SERVER-41313 Evaluate Driver's Client Side FLE Specification Tests in Shell

2024-11-30 17:10:48 +01:00 · 2019-06-20 16:20:12 -04:00 · 2019-06-20 16:20:12 -04:00 · ac6c8db70d
commit ac6c8db70d
parent 70a3df4dd5
10 changed files with 28 additions and 32 deletions
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@ -1858,6 +1858,16 @@ functions:
            exit $(cat jepsen_system_failure_${task_name}_${execution})
          fi

+  "load aws test credentials":
+    - command: shell.exec
+      params:
+        silent: true
+        working_dir: src
+        script: |
+          set -o errexit
+          echo "const AWS_KMS_SECRET_ID = '${aws_kms_access_key_id}';" >> src/mongo/db/modules/enterprise/jstests/fle/lib/aws_secrets.js
+          echo "const AWS_KMS_SECRET_KEY = '${aws_kms_secret_access_key}';" >> src/mongo/db/modules/enterprise/jstests/fle/lib/aws_secrets.js
+
  "generate fuzzer tasks":
    - command: manifest.load
    - *git_get_project
@ -7394,6 +7404,7 @@ tasks:
  tags: ["encrypt"]
  commands:
  - func: "do setup"
+  - func: "load aws test credentials"
  - func: "run tests"
    vars:
      resmoke_args: --suites=fle --storageEngine=wiredTiger
--- a/jstests/client_encrypt/fle_auto_decrypt.js
+++ b/jstests/client_encrypt/fle_auto_decrypt.js
@ -14,7 +14,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
    let localKMS = {
        key: BinData(
            0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
    };

    const clientSideFLEOptions = {
--- a/jstests/client_encrypt/fle_encrypt_decrypt_shell.js
+++ b/jstests/client_encrypt/fle_encrypt_decrypt_shell.js
@ -25,7 +25,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
    let localKMS = {
        key: BinData(
            0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
    };

    const clientSideFLEOptions = {
--- a/jstests/client_encrypt/fle_key_faults.js
+++ b/jstests/client_encrypt/fle_key_faults.js
@ -26,7 +26,7 @@ load('jstests/ssl/libs/ssl_helpers.js');
    var localKMS = {
        key: BinData(
            0,
-            "/i8ytmWQuCe1zt3bIuVa4taPGKhqasVp0/0yI4Iy0ixQPNmeDF1J5qPUbBYoueVUJHMqj350eRTwztAWXuBdSQ=="),
+            "tu9jUCBqZdwCelwE/EAm/4WqdxrSMi04B8e9uAV+m30rI1J2nhKZZtQjdvsSCwuI4erR6IEcEK+5eGUAODv43NDNIR9QheT2edWFewUfHKsl9cnzTc86meIzOmYl6drp"),
    };

    const clientSideFLEOptions = {
--- a/src/mongo/crypto/aead_encryption.cpp
+++ b/src/mongo/crypto/aead_encryption.cpp
@ -215,29 +215,8 @@ Status aeadEncrypt(const SymmetricKey& key,
    DataRange dataLenBitsEncoded(dataLenBitsEncodedStorage);
    dataLenBitsEncoded.write<BigEndian<uint64_t>>(associatedDataLen * 8);

-    auto keySize = key.getKeySize();
-    if (keySize < kAeadAesHmacKeySize) {
-        return Status(ErrorCodes::BadValue,
-                      "AEAD encryption key too short. "
-                      "Must be either 64 or 96 bytes.");
-    }
-
    ConstDataRange aeadKey(key.getKey(), kAeadAesHmacKeySize);

-    if (key.getKeySize() == kAeadAesHmacKeySize) {
-        // local key store key encryption
-        return aeadEncryptWithIV(aeadKey,
-                                 in,
-                                 inLen,
-                                 nullptr,
-                                 0,
-                                 associatedData,
-                                 associatedDataLen,
-                                 dataLenBitsEncoded,
-                                 out,
-                                 outLen);
-    }
-
    if (key.getKeySize() != kFieldLevelEncryptionKeySize) {
        return Status(ErrorCodes::BadValue, "Invalid key size.");
    }
@ -252,8 +231,9 @@ Status aeadEncrypt(const SymmetricKey& key,

    ConstDataRange hmacCDR(nullptr, 0);
    SHA512Block hmacOutput;
-    if (static_cast<int>(associatedData[0]) ==
-        FleAlgorithmInt_serializer(FleAlgorithmInt::kDeterministic)) {
+    if (associatedData != nullptr &&
+        static_cast<int>(associatedData[0]) ==
+            FleAlgorithmInt_serializer(FleAlgorithmInt::kDeterministic)) {
        const uint8_t* ivKey = key.getKey() + kAeadAesHmacKeySize;
        hmacOutput = SHA512Block::computeHmac(ivKey,
                                              sym256KeySize,
--- a/src/mongo/scripting/mozjs/valuereader.cpp
+++ b/src/mongo/scripting/mozjs/valuereader.cpp
@ -73,7 +73,8 @@ void ValueReader::fromBSONElement(const BSONElement& elem, const BSONObj& parent
                JS::AutoValueArray<2> args(_context);

                ValueReader(_context, args[0]).fromStringData(elem.codeWScopeCode());
-                ValueReader(_context, args[1]).fromBSON(elem.codeWScopeObject(), nullptr, readOnly);
+                ValueReader(_context, args[1])
+                    .fromBSON(elem.codeWScopeObject().getOwned(), nullptr, readOnly);

                scope->getProto<CodeInfo>().newInstance(args, _value);
            } else {
--- a/src/mongo/shell/kms.idl
+++ b/src/mongo/shell/kms.idl
@ -123,6 +123,7 @@ structs:
            type: string
          endpoint:
            type: string
+            optional: true

    awsMasterKeyAndMaterial:
        description: "AWS KMS Key Material Description"
--- a/src/mongo/shell/kms_aws.cpp
+++ b/src/mongo/shell/kms_aws.cpp
@ -285,7 +285,7 @@ BSONObj AWSKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) {
    AwsMasterKey masterKey;
    masterKey.setKey(keyId);
    masterKey.setRegion(parseCMK(keyId));
-    masterKey.setEndpoint(_server.toString());
+    masterKey.setEndpoint(boost::optional<StringData>(_server.toString()));

    AwsMasterKeyAndMaterial keyAndMaterial;
    keyAndMaterial.setKeyMaterial(dataKey);
--- a/src/mongo/shell/kms_local.cpp
+++ b/src/mongo/shell/kms_local.cpp
@ -110,9 +110,9 @@ SecureVector<uint8_t> LocalKMSService::decrypt(ConstDataRange cdr, BSONObj maste

 std::unique_ptr<KMSService> LocalKMSService::create(const LocalKMS& config) {
    uassert(51237,
-            str::stream() << "Local KMS key must be 64 bytes, found " << config.getKey().length()
+            str::stream() << "Local KMS key must be 96 bytes, found " << config.getKey().length()
                          << " bytes instead",
-            config.getKey().length() == crypto::kAeadAesHmacKeySize);
+            config.getKey().length() == crypto::kFieldLevelEncryptionKeySize);

    SecureVector<uint8_t> aesVector = SecureVector<uint8_t>(
        config.getKey().data(), config.getKey().data() + config.getKey().length());
--- a/src/mongo/shell/kms_test.cpp
+++ b/src/mongo/shell/kms_test.cpp
@ -56,12 +56,15 @@ TEST(KmsTest, TestBadKey) {

 // Positive: Test Encrypt works
 TEST(KmsTest, TestGoodKey) {
-    std::array<uint8_t, 64> key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+    std::array<uint8_t, 96> key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
                                   0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
                                   0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
                                   0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
                                   0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
-                                   0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f};
+                                   0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41,
+                                   0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c,
+                                   0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+                                   0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f};

    BSONObj config =
        BSON("local" << BSON("key" << BSONBinData(key.data(), key.size(), BinDataGeneral)));