RUBY-2980 Add missed QE encryption tests (#2517)

Author: comandeo-mongo

.evergreen/config.yml

@@ -1349,7 +1349,7 @@ buildvariants:
     matrix_spec:
       auth-and-ssl: "noauth-and-nossl"
       ruby: [ruby-3.1, ruby-3.0, ruby-2.7]
-      topology: standalone
+      topology: [replica-set, sharded-cluster]
       mongodb-version: ['6.0']
       os: ubuntu2004
       fle: helper

.evergreen/config/standard.yml.erb

@@ -471,7 +471,7 @@ buildvariants:
     matrix_spec:
       auth-and-ssl: "noauth-and-nossl"
       ruby: [ruby-3.1, ruby-3.0, ruby-2.7]
-      topology: standalone
+      topology: [replica-set, sharded-cluster]
       mongodb-version: ['6.0']
       os: ubuntu2004
       fle: helper

gemfiles/standard.rb

@@ -60,6 +60,6 @@ def standard_dependencies
   end
 
   if ENV['FLE'] == 'helper'
-    gem 'libmongocrypt-helper', '~> 1.5.0.alpha1.0.1001'
+    gem 'libmongocrypt-helper', '~> 1.5.0.rc1.0.1001'
   end
 end

lib/mongo/collection.rb

@@ -70,7 +70,8 @@ class Collection
       :expire_after => :expireAfterSeconds,
       :clustered_index => :clusteredIndex,
       :change_stream_pre_and_post_images => :changeStreamPreAndPostImages,
-      :encrypted_fields => :encryptedFields
+      :encrypted_fields => :encryptedFields,
+      :validator => :validator,
     }
 
     # Check if a collection is equal to another object. Will check the name and
@@ -258,6 +259,8 @@ def capped?
     #   pre- and post-images on the created collection.
     # @option opts [ Hash ] :encrypted_fields Hash describing encrypted fields
     #   for queryable encryption.
+    # @option opts [ Hash ] :validator Hash describing document validation
+    #   options for the collection.
     #
     # @return [ Result ] The result of the command.
     #
@@ -298,6 +301,7 @@ def create(opts = {})
             # taken from options passed to the create method.
             collation: options[:collation] || options['collation'],
             encrypted_fields: encrypted_fields,
+            validator: options[:validator],
           ).execute(next_primary(nil, session), context: context)
         end
       end

lib/mongo/crypt/auto_encrypter.rb

@@ -98,6 +98,7 @@ def initialize(options)
           @options[:extra_options][:mongocryptd_uri],
           monitoring_io: @options[:client].options[:monitoring_io],
           server_selection_timeout: 10,
+          database: @options[:client].options[:database]
         )
 
         begin

lib/mongo/database.rb

@@ -225,8 +225,33 @@ def command(operation, opts = {})
 
       client.send(:with_session, opts) do |session|
         server = selector.select_server(cluster, nil, session)
+        # This code MUST be removed as soon as server starts accepting
+        # contention as int32.
+        _operation = operation.dup
+        if _operation['encryptedFields'] && _operation['encryptedFields'].key?('fields')
+          _operation['encryptedFields']['fields'] = _operation['encryptedFields']['fields'].map do |field|
+            if field['queries'] && field['queries'].key?('contention')
+              field['queries']['contention'] = BSON::Int64.new(field['queries']['contention'])
+            end
+            field
+          end
+        end
+        if schema = _operation.dig('encryptionInformation', 'schema')
+          _operation['encryptionInformation']['schema'] = schema.map do |coll, params|
+            if params['fields']
+              params['fields'] = params['fields'].map do |field|
+                if contention = field.dig('queries', 'contention')
+                  field['queries']['contention'] = BSON::Int64.new(contention)
+                end
+                field
+              end
+            end
+            [coll, params]
+          end.to_h
+        end
+        # End of code to be removed
         op = Operation::Command.new(
-          :selector => operation.dup,
+          :selector => _operation,
           :db_name => name,
           :read => selector,
           :session => session

lib/mongo/operation/create/op_msg.rb

@@ -35,14 +35,17 @@ def selector(connection)
             collation: spec[:collation],
             encryptedFields: spec[:encrypted_fields],
           ).compact.tap do |sel|
-            if sel[:encryptedFields] && sel[:encryptedFields].key?(:fields)
-              sel[:encryptedFields][:fields] = sel[:encryptedFields][:fields].map do |field|
-                if field[:queries] && field[:queries].key?(:contention)
-                  field[:queries][:contention] = BSON::Int64.new(field[:queries][:contention])
+            # This code MUST be removed as soon as server starts accepting
+            # contention as int32.
+            if sel[:encryptedFields] && sel[:encryptedFields].key?('fields')
+              sel[:encryptedFields]['fields'] = sel[:encryptedFields]['fields'].map do |field|
+                if field['queries'] && field['queries'].key?('contention')
+                  field['queries']['contention'] = BSON::Int64.new(field['queries']['contention'])
                 end
                 field
               end
             end
+            # End of code to be removed
           end
         end
       end

lib/mongo/protocol/msg.rb

@@ -229,6 +229,8 @@ def maybe_encrypt(connection, context)
           if cmd.key?('$db') && !enc_cmd.key?('$db')
             enc_cmd['$db'] = cmd['$db']
           end
+          # This code MUST be removed as soon as server starts accepting
+          # contention as int32.
           if schema = enc_cmd.dig('encryptionInformation', 'schema')
             enc_cmd['encryptionInformation']['schema'] = schema.map do |coll, params|
               if params['fields']
@@ -242,6 +244,7 @@ def maybe_encrypt(connection, context)
               [coll, params]
             end.to_h
           end
+          # End of code to be removed
 
           Msg.new(@flags, @options, enc_cmd)
         else

spec/integration/client_side_encryption/bson_size_limit_spec.rb

@@ -52,7 +52,7 @@
         }
       ].create
 
-      key_vault_collection = client.use('admin')['datakeys', write_concern: { w: :majority }]
+      key_vault_collection = client.use('keyvault')['datakeys', write_concern: { w: :majority }]
 
       key_vault_collection.drop
       key_vault_collection.insert_one(

spec/integration/client_side_encryption/explicit_queryable_encryption_spec.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+describe 'Explicit Queryable Encryption' do
+  require_libmongocrypt
+  min_server_version '6.0'
+  require_topology :replica_set, :sharded, :load_balanced
+
+  include_context 'define shared FLE helpers'
+
+  let(:key1_id) do
+    key1_document['_id']
+  end
+
+  let(:encrypted_coll) do
+    'explicit_encryption'
+  end
+
+  let(:value) do
+    "encrypted indexed value"
+  end
+
+  let(:unindexed_value) do
+    "encrypted unindexed value"
+  end
+
+  let(:key_vault_client) do
+    ClientRegistry.instance.new_local_client(SpecConfig.instance.addresses)
+  end
+
+  let(:client_encryption_opts) do
+    {
+      kms_providers: local_kms_providers,
+      kms_tls_options: kms_tls_options,
+      key_vault_namespace: key_vault_namespace
+    }
+  end
+
+  let(:client_encryption) do
+    Mongo::ClientEncryption.new(
+      key_vault_client,
+      client_encryption_opts
+    )
+  end
+
+  let(:encrypted_client) do
+    ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      auto_encryption_options: {
+        key_vault_namespace: "#{key_vault_db}.#{key_vault_coll}",
+        kms_providers: local_kms_providers,
+        bypass_query_analysis: true
+      },
+      database: SpecConfig.instance.test_db
+    )
+  end
+
+  before(:each) do
+    authorized_client[encrypted_coll].drop(encrypted_fields: encrypted_fields)
+    authorized_client[encrypted_coll].create(encrypted_fields: encrypted_fields)
+    authorized_client.use(key_vault_db)[key_vault_coll].drop
+    authorized_client.use(key_vault_db)[key_vault_coll, write_concern: {w: :majority}].insert_one(key1_document)
+  end
+
+  after(:each) do
+    authorized_client[encrypted_coll].drop(encrypted_fields: encrypted_fields)
+    authorized_client.use(key_vault_db)[key_vault_coll].drop
+  end
+
+  it 'can insert encrypted indexed and find' do
+    insert_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed"
+    )
+    encrypted_client[encrypted_coll].insert_one(
+      "encryptedIndexed" => insert_payload
+    )
+    find_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+    )
+    find_results = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload)
+      .to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first["encryptedIndexed"]).to eq(value)
+  end
+
+  it 'can insert encrypted indexed and find with non-zero contention' do
+    10.times do
+      insert_payload = client_encryption.encrypt(
+        value, key_id: key1_id, algorithm: "Indexed", contention_factor: 10
+      )
+      encrypted_client[encrypted_coll].insert_one(
+        "encryptedIndexed" => insert_payload
+      )
+    end
+    find_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+    )
+    find_results = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload)
+      .to_a
+    expect(find_results.size).to be < 10
+    find_results.each do |doc|
+      expect(doc["encryptedIndexed"]).to eq(value)
+    end
+    find_payload_2 = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality, contention_factor: 10
+    )
+    find_results_2 = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload_2)
+      .to_a
+    expect(find_results_2.size).to eq(10)
+    find_results_2.each do |doc|
+      expect(doc["encryptedIndexed"]).to eq(value)
+    end
+  end
+
+  it 'can insert encrypted unindexed' do
+    insert_payload = client_encryption.encrypt(
+      unindexed_value, key_id: key1_id, algorithm: "Unindexed"
+    )
+    encrypted_client[encrypted_coll].insert_one(
+      "_id" => 1, "encryptedUnindexed" => insert_payload
+    )
+    find_results = encrypted_client[encrypted_coll].find("_id" => 1).to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first["encryptedUnindexed"]).to eq(unindexed_value)
+  end
+
+  it 'can roundtrip encrypted indexed' do
+    payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed"
+    )
+    decrypted_value = client_encryption.decrypt(payload)
+    expect(decrypted_value).to eq(value)
+  end
+
+  it 'can roundtrip encrypted unindexed' do
+    payload = client_encryption.encrypt(
+      unindexed_value, key_id: key1_id, algorithm: "Unindexed"
+    )
+    decrypted_value = client_encryption.decrypt(payload)
+    expect(decrypted_value).to eq(unindexed_value)
+  end
+end