public string CreateKeyWithGcpKmsProvider()
{
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var gcpPrivateKey = Environment.GetEnvironmentVariable("FLE_GCP_PRIVATE_KEY");
var gcpEmail = Environment.GetEnvironmentVariable("FLE_GCP_EMAIL");
var gcpEndpoint = Environment.GetEnvironmentVariable("FLE_GCP_IDENTITY_ENDPOINT"); // Optional, defaults to "oauth2.googleapis.com".
var gcpKmsOptions = new Dictionary <string, object>
{
{ "privateKey", gcpPrivateKey },
{ "email", gcpEmail },
};
if (gcpEndpoint != null)
{
gcpKmsOptions.Add("endpoint", gcpEndpoint);
}
kmsProviders.Add("gcp", gcpKmsOptions);
var clientEncryption = GetClientEncryption(kmsProviders);
var gcpDataKeyProjectId = Environment.GetEnvironmentVariable("FLE_GCP_PROJ_ID");
var gcpDataKeyLocation = Environment.GetEnvironmentVariable("FLE_GCP_KEY_LOC"); // Optional. e.g. "global"
var gcpDataKeyKeyRing = Environment.GetEnvironmentVariable("FLE_GCP_KEY_RING");
var gcpDataKeyKeyName = Environment.GetEnvironmentVariable("FLE_GCP_KEY_NAME");
var gcpDataKeyKeyVersion = Environment.GetEnvironmentVariable("FLE_GCP_KEY_VERSION"); // Optional
var gcpDataKeyEndpoint = Environment.GetEnvironmentVariable("FLE_GCP_KMS_ENDPOINT"); // Optional, KMS URL, defaults to https://www.googleapis.com/auth/cloudkms
var dataKeyOptions = new DataKeyOptions(
masterKey: new BsonDocument
{
{ "projectId", gcpDataKeyProjectId },
{ "location", gcpDataKeyLocation },
{ "keyRing", gcpDataKeyKeyRing },
{ "keyName", gcpDataKeyKeyName },
{ "keyVersion", () => gcpDataKeyKeyVersion, gcpDataKeyKeyVersion != null },
{ "endpoint", () => gcpDataKeyEndpoint, gcpDataKeyEndpoint != null }
});
var dataKeyId = clientEncryption.CreateDataKey("gcp", dataKeyOptions, CancellationToken.None);
Console.WriteLine($"DataKeyId [UUID]: {dataKeyId}");
var dataKeyIdBase64 = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
Console.WriteLine($"DataKeyId [base64]: {dataKeyIdBase64}");
ValidateKey(dataKeyId);
return(dataKeyIdBase64);
}
private Guid CreateDataKey(
ClientEncryption clientEncryption,
string kmsProvider,
DataKeyOptions dataKeyOptions,
bool async)
{
if (async)
{
return(clientEncryption
.CreateDataKeyAsync(kmsProvider, dataKeyOptions, CancellationToken.None)
.GetAwaiter()
.GetResult());
}
else
{
return(clientEncryption.CreateDataKey(kmsProvider, dataKeyOptions, CancellationToken.None));
}
}
public string CreateKeyWithAzureKmsProvider()
{
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var azureTenantId = Environment.GetEnvironmentVariable("FLE_AZURE_TENANT_ID");
var azureClientId = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_ID");
var azureClientSecret = Environment.GetEnvironmentVariable("FLE_AZURE_CLIENT_SECRET");
var azureIdentityPlatformEndpoint = Environment.GetEnvironmentVariable("FLE_AZURE_IDENTIFY_PLATFORM_ENPDOINT"); // Optional, only needed if user is using a non-commercial Azure instance
var azureKmsOptions = new Dictionary <string, object>
{
{ "tenantId", azureTenantId },
{ "clientId", azureClientId },
{ "clientSecret", azureClientSecret },
};
if (azureIdentityPlatformEndpoint != null)
{
azureKmsOptions.Add("identityPlatformEndpoint", azureIdentityPlatformEndpoint);
}
kmsProviders.Add("azure", azureKmsOptions);
var clientEncryption = GetClientEncryption(kmsProviders);
var azureKeyName = Environment.GetEnvironmentVariable("FLE_AZURE_KEY_NAME");
var azureKeyVaultEndpoint = Environment.GetEnvironmentVariable("FLE_AZURE_KEYVAULT_ENDPOINT"); // typically <azureKeyName>.vault.azure.net
var azureKeyVersion = Environment.GetEnvironmentVariable("FLE_AZURE_KEY_VERSION"); // Optional
var dataKeyOptions = new DataKeyOptions(
masterKey: new BsonDocument
{
{ "keyName", azureKeyName },
{ "keyVaultEndpoint", azureKeyVaultEndpoint },
{ "keyVersion", () => azureKeyVersion, azureKeyVersion != null }
});
var dataKeyId = clientEncryption.CreateDataKey("azure", dataKeyOptions, CancellationToken.None);
Console.WriteLine($"Azure DataKeyId [UUID]: {dataKeyId}");
var dataKeyIdBase64 = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
Console.WriteLine($"Azure DataKeyId [base64]: {dataKeyIdBase64}");
ValidateKey(dataKeyId);
return(dataKeyIdBase64);
}
public string CreateKeyWithAwsKmsProvider()
{
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var awsAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_ACCESS_KEY");
var awsSecretAccessKey = Environment.GetEnvironmentVariable("FLE_AWS_SECRET_ACCESS_KEY");
var awsKmsOptions = new Dictionary <string, object>
{
{ "accessKeyId", awsAccessKey },
{ "secretAccessKey", awsSecretAccessKey }
};
kmsProviders.Add("aws", awsKmsOptions);
var clientEncryption = GetClientEncryption(kmsProviders);
var awsKeyARN = Environment.GetEnvironmentVariable("FLE_AWS_KEY_ARN"); // e.g. "arn:aws:kms:us-east-2:111122223333:alias/test-key"
var awsKeyRegion = Environment.GetEnvironmentVariable("FLE_AWS_KEY_REGION");
var awsEndpoint = Environment.GetEnvironmentVariable("FLE_AWS_ENDPOINT"); // Optional, AWS KMS URL.
var dataKeyOptions = new DataKeyOptions(
masterKey: new BsonDocument
{
{ "region", awsKeyRegion },
{ "key", awsKeyARN },
{ "endpoint", () => awsEndpoint, awsEndpoint != null }
});
var dataKeyId = clientEncryption.CreateDataKey("aws", dataKeyOptions, CancellationToken.None);
Console.WriteLine($"AWS DataKeyId [UUID]: {dataKeyId}");
var dataKeyIdBase64 = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
Console.WriteLine($"AWS DataKeyId [base64]: {dataKeyIdBase64}");
ValidateKey(dataKeyId);
return(dataKeyIdBase64);
}
// public void ClientSideEncryptionAutoEncryptionSettingsTour()
public static void Main(string[] args)
{
var localMasterKey = Convert.FromBase64String(LocalMasterKey);
var kmsProviders = new Dictionary <string, IReadOnlyDictionary <string, object> >();
var localKey = new Dictionary <string, object>
{
{ "key", localMasterKey }
};
kmsProviders.Add("local", localKey);
var keyVaultDB = "keyVault";
var keystore = "__keystore";
var keyVaultNamespace = CollectionNamespace.FromFullName($"{keyVaultDB}.{keystore}");
var keyVaultMongoClient = new MongoClient();
var clientEncryptionSettings = new ClientEncryptionOptions(
keyVaultMongoClient,
keyVaultNamespace,
kmsProviders);
var clientEncryption = new ClientEncryption(clientEncryptionSettings);
keyVaultMongoClient.GetDatabase(keyVaultDB).DropCollection(keystore);
var altKeyName = new[] { "csharpDataKey01" };
var dataKeyOptions = new DataKeyOptions(alternateKeyNames: altKeyName);
var dataKeyId = clientEncryption.CreateDataKey("local", dataKeyOptions, CancellationToken.None);
var base64DataKeyId = Convert.ToBase64String(GuidConverter.ToBytes(dataKeyId, GuidRepresentation.Standard));
clientEncryption.Dispose();
var collectionNamespace = CollectionNamespace.FromFullName("test.coll");
var schemaMap = $@"{{
properties: {{
SSN: {{
encrypt: {{
keyId: [{{
'$binary' : {{
'base64' : '{base64DataKeyId}',
'subType' : '04'
}}
}}],
bsonType: 'string',
algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
}}
}}
}},
'bsonType': 'object'
}}";
var autoEncryptionSettings = new AutoEncryptionOptions(
keyVaultNamespace,
kmsProviders,
schemaMap: new Dictionary <string, BsonDocument>()
{
{ collectionNamespace.ToString(), BsonDocument.Parse(schemaMap) }
});
var clientSettings = new MongoClientSettings
{
AutoEncryptionOptions = autoEncryptionSettings
};
var client = new MongoClient(clientSettings);
var database = client.GetDatabase("test");
database.DropCollection("coll");
var collection = database.GetCollection <BsonDocument>("coll");
collection.InsertOne(new BsonDocument("SSN", "123456789"));
var result = collection.Find(FilterDefinition <BsonDocument> .Empty).First();
Console.WriteLine(result.ToJson());
}
public void CustomEndpointTest([Values(false, true)] bool async)
{
RequireServer.Check().Supports(Feature.ClientSideEncryption);
using (var client = ConfigureClient())
using (var clientEncryption = ConfigureClientEncryption(client.Wrapped as MongoClient))
{
var testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" }
};
TestCase(testCaseMasterKey);
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "kms.us-east-1.amazonaws.com" }
};
TestCase(testCaseMasterKey);
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "kms.us-east-1.amazonaws.com:443" }
};
TestCase(testCaseMasterKey);
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "kms.us-east-1.amazonaws.com:12345" }
};
var exception = Record.Exception(() => TestCase(testCaseMasterKey));
exception.InnerException.Should().BeAssignableTo <SocketException>();
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "kms.us-east-2.amazonaws.com" }
};
exception = Record.Exception(() => TestCase(testCaseMasterKey));
exception.Should().NotBeNull();
exception.Message.Should().Contain("us-east-1");
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "example.com" }
};
exception = Record.Exception(() => TestCase(testCaseMasterKey));
exception.Should().NotBeNull();
exception.Message.Should().Contain("parse error");
// additional not spec tests
testCaseMasterKey = new BsonDocument
{
{ "region", "us-east-1" },
{ "key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0" },
{ "endpoint", "$test$" }
};
exception = Record.Exception(() => TestCase(testCaseMasterKey));
exception.Should().NotBeNull();
exception.InnerException.Should().BeAssignableTo <SocketException>();
void TestCase(BsonDocument masterKey)
{
var dataKeyOptions = new DataKeyOptions(masterKey: masterKey);
var dataKey = CreateDataKey(clientEncryption, "aws", dataKeyOptions, async);
var encryptOptions = new EncryptOptions(
algorithm: EncryptionAlgorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic.ToString(),
keyId: dataKey);
var value = "test";
var encrypted = ExplicitEncrypt(clientEncryption, encryptOptions, value, async);
var decrypted = ExplicitDecrypt(clientEncryption, encrypted, async);
decrypted.Should().Be(BsonValue.Create(value));
}
}
}
