public void ClientSideEncryptionSimpleTour() { RequireServer.Check().Supports(Feature.ClientSideEncryption); var localMasterKey = Convert.FromBase64String(LocalMasterKey); var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); var localKey = new Dictionary <string, object> { { "key", localMasterKey } }; kmsProviders.Add("local", localKey); var keyVaultNamespace = CollectionNamespace.FromFullName("admin.datakeys"); var autoEncryptionOptions = new AutoEncryptionOptions(keyVaultNamespace, kmsProviders); var mongoClientSettings = new MongoClientSettings { AutoEncryptionOptions = autoEncryptionOptions }; var client = new MongoClient(mongoClientSettings); var database = client.GetDatabase("test"); database.DropCollection("coll"); var collection = database.GetCollection <BsonDocument>("coll"); collection.InsertOne(new BsonDocument("encryptedField", "123456789")); var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First(); _output.WriteLine(result.ToJson()); }
private DisposableMongoClient CreateMongoClient( CollectionNamespace keyVaultNamespace = null, BsonDocument schemaMapDocument = null, IReadOnlyDictionary <string, IReadOnlyDictionary <string, object> > kmsProviders = null, bool withExternalKeyVault = false, Action <ClusterBuilder> clusterConfigurator = null, Dictionary <string, object> extraOptions = null, bool bypassAutoEncryption = false) { var mongoClientSettings = DriverTestConfiguration.GetClientSettings().Clone(); #pragma warning disable 618 if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2) { mongoClientSettings.GuidRepresentation = GuidRepresentation.Unspecified; } #pragma warning restore 618 mongoClientSettings.ClusterConfigurator = clusterConfigurator; if (keyVaultNamespace != null || schemaMapDocument != null || kmsProviders != null || withExternalKeyVault) { if (extraOptions == null) { extraOptions = new Dictionary <string, object>() { { "mongocryptdSpawnPath", Environment.GetEnvironmentVariable("MONGODB_BINARIES") ?? string.Empty } }; } var schemaMap = GetSchemaMapIfNotNull(schemaMapDocument); if (kmsProviders == null) { kmsProviders = new ReadOnlyDictionary <string, IReadOnlyDictionary <string, object> >(new Dictionary <string, IReadOnlyDictionary <string, object> >()); } var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, schemaMap: schemaMap, extraOptions: extraOptions, bypassAutoEncryption: bypassAutoEncryption); if (withExternalKeyVault) { var externalKeyVaultClientSettings = DriverTestConfiguration.GetClientSettings().Clone(); externalKeyVaultClientSettings.Credential = MongoCredential.FromComponents(null, null, "fake-user", "fake-pwd"); var externalKeyVaultClient = new MongoClient(externalKeyVaultClientSettings); autoEncryptionOptions = autoEncryptionOptions.With(keyVaultClient: externalKeyVaultClient); } mongoClientSettings.AutoEncryptionOptions = autoEncryptionOptions; } return(new DisposableMongoClient(new MongoClient(mongoClientSettings))); }
// private methods private AutoEncryptionOptions ConfigureAutoEncryptionOptions(BsonDocument autoEncryptOpts) { var extraOptions = new Dictionary <string, object>(); EncryptionTestHelper.ConfigureDefaultExtraOptions(extraOptions); var kmsProviders = new ReadOnlyDictionary <string, IReadOnlyDictionary <string, object> >(new Dictionary <string, IReadOnlyDictionary <string, object> >()); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: __keyVaultCollectionNamespace, kmsProviders: kmsProviders, extraOptions: extraOptions); foreach (var option in autoEncryptOpts.Elements) { switch (option.Name) { case "kmsProviders": kmsProviders = ParseKmsProviders(option.Value.AsBsonDocument); autoEncryptionOptions = autoEncryptionOptions.With(kmsProviders: kmsProviders); var tlsSettings = EncryptionTestHelper.CreateTlsOptionsIfAllowed(kmsProviders, allowClientCertificateFunc: (kms) => kms == "kmip"); if (tlsSettings != null) { autoEncryptionOptions = autoEncryptionOptions.With(tlsOptions: tlsSettings); } break; case "schemaMap": var schemaMapsDocument = option.Value.AsBsonDocument; var schemaMaps = schemaMapsDocument.Elements.ToDictionary(e => e.Name, e => e.Value.AsBsonDocument); autoEncryptionOptions = autoEncryptionOptions.With(schemaMap: schemaMaps); break; case "bypassAutoEncryption": autoEncryptionOptions = autoEncryptionOptions.With(bypassAutoEncryption: option.Value.ToBoolean()); break; case "keyVaultNamespace": autoEncryptionOptions = autoEncryptionOptions.With(keyVaultNamespace: CollectionNamespace.FromFullName(option.Value.AsString)); break; case "encryptedFieldsMap": var encryptedFieldsMapDocument = option.Value.AsBsonDocument; var encryptedFieldsMap = encryptedFieldsMapDocument.Elements.ToDictionary(e => e.Name, e => e.Value.AsBsonDocument); autoEncryptionOptions = autoEncryptionOptions.With(encryptedFieldsMap: encryptedFieldsMap); break; default: throw new Exception($"Unexpected auto encryption option {option.Name}."); } } return(autoEncryptionOptions); }
public void ToString_should_return_expected_result() { var guid = new Guid("00112233445566778899aabbccddeeff"); var guidBytes = GuidConverter.ToBytes(guid, GuidRepresentation.Standard); var binary = new BsonBinaryData(guidBytes, BsonBinarySubType.UuidStandard); var extraOptions = new Dictionary <string, object>() { { "mongocryptdURI", "testURI" }, }; var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >() { { "provider1", new Dictionary <string, object>() { { "string", "test" } } }, { "provider2", new Dictionary <string, object>() { { "binary", binary.Bytes } } } }; var schemaMap = new Dictionary <string, BsonDocument>() { { "coll1", new BsonDocument("string", "test") }, { "coll2", new BsonDocument("binary", binary) }, }; var tlsOptions = new Dictionary <string, SslSettings> { { "local", new SslSettings { ClientCertificates = new [] { Mock.Of <X509Certificate2>() } } } }; var encryptedFieldsMap = new Dictionary <string, BsonDocument> { { "db.test", BsonDocument.Parse("{ dummy : 'doc' }") } }; var subject = new AutoEncryptionOptions( keyVaultNamespace: __keyVaultNamespace, kmsProviders: kmsProviders, bypassAutoEncryption: true, extraOptions: extraOptions, schemaMap: schemaMap, tlsOptions: tlsOptions, encryptedFieldsMap: encryptedFieldsMap); var result = subject.ToString(); result.Should().Be("{ BypassAutoEncryption : True, KmsProviders : { \"provider1\" : { \"string\" : \"test\" }, \"provider2\" : { \"binary\" : { \"_t\" : \"System.Byte[]\", \"_v\" : new BinData(0, \"ABEiM0RVZneImaq7zN3u/w==\") } } }, KeyVaultNamespace : \"db.coll\", ExtraOptions : { \"mongocryptdURI\" : \"testURI\" }, SchemaMap : { \"coll1\" : { \"string\" : \"test\" }, \"coll2\" : { \"binary\" : UUID(\"00112233-4455-6677-8899-aabbccddeeff\") } }, TlsOptions: [{ \"local\" : \"<hidden>\" }], EncryptedFieldsMap : { \"db.test\" : { \"dummy\" : \"doc\" } } }"); }
// private methods private AutoEncryptionOptions ConfigureAutoEncryptionOptions(BsonDocument autoEncryptOpts) { var keyVaultCollectionNamespace = new CollectionNamespace("admin", "datakeys"); var extraOptions = new Dictionary <string, object>() { { "mongocryptdSpawnPath", Environment.GetEnvironmentVariable("MONGODB_BINARIES") ?? string.Empty } }; var kmsProviders = new ReadOnlyDictionary <string, IReadOnlyDictionary <string, object> >(new Dictionary <string, IReadOnlyDictionary <string, object> >()); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: keyVaultCollectionNamespace, kmsProviders: kmsProviders, extraOptions: extraOptions); foreach (var option in autoEncryptOpts.Elements) { switch (option.Name) { case "kmsProviders": kmsProviders = ParseKmsProviders(option.Value.AsBsonDocument); autoEncryptionOptions = autoEncryptionOptions .With(kmsProviders: kmsProviders); break; case "schemaMap": var schemaMaps = new Dictionary <string, BsonDocument>(); var schemaMapsDocument = option.Value.AsBsonDocument; foreach (var schemaMapElement in schemaMapsDocument.Elements) { schemaMaps.Add(schemaMapElement.Name, schemaMapElement.Value.AsBsonDocument); } autoEncryptionOptions = autoEncryptionOptions.With(schemaMap: schemaMaps); break; case "bypassAutoEncryption": autoEncryptionOptions = autoEncryptionOptions.With(bypassAutoEncryption: option.Value.ToBoolean()); break; case "keyVaultNamespace": autoEncryptionOptions = autoEncryptionOptions.With(keyVaultNamespace: CollectionNamespace.FromFullName(option.Value.AsString)); break; default: throw new Exception($"Unexpected auto encryption option {option.Name}."); } } return(autoEncryptionOptions); }
// constructors /// <summary> /// Creates a new instance of MongoClientSettings. Usually you would use a connection string instead. /// </summary> public MongoClientSettings() { _allowInsecureTls = false; _applicationName = null; _autoEncryptionOptions = null; _compressors = new CompressorConfiguration[0]; #pragma warning disable CS0618 // Type or member is obsolete _connectionMode = ConnectionMode.Automatic; _connectionModeSwitch = ConnectionModeSwitch.NotSet; #pragma warning restore CS0618 // Type or member is obsolete _connectTimeout = MongoDefaults.ConnectTimeout; _credentials = new MongoCredentialStore(new MongoCredential[0]); _directConnection = null; #pragma warning disable 618 if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2) { _guidRepresentation = MongoDefaults.GuidRepresentation; } #pragma warning restore 618 _heartbeatInterval = ServerSettings.DefaultHeartbeatInterval; _heartbeatTimeout = ServerSettings.DefaultHeartbeatTimeout; _ipv6 = false; _localThreshold = MongoDefaults.LocalThreshold; _maxConnectionIdleTime = MongoDefaults.MaxConnectionIdleTime; _maxConnectionLifeTime = MongoDefaults.MaxConnectionLifeTime; _maxConnectionPoolSize = MongoDefaults.MaxConnectionPoolSize; _minConnectionPoolSize = MongoDefaults.MinConnectionPoolSize; _readConcern = ReadConcern.Default; _readEncoding = null; _readPreference = ReadPreference.Primary; _replicaSetName = null; _retryReads = true; _retryWrites = true; _scheme = ConnectionStringScheme.MongoDB; _sdamLogFilename = null; _servers = new List<MongoServerAddress> { new MongoServerAddress("localhost") }; _serverSelectionTimeout = MongoDefaults.ServerSelectionTimeout; _socketTimeout = MongoDefaults.SocketTimeout; _sslSettings = null; _useTls = false; #pragma warning disable 618 _waitQueueSize = MongoDefaults.ComputedWaitQueueSize; #pragma warning restore 618 _waitQueueTimeout = MongoDefaults.WaitQueueTimeout; _writeConcern = WriteConcern.Acknowledged; _writeEncoding = null; }
private IMongoClient CreateAutoEncryptingClient( KmsKeyLocation kmsKeyLocation, CollectionNamespace keyVaultNamespace, BsonDocument schema) { var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); // Specify the local master encryption key if (kmsKeyLocation == KmsKeyLocation.Local) { var localMasterKeyBase64 = File.ReadAllText(__localMasterKeyPath); var localMasterKeyBytes = Convert.FromBase64String(localMasterKeyBase64); var localOptions = new Dictionary <string, object> { { "key", localMasterKeyBytes } }; kmsProviders.Add("local", localOptions); } // var schemaMap = new Dictionary <string, BsonDocument>(); schemaMap.Add(_medicalRecordsNamespace.ToString(), schema); // Specify location of mongocryptd binary, if necessary var extraOptions = new Dictionary <string, object>() { // uncomment the following line if you are running mongocryptd manually // { "mongocryptdBypassSpawn", true } }; // Create CSFLE-enabled MongoClient // The addition of the automatic encryption settings are what // change this from a standard MongoClient to a CSFLE-enabled one var clientSettings = MongoClientSettings.FromConnectionString(_connectionString); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, schemaMap: schemaMap, extraOptions: extraOptions); clientSettings.AutoEncryptionOptions = autoEncryptionOptions; return(new MongoClient(clientSettings)); }
public void Equals_should_work_correctly() { var options1 = CreateAutoEncryptionOptions(); var options2 = CreateAutoEncryptionOptions(); options1.Equals(options2).Should().BeTrue(); options1 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings()); options2 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings()); options1.Equals(options2).Should().BeTrue(); options1 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings()); options2 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings(), collectionNamespace: CollectionNamespace.FromFullName("d.c")); options1.Equals(options2).Should().BeFalse(); options1 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings(), tlsKey: "test1"); options2 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings()); options1.Equals(options2).Should().BeFalse(); options1 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings() { EnabledSslProtocols = System.Security.Authentication.SslProtocols.None }); options2 = CreateAutoEncryptionOptions(tlsOptions: new SslSettings()); options1.Equals(options2).Should().BeFalse(); AutoEncryptionOptions CreateAutoEncryptionOptions(SslSettings tlsOptions = null, string tlsKey = "test", CollectionNamespace collectionNamespace = null) { var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: collectionNamespace ?? __keyVaultNamespace, kmsProviders: GetKmsProviders()); if (tlsOptions != null) { autoEncryptionOptions = autoEncryptionOptions.With(tlsOptions: new Dictionary <string, SslSettings> { { tlsKey, tlsOptions } }); } return(autoEncryptionOptions); } }
public void ToString_should_return_expected_result() { var guid = new Guid("00112233445566778899aabbccddeeff"); var guidBytes = GuidConverter.ToBytes(guid, GuidRepresentation.Standard); var binary = new BsonBinaryData(guidBytes, BsonBinarySubType.UuidStandard); var extraOptions = new Dictionary <string, object>() { { "mongocryptdURI", "testURI" }, }; var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >() { { "provider1", new Dictionary <string, object>() { { "string", "test" } } }, { "provider2", new Dictionary <string, object>() { { "binary", binary.Bytes } } } }; var schemaMap = new Dictionary <string, BsonDocument>() { { "coll1", new BsonDocument("string", "test") }, { "coll2", new BsonDocument("binary", binary) }, }; var subject = new AutoEncryptionOptions( keyVaultNamespace: CollectionNamespace.FromFullName("db.coll"), kmsProviders: kmsProviders, bypassAutoEncryption: true, extraOptions: extraOptions, schemaMap: schemaMap); var result = subject.ToString(); result.Should().Be("{ BypassAutoEncryption : True, KmsProviders : { \"provider1\" : { \"string\" : \"test\" }, \"provider2\" : { \"binary\" : { \"_t\" : \"System.Byte[]\", \"_v\" : new BinData(0, \"ABEiM0RVZneImaq7zN3u/w==\") } } }, KeyVaultNamespace : \"db.coll\", ExtraOptions : { \"mongocryptdURI\" : \"testURI\" }, SchemaMap : { \"coll1\" : { \"string\" : \"test\" }, \"coll2\" : { \"binary\" : UUID(\"00112233-4455-6677-8899-aabbccddeeff\") } } }"); }
private DisposableMongoClient GetClient(bool withAutoEncryption = false, Dictionary <string, object> extraOptions = null) { var mongoClientSettings = new MongoClientSettings(); if (withAutoEncryption) { if (extraOptions == null) { extraOptions = new Dictionary <string, object>(); } EncryptionTestHelper.ConfigureDefaultExtraOptions(extraOptions); var kmsProviders = GetKmsProviders(); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: __keyVaultCollectionNamespace, kmsProviders: kmsProviders, extraOptions: extraOptions); mongoClientSettings.AutoEncryptionOptions = autoEncryptionOptions; } return(new DisposableMongoClient(new MongoClient(mongoClientSettings), CreateLogger <DisposableMongoClient>())); }
private AutoEncryptionOptions CreateSubject( SslSettings tlsOptions = null, string tlsKey = "test", CollectionNamespace collectionNamespace = null, Dictionary <string, BsonDocument> schemaMap = null, Dictionary <string, BsonDocument> encryptedFieldsMap = null, Dictionary <string, object> extraOptions = null) { var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: collectionNamespace ?? __keyVaultNamespace, kmsProviders: GetKmsProviders(), schemaMap: schemaMap, encryptedFieldsMap: encryptedFieldsMap, extraOptions: extraOptions); if (tlsOptions != null) { autoEncryptionOptions = autoEncryptionOptions.With(tlsOptions: new Dictionary <string, SslSettings> { { tlsKey, tlsOptions } }); } return(autoEncryptionOptions); }
private DisposableMongoClient GetClient(bool withAutoEncryption = false, Dictionary <string, object> extraOptions = null) { var mongoClientSettings = new MongoClientSettings(); if (withAutoEncryption) { if (extraOptions == null) { extraOptions = new Dictionary <string, object>() { { "mongocryptdSpawnPath", Environment.GetEnvironmentVariable("MONGODB_BINARIES") ?? string.Empty } }; } var kmsProviders = GetKmsProviders(); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: __keyVaultCollectionNamespace, kmsProviders: kmsProviders, extraOptions: extraOptions); mongoClientSettings.AutoEncryptionOptions = autoEncryptionOptions; } return(new DisposableMongoClient(new MongoClient(mongoClientSettings))); }
// public void ClientSideEncryptionAutoEncryptionSettingsTour() public static void Main(string[] args) { var localMasterKey = Convert.FromBase64String(LocalMasterKey); var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); var localKey = new Dictionary <string, object> { { "key", localMasterKey } }; kmsProviders.Add("local", localKey); var keyVaultDB = "keyVault"; var keystore = "__keystore"; var keyVaultNamespace = CollectionNamespace.FromFullName($"{keyVaultDB}.{keystore}"); var keyVaultMongoClient = new MongoClient(); var clientEncryptionSettings = new ClientEncryptionOptions( keyVaultMongoClient, keyVaultNamespace, kmsProviders); var clientEncryption = new ClientEncryption(clientEncryptionSettings); keyVaultMongoClient.GetDatabase(keyVaultDB).DropCollection(keystore); var altKeyName = new[] { "csharpDataKey01" }; var dataKeyOptions = new DataKeyOptions(alternateKeyNames: altKeyName); var dataKeyId = clientEncryption.CreateDataKey("local", dataKeyOptions, CancellationToken.None); var base64DataKeyId = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard)); clientEncryption.Dispose(); var collectionNamespace = CollectionNamespace.FromFullName("test.coll"); var schemaMap = $@"{{ properties: {{ SSN: {{ encrypt: {{ keyId: [{{ '$binary' : {{ 'base64' : '{base64DataKeyId}', 'subType' : '04' }} }}], bsonType: 'string', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' }} }} }}, 'bsonType': 'object' }}"; var autoEncryptionSettings = new AutoEncryptionOptions( keyVaultNamespace, kmsProviders, schemaMap: new Dictionary <string, BsonDocument>() { { collectionNamespace.ToString(), BsonDocument.Parse(schemaMap) } }); var clientSettings = new MongoClientSettings { AutoEncryptionOptions = autoEncryptionSettings }; var client = new MongoClient(clientSettings); var database = client.GetDatabase("test"); database.DropCollection("coll"); var collection = database.GetCollection <BsonDocument>("coll"); collection.InsertOne(new BsonDocument("SSN", "123456789")); var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First(); Console.WriteLine(result.ToJson()); }
private IMongoClient CreateAutoEncryptingClient( KmsKeyLocation kmsKeyLocation, CollectionNamespace keyVaultNamespace, BsonDocument schema) { var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); switch (kmsKeyLocation) { case KmsKeyLocation.Local: var localMasterKeyBase64 = File.ReadAllText(__localMasterKeyPath); var localMasterKeyBytes = Convert.FromBase64String(localMasterKeyBase64); var localOptions = new Dictionary <string, object> { { "key", localMasterKeyBytes } }; kmsProviders.Add("local", localOptions); break; case KmsKeyLocation.AWS: var awsAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_ACCESS_KEY"); var awsSecretAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_SECRET_ACCESS_KEY"); var awsKmsOptions = new Dictionary <string, object> { { "accessKeyId", awsAccessKey }, { "secretAccessKey", awsSecretAccessKey } }; kmsProviders.Add("aws", awsKmsOptions); break; case KmsKeyLocation.Azure: var azureTenantId = Environment.GetEnvironmentVariable("FLE_AZURE_TENANT_ID"); var azureClientId = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_ID"); var azureClientSecret = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_SECRET"); var azureIdentityPlatformEndpoint = Environment.GetEnvironmentVariable("FLE_AZURE_IDENTIFY_PLATFORM_ENPDOINT"); // Optional, only needed if user is using a non-commercial Azure instance var azureKmsOptions = new Dictionary <string, object> { { "tenantId", azureTenantId }, { "clientId", azureClientId }, { "clientSecret", azureClientSecret }, }; if (azureIdentityPlatformEndpoint != null) { azureKmsOptions.Add("identityPlatformEndpoint", azureIdentityPlatformEndpoint); } kmsProviders.Add("azure", azureKmsOptions); break; case KmsKeyLocation.GCP: var gcpPrivateKey = Environment.GetEnvironmentVariable("FLE_GCP_PRIVATE_KEY"); var gcpEmail = Environment.GetEnvironmentVariable("FLE_GCP_EMAIL"); var gcpKmsOptions = new Dictionary <string, object> { { "privateKey", gcpPrivateKey }, { "email", gcpEmail }, }; kmsProviders.Add("gcp", gcpKmsOptions); break; } var schemaMap = new Dictionary <string, BsonDocument>(); schemaMap.Add(_medicalRecordsNamespace.ToString(), schema); var extraOptions = new Dictionary <string, object>() { // uncomment the following line if you are running mongocryptd manually // { "mongocryptdBypassSpawn", true } }; var clientSettings = MongoClientSettings.FromConnectionString(_connectionString); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, schemaMap: schemaMap, extraOptions: extraOptions); clientSettings.AutoEncryptionOptions = autoEncryptionOptions; return(new MongoClient(clientSettings)); }
public void ClientSideExplicitEncryptionAndAutoDecryptionTour() { RequireServer.Check().Supports(Feature.ClientSideEncryption); var localMasterKey = Convert.FromBase64String(LocalMasterKey); var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); var localKey = new Dictionary <string, object> { { "key", localMasterKey } }; kmsProviders.Add("local", localKey); var keyVaultNamespace = CollectionNamespace.FromFullName("encryption.__keyVault"); var collectionNamespace = CollectionNamespace.FromFullName("test.coll"); var autoEncryptionOptions = new AutoEncryptionOptions( keyVaultNamespace, kmsProviders, bypassAutoEncryption: true); var clientSettings = MongoClientSettings.FromConnectionString("mongodb://localhost"); clientSettings.AutoEncryptionOptions = autoEncryptionOptions; var mongoClient = new MongoClient(clientSettings); var database = mongoClient.GetDatabase(collectionNamespace.DatabaseNamespace.DatabaseName); database.DropCollection(collectionNamespace.CollectionName); var collection = database.GetCollection <BsonDocument>(collectionNamespace.CollectionName); var keyVaultClient = new MongoClient("mongodb://localhost"); var keyVaultDatabase = keyVaultClient.GetDatabase(keyVaultNamespace.DatabaseNamespace.DatabaseName); keyVaultDatabase.DropCollection(keyVaultNamespace.CollectionName); // Create the ClientEncryption instance var clientEncryptionSettings = new ClientEncryptionOptions( keyVaultClient, keyVaultNamespace, kmsProviders); using (var clientEncryption = new ClientEncryption(clientEncryptionSettings)) { var dataKeyId = clientEncryption.CreateDataKey( "local", new DataKeyOptions(), CancellationToken.None); var originalString = "123456789"; _output.WriteLine($"Original string {originalString}."); // Explicitly encrypt a field var encryptOptions = new EncryptOptions( EncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic.ToString(), keyId: dataKeyId); var encryptedFieldValue = clientEncryption.Encrypt( originalString, encryptOptions, CancellationToken.None); _output.WriteLine($"Encrypted value {encryptedFieldValue}."); collection.InsertOne(new BsonDocument("encryptedField", encryptedFieldValue)); // Automatically decrypts the encrypted field. var decryptedValue = collection.Find(FilterDefinition <BsonDocument> .Empty).First(); _output.WriteLine($"Decrypted document {decryptedValue.ToJson()}."); } }
public void ClientSideEncryptionAutoEncryptionSettingsTour() { RequireServer.Check().Supports(Feature.ClientSideEncryption); var localMasterKey = Convert.FromBase64String(LocalMasterKey); var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >(); var localKey = new Dictionary <string, object> { { "key", localMasterKey } }; kmsProviders.Add("local", localKey); var keyVaultNamespace = CollectionNamespace.FromFullName("admin.datakeys"); var keyVaultMongoClient = new MongoClient(); var clientEncryptionSettings = new ClientEncryptionOptions( keyVaultMongoClient, keyVaultNamespace, kmsProviders); var clientEncryption = new ClientEncryption(clientEncryptionSettings); var dataKeyId = clientEncryption.CreateDataKey("local", new DataKeyOptions(), CancellationToken.None); var base64DataKeyId = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard)); clientEncryption.Dispose(); var collectionNamespace = CollectionNamespace.FromFullName("test.coll"); var schemaMap = $@"{{ properties: {{ encryptedField: {{ encrypt: {{ keyId: [{{ '$binary' : {{ 'base64' : '{base64DataKeyId}', 'subType' : '04' }} }}], bsonType: 'string', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' }} }} }}, 'bsonType': 'object' }}"; var autoEncryptionSettings = new AutoEncryptionOptions( keyVaultNamespace, kmsProviders, schemaMap: new Dictionary <string, BsonDocument>() { { collectionNamespace.ToString(), BsonDocument.Parse(schemaMap) } }); var clientSettings = new MongoClientSettings { AutoEncryptionOptions = autoEncryptionSettings }; var client = new MongoClient(clientSettings); var database = client.GetDatabase("test"); database.DropCollection("coll"); var collection = database.GetCollection <BsonDocument>("coll"); collection.InsertOne(new BsonDocument("encryptedField", "123456789")); var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First(); _output.WriteLine(result.ToJson()); }