public void TestAwsKeyCreationWithkeyAltNamesStepwise()
{
var keyAltNames = new[] { "KeyMaker", "Architect" };
var keyAltNameDocuments = keyAltNames.Select(name => new BsonDocument("keyAltName", name));
var keyAltNameBuffers = keyAltNameDocuments.Select(BsonUtil.ToBytes);
var keyId = CreateKmsKeyId("aws", keyAltNameBuffers: keyAltNameBuffers);
var key = CreateKmsCredentials("aws");
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(new[] { key })))
using (var context =
cryptClient.StartCreateDataKeyContext(keyId))
{
BsonDocument dataKeyDocument;
var(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
(state, _, dataKeyDocument) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
dataKeyDocument.Should().NotBeNull();
var actualKeyAltNames = dataKeyDocument["keyAltNames"].AsBsonArray.Select(x => x.AsString);
var expectedKeyAltNames = keyAltNames.Reverse(); // https://jira.mongodb.org/browse/CDRIVER-3277?
actualKeyAltNames.Should().BeEquivalentTo(expectedKeyAltNames);
(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
public void EncryptQueryStepwise()
{
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
using (var context = cryptClient.StartEncryptionContext("test", command: BsonUtil.ToBytes(ReadJsonTestFile("cmd.json"))))
{
var(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_COLLINFO);
operationSent.Should().Equal((ReadJsonTestFile("list-collections-filter.json")));
(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_MARKINGS);
operationSent.Should().Equal(ReadJsonTestFile("mongocryptd-command.json"));
(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_KEYS);
operationSent.Should().Equal(ReadJsonTestFile("key-filter.json"));
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
// kms fluent assertions inside ProcessState()
(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
operationSent.Should().Equal((ReadJsonTestFile("encrypted-command.json")));
}
}
public void EncryptExplicit()
{
var keyDoc = ReadJsonTestFile("key-document.json");
var keyId = keyDoc["_id"].AsBsonBinaryData.Bytes;
BsonDocument doc = new BsonDocument()
{
{ "v", "hello" },
};
var testData = BsonUtil.ToBytes(doc);
byte[] encryptedBytes;
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
using (var context = cryptClient.StartExplicitEncryptionContextWithKeyId(keyId, AEAD_AES_256_CBC_HMAC_SHA_512_Random, testData))
{
var(encryptedBinary, encryptedDocument) = ProcessContextToCompletion(context);
encryptedBytes = encryptedBinary.ToArray(); // need to copy bytes out before the context gets destroyed
}
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
using (var context = cryptClient.StartExplicitDecryptionContext(encryptedBytes))
{
var(decryptedResult, _) = ProcessContextToCompletion(context);
decryptedResult.ToArray().Should().Equal(testData);
}
}
public void EncryptQueryWithSchemaStepwise()
{
var listCollectionsReply = ReadJsonTestFile("collection-info.json");
var schema = new BsonDocument("test.test", listCollectionsReply["options"]["validator"]["$jsonSchema"]);
var options = new CryptOptions(
new[] { CreateKmsCredentials("aws") },
BsonUtil.ToBytes(schema));
using (var cryptClient = CryptClientFactory.Create(options))
using (var context =
cryptClient.StartEncryptionContext(
db: "test",
command: BsonUtil.ToBytes(ReadJsonTestFile("cmd.json"))))
{
var(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_MARKINGS);
var mongoCryptdCommand = ReadJsonTestFile("mongocryptd-command.json");
mongoCryptdCommand["isRemoteSchema"] = false;
operationSent.Should().Equal(mongoCryptdCommand);
(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_KEYS);
operationSent.Should().Equal(ReadJsonTestFile("key-filter.json"));
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
// kms fluent assertions inside ProcessState()
(state, _, operationSent) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
operationSent.Should().Equal((ReadJsonTestFile("encrypted-command.json")));
}
}
public void EncryptQuery()
{
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
using (var context =
cryptClient.StartEncryptionContext("test", command: BsonUtil.ToBytes(ReadJsonTestFile("cmd.json"))))
{
var(_, bsonCommand) = ProcessContextToCompletion(context);
bsonCommand.Should().Equal((ReadJsonTestFile("encrypted-command.json")));
}
}
public BsonDocument EncryptCommand(IKmsCredentials credentials, IMongoCollection <BsonDocument> coll, BsonDocument cmd)
{
CryptOptions options = new CryptOptions(credentials);
using (var cryptClient = CryptClientFactory.Create(options))
using (var context = cryptClient.StartEncryptionContext(coll.Database.DatabaseNamespace.DatabaseName, command: BsonUtil.ToBytes(cmd)))
{
return(ProcessState(context, coll.Database, cmd));
}
}
public BsonDocument DecryptCommand(IKmsCredentials credentials, IMongoDatabase db, BsonDocument doc)
{
CryptOptions options = new CryptOptions(credentials);
using (var cryptClient = CryptClientFactory.Create(options))
using (var context = cryptClient.StartDecryptionContext(BsonUtil.ToBytes(doc)))
{
return(ProcessState(context, db, null));
}
}
public void TestAwsKeyCreationWithEndPoint()
{
var endpoint = "kms.us-east-1.amazonaws.com";
var keyId = CreateKmsKeyId("aws", endpoint);
var key = CreateKmsCredentials("aws");
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(new[] { key })))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
var(_, dataKeyDocument) = ProcessContextToCompletion(context, isKmsDecrypt: false);
dataKeyDocument["masterKey"]["endpoint"].Should().Be(endpoint);
}
}
public void EncryptBadBson()
{
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
{
Func <CryptContext> startEncryptionContext = () =>
cryptClient.StartEncryptionContext("test", command: new byte[] { 0x1, 0x2, 0x3 });
// Ensure if we encrypt non-sense, it throws an exception demonstrating our exception code is good
var exception = Record.Exception(startEncryptionContext);
exception.Should().BeOfType <CryptException>();
}
}
public void TestGetKmsProviderName(string kmsName)
{
var key = CreateKmsCredentials(kmsName);
var keyId = CreateKmsKeyId(kmsName);
var cryptOptions = new CryptOptions(new[] { key });
using (var cryptClient = CryptClientFactory.Create(cryptOptions))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
var request = context.GetKmsMessageRequests().Single();
request.KmsProvider.Should().Be(kmsName);
}
}
public void TestLocalKeyCreation()
{
var key = CreateKmsCredentials("local");
var keyId = CreateKmsKeyId("local");
var cryptOptions = new CryptOptions(new[] { key });
using (var cryptClient = CryptClientFactory.Create(cryptOptions))
using (var context =
cryptClient.StartCreateDataKeyContext(keyId))
{
var(_, dataKeyDocument) = ProcessContextToCompletion(context);
dataKeyDocument.Should().NotBeNull();
}
}
public void TestAwsKeyCreationWithEndPoint()
{
var endpoint = "kms.us-east-1.amazonaws.com";
var keyId = new AwsKeyId(
customerMasterKey: "cmk",
region: "us-east-1",
endpoint: endpoint);
var key = new AwsKmsCredentials(awsSecretAccessKey: "us-east-1", awsAccessKeyId: "us-east-1");
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(CreateCredentialsMap(key))))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
var(_, dataKeyDocument) = ProcessContextToCompletion(context, isKmsDecrypt: false);
dataKeyDocument["masterKey"]["endpoint"].Should().Be(endpoint);
}
}
public void EncryptExplicitStepwise()
{
var keyDoc = ReadJsonTestFile("key-document.json");
var key = keyDoc["_id"].AsGuid;
var doc = new BsonDocument("v", "hello");
var testData = BsonUtil.ToBytes(doc);
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
{
byte[] encryptedResult;
using (var context = cryptClient.StartExplicitEncryptionContext(
key: key,
encryptionAlgorithm: EncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic,
command: testData))
{
var(state, binaryProduced, operationProduced) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_KEYS);
operationProduced.Should().Equal(ReadJsonTestFile("key-filter.json"));
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
// kms fluent assertions inside ProcessState()
(state, binaryProduced, operationProduced) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
operationProduced.Should().Equal(ReadJsonTestFile("encrypted-value.json"));
encryptedResult = binaryProduced.ToArray(); // need to copy bytes out before the context gets destroyed
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
using (var context = cryptClient.StartExplicitDecryptionContext(encryptedResult))
{
var(state, decryptedBinary, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
decryptedBinary.ToArray().Should().Equal(testData);
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
}
public Guid GenerateKey(IKmsCredentials credentials, IKmsKeyId kmsKeyId)
{
CryptOptions options = new CryptOptions(credentials);
BsonDocument key = null;
using (var cryptClient = CryptClientFactory.Create(options))
using (var context = cryptClient.StartCreateDataKeyContext(kmsKeyId))
{
key = ProcessState(context, _keyVault.Database, null);
}
_keyVault.InsertOne(key);
Guid g = key["_id"].AsGuid;
return(g);
}
public void TestAwsKeyCreationWithkeyAltNames()
{
var keyAltNames = new[] { "KeyMaker", "Architect" };
var keyAltNameDocuments = keyAltNames.Select(name => new BsonDocument("keyAltName", name));
var keyAltNameBuffers = keyAltNameDocuments.Select(BsonUtil.ToBytes);
var keyId = CreateAwsKey(keyAltNameBuffers: keyAltNameBuffers);
var key = CreateAwsKmsCredentials();
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(new[] { key })))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
var(_, dataKeyDocument) = ProcessContextToCompletion(context, isKmsDecrypt: false);
dataKeyDocument.Should().NotBeNull();
var actualKeyAltNames = dataKeyDocument["keyAltNames"].AsBsonArray.Select(x => x.AsString);
var expectedKeyAltNames = keyAltNames.Reverse(); // https://jira.mongodb.org/browse/CDRIVER-3277?
actualKeyAltNames.Should().BeEquivalentTo(expectedKeyAltNames);
}
}
public void TestLocalKeyCreationStepwise()
{
var key = CreateKmsCredentials("local");
var keyId = CreateKmsKeyId("local");
var cryptOptions = new CryptOptions(new[] { key });
using (var cryptClient = CryptClientFactory.Create(cryptOptions))
using (var context =
cryptClient.StartCreateDataKeyContext(keyId))
{
var(state, _, dataKeyDocument) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
dataKeyDocument.Should().NotBeNull();
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
public void TestAwsKeyCreationWithEndpointStepwise()
{
var endpoint = "kms.us-east-1.amazonaws.com";
var keyId = CreateKmsKeyId("aws", endpoint);
var key = CreateKmsCredentials("aws");
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(new[] { key })))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
BsonDocument dataKeyDocument;
var(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
(state, _, dataKeyDocument) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
dataKeyDocument["masterKey"]["endpoint"].Should().Be(endpoint);
(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
public void DecryptQueryStepwise()
{
using (var cryptClient = CryptClientFactory.Create(CreateOptions()))
using (var context = cryptClient.StartDecryptionContext(BsonUtil.ToBytes(ReadJsonTestFile("encrypted-command-reply.json"))))
{
var(state, _, operationProduced) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_MONGO_KEYS);
operationProduced.Should().Equal(ReadJsonTestFile("key-filter.json"));
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
// kms fluent assertions inside ProcessState()
(state, _, operationProduced) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
operationProduced.Should().Equal(ReadJsonTestFile("command-reply.json"));
(state, _, _) = ProcessState(context);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
public void TestAwsKeyCreationWithEndpointStepwise()
{
var endpoint = "kms.us-east-1.amazonaws.com";
var keyId = new AwsKeyId(
customerMasterKey: "cmk",
region: "us-east-1",
endpoint: endpoint);
var key = new AwsKmsCredentials(awsSecretAccessKey: "us-east-1", awsAccessKeyId: "us-east-1");
using (var cryptClient = CryptClientFactory.Create(new CryptOptions(CreateCredentialsMap(key))))
using (var context = cryptClient.StartCreateDataKeyContext(keyId))
{
BsonDocument dataKeyDocument;
var(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_NEED_KMS);
(state, _, dataKeyDocument) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_READY);
dataKeyDocument["masterKey"]["endpoint"].Should().Be(endpoint);
(state, _, _) = ProcessState(context, isKmsDecrypt: false);
state.Should().Be(CryptContext.StateCode.MONGOCRYPT_CTX_DONE);
}
}
public void CryptClientShouldFailToiInitializeWhenTargetingX86()
{
var exception = Record.Exception(() => CryptClientFactory.Create(CreateOptions()));
exception.Should().BeOfType <PlatformNotSupportedException>();
}
private CryptClient CreateCryptClient(CryptOptions options)
{
return(CryptClientFactory.Create(options));
}
