feat(NODE-6390): Add timeoutMS support to auto encryption #4265
Conversation
Co-authored-by: Warren James <[email protected]>
Co-authored-by: Warren James <[email protected]>
lint fix prose test 2
…4243) Co-authored-by: Warren James <[email protected]> Co-authored-by: Neal Beeken <[email protected]> Co-authored-by: Bailey Pearson <[email protected]>
baileympearson
force-pushed
the
NODE-6090
branch
from
3591368
to
a645d9f
Compare
Co-authored-by: Warren James <[email protected]>
aditi-khare-mongoDB
force-pushed
the
NODE-6390/auto-encryption-csot
branch
from
cd8aaa4
to
1d9034b
Compare
| }); | ||
| childProcess = spawn( | ||
| 'mongocryptd', | ||
| ['--port', mongocryptdTestPort, '--ipv6', '--pidfilepath', new ObjectId().toHexString()], |
There was a problem hiding this comment.
Adding a random pidfilepath ensure it doesn't use the default mongod pid path which can cause it to randomly fail
baileympearson
added
the
Primary Review
| await stateMachine.execute( | ||
| this, | ||
| context, | ||
| options.timeoutContext?.csotEnabled() ? options.timeoutContext : undefined |
There was a problem hiding this comment.
| options.timeoutContext?.csotEnabled() ? options.timeoutContext : undefined | |
| options.timeoutContext |
It doesn't matter if the context is a csot context or a legacy context, we should be able to pass it in regardless.
There was a problem hiding this comment.
Sounds good!
| @@ -0,0 +1,251 @@ | |||
| import { expect } from 'chai'; | |||
| import * as sinon from 'sinon'; | |||
|
|
|||
There was a problem hiding this comment.
It is poorly named, but driver.test.ts contains Node-driver specific tests for FLE. Can we move the tests from this file into driver.test.ts?
There was a problem hiding this comment.
Moved them!
| }); | ||
| childProcess = spawn( | ||
| 'mongocryptd', | ||
| ['--port', mongocryptdTestPort, '--ipv6', '--pidfilepath', new ObjectId().toHexString()], |
There was a problem hiding this comment.
Could we create the file in the temporary directory instead of the current directory?
const pidFile = path.join(
os.tmpDir(),
new ObjectId().toHexString()
)Also - how would you feel about making this change to the two other places our tests spawn mongocryptd? (search for spawn('mongo and three results should appear).
There was a problem hiding this comment.
Yep, made the change to the other instances too; I think it's a good call.
| }); | ||
| }); | ||
|
|
||
| describe('State machine', function () { |
There was a problem hiding this comment.
Do we have coverage for fetchCollectionInfo as well?
There was a problem hiding this comment.
Just added it in, good catch!
| client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | ||
| monitorCommands: true | ||
| family: 6, | ||
| monitorCommands: true, | ||
| serverSelectionTimeoutMS: 2000 |
There was a problem hiding this comment.
This was nice-to-have for debugging locally, but doesn't need to be in the test permanently.
| client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | |
| monitorCommands: true | |
| family: 6, | |
| monitorCommands: true, | |
| serverSelectionTimeoutMS: 2000 | |
| client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | |
| monitorCommands: true, |
There was a problem hiding this comment.
Noted, just removed them!
| }); | ||
|
|
||
| it( | ||
| 'the command should fail due to a timeout error', |
There was a problem hiding this comment.
I think this test needs to fail something inside encryption. Otherwise, we don't have any coverage that asserts that we correctly pass the timeout context from CryptoConnection.command() -> AutoEncrypter.encrypt()/decrypt() -> StateMachine.execute() - this test currently ensures that we pass the timeout context from CryptoConnection.command() -> Connection.command().
I think this could pretty easily be achieved by configuring an auto encrypted client to use the same cluster as the keyvault (we can provided a keyvault client to the MongoClient when configuring auto encryption), and setting a failpoint on a find (used for list keys).
There was a problem hiding this comment.
Sounds good, made the change - added in data key creation
| { | ||
| autoEncryption: { | ||
| keyVaultNamespace: 'admin.datakeys', | ||
| kmsProviders: { |
There was a problem hiding this comment.
We usually obtain kmsProviders from the CSFLE_KMS_PROVIDERS environment variable (you can search for other usages of this in tests. I think range explicit encryption prose tests use this for a local kms provider, which is what you'd want). This requires FLE secrets to run locally - I can help you set this up if you'd like.
There was a problem hiding this comment.
Maybe we can set up FLE secrets locally another day - I'm fine just testing on EVG for this work. Switched it over to use CSFLE_KMS_PROVIDERS + require FLE variables to run.
| }); | ||
|
|
||
| context('when client is provided timeoutMS and command hangs', function () { | ||
| let encryptedClient; |
There was a problem hiding this comment.
(just a suggestion)
| let encryptedClient; | |
| let encryptedClient: MongoClient; |
Then you get red underlines and type hinting when writing tests using the client.
There was a problem hiding this comment.
Made the change in the other parts of the file too!
| const err = await encryptedClient | ||
| .db('test') | ||
| .collection('test') | ||
| .aggregate([]) | ||
| .toArray() | ||
| .catch(e => e); | ||
| expect(err).to.deep.equal([]); |
There was a problem hiding this comment.
Usually, if we expect something not to fail, we don't catch the error because mocha considers a test to fail if an error is thrown:
| const err = await encryptedClient | |
| .db('test') | |
| .collection('test') | |
| .aggregate([]) | |
| .toArray() | |
| .catch(e => e); | |
| expect(err).to.deep.equal([]); | |
| await encryptedClient | |
| .db('test') | |
| .collection('test') | |
| .aggregate([]) | |
| .toArray() |
There was a problem hiding this comment.
(this applies to other "should not fail" tests in this file too)
There was a problem hiding this comment.
Sounds good!
Description
Auto encryption
encryptanddecrypthelpers now respecttimeoutMS.What is changing?
timeoutContexttostateMachine.executecall inAutoEncrypter.encrypt/decryptStateMachinehelpers respectingtimeoutMSCryptoConnection.commandrespecting timeoutMSIs there new documentation needed for these changes?
No
What is the motivation for this change?
CSOT
Release Highlight
Double check the following
npm run check:lintscripttype(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript