Enforcement
 ``````````````````````````````````````````````
 
-The MongoDB 4.2 server supports using schema validation to enforce encryption
+MongoDB >=4.2 servers supports using schema validation to enforce encryption
 of specific fields in a collection. This schema validation will prevent an
 application from inserting unencrypted values for any fields marked with the
 ``"encrypt"`` JSON schema keyword.
@@ -457,8 +457,8 @@ Explicit encryption is a MongoDB community feature and does not use the
 Explicit Encryption with Automatic Decryption
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Although automatic encryption requires MongoDB 4.2 enterprise or a
-MongoDB 4.2 Atlas cluster, automatic *decryption* is supported for all users.
+Although automatic encryption requires MongoDB >=4.2 enterprise or a
+MongoDB >=4.2 Atlas cluster, automatic *decryption* is supported for all users.
 To configure automatic *decryption* without automatic *encryption* set
 ``bypass_auto_encryption=True`` in
 :class:`~pymongo.encryption_options.AutoEncryptionOpts`:

pymongo/encryption.py

@@ -101,7 +101,7 @@ def _wrap_encryption_errors() -> Iterator[None]:
         # we should propagate them unchanged.
         raise
     except Exception as exc:
-        raise EncryptionError(exc) from None
+        raise EncryptionError(exc) from exc
 
 
 class _EncryptionIO(MongoCryptCallback):  # type: ignore[misc]
@@ -520,6 +520,9 @@ def __init__(
                 data keys. This key should be generated and stored as securely
                 as possible.
 
+            KMS providers may be specified with an optional name suffix
+            separated by a colon, for example "kmip:name" or "aws:name".
+            Named KMS providers do not support :ref:`CSFLE on-demand credentials`.
         :param key_vault_namespace: The namespace for the key vault collection.
             The key vault collection contains all data keys used for encryption
             and decryption. Data keys are stored as documents in this MongoDB
@@ -674,12 +677,13 @@ def create_data_key(
         """Create and insert a new data key into the key vault collection.
 
         :param kms_provider: The KMS provider to use. Supported values are
-            "aws", "azure", "gcp", "kmip", and "local".
+            "aws", "azure", "gcp", "kmip", "local", or a named provider like
+            "kmip:name".
         :param master_key: Identifies a KMS-specific key used to encrypt the
             new data key. If the kmsProvider is "local" the `master_key` is
             not applicable and may be omitted.
 
-            If the `kms_provider` is "aws" it is required and has the
+            If the `kms_provider` type is "aws" it is required and has the
             following fields::
 
               - `region` (string): Required. The AWS region, e.g. "us-east-1".
@@ -689,15 +693,15 @@ def create_data_key(
                 requests to. May include port number, e.g.
                 "kms.us-east-1.amazonaws.com:443".
 
-            If the `kms_provider` is "azure" it is required and has the
+            If the `kms_provider` type is "azure" it is required and has the
             following fields::
 
               - `keyVaultEndpoint` (string): Required. Host with optional
                  port, e.g. "example.vault.azure.net".
               - `keyName` (string): Required. Key name in the key vault.
               - `keyVersion` (string): Optional. Version of the key to use.
 
-            If the `kms_provider` is "gcp" it is required and has the
+            If the `kms_provider` type is "gcp" it is required and has the
             following fields::
 
               - `projectId` (string): Required. The Google cloud project ID.
@@ -709,7 +713,7 @@ def create_data_key(
               - `endpoint` (string): Optional. Host with optional port.
                 Defaults to "cloudkms.googleapis.com".
 
-            If the `kms_provider` is "kmip" it is optional and has the
+            If the `kms_provider` type is "kmip" it is optional and has the
             following fields::
 
               - `keyId` (string): Optional. `keyId` is the KMIP Unique

pymongo/encryption_options.py

@@ -55,13 +55,13 @@ def __init__(
     ) -> None:
         """Options to configure automatic client-side field level encryption.
 
-        Automatic client-side field level encryption requires MongoDB 4.2
-        enterprise or a MongoDB 4.2 Atlas cluster. Automatic encryption is not
+        Automatic client-side field level encryption requires MongoDB >=4.2
+        enterprise or a MongoDB >=4.2 Atlas cluster. Automatic encryption is not
         supported for operations on a database or view and will result in
         error.
 
-        Although automatic encryption requires MongoDB 4.2 enterprise or a
-        MongoDB 4.2 Atlas cluster, automatic *decryption* is supported for all
+        Although automatic encryption requires MongoDB >=4.2 enterprise or a
+        MongoDB >=4.2 Atlas cluster, automatic *decryption* is supported for all
         users. To configure automatic *decryption* without automatic
         *encryption* set ``bypass_auto_encryption=True``. Explicit
         encryption and explicit decryption is also supported for all users
@@ -94,12 +94,23 @@ def __init__(
                 data keys. This key should be generated and stored as securely
                 as possible.
 
+            KMS providers may be specified with an optional name suffix
+            separated by a colon, for example "kmip:name" or "aws:name".
+            Named KMS providers do not support :ref:`CSFLE on-demand credentials`.
+            Named KMS providers enables more than one of each KMS provider type to be configured.
+            For example, to configure multiple local KMS providers::
+
+              kms_providers = {
+                  "local": {"key": local_kek1},        # Unnamed KMS provider.
+                  "local:myname": {"key": local_kek2}, # Named KMS provider with name "myname".
+              }
+
         :param key_vault_namespace: The namespace for the key vault collection.
             The key vault collection contains all data keys used for encryption
             and decryption. Data keys are stored as documents in this MongoDB
             collection. Data keys are protected with encryption by a KMS
             provider.
-        :param key_vault_client: By default the key vault collection
+        :param key_vault_client: By default, the key vault collection
             is assumed to reside in the same MongoDB cluster as the encrypted
             MongoClient. Use this option to route data key queries to a
             separate MongoDB cluster.

test/__init__.py

@@ -113,6 +113,10 @@
     "accessKeyId": os.environ.get("FLE_AWS_KEY", ""),
     "secretAccessKey": os.environ.get("FLE_AWS_SECRET", ""),
 }
+AWS_CREDS_2 = {
+    "accessKeyId": os.environ.get("FLE_AWS_KEY2", ""),
+    "secretAccessKey": os.environ.get("FLE_AWS_SECRET2", ""),
+}
 AZURE_CREDS = {
     "tenantId": os.environ.get("FLE_AZURE_TENANTID", ""),
     "clientId": os.environ.get("FLE_AZURE_CLIENTID", ""),

test/client-side-encryption/spec/legacy/fle2v2-BypassQueryAnalysis.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Compact.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-CreateCollection-OldServer.json

@@ -55,6 +55,38 @@
           "result": {
             "errorContains": "Driver support of Queryable Encryption is incompatible with server. Upgrade server to use Queryable Encryption."
           }
+        },
+        {
+          "name": "assertCollectionNotExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "enxcol_.encryptedCollection.esc"
+          }
+        },
+        {
+          "name": "assertCollectionNotExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "enxcol_.encryptedCollection.ecc"
+          }
+        },
+        {
+          "name": "assertCollectionNotExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "enxcol_.encryptedCollection.ecoc"
+          }
+        },
+        {
+          "name": "assertCollectionNotExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "encryptedCollection"
+          }
         }
       ]
     }

test/client-side-encryption/spec/legacy/fle2v2-CreateCollection.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-DecryptExistingData.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Delete.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-EncryptedFields-vs-EncryptedFieldsMap.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-EncryptedFields-vs-jsonSchema.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-EncryptedFieldsMap-defaults.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-FindOneAndUpdate.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-InsertFind-Indexed.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-InsertFind-Unindexed.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-MissingKey.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-NoEncryption.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-Aggregate.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-Correctness.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-Delete.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-FindOneAndUpdate.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-InsertFind.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Date-Update.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset",
         "sharded",

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-Aggregate.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-Correctness.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-Delete.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-FindOneAndUpdate.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-InsertFind.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]

test/client-side-encryption/spec/legacy/fle2v2-Range-Decimal-Update.json

@@ -2,7 +2,6 @@
   "runOn": [
     {
       "minServerVersion": "7.0.0",
-      "serverless": "forbid",
       "topology": [
         "replicaset"
       ]