update prose tests

Author: qingyang-hu

.evergreen/config.yml

@@ -21,10 +21,6 @@ timeout:
       binary: bash
       args: [ls, -la]
 functions:
-  assume-test-secrets-ec2-role:
-    - command: ec2.assume_role
-      params:
-        role_arn: ${aws_test_secrets_role}
   setup-system:
     # Executes clone and applies the submitted patch, if any
     - command: git.get_project
@@ -550,6 +546,21 @@ functions:
           KMS_FAILPOINT_CA_FILE: "${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem"
           KMS_FAILPOINT_SERVER_RUNNING: "true"
         args: [*task-runner, evg-test-retry-kms-requests]
+  run-client-side-encryption-test:
+    - command: subprocess.exec
+      params:
+        binary: "bash"
+        env: 
+          GO_BUILD_TAGS: cse
+        include_expansions_in_env: [AUTH, SSL, MONGODB_URI, TOPOLOGY, 
+          MONGO_GO_DRIVER_COMPRESSOR]
+        args: [*task-runner, setup-test]
+    - command: subprocess.exec
+      type: test
+      retry_on_failure: true
+      params:
+        binary: "bash"
+        args: [*task-runner, evg-test-client-side-encryption]
   run-fuzz-tests:
     - command: subprocess.exec
       type: test
@@ -1452,6 +1463,20 @@ tasks:
           TOPOLOGY: "server"
           AUTH: "noauth"
           SSL: "nossl"
+  - name: "test-client-side-encryption"
+    tags: ["client-side-encryption-test"]
+    commands:
+      - func: bootstrap-mongo-orchestration
+        vars:
+          TOPOLOGY: "replica_set"
+          AUTH: "noauth"
+          SSL: "nossl"
+      - func: start-cse-servers
+      - func: run-client-side-encryption-test
+        vars:
+          TOPOLOGY: "replica_set"
+          AUTH: "noauth"
+          SSL: "nossl"
   - name: "test-retry-kms-requests"
     tags: ["kms-test"]
     commands:
@@ -2093,6 +2118,11 @@ buildvariants:
     display_name: "KMS TEST ${os-ssl-40}"
     tasks:
       - name: ".kms-test"
+  - matrix_name: "client-side-encryption-test"
+    matrix_spec: { version: ["latest"], os-ssl-40: ["rhel87-64"] }
+    display_name: "Client Side Encryption Tests ${os-ssl-40}"
+    tasks:
+      - name: ".client-side-encryption-test"
   - matrix_name: "load-balancer-test"
     tags: ["pullrequest"]
     matrix_spec: {version: ["5.0", "6.0", "7.0", "8.0"], os-ssl-40: ["rhel87-64"]}

Taskfile.yml

@@ -102,6 +102,8 @@ tasks:
     - go test -exec "env PKG_CONFIG_PATH=${PKG_CONFIG_PATH} LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" ${BUILD_TAGS} -v -timeout {{.TEST_TIMEOUT}}s ./internal/integration -run TestClientSideEncryptionProse/kms_tls_tests >> test.suite
   evg-test-retry-kms-requests:
     - go test -exec "env PKG_CONFIG_PATH=${PKG_CONFIG_PATH} LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" ${BUILD_TAGS} -v -timeout {{.TEST_TIMEOUT}}s ./internal/integration -run TestClientSideEncryptionProse/kms_retry_tests >> test.suite
+  evg-test-client-side-encryption:
+    - go test -exec "env PKG_CONFIG_PATH=${PKG_CONFIG_PATH} LD_LIBRARY_PATH=${LD_LIBRARY_PATH} DYLD_LIBRARY_PATH=${MACOS_LIBRARY_PATH}" ${BUILD_TAGS} -v -timeout {{.TEST_TIMEOUT}}s ./internal/integration -run TestClientSideEncryptionProse >> test.suite
   evg-test-load-balancers:
     # Load balancer should be tested with all unified tests as well as tests in the following
     # components: retryable reads, retryable writes, change streams, initial DNS seedlist discovery.

internal/integration/client_side_encryption_prose_test.go

@@ -3195,27 +3195,27 @@ func TestClientSideEncryptionProse(t *testing.T) {
 				{
 					collection: "prefix-suffix",
 					textOpts: options.Text().
+						SetCaseSensitive(true).
+						SetDiacriticSensitive(true).
 						SetPrefix(options.PrefixOptions{
 							StrMaxQueryLength: 10,
 							StrMinQueryLength: 2,
 						}).
 						SetSuffix(options.SuffixOptions{
 							StrMaxQueryLength: 10,
 							StrMinQueryLength: 2,
-						}).
-						SetCaseSensitive(true).
-						SetDiacriticSensitive(true),
+						}),
 				},
 				{
 					collection: "substring",
 					textOpts: options.Text().
+						SetCaseSensitive(true).
+						SetDiacriticSensitive(true).
 						SetSubstring(options.SubstringOptions{
 							StrMaxLength:      10,
 							StrMaxQueryLength: 10,
 							StrMinQueryLength: 2,
-						}).
-						SetCaseSensitive(true).
-						SetDiacriticSensitive(true),
+						}),
 				},
 			} {
 				coll := encryptedClient.Database("db").Collection(c.collection, options.Collection().SetWriteConcern(mtest.MajorityWc))
@@ -3233,36 +3233,234 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			return encryptedClient, clientEncryption
 		}
 
-		mt.Run("Case 1: can decrypt a payload", func(mt *mtest.T) {
+		foo := bson.RawValue{Type: bson.TypeString, Value: bsoncore.AppendString(nil, "foo")}
+		bar := bson.RawValue{Type: bson.TypeString, Value: bsoncore.AppendString(nil, "bar")}
+		baz := bson.RawValue{Type: bson.TypeString, Value: bsoncore.AppendString(nil, "baz")}
+
+		mt.Run("Case 1: can find a document by prefix", func(mt *mtest.T) {
 			encryptedClient, clientEncryption := testSetup()
 			defer clientEncryption.Close(context.Background())
 			defer encryptedClient.Disconnect(context.Background())
 
-			foo := bson.RawValue{Type: bson.TypeString, Value: bsoncore.AppendString(nil, "foo")}
 			eo := options.Encrypt().
-				SetAlgorithm("TextPreview").
 				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("prefixPreview").
 				SetContentionFactor(0).
 				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
 					SetPrefix(options.PrefixOptions{
 						StrMaxQueryLength: 10,
 						StrMinQueryLength: 2,
-					}).
-					SetCaseSensitive(true).
-					SetDiacriticSensitive(true))
+					}))
 			payload, err := clientEncryption.Encrypt(context.Background(), foo, eo)
 			require.NoError(mt, err, "error in Encrypt: %v", err)
 			coll := encryptedClient.Database("db").Collection("prefix-suffix")
-			got, err := coll.FindOne(context.Background(), bson.D{
+			res := coll.FindOne(context.Background(), bson.D{
+				{"$expr", bson.D{
+					{"$encStrStartsWith", bson.D{
+						{"input", "$encryptedText"},
+						{"prefix", payload},
+					}},
+				}},
+			})
+			require.NoError(mt, err, "error in FindOne: %v", err)
+			var got struct {
+				Id            int    `bson:"_id"`
+				EncryptedText string `bson:"encryptedText"`
+			}
+			err = res.Decode(&got)
+			require.NoError(mt, err, "error decoding result: %v", err)
+			require.Equal(mt, 0, got.Id)
+			require.Equal(mt, "foobarbaz", got.EncryptedText)
+		})
+		mt.Run("Case 2: find a document by suffix", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("suffixPreview").
+				SetContentionFactor(0).
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetSuffix(options.SuffixOptions{
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			payload, err := clientEncryption.Encrypt(context.Background(), baz, eo)
+			require.NoError(mt, err, "error in Encrypt: %v", err)
+			coll := encryptedClient.Database("db").Collection("prefix-suffix")
+			res := coll.FindOne(context.Background(), bson.D{
+				{"$expr", bson.D{
+					{"$encStrEndsWith", bson.D{
+						{"input", "$encryptedText"},
+						{"suffix", payload},
+					}},
+				}},
+			})
+			var got struct {
+				Id            int    `bson:"_id"`
+				EncryptedText string `bson:"encryptedText"`
+			}
+			err = res.Decode(&got)
+			require.NoError(mt, err, "error decoding result: %v", err)
+			require.Equal(mt, 0, got.Id)
+			require.Equal(mt, "foobarbaz", got.EncryptedText)
+		})
+		mt.Run("Case 3: assert no document found by prefix", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("prefixPreview").
+				SetContentionFactor(0).
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetPrefix(options.PrefixOptions{
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			payload, err := clientEncryption.Encrypt(context.Background(), baz, eo)
+			require.NoError(mt, err, "error in Encrypt: %v", err)
+			coll := encryptedClient.Database("db").Collection("prefix-suffix")
+			_, err = coll.FindOne(context.Background(), bson.D{
 				{"$expr", bson.D{
 					{"$encStrStartsWith", bson.D{
 						{"input", "$encryptedText"},
 						{"prefix", payload},
 					}},
 				}},
 			}).Raw()
+			require.Error(mt, err, mongo.ErrNoDocuments)
+		})
+		mt.Run("Case 4: assert no document found by suffix", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("suffixPreview").
+				SetContentionFactor(0).
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetSuffix(options.SuffixOptions{
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			payload, err := clientEncryption.Encrypt(context.Background(), foo, eo)
+			require.NoError(mt, err, "error in Encrypt: %v", err)
+			coll := encryptedClient.Database("db").Collection("prefix-suffix")
+			_, err = coll.FindOne(context.Background(), bson.D{
+				{"$expr", bson.D{
+					{"$encStrEndsWith", bson.D{
+						{"input", "$encryptedText"},
+						{"suffix", payload},
+					}},
+				}},
+			}).Raw()
+			require.Error(mt, err, mongo.ErrNoDocuments)
+		})
+		mt.Run("Case 5: can find a document by substring", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("substringPreview").
+				SetContentionFactor(0).
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetSubstring(options.SubstringOptions{
+						StrMaxLength:      10,
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			payload, err := clientEncryption.Encrypt(context.Background(), bar, eo)
+			require.NoError(mt, err, "error in Encrypt: %v", err)
+			coll := encryptedClient.Database("db").Collection("substring")
+			res := coll.FindOne(context.Background(), bson.D{
+				{"$expr", bson.D{
+					{"$encStrContains", bson.D{
+						{"input", "$encryptedText"},
+						{"substring", payload},
+					}},
+				}},
+			})
 			require.NoError(mt, err, "error in FindOne: %v", err)
-			assert.FailNow(mt, "got: %v", got)
+			var got struct {
+				Id            int    `bson:"_id"`
+				EncryptedText string `bson:"encryptedText"`
+			}
+			err = res.Decode(&got)
+			require.NoError(mt, err, "error decoding result: %v", err)
+			require.Equal(mt, 0, got.Id)
+			require.Equal(mt, "foobarbaz", got.EncryptedText)
+		})
+		mt.Run("Case 6: assert no document found by substring", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			qux := bson.RawValue{Type: bson.TypeString, Value: bsoncore.AppendString(nil, "qux")}
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("substringPreview").
+				SetContentionFactor(0).
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetSubstring(options.SubstringOptions{
+						StrMaxLength:      10,
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			payload, err := clientEncryption.Encrypt(context.Background(), qux, eo)
+			require.NoError(mt, err, "error in Encrypt: %v", err)
+			coll := encryptedClient.Database("db").Collection("substring")
+			_, err = coll.FindOne(context.Background(), bson.D{
+				{"$expr", bson.D{
+					{"$encStrContains", bson.D{
+						{"input", "$encryptedText"},
+						{"suffix", payload},
+					}},
+				}},
+			}).Raw()
+			require.Error(mt, err, mongo.ErrNoDocuments)
+		})
+		mt.Run("Case 7: assert contentionFactor is required", func(mt *mtest.T) {
+			encryptedClient, clientEncryption := testSetup()
+			defer clientEncryption.Close(context.Background())
+			defer encryptedClient.Disconnect(context.Background())
+
+			eo := options.Encrypt().
+				SetKeyID(key1ID).
+				SetAlgorithm("TextPreview").
+				SetQueryType("prefixPreview").
+				SetTextOptions(options.Text().
+					SetCaseSensitive(true).
+					SetDiacriticSensitive(true).
+					SetPrefix(options.PrefixOptions{
+						StrMaxQueryLength: 10,
+						StrMinQueryLength: 2,
+					}))
+			_, err := clientEncryption.Encrypt(context.Background(), baz, eo)
+			require.ErrorContains(mt, err, "contention factor is required for textPreview algorithm")
 		})
 	})
 }

mongo/options/encryptoptions.go

@@ -99,7 +99,7 @@ func (ro *RangeOptionsBuilder) SetPrecision(precision int32) *RangeOptionsBuilde
 	return ro
 }
 
-// TextOptions specifies index options for a Queryable Encryption field supporting "test" queries.
+// TextOptions specifies index options for a Queryable Encryption field supporting "text" queries.
 //
 // See corresponding setter methods for documentation.
 type TextOptions struct {
@@ -110,17 +110,20 @@ type TextOptions struct {
 	DiacriticSensitive bool
 }
 
+// SubstringOptions specifies options to support substring queries.
 type SubstringOptions struct {
 	StrMaxLength      int32
 	StrMinQueryLength int32
 	StrMaxQueryLength int32
 }
 
+// PrefixOptions specifies options to support prefix queries.
 type PrefixOptions struct {
 	StrMinQueryLength int32
 	StrMaxQueryLength int32
 }
 
+// SuffixOptions specifies options to support suffix queries.
 type SuffixOptions struct {
 	StrMinQueryLength int32
 	StrMaxQueryLength int32