
Commit 233d695

RUST-1830 Support KMIP delegated protocol (#1115)
1 parent 243d154 commit 233d695


14 files changed

+861
-33
lines changed


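--- a/src/client/csfle/client_encryption.rs
+++ b/src/client/csfle/client_encryption.rs
@@ -227,6 +227,8 @@ pub enum MasterKey {
 /// keyId is the KMIP Unique Identifier to a 96 byte KMIP Secret Data managed object. If
 /// keyId is omitted, the driver creates a random 96 byte KMIP Secret Data managed object.
 key_id: Option<String>,
+/// If true (recommended), the KMIP server must decrypt this key. Defaults to false.
+delegated: Option<bool>,
 /// Host with optional port.
 endpoint: Option<String>,
 },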
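Review bot: The doc comment on the new `delegated` field of `MasterKey::Kmip` recommends `true` while the default stays `false`, and it does not say what changes for the caller when the option is set. I would state the security difference explicitly, along the lines of `/// If true (recommended), the KMIP server performs encryption and decryption with this key, instead of the driver retrieving it. Defaults to false.` — the exact wording should be checked against the client-side encryption specification. Adding a field to a public struct-like variant is also source-breaking for downstream code that builds `MasterKey::Kmip { .. }` with a struct expression (the tests in this commit needed the same edit), so it deserves a changelog entry. The enum's attributes and the rest of its body are outside the hunk, so how `delegated: None` is serialized cannot be confirmed from here.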

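--- a/src/test/csfle.rs
+++ b/src/test/csfle.rs
@@ -315,6 +315,7 @@ async fn data_key_double_encryption() -> Result<()> {
 KmsProvider::Kmip,
 MasterKey::Kmip {
 key_id: None,
+delegated: None,
 endpoint: None,
 },
 ),
@@ -1185,6 +1186,7 @@ async fn custom_endpoint_kmip_no_endpoint() -> Result<()> {
 
 let master_key = MasterKey::Kmip {
 key_id: Some("1".to_string()),
+delegated: None,
 endpoint: None,
 };
 
@@ -1210,6 +1212,7 @@ async fn custom_endpoint_kmip_valid_endpoint() -> Result<()> {
 
 let master_key = MasterKey::Kmip {
 key_id: Some("1".to_string()),
+delegated: None,
 endpoint: Some("localhost:5698".to_string()),
 };
 
@@ -1227,6 +1230,7 @@ async fn custom_endpoint_kmip_invalid_endpoint() -> Result<()> {
 
 let master_key = MasterKey::Kmip {
 key_id: Some("1".to_string()),
+delegated: None,
 endpoint: Some("doesnotexist.local:5698".to_string()),
 };
 
@@ -1929,6 +1933,7 @@ async fn kms_tls_options() -> Result<()> {
 // Case 4: KMIP
 let kmip_key = MasterKey::Kmip {
 key_id: None,
+delegated: None,
 endpoint: None,
 };
 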
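Review bot: Every `MasterKey::Kmip` literal touched in this file passes `delegated: None`, so none of these tests builds the variant with `Some(true)`; the five hunks (`data_key_double_encryption`, the three `custom_endpoint_kmip_*` tests and `kms_tls_options`) only keep the existing behaviour compiling. In the sections visible on this page the delegated path is exercised only through the spec fixtures, and the unified "create datakey with KMIP delegated KMS provider" test is skipped when the `openssl-tls` feature is off. Consider adding a `delegated: Some(true)` case, for example next to the KMIP entry in `data_key_double_encryption`, if the test KMIP server supports delegated operations; files of this commit not shown here may already cover it. All five functions begin and end outside their hunks.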

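--- a/src/test/spec/client_side_encryption.rs
+++ b/src/test/spec/client_side_encryption.rs
@@ -5,6 +5,7 @@ async fn run_unified() {
 let mut skipped_tests = vec![];
 if cfg!(not(feature = "openssl-tls")) {
 skipped_tests.push("create datakey with KMIP KMS provider");
+skipped_tests.push("create datakey with KMIP delegated KMS provider");
 }
 
 run_unified_tests(&["client-side-encryption", "unified"])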
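Review bot: The skip entries in `run_unified` carry no explanation, and they appear to be matched against the spec test's description string, so a reworded description in a future spec sync would silently re-enable the test on builds without `openssl-tls`. A short comment above the `if` would help, for example `// KMIP spec tests are skipped without the openssl-tls feature; these strings must match the fixture descriptions exactly.` — the reason for the feature requirement is not visible in this hunk and should be confirmed before it is written down. The rest of `run_unified` continues outside the hunk.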

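--- a/src/test/spec/json/client-side-encryption/legacy/azureKMS.json
+++ b/src/test/spec/json/client-side-encryption/legacy/azureKMS.json
@@ -78,6 +78,17 @@
 "bsonType": "string",
 "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
 }
+},
+"encrypted_string_kmip_delegated": {
+"encrypt": {
+"keyId": [
+{
+"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
+}
+],
+"bsonType": "string",
+"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+}
 }
 },
 "bsonType": "object"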

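--- a/src/test/spec/json/client-side-encryption/legacy/azureKMS.yml
+++ b/src/test/spec/json/client-side-encryption/legacy/azureKMS.yml
@@ -4,7 +4,7 @@ database_name: &database_name "default"
 collection_name: &collection_name "default"
 
 data: []
-json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
+json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
 key_vault_data: [{'_id': {'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'n+HWZ0ZSVOYA3cvQgP7inN4JSXfOH85IngmeQxRpQHjCCcqT3IFqEWNlrsVHiz3AELimHhX4HKqOLWMUeSIT6emUDDoQX9BAv8DR1+E1w4nGs/NyEneac78EYFkK3JysrFDOgl2ypCCTKAypkn9CkAx1if4cfgQE93LW4kczcyHdGiH36CIxrCDGv1UzAvERN5Qa47DVwsM6a+hWsF2AAAJVnF0wYLLJU07TuRHdMrrphPWXZsFgyV+lRqJ7DDpReKNO8nMPLV/mHqHBHGPGQiRdb9NoJo8CvokGz4+KE8oLwzKf6V24dtwZmRkrsDV4iOhvROAzz+Euo1ypSkL3mw==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601573901680'}}, 'updateDate': {'$date': {'$numberLong': '1601573901680'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'azure', 'keyVaultEndpoint': 'key-vault-csfle.vault.azure.net', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'azure_altname']}]
 
 tests: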

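--- a/src/test/spec/json/client-side-encryption/legacy/gcpKMS.json
+++ b/src/test/spec/json/client-side-encryption/legacy/gcpKMS.json
@@ -78,6 +78,17 @@
 "bsonType": "string",
 "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
 }
+},
+"encrypted_string_kmip_delegated": {
+"encrypt": {
+"keyId": [
+{
+"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
+}
+],
+"bsonType": "string",
+"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+}
 }
 },
 "bsonType": "object"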

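--- a/src/test/spec/json/client-side-encryption/legacy/gcpKMS.yml
+++ b/src/test/spec/json/client-side-encryption/legacy/gcpKMS.yml
@@ -4,7 +4,7 @@ database_name: &database_name "default"
 collection_name: &collection_name "default"
 
 data: []
-json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
+json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
 key_vault_data: [{'_id': {'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'CiQAIgLj0WyktnB4dfYHo5SLZ41K4ASQrjJUaSzl5vvVH0G12G0SiQEAjlV8XPlbnHDEDFbdTO4QIe8ER2/172U1ouLazG0ysDtFFIlSvWX5ZnZUrRMmp/R2aJkzLXEt/zf8Mn4Lfm+itnjgo5R9K4pmPNvvPKNZX5C16lrPT+aA+rd+zXFSmlMg3i5jnxvTdLHhg3G7Q/Uv1ZIJskKt95bzLoe0tUVzRWMYXLIEcohnQg==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1601574333107'}}, 'updateDate': {'$date': {'$numberLong': '1601574333107'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'gcp', 'projectId': 'devprod-drivers', 'location': 'global', 'keyRing': 'key-ring-csfle', 'keyName': 'key-name-csfle'}, 'keyAltNames': ['altname', 'gcp_altname']}]
 
 tests: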

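--- a/src/test/spec/json/client-side-encryption/legacy/kmipKMS.json
+++ b/src/test/spec/json/client-side-encryption/legacy/kmipKMS.json
@@ -78,6 +78,17 @@
 "bsonType": "string",
 "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
 }
+},
+"encrypted_string_kmip_delegated": {
+"encrypt": {
+"keyId": [
+{
+"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
+}
+],
+"bsonType": "string",
+"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+}
 }
 },
 "bsonType": "object"
@@ -117,6 +128,38 @@
 "altname",
 "kmip_altname"
 ]
+},
+{
+"_id": {
+"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
+},
+"keyMaterial": {
+"$binary": {
+"base64": "5TLMFWlguBWe5GUESTvOVtkdBsCrynhnV72XRyZ66/nk+EP9/1oEp1t1sg0+vwCTqULHjBiUE6DRx2mYD/Eup1+u2Jgz9/+1sV1drXeOPALNPkSgiZiDbIb67zRi+wTABEcKcegJH+FhmSGxwUoQAiHCsCbcvia5P8tN1lt98YQ=",
+"subType": "00"
+}
+},
+"creationDate": {
+"$date": {
+"$numberLong": "1634220190041"
+}
+},
+"updateDate": {
+"$date": {
+"$numberLong": "1634220190041"
+}
+},
+"status": {
+"$numberInt": "0"
+},
+"masterKey": {
+"provider": "kmip",
+"delegated": true,
+"keyId": "11"
+},
+"keyAltNames": [
+"delegated"
+]
 }
 ],
 "tests": [
@@ -218,6 +261,102 @@
 ]
 }
 }
+},
+{
+"description": "Insert a document with auto encryption using KMIP delegated KMS provider",
+"clientOptions": {
+"autoEncryptOpts": {
+"kmsProviders": {
+"kmip": {}
+}
+}
+},
+"operations": [
+{
+"name": "insertOne",
+"arguments": {
+"document": {
+"_id": 1,
+"encrypted_string_kmip_delegated": "string0"
+}
+}
+}
+],
+"expectations": [
+{
+"command_started_event": {
+"command": {
+"listCollections": 1,
+"filter": {
+"name": "default"
+}
+},
+"command_name": "listCollections"
+}
+},
+{
+"command_started_event": {
+"command": {
+"find": "datakeys",
+"filter": {
+"$or": [
+{
+"_id": {
+"$in": [
+{
+"$uuid": "7411e9af-c688-4df7-8143-5e60ae96cba6"
+}
+]
+}
+},
+{
+"keyAltNames": {
+"$in": []
+}
+}
+]
+},
+"$db": "keyvault"
+},
+"command_name": "find"
+}
+},
+{
+"command_started_event": {
+"command": {
+"insert": "default",
+"documents": [
+{
+"_id": 1,
+"encrypted_string_kmip_delegated": {
+"$binary": {
+"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
+"subType": "06"
+}
+}
+}
+],
+"ordered": true
+},
+"command_name": "insert"
+}
+}
+],
+"outcome": {
+"collection": {
+"data": [
+{
+"_id": 1,
+"encrypted_string_kmip_delegated": {
+"$binary": {
+"base64": "AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==",
+"subType": "06"
+}
+}
+}
+]
+}
+}
 }
 ]
-}
+}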

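--- a/src/test/spec/json/client-side-encryption/legacy/kmipKMS.yml
+++ b/src/test/spec/json/client-side-encryption/legacy/kmipKMS.yml
@@ -4,8 +4,8 @@ database_name: &database_name "default"
 collection_name: &collection_name "default"
 
 data: []
-json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
-key_vault_data: [{'_id': {'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'eUYDyB0HuWb+lQgUwO+6qJQyTTDTY2gp9FbemL7ZFo0pvr0x6rm6Ff9OVUTGH6HyMKipaeHdiIJU1dzsLwvqKvi7Beh+U4iaIWX/K0oEg1GOsJc0+Z/in8gNHbGUYLmycHViM3LES3kdt7FdFSUl5rEBHrM71yoNEXImz17QJWMGOuT4x6yoi2pvnaRJwfrI4DjpmnnTrDMac92jgZehbg==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1634220190041'}}, 'updateDate': {'$date': {'$numberLong': '1634220190041'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'kmip', 'keyId': '1'}, 'keyAltNames': ['altname', 'kmip_altname']}]
+json_schema: {'properties': {'encrypted_string_aws': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_azure': {'encrypt': {'keyId': [{'$binary': {'base64': 'AZURE+AAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_gcp': {'encrypt': {'keyId': [{'$binary': {'base64': 'GCP+AAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_local': {'encrypt': {'keyId': [{'$binary': {'base64': 'AAAAAAAAAAAAAAAAAAAAAA==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip': {'encrypt': {'keyId': [{'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}, 'encrypted_string_kmip_delegated': {'encrypt': {'keyId': [{'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}], 'bsonType': 'string', 'algorithm': 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'}}}, 'bsonType': 'object'}
+key_vault_data: [{'_id': {'$binary': {'base64': 'dBHpr8aITfeBQ15grpbLpQ==', 'subType': '04'}}, 'keyMaterial': {'$binary': {'base64': 'eUYDyB0HuWb+lQgUwO+6qJQyTTDTY2gp9FbemL7ZFo0pvr0x6rm6Ff9OVUTGH6HyMKipaeHdiIJU1dzsLwvqKvi7Beh+U4iaIWX/K0oEg1GOsJc0+Z/in8gNHbGUYLmycHViM3LES3kdt7FdFSUl5rEBHrM71yoNEXImz17QJWMGOuT4x6yoi2pvnaRJwfrI4DjpmnnTrDMac92jgZehbg==', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1634220190041'}}, 'updateDate': {'$date': {'$numberLong': '1634220190041'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'kmip', 'keyId': '1'}, 'keyAltNames': ['altname', 'kmip_altname']},{'_id': {'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'}, 'keyMaterial': {'$binary': {'base64': '5TLMFWlguBWe5GUESTvOVtkdBsCrynhnV72XRyZ66/nk+EP9/1oEp1t1sg0+vwCTqULHjBiUE6DRx2mYD/Eup1+u2Jgz9/+1sV1drXeOPALNPkSgiZiDbIb67zRi+wTABEcKcegJH+FhmSGxwUoQAiHCsCbcvia5P8tN1lt98YQ=', 'subType': '00'}}, 'creationDate': {'$date': {'$numberLong': '1634220190041'}}, 'updateDate': {'$date': {'$numberLong': '1634220190041'}}, 'status': {'$numberInt': '0'}, 'masterKey': {'provider': 'kmip', 'delegated': True, 'keyId': '11'}, 'keyAltNames': ['delegated']}]
 
 tests:
 - description: "Insert a document with auto encryption using KMIP KMS provider"
@@ -43,4 +43,40 @@ tests:
 collection:
 # Outcome is checked using a separate MongoClient without auto encryption.
 data:
-- *doc0_encrypted
+- *doc0_encrypted
+
+- description: "Insert a document with auto encryption using KMIP delegated KMS provider"
+clientOptions:
+autoEncryptOpts:
+kmsProviders:
+kmip: {}
+operations:
+- name: insertOne
+arguments:
+document: &doc1 { _id: 1, encrypted_string_kmip_delegated: "string0" }
+expectations:
+- command_started_event:
+command:
+listCollections: 1
+filter:
+name: *collection_name
+command_name: listCollections
+# Then key is fetched from the key vault.
+- command_started_event:
+command:
+find: datakeys
+filter: { $or: [ { _id: { $in: [ {'$uuid': '7411e9af-c688-4df7-8143-5e60ae96cba6'} ] } }, { keyAltNames: { $in: [] } } ] }
+$db: keyvault
+command_name: find
+- command_started_event:
+command:
+insert: *collection_name
+documents:
+- &doc1_encrypted { _id: 1, encrypted_string_kmip_delegated: {'$binary': {'base64': 'AXQR6a/GiE33gUNeYK6Wy6YCkB+8NVfAAjIbvLqyXIg6g1a8tXrym92DPoqmxpcdQyH0vQM3aFNMz7tZwQBimKs29ztZV/LWjM633HhO5ACl9A==', 'subType': '06'}} }
+ordered: true
+command_name: insert
+outcome:
+collection:
+# Outcome is checked using a separate MongoClient without auto encryption.
+data:
+- *doc1_encrypted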
