CDRIVER-4365 support encryptedFields in collection create and drop (#983)

Author: kevinAlbs

.evergreen/config.yml

@@ -2916,6 +2916,33 @@ tasks:
       AUTH: noauth
       SSL: nossl
       VALGRIND: 'off'
+- name: test-asan-latest-replica-set-auth-nosasl-openssl-cse
+  tags:
+  - client-side-encryption
+  - latest
+  - test-asan
+  exec_timeout_secs: 3600
+  depends_on:
+    name: debug-compile-asan-openssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-asan-openssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: auth
+      SSL: openssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'on'
+      AUTH: auth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: openssl
+      VALGRIND: 'off'
 - name: test-asan-latest-replica-set-auth-nosasl-openssl
   tags:
   - latest
@@ -5973,6 +6000,35 @@ tasks:
       AUTH: noauth
       SSL: nossl
       VALGRIND: 'off'
+- name: test-latest-replica-set-auth-sasl-openssl-cse
+  tags:
+  - auth
+  - client-side-encryption
+  - latest
+  - openssl
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-openssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-openssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: auth
+      SSL: openssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: auth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: openssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-auth-sasl-openssl
   tags:
   - auth
@@ -5998,6 +6054,35 @@ tasks:
       AUTH: auth
       SSL: openssl
       VALGRIND: 'off'
+- name: test-latest-replica-set-auth-sasl-openssl-static-cse
+  tags:
+  - auth
+  - client-side-encryption
+  - latest
+  - openssl-static
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-openssl-static-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-openssl-static-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: auth
+      SSL: openssl-static
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: auth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: openssl-static
+      VALGRIND: 'off'
 - name: test-latest-replica-set-auth-sasl-openssl-static
   tags:
   - auth
@@ -6023,6 +6108,35 @@ tasks:
       AUTH: auth
       SSL: openssl-static
       VALGRIND: 'off'
+- name: test-latest-replica-set-auth-sasl-darwinssl-cse
+  tags:
+  - auth
+  - client-side-encryption
+  - darwinssl
+  - latest
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-darwinssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-darwinssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: auth
+      SSL: darwinssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: auth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: darwinssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-auth-sasl-darwinssl
   tags:
   - auth
@@ -6048,6 +6162,35 @@ tasks:
       AUTH: auth
       SSL: darwinssl
       VALGRIND: 'off'
+- name: test-latest-replica-set-auth-sasl-winssl-cse
+  tags:
+  - auth
+  - client-side-encryption
+  - latest
+  - replica_set
+  - sasl
+  - winssl
+  depends_on:
+    name: debug-compile-sasl-winssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-winssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: auth
+      SSL: winssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: auth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: winssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-auth-sasl-winssl
   tags:
   - auth
@@ -6173,6 +6316,35 @@ tasks:
       AUTH: auth
       SSL: winssl
       VALGRIND: 'off'
+- name: test-latest-replica-set-noauth-sasl-openssl-cse
+  tags:
+  - client-side-encryption
+  - latest
+  - noauth
+  - openssl
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-openssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-openssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: noauth
+      SSL: openssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: noauth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: openssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-noauth-sasl-openssl
   tags:
   - latest
@@ -6198,6 +6370,35 @@ tasks:
       AUTH: noauth
       SSL: openssl
       VALGRIND: 'off'
+- name: test-latest-replica-set-noauth-sasl-openssl-static-cse
+  tags:
+  - client-side-encryption
+  - latest
+  - noauth
+  - openssl-static
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-openssl-static-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-openssl-static-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: noauth
+      SSL: openssl-static
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: noauth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: openssl-static
+      VALGRIND: 'off'
 - name: test-latest-replica-set-noauth-sasl-openssl-static
   tags:
   - latest
@@ -6223,6 +6424,35 @@ tasks:
       AUTH: noauth
       SSL: openssl-static
       VALGRIND: 'off'
+- name: test-latest-replica-set-noauth-sasl-darwinssl-cse
+  tags:
+  - client-side-encryption
+  - darwinssl
+  - latest
+  - noauth
+  - replica_set
+  - sasl
+  depends_on:
+    name: debug-compile-sasl-darwinssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-darwinssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: noauth
+      SSL: darwinssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: noauth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: darwinssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-noauth-sasl-darwinssl
   tags:
   - darwinssl
@@ -6248,6 +6478,35 @@ tasks:
       AUTH: noauth
       SSL: darwinssl
       VALGRIND: 'off'
+- name: test-latest-replica-set-noauth-sasl-winssl-cse
+  tags:
+  - client-side-encryption
+  - latest
+  - noauth
+  - replica_set
+  - sasl
+  - winssl
+  depends_on:
+    name: debug-compile-sasl-winssl-cse
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-sasl-winssl-cse
+  - func: bootstrap mongo-orchestration
+    vars:
+      AUTH: noauth
+      SSL: winssl
+      TOPOLOGY: replica_set
+      VERSION: latest
+  - func: clone drivers-evergreen-tools
+  - func: run kms servers
+  - func: run tests
+    vars:
+      ASAN: 'off'
+      AUTH: noauth
+      CLIENT_SIDE_ENCRYPTION: 'on'
+      SSL: winssl
+      VALGRIND: 'off'
 - name: test-latest-replica-set-noauth-sasl-winssl
   tags:
   - latest

build/evergreen_config_lib/tasks.py

@@ -604,7 +604,11 @@ def _check_allowed(self):
 
         if self.cse:
             require(self.version == 'latest' or parse_version(self.version) >= parse_version("4.2"))
-            require(self.topology == 'server')
+            if self.version == 'latest' or parse_version(self.version) >= parse_version("6.0"):
+                # FLE 2.0 Client-Side Encryption tasks on 6.0 require a non-standalone topology.
+                require(self.topology in ('server', 'replica_set'))
+            else:
+                require(self.topology == 'server')
             if self.sanitizer != "asan":
                 # limit to SASL=AUTO to reduce redundant tasks.
                 require(self.sasl)

src/libmongoc/doc/mongoc_auto_encryption_opts_set_encrypted_fields_map.rst

@@ -0,0 +1,29 @@
+:man_page: mongoc_auto_encryption_opts_set_encrypted_fields_map
+
+mongoc_auto_encryption_opts_set_encrypted_fields_map()
+======================================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   void
+   mongoc_auto_encryption_opts_set_encrypted_fields_map (
+      mongoc_auto_encryption_opts_t *opts, const bson_t *encrypted_fields_map);
+
+
+Parameters
+----------
+
+* ``opts``: The :symbol:`mongoc_auto_encryption_opts_t`
+* ``encrypted_fields_map``: A :symbol:`bson_t` where keys are collection namespaces and values are encrypted fields documents.
+
+Supplying an ``encrypted_fields_map`` provides more security than relying on an ``encryptedFields`` obtained from the server. It protects against a malicious server advertising a false ``encryptedFields``.
+
+.. seealso::
+
+  | :symbol:`mongoc_client_enable_auto_encryption()`
+
+  | The guide for :doc:`Using Client-Side Field Level Encryption <using_client_side_encryption>`
+

src/libmongoc/doc/mongoc_auto_encryption_opts_t.rst

@@ -35,4 +35,5 @@ Synopsis
     mongoc_auto_encryption_opts_set_bypass_auto_encryption
     mongoc_auto_encryption_opts_set_extra
     mongoc_auto_encryption_opts_set_tls_opts
+    mongoc_auto_encryption_opts_set_encrypted_fields_map
 

src/libmongoc/doc/mongoc_database_create_collection.rst

@@ -30,6 +30,8 @@ This function creates a :symbol:`mongoc_collection_t` from the given :symbol:`mo
 
 If no write concern is provided in ``opts``, the database's write concern is used.
 
+The ``encryptedFields`` document in ``opts`` may be used to create a collection used for :doc:`Using Client-Side Field Level Encryption <using_client_side_encryption>`.
+
 For a list of all options, see `the MongoDB Manual entry on the create command <https://docs.mongodb.org/manual/reference/command/create/>`_.
 
 Errors

src/libmongoc/doc/mongoc_database_drop_with_opts.rst

@@ -30,6 +30,8 @@ This function attempts to drop a database on the MongoDB server.
 
 If no write concern is provided in ``opts``, the database's write concern is used.
 
+The ``encryptedFields`` document in ``opts`` may be used to drop a collection used for :doc:`Using Client-Side Field Level Encryption <using_client_side_encryption>`.
+
 Errors
 ------