From 43cea98eef18372a246d2b1d03b646602182a4ea Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Tue, 23 May 2023 16:35:12 -0600
Subject: [PATCH 1/3] RUBY 3156 enforce that masterKey requires provider
---
 lib/mongo/crypt/explicit_encrypter.rb | 15 ++++++++++++++-
 .../client_side_encryption/rewrap_prose_spec.rb | 8 ++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/lib/mongo/crypt/explicit_encrypter.rb b/lib/mongo/crypt/explicit_encrypter.rb
index cce570e441..2421b337b3 100644
--- a/lib/mongo/crypt/explicit_encrypter.rb
+++ b/lib/mongo/crypt/explicit_encrypter.rb
@@ -1,5 +1,4 @@ # frozen_string_literal: true -# rubocop:todo all # Copyright (C) 2020 MongoDB Inc. #
@@ -257,6 +256,8 @@ def remove_key_alt_name(id, key_alt_name) # # @return [ Crypt::RewrapManyDataKeyResult ] Result of the operation. def rewrap_many_data_key(filter, opts = {}) + validate_rewrap_options!(opts) + master_key_document = if opts[:provider] options = opts.dup provider = options.delete(:provider)
@@ -291,6 +292,18 @@ def rewrap_many_data_key(filter, opts = {}) @encryption_io.update_data_keys(updates) ) end + + # Ensures the consistency of the options passed to #rewrap_many_data_keys. + # + # @param [Hash] opts the options hash to validate + # + # @raise [ ArgumentError ] if the options are not consistent or + # compatible. + def validate_rewrap_options!(opts) + if opts.key?(:master_key) && !opts.key?(:provider) + raise ArgumentError, 'If :master_key is specified, :provider must also be given' + end + end end end end
diff --git a/spec/integration/client_side_encryption/rewrap_prose_spec.rb b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
index fada5ee6e7..46603665b0 100644
--- a/spec/integration/client_side_encryption/rewrap_prose_spec.rb
+++ b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
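Review bot: The new guard in `validate_rewrap_options!` tests `opts.key?(:provider)`, while the caller in the earlier hunk branches on the truthiness of `opts[:provider]`, so a call such as `provider: nil, master_key: { ... }` passes validation and then takes the no-provider branch. That branch lies outside the hunk, but it presumably rewraps with each key's existing master key, which would leave the supplied `:master_key` silently unused, the very case this check is meant to reject. Testing the value instead closes the gap: `if opts.key?(:master_key) && !opts[:provider]`. The spec hunk in rewrap_prose_spec.rb covers only the missing-key case and would need a `provider: nil` example alongside it. The doc comment also names `#rewrap_many_data_keys`, but the method is `rewrap_many_data_key`.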
@@ -93,6 +93,14 @@ expect(client_encryption_1.decrypt(ciphertext)).to eq('test') expect(client_encryption_2.decrypt(ciphertext)).to eq('test') end + + + context 'when master_key is present without provider' do + it 'raises an exception' do + expect { client_encryption_1.rewrap_many_data_key({}, master_key: {}) } + .to raise_error(ArgumentError, /provider/) + end + end end end end
From fad2da2dc42a2fd86f3953dcb9cbe93b698440d2 Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Fri, 26 May 2023 14:12:52 -0600
Subject: [PATCH 2/3] reference the correct variable
---
 spec/integration/client_side_encryption/rewrap_prose_spec.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/spec/integration/client_side_encryption/rewrap_prose_spec.rb b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
index ddd25f8da4..86958929f2 100644
--- a/spec/integration/client_side_encryption/rewrap_prose_spec.rb
+++ b/spec/integration/client_side_encryption/rewrap_prose_spec.rb
@@ -102,10 +102,9 @@ expect(client_encryption2.decrypt(ciphertext)).to eq('test') end - context 'when master_key is present without provider' do it 'raises an exception' do - expect { client_encryption_1.rewrap_many_data_key({}, master_key: {}) } + expect { client_encryption1.rewrap_many_data_key({}, master_key: {}) } .to raise_error(ArgumentError, /provider/) end end
From 369c7a2f91429e8c78a7e9dee8f22defd5bedac9 Mon Sep 17 00:00:00 2001
From: Jamis Buck
Date: Fri, 26 May 2023 14:18:06 -0600
Subject: [PATCH 3/3] rubocop work is being done in a separate branch
---
 lib/mongo/crypt/explicit_encrypter.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/mongo/crypt/explicit_encrypter.rb b/lib/mongo/crypt/explicit_encrypter.rb
index 2421b337b3..ffe885976b 100644
--- a/lib/mongo/crypt/explicit_encrypter.rb
+++ b/lib/mongo/crypt/explicit_encrypter.rb
@@ -1,4 +1,5 @@ # frozen_string_literal: true +# rubocop:todo all # Copyright (C) 2020 MongoDB Inc. #