mongodb / specifications

Specifications related to MongoDB
http://specifications.readthedocs.io/en/latest

DRIVERS-2731 support named KMS providers #1492

Closed kevinAlbs closed 8 months ago

kevinAlbs commented 9 months ago

Summary

This PR includes tests and documentation for the new feature: named KMS providers.

https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.

Named KMS providers require libmongocrypt with MONGOCRYPT-605. libmongocrypt binaries to test are available on the upload-all task.

Background

Previously supported KMS providers were only: aws, azure, gcp, kmip, and local. The KMS provider is now expanded to support name suffixes. (e.g. local:myname).

Named KMS providers enable more than one of each KMS provider type to be configured. Example: libmongocrypt can now support more than one local KMS provider configured:

kms_providers = {
    "local": {"key": local_kek1},         # Unnamed KMS provider.
    "local:myname": {"key": local_kek2},  # Named KMS provider with name "myname".
}

Named KMS providers are further described in DBX Scope: Support Named KMS Providers.

Tests

The following specification tests are added:

The Unified Test Format schema 1.18 is added to allow additionalProperties patternProperties in kmsProviders.

Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers. This is motivated by necessary changes in the C driver to support named KMS providers in the KMSProvidersTLSOptions.

Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1.

The name1 KMS providers may be configured exactly as the unnamed KMS providers. I.e. aws:name1 is configured the same as aws.

To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2.

This PR proposes not adding azure:name2, gcp:name2, kmip:name2 with distinct credentials. I expect there is little gained value in testing all external KMS providers. And it requires managing more accounts.

Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_KEY2 and FLE_AWS_SECRET2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

Please complete the following before merging:
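The following is an added example, not code from this PR, the C driver, or libmongocrypt. It shows how a driver-side check of a kms_providers mapping can enforce the type:name form described above, treat each named entry as an independent credential set (so "local:name2" never falls back to "local"), and reject entries missing their provider type's credential fields. The name-suffix pattern, the per-type required fields, and the 96-byte local key length are assumptions taken from the CSFLE specification rather than from this page; the AWS values are constructed placeholders.

```python
import os
import re
from typing import Any, Dict, Optional, Tuple

# Provider types named in the PR description.
KMS_TYPES = {"aws", "azure", "gcp", "kmip", "local"}

# Assumed rule for the name suffix: alphanumerics and underscores only.
NAME_RE = re.compile(r"^[a-zA-Z0-9_]+$")

# Assumed credential fields each provider type must carry (from the CSFLE spec).
REQUIRED_FIELDS = {
    "local": {"key"},
    "aws": {"accessKeyId", "secretAccessKey"},
    "azure": {"tenantId", "clientId", "clientSecret"},
    "gcp": {"email", "privateKey"},
    "kmip": {"endpoint"},
}

LOCAL_KEY_LEN = 96  # assumed: local KEK is a 96-byte key


def parse_provider(provider: str) -> Tuple[str, Optional[str]]:
    """Split 'type' or 'type:name' into (type, name); None means unnamed."""
    kms_type, sep, name = provider.partition(":")
    if kms_type not in KMS_TYPES:
        raise ValueError(f"unknown KMS provider type: {kms_type!r}")
    if not sep:
        return kms_type, None
    # A bare trailing colon ('local:') yields an empty name and is rejected too.
    if not NAME_RE.match(name):
        raise ValueError(f"invalid KMS provider name: {name!r}")
    return kms_type, name


def validate_kms_providers(kms_providers: Dict[str, Any]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Check every entry and return {provider: (type, name)} for the valid mapping."""
    resolved = {}
    for provider, creds in kms_providers.items():
        kms_type, name = parse_provider(provider)
        if not isinstance(creds, dict):
            raise ValueError(f"{provider}: credentials must be a document")
        missing = REQUIRED_FIELDS[kms_type] - set(creds)
        if missing:
            raise ValueError(f"{provider}: missing fields {sorted(missing)}")
        if kms_type == "local" and len(creds["key"]) != LOCAL_KEY_LEN:
            raise ValueError(f"{provider}: local key must be {LOCAL_KEY_LEN} bytes")
        resolved[provider] = (kms_type, name)
    return resolved


def credentials_for(kms_providers: Dict[str, Any], provider: str) -> Dict[str, Any]:
    """Exact lookup: a named provider is its own entry, with no fallback to the unnamed one."""
    parse_provider(provider)  # reject malformed names before touching the mapping
    if provider not in kms_providers:
        raise KeyError(f"KMS provider {provider!r} is not configured")
    return kms_providers[provider]


# Constructed sample configuration: two local providers with distinct KEKs,
# plus a named aws provider configured exactly like an unnamed aws provider.
LOCAL_KEK1 = os.urandom(LOCAL_KEY_LEN)
LOCAL_KEK2 = os.urandom(LOCAL_KEY_LEN)
SAMPLE_KMS_PROVIDERS = {
    "local": {"key": LOCAL_KEK1},
    "local:name2": {"key": LOCAL_KEK2},
    "aws:name1": {
        "accessKeyId": "AKIA-PLACEHOLDER",           # constructed placeholder
        "secretAccessKey": "SECRET-PLACEHOLDER",     # constructed placeholder
    },
}

if __name__ == "__main__":
    for provider, (kms_type, name) in validate_kms_providers(SAMPLE_KMS_PROVIDERS).items():
        print(f"{provider}: type={kms_type} name={name}")
```

The check runs before any key vault or KMS call is made, so a misconfigured or misspelled provider name fails at client construction rather than at first encrypt; the exact-match lookup in credentials_for is what keeps the two local providers' KEKs from being confused.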