439 lines
21 KiB
YAML
439 lines
21 KiB
YAML
# To ensure consistent ordering for expectResult matching purposes, find
|
|
# commands sort the resulting documents in ascending order by the single-element
|
|
# keyAltNames array to ensure alphabetic order by original KMS provider as
|
|
# defined in initialData.
|
|
description: rewrapManyDataKey
|
|
|
|
schemaVersion: "1.8"
|
|
|
|
runOnRequirements:
|
|
- csfle: true
|
|
|
|
createEntities:
|
|
- client:
|
|
id: &client0 client0
|
|
observeEvents:
|
|
- commandStartedEvent
|
|
- clientEncryption:
|
|
id: &clientEncryption0 clientEncryption0
|
|
clientEncryptionOpts:
|
|
keyVaultClient: *client0
|
|
keyVaultNamespace: keyvault.datakeys
|
|
kmsProviders:
|
|
aws: { accessKeyId: { $$placeholder: 1 }, secretAccessKey: { $$placeholder: 1 } }
|
|
azure: { tenantId: { $$placeholder: 1 }, clientId: { $$placeholder: 1 }, clientSecret: { $$placeholder: 1 } }
|
|
gcp: { email: { $$placeholder: 1 }, privateKey: { $$placeholder: 1 } }
|
|
kmip: { endpoint: { $$placeholder: 1 } }
|
|
local: { key: { $$placeholder: 1 } }
|
|
- database:
|
|
id: &database0 database0
|
|
client: *client0
|
|
databaseName: &database0Name keyvault
|
|
- collection:
|
|
id: &collection0 collection0
|
|
database: *database0
|
|
collectionName: &collection0Name datakeys
|
|
|
|
initialData:
|
|
- databaseName: *database0Name
|
|
collectionName: *collection0Name
|
|
documents:
|
|
- _id: &aws_key_id { $binary: { base64: YXdzYXdzYXdzYXdzYXdzYQ==, subType: "04" } }
|
|
keyAltNames: ["aws_key"]
|
|
keyMaterial: { $binary: { base64: AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gFXJqbF0Fy872MD7xl56D/2AAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDO7HPisPUlGzaio9vgIBEIB7/Qow46PMh/8JbEUbdXgTGhLfXPE+KIVW7T8s6YEMlGiRvMu7TV0QCIUJlSHPKZxzlJ2iwuz5yXeOag+EdY+eIQ0RKrsJ3b8UTisZYzGjfzZnxUKLzLoeXremtRCm3x47wCuHKd1dhh6FBbYt5TL2tDaj+vL2GBrKat2L, subType: "00" } }
|
|
creationDate: { $date: { $numberLong: "1641024000000" } }
|
|
updateDate: { $date: { $numberLong: "1641024000000" } }
|
|
status: 1
|
|
masterKey: &aws_masterkey
|
|
provider: aws
|
|
key: arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0
|
|
region: us-east-1
|
|
- _id: &azure_key_id { $binary: { base64: YXp1cmVhenVyZWF6dXJlYQ==, subType: "04" } }
|
|
keyAltNames: ["azure_key"]
|
|
keyMaterial: { $binary: { base64: pr01l7qDygUkFE/0peFwpnNlv3iIy8zrQK38Q9i12UCN2jwZHDmfyx8wokiIKMb9kAleeY+vnt3Cf1MKu9kcDmI+KxbNDd+V3ytAAGzOVLDJr77CiWjF9f8ntkXRHrAY9WwnVDANYkDwXlyU0Y2GQFTiW65jiQhUtYLYH63Tk48SsJuQvnWw1Q+PzY8ga+QeVec8wbcThwtm+r2IHsCFnc72Gv73qq7weISw+O4mN08z3wOp5FOS2ZM3MK7tBGmPdBcktW7F8ODGsOQ1FU53OrWUnyX2aTi2ftFFFMWVHqQo7EYuBZHru8RRODNKMyQk0BFfKovAeTAVRv9WH9QU7g==, subType: "00" } }
|
|
creationDate: { $date: { $numberLong: "1641024000000" } }
|
|
updateDate: { $date: { $numberLong: "1641024000000" } }
|
|
status: 1
|
|
masterKey: &azure_masterkey
|
|
provider: azure
|
|
keyVaultEndpoint: key-vault-csfle.vault.azure.net
|
|
keyName: key-name-csfle
|
|
- _id: &gcp_key_id { $binary: { base64: Z2NwZ2NwZ2NwZ2NwZ2NwZw==, subType: "04" } }
|
|
keyAltNames: ["gcp_key"]
|
|
keyMaterial: { $binary: { base64: CiQAIgLj0USbQtof/pYRLQO96yg/JEtZbD1UxKueaC37yzT5tTkSiQEAhClWB5ZCSgzHgxv8raWjNB4r7e8ePGdsmSuYTYmLC5oHHS/BdQisConzNKFaobEQZHamTCjyhy5NotKF8MWoo+dyfQApwI29+vAGyrUIQCXzKwRnNdNQ+lb3vJtS5bqvLTvSxKHpVca2kqyC9nhonV+u4qru5Q2bAqUgVFc8fL4pBuvlowZFTQ==, subType: "00" } }
|
|
creationDate: { $date: { $numberLong: "1641024000000" } }
|
|
updateDate: { $date: { $numberLong: "1641024000000" } }
|
|
status: 1
|
|
masterKey: &gcp_masterkey
|
|
provider: gcp
|
|
projectId: devprod-drivers
|
|
location: global
|
|
keyRing: key-ring-csfle
|
|
keyName: key-name-csfle
|
|
- _id: &kmip_key_id { $binary: { base64: a21pcGttaXBrbWlwa21pcA==, subType: "04" } }
|
|
keyAltNames: ["kmip_key"]
|
|
keyMaterial: { $binary: { base64: CklVctHzke4mcytd0TxGqvepkdkQN8NUF4+jV7aZQITAKdz6WjdDpq3lMt9nSzWGG2vAEfvRb3mFEVjV57qqGqxjq2751gmiMRHXz0btStbIK3mQ5xbY9kdye4tsixlCryEwQONr96gwlwKKI9Nubl9/8+uRF6tgYjje7Q7OjauEf1SrJwKcoQ3WwnjZmEqAug0kImCpJ/irhdqPzivRiA==, subType: "00" } }
|
|
creationDate: { $date: { $numberLong: "1641024000000" } }
|
|
updateDate: { $date: { $numberLong: "1641024000000" } }
|
|
status: 1
|
|
masterKey: &kmip_masterkey
|
|
provider: kmip
|
|
keyId: "1"
|
|
- _id: &local_key_id { $binary: { base64: bG9jYWxrZXlsb2NhbGtleQ==, subType: "04" } }
|
|
keyAltNames: ["local_key"]
|
|
keyMaterial: { $binary: { base64: ABKBldDEoDW323yejOnIRk6YQmlD9d3eQthd16scKL75nz2LjNL9fgPDZWrFFOlqlhMCFaSrNJfGrFUjYk5JFDO7soG5Syb50k1niJoKg4ilsj0L4mpimFUtTpOr2nzZOeQtvAksEXc7gsFgq8gV7t/U3lsaXPY7I0t42DfSE8EGlPdxRjFdHnxh+OR8h7U9b8Qs5K5UuhgyeyxaBZ1Hgw==, subType: "00" } }
|
|
creationDate: { $date: { $numberLong: "1641024000000" } }
|
|
updateDate: { $date: { $numberLong: "1641024000000" } }
|
|
status: 1
|
|
masterKey: &local_masterkey
|
|
provider: local
|
|
|
|
tests:
|
|
- description: "no keys to rewrap due to no filter matches"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: no_matching_keys }
|
|
opts:
|
|
provider: local
|
|
expectResult:
|
|
# If no bulk write operation, then no bulk write result.
|
|
bulkWriteResult: { $$exists: false }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: no_matching_keys }
|
|
readConcern: { level: majority }
|
|
|
|
- description: "rewrap with new AWS KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: { $ne: aws_key } }
|
|
opts:
|
|
provider: aws
|
|
# Different key: 89fcc2c4-08b0-4bd9-9f25-e30687b580d0 -> 061334ae-07a8-4ceb-a813-8135540e837d.
|
|
masterKey: &new_aws_masterkey
|
|
key: arn:aws:kms:us-east-1:579766882180:key/061334ae-07a8-4ceb-a813-8135540e837d
|
|
region: us-east-1
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 4
|
|
modifiedCount: 4
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: { $ne: aws_key } }
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: aws, <<: *new_aws_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
|
|
- description: "rewrap with new Azure KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: { $ne: azure_key } }
|
|
opts:
|
|
provider: azure
|
|
masterKey: &new_azure_masterkey
|
|
keyVaultEndpoint: key-vault-csfle.vault.azure.net
|
|
keyName: key-name-csfle
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 4
|
|
modifiedCount: 4
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: { $ne: azure_key } }
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: azure, <<: *new_azure_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
|
|
- description: "rewrap with new GCP KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: { $ne: gcp_key } }
|
|
opts:
|
|
provider: gcp
|
|
masterKey: &new_gcp_masterkey
|
|
projectId: devprod-drivers
|
|
location: global
|
|
keyRing: key-ring-csfle
|
|
keyName: key-name-csfle
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 4
|
|
modifiedCount: 4
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: { $ne: gcp_key } }
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: gcp, <<: *new_gcp_masterkey }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
|
|
- description: "rewrap with new KMIP KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: { $ne: kmip_key } }
|
|
opts:
|
|
provider: kmip
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 4
|
|
modifiedCount: 4
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: { $ne: kmip_key } }
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: kmip, keyId: { $$type: string } }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
|
|
- description: "rewrap with new local KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: { keyAltNames: { $ne: local_key } }
|
|
opts:
|
|
provider: local
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 4
|
|
modifiedCount: 4
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: { keyAltNames: { $ne: local_key } }
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { provider: local }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
|
|
- description: "rewrap with current KMS provider"
|
|
operations:
|
|
- name: rewrapManyDataKey
|
|
object: *clientEncryption0
|
|
arguments:
|
|
filter: {}
|
|
expectResult:
|
|
bulkWriteResult:
|
|
insertedCount: 0
|
|
matchedCount: 5
|
|
modifiedCount: 5
|
|
deletedCount: 0
|
|
upsertedCount: 0
|
|
upsertedIds: {}
|
|
insertedIds: { $$unsetOrMatches: {} }
|
|
- name: find
|
|
object: *collection0
|
|
arguments:
|
|
filter: {}
|
|
projection: { masterKey: 1 }
|
|
sort: { keyAltNames: 1 }
|
|
expectResult:
|
|
- { _id: *aws_key_id, masterKey: *aws_masterkey }
|
|
- { _id: *azure_key_id, masterKey: *azure_masterkey }
|
|
- { _id: *gcp_key_id, masterKey: *gcp_masterkey }
|
|
- { _id: *kmip_key_id, masterKey: *kmip_masterkey }
|
|
- { _id: *local_key_id, masterKey: *local_masterkey }
|
|
expectEvents:
|
|
- client: *client0
|
|
events:
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
find: *collection0Name
|
|
filter: {}
|
|
readConcern: { level: majority }
|
|
- commandStartedEvent:
|
|
databaseName: *database0Name
|
|
command:
|
|
update: *collection0Name
|
|
ordered: true
|
|
updates:
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
- q: { _id: { $$type: binData } }
|
|
u: { $set: { masterKey: { $$type: object }, keyMaterial: { $$type: binData } }, $currentDate: { updateDate: true } }
|
|
multi: { $$unsetOrMatches: false }
|
|
upsert: { $$unsetOrMatches: false }
|
|
writeConcern: { w: majority }
|
|
- commandStartedEvent: { commandName: find }
|