-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(NODE-6390): Add timeoutMS support to auto encryption #4265
base: NODE-6090
Are you sure you want to change the base?
Conversation
Co-authored-by: Warren James <[email protected]>
Co-authored-by: Warren James <[email protected]>
lint fix prose test 2
…4243) Co-authored-by: Warren James <[email protected]> Co-authored-by: Neal Beeken <[email protected]> Co-authored-by: Bailey Pearson <[email protected]>
3591368
to
a645d9f
Compare
Co-authored-by: Warren James <[email protected]>
cd8aaa4
to
1d9034b
Compare
}); | ||
childProcess = spawn( | ||
'mongocryptd', | ||
['--port', mongocryptdTestPort, '--ipv6', '--pidfilepath', new ObjectId().toHexString()], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding a random pidfilepath
ensure it doesn't use the default mongod
pid path which can cause it to randomly fail
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because evergreen is frozen today, I can't test the pidfile changes. But I think they should work.
await stateMachine.execute( | ||
this, | ||
context, | ||
options.timeoutContext?.csotEnabled() ? options.timeoutContext : undefined |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
options.timeoutContext?.csotEnabled() ? options.timeoutContext : undefined | |
options.timeoutContext |
It doesn't matter if the context is a csot context or a legacy context, we should be able to pass it in regardless.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good!
@@ -0,0 +1,251 @@ | |||
import { expect } from 'chai'; | |||
import * as sinon from 'sinon'; | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is poorly named, but driver.test.ts
contains Node-driver specific tests for FLE. Can we move the tests from this file into driver.test.ts
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moved them!
}); | ||
childProcess = spawn( | ||
'mongocryptd', | ||
['--port', mongocryptdTestPort, '--ipv6', '--pidfilepath', new ObjectId().toHexString()], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we create the file in the temporary directory instead of the current directory?
const pidFile = path.join(
os.tmpDir(),
new ObjectId().toHexString()
)
Also - how would you feel about making this change to the two other places our tests spawn mongocryptd? (search for spawn('mongo
and three results should appear).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, made the change to the other instances too; I think it's a good call.
}); | ||
}); | ||
|
||
describe('State machine', function () { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have coverage for fetchCollectionInfo
as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just added it in, good catch!
client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | ||
monitorCommands: true | ||
family: 6, | ||
monitorCommands: true, | ||
serverSelectionTimeoutMS: 2000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was nice-to-have for debugging locally, but doesn't need to be in the test permanently.
client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | |
monitorCommands: true | |
family: 6, | |
monitorCommands: true, | |
serverSelectionTimeoutMS: 2000 | |
client = new MongoClient(`mongodb://localhost:${mongocryptdTestPort}/?timeoutMS=1000`, { | |
monitorCommands: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noted, just removed them!
}); | ||
|
||
it( | ||
'the command should fail due to a timeout error', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this test needs to fail something inside encryption. Otherwise, we don't have any coverage that asserts that we correctly pass the timeout context from CryptoConnection.command() -> AutoEncrypter.encrypt()/decrypt() -> StateMachine.execute()
- this test currently ensures that we pass the timeout context from CryptoConnection.command() -> Connection.command()
.
I think this could pretty easily be achieved by configuring an auto encrypted client to use the same cluster as the keyvault (we can provided a keyvault client to the MongoClient when configuring auto encryption), and setting a failpoint on a find
(used for list keys).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, made the change - added in data key creation
{ | ||
autoEncryption: { | ||
keyVaultNamespace: 'admin.datakeys', | ||
kmsProviders: { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually obtain kmsProviders from the CSFLE_KMS_PROVIDERS
environment variable (you can search for other usages of this in tests. I think range explicit encryption prose tests use this for a local kms provider, which is what you'd want). This requires FLE secrets to run locally - I can help you set this up if you'd like.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we can set up FLE secrets locally another day - I'm fine just testing on EVG for this work. Switched it over to use CSFLE_KMS_PROVIDERS + require FLE variables to run.
}); | ||
|
||
context('when client is provided timeoutMS and command hangs', function () { | ||
let encryptedClient; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(just a suggestion)
let encryptedClient; | |
let encryptedClient: MongoClient; |
Then you get red underlines and type hinting when writing tests using the client.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made the change in the other parts of the file too!
const err = await encryptedClient | ||
.db('test') | ||
.collection('test') | ||
.aggregate([]) | ||
.toArray() | ||
.catch(e => e); | ||
expect(err).to.deep.equal([]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usually, if we expect something not to fail, we don't catch the error because mocha considers a test to fail if an error is thrown:
const err = await encryptedClient | |
.db('test') | |
.collection('test') | |
.aggregate([]) | |
.toArray() | |
.catch(e => e); | |
expect(err).to.deep.equal([]); | |
await encryptedClient | |
.db('test') | |
.collection('test') | |
.aggregate([]) | |
.toArray() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(this applies to other "should not fail" tests in this file too)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good!
Description
Auto encryption
encrypt
anddecrypt
helpers now respecttimeoutMS
.What is changing?
timeoutContext
tostateMachine.execute
call inAutoEncrypter.encrypt/decrypt
StateMachine
helpers respectingtimeoutMS
CryptoConnection.command
respecting timeoutMSIs there new documentation needed for these changes?
No
What is the motivation for this change?
CSOT
Release Highlight
Double check the following
npm run check:lint
scripttype(NODE-xxxx)[!]: description
feat(NODE-1234)!: rewriting everything in coffeescript