## Summary

This PR includes tests and documentation for the new feature: named KMS providers.

https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.

Named KMS providers require libmongocrypt with MONGOCRYPT-605. libmongocrypt binaries to test are available on the upload-all task.

## Background

Previously supported KMS providers were only: `aws`, `azure`, `gcp`, `kmip`, and `local`. The KMS provider is now expanded to support name suffixes (e.g. `local:myname`).

Named KMS providers enable more than one of each KMS provider type to be configured. Example: libmongocrypt can now support more than one `local` KMS provider configured:

```python
kms_providers = {
    "local": {"key": local_kek1},         # Unnamed KMS provider.
    "local:myname": {"key": local_kek2},  # Named KMS provider with name "myname".
}
```

Named KMS providers are further described in DBX Scope: Support Named KMS Providers.

## Tests

The following specification tests are added:

- `namedKMS.yml` tests automatic encryption.
- `namedKMS-rewrapManyDataKey.yml` tests key rewrapping. This was noted as a motivation in DRIVERS-2731.
- `namedKMS-explicit.yml` tests explicit encryption. This introduces use of the `encrypt` and `decrypt` operations.
- `namedKMS-createDataKey.yml` tests creating data keys with named KMS providers.

The Unified Test Format schema 1.18 is added to allow `additionalProperties` and `patternProperties` in `kmsProviders`.

Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers. This is motivated by necessary changes in the C driver to support named KMS providers in the `KMSProvidersTLSOptions`.

Tests refer to additional KMS providers: `local:name1`, `aws:name1`, `gcp:name1`, `azure:name1`, and `kmip:name1`.

The `name1` KMS providers may be configured exactly as the unnamed KMS providers, i.e. `aws:name1` is configured the same as `aws`.

To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: `local:name2` and `aws:name2`.

This PR proposes not adding `azure:name2`, `gcp:name2`, or `kmip:name2` with distinct credentials. I expect there is little value gained in testing all external KMS providers, and it requires managing more accounts.

Test credentials for `aws:name2` are available in AWS Secrets Manager under `drivers/csfle`. The `aws:name2` account credentials are in `FLE_AWS_KEY2` and `FLE_AWS_SECRET2`. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

Please complete the following before merging:

- [x] Make sure there are generated JSON files from the YAML test files.
- [x] Test changes in at least one language driver. Tested in C.
- ~~[ ] Test these changes against all server versions and topologies (including standalone, replica set, sharded clusters, and serverless).~~ C does not run Client-Side Encryption tests with sharded or serverless.