PHPLIB-885: Queryable encryption spec tests

Synced with mongodb/specifications@cd34149

Change logic to use encryptedClient only when available.

Support encrypted_fields in CSFLE spec tests. Updates logic for creating the collection under test and also applies a "majority" write concern for the spec's default write options. Also updates a prose test, which does not need to reference the Context option (mainly for spec tests).

Add to assertion count when evaluating ErrorExpectation, which avoids a potential PHPUnit warning for a test performing no assertions when a test consisted of an operation(s) with no explicit error/result expectations.

Author: jmikola

tests/SpecTests/ClientSideEncryptionSpecTest.php

@@ -15,7 +15,6 @@
 use MongoDB\Driver\Exception\EncryptionException;
 use MongoDB\Driver\Exception\RuntimeException;
 use MongoDB\Driver\WriteConcern;
-use MongoDB\Operation\CreateCollection;
 use MongoDB\Tests\CommandObserver;
 use PHPUnit\Framework\Assert;
 use PHPUnit\Framework\SkippedTestError;
@@ -57,6 +56,8 @@ class ClientSideEncryptionSpecTest extends FunctionalTestCase
         'awsTemporary: Insert a document with auto encryption using the AWS provider with temporary credentials' => 'Not yet implemented (PHPC-1751)',
         'awsTemporary: Insert with invalid temporary credentials' => 'Not yet implemented (PHPC-1751)',
         'azureKMS: Insert a document with auto encryption using Azure KMS provider' => 'RHEL platform is missing Azure root certificate (PHPLIB-619)',
+        'timeoutMS: timeoutMS applied to listCollections to get collection schema' => 'Not yet implemented (PHPC-1760)',
+        'timeoutMS: remaining timeoutMS applied to find to get keyvault data' => 'Not yet implemented (PHPC-1760)',
     ];
 
     public function setUp(): void
@@ -90,7 +91,7 @@ public static function assertCommandMatches(stdClass $expected, stdClass $actual
      * @param string      $databaseName   Name of database under test
      * @param string      $collectionName Name of collection under test
      */
-    public function testClientSideEncryption(stdClass $test, ?array $runOn, array $data, ?array $keyVaultData = null, $jsonSchema = null, ?string $databaseName = null, ?string $collectionName = null): void
+    public function testClientSideEncryption(stdClass $test, ?array $runOn, array $data, ?stdClass $encryptedFields = null, ?array $keyVaultData = null, ?stdClass $jsonSchema = null, ?string $databaseName = null, ?string $collectionName = null): void
     {
         if (isset(self::$incompleteTests[$this->dataDescription()])) {
             $this->markTestIncomplete(self::$incompleteTests[$this->dataDescription()]);
@@ -107,6 +108,11 @@ public function testClientSideEncryption(stdClass $test, ?array $runOn, array $d
         $databaseName = $databaseName ?? $this->getDatabaseName();
         $collectionName = $collectionName ?? $this->getCollectionName();
 
+        // TODO: Remove this once SERVER-66901 is implemented (see: PHPLIB-884)
+        if (isset($test->clientOptions->autoEncryptOpts->encryptedFieldsMap)) {
+            $test->clientOptions->autoEncryptOpts->encryptedFieldsMap = $this->prepareEncryptedFieldsMap($test->clientOptions->autoEncryptOpts->encryptedFieldsMap);
+        }
+
         try {
             $context = Context::fromClientSideEncryption($test, $databaseName, $collectionName);
         } catch (SkippedTestError $e) {
@@ -116,15 +122,15 @@ public function testClientSideEncryption(stdClass $test, ?array $runOn, array $d
         $this->setContext($context);
 
         self::insertKeyVaultData($context->getClient(), $keyVaultData);
-        $this->dropTestAndOutcomeCollections();
-        $this->createTestCollection($jsonSchema);
+        $this->dropTestAndOutcomeCollections(empty($encryptedFields) ? [] : ['encryptedFields' => $encryptedFields]);
+        $this->createTestCollection($encryptedFields, $jsonSchema);
         $this->insertDataFixtures($data);
 
         if (isset($test->failPoint)) {
             $this->configureFailPoint($test->failPoint);
         }
 
-        $context->enableEncryption();
+        $context->useEncryptedClientIfConfigured = true;
 
         if (isset($test->expectations)) {
             $commandExpectations = CommandExpectations::fromClientSideEncryption($context->getClient(), $test->expectations);
@@ -140,7 +146,7 @@ public function testClientSideEncryption(stdClass $test, ?array $runOn, array $d
             $commandExpectations->assert($this, $context);
         }
 
-        $context->disableEncryption();
+        $context->useEncryptedClientIfConfigured = false;
 
         if (isset($test->outcome->collection->data)) {
             $this->assertOutcomeCollectionData($test->outcome->collection->data, ResultExpectation::ASSERT_DOCUMENTS_MATCH);
@@ -169,6 +175,7 @@ public function provideTests()
             $runOn = $json->runOn ?? null;
             $data = $json->data ?? [];
             // phpcs:disable Squiz.NamingConventions.ValidVariableName.MemberNotCamelCaps
+            $encryptedFields = $json->encrypted_fields ?? null;
             $keyVaultData = $json->key_vault_data ?? null;
             $jsonSchema = $json->json_schema ?? null;
             $databaseName = $json->database_name ?? null;
@@ -177,7 +184,7 @@ public function provideTests()
 
             foreach ($json->tests as $test) {
                 $name = $group . ': ' . $test->description;
-                $testArgs[$name] = [$test, $runOn, $data, $keyVaultData, $jsonSchema, $databaseName, $collectionName];
+                $testArgs[$name] = [$test, $runOn, $data, $encryptedFields, $keyVaultData, $jsonSchema, $databaseName, $collectionName];
             }
         }
 
@@ -1331,11 +1338,20 @@ private function createInt64(string $value): Int64
         return unserialize($int64);
     }
 
-    private function createTestCollection($jsonSchema): void
+    private function createTestCollection(?stdClass $encryptedFields = null, ?stdClass $jsonSchema = null): void
     {
-        $options = empty($jsonSchema) ? [] : ['validator' => ['$jsonSchema' => $jsonSchema]];
-        $operation = new CreateCollection($this->getContext()->databaseName, $this->getContext()->collectionName, $options);
-        $operation->execute($this->getPrimaryServer());
+        $context = $this->getContext();
+        $options = $context->defaultWriteOptions;
+
+        if (! empty($encryptedFields)) {
+            $options['encryptedFields'] = $this->prepareEncryptedFields($encryptedFields);
+        }
+
+        if (! empty($jsonSchema)) {
+            $options['validator'] = ['$jsonSchema' => $jsonSchema];
+        }
+
+        $context->getDatabase()->createCollection($context->collectionName, $options);
     }
 
     private function encryptCorpusValue(string $fieldName, stdClass $data, ClientEncryption $clientEncryption)
@@ -1466,6 +1482,19 @@ private function prepareEncryptedFields(stdClass $encryptedFields): stdClass
         return $encryptedFields;
     }
 
+    /**
+     * @todo Remove this once SERVER-66901 is implemented
+     * @see https://jira.mongodb.org/browse/PHPLIB-884
+     */
+    private function prepareEncryptedFieldsMap(stdClass $encryptedFieldsMap): stdClass
+    {
+        foreach ($encryptedFieldsMap as $namespace => $encryptedFields) {
+            $encryptedFieldsMap->{$namespace} = $this->prepareEncryptedFields($encryptedFields);
+        }
+
+        return $encryptedFieldsMap;
+    }
+
     private function skipIfLocalMongocryptdIsUnavailable(): void
     {
         $paths = explode(PATH_SEPARATOR, getenv("PATH"));

tests/SpecTests/Context.php

@@ -57,15 +57,15 @@ final class Context
     /** @var object */
     public $session1Lsid;
 
+    /** @var bool */
+    public $useEncryptedClientIfConfigured = false;
+
     /** @var Client */
     private $internalClient;
 
     /** @var Client|null */
     private $encryptedClient;
 
-    /** @var bool */
-    private $useEncryptedClient = false;
-
     private function __construct(string $databaseName, ?string $collectionName)
     {
         $this->databaseName = $databaseName;
@@ -74,20 +74,6 @@ private function __construct(string $databaseName, ?string $collectionName)
         $this->internalClient = FunctionalTestCase::createTestClient();
     }
 
-    public function disableEncryption(): void
-    {
-        $this->useEncryptedClient = false;
-    }
-
-    public function enableEncryption(): void
-    {
-        if (! $this->encryptedClient instanceof Client) {
-            throw new LogicException('Cannot enable encryption without autoEncryption options');
-        }
-
-        $this->useEncryptedClient = true;
-    }
-
     public static function fromClientSideEncryption(stdClass $test, $databaseName, $collectionName)
     {
         $o = new self($databaseName, $collectionName);
@@ -127,6 +113,8 @@ public static function fromClientSideEncryption(stdClass $test, $databaseName, $
             $o->outcomeCollectionName = $test->outcome->collection->name;
         }
 
+        $o->defaultWriteOptions = ['writeConcern' => new WriteConcern(WriteConcern::MAJORITY)];
+
         $o->client = self::createTestClient(null, $clientOptions);
 
         if ($autoEncryptionOptions !== []) {
@@ -292,7 +280,7 @@ public static function getGCPCredentials(): array
 
     public function getClient(): Client
     {
-        return $this->useEncryptedClient && $this->encryptedClient ? $this->encryptedClient : $this->client;
+        return $this->useEncryptedClientIfConfigured && $this->encryptedClient ? $this->encryptedClient : $this->client;
     }
 
     public function getCollection(array $collectionOptions = [], array $databaseOptions = [])

tests/SpecTests/ErrorExpectation.php

@@ -144,6 +144,8 @@ public function assert(TestCase $test, ?Throwable $actual = null): void
                 $test->fail(sprintf("Operation threw unexpected %s: %s\n%s", get_class($actual), $actual->getMessage(), $actual->getTraceAsString()));
             }
 
+            $test->addToAssertionCount(1);
+
             return;
         }
 

tests/SpecTests/FunctionalTestCase.php

@@ -197,7 +197,7 @@ protected function setContext(Context $context): void
     /**
      * Drop the test and outcome collections by dropping them.
      */
-    protected function dropTestAndOutcomeCollections(): void
+    protected function dropTestAndOutcomeCollections(array $testCollectionDropOptions = []): void
     {
         $context = $this->getContext();
 
@@ -213,7 +213,7 @@ protected function dropTestAndOutcomeCollections(): void
         $collection = null;
         if ($context->collectionName !== null) {
             $collection = $context->getCollection($context->defaultWriteOptions);
-            $collection->drop();
+            $collection->drop($testCollectionDropOptions);
         }
 
         if ($context->outcomeCollectionName !== null) {

tests/SpecTests/client-side-encryption/tests/create-and-createIndexes.json

@@ -0,0 +1,115 @@
+{
+  "runOn": [
+    {
+      "minServerVersion": "4.1.10"
+    }
+  ],
+  "database_name": "default",
+  "collection_name": "default",
+  "data": [],
+  "tests": [
+    {
+      "description": "create is OK",
+      "clientOptions": {
+        "autoEncryptOpts": {
+          "kmsProviders": {
+            "local": {
+              "key": {
+                "$binary": {
+                  "base64": "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk",
+                  "subType": "00"
+                }
+              }
+            }
+          }
+        }
+      },
+      "operations": [
+        {
+          "name": "dropCollection",
+          "object": "database",
+          "arguments": {
+            "collection": "unencryptedCollection"
+          }
+        },
+        {
+          "name": "createCollection",
+          "object": "database",
+          "arguments": {
+            "collection": "unencryptedCollection",
+            "validator": {
+              "unencrypted_string": "foo"
+            }
+          }
+        },
+        {
+          "name": "assertCollectionExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "unencryptedCollection"
+          }
+        }
+      ]
+    },
+    {
+      "description": "createIndexes is OK",
+      "clientOptions": {
+        "autoEncryptOpts": {
+          "kmsProviders": {
+            "local": {
+              "key": {
+                "$binary": {
+                  "base64": "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk",
+                  "subType": "00"
+                }
+              }
+            }
+          }
+        }
+      },
+      "operations": [
+        {
+          "name": "dropCollection",
+          "object": "database",
+          "arguments": {
+            "collection": "unencryptedCollection"
+          }
+        },
+        {
+          "name": "createCollection",
+          "object": "database",
+          "arguments": {
+            "collection": "unencryptedCollection"
+          }
+        },
+        {
+          "name": "runCommand",
+          "object": "database",
+          "arguments": {
+            "command": {
+              "createIndexes": "unencryptedCollection",
+              "indexes": [
+                {
+                  "name": "name",
+                  "key": {
+                    "name": 1
+                  }
+                }
+              ]
+            }
+          }
+        },
+        {
+          "name": "assertIndexExists",
+          "object": "testRunner",
+          "arguments": {
+            "database": "default",
+            "collection": "unencryptedCollection",
+            "index": "name"
+          }
+        }
+      ]
+    }
+  ]
+}