From 46176f82e3b7d28de253aeed1978fdd10997cb58 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 13:52:08 -0400 Subject: [PATCH 01/12] Get test passing --- .../tests/test-mongoc-client-side-encryption.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 72c051e0c9c..83737841eda 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -24,6 +24,8 @@ #include #include +#include "TestSuite.h" + /* _mongoc_host_list_from_string_with_err */ #include #include @@ -6909,7 +6911,18 @@ test_lookup(void *unused) ] }); - ASSERT_AGG_ERROR(coll, pipeline, "not supported"); + { + mongoc_cursor_t *const cursor = mongoc_collection_aggregate(coll, 0, pipeline, NULL, NULL); + const bson_t *got; + ASSERT(!mongoc_cursor_next(cursor, &got)); + ASSERT(mongoc_cursor_error(cursor, &error)); + ASSERT_ERROR_CONTAINS(error, + MONGOC_ERROR_CLIENT_SIDE_ENCRYPTION, + 1, + "Cannot specify both encryptionInformation and csfleEncryptionSchemas unless " + "csfleEncryptionSchemas only contains non-encryption JSON schema validators"); + mongoc_cursor_destroy(cursor); + } mongoc_collection_destroy(coll); mongoc_client_destroy(client); } From 9d0a59057692a0bb08287a0c40158c8b4e4111ba Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 14:34:04 -0400 Subject: [PATCH 02/12] Remove include --- src/libmongoc/tests/test-mongoc-client-side-encryption.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 83737841eda..072059a5ebd 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -24,8 +24,6 @@ #include #include -#include "TestSuite.h" - /* _mongoc_host_list_from_string_with_err */ #include #include From e25c06ed2dc4d851e8280cdadbea30972ad1071c Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 14:40:10 -0400 Subject: [PATCH 03/12] Bring back macro --- .../tests/test-mongoc-client-side-encryption.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 072059a5ebd..2aa0a971128 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6909,18 +6909,10 @@ test_lookup(void *unused) ] }); - { - mongoc_cursor_t *const cursor = mongoc_collection_aggregate(coll, 0, pipeline, NULL, NULL); - const bson_t *got; - ASSERT(!mongoc_cursor_next(cursor, &got)); - ASSERT(mongoc_cursor_error(cursor, &error)); - ASSERT_ERROR_CONTAINS(error, - MONGOC_ERROR_CLIENT_SIDE_ENCRYPTION, - 1, - "Cannot specify both encryptionInformation and csfleEncryptionSchemas unless " - "csfleEncryptionSchemas only contains non-encryption JSON schema validators"); - mongoc_cursor_destroy(cursor); - } + ASSERT_AGG_ERROR(coll, + pipeline, + "Cannot specify both encryptionInformation and csfleEncryptionSchemas unless " + "csfleEncryptionSchemas only contains non-encryption JSON schema validators"); mongoc_collection_destroy(coll); mongoc_client_destroy(client); } From 7a8074da3597cb7d2ec5cc65e2fb9c8f113f96d6 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 15:12:47 -0400 Subject: [PATCH 04/12] Require 8.2+ --- src/libmongoc/tests/test-libmongoc.c | 2 ++ src/libmongoc/tests/test-libmongoc.h | 2 ++ src/libmongoc/tests/test-mongoc-client-side-encryption.c | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libmongoc/tests/test-libmongoc.c b/src/libmongoc/tests/test-libmongoc.c index 0c622efbc1b..a0b188d5e7a 100644 --- a/src/libmongoc/tests/test-libmongoc.c +++ b/src/libmongoc/tests/test-libmongoc.c @@ -2268,6 +2268,8 @@ WIRE_VERSION_CHECKS(24) WIRE_VERSION_CHECKS(25) /* wire version 26 begins with the 8.1 release. */ WIRE_VERSION_CHECKS(26) +/* wire version 27 begins with the 8.2 release. */ +WIRE_VERSION_CHECKS(27) int test_framework_skip_if_no_dual_ip_hostname(void) diff --git a/src/libmongoc/tests/test-libmongoc.h b/src/libmongoc/tests/test-libmongoc.h index e3d05d2db06..c092962abdb 100644 --- a/src/libmongoc/tests/test-libmongoc.h +++ b/src/libmongoc/tests/test-libmongoc.h @@ -214,6 +214,8 @@ WIRE_VERSION_CHECK_DECLS(24) WIRE_VERSION_CHECK_DECLS(25) /* wire version 26 begins with the 8.1 release. */ WIRE_VERSION_CHECK_DECLS(26) +/* wire version 27 begins with the 8.2 release. */ +WIRE_VERSION_CHECK_DECLS(27) #undef WIRE_VERSION_CHECK_DECLS diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 2aa0a971128..4e0a42f54e8 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -7388,7 +7388,7 @@ test_client_side_encryption_install(TestSuite *suite) test_lookup, NULL, NULL, - test_framework_skip_if_max_wire_version_less_than_26 /* require server 8.1+ */, + test_framework_skip_if_max_wire_version_less_than_27 /* require server 8.2+ */, test_framework_skip_if_single, /* QE not supported on standalone */ test_framework_skip_if_no_client_side_encryption); TestSuite_AddFull(suite, From 2b375fb6df5b25c5c27b399700e98d56283bf6bc Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 08:43:33 -0400 Subject: [PATCH 05/12] Pin EVG mongocrypt version to 793 branch --- .evergreen/scripts/compile-libmongocrypt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.evergreen/scripts/compile-libmongocrypt.sh b/.evergreen/scripts/compile-libmongocrypt.sh index 1debf6c95e5..54c67198d18 100755 --- a/.evergreen/scripts/compile-libmongocrypt.sh +++ b/.evergreen/scripts/compile-libmongocrypt.sh @@ -12,9 +12,9 @@ compile_libmongocrypt() { # `src/kms-message`. # # Run `.evergreen/scripts/kms-divergence-check.sh` to ensure that there is no divergence in the copied files. - declare -r version="1.15.1" + declare -r version="qe-json-mixing-error.MONGOCRYPT-793" - git clone -q --depth=1 https://github.com/mongodb/libmongocrypt --branch "${version:?}" || return + git clone -q --depth=1 https://github.com/connorsmacd/libmongocrypt --branch "${version:?}" || return declare -a crypt_cmake_flags=( "-DMONGOCRYPT_MONGOC_DIR=${mongoc_dir}" From 7272f9b373a3172662f9fc0adb124a8f820afcd7 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 09:17:41 -0400 Subject: [PATCH 06/12] Fix libmongocrypt clone --- .evergreen/scripts/compile-libmongocrypt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.evergreen/scripts/compile-libmongocrypt.sh b/.evergreen/scripts/compile-libmongocrypt.sh index 54c67198d18..b58aa0122d5 100755 --- a/.evergreen/scripts/compile-libmongocrypt.sh +++ b/.evergreen/scripts/compile-libmongocrypt.sh @@ -12,9 +12,9 @@ compile_libmongocrypt() { # `src/kms-message`. # # Run `.evergreen/scripts/kms-divergence-check.sh` to ensure that there is no divergence in the copied files. - declare -r version="qe-json-mixing-error.MONGOCRYPT-793" + declare -r version="1.15.1" - git clone -q --depth=1 https://github.com/connorsmacd/libmongocrypt --branch "${version:?}" || return + git clone -q --depth=1 https://github.com/connorsmacd/libmongocrypt --branch qe-json-mixing-error.MONGOCRYPT-793 || return declare -a crypt_cmake_flags=( "-DMONGOCRYPT_MONGOC_DIR=${mongoc_dir}" From 95a58767eb91102c5f5c076857548adc185dac5a Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 15:12:14 -0400 Subject: [PATCH 07/12] Add test case 10 --- .../lookup/schema-non-csfle.json | 3 ++ .../test-mongoc-client-side-encryption.c | 50 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 src/libmongoc/tests/client_side_encryption_prose/lookup/schema-non-csfle.json diff --git a/src/libmongoc/tests/client_side_encryption_prose/lookup/schema-non-csfle.json b/src/libmongoc/tests/client_side_encryption_prose/lookup/schema-non-csfle.json new file mode 100644 index 00000000000..3edd12c8f4c --- /dev/null +++ b/src/libmongoc/tests/client_side_encryption_prose/lookup/schema-non-csfle.json @@ -0,0 +1,3 @@ +{ + "bsonType": "object" +} diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 4e0a42f54e8..64811c15631 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6619,6 +6619,18 @@ test_lookup_setup(void) mongoc_collection_destroy(coll); } + // Create db.non_csfle_schema: + { + drop_coll(db, "non_csfle_schema"); + bson_t *schema = get_bson_from_json_file(TESTDIR "schema-non-csfle.json"); + bson_t *create_opts = BCON_NEW("validator", "{", "$jsonSchema", BCON_DOCUMENT(schema), "}"); + mongoc_collection_t *coll = mongoc_database_create_collection(db, "non_csfle_schema", create_opts, &error); + ASSERT_OR_PRINT(coll, error); + mongoc_collection_destroy(coll); + bson_destroy(create_opts); + bson_destroy(schema); + } + mongoc_database_destroy(db); } #undef TESTDIR @@ -6699,6 +6711,19 @@ test_lookup_setup(void) mongoc_collection_destroy(coll_unencrypted); } + // Insert to db.non_csfle_schema + { + mongoc_collection_t *coll = mongoc_client_get_collection(client, "db", "non_csfle_schema"); + ok = mongoc_collection_insert_one( + coll, MAKE_BSON({"non_csfle_schema" : "non_csfle_schema"}), NULL, NULL, &error); + ASSERT_OR_PRINT(ok, error); + mongoc_collection_destroy(coll); + // Find document with unencrypted client to check it is not encrypted. + mongoc_collection_t *coll_unencrypted = mongoc_client_get_collection(setup_client, "db", "non_csfle_schema"); + ASSERT_COLL_MATCHES_ONE(coll_unencrypted, MAKE_BSON({"non_csfle_schema" : "non_csfle_schema"})); + mongoc_collection_destroy(coll_unencrypted); + } + mongoc_client_destroy(client); } @@ -6916,6 +6941,31 @@ test_lookup(void *unused) mongoc_collection_destroy(coll); mongoc_client_destroy(client); } + + // Case 10: db.qe joins db.non_csfle_schema: + { + mongoc_client_t *client = create_encrypted_client(); + mongoc_collection_t *coll = mongoc_client_get_collection(client, "db", "qe"); + + bson_t *pipeline = MAKE_BSON({ + "pipeline" : [ + {"$match" : {"qe" : "qe"}}, + { + "$lookup" : { + "from" : "non_csfle_schema", + "as" : "matched", + "pipeline" : [ {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, {"$project" : {"_id" : 0}} ] + } + }, + {"$project" : {"_id" : 0}} + ] + }); + + bson_t *expect = MAKE_BSON({"qe" : "qe", "matched" : [ {"non_csfle_schema" : "non_csfle_schema"} ]}); + ASSERT_AGG_RETURNS_ONE(coll, pipeline, expect); + mongoc_collection_destroy(coll); + mongoc_client_destroy(client); + } } static void From 5e7b3f3e6b809adb8550af49468a4269790dcf29 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 17:00:48 -0400 Subject: [PATCH 08/12] Get test passing on both 8.1 and 8.2 --- .../test-mongoc-client-side-encryption.c | 32 ++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 64811c15631..2ad14df1e21 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6934,10 +6934,34 @@ test_lookup(void *unused) ] }); - ASSERT_AGG_ERROR(coll, - pipeline, - "Cannot specify both encryptionInformation and csfleEncryptionSchemas unless " - "csfleEncryptionSchemas only contains non-encryption JSON schema validators"); + if (test_framework_get_server_version() < test_framework_str_to_version("8.2.0")) { + ASSERT_AGG_ERROR(coll, pipeline, "not supported"); + } else { + mongoc_cursor_t *const cursor = mongoc_collection_aggregate(coll, 0, pipeline, NULL, NULL); + const bson_t *got; + ASSERT(!mongoc_cursor_next(cursor, &got)); + ASSERT(mongoc_cursor_error(cursor, &error)); + + // The error domain differs depending on the query analysis component: + // * `crypt_shared`: `MONGOC_ERROR_CLIENT_SIDE_ENCRYPTION` + // * `mongocryptd`: `MONGOC_ERROR_QUERY` + + static const char *const expected_error_substring = + "Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only " + "contains non-encryption JSON schema validators"; + + if (mongoc_client_get_crypt_shared_version(client)) { + ASSERT_AGG_ERROR(coll, pipeline, expected_error_substring); + } else { + mongoc_cursor_t *const cursor = mongoc_collection_aggregate(coll, 0, pipeline, NULL, NULL); + const bson_t *got; + ASSERT(!mongoc_cursor_next(cursor, &got)); + ASSERT(mongoc_cursor_error(cursor, &error)); + ASSERT_ERROR_CONTAINS(error, MONGOC_ERROR_QUERY, 0, expected_error_substring); + mongoc_cursor_destroy(cursor); + } + } + mongoc_collection_destroy(coll); mongoc_client_destroy(client); } From a6ff7096f6f79a98dd305f7c7d9200e8fe3fa87a Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 17:09:10 -0400 Subject: [PATCH 09/12] Separate new test case into 8.2+ function --- .../tests/test-mongoc-client-side-encryption.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 2ad14df1e21..ae65032f8e7 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6965,6 +6965,14 @@ test_lookup(void *unused) mongoc_collection_destroy(coll); mongoc_client_destroy(client); } +} + +static void +test_lookup_post82(void *unused) +{ + BSON_UNUSED(unused); + test_lookup_setup(); + bson_error_t error; // Case 10: db.qe joins db.non_csfle_schema: { @@ -7462,9 +7470,17 @@ test_client_side_encryption_install(TestSuite *suite) test_lookup, NULL, NULL, - test_framework_skip_if_max_wire_version_less_than_27 /* require server 8.2+ */, + test_framework_skip_if_max_wire_version_less_than_26 /* require server 8.1+ */, test_framework_skip_if_single, /* QE not supported on standalone */ test_framework_skip_if_no_client_side_encryption); + TestSuite_AddFull(suite, + "/client_side_encryption/test_lookup/post-8.2", + test_lookup_post82, + NULL, + NULL, + test_framework_skip_if_max_wire_version_less_than_27, /* require server 8.2+ */ + test_framework_skip_if_single, /* QE not supported on standalone */ + test_framework_skip_if_no_client_side_encryption); TestSuite_AddFull(suite, "/client_side_encryption/test_lookup/pre-8.1", test_lookup_pre81, From 90d649a79b8904576ce8f5711d28793eeba0343a Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 17:12:14 -0400 Subject: [PATCH 10/12] Remove dead code --- src/libmongoc/tests/test-mongoc-client-side-encryption.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index ae65032f8e7..87ea1455c7f 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6937,11 +6937,6 @@ test_lookup(void *unused) if (test_framework_get_server_version() < test_framework_str_to_version("8.2.0")) { ASSERT_AGG_ERROR(coll, pipeline, "not supported"); } else { - mongoc_cursor_t *const cursor = mongoc_collection_aggregate(coll, 0, pipeline, NULL, NULL); - const bson_t *got; - ASSERT(!mongoc_cursor_next(cursor, &got)); - ASSERT(mongoc_cursor_error(cursor, &error)); - // The error domain differs depending on the query analysis component: // * `crypt_shared`: `MONGOC_ERROR_CLIENT_SIDE_ENCRYPTION` // * `mongocryptd`: `MONGOC_ERROR_QUERY` From db6f8030e6836898107e1edba36e9f1009407112 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Wed, 1 Oct 2025 08:28:40 -0400 Subject: [PATCH 11/12] Fix incorrect error code --- src/libmongoc/tests/test-mongoc-client-side-encryption.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index 87ea1455c7f..eaf5a0c9c60 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6952,7 +6952,8 @@ test_lookup(void *unused) const bson_t *got; ASSERT(!mongoc_cursor_next(cursor, &got)); ASSERT(mongoc_cursor_error(cursor, &error)); - ASSERT_ERROR_CONTAINS(error, MONGOC_ERROR_QUERY, 0, expected_error_substring); + static const uint32_t expected_error_code = 10026002u; + ASSERT_ERROR_CONTAINS(error, MONGOC_ERROR_QUERY, expected_error_code, expected_error_substring); mongoc_cursor_destroy(cursor); } } From ee991d4e38e746c338f6bf919cfd70d7b9847693 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Wed, 1 Oct 2025 09:40:23 -0400 Subject: [PATCH 12/12] Get case 10 passing --- src/libmongoc/tests/test-mongoc-client-side-encryption.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/libmongoc/tests/test-mongoc-client-side-encryption.c b/src/libmongoc/tests/test-mongoc-client-side-encryption.c index eaf5a0c9c60..ac28dfcea0e 100644 --- a/src/libmongoc/tests/test-mongoc-client-side-encryption.c +++ b/src/libmongoc/tests/test-mongoc-client-side-encryption.c @@ -6982,10 +6982,13 @@ test_lookup_post82(void *unused) "$lookup" : { "from" : "non_csfle_schema", "as" : "matched", - "pipeline" : [ {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, {"$project" : {"_id" : 0}} ] + "pipeline" : [ + {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, + {"$project" : {"_id" : 0, "__safeContent__" : 0}} + ] } }, - {"$project" : {"_id" : 0}} + {"$project" : {"_id" : 0, "__safeContent__" : 0}} ] });