MONGOCRYPT-432 Allow keyAltName in encryptedFieldsMap (#1091)

Author: mdb-ad

src/mc-efc-private.h

@@ -37,6 +37,7 @@ typedef enum _supported_query_type_flags {
 typedef struct _mc_EncryptedField_t {
     supported_query_type_flags supported_queries;
     _mongocrypt_buffer_t keyId;
+    const char *keyAltName;
     const char *path;
     struct _mc_EncryptedField_t *next;
 } mc_EncryptedField_t;

src/mc-efc.c

@@ -80,23 +80,48 @@ _parse_supported_query_types(bson_iter_t *iter, supported_query_type_flags *out,
 /* _parse_field parses and prepends one field document to efc->fields. */
 static bool _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocrypt_status_t *status) {
     supported_query_type_flags query_types = SUPPORTS_NO_QUERIES;
-    bson_iter_t field_iter;
+    bson_iter_t field_iter, keyid_iter, keyaltname_iter;
 
     BSON_ASSERT_PARAM(efc);
     BSON_ASSERT_PARAM(field);
 
-    if (!bson_iter_init_find(&field_iter, field, "keyId")) {
-        CLIENT_ERR("unable to find 'keyId' in 'field' document");
+    bool has_keyid = false;
+    bool has_keyaltname = false;
+    if (bson_iter_init_find(&keyid_iter, field, "keyId")) {
+        has_keyid = true;
+    }
+    if (bson_iter_init_find(&keyaltname_iter, field, "keyAltName")) {
+        has_keyaltname = true;
+    }
+    if (!(has_keyid || has_keyaltname)) {
+        CLIENT_ERR("unable to find 'keyId' or 'keyAltName' in 'field' document");
         return false;
     }
-    if (!BSON_ITER_HOLDS_BINARY(&field_iter)) {
-        CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %d", (int)bson_iter_type(&field_iter));
+    if (has_keyid && has_keyaltname) {
+        CLIENT_ERR("only one of 'keyId' or 'keyAltName may be in 'field' document");
         return false;
     }
+
     _mongocrypt_buffer_t field_keyid;
-    if (!_mongocrypt_buffer_from_uuid_iter(&field_keyid, &field_iter)) {
-        CLIENT_ERR("unable to parse uuid key from 'fields.keyId'");
-        return false;
+    if (has_keyid) {
+        if (!BSON_ITER_HOLDS_BINARY(&keyid_iter)) {
+            CLIENT_ERR("expected 'fields.keyId' to be type binary, got: %s",
+                       mc_bson_type_to_string(bson_iter_type(&keyid_iter)));
+            return false;
+        }
+        if (!_mongocrypt_buffer_from_uuid_iter(&field_keyid, &keyid_iter)) {
+            CLIENT_ERR("unable to parse uuid key from 'fields.keyId'");
+            return false;
+        }
+    }
+
+    const char *keyAltName = "";
+    if (has_keyaltname) {
+        if (!BSON_ITER_HOLDS_UTF8(&keyaltname_iter)) {
+            CLIENT_ERR("expected 'fields.keyAltName' to be type UTF-8, got: %d", (int)bson_iter_type(&keyaltname_iter));
+            return false;
+        }
+        keyAltName = bson_iter_utf8(&keyaltname_iter, NULL);
     }
 
     const char *field_path;
@@ -151,7 +176,12 @@ static bool _parse_field(mc_EncryptedFieldConfig_t *efc, bson_t *field, mongocry
 
     /* Prepend a new mc_EncryptedField_t */
     mc_EncryptedField_t *ef = bson_malloc0(sizeof(mc_EncryptedField_t));
-    _mongocrypt_buffer_copy_to(&field_keyid, &ef->keyId);
+    if (has_keyid) {
+        _mongocrypt_buffer_copy_to(&field_keyid, &ef->keyId);
+    }
+    if (has_keyaltname) {
+        ef->keyAltName = bson_strdup(keyAltName);
+    }
     ef->path = bson_strdup(field_path);
     ef->next = efc->fields;
     ef->supported_queries = query_types;
@@ -194,6 +224,20 @@ bool mc_EncryptedFieldConfig_parse(mc_EncryptedFieldConfig_t *efc,
         all_supported_queries |= efc->fields->supported_queries;
     }
 
+    // Check for duplicate keyAltName values
+    for (mc_EncryptedField_t *field1 = efc->fields; field1 != NULL; field1 = field1->next) {
+        if (field1->keyAltName) {
+            for (mc_EncryptedField_t *field2 = field1->next; field2 != NULL; field2 = field2->next) {
+                if (field2->keyAltName) {
+                    if (strcmp(field1->keyAltName, field2->keyAltName) == 0) {
+                        CLIENT_ERR("duplicate keyAltName '%s' found in encrypted field config", field1->keyAltName);
+                        return false;
+                    }
+                }
+            }
+        }
+    }
+
     if (!bson_iter_init_find(&iter, efc_bson, "strEncodeVersion")) {
         if (all_supported_queries
             & (SUPPORTS_SUBSTRING_PREVIEW_QUERIES | SUPPORTS_SUFFIX_PREVIEW_QUERIES
@@ -229,6 +273,7 @@ void mc_EncryptedFieldConfig_cleanup(mc_EncryptedFieldConfig_t *efc) {
         mc_EncryptedField_t *ptr_next = ptr->next;
         _mongocrypt_buffer_cleanup(&ptr->keyId);
         bson_free((char *)ptr->path);
+        bson_free((char *)ptr->keyAltName);
         bson_free(ptr);
         ptr = ptr_next;
     }

src/mc-schema-broker-private.h

@@ -19,6 +19,7 @@
 
 #include "mc-efc-private.h" // mc_EncryptedFieldConfig_t
 #include "mongocrypt-cache-collinfo-private.h"
+#include "mongocrypt-key-broker-private.h"
 #include "mongocrypt.h"
 #include <bson/bson.h>
 
@@ -102,6 +103,12 @@ bool mc_schema_broker_need_more_schemas(const mc_schema_broker_t *sb);
 const mc_EncryptedFieldConfig_t *
 mc_schema_broker_get_encryptedFields(const mc_schema_broker_t *sb, const char *coll, mongocrypt_status_t *status);
 
+// mc_schema_broker_maybe_get_encryptedFields returns encryptedFields for a collection if any exists.
+//
+// Returns NULL if none is found.
+const mc_EncryptedFieldConfig_t *
+mc_schema_broker_maybe_get_encryptedFields(const mc_schema_broker_t *sb, const char *coll, mongocrypt_status_t *status);
+
 typedef enum {
     MC_CMD_SCHEMAS_FOR_CRYPT_SHARED, // target the crypt_shared library.
     MC_CMD_SCHEMAS_FOR_MONGOCRYPTD,  // target mongocryptd process.
@@ -118,8 +125,23 @@ typedef enum {
 // - encryptionInformation: for QE.
 //
 // Set cmd_target to the intended command destination. This impacts if/how schema information is added.
-bool mc_schema_broker_add_schemas_to_cmd(const mc_schema_broker_t *sb,
+bool mc_schema_broker_add_schemas_to_cmd(mc_schema_broker_t *sb,
+                                         _mongocrypt_key_broker_t *kb,
                                          bson_t *cmd /* in and out */,
                                          mc_cmd_target_t cmd_target,
                                          mongocrypt_status_t *status);
+
+// mc_translate_fields_keyAltName_to_keyId processes a "fields" array from encryptedFields,
+// translating keyAltName to keyId for each field document.
+//
+// @param fields_bson The fields array to process
+// @param kb The key broker to use for keyAltName to keyId translation
+// @param out The output array to append translated fields to
+// @param status Output status
+// @return -1 on error, 0 if keyAltName was not found, 1 on success
+int mc_translate_fields_keyAltName_to_keyId(const bson_t *fields_bson,
+                                            _mongocrypt_key_broker_t *kb,
+                                            bson_t *out,
+                                            mongocrypt_status_t *status);
+
 #endif // MC_SCHEMA_BROKER_PRIVATE_H