PHPLIB-851: Queryable encryption support for create/drop collection helpers

Author: jmikola

docs/includes/apiargs-MongoDBCollection-method-drop-option.yaml

@@ -1,15 +1,21 @@
 source:
-  file: apiargs-MongoDBCollection-common-option.yaml
-  ref: typeMap
+  file: apiargs-dropCollection-option.yaml
+  ref: encryptedFields
 post: |
-  This will be used for the returned command result document.
+  .. versionadded:: 1.13
 ---
 source:
   file: apiargs-common-option.yaml
   ref: session
 post: |
   .. versionadded:: 1.3
 ---
+source:
+  file: apiargs-MongoDBCollection-common-option.yaml
+  ref: typeMap
+post: |
+  This will be used for the returned command result document.
+---
 source:
   file: apiargs-MongoDBCollection-common-option.yaml
   ref: writeConcern

docs/includes/apiargs-MongoDBDatabase-method-createCollection-option.yaml

@@ -68,6 +68,24 @@ pre: |
   </reference/bson-type-comparison-order/#collation>` for the collection.
 ---
 arg_name: option
+name: encryptedFields
+type: document
+description: |
+  A document describing encrypted fields for queryable encryption. If omitted,
+  the ``encryptedFieldsMap`` option within the ``autoEncryption`` driver option
+  will be consulted. See the
+  `Client Side Encryption specification <https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst>`_
+  for more information.
+
+  This option is available in MongoDB 6.0+ and will result in an exception at
+  execution time if specified for an older server version.
+
+  .. versionadded:: 1.13
+interface: phpmethod
+operation: ~
+optional: true
+---
+arg_name: option
 name: expireAfterSeconds
 type: integer
 description: |

docs/includes/apiargs-MongoDBDatabase-method-dropCollection-option.yaml

@@ -1,3 +1,9 @@
+source:
+  file: apiargs-dropCollection-option.yaml
+  ref: encryptedFields
+post: |
+  .. versionadded:: 1.13
+---
 source:
   file: apiargs-common-option.yaml
   ref: session

docs/includes/apiargs-dropCollection-option.yaml

@@ -0,0 +1,15 @@
+arg_name: option
+name: encryptedFields
+type: array|object
+description: |
+  A document describing encrypted fields for queryable encryption. If omitted,
+  the ``encryptedFieldsMap`` option within the ``autoEncryption`` driver option
+  will be consulted. If ``encryptedFieldsMap`` was defined but does not specify
+  this collection, the library will make a final attempt to consult the
+  server-side value for ``encryptedFields``. See the
+  `Client Side Encryption specification <https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst>`_
+  for more information.
+interface: phpmethod
+operation: ~
+optional: true
+...

src/Collection.php

@@ -495,6 +495,21 @@ public function drop(array $options = [])
             $options['writeConcern'] = $this->writeConcern;
         }
 
+        $encryptedFields = $options['encryptedFields']
+            ?? get_encrypted_fields_from_driver($this->databaseName, $this->collectionName, $this->manager)
+            ?? get_encrypted_fields_from_server($this->databaseName, $this->collectionName, $this->manager, $server)
+            ?? null;
+
+        if ($encryptedFields !== null) {
+            // encryptedFields is not passed to the drop command
+            unset($options['encryptedFields']);
+
+            $encryptedFields = (array) $encryptedFields;
+            (new DropCollection($this->databaseName, $encryptedFields['escCollection'] ?? 'enxcol_.' . $this->collectionName . '.esc'))->execute($server);
+            (new DropCollection($this->databaseName, $encryptedFields['eccCollection'] ?? 'enxcol_.' . $this->collectionName . '.ecc'))->execute($server);
+            (new DropCollection($this->databaseName, $encryptedFields['ecocCollection'] ?? 'enxcol_.' . $this->collectionName . '.ecoc'))->execute($server);
+        }
+
         $operation = new DropCollection($this->databaseName, $this->collectionName, $options);
 
         return $operation->execute($server);

src/Database.php

@@ -33,6 +33,7 @@
 use MongoDB\Model\CollectionInfoIterator;
 use MongoDB\Operation\Aggregate;
 use MongoDB\Operation\CreateCollection;
+use MongoDB\Operation\CreateIndexes;
 use MongoDB\Operation\DatabaseCommand;
 use MongoDB\Operation\DropCollection;
 use MongoDB\Operation\DropDatabase;
@@ -275,9 +276,30 @@ public function createCollection($collectionName, array $options = [])
             $options['writeConcern'] = $this->writeConcern;
         }
 
+        $encryptedFields = $options['encryptedFields']
+            ?? get_encrypted_fields_from_driver($this->databaseName, $collectionName, $this->manager)
+            ?? null;
+
+        if ($encryptedFields !== null) {
+            // encryptedFields is passed to the create command
+            $options['encryptedFields'] = $encryptedFields;
+
+            $encryptedFields = (array) $encryptedFields;
+            $enxcolOptions = ['clusteredIndex' => ['key' => ['_id' => 1], 'unique' => true]];
+            (new CreateCollection($this->databaseName, $encryptedFields['escCollection'] ?? 'enxcol_.' . $collectionName . '.esc', $enxcolOptions))->execute($server);
+            (new CreateCollection($this->databaseName, $encryptedFields['eccCollection'] ?? 'enxcol_.' . $collectionName . '.ecc', $enxcolOptions))->execute($server);
+            (new CreateCollection($this->databaseName, $encryptedFields['ecocCollection'] ?? 'enxcol_.' . $collectionName . '.ecoc', $enxcolOptions))->execute($server);
+        }
+
         $operation = new CreateCollection($this->databaseName, $collectionName, $options);
 
-        return $operation->execute($server);
+        $result = $operation->execute($server);
+
+        if ($encryptedFields !== null) {
+            (new CreateIndexes($this->databaseName, $collectionName, [['key' => ['__safeContent__' => 1]]]))->execute($server);
+        }
+
+        return $result;
     }
 
     /**
@@ -330,6 +352,21 @@ public function dropCollection($collectionName, array $options = [])
             $options['writeConcern'] = $this->writeConcern;
         }
 
+        $encryptedFields = $options['encryptedFields']
+            ?? get_encrypted_fields_from_driver($this->databaseName, $collectionName, $this->manager)
+            ?? get_encrypted_fields_from_server($this->databaseName, $collectionName, $this->manager, $server)
+            ?? null;
+
+        if ($encryptedFields !== null) {
+            // encryptedFields is not passed to the drop command
+            unset($options['encryptedFields']);
+
+            $encryptedFields = (array) $encryptedFields;
+            (new DropCollection($this->databaseName, $encryptedFields['escCollection'] ?? 'enxcol_.' . $collectionName . '.esc'))->execute($server);
+            (new DropCollection($this->databaseName, $encryptedFields['eccCollection'] ?? 'enxcol_.' . $collectionName . '.ecc'))->execute($server);
+            (new DropCollection($this->databaseName, $encryptedFields['ecocCollection'] ?? 'enxcol_.' . $collectionName . '.ecoc'))->execute($server);
+        }
+
         $operation = new DropCollection($this->databaseName, $collectionName, $options);
 
         return $operation->execute($server);

src/Operation/CreateCollection.php

@@ -83,6 +83,8 @@ class CreateCollection implements Executable
      *
      *  * collation (document): Collation specification.
      *
+     *  * encryptedFields (document): CSFLE specification.
+     *
      *  * expireAfterSeconds: The TTL for documents in time series collections.
      *
      *    This is not supported for servers versions < 5.0.
@@ -158,6 +160,10 @@ public function __construct($databaseName, $collectionName, array $options = [])
             throw InvalidArgumentException::invalidType('"collation" option', $options['collation'], 'array or object');
         }
 
+        if (isset($options['encryptedFields']) && ! is_array($options['encryptedFields']) && ! is_object($options['encryptedFields'])) {
+            throw InvalidArgumentException::invalidType('"encryptedFields" option', $options['encryptedFields'], 'array or object');
+        }
+
         if (isset($options['expireAfterSeconds']) && ! is_integer($options['expireAfterSeconds'])) {
             throw InvalidArgumentException::invalidType('"expireAfterSeconds" option', $options['expireAfterSeconds'], 'integer');
         }
@@ -285,7 +291,7 @@ private function createCommand()
             }
         }
 
-        foreach (['changeStreamPreAndPostImages', 'clusteredIndex', 'collation', 'indexOptionDefaults', 'storageEngine', 'timeseries', 'validator'] as $option) {
+        foreach (['changeStreamPreAndPostImages', 'clusteredIndex', 'collation', 'encryptedFields', 'indexOptionDefaults', 'storageEngine', 'timeseries', 'validator'] as $option) {
             if (isset($this->options[$option])) {
                 $cmd[$option] = (object) $this->options[$option];
             }

src/functions.php

@@ -27,6 +27,7 @@
 use MongoDB\Driver\WriteConcern;
 use MongoDB\Exception\InvalidArgumentException;
 use MongoDB\Exception\RuntimeException;
+use MongoDB\Operation\ListCollections;
 use MongoDB\Operation\WithTransaction;
 use ReflectionClass;
 use ReflectionException;
@@ -123,6 +124,53 @@ function generate_index_name($document): string
     return $name;
 }
 
+/**
+ * Return a collection's encryptedFields from the encryptedFieldsMap
+ * autoEncryption driver option (if available).
+ *
+ * @internal
+ * @see https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#drop-collection-helper
+ * @see Collection::drop
+ * @see Database::createCollection
+ * @see Database::dropCollection
+ * @return array|object|null
+ */
+function get_encrypted_fields_from_driver(string $databaseName, string $collectionName, Manager $manager)
+{
+    $encryptedFieldsMap = (array) $manager->getEncryptedFieldsMap();
+
+    return $encryptedFieldsMap[$databaseName . '.' . $collectionName] ?? null;
+}
+
+/**
+ * Return a collection's encryptedFields option from the server (if any).
+ *
+ * @internal
+ * @see https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#drop-collection-helper
+ * @see Collection::drop
+ * @see Database::dropCollection
+ * @return array|object|null
+ */
+function get_encrypted_fields_from_server(string $databaseName, string $collectionName, Manager $manager, Server $server)
+{
+    // No-op if the encryptedFieldsMap autoEncryption driver option was omitted
+    if ($manager->getEncryptedFieldsMap() === null) {
+        return null;
+    }
+
+    $collectionInfoIterator = (new ListCollections($databaseName, ['filter' => ['name' => $collectionName]]))->execute($server);
+
+    foreach ($collectionInfoIterator as $collectionInfo) {
+        /* Note: ListCollections applies a typeMap that converts BSON documents
+         * to PHP arrays. This should not be problematic as encryptedFields here
+         * is only used by drop helpers to obtain names of supporting encryption
+         * collections. */
+        return $collectionInfo['options']['encryptedFields'] ?? null;
+    }
+
+    return null;
+}
+
 /**
  * Return whether the first key in the document starts with a "$" character.
  *

tests/Operation/CreateCollectionTest.php

@@ -47,6 +47,10 @@ public function provideInvalidConstructorOptions()
             $options[][] = ['collation' => $value];
         }
 
+        foreach ($this->getInvalidDocumentValues() as $value) {
+            $options[][] = ['encryptedFields' => $value];
+        }
+
         foreach ($this->getInvalidIntegerValues() as $value) {
             $options[][] = ['expireAfterSeconds' => $value];
         }