Code review fixes

- assertion methods now use camelCase
- document Django QuerySet limitations
- low, high, threshold args are now required kwargs
- Add $ to all shell prompts
- Add patient schema to management and schema tests
- Add recursive fields to schema
- Reorder patient models
- Add bill_amount field
- Set databases for management and schema tests

Author: aclark4life

django_mongodb_backend/schema.py

@@ -483,52 +483,106 @@ def _create_collection(self, model):
         else:
             db.create_collection(db_table)
 
-    def _get_encrypted_fields(self, model, client, create_data_keys=False):
+    def _get_encrypted_fields(
+        self, model, client, create_data_keys=False, key_alt_name=None, client_encryption=None
+    ):
+        """
+        Recursively collect encryption schema data for fields in a model.
+
+        key_alt_name is the base path for this level, typically model._meta.db_table
+        """
         connection = self.connection
         fields = model._meta.fields
+        key_alt_name = key_alt_name or model._meta.db_table
+
         options = client._options
         auto_encryption_opts = options.auto_encryption_opts
-        kms_provider = router.kms_provider(model)
-        master_key = self.connection.settings_dict.get("KMS_CREDENTIALS", {}).get(kms_provider)
-        client_encryption = ClientEncryption(
-            auto_encryption_opts._kms_providers,
-            auto_encryption_opts._key_vault_namespace,
-            client,
-            client.codec_options,
-        )
         key_vault_db, key_vault_coll = auto_encryption_opts._key_vault_namespace.split(".", 1)
         key_vault_collection = client[key_vault_db][key_vault_coll]
-        db_table = model._meta.db_table
+        kms_provider = router.kms_provider(model)
+        master_key = connection.settings_dict.get("KMS_CREDENTIALS", {}).get(kms_provider)
+
+        # Initialize ClientEncryption once
+        if client_encryption is None:
+            client_encryption = ClientEncryption(
+                auto_encryption_opts._kms_providers,
+                auto_encryption_opts._key_vault_namespace,
+                client,
+                client.codec_options,
+            )
+
         field_list = []
+
         for field in fields:
+            new_path = f"{key_alt_name}.{field.column}"
+
+            # --- EmbeddedModelField case ---
             if isinstance(field, EmbeddedModelField):
-                # Recursively get encrypted fields for the embedded model.
-                self._get_encrypted_fields(field.embedded_model, client, create_data_keys)
+                field_dict = {"bsonType": "object", "path": field.column}
+
+                if getattr(field, "encrypted", False):
+                    if create_data_keys:
+                        data_key = client_encryption.create_data_key(
+                            kms_provider=kms_provider,
+                            master_key=master_key,
+                            key_alt_names=[new_path],
+                        )
+                    else:
+                        key_doc = key_vault_collection.find_one({"keyAltNames": new_path})
+                        if not key_doc:
+                            raise ValueError(
+                                f"No key found in keyvault for keyAltName={new_path}. "
+                                "Run with '--create-data-keys' to create missing keys."
+                            )
+                        data_key = key_doc["_id"]
+
+                    field_dict["keyId"] = data_key
+
+                    if getattr(field, "queries", False):
+                        field_dict["queries"] = field.queries
+
+                    field_list.append(field_dict)
+                    continue
+
+                # Not encrypting whole object — add object entry and recurse
+                field_list.append(field_dict)
+                embedded_result = self._get_encrypted_fields(
+                    field.embedded_model,
+                    client,
+                    create_data_keys=create_data_keys,
+                    key_alt_name=new_path,
+                    client_encryption=client_encryption,
+                )
+                field_list.extend(embedded_result["fields"])
+                continue
+
+            # --- Leaf encrypted field case ---
             if getattr(field, "encrypted", False):
-                key_alt_name = f"{db_table}.{field.column}"
                 if create_data_keys:
                     data_key = client_encryption.create_data_key(
                         kms_provider=kms_provider,
                         master_key=master_key,
-                        key_alt_names=[key_alt_name],
+                        key_alt_names=[new_path],  # distinct per field
                     )
                 else:
-                    key_doc = key_vault_collection.find_one({"keyAltNames": key_alt_name})
+                    key_doc = key_vault_collection.find_one({"keyAltNames": new_path})
                     if not key_doc:
                         raise ValueError(
-                            f"No key found in keyvault for keyAltName={key_alt_name}. "
-                            "You may need to run the management command with "
-                            "'--create-data-keys' to create missing keys."
+                            f"No key found in keyvault for keyAltName={new_path}. "
+                            "Run with '--create-data-keys' to create missing keys."
                         )
                     data_key = key_doc["_id"]
+
                 field_dict = {
                     "bsonType": field.db_type(connection),
                     "path": field.column,
                     "keyId": data_key,
                 }
                 if getattr(field, "queries", False):
                     field_dict["queries"] = field.queries
+
                 field_list.append(field_dict)
+
         return {"fields": field_list}
 
 

docs/howto/queryable-encryption.rst

@@ -185,7 +185,7 @@ the :djadmin:`showencryptedfieldsmap` command.
 To see the keys created by Django MongoDB Backend in the above scenario, you can
 run the following command::
 
-    python manage.py showencryptedfieldsmap --database encrypted
+    $ python manage.py showencryptedfieldsmap --database encrypted
 
 You can then use the output of the :djadmin:`showencryptedfieldsmap` command
 to set the ``encrypted_fields_map`` in
@@ -202,7 +202,7 @@ pre-defined encrypted fields map.
 If you do not want to use the data keys created by Django MongoDB Backend (when
 ``python manage.py migrate`` is run), you can generate new data keys with::
 
-    python manage.py showencryptedfieldsmap --database encrypted \
+    $ python manage.py showencryptedfieldsmap --database encrypted \
         --create-data-keys
 
 In this scenario, Django MongoDB Backend will use the newly created data keys

tests/encryption_/models.py

@@ -26,26 +26,27 @@
 from django_mongodb_backend.models import EmbeddedModel
 
 
-class Billing(EmbeddedModel):
-    cc_type = models.CharField(max_length=50)
-    cc_number = models.CharField(max_length=20)
-
-
-class PatientRecord(EmbeddedModel):
-    ssn = EncryptedCharField(max_length=11, queries={"queryType": "equality"})
-    billing = EncryptedEmbeddedModelField(Billing)
-
-
 class Patient(models.Model):
     patient_name = models.CharField(max_length=255)
     patient_id = models.BigIntegerField()
-    patient_record = EmbeddedModelField(PatientRecord)
+    patient_record = EmbeddedModelField("PatientRecord")
 
     def __str__(self):
         return f"{self.patient_name} ({self.patient_id})"
 
 
-class EncryptedModel(models.Model):
+class PatientRecord(EmbeddedModel):
+    ssn = EncryptedCharField(max_length=11, queries={"queryType": "equality"})
+    billing = EncryptedEmbeddedModelField("Billing")
+    bill_amount = models.DecimalField(max_digits=10, decimal_places=2)
+
+
+class Billing(EmbeddedModel):
+    cc_type = models.CharField(max_length=50)
+    cc_number = models.CharField(max_length=20)
+
+
+class EncryptedModelBase(models.Model):
     """
     Abstract base model for all Encrypted models
     that require the 'supports_queryable_encryption' DB feature.
@@ -57,78 +58,78 @@ class Meta:
 
 
 # Equality-queryable fields
-class EncryptedBinaryTest(EncryptedModel):
+class EncryptedBinaryTest(EncryptedModelBase):
     value = EncryptedBinaryField(queries={"queryType": "equality"})
 
 
-class EncryptedBooleanTest(EncryptedModel):
+class EncryptedBooleanTest(EncryptedModelBase):
     value = EncryptedBooleanField(queries={"queryType": "equality"})
 
 
-class EncryptedCharTest(EncryptedModel):
+class EncryptedCharTest(EncryptedModelBase):
     value = EncryptedCharField(max_length=255, queries={"queryType": "equality"})
 
 
-class EncryptedEmailTest(EncryptedModel):
+class EncryptedEmailTest(EncryptedModelBase):
     value = EncryptedEmailField(max_length=255, queries={"queryType": "equality"})
 
 
-class EncryptedGenericIPAddressTest(EncryptedModel):
+class EncryptedGenericIPAddressTest(EncryptedModelBase):
     value = EncryptedGenericIPAddressField(queries={"queryType": "equality"})
 
 
-class EncryptedTextTest(EncryptedModel):
+class EncryptedTextTest(EncryptedModelBase):
     value = EncryptedTextField(queries={"queryType": "equality"})
 
 
-class EncryptedURLTest(EncryptedModel):
+class EncryptedURLTest(EncryptedModelBase):
     value = EncryptedURLField(max_length=500, queries={"queryType": "equality"})
 
 
 # Range-queryable fields (also support equality)
-class EncryptedBigIntegerTest(EncryptedModel):
+class EncryptedBigIntegerTest(EncryptedModelBase):
     value = EncryptedBigIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedDateTest(EncryptedModel):
+class EncryptedDateTest(EncryptedModelBase):
     value = EncryptedDateField(queries={"queryType": "range"})
 
 
-class EncryptedDateTimeTest(EncryptedModel):
+class EncryptedDateTimeTest(EncryptedModelBase):
     value = EncryptedDateTimeField(queries={"queryType": "range"})
 
 
-class EncryptedDecimalTest(EncryptedModel):
+class EncryptedDecimalTest(EncryptedModelBase):
     value = EncryptedDecimalField(max_digits=10, decimal_places=2, queries={"queryType": "range"})
 
 
-class EncryptedDurationTest(EncryptedModel):
+class EncryptedDurationTest(EncryptedModelBase):
     value = EncryptedDurationField(queries={"queryType": "range"})
 
 
-class EncryptedFloatTest(EncryptedModel):
+class EncryptedFloatTest(EncryptedModelBase):
     value = EncryptedFloatField(queries={"queryType": "range"})
 
 
-class EncryptedIntegerTest(EncryptedModel):
+class EncryptedIntegerTest(EncryptedModelBase):
     value = EncryptedIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedPositiveBigIntegerTest(EncryptedModel):
+class EncryptedPositiveBigIntegerTest(EncryptedModelBase):
     value = EncryptedPositiveBigIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedPositiveIntegerTest(EncryptedModel):
+class EncryptedPositiveIntegerTest(EncryptedModelBase):
     value = EncryptedPositiveIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedPositiveSmallIntegerTest(EncryptedModel):
+class EncryptedPositiveSmallIntegerTest(EncryptedModelBase):
     value = EncryptedPositiveSmallIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedSmallIntegerTest(EncryptedModel):
+class EncryptedSmallIntegerTest(EncryptedModelBase):
     value = EncryptedSmallIntegerField(queries={"queryType": "range"})
 
 
-class EncryptedTimeTest(EncryptedModel):
+class EncryptedTimeTest(EncryptedModelBase):
     value = EncryptedTimeField(queries={"queryType": "range"})