PHPC-1498: Read auto encryption options from driverOptions

Author: alcaeus

php_phongo.c

@@ -2720,6 +2720,129 @@ static mongoc_client_t* php_phongo_find_client(const char* hash, size_t hash_len
 	return NULL;
 }
 
+#ifdef MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION
+static bool phongo_manager_set_auto_encryption_opts(php_phongo_manager_t* manager, zval* driverOptions TSRMLS_DC) /* {{{ */
+{
+	zval*                          zAutoEncryptionOpts;
+	bson_error_t                   error                = { 0 };
+	mongoc_auto_encryption_opts_t* auto_encryption_opts = NULL;
+	bool                           retval               = false;
+
+	if (!driverOptions || !php_array_existsc(driverOptions, "autoEncryption")) {
+		return true;
+	}
+
+	zAutoEncryptionOpts = php_array_fetch(driverOptions, "autoEncryption");
+
+	if (Z_TYPE_P(zAutoEncryptionOpts) != IS_ARRAY) {
+		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Expected \"autoEncryption\" driver option to be array, %s given", PHONGO_ZVAL_CLASS_OR_TYPE_NAME_P(zAutoEncryptionOpts));
+		return false;
+	}
+
+	auto_encryption_opts = mongoc_auto_encryption_opts_new();
+
+	if (php_array_existsc(zAutoEncryptionOpts, "keyVaultClient")) {
+		zval* key_vault_client = php_array_fetch(zAutoEncryptionOpts, "keyVaultClient");
+
+		if (Z_TYPE_P(key_vault_client) != IS_OBJECT || !instanceof_function(Z_OBJCE_P(key_vault_client), php_phongo_manager_ce TSRMLS_CC)) {
+			phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Expected \"keyVaultClient\" encryption option to be %s, %s given", ZSTR_VAL(php_phongo_manager_ce->name), PHONGO_ZVAL_CLASS_OR_TYPE_NAME_P(key_vault_client));
+			goto cleanup;
+		}
+
+		mongoc_auto_encryption_opts_set_keyvault_client(auto_encryption_opts, Z_MANAGER_OBJ_P(key_vault_client)->client);
+	}
+
+	if (php_array_existsc(zAutoEncryptionOpts, "keyVaultNamespace")) {
+		char*     key_vault_ns;
+		char*     db_name;
+		char*     coll_name;
+		int       plen;
+		zend_bool pfree;
+
+		key_vault_ns = php_array_fetch_string(zAutoEncryptionOpts, "keyVaultNamespace", &plen, &pfree);
+
+		if (!phongo_split_namespace(key_vault_ns, &db_name, &coll_name)) {
+			phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Expected \"keyVaultNamespace\" encryption option to contain a full collection name");
+
+			if (pfree) {
+				str_efree(key_vault_ns);
+			}
+
+			goto cleanup;
+		}
+
+		mongoc_auto_encryption_opts_set_keyvault_namespace(auto_encryption_opts, db_name, coll_name);
+
+		efree(db_name);
+		efree(coll_name);
+
+		if (pfree) {
+			str_efree(key_vault_ns);
+		}
+	}
+
+	if (php_array_existsc(zAutoEncryptionOpts, "kmsProviders")) {
+		zval*  kms_providers  = php_array_fetch(zAutoEncryptionOpts, "kmsProviders");
+		bson_t bson_providers = BSON_INITIALIZER;
+
+		php_phongo_zval_to_bson(kms_providers, PHONGO_BSON_NONE, &bson_providers, NULL TSRMLS_CC);
+		if (EG(exception)) {
+			goto cleanup;
+		}
+
+		mongoc_auto_encryption_opts_set_kms_providers(auto_encryption_opts, &bson_providers);
+
+		bson_destroy(&bson_providers);
+	}
+
+	if (php_array_existsc(zAutoEncryptionOpts, "schemaMap")) {
+		zval*  schema_map = php_array_fetch(zAutoEncryptionOpts, "schemaMap");
+		bson_t bson_map   = BSON_INITIALIZER;
+
+		php_phongo_zval_to_bson(schema_map, PHONGO_BSON_NONE, &bson_map, NULL TSRMLS_CC);
+		if (EG(exception)) {
+			goto cleanup;
+		}
+
+		mongoc_auto_encryption_opts_set_schema_map(auto_encryption_opts, &bson_map);
+
+		bson_destroy(&bson_map);
+	}
+
+	if (php_array_existsc(zAutoEncryptionOpts, "bypassAutoEncryption")) {
+		zend_bool bypass_auto_encryption = php_array_fetch_bool(zAutoEncryptionOpts, "bypassAutoEncryption");
+
+		mongoc_auto_encryption_opts_set_bypass_auto_encryption(auto_encryption_opts, bypass_auto_encryption);
+	}
+
+	if (php_array_existsc(zAutoEncryptionOpts, "extraOptions")) {
+		zval*  extra_options = php_array_fetch(zAutoEncryptionOpts, "extraOptions");
+		bson_t bson_options  = BSON_INITIALIZER;
+
+		php_phongo_zval_to_bson(extra_options, PHONGO_BSON_NONE, &bson_options, NULL TSRMLS_CC);
+		if (EG(exception)) {
+			goto cleanup;
+		}
+
+		mongoc_auto_encryption_opts_set_extra(auto_encryption_opts, &bson_options);
+
+		bson_destroy(&bson_options);
+	}
+
+	if (!mongoc_client_enable_auto_encryption(manager->client, auto_encryption_opts, &error)) {
+		phongo_throw_exception_from_bson_error_t(&error TSRMLS_CC);
+		goto cleanup;
+	}
+
+	retval = true;
+
+cleanup:
+	mongoc_auto_encryption_opts_destroy(auto_encryption_opts);
+	return retval;
+}
+/* }}} */
+#endif
+
 void phongo_manager_init(php_phongo_manager_t* manager, const char* uri_string, zval* options, zval* driverOptions TSRMLS_DC) /* {{{ */
 {
 	bson_t        bson_options = BSON_INITIALIZER;
@@ -2798,6 +2921,13 @@ void phongo_manager_init(php_phongo_manager_t* manager, const char* uri_string,
 	}
 #endif
 
+#ifdef MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION
+	if (!phongo_manager_set_auto_encryption_opts(manager, driverOptions TSRMLS_CC)) {
+		/* Exception should already have been thrown */
+		goto cleanup;
+	}
+#endif
+
 	MONGOC_DEBUG("Created client hash: %s\n", manager->client_hash);
 	php_phongo_persist_client(manager->client_hash, manager->client_hash_len, manager->client TSRMLS_CC);
 

src/LIBMONGOCRYPT_VERSION_CURRENT

@@ -1 +1 @@
-1.0.1-dev+20191220git5ff8a05d97
+1.0.1-dev+20200108gitb6cab3967e

src/libmongocrypt

@@ -0,0 +1,50 @@
+--TEST--
+MongoDB\Driver\Manager::__construct(): auto encryption options
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+--FILE--
+<?php
+
+$baseOptions = [
+    'keyVaultNamespace' => 'admin.dataKeys',
+    'kmsProviders' => ['aws' => (object) ['accessKeyId' => 'abc', 'secretAccessKey' => 'def']]
+];
+
+$tests = [
+    [],
+    ['keyVaultClient' => new MongoDB\Driver\Manager()],
+    ['schemaMap' => [
+        'default.default' => [
+            'properties' => [
+                'encrypted_objectId' => [
+                    'encrypt' => [
+                        'keyId' => [
+                            [
+                                '$binary' => [
+                                    'base64' => 'AAAAAAAAAAAAAAAAAAAAAA==',
+                                    'subType' => '04',
+                                ],
+                            ],
+                        ],
+                        'bsonType' => 'objectId',
+                        'algorithm' => 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
+                    ],
+                ],
+            ],
+            'bsonType' => 'object',
+        ],
+    ]],
+    ['bypassAutoEncryption' => true],
+    ['extraOptions' => ['mongocryptdBypassSpawn' => true]],
+];
+
+foreach ($tests as $autoEncryptionOptions) {
+    $manager = new MongoDB\Driver\Manager(null, [], ['autoEncryption' => $autoEncryptionOptions + $baseOptions]);
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+===DONE===

tests/manager/manager-ctor-auto_encryption-001.phpt

@@ -0,0 +1,32 @@
+--TEST--
+MongoDB\Driver\Manager::__construct(): incomplete auto encryption options
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . '/../utils/tools.php';
+
+$tests = [
+    [],
+    ['keyVaultNamespace' => 'admin.keys'],
+];
+
+foreach ($tests as $driverOptions) {
+    echo throws(function() use ($driverOptions) {
+        $manager = new MongoDB\Driver\Manager(null, [], ['autoEncryption' => $driverOptions]);
+    }, 'MongoDB\Driver\Exception\RuntimeException'), "\n\n";
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\RuntimeException
+Key vault namespace option required
+
+OK: Got MongoDB\Driver\Exception\RuntimeException
+KMS providers option required
+
+===DONE===

tests/manager/manager-ctor-auto_encryption-error-001.phpt

@@ -355,6 +355,30 @@ function skip_if_not_libmongoc_ssl(array $libs = [])
     }
 }
 
+/**
+ * Skips the test if the driver was not compiled with support for FLE
+ */
+function skip_if_not_libmongocrypt()
+{
+    $lib = get_module_info('libmongocrypt');
+
+    if ($lib === 'disabled') {
+        exit('skip libmongocrypt is not enabled');
+    }
+}
+
+/**
+ * Skips the test if the driver was compiled with support for FLE
+ */
+function skip_if_libmongocrypt()
+{
+    $lib = get_module_info('libmongocrypt');
+
+    if ($lib !== 'disabled') {
+        exit('skip libmongocrypt is enabled');
+    }
+}
+
 /**
  * Skips the test if the collection cannot be dropped.
  *