From 07bda37adacb0c5b1dfc71f1259cf18631341afb Mon Sep 17 00:00:00 2001 From: Joseph Dougherty Date: Tue, 27 Sep 2022 14:29:44 -0400 Subject: [PATCH 1/3] DOCP-23618 mongosh examples --- .../aws/reader/insert_encrypted_document.js | 123 +++++++++++++++++ .../mongosh/aws/reader/make_data_key.js | 127 +++++++++++++++++ .../mongosh/aws/reader/your_credentials.js | 45 ++++++ .../azure/reader/insert_encrypted_document.js | 124 +++++++++++++++++ .../mongosh/azure/reader/make_data_key.js | 128 +++++++++++++++++ .../mongosh/azure/reader/your_credentials.js | 47 +++++++ .../gcp/reader/insert_encrypted_document.js | 123 +++++++++++++++++ .../mongosh/gcp/reader/make_data_key.js | 129 ++++++++++++++++++ .../mongosh/gcp/reader/your_credentials.js | 48 +++++++ .../local/reader/insert_encrypted_document.js | 125 +++++++++++++++++ .../mongosh/local/reader/make_data_key.js | 127 +++++++++++++++++ .../mongosh/local/reader/your_credentials.js | 39 ++++++ 12 files changed, 1185 insertions(+) create mode 100644 queryable-encryption/mongosh/aws/reader/insert_encrypted_document.js create mode 100644 queryable-encryption/mongosh/aws/reader/make_data_key.js create mode 100644 queryable-encryption/mongosh/aws/reader/your_credentials.js create mode 100644 queryable-encryption/mongosh/azure/reader/insert_encrypted_document.js create mode 100644 queryable-encryption/mongosh/azure/reader/make_data_key.js create mode 100644 queryable-encryption/mongosh/azure/reader/your_credentials.js create mode 100644 queryable-encryption/mongosh/gcp/reader/insert_encrypted_document.js create mode 100644 queryable-encryption/mongosh/gcp/reader/make_data_key.js create mode 100644 queryable-encryption/mongosh/gcp/reader/your_credentials.js create mode 100644 queryable-encryption/mongosh/local/reader/insert_encrypted_document.js create mode 100644 queryable-encryption/mongosh/local/reader/make_data_key.js create mode 100644 queryable-encryption/mongosh/local/reader/your_credentials.js diff --git a/queryable-encryption/mongosh/aws/reader/insert_encrypted_document.js b/queryable-encryption/mongosh/aws/reader/insert_encrypted_document.js new file mode 100644 index 0000000..523311f --- /dev/null +++ b/queryable-encryption/mongosh/aws/reader/insert_encrypted_document.js @@ -0,0 +1,123 @@ +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-key-vault +const keyVaultDB = "encryption"; +const keyVaultColl = "__keyVault"; +const keyVaultNamespace = `${keyVaultDB}.${keyVaultColl}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; +// end-key-vault + +// start-kmsproviders +const kmsProviders = { + aws: { + accessKeyId: credentials["AWS_ACCESS_KEY_ID"], + secretAccessKey: credentials["AWS_SECRET_ACCESS_KEY"], + }, +}; +// end-kmsproviders + +async function run() { + // start-schema + const uri = credentials.MONGODB_URI; + const unencryptedClient = Mongo(uri); + const autoEncryptionOpts = { kmsProviders, keyVaultNamespace }; + + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + const keyVaultClient = unencryptedClient + .getDB(keyVaultDB) + .getCollection(keyVaultColl); + + const dek1 = keyVaultClient.findOne({ keyAltNames: "dataKey1" }); + const dek2 = keyVaultClient.findOne({ keyAltNames: "dataKey2" }); + const dek3 = keyVaultClient.findOne({ keyAltNames: "dataKey3" }); + const dek4 = keyVaultClient.findOne({ keyAltNames: "dataKey4" }); + + const secretDB = "medicalRecords"; + const secretColl = "patients"; + + const encryptedFieldsMap = { + [`${secretDB}.${secretColl}`]: { + fields: [ + { + keyId: dek1._id, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2._id, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3._id, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4._id, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + // end-schema + + // start-extra-options + // end-extra-options + + // start-client + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encryptedClient = Mongo(uri, autoEncryptionOptions); + const encryptedColl = encryptedClient + .getDB(secretDB) + .getCollection(secretColl); + const unencryptedColl = unencryptedClient + .getDB(secretDB) + .getCollection(secretColl); + // end-client + + try { + // start-insert + encryptedColl.insertOne({ + firstName: "Jon", + lastName: "Doe", + patientId: 12345678, + address: "157 Electric Ave.", + patientRecord: { + ssn: "987-65-4320", + billing: { + type: "Visa", + number: "4111111111111111", + }, + }, + medications: ["Atorvastatin", "Levothyroxine"], + }); + // end-insert + + // start-find + console.log("Finding a document with regular (non-encrypted) client."); + console.log(unencryptedColl.findOne({ firstName: /Jon/ })); + console.log( + "Finding a document with encrypted client, searching on an encrypted field" + ); + console.log(encryptedColl.findOne({ "patientRecord.ssn": "987-65-4320" })); + // end-find + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/aws/reader/make_data_key.js b/queryable-encryption/mongosh/aws/reader/make_data_key.js new file mode 100644 index 0000000..55bec83 --- /dev/null +++ b/queryable-encryption/mongosh/aws/reader/make_data_key.js @@ -0,0 +1,127 @@ +const keyVaultDatabase = "encryption"; +const keyVaultCollection = "__keyVault"; +const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; + +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-kmsproviders +const provider = "aws"; +const kmsProviders = { + aws: { + accessKeyId: credentials["AWS_ACCESS_KEY_ID"], + secretAccessKey: credentials["AWS_SECRET_ACCESS_KEY"], + }, +}; +// end-kmsproviders + +// start-datakeyopts +const masterKey = { + key: credentials["AWS_KEY_ARN"], + region: credentials["AWS_KEY_REGION"], +}; +// end-datakeyopts + +async function run() { + // start-create-index + const uri = credentials.MONGODB_URI; + const keyVaultClient = Mongo(uri); + const keyVaultDB = keyVaultClient.getDB(keyVaultDatabase); + // Drop the Key Vault Collection in case you created this collection + // in a previous run of this application. + keyVaultDB.dropDatabase(); + keyVaultDB.createCollection(keyVaultCollection); + + const keyVaultColl = keyVaultDB.getCollection(keyVaultCollection); + keyVaultColl.createIndex( + { keyAltNames: 1 }, + { + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } }, + } + ); + // end-create-index + + // start-create-dek + const autoEncryptionOpts = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + }; + + // start-create-dek + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + + const dek1 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey1"], + }); + const dek2 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey2"], + }); + const dek3 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey3"], + }); + const dek4 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey4"], + }); + // end-create-dek + + // start-create-enc-collection + const encryptedFieldsMap = { + [`${secretDB}.${secretCollection}`]: { + fields: [ + { + keyId: dek1, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + + try { + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encClient = Mongo(uri, autoEncryptionOptions); + const newEncDB = encClient.getDB(secretDB); + // Drop the encrypted collection in case you created this collection + // in a previous run of this application. + newEncDB.dropDatabase(); + newEncDB.createCollection(secretCollection); + console.log("Created encrypted collection!"); + // end-create-enc-collection + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/aws/reader/your_credentials.js b/queryable-encryption/mongosh/aws/reader/your_credentials.js new file mode 100644 index 0000000..8be0718 --- /dev/null +++ b/queryable-encryption/mongosh/aws/reader/your_credentials.js @@ -0,0 +1,45 @@ +/* +return credentials object and ensure it has been populated +**/ +function getCredentials() { + checkForPlaceholders(); + return credentials; +} + +const credentials = { + // Mongo Paths + URI + MONGODB_URI: "", + SHARED_LIB_PATH: "", + + // AWS Credentials + AWS_ACCESS_KEY_ID: "", + AWS_SECRET_ACCESS_KEY: "", + AWS_KEY_REGION: "", + AWS_KEY_ARN: "", +}; + +/* +check if credentials object contains placeholder values +**/ +function checkForPlaceholders() { + const errorBuffer = Array(); + const placeholderPattern = /^<.*>$/; + for (const [key, value] of Object.entries(credentials)) { + // check for placeholder text + if (`${value}`.match(placeholderPattern)) { + errorMessage = `You must fill out the ${key} field of your credentials object.`; + errorBuffer.push(errorMessage); + } + // check if value is empty + else if (value == undefined) { + error_message = `The value for ${key} is empty. Please enter something for this value.`; + } + } + // raise an error if errors in buffer + if (errorBuffer.length > 0) { + message = errorBuffer.join("\n"); + throw message; + } +} + +module.exports = { getCredentials }; diff --git a/queryable-encryption/mongosh/azure/reader/insert_encrypted_document.js b/queryable-encryption/mongosh/azure/reader/insert_encrypted_document.js new file mode 100644 index 0000000..ff984ad --- /dev/null +++ b/queryable-encryption/mongosh/azure/reader/insert_encrypted_document.js @@ -0,0 +1,124 @@ +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-key-vault +const keyVaultDB = "encryption"; +const keyVaultColl = "__keyVault"; +const keyVaultNamespace = `${keyVaultDB}.${keyVaultColl}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; +// end-key-vault + +// start-kmsproviders +const kmsProviders = { + azure: { + tenantId: credentials["AZURE_TENANT_ID"], + clientId: credentials["AZURE_CLIENT_ID"], + clientSecret: credentials["AZURE_CLIENT_SECRET"], + }, +}; +// end-kmsproviders + +async function run() { + // start-schema + const uri = credentials.MONGODB_URI; + const unencryptedClient = Mongo(uri); + const autoEncryptionOpts = { kmsProviders, keyVaultNamespace }; + + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + const keyVaultClient = unencryptedClient + .getDB(keyVaultDB) + .getCollection(keyVaultColl); + + const dek1 = keyVaultClient.findOne({ keyAltNames: "dataKey1" }); + const dek2 = keyVaultClient.findOne({ keyAltNames: "dataKey2" }); + const dek3 = keyVaultClient.findOne({ keyAltNames: "dataKey3" }); + const dek4 = keyVaultClient.findOne({ keyAltNames: "dataKey4" }); + + const secretDB = "medicalRecords"; + const secretColl = "patients"; + + const encryptedFieldsMap = { + [`${secretDB}.${secretColl}`]: { + fields: [ + { + keyId: dek1._id, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2._id, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3._id, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4._id, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + // end-schema + + // start-extra-options + // end-extra-options + + // start-client + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encryptedClient = Mongo(uri, autoEncryptionOptions); + const encryptedColl = encryptedClient + .getDB(secretDB) + .getCollection(secretColl); + const unencryptedColl = unencryptedClient + .getDB(secretDB) + .getCollection(secretColl); + // end-client + + try { + // start-insert + encryptedColl.insertOne({ + firstName: "Jon", + lastName: "Doe", + patientId: 12345678, + address: "157 Electric Ave.", + patientRecord: { + ssn: "987-65-4320", + billing: { + type: "Visa", + number: "4111111111111111", + }, + }, + medications: ["Atorvastatin", "Levothyroxine"], + }); + // end-insert + + // start-find + console.log("Finding a document with regular (non-encrypted) client."); + console.log(unencryptedColl.findOne({ firstName: /Jon/ })); + console.log( + "Finding a document with encrypted client, searching on an encrypted field" + ); + console.log(encryptedColl.findOne({ "patientRecord.ssn": "987-65-4320" })); + // end-find + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/azure/reader/make_data_key.js b/queryable-encryption/mongosh/azure/reader/make_data_key.js new file mode 100644 index 0000000..4de5ab7 --- /dev/null +++ b/queryable-encryption/mongosh/azure/reader/make_data_key.js @@ -0,0 +1,128 @@ +const keyVaultDatabase = "encryption"; +const keyVaultCollection = "__keyVault"; +const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; + +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-kmsproviders +const provider = "azure"; +const kmsProviders = { + azure: { + tenantId: credentials["AZURE_TENANT_ID"], + clientId: credentials["AZURE_CLIENT_ID"], + clientSecret: credentials["AZURE_CLIENT_SECRET"], + }, +}; +// end-kmsproviders + +// start-datakeyopts +const masterKey = { + keyVaultEndpoint: credentials["AZURE_KEY_VAULT_ENDPOINT"], + keyName: credentials["AZURE_KEY_NAME"], +}; +// end-datakeyopts + +async function run() { + // start-create-index + const uri = credentials.MONGODB_URI; + const keyVaultClient = Mongo(uri); + const keyVaultDB = keyVaultClient.getDB(keyVaultDatabase); + // Drop the Key Vault Collection in case you created this collection + // in a previous run of this application. + keyVaultDB.dropDatabase(); + keyVaultDB.createCollection(keyVaultCollection); + + const keyVaultColl = keyVaultDB.getCollection(keyVaultCollection); + keyVaultColl.createIndex( + { keyAltNames: 1 }, + { + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } }, + } + ); + // end-create-index + + // start-create-dek + const autoEncryptionOpts = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + }; + + // start-create-dek + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + + const dek1 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey1"], + }); + const dek2 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey2"], + }); + const dek3 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey3"], + }); + const dek4 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey4"], + }); + // end-create-dek + + // start-create-enc-collection + const encryptedFieldsMap = { + [`${secretDB}.${secretCollection}`]: { + fields: [ + { + keyId: dek1, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + + try { + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encClient = Mongo(uri, autoEncryptionOptions); + const newEncDB = encClient.getDB(secretDB); + // Drop the encrypted collection in case you created this collection + // in a previous run of this application. + newEncDB.dropDatabase(); + newEncDB.createCollection(secretCollection); + console.log("Created encrypted collection!"); + // end-create-enc-collection + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/azure/reader/your_credentials.js b/queryable-encryption/mongosh/azure/reader/your_credentials.js new file mode 100644 index 0000000..2061cd7 --- /dev/null +++ b/queryable-encryption/mongosh/azure/reader/your_credentials.js @@ -0,0 +1,47 @@ +/* +return credentials object and ensure it has been populated +**/ +function getCredentials() { + checkForPlaceholders(); + return credentials; +} + +const credentials = { + // Mongo Paths + URI + MONGODB_URI: "", + SHARED_LIB_PATH: "", + + // Azure Credentials + AZURE_TENANT_ID: "", + AZURE_CLIENT_ID: "", + AZURE_CLIENT_SECRET: "", + AZURE_KEY_NAME: "", + AZURE_KEY_VERSION: "", + AZURE_KEY_VAULT_ENDPOINT: "", +}; + +/* +check if credentials object contains placeholder values +**/ +function checkForPlaceholders() { + const errorBuffer = Array(); + const placeholderPattern = /^<.*>$/; + for (const [key, value] of Object.entries(credentials)) { + // check for placeholder text + if (`${value}`.match(placeholderPattern)) { + errorMessage = `You must fill out the ${key} field of your credentials object.`; + errorBuffer.push(errorMessage); + } + // check if value is empty + else if (value == undefined) { + error_message = `The value for ${key} is empty. Please enter something for this value.`; + } + } + // raise an error if errors in buffer + if (errorBuffer.length > 0) { + message = errorBuffer.join("\n"); + throw message; + } +} + +module.exports = { getCredentials }; diff --git a/queryable-encryption/mongosh/gcp/reader/insert_encrypted_document.js b/queryable-encryption/mongosh/gcp/reader/insert_encrypted_document.js new file mode 100644 index 0000000..b259dff --- /dev/null +++ b/queryable-encryption/mongosh/gcp/reader/insert_encrypted_document.js @@ -0,0 +1,123 @@ +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-key-vault +const keyVaultDB = "encryption"; +const keyVaultColl = "__keyVault"; +const keyVaultNamespace = `${keyVaultDB}.${keyVaultColl}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; +// end-key-vault + +// start-kmsproviders +const kmsProviders = { + gcp: { + email: credentials["GCP_EMAIL"], + privateKey: credentials["GCP_PRIVATE_KEY"], + }, +}; +// end-kmsproviders + +async function run() { + // start-schema + const uri = credentials.MONGODB_URI; + const unencryptedClient = Mongo(uri); + const autoEncryptionOpts = { kmsProviders, keyVaultNamespace }; + + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + const keyVaultClient = unencryptedClient + .getDB(keyVaultDB) + .getCollection(keyVaultColl); + + const dek1 = keyVaultClient.findOne({ keyAltNames: "dataKey1" }); + const dek2 = keyVaultClient.findOne({ keyAltNames: "dataKey2" }); + const dek3 = keyVaultClient.findOne({ keyAltNames: "dataKey3" }); + const dek4 = keyVaultClient.findOne({ keyAltNames: "dataKey4" }); + + const secretDB = "medicalRecords"; + const secretColl = "patients"; + + const encryptedFieldsMap = { + [`${secretDB}.${secretColl}`]: { + fields: [ + { + keyId: dek1._id, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2._id, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3._id, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4._id, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + // end-schema + + // start-extra-options + // end-extra-options + + // start-client + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encryptedClient = Mongo(uri, autoEncryptionOptions); + const encryptedColl = encryptedClient + .getDB(secretDB) + .getCollection(secretColl); + const unencryptedColl = unencryptedClient + .getDB(secretDB) + .getCollection(secretColl); + // end-client + + try { + // start-insert + encryptedColl.insertOne({ + firstName: "Jon", + lastName: "Doe", + patientId: 12345678, + address: "157 Electric Ave.", + patientRecord: { + ssn: "987-65-4320", + billing: { + type: "Visa", + number: "4111111111111111", + }, + }, + medications: ["Atorvastatin", "Levothyroxine"], + }); + // end-insert + + // start-find + console.log("Finding a document with regular (non-encrypted) client."); + console.log(unencryptedColl.findOne({ firstName: /Jon/ })); + console.log( + "Finding a document with encrypted client, searching on an encrypted field" + ); + console.log(encryptedColl.findOne({ "patientRecord.ssn": "987-65-4320" })); + // end-find + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/gcp/reader/make_data_key.js b/queryable-encryption/mongosh/gcp/reader/make_data_key.js new file mode 100644 index 0000000..a234ec0 --- /dev/null +++ b/queryable-encryption/mongosh/gcp/reader/make_data_key.js @@ -0,0 +1,129 @@ +const keyVaultDatabase = "encryption"; +const keyVaultCollection = "__keyVault"; +const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; + +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-kmsproviders +const provider = "gcp"; +const kmsProviders = { + gcp: { + email: credentials["GCP_EMAIL"], + privateKey: credentials["GCP_PRIVATE_KEY"], + }, +}; +// end-kmsproviders + +// start-datakeyopts +const masterKey = { + projectId: credentials["GCP_PROJECT_ID"], + location: credentials["GCP_LOCATION"], + keyRing: credentials["GCP_KEY_RING"], + keyName: credentials["GCP_KEY_NAME"], +}; +// end-datakeyopts + +async function run() { + // start-create-index + const uri = credentials.MONGODB_URI; + const keyVaultClient = Mongo(uri); + const keyVaultDB = keyVaultClient.getDB(keyVaultDatabase); + // Drop the Key Vault Collection in case you created this collection + // in a previous run of this application. + keyVaultDB.dropDatabase(); + keyVaultDB.createCollection(keyVaultCollection); + + const keyVaultColl = keyVaultDB.getCollection(keyVaultCollection); + keyVaultColl.createIndex( + { keyAltNames: 1 }, + { + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } }, + } + ); + // end-create-index + + // start-create-dek + const autoEncryptionOpts = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + }; + + // start-create-dek + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + + const dek1 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey1"], + }); + const dek2 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey2"], + }); + const dek3 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey3"], + }); + const dek4 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey4"], + }); + // end-create-dek + + // start-create-enc-collection + const encryptedFieldsMap = { + [`${secretDB}.${secretCollection}`]: { + fields: [ + { + keyId: dek1, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + + try { + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encClient = Mongo(uri, autoEncryptionOptions); + const newEncDB = encClient.getDB(secretDB); + // Drop the encrypted collection in case you created this collection + // in a previous run of this application. + newEncDB.dropDatabase(); + newEncDB.createCollection(secretCollection); + console.log("Created encrypted collection!"); + // end-create-enc-collection + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/gcp/reader/your_credentials.js b/queryable-encryption/mongosh/gcp/reader/your_credentials.js new file mode 100644 index 0000000..b59797f --- /dev/null +++ b/queryable-encryption/mongosh/gcp/reader/your_credentials.js @@ -0,0 +1,48 @@ +/* +return credentials object and ensure it has been populated +**/ +function getCredentials() { + checkForPlaceholders(); + return credentials; +} + +const credentials = { + // Mongo Paths + URI + MONGODB_URI: "", + SHARED_LIB_PATH: "", + + // GCP Credentials + GCP_EMAIL: "", + GCP_PRIVATE_KEY: "", + GCP_PROJECT_ID: "", + GCP_LOCATION: "", + GCP_KEY_RING: "", + GCP_KEY_NAME: "", + GCP_KEY_VERSION: "", +}; + +/* +check if credentials object contains placeholder values +**/ +function checkForPlaceholders() { + const errorBuffer = Array(); + const placeholderPattern = /^<.*>$/; + for (const [key, value] of Object.entries(credentials)) { + // check for placeholder text + if (`${value}`.match(placeholderPattern)) { + errorMessage = `You must fill out the ${key} field of your credentials object.`; + errorBuffer.push(errorMessage); + } + // check if value is empty + else if (value == undefined) { + error_message = `The value for ${key} is empty. Please enter something for this value.`; + } + } + // raise an error if errors in buffer + if (errorBuffer.length > 0) { + message = errorBuffer.join("\n"); + throw message; + } +} + +module.exports = { getCredentials }; diff --git a/queryable-encryption/mongosh/local/reader/insert_encrypted_document.js b/queryable-encryption/mongosh/local/reader/insert_encrypted_document.js new file mode 100644 index 0000000..329b9c1 --- /dev/null +++ b/queryable-encryption/mongosh/local/reader/insert_encrypted_document.js @@ -0,0 +1,125 @@ +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-key-vault +const keyVaultDB = "encryption"; +const keyVaultColl = "__keyVault"; +const keyVaultNamespace = `${keyVaultDB}.${keyVaultColl}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; +// end-key-vault + +// start-kmsproviders +const provider = "local"; +const path = "./master-key.txt"; +const localMasterKey = fs.readFileSync(path); +const kmsProviders = { + local: { + key: localMasterKey, + }, +}; +// end-kmsproviders + +async function run() { + // start-schema + const uri = credentials.MONGODB_URI; + const unencryptedClient = Mongo(uri); + const autoEncryptionOpts = { kmsProviders, keyVaultNamespace }; + + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + const keyVaultClient = unencryptedClient + .getDB(keyVaultDB) + .getCollection(keyVaultColl); + + const dek1 = keyVaultClient.findOne({ keyAltNames: "dataKey1" }); + const dek2 = keyVaultClient.findOne({ keyAltNames: "dataKey2" }); + const dek3 = keyVaultClient.findOne({ keyAltNames: "dataKey3" }); + const dek4 = keyVaultClient.findOne({ keyAltNames: "dataKey4" }); + + const secretDB = "medicalRecords"; + const secretColl = "patients"; + + const encryptedFieldsMap = { + [`${secretDB}.${secretColl}`]: { + fields: [ + { + keyId: dek1._id, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2._id, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3._id, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4._id, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + // end-schema + + // start-extra-options + // end-extra-options + + // start-client + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encryptedClient = Mongo(uri, autoEncryptionOptions); + const encryptedColl = encryptedClient + .getDB(secretDB) + .getCollection(secretColl); + const unencryptedColl = unencryptedClient + .getDB(secretDB) + .getCollection(secretColl); + // end-client + + try { + // start-insert + encryptedColl.insertOne({ + firstName: "Jon", + lastName: "Doe", + patientId: 12345678, + address: "157 Electric Ave.", + patientRecord: { + ssn: "987-65-4320", + billing: { + type: "Visa", + number: "4111111111111111", + }, + }, + medications: ["Atorvastatin", "Levothyroxine"], + }); + // end-insert + + // start-find + console.log("Finding a document with regular (non-encrypted) client."); + console.log(unencryptedColl.findOne({ firstName: /Jon/ })); + console.log( + "Finding a document with encrypted client, searching on an encrypted field" + ); + console.log(encryptedColl.findOne({ "patientRecord.ssn": "987-65-4320" })); + // end-find + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/local/reader/make_data_key.js b/queryable-encryption/mongosh/local/reader/make_data_key.js new file mode 100644 index 0000000..53d284b --- /dev/null +++ b/queryable-encryption/mongosh/local/reader/make_data_key.js @@ -0,0 +1,127 @@ +const keyVaultDatabase = "encryption"; +const keyVaultCollection = "__keyVault"; +const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; + +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +try { + fs.writeFileSync("./master-key.txt", crypto.randomBytes(96)); +} catch (err) { + console.error(err); +} + +// start-kmsproviders +const provider = "local"; +const path = "./master-key.txt"; +// WARNING: Do not use a local key file in a production application +const localMasterKey = fs.readFileSync(path); +const kmsProviders = { + local: { + key: localMasterKey, + }, +}; +// end-kmsproviders + +// start-datakeyopts +// end-datakeyopts + +async function run() { + // start-create-index + const uri = credentials.MONGODB_URI; + const keyVaultClient = Mongo(uri); + const keyVaultDB = keyVaultClient.getDB(keyVaultDatabase); + // Drop the Key Vault Collection in case you created this collection + // in a previous run of this application. + keyVaultDB.dropDatabase(); + keyVaultDB.createCollection(keyVaultCollection); + + const keyVaultColl = keyVaultDB.getCollection(keyVaultCollection); + keyVaultColl.createIndex( + { keyAltNames: 1 }, + { + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } }, + } + ); + // end-create-index + + // start-create-dek + const autoEncryptionOpts = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + }; + + // start-create-dek + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + + const dek1 = keyVault.createKey(provider, { + keyAltNames: ["dataKey1"], + }); + const dek2 = keyVault.createKey(provider, { + keyAltNames: ["dataKey2"], + }); + const dek3 = keyVault.createKey(provider, { + keyAltNames: ["dataKey3"], + }); + const dek4 = keyVault.createKey(provider, { + keyAltNames: ["dataKey4"], + }); + // end-create-dek + + // start-create-enc-collection + const encryptedFieldsMap = { + [`${secretDB}.${secretCollection}`]: { + fields: [ + { + keyId: dek1, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + + try { + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encClient = Mongo(uri, autoEncryptionOptions); + const newEncDB = encClient.getDB(secretDB); + // Drop the encrypted collection in case you created this collection + // in a previous run of this application. + newEncDB.dropDatabase(); + newEncDB.createCollection(secretCollection); + console.log("Created encrypted collection!"); + // end-create-enc-collection + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/local/reader/your_credentials.js b/queryable-encryption/mongosh/local/reader/your_credentials.js new file mode 100644 index 0000000..4799a69 --- /dev/null +++ b/queryable-encryption/mongosh/local/reader/your_credentials.js @@ -0,0 +1,39 @@ +/* +return credentials object and ensure it has been populated +**/ +function getCredentials() { + checkForPlaceholders(); + return credentials; +} + +const credentials = { + // Mongo Paths + URI + MONGODB_URI: "", + SHARED_LIB_PATH: "", +}; + +/* +check if credentials object contains placeholder values +**/ +function checkForPlaceholders() { + const errorBuffer = Array(); + const placeholderPattern = /^<.*>$/; + for (const [key, value] of Object.entries(credentials)) { + // check for placeholder text + if (`${value}`.match(placeholderPattern)) { + errorMessage = `You must fill out the ${key} field of your credentials object.`; + errorBuffer.push(errorMessage); + } + // check if value is empty + else if (value == undefined) { + error_message = `The value for ${key} is empty. Please enter something for this value.`; + } + } + // raise an error if errors in buffer + if (errorBuffer.length > 0) { + message = errorBuffer.join("\n"); + throw message; + } +} + +module.exports = { getCredentials }; From 42d8e04ffe658cdf5f36a5a321c7768ba7286403 Mon Sep 17 00:00:00 2001 From: Joseph Dougherty Date: Mon, 3 Oct 2022 10:47:47 -0400 Subject: [PATCH 2/3] adds mongosh examples --- .../mongosh/aws/reader/make_data_key.js | 1 - .../mongosh/azure/reader/make_data_key.js | 1 - .../mongosh/azure/reader/your_credentials.js | 1 - .../mongosh/gcp/reader/make_data_key.js | 1 - .../mongosh/gcp/reader/your_credentials.js | 1 - .../kmip/reader/insert_encrypted_document.js | 133 ++++++++++++++++++ .../mongosh/kmip/reader/make_data_key.js | 132 +++++++++++++++++ .../mongosh/kmip/reader/your_credentials.js | 48 +++++++ .../mongosh/local/reader/make_data_key.js | 1 - .../mongosh/local/reader/your_credentials.js | 1 - 10 files changed, 313 insertions(+), 7 deletions(-) create mode 100644 queryable-encryption/mongosh/kmip/reader/insert_encrypted_document.js create mode 100644 queryable-encryption/mongosh/kmip/reader/make_data_key.js create mode 100644 queryable-encryption/mongosh/kmip/reader/your_credentials.js diff --git a/queryable-encryption/mongosh/aws/reader/make_data_key.js b/queryable-encryption/mongosh/aws/reader/make_data_key.js index 55bec83..b6690c9 100644 --- a/queryable-encryption/mongosh/aws/reader/make_data_key.js +++ b/queryable-encryption/mongosh/aws/reader/make_data_key.js @@ -106,7 +106,6 @@ async function run() { const autoEncryptionOptions = { keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, - bypassQueryAnalysis: false, encryptedFieldsMap: encryptedFieldsMap, }; diff --git a/queryable-encryption/mongosh/azure/reader/make_data_key.js b/queryable-encryption/mongosh/azure/reader/make_data_key.js index 4de5ab7..a3db074 100644 --- a/queryable-encryption/mongosh/azure/reader/make_data_key.js +++ b/queryable-encryption/mongosh/azure/reader/make_data_key.js @@ -107,7 +107,6 @@ async function run() { const autoEncryptionOptions = { keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, - bypassQueryAnalysis: false, encryptedFieldsMap: encryptedFieldsMap, }; diff --git a/queryable-encryption/mongosh/azure/reader/your_credentials.js b/queryable-encryption/mongosh/azure/reader/your_credentials.js index 2061cd7..994e8ab 100644 --- a/queryable-encryption/mongosh/azure/reader/your_credentials.js +++ b/queryable-encryption/mongosh/azure/reader/your_credentials.js @@ -9,7 +9,6 @@ function getCredentials() { const credentials = { // Mongo Paths + URI MONGODB_URI: "", - SHARED_LIB_PATH: "", // Azure Credentials AZURE_TENANT_ID: "", diff --git a/queryable-encryption/mongosh/gcp/reader/make_data_key.js b/queryable-encryption/mongosh/gcp/reader/make_data_key.js index a234ec0..0a95720 100644 --- a/queryable-encryption/mongosh/gcp/reader/make_data_key.js +++ b/queryable-encryption/mongosh/gcp/reader/make_data_key.js @@ -108,7 +108,6 @@ async function run() { const autoEncryptionOptions = { keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, - bypassQueryAnalysis: false, encryptedFieldsMap: encryptedFieldsMap, }; diff --git a/queryable-encryption/mongosh/gcp/reader/your_credentials.js b/queryable-encryption/mongosh/gcp/reader/your_credentials.js index b59797f..68796c9 100644 --- a/queryable-encryption/mongosh/gcp/reader/your_credentials.js +++ b/queryable-encryption/mongosh/gcp/reader/your_credentials.js @@ -9,7 +9,6 @@ function getCredentials() { const credentials = { // Mongo Paths + URI MONGODB_URI: "", - SHARED_LIB_PATH: "", // GCP Credentials GCP_EMAIL: "", diff --git a/queryable-encryption/mongosh/kmip/reader/insert_encrypted_document.js b/queryable-encryption/mongosh/kmip/reader/insert_encrypted_document.js new file mode 100644 index 0000000..6e9dbdb --- /dev/null +++ b/queryable-encryption/mongosh/kmip/reader/insert_encrypted_document.js @@ -0,0 +1,133 @@ +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-key-vault +const keyVaultDB = "encryption"; +const keyVaultColl = "__keyVault"; +const keyVaultNamespace = `${keyVaultDB}.${keyVaultColl}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; +// end-key-vault + +// start-kmsproviders +const provider = "kmip"; +const kmsProviders = { + kmip: { + endpoint: credentials["KMIP_KMS_ENDPOINT"], + }, +}; +// end-kmsproviders + +async function run() { + // start-schema + const uri = credentials.MONGODB_URI; + const unencryptedClient = Mongo(uri); + const autoEncryptionOpts = { kmsProviders, keyVaultNamespace }; + + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + const keyVaultClient = unencryptedClient + .getDB(keyVaultDB) + .getCollection(keyVaultColl); + + const dek1 = keyVaultClient.findOne({ keyAltNames: "dataKey1" }); + const dek2 = keyVaultClient.findOne({ keyAltNames: "dataKey2" }); + const dek3 = keyVaultClient.findOne({ keyAltNames: "dataKey3" }); + const dek4 = keyVaultClient.findOne({ keyAltNames: "dataKey4" }); + + const secretDB = "medicalRecords"; + const secretColl = "patients"; + + const encryptedFieldsMap = { + [`${secretDB}.${secretColl}`]: { + fields: [ + { + keyId: dek1._id, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2._id, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3._id, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4._id, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + // end-schema + + // start-create-tls + const tlsOptions = { + kmip: { + tlsCAFile: credentials.KMIP_TLS_CA_FILE, + tlsCertificateKeyFile: credentials.KMIP_TLS_CERT_FILE, + }, + }; + // end-create-tls + + // start-extra-options + // end-extra-options + + // start-client + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + bypassQueryAnalysis: false, + encryptedFieldsMap: encryptedFieldsMap, + tlsOptions: tlsOptions, + }; + + const encryptedClient = Mongo(uri, autoEncryptionOptions); + const encryptedColl = encryptedClient + .getDB(secretDB) + .getCollection(secretColl); + const unencryptedColl = unencryptedClient + .getDB(secretDB) + .getCollection(secretColl); + // end-client + + try { + // start-insert + encryptedColl.insertOne({ + firstName: "Jon", + lastName: "Doe", + patientId: 12345678, + address: "157 Electric Ave.", + patientRecord: { + ssn: "987-65-4320", + billing: { + type: "Visa", + number: "4111111111111111", + }, + }, + medications: ["Atorvastatin", "Levothyroxine"], + }); + // end-insert + + // start-find + console.log("Finding a document with regular (non-encrypted) client."); + console.log(unencryptedColl.findOne({ firstName: /Jon/ })); + console.log( + "Finding a document with encrypted client, searching on an encrypted field" + ); + console.log(encryptedColl.findOne({ "patientRecord.ssn": "987-65-4320" })); + // end-find + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/kmip/reader/make_data_key.js b/queryable-encryption/mongosh/kmip/reader/make_data_key.js new file mode 100644 index 0000000..0162b37 --- /dev/null +++ b/queryable-encryption/mongosh/kmip/reader/make_data_key.js @@ -0,0 +1,132 @@ +const keyVaultDatabase = "encryption"; +const keyVaultCollection = "__keyVault"; +const keyVaultNamespace = `${keyVaultDatabase}.${keyVaultCollection}`; +const secretDB = "medicalRecords"; +const secretCollection = "patients"; + +const { getCredentials } = require("./your_credentials.js"); +credentials = getCredentials(); + +// start-kmsproviders +const provider = "kmip"; +const kmsProviders = { + kmip: { + endpoint: credentials["KMIP_KMS_ENDPOINT"], + }, +}; +// end-kmsproviders + +// start-datakeyopts +const masterKey = {}; // an empty key object prompts your KMIP-compliant key provider to generate a new Customer Master Key +// end-datakeyopts + +async function run() { + // start-create-index + const uri = credentials.MONGODB_URI; + const keyVaultClient = Mongo(uri); + const keyVaultDB = keyVaultClient.getDB(keyVaultDatabase); + // Drop the Key Vault Collection in case you created this collection + // in a previous run of this application. + keyVaultDB.dropDatabase(); + keyVaultDB.createCollection(keyVaultCollection); + + const keyVaultColl = keyVaultDB.getCollection(keyVaultCollection); + keyVaultColl.createIndex( + { keyAltNames: 1 }, + { + unique: true, + partialFilterExpression: { keyAltNames: { $exists: true } }, + } + ); + // end-create-index + + // start-create-tls + const tlsOptions = { + kmip: { + tlsCAFile: credentials.KMIP_TLS_CA_FILE, + tlsCertificateKeyFile: credentials.KMIP_TLS_CERT_FILE, + }, + }; + // end-create-tls + + // start-create-dek + const autoEncryptionOpts = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + tlsOptions: tlsOptions, + }; + + // start-create-dek + const encClient = Mongo(uri, autoEncryptionOpts); + const keyVault = encClient.getKeyVault(); + + const dek1 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey1"], + }); + const dek2 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey2"], + }); + const dek3 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey3"], + }); + const dek4 = keyVault.createKey(provider, { + masterKey: masterKey, + keyAltNames: ["dataKey4"], + }); + // end-create-dek + + // start-create-enc-collection + const encryptedFieldsMap = { + [`${secretDB}.${secretCollection}`]: { + fields: [ + { + keyId: dek1, + path: "patientId", + bsonType: "int", + queries: { queryType: "equality" }, + }, + { + keyId: dek2, + path: "medications", + bsonType: "array", + }, + { + keyId: dek3, + path: "patientRecord.ssn", + bsonType: "string", + queries: { queryType: "equality" }, + }, + { + keyId: dek4, + path: "patientRecord.billing", + bsonType: "object", + }, + ], + }, + }; + + try { + const autoEncryptionOptions = { + keyVaultNamespace: keyVaultNamespace, + kmsProviders: kmsProviders, + encryptedFieldsMap: encryptedFieldsMap, + }; + + const encClient = Mongo(uri, autoEncryptionOptions); + const newEncDB = encClient.getDB(secretDB); + // Drop the encrypted collection in case you created this collection + // in a previous run of this application. + newEncDB.dropDatabase(); + newEncDB.createCollection(secretCollection); + console.log("Created encrypted collection!"); + // end-create-enc-collection + } catch (error) { + console.log(error); + throw new Error(error); + } +} + +run().catch(console.dir); diff --git a/queryable-encryption/mongosh/kmip/reader/your_credentials.js b/queryable-encryption/mongosh/kmip/reader/your_credentials.js new file mode 100644 index 0000000..c31412b --- /dev/null +++ b/queryable-encryption/mongosh/kmip/reader/your_credentials.js @@ -0,0 +1,48 @@ +/* +return credentials object and ensure it has been populated +**/ +function getCredentials() { + checkForPlaceholders(); + return credentials; +} + +const credentials = { + // Mongo Paths + URI + MONGODB_URI: "", + + // KMIP Credentials + KMIP_KMS_ENDPOINT: + "", + KMIP_TLS_CA_FILE: + "/kmip_utils/certs/ca.pem'>", + KMIP_TLS_CERT_FILE: + "/kmip_utils/certs/client.pem'>", + KMIP_TLS_CERT_P12: + "/kmip_utils/certs/pcks_client.p12'>", +}; + +/* +check if credentials object contains placeholder values +**/ +function checkForPlaceholders() { + const errorBuffer = Array(); + const placeholderPattern = /^<.*>$/; + for (const [key, value] of Object.entries(credentials)) { + // check for placeholder text + if (`${value}`.match(placeholderPattern)) { + errorMessage = `You must fill out the ${key} field of your credentials object.`; + errorBuffer.push(errorMessage); + } + // check if value is empty + else if (value == undefined) { + error_message = `The value for ${key} is empty. Please enter something for this value.`; + } + } + // raise an error if errors in buffer + if (errorBuffer.length > 0) { + message = errorBuffer.join("\n"); + throw message; + } +} + +module.exports = { getCredentials }; diff --git a/queryable-encryption/mongosh/local/reader/make_data_key.js b/queryable-encryption/mongosh/local/reader/make_data_key.js index 53d284b..5871cc3 100644 --- a/queryable-encryption/mongosh/local/reader/make_data_key.js +++ b/queryable-encryption/mongosh/local/reader/make_data_key.js @@ -106,7 +106,6 @@ async function run() { const autoEncryptionOptions = { keyVaultNamespace: keyVaultNamespace, kmsProviders: kmsProviders, - bypassQueryAnalysis: false, encryptedFieldsMap: encryptedFieldsMap, }; diff --git a/queryable-encryption/mongosh/local/reader/your_credentials.js b/queryable-encryption/mongosh/local/reader/your_credentials.js index 4799a69..8fc8f74 100644 --- a/queryable-encryption/mongosh/local/reader/your_credentials.js +++ b/queryable-encryption/mongosh/local/reader/your_credentials.js @@ -9,7 +9,6 @@ function getCredentials() { const credentials = { // Mongo Paths + URI MONGODB_URI: "", - SHARED_LIB_PATH: "", }; /* From 568eaf21f703c0b7948c57076593cec102193e3d Mon Sep 17 00:00:00 2001 From: Joseph Dougherty Date: Mon, 3 Oct 2022 11:02:04 -0400 Subject: [PATCH 3/3] adds mongosh examples --- queryable-encryption/mongosh/aws/reader/your_credentials.js | 1 - 1 file changed, 1 deletion(-) diff --git a/queryable-encryption/mongosh/aws/reader/your_credentials.js b/queryable-encryption/mongosh/aws/reader/your_credentials.js index 8be0718..3adddcc 100644 --- a/queryable-encryption/mongosh/aws/reader/your_credentials.js +++ b/queryable-encryption/mongosh/aws/reader/your_credentials.js @@ -9,7 +9,6 @@ function getCredentials() { const credentials = { // Mongo Paths + URI MONGODB_URI: "", - SHARED_LIB_PATH: "", // AWS Credentials AWS_ACCESS_KEY_ID: "",