Create encrypted collection

Author: GromNaN

lib/Doctrine/ODM/MongoDB/Configuration.php

@@ -34,8 +34,12 @@
 use ReflectionClass;
 
 use function array_key_exists;
+use function array_key_first;
 use function class_exists;
+use function count;
 use function interface_exists;
+use function is_array;
+use function is_string;
 use function trigger_deprecation;
 use function trim;
 
@@ -50,6 +54,11 @@
  *     $dm = DocumentManager::create(new Connection(), $config);
  *
  * @phpstan-import-type CommitOptions from UnitOfWork
+ * @phpstan-type AutoEncryptionOptions array{
+ *     keyVaultNamespace: string,
+ *     kmsProviders: array<string, array<string, string>>,
+ *     tlsOptions?: array{kmip: array{tlsCAFile: string, tlsCertificateKeyFile: string}},
+ * }
  */
 class Configuration
 {
@@ -121,7 +130,8 @@ class Configuration
      *      persistentCollectionNamespace?: string,
      *      proxyDir?: string,
      *      proxyNamespace?: string,
-     *      repositoryFactory?: RepositoryFactory
+     *      repositoryFactory?: RepositoryFactory,
+     *      autoEncryption?: AutoEncryptionOptions,
      * }
      */
     private array $attributes = [];
@@ -653,6 +663,49 @@ public function isLazyGhostObjectEnabled(): bool
     {
         return $this->useLazyGhostObject;
     }
+
+    /**
+     * Set the options for auto-encryption.
+     *
+     * @see https://www.php.net/manual/en/mongodb-driver-clientencryption.construct.php
+     *
+     * @param AutoEncryptionOptions $options
+     *
+     * @throws InvalidArgumentException If the options are invalid.
+     */
+    public function setAutoEncryption(array $options): void
+    {
+        if (! isset($options['keyVaultNamespace']) || ! is_string($options['keyVaultNamespace'])) {
+            throw new InvalidArgumentException('The "keyVaultNamespace" option is required.');
+        }
+
+        if (! isset($options['kmsProviders']) || ! is_array($options['kmsProviders']) || count($options['kmsProviders']) < 1) {
+            throw new InvalidArgumentException('The "kmsProviders" option is required.');
+        }
+
+        $this->attributes['autoEncryption'] = $options;
+    }
+
+    /**
+     * Get the options for auto-encryption.
+     *
+     * @see https://www.php.net/manual/en/mongodb-driver-clientencryption.construct.php
+     *
+     * @return AutoEncryptionOptions
+     */
+    public function getAutoEncryption(): ?array
+    {
+        return $this->attributes['autoEncryption'] ?? null;
+    }
+
+    public function getKmsProvider(): ?string
+    {
+        if (! isset($this->attributes['autoEncryption'])) {
+            return null;
+        }
+
+        return array_key_first($this->attributes['autoEncryption']['kmsProviders']);
+    }
 }
 
 interface_exists(MappingDriver::class);

lib/Doctrine/ODM/MongoDB/DocumentManager.php

@@ -29,6 +29,7 @@
 use MongoDB\Client;
 use MongoDB\Collection;
 use MongoDB\Database;
+use MongoDB\Driver\ClientEncryption;
 use MongoDB\Driver\ReadPreference;
 use MongoDB\GridFS\Bucket;
 use ProxyManager\Proxy\GhostObjectInterface;
@@ -64,6 +65,8 @@ class DocumentManager implements ObjectManager
      */
     private Client $client;
 
+    private ClientEncryption $clientEncryption;
+
     /**
      * The used Configuration.
      */
@@ -151,12 +154,7 @@ protected function __construct(?Client $client = null, ?Configuration $config =
         $this->client       = $client ?: new Client(
             'mongodb://127.0.0.1',
             [],
-            [
-                'driver' => [
-                    'name' => 'doctrine-odm',
-                    'version' => self::getVersion(),
-                ],
-            ],
+            $this->getDriverOptions(),
         );
 
         $this->classNameResolver = $this->config->isLazyGhostObjectEnabled()
@@ -225,6 +223,21 @@ public function getClient(): Client
         return $this->client;
     }
 
+    public function getClientEncryption(): ClientEncryption
+    {
+        $autoEncryptionOptions = $this->config->getAutoEncryption();
+
+        if (! $autoEncryptionOptions) {
+            throw new RuntimeException('Auto-encryption is not enabled.');
+        }
+
+        return $this->clientEncryption ??= $this->client->createClientEncryption([
+            'keyVaultNamespace' => $autoEncryptionOptions['keyVaultNamespace'],
+            'kmsProviders' => $autoEncryptionOptions['kmsProviders'],
+            'tlsOptions' => $autoEncryptionOptions['tlsOptions'] ?? [],
+        ]);
+    }
+
     /** Gets the metadata factory used to gather the metadata of classes. */
     public function getMetadataFactory(): ClassmetadataFactoryInterface
     {
@@ -924,6 +937,23 @@ public function getClassNameForAssociation(array $mapping, $data): string
         return $mapping['targetDocument'];
     }
 
+    /** @todo move this to the Configuration class, so that it can be use to instantiate the Client outside of the DocumentManager */
+    private function getDriverOptions(): array
+    {
+        $driverOptions = [
+            'driver' => [
+                'name' => 'doctrine-odm',
+                'version' => self::getVersion(),
+            ],
+        ];
+
+        if ($this->config->getAutoEncryption()) {
+            $driverOptions['autoEncryption'] = $this->config->getAutoEncryption();
+        }
+
+        return $driverOptions;
+    }
+
     private static function getVersion(): string
     {
         if (self::$version === null) {

lib/Doctrine/ODM/MongoDB/Mapping/ClassMetadata.php

@@ -803,6 +803,13 @@
      */
     public $isReadOnly;
 
+    /**
+     * READ-ONLY: A flag for whether or not this document has encrypted fields.
+     *
+     * @var bool
+     */
+    public $isEncrypted = false;
+
     /** READ ONLY: stores metadata about the time series collection */
     public ?TimeSeries $timeSeriesOptions = null;
 

lib/Doctrine/ODM/MongoDB/SchemaManager.php

@@ -7,6 +7,7 @@
 use Doctrine\ODM\MongoDB\Mapping\ClassMetadata;
 use Doctrine\ODM\MongoDB\Mapping\ClassMetadataFactoryInterface;
 use Doctrine\ODM\MongoDB\Repository\ViewRepository;
+use Doctrine\ODM\MongoDB\Utility\EncryptionFieldMap;
 use InvalidArgumentException;
 use MongoDB\Driver\Exception\CommandException;
 use MongoDB\Driver\Exception\RuntimeException;
@@ -643,10 +644,29 @@ public function createDocumentCollection(string $documentName, ?int $maxTimeMs =
             }
         }
 
-        $this->dm->getDocumentDatabase($documentName)->createCollection(
-            $class->getCollection(),
-            $this->getWriteOptions($maxTimeMs, $writeConcern, $options),
-        );
+        // Encryption is enabled only if the KMS provider is set and at least one field is encrypted
+        if ($this->dm->getConfiguration()->getKmsProvider()) {
+            $encryptedFields = (new EncryptionFieldMap($this->dm->getMetadataFactory()))->getEncryptionFieldMap($class->name);
+
+            if ($encryptedFields) {
+                $options['encryptedFields'] = ['fields' => $encryptedFields];
+            }
+        }
+
+        if (isset($options['encryptedFields'])) {
+            $this->dm->getDocumentDatabase($documentName)->createEncryptedCollection(
+                $class->getCollection(),
+                $this->dm->getClientEncryption(),
+                $this->dm->getConfiguration()->getKmsProvider(),
+                null, // @todo when is it necessary to set the master key?
+                $options,
+            );
+        } else {
+            $this->dm->getDocumentDatabase($documentName)->createCollection(
+                $class->getCollection(),
+                $this->getWriteOptions($maxTimeMs, $writeConcern, $options),
+            );
+        }
     }
 
     /**

lib/Doctrine/ODM/MongoDB/Utility/EncryptionFieldMap.php

@@ -30,6 +30,7 @@ private function createEncryptionFieldMap(string $className, string $path = ''):
     {
         $classMetadata = $this->classMetadataFactory->getMetadataFor($className);
         foreach ($classMetadata->fieldMappings as $mapping) {
+            // @todo support polymorphic types and inheritence?
             // Add fields recursively
             if ($mapping['embedded'] ?? false) {
                 yield from $this->createEncryptionFieldMap($mapping['targetDocument'], $path . $mapping['name'] . '.');
@@ -40,8 +41,8 @@ private function createEncryptionFieldMap(string $className, string $path = ''):
             }
 
             $field = [
-                'name' => $path . $mapping['name'],
-                'type' => match ($mapping['type']) {
+                'path' => $path . $mapping['name'],
+                'bsonType' => match ($mapping['type']) {
                     'one' => 'object',
                     'many' => 'array',
                     default => $mapping['type'],

tests/Doctrine/ODM/MongoDB/Tests/BaseTestCase.php

@@ -129,8 +129,14 @@ protected static function createMetadataDriverImpl(): MappingDriver
 
     protected static function createTestDocumentManager(): DocumentManager
     {
-        $config = static::getConfiguration();
-        $client = new Client(self::getUri());
+        $config        = static::getConfiguration();
+        $driverOptions = [];
+
+        if ($config->getAutoEncryption()) {
+            $driverOptions['autoEncryption'] = $config->getAutoEncryption();
+        }
+
+        $client = new Client(self::getUri(), [], $driverOptions);
 
         return DocumentManager::create($client, $config);
     }

tests/Doctrine/ODM/MongoDB/Tests/EncryptionTest.php

@@ -16,19 +16,19 @@ public function testMetadataIsEncrypted(): void
 
         $expected = [
             [
-                'name' => 'patientRecord.ssn',
-                'type' => 'string',
+                'path' => 'patientRecord.ssn',
+                'bsonType' => 'string',
                 'keyId' => null,
                 'queries' => ['queryType' => 'equality'],
             ],
             [
-                'name' => 'patientRecord.billing',
-                'type' => 'object',
+                'path' => 'patientRecord.billing',
+                'bsonType' => 'object',
                 'keyId' => null,
             ],
             [
-                'name' => 'patientRecord.billingAmount',
-                'type' => 'int',
+                'path' => 'patientRecord.billingAmount',
+                'bsonType' => 'int',
                 'keyId' => null,
                 'queries' => ['queryType' => 'range', 'min' => 100, 'max' => 2000, 'sparsity' => 1, 'trimFactor' => 4],
             ],

tests/Doctrine/ODM/MongoDB/Tests/Functional/QueryableEncryptionTest.php

@@ -1,35 +1,83 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Doctrine\ODM\MongoDB\Tests\Functional;
 
-use Doctrine\ODM\MongoDB\Configuration;
-use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
+use Doctrine\ODM\MongoDB\DocumentManager;
 use Doctrine\ODM\MongoDB\Tests\BaseTestCase;
-use MongoDB\Driver\ClientEncryption;
+use Documents\Encryption\Patient;
+use Documents\Encryption\PatientBilling;
+use Documents\Encryption\PatientRecord;
+use MongoDB\BSON\Binary;
+use MongoDB\Client;
+
+use function base64_decode;
+use function iterator_to_array;
 
 class QueryableEncryptionTest extends BaseTestCase
 {
-    public function testBasic(): void
+    private const LOCAL_MASTERKEY = 'quTJGRzz3TS2yrPUzNf9Ajv+rG2cn0buRsWT6i6BTQihznxZkhYKzyagXZZ05+y/FMEV1kpC79reiJSpysytFyEcXXJChjBsH2iTzBK8uWFN2dN7udzYjWvBJmWKbhhm';
+
+    public function testCreateAndQueryEncryptedCollection(): void
     {
+        // @todo skip if not using MongoDB < 7, single node or not enterprise
+        $client   = new Client(self::getUri());
+        $database = $client->getDatabase(DOCTRINE_MONGODB_DATABASE);
 
-    }
+        // Create the encrypted collection
+        $this->dm->getSchemaManager()->createDocumentCollection(Patient::class);
 
+        // Test created collectionss
+        $collectionNames = iterator_to_array($database->listCollectionNames());
+        self::assertContains('patients', $collectionNames);
+        self::assertContains('datakeys', $collectionNames);
 
-    protected static function getConfiguration(): Configuration
-    {
-        $config = parent::getConfiguration();
+        // Insert a document
+        $patient              = new Patient();
+        $patient->patientName = 'Jon Doe';
+        $patient->patientId   = 12345678;
+
+        $patientRecord                = new PatientRecord();
+        $patientRecord->ssn           = '987-65-4320';
+        $patientRecord->billingAmount = 1200;
+
+        $billing         = new PatientBilling();
+        $billing->type   = 'Visa';
+        $billing->number = '4111111111111111';
+
+        $patientRecord->billing = $billing;
+        $patient->patientRecord = $patientRecord;
 
-        return $config;
+        $this->dm->persist($patient);
+        $this->dm->flush();
+        $this->dm->clear();
+
+        // Queryable with equality
+        $result = $this->dm->getRepository(Patient::class)->findOneBy(['patientRecord.ssn' => '987-65-4320']);
+        self::assertNotNull($result);
+        self::assertSame('Jon Doe', $result->patientName);
+        self::assertSame('987-65-4320', $result->patientRecord->ssn);
+
+        // Queryable with range
+        $result = $this->dm->getRepository(Patient::class)->findOneBy(['patientRecord.billingAmount' => ['$gt' => 1000, '$lt' => 2000]]);
+        self::assertSame('Jon Doe', $result->patientName);
+        self::assertSame('987-65-4320', $result->patientRecord->ssn);
+        self::assertSame('4111111111111111', $result->patientRecord->billing->number);
     }
-}
 
-#[ODM\Document]
-class EncryptedDocument
-{
-    #[ODM\Id]
-    public string $id;
+    protected static function createTestDocumentManager(): DocumentManager
+    {
+        $config = static::getConfiguration();
+        $config->setAutoEncryption([
+            'keyVaultNamespace' => DOCTRINE_MONGODB_DATABASE . '.datakeys',
+            'kmsProviders' => [
+                'local' => ['key' => new Binary(base64_decode(self::LOCAL_MASTERKEY))],
+            ],
+        ]);
+
+        $client = new Client(self::getUri(), [], ['autoEncryption' => $config->getAutoEncryption()]);
 
-    #[ODM\Field]
-    #[ODM\Encrypt(queryType: ClientEncryption::QUERY_TYPE_EQUALITY)]
-    private string $sensitiveField;
-}
+        return DocumentManager::create($client, $config);
+    }
+}