CDRIVER-4584 support Queryable Encryption v2

.evergreen/scripts/compile-libmongocrypt.sh

@@ -5,16 +5,7 @@ compile_libmongocrypt() {
   declare -r mongoc_dir="${2:?}"
   declare -r install_dir="${3:?}"
 
-  git clone -q --depth=1 https://github.com/mongodb/libmongocrypt --branch 1.7.0 || return
-
-  # TODO: remove once latest libmongocrypt release contains commit c6f65fe6.
-  {
-    pushd libmongocrypt || return
-    echo "1.7.0+c6f65fe6" >|VERSION_CURRENT
-    git fetch -q origin master || return
-    git checkout -q c6f65fe6 || return # Allows -DENABLE_MONGOC=OFF.
-    popd || return                     # libmongocrypt
-  }
+  git clone -q --depth=1 https://github.com/mongodb/libmongocrypt --branch 1.8.0-alpha0 || return
 
   declare -a crypt_cmake_flags=(
     "-DMONGOCRYPT_MONGOC_DIR=${mongoc_dir}"

.evergreen/scripts/integration-tests.sh

@@ -92,6 +92,24 @@ find orchestration_configs -name \*.json | xargs perl -p -i -e "s|/tmp/orchestra
 export ORCHESTRATION_FILE="orchestration_configs/${TOPOLOGY}s/${ORCHESTRATION_FILE}.json"
 export ORCHESTRATION_URL="http://localhost:8889/v1/${TOPOLOGY}s"
 
+if [ "$CLIENT_SIDE_ENCRYPTION" = "on" -a "$MONGODB_VERSION" = "latest" ]; then
+  # This is a temporary workaround until featureFlagFLE2ProtocolVersion2 is enabled by default in SERVER-69563. Once latest server builds have SERVER-69563, this if block may be removed.
+  # DRIVERS-2590 tracks removal of this workaround.
+  echo "SERVER-69563: rewrite orchestration config to add setParameter featureFlagFLE2ProtocolVersion2=1 ... begin"
+  # Only attempt to enable the feature flag if the server is 7.0.0. The 'latest' builds may not be updated to 7.0 yet.
+  ACTUAL_MONGODB_VERSION=$(./mongodb/bin/mongod --version | head -1 | awk '{print $3}')
+  case $ACTUAL_MONGODB_VERSION in
+  v7*)
+   python $DIR/setfle2parameter.py $ORCHESTRATION_FILE > $ORCHESTRATION_FILE.modified
+   mv $ORCHESTRATION_FILE.modified $ORCHESTRATION_FILE
+   ;;
+  *)
+   echo "mongod version $ACTUAL_MONGODB_VERSION is not v7. Not enabling featureFlagFLE2ProtocolVersion2"
+   ;;
+  esac
+  echo "SERVER-69563: rewrite orchestration config to add setParameter featureFlagFLE2ProtocolVersion2=1 ... end"
+fi
+
 export TMPDIR=$MONGO_ORCHESTRATION_HOME/db
 echo From shell `date` > $MONGO_ORCHESTRATION_HOME/server.log
 

.evergreen/scripts/setfle2parameter.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+"""
+setfle2parameter.py modifies and prints an orchestration config file to add the `--setParameter featureFlagFLE2ProtocolVersion2=1` option to mongod and mongos.
+Usage: setfle2parameter.py <orchestration config file path>
+This file is a temporary workaround until featureFlagFLE2ProtocolVersion2 is enabled by default in SERVER-69563. Once latest server builds have SERVER-69563, this file may be removed.
+DRIVERS-2590 tracks removal of this file.
+"""
+
+import json
+import sys
+import unittest
+import os
+
+
+def do_rewrite(config):
+    did_rewrite = False
+
+    def rewrite_server(server):
+        if "procParams" in server:
+            if "setParameter" in server["procParams"]:
+                server["procParams"]["setParameter"]["featureFlagFLE2ProtocolVersion2"] = "1"
+            else:
+                server["procParams"]["setParameter"] = {
+                    "featureFlagFLE2ProtocolVersion2": "1"
+                }
+            return True
+        return False
+
+    # Rewrite for a server.
+    if rewrite_server(config):
+        did_rewrite = True
+    # Rewrite for each member in a replica set.
+    if "members" in config:
+        for server in config["members"]:
+            if rewrite_server(server):
+                did_rewrite = True
+    # Rewrite each shard.
+    if "shards" in config:
+        for shard in config["shards"]:
+            if "shardParams" in shard:
+                if "members" in shard["shardParams"]:
+                    for server in shard["shardParams"]["members"]:
+                        if rewrite_server (server):
+                            did_rewrite = True
+    # Rewrite each router.
+    if "routers" in config:
+        for router in config["routers"]:
+            # routers do not use `procParams`. Use setParameter directly.
+            if "setParameter" in router:
+                router["setParameter"]["featureFlagFLE2ProtocolVersion2"] = "1"
+            else:
+                router["setParameter"] = {
+                    "featureFlagFLE2ProtocolVersion2": "1"
+                }
+            did_rewrite = True
+
+
+    if not did_rewrite:
+        raise Exception(
+            "Did not add setParameter. Does the orchestration config have `procParams`?"
+        )
+    pass
+
+
+class TestRewrite(unittest.TestCase):
+    def test_rewrite(self):
+        # Test that setParameter is added for a server.
+        input = {
+            "procParams": {}
+        }
+        do_rewrite (input)
+        self.assertEqual (input, {
+            "procParams": {
+                "setParameter": {
+                    "featureFlagFLE2ProtocolVersion2": "1"
+                }
+            }
+        })
+
+        # Test that other setParameter values are kept for a server.
+        input = {
+            "procParams": {
+                "setParameter": {
+                    "foo": "bar"
+                }
+            }
+        }
+        do_rewrite (input)
+        self.assertEqual (input, {
+            "procParams": {
+                "setParameter": {
+                    "foo": "bar",
+                    "featureFlagFLE2ProtocolVersion2": "1"
+                }
+            }
+        })
+
+        # Test that setParameter is added for a replica_set.
+        input = {
+            "members": [
+                {"procParams": {}},
+                {"procParams": {}},
+            ]
+        }
+        do_rewrite(input)
+        self.assertEqual(
+            input,
+            {
+                "members": [
+                    {
+                        "procParams": {
+                            "setParameter": {"featureFlagFLE2ProtocolVersion2": "1"}
+                        }
+                    },
+                    {
+                        "procParams": {
+                            "setParameter": {"featureFlagFLE2ProtocolVersion2": "1"}
+                        }
+                    },
+                ]
+            },
+        )
+
+        # Test that setParameter is added for shards and routers.
+        input = {
+            "shards": [
+                {"shardParams": {"members": [{"procParams": {}}, {"procParams": {}}]}}
+            ],
+            "routers": [{}, {}],
+        }
+
+        do_rewrite(input)
+        self.assertEqual(
+            input,
+            {
+                "shards": [
+                    {
+                        "shardParams": {
+                            "members": [
+                                {
+                                    "procParams": {
+                                        "setParameter": {
+                                            "featureFlagFLE2ProtocolVersion2": "1"
+                                        }
+                                    }
+                                },
+                                {
+                                    "procParams": {
+                                        "setParameter": {
+                                            "featureFlagFLE2ProtocolVersion2": "1"
+                                        }
+                                    }
+                                },
+                            ]
+                        }
+                    }
+                ],
+                "routers": [
+                    {"setParameter": {"featureFlagFLE2ProtocolVersion2": "1"}},
+                    {"setParameter": {"featureFlagFLE2ProtocolVersion2": "1"}},
+                ],
+            },
+        )
+
+
+if __name__ == "__main__":
+    if os.environ.get("SELFTEST", "OFF") == "ON":
+        print("Doing self test")
+        unittest.main()
+        sys.exit(0)
+
+    if len(sys.argv) != 2:
+        print(
+            "Error: expected path to orchestration config file path as first argument"
+        )
+        print("Usage: setfle2parameter.py <orchestration config file path>")
+        sys.exit(1)
+
+    path = sys.argv[1]
+    with open(path, "r") as file:
+        config = json.loads(file.read())
+    do_rewrite(config)
+    print (json.dumps(config, indent=4))
+

src/libmongoc/CMakeLists.txt

@@ -441,10 +441,10 @@ elseif (NOT ENABLE_CLIENT_SIDE_ENCRYPTION STREQUAL OFF)
       find_package (mongocrypt QUIET)
    endif ()
 
-   if (mongocrypt_FOUND AND "${mongocrypt_VERSION}" VERSION_LESS 1.7.0)
+   if (mongocrypt_FOUND AND "${mongocrypt_VERSION}" VERSION_LESS 1.8.0)
       message ("--   libmongocrypt found at ${mongocrypt_DIR}")
       message ("--   libmongocrypt version ${mongocrypt_VERSION} found")
-      message ("--   libmongocrypt version 1.7.0 is required to enable Client-Side Field Level Encryption Support.")
+      message ("--   libmongocrypt version 1.8.0 is required to enable Client-Side Field Level Encryption Support.")
       set (REQUIRED_MONGOCRYPT_VERSION_FOUND OFF)
    elseif (mongocrypt_FOUND)
       set (REQUIRED_MONGOCRYPT_VERSION_FOUND ON)

src/libmongoc/src/mongoc/mongoc-crypt.c

@@ -1326,6 +1326,9 @@ _mongoc_crypt_new (const bson_t *kms_providers,
    crypt = bson_malloc0 (sizeof (*crypt));
    crypt->handle = mongocrypt_new ();
 
+   // Enable the QEv2 protocol.
+   mongocrypt_setopt_fle2v2 (crypt->handle, true);
+
    // Stash away a copy of the user's kmsProviders in case we need to lazily
    // load credentials.
    bson_copy_to (kms_providers, &crypt->kms_providers);

src/libmongoc/tests/json/client_side_encryption/legacy/fle2-BypassQueryAnalysis.json → src/libmongoc/tests/json/client_side_encryption/legacy/fle2v2-BypassQueryAnalysis.json

@@ -1,10 +1,12 @@
 {
   "runOn": [
     {
-      "minServerVersion": "6.0.0",
+      "minServerVersion": "7.0.0",
+      "serverless": "forbid",
       "topology": [
         "replicaset",
-        "sharded"
+        "sharded",
+        "load-balanced"
       ]
     }
   ],
@@ -74,36 +76,6 @@
       "masterKey": {
         "provider": "local"
       }
-    },
-    {
-      "_id": {
-        "$binary": {
-          "base64": "q83vqxI0mHYSNBI0VniQEg==",
-          "subType": "04"
-        }
-      },
-      "keyMaterial": {
-        "$binary": {
-          "base64": "HBk9BWihXExNDvTp1lUxOuxuZK2Pe2ZdVdlsxPEBkiO1bS4mG5NNDsQ7zVxJAH8BtdOYp72Ku4Y3nwc0BUpIKsvAKX4eYXtlhv5zUQxWdeNFhg9qK7qb8nqhnnLeT0f25jFSqzWJoT379hfwDeu0bebJHr35QrJ8myZdPMTEDYF08QYQ48ShRBli0S+QzBHHAQiM2iJNr4svg2WR8JSeWQ==",
-          "subType": "00"
-        }
-      },
-      "creationDate": {
-        "$date": {
-          "$numberLong": "1648914851981"
-        }
-      },
-      "updateDate": {
-        "$date": {
-          "$numberLong": "1648914851981"
-        }
-      },
-      "status": {
-        "$numberInt": "0"
-      },
-      "masterKey": {
-        "provider": "local"
-      }
     }
   ],
   "tests": [
@@ -132,7 +104,7 @@
               "_id": 1,
               "encryptedIndexed": {
                 "$binary": {
-                  "base64": "BHEBAAAFZAAgAAAAAHb62aV7+mqmaGcotPLdG3KP7S8diFwWMLM/5rYtqLrEBXMAIAAAAAAVJ6OWHRv3OtCozHpt3ZzfBhaxZirLv3B+G8PuaaO4EgVjACAAAAAAsZXWOWA+UiCBbrJNB6bHflB/cn7pWSvwWN2jw4FPeIUFcABQAAAAAMdD1nV2nqeI1eXEQNskDflCy8I7/HvvqDKJ6XxjhrPQWdLqjz+8GosGUsB7A8ee/uG9/guENuL25XD+Fxxkv1LLXtavHOlLF7iW0u9yabqqBXUAEAAAAAQSNFZ4EjSYdhI0EjRWeJASEHQAAgAAAAV2AE0AAAAAq83vqxI0mHYSNBI0VniQEkzZZBBDgeZh+h+gXEmOrSFtVvkUcnHWj/rfPW7iJ0G3UJ8zpuBmUM/VjOMJCY4+eDqdTiPIwX+/vNXegc8FZQAgAAAAAOuac/eRLYakKX6B0vZ1r3QodOQFfjqJD+xlGiPu4/PsAA==",
+                  "base64": "C18BAAAFZAAgAAAAANnt+eLTkv4GdDPl8IAfJOvTzArOgFJQ2S/DcLza4W0DBXMAIAAAAAD2u+omZme3P2gBPehMQyQHQ153tPN1+z7bksYA9jKTpAVwADAAAAAAUnCOQqIvmR65YKyYnsiVfVrg9hwUVO3RhhKExo3RWOzgaS0QdsBL5xKFS0JhZSoWBXUAEAAAAAQSNFZ4EjSYdhI0EjRWeJASEHQAAgAAAAV2AFAAAAAAEjRWeBI0mHYSNBI0VniQEpQbp/ZJpWBKeDtKLiXb0P2E9wvc0g3f373jnYQYlJquOrlPOoEy3ngsHPJuSUijvWDsrQzqYa349K7G/66qaXEFZQAgAAAAAOuac/eRLYakKX6B0vZ1r3QodOQFfjqJD+xlGiPu4/PsBWwAIAAAAACkm0o9bj6j0HuADKc0svbqO2UHj6GrlNdF6yKNxh63xRJrAAAAAAAAAAAAAA==",
                   "subType": "06"
                 }
               }
@@ -149,7 +121,7 @@
           "result": [
             {
               "_id": 1,
-              "encryptedIndexed": "value123"
+              "encryptedIndexed": "123"
             }
           ]
         }
@@ -175,7 +147,7 @@
                   "_id": 1,
                   "encryptedIndexed": {
                     "$binary": {
-                      "base64": "BHEBAAAFZAAgAAAAAHb62aV7+mqmaGcotPLdG3KP7S8diFwWMLM/5rYtqLrEBXMAIAAAAAAVJ6OWHRv3OtCozHpt3ZzfBhaxZirLv3B+G8PuaaO4EgVjACAAAAAAsZXWOWA+UiCBbrJNB6bHflB/cn7pWSvwWN2jw4FPeIUFcABQAAAAAMdD1nV2nqeI1eXEQNskDflCy8I7/HvvqDKJ6XxjhrPQWdLqjz+8GosGUsB7A8ee/uG9/guENuL25XD+Fxxkv1LLXtavHOlLF7iW0u9yabqqBXUAEAAAAAQSNFZ4EjSYdhI0EjRWeJASEHQAAgAAAAV2AE0AAAAAq83vqxI0mHYSNBI0VniQEkzZZBBDgeZh+h+gXEmOrSFtVvkUcnHWj/rfPW7iJ0G3UJ8zpuBmUM/VjOMJCY4+eDqdTiPIwX+/vNXegc8FZQAgAAAAAOuac/eRLYakKX6B0vZ1r3QodOQFfjqJD+xlGiPu4/PsAA==",
+                      "base64": "C18BAAAFZAAgAAAAANnt+eLTkv4GdDPl8IAfJOvTzArOgFJQ2S/DcLza4W0DBXMAIAAAAAD2u+omZme3P2gBPehMQyQHQ153tPN1+z7bksYA9jKTpAVwADAAAAAAUnCOQqIvmR65YKyYnsiVfVrg9hwUVO3RhhKExo3RWOzgaS0QdsBL5xKFS0JhZSoWBXUAEAAAAAQSNFZ4EjSYdhI0EjRWeJASEHQAAgAAAAV2AFAAAAAAEjRWeBI0mHYSNBI0VniQEpQbp/ZJpWBKeDtKLiXb0P2E9wvc0g3f373jnYQYlJquOrlPOoEy3ngsHPJuSUijvWDsrQzqYa349K7G/66qaXEFZQAgAAAAAOuac/eRLYakKX6B0vZ1r3QodOQFfjqJD+xlGiPu4/PsBWwAIAAAAACkm0o9bj6j0HuADKc0svbqO2UHj6GrlNdF6yKNxh63xRJrAAAAAAAAAAAAAA==",
                       "subType": "06"
                     }
                   }
@@ -229,39 +201,6 @@
             },
             "command_name": "find"
           }
-        },
-        {
-          "command_started_event": {
-            "command": {
-              "find": "datakeys",
-              "filter": {
-                "$or": [
-                  {
-                    "_id": {
-                      "$in": [
-                        {
-                          "$binary": {
-                            "base64": "q83vqxI0mHYSNBI0VniQEg==",
-                            "subType": "04"
-                          }
-                        }
-                      ]
-                    }
-                  },
-                  {
-                    "keyAltNames": {
-                      "$in": []
-                    }
-                  }
-                ]
-              },
-              "$db": "keyvault",
-              "readConcern": {
-                "level": "majority"
-              }
-            },
-            "command_name": "find"
-          }
         }
       ],
       "outcome": {
@@ -275,7 +214,7 @@
               "__safeContent__": [
                 {
                   "$binary": {
-                    "base64": "ThpoKfQ8AkOzkFfNC1+9PF0pY2nIzfXvRdxQgjkNbBw=",
+                    "base64": "31eCYlbQoVboc5zwC8IoyJVSkag9PxREka8dkmbXJeY=",
                     "subType": "00"
                   }
                 }

src/libmongoc/tests/json/client_side_encryption/legacy/fle2-Compact.json → src/libmongoc/tests/json/client_side_encryption/legacy/fle2v2-Compact.json

@@ -1,10 +1,12 @@
 {
   "runOn": [
     {
-      "minServerVersion": "6.0.0",
+      "minServerVersion": "7.0.0",
+      "serverless": "forbid",
       "topology": [
         "replicaset",
-        "sharded"
+        "sharded",
+        "load-balanced"
       ]
     }
   ],