DOCSP-28275 createEncryptedClient (#3412)

* DOCSP-28275 createEncryptedClient

* fix filename

* fix filename

* includify

* include

* internal review

* removes title

* nav

* use procedure admonition in example

* clean up options

* procedure-ify

* external review feedback

* removes createEncryptedCollection method mention from release notes

Author: jmd-mongo

source/includes/create-an-encrypted-db-conn.rst

@@ -0,0 +1,23 @@
+The :binary:`~bin.mongosh` client-side field level and queryable 
+encryption methods require a database connection configured for 
+client-side encryption. If the current database connection was not 
+initiated with client-side field level encryption enabled, either:
+
+- Use the :method:`Mongo()` constructor from the ``mongosh``
+  to establish a connection with the required client-side field
+  level encryption options. The ``Mongo()`` method supports the
+  following Key Management Service (KMS) providers for Customer
+  Master Key (CMK) management:
+
+  - :ref:`Amazon Web Services KMS <field-level-encryption-aws-kms>`
+  - :ref:`Azure Key Vault <field-level-encryption-azure-keyvault>`
+  - :ref:`Google Cloud Platform KMS <field-level-encryption-gcp-kms>`
+  - :ref:`Locally Managed Key <field-level-encryption-local-kms>`
+
+*or*
+
+- Use the ``mongosh`` :ref:`command line options
+  <mongosh-client-side-field-level-encryption-options>` to establish a
+  connection with the required options. The command line options only
+  support the :ref:`Amazon Web Services KMS
+  <field-level-encryption-aws-kms>` provider for CMK management. 

source/includes/csfle-connection-boilerplate-example.rst

@@ -1,40 +1,52 @@
-To configure client-side field level encryption for a locally managed
-key:
-
-- generate a base64-encoded 96-byte string with no line breaks
-- use :binary:`mongosh` to load the key
-
-.. code-block:: bash
-   :emphasize-lines: 1
-
-   export TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
-
-   mongosh --nodb
-
-Create the client-side field level encryption object using the
-generated local key string:
-
-.. code-block:: javascript
-   :emphasize-lines: 5
-
-    var autoEncryptionOpts = {
-      "keyVaultNamespace" : "encryption.__dataKeys",
-      "kmsProviders" : {
-        "local" : {
-          "key" : BinData(0, process.env["TEST_LOCAL_KEY"])
-        }
-      }
-    }
-
-Use the :method:`Mongo()` constructor with the client-side field level 
-encryption options configured to create a database connection. Replace 
-the ``mongodb://myMongo.example.net`` URI with the :ref:`connection 
-string URI <mongodb-uri>` of the target cluster.
-
-.. code-block:: javascript
-   :emphasize-lines: 2
-      
-   encryptedClient = Mongo( 
-     "mongodb://myMongo.example.net:27017/?replSetName=myMongo", 
-      autoEncryptionOpts
-   )
+.. procedure::
+   :style: normal
+
+   .. step:: Start mongosh
+
+      Start the ``mongosh`` client.
+    
+      .. code-block:: bash
+
+         mongosh --nodb
+
+   .. step:: Generate Your Key
+
+      To configure client-side field level encryption for a locally 
+      managed key, generate a base64-encoded 96-byte string with no line 
+      breaks.
+
+      .. code-block:: javascript
+
+         const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")
+
+   .. step:: Create the Client-Side Field Level Encryption Options
+   
+      Create the client-side field level encryption options using the
+      generated local key string:
+
+      .. code-block:: javascript
+         :emphasize-lines: 5
+
+          var autoEncryptionOpts = {
+            "keyVaultNamespace" : "encryption.__dataKeys",
+            "kmsProviders" : {
+              "local" : {
+                "key" : BinData(0, TEST_LOCAL_KEY)
+              }
+            }
+          }
+
+   .. step:: Create Your Encrypted Client
+
+      Use the :method:`Mongo()` constructor with the client-side field level 
+      encryption options configured to create a database connection. Replace 
+      the ``mongodb://myMongo.example.net`` URI with the :ref:`connection 
+      string URI <mongodb-uri>` of the target cluster.
+
+      .. code-block:: javascript
+         :emphasize-lines: 2
+          
+         encryptedClient = Mongo( 
+           "mongodb://myMongo.example.net:27017/?replSetName=myMongo", 
+            autoEncryptionOpts
+         )

source/includes/qe-connection-boilerplate.rst

@@ -1,39 +1,50 @@
-Configuring queryable encryption for a locally managed key requires 
-specifying a base64-encoded 96-byte string with no line breaks. The 
-following operation generates a key that meets the stated requirements 
-and loads it into :binary:`~bin.mongosh`:
-
-.. code-block:: bash
-   :emphasize-lines: 1
-
-   export TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
- 
-   mongosh --nodb
-
-Create the client-side field level encryption object using the
-generated local key string:
-
-.. code-block:: javascript
-   :emphasize-lines: 5
-
-   var autoEncryptionOpts = {
-     "keyVaultNamespace" : "encryption.__keyVault",
-     "kmsProviders" : {
-       "local" : {
-         "key" : BinData(0, process.env["TEST_LOCAL_KEY"])
-       }
-     }
-   }
-
-Use the :method:`Mongo()` constructor to create a database connection
-with the queryable encryption options. Replace the 
-``mongodb://myMongo.example.net`` URI with the :ref:`connection string
-URI <mongodb-uri>` of the target cluster.
-
-.. code-block:: javascript
-   :emphasize-lines: 2
+.. procedure::
+   :style: normal
+
+   .. step:: Start mongosh
+
+      Start the ``mongosh`` client.
+    
+      .. code-block:: bash
+
+         mongosh --nodb
+
+   .. step:: Generate Your Key
+
+      To configure queryable encryption for a locally managed key, 
+      generate a base64-encoded 96-byte string with no line breaks.
+
+      .. code-block:: javascript
+
+         const TEST_LOCAL_KEY = require("crypto").randomBytes(96).toString("base64")
+
+   .. step:: Create the Queryable Encryption Options
 
-   encryptedClient = Mongo( 
-     "mongodb://myMongo.example.net:27017/?replSetName=myMongo", 
-     autoEncryptionOpts
-   )
+      Create the queryable encryption options using the generated local key string:
+
+      .. code-block:: javascript
+         :emphasize-lines: 5
+
+          var autoEncryptionOpts = {
+            "keyVaultNamespace" : "encryption.__dataKeys",
+            "kmsProviders" : {
+              "local" : {
+                "key" : BinData(0, TEST_LOCAL_KEY)
+              }
+            }
+          }
+
+   .. step:: Create Your Encrypted Client
+
+      Use the :method:`Mongo()` constructor with the queryable 
+      encryption options configured to create a database connection. Replace 
+      the ``mongodb://myMongo.example.net`` URI with the :ref:`connection 
+      string URI <mongodb-uri>` of the target cluster.
+
+      .. code-block:: javascript
+         :emphasize-lines: 2
+          
+         encryptedClient = Mongo( 
+           "mongodb://myMongo.example.net:27017/?replSetName=myMongo", 
+            autoEncryptionOpts
+         )

source/reference/method.txt

@@ -1319,6 +1319,10 @@ Client-Side Field Level Encryption
 
      - Returns the client encryption object for supporting explicit encryption/decryption of fields.
 
+   * - :method:`ClientEncryption.createEncryptedCollection()`
+
+     - Creates a collection with encrypted fields.
+
    * - :method:`ClientEncryption.encrypt()`
 
      - Encrypts a field using a specified data encryption key and encryption algorithm.

source/reference/method/ClientEncryption.createEncryptedCollection.txt

@@ -0,0 +1,160 @@
+============================================
+ClientEncryption.createEncryptedCollection()
+============================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. versionadded:: 7.0
+
+.. method:: ClientEncryption.createEncryptedCollection(dbName, collName, clientEncOpts)
+
+   ``ClientEncryption.createEncryptedCollection`` creates an 
+   encrypted collection specified by ``collName`` on the database 
+   specified by ``dbName``.
+
+Syntax
+------
+
+``ClientEncryption.createEncryptedCollection`` has the 
+following syntax:
+
+.. code-block:: javascript
+
+   clientEncryption = db.getMongo().getClientEncryption()
+
+   clientEncryption.createEncryptedCollection(
+     dbName,
+     collName,
+     {
+       provider: kmsProviderName,
+       createCollectionOptions: encryptedFieldsMap,
+       masterKey: customerMasterKeyCredentials
+     }
+   )
+
+Command Fields
+--------------
+
+``createEncryptedCollection`` takes these fields:
+
+.. list-table::
+  :header-rows: 1
+  :widths: 20 20 20 80
+
+  * - Field
+    - Type
+    - Necessity
+    - Description
+
+  * - ``dbName``
+    - string
+    - Required
+    - Name of the database to encrypt.
+
+  * - ``collName``
+    - string
+    - Required
+    - Name of the collection to encrypt.
+
+  * - ``clientEncOpts``
+    - document
+    - Required
+    - Options to configure the encrypted collection.
+
+  * - ``clientEncOpts.provider``
+    - string
+    - Required
+    - KMS you are using to store your {+cmk-long+}.
+
+  * - ``clientEncOpts.createCollectionOptions``
+    - document
+    - Required
+    - Fields to encrypt. See :ref:`qe-specify-fields-for-encryption`
+      for details on how to configure the ``encryptedFieldsMap`` object.
+
+  * - ``clientEncOpts.masterKey``
+    - document
+    - Optional
+    - How to get the master key when the KMS Provider is AWS, GCP, or 
+      Azure.
+
+Behavior
+--------
+
+.. include:: /includes/create-an-encrypted-db-conn.rst 
+
+Example
+-------
+
+The following example uses a locally managed KMS for the 
+queryable encryption configuration.
+
+.. procedure::
+   :style: normal
+
+   .. step:: Create Your Encrypted Connection
+
+      .. include:: /includes/csfle-connection-boilerplate-example.rst
+
+   .. step:: Specify which Fields to Encrypt
+
+      Create an ``encryptedFieldsMaps`` to specify which fields to encrypt:
+
+      .. code-block:: javascript
+
+         const encryptedFieldsMap = {
+           encryptedFields: {
+             fields: [
+               {
+                 path: "secretField",
+                 bsonType: "string",
+                 queries: { queryType: "equality" },
+               },
+             ],
+           },
+         };
+
+   .. step:: Create Your Encrypted Collection
+
+      Create an encrypted ``enc.users`` collection:
+
+      .. code-block:: javascript
+
+         clientEncryption = encryptedClient.getClientEncryption();
+
+         var result = clientEncryption.createEncryptedCollection(
+           "enc", 
+           "users",
+           {
+             provider: "local",
+             createCollectionOptions: encryptedFieldsMap,
+             masterKey: {} // masterKey is optional when provider is local
+           }
+         )
+
+   .. step:: Check Your Result Object
+
+      ``createEncryptedCollection`` returns a large result object with many 
+      fields. Check the value of ``result.collection`` to confirm the 
+      collection was created in the desired location.
+
+      .. code-block:: javascript
+         :copyable: false
+
+         enc> result.collection
+         enc.users
+
+Learn More
+----------
+
+- For complete documentation on initiating MongoDB connections with
+  client-side field level encryption enabled, see :method:`Mongo()`.
+
+- For a complete example of how to create and query an encrypted 
+  collection, see :ref:`qe-quick-start`.