{ "runOn": [ { "minServerVersion": "4.1.10" } ], "database_name": "default", "collection_name": "default", "data": [ { "_id": 1, "encrypted_string": { "$binary": { "base64": "AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==", "subType": "06" } } }, { "_id": 2, "encrypted_string": { "$binary": { "base64": "AQAAAAAAAAAAAAAAAAAAAAACDdw4KFz3ZLquhsbt7RmDjD0N67n0uSXx7IGnQNCLeIKvot6s/ouI21Eo84IOtb6lhwUNPlSEBNY0/hbszWAKJg==", "subType": "06" } } } ], "json_schema": { "properties": { "encrypted_w_altname": { "encrypt": { "keyId": "/altname", "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } }, "encrypted_string": { "encrypt": { "keyId": [ { "$binary": { "base64": "AAAAAAAAAAAAAAAAAAAAAA==", "subType": "04" } } ], "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } }, "random": { "encrypt": { "keyId": [ { "$binary": { "base64": "AAAAAAAAAAAAAAAAAAAAAA==", "subType": "04" } } ], "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } }, "encrypted_string_equivalent": { "encrypt": { "keyId": [ { "$binary": { "base64": "AAAAAAAAAAAAAAAAAAAAAA==", "subType": "04" } } ], "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } } }, "bsonType": "object" }, "key_vault_data": [ { "status": 1, "_id": { "$binary": { "base64": "AAAAAAAAAAAAAAAAAAAAAA==", "subType": "04" } }, "masterKey": { "provider": "aws", "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", "region": "us-east-1" }, "updateDate": { "$date": { "$numberLong": "1552949630483" } }, "keyMaterial": { "$binary": { "base64": "AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO", "subType": "00" } }, "creationDate": { "$date": { "$numberLong": "1552949630483" } }, "keyAltNames": [ "altname", "another_altname" ] } ], "tests": [ { "description": "$text unconditionally fails", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "$text": { "$search": "search text" } } }, "result": { "errorContains": "Unsupported match expression operator for encryption" } } ] }, { "description": "$where unconditionally fails", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "$where": { "$code": "function() { return true }" } } }, "result": { "errorContains": "Unsupported match expression operator for encryption" } } ] }, { "description": "$bit operators succeed on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "unencrypted": { "$bitsAllClear": 35 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$bitsAllClear": 35 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$bitsAllSet": 35 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$bitsAllSet": 35 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$bitsAnyClear": 35 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$bitsAnyClear": 35 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$bitsAnySet": 35 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$bitsAnySet": 35 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } } ] }, { "description": "geo operators succeed on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "unencrypted": { "$near": [ 0, 0 ] } } }, "result": { "errorContains": "unable to find index" } }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$near": [ 0, 0 ] } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$nearSphere": [ 0, 0 ] } } }, "result": { "errorContains": "unable to find index" } }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$nearSphere": [ 0, 0 ] } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$geoIntersects": { "$geometry": { "type": "Polygon", "coordinates": [ [ [ 0, 0 ], [ 1, 0 ], [ 1, 1 ], [ 0, 0 ] ] ] } } } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$geoIntersects": { "$geometry": { "type": "Polygon", "coordinates": [ [ [ 0, 0 ], [ 1, 0 ], [ 1, 1 ], [ 0, 0 ] ] ] } } } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$geoWithin": { "$geometry": { "type": "Polygon", "coordinates": [ [ [ 0, 0 ], [ 1, 0 ], [ 1, 1 ], [ 0, 0 ] ] ] } } } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$geoWithin": { "$geometry": { "type": "Polygon", "coordinates": [ [ [ 0, 0 ], [ 1, 0 ], [ 1, 1 ], [ 0, 0 ] ] ] } } } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } } ] }, { "description": "inequality operators succeed on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "unencrypted": { "$gt": 1 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$gt": 1 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$lt": 1 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$lt": 1 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$gte": 1 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$gte": 1 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$lte": 1 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$lte": 1 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } } ] }, { "description": "other misc operators succeed on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "find", "arguments": { "filter": { "unencrypted": { "$mod": [ 3, 1 ] } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$mod": [ 3, 1 ] } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$regex": "pattern", "$options": "" } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$regex": "pattern", "$options": "" } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$size": 2 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$size": 2 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$type": 2 } } }, "result": [] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$type": 2 } } }, "result": { "errorContains": "Invalid match expression operator on encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$eq": null } } }, "result": [ { "_id": 1, "encrypted_string": "string0" }, { "_id": 2, "encrypted_string": "string1" } ] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$eq": null } } }, "result": { "errorContains": "Illegal equality to null predicate for encrypted field" } }, { "name": "find", "arguments": { "filter": { "unencrypted": { "$in": [ null ] } } }, "result": [ { "_id": 1, "encrypted_string": "string0" }, { "_id": 2, "encrypted_string": "string1" } ] }, { "name": "find", "arguments": { "filter": { "encrypted_string": { "$in": [ null ] } } }, "result": { "errorContains": "Illegal equality to null inside $in against an encrypted field" } } ] }, { "description": "$addToSet succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$addToSet": { "unencrypted": [ "a" ] } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$addToSet": { "encrypted_string": [ "a" ] } } }, "result": { "errorContains": "$addToSet not allowed on encrypted values" } } ] }, { "description": "$inc succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$inc": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$inc": { "encrypted_string": 1 } } }, "result": { "errorContains": "$inc and $mul not allowed on encrypted values" } } ] }, { "description": "$mul succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$mul": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$mul": { "encrypted_string": 1 } } }, "result": { "errorContains": "$inc and $mul not allowed on encrypted values" } } ] }, { "description": "$max succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$max": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$max": { "encrypted_string": 1 } } }, "result": { "errorContains": "$max and $min not allowed on encrypted values" } } ] }, { "description": "$min succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$min": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$min": { "encrypted_string": 1 } } }, "result": { "errorContains": "$max and $min not allowed on encrypted values" } } ] }, { "description": "$currentDate succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$currentDate": { "unencrypted": true } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$currentDate": { "encrypted_string": true } } }, "result": { "errorContains": "$currentDate not allowed on encrypted values" } } ] }, { "description": "$pop succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pop": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 0, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pop": { "encrypted_string": 1 } } }, "result": { "errorContains": "$pop not allowed on encrypted values" } } ] }, { "description": "$pull succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pull": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 0, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pull": { "encrypted_string": 1 } } }, "result": { "errorContains": "$pull not allowed on encrypted values" } } ] }, { "description": "$pullAll succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pullAll": { "unencrypted": [ 1 ] } } }, "result": { "matchedCount": 1, "modifiedCount": 0, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$pullAll": { "encrypted_string": [ 1 ] } } }, "result": { "errorContains": "$pullAll not allowed on encrypted values" } } ] }, { "description": "$push succeeds on unencrypted, error on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$push": { "unencrypted": 1 } } }, "result": { "matchedCount": 1, "modifiedCount": 1, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": {}, "update": { "$push": { "encrypted_string": 1 } } }, "result": { "errorContains": "$push not allowed on encrypted values" } } ] }, { "description": "array filters on encrypted fields does not error in mongocryptd, but errors in mongod", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$set": { "encrypted_string.$[i].x": 1 } }, "arrayFilters": [ { "i.x": 1 } ] }, "result": { "errorContains": "Array update operations not allowed on encrypted values" } } ] }, { "description": "positional operator succeeds on unencrypted, errors on encrypted", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": { "unencrypted": 1 }, "update": { "$set": { "unencrypted.$": 1 } } }, "result": { "matchedCount": 0, "modifiedCount": 0, "upsertedCount": 0 } }, { "name": "updateOne", "arguments": { "filter": { "encrypted_string": "abc" }, "update": { "$set": { "encrypted_string.$": "abc" } } }, "result": { "errorContains": "Cannot encrypt fields below '$' positional update operator" } } ] }, { "description": "an update that would produce an array on an encrypted field errors", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "updateOne", "arguments": { "filter": {}, "update": { "$set": { "encrypted_string": [ 1, 2 ] } } }, "result": { "errorContains": "Cannot encrypt element of type" } } ] }, { "description": "an insert with encrypted field on _id errors", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} }, "schemaMap": { "default.default": { "properties": { "_id": { "encrypt": { "keyId": [ { "$binary": { "base64": "AAAAAAAAAAAAAAAAAAAAAA==", "subType": "04" } } ], "bsonType": "string", "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } } } } } } }, "operations": [ { "name": "insertOne", "arguments": { "document": { "_id": 1 } }, "result": { "errorContains": "Invalid schema containing the 'encrypt' keyword." } } ] }, { "description": "an insert with an array value for an encrypted field fails", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "insertOne", "arguments": { "document": { "encrypted_string": [ "123", "456" ] } }, "result": { "errorContains": "Cannot encrypt element of type" } } ] }, { "description": "an insert with a Timestamp(0,0) value in the top-level fails", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "insertOne", "arguments": { "document": { "random": { "$timestamp": { "t": 0, "i": 0 } } } }, "result": { "errorContains": "A command that inserts cannot supply Timestamp(0, 0) for an encrypted" } } ] }, { "description": "distinct with the key referring to a field where the keyID is a JSON Pointer errors", "clientOptions": { "autoEncryptOpts": { "kmsProviders": { "aws": {} } } }, "operations": [ { "name": "distinct", "arguments": { "filter": {}, "fieldName": "encrypted_w_altname" }, "result": { "errorContains": "The distinct key is not allowed to be marked for encryption with a non-UUID keyId" } } ] } ] }