Fix recursion

aclark4life · aclark4life · commit b1e9cc08a46e · 2025-10-01T16:14:31.000-04:00
- model check now recurses into embedded models to look for encrypted
  fields
- fields list is now conditionally extended based on the result of the
  recursive call
diff --git a/django_mongodb_backend/schema.py b/django_mongodb_backend/schema.py
@@ -456,68 +456,84 @@ def wait_until_index_dropped(collection, index_name, timeout=60, interval=0.5):
 
     def _create_collection(self, model):
         """
-        Create a collection for the model with the encrypted fields. If
-        provided, use the `_encrypted_fields_map` in the client's
-        `auto_encryption_opts`. Otherwise, create the encrypted fields map
-        with `_get_encrypted_fields`.
+        Create a collection for the model.
+        If the model has encrypted fields, build (or retrieve) the encrypted_fields schema.
         """
         db = self.get_database()
         db_table = model._meta.db_table
+
         if model_has_encrypted_fields(model):
+            # Encrypted path
             client = self.connection.connection
             auto_encryption_opts = getattr(client._options, "auto_encryption_opts", None)
             if not auto_encryption_opts:
                 raise ImproperlyConfigured(
                     f"Encrypted fields found but DATABASES['{self.connection.alias}']['OPTIONS'] "
                     "is missing auto_encryption_opts."
                 )
+
             encrypted_fields_map = getattr(auto_encryption_opts, "_encrypted_fields_map", None)
+
             if not encrypted_fields_map:
                 encrypted_fields = self._get_encrypted_fields(model, create_data_keys=True)
             else:
-                # If the encrypted fields map is provided, get the encrypted fields for the
-                # specific collection.
                 encrypted_fields = encrypted_fields_map.get(db_table)
-            db.create_collection(db_table, encryptedFields=encrypted_fields)
+
+            if encrypted_fields and encrypted_fields.get("fields"):
+                db.create_collection(db_table, encryptedFields=encrypted_fields)
+            else:
+                db.create_collection(db_table)
+
         else:
+            # Unencrypted path
             db.create_collection(db_table)
 
     def _get_encrypted_fields(self, model, create_data_keys=False, key_alt_name=None):
         """
-        Recursively collect encryption schema data for fields in a model.
+        Recursively collect encryption schema data for only encrypted fields in a model.
+        Returns None if no encrypted fields are found anywhere in the model hierarchy.
 
-        key_alt_name is the base path for this level, typically model._meta.db_table
+        key_alt_name is the base path for this level, typically model._meta.db_table.
         """
         connection = self.connection
         client = connection.connection
         fields = model._meta.fields
         key_alt_name = key_alt_name or model._meta.db_table
 
         options = client._options
-        auto_encryption_opts = options.auto_encryption_opts
-        key_vault_db, key_vault_coll = auto_encryption_opts._key_vault_namespace.split(".", 1)
-        key_vault_collection = client[key_vault_db][key_vault_coll]
+        auto_encryption_opts = getattr(options, "auto_encryption_opts", None)
+
+        key_vault_collection = None
+        if auto_encryption_opts:
+            key_vault_db, key_vault_coll = auto_encryption_opts._key_vault_namespace.split(".", 1)
+            key_vault_collection = client[key_vault_db][key_vault_coll]
+
         kms_provider = router.kms_provider(model)
         master_key = connection.settings_dict.get("KMS_CREDENTIALS", {}).get(kms_provider)
-        client_encryption = self.connection.client_encryption
+        client_encryption = getattr(self.connection, "client_encryption", None)
 
         field_list = []
 
         for field in fields:
             new_path = f"{key_alt_name}.{field.column}"
 
-            # --- EmbeddedModelField case ---
+            # --- EmbeddedModelField ---
             if isinstance(field, EmbeddedModelField):
-                field_dict = {"bsonType": "object", "path": field.column}
-
                 if getattr(field, "encrypted", False):
+                    # Entire sub-object is encrypted
                     if create_data_keys:
+                        if not client_encryption:
+                            raise ImproperlyConfigured("client_encryption is not configured.")
                         data_key = client_encryption.create_data_key(
                             kms_provider=kms_provider,
                             master_key=master_key,
                             key_alt_names=[new_path],
                         )
                     else:
+                        if key_vault_collection is None:
+                            raise ImproperlyConfigured(
+                                f"Encrypted field {new_path} detected but no key vault configured"
+                            )
                         key_doc = key_vault_collection.find_one({"keyAltNames": new_path})
                         if not key_doc:
                             raise ValueError(
@@ -526,33 +542,42 @@ def _get_encrypted_fields(self, model, create_data_keys=False, key_alt_name=None
                             )
                         data_key = key_doc["_id"]
 
-                    field_dict["keyId"] = data_key
-
+                    field_dict = {
+                        "bsonType": "object",
+                        "path": field.column,
+                        "keyId": data_key,
+                    }
                     if getattr(field, "queries", False):
                         field_dict["queries"] = field.queries
 
                     field_list.append(field_dict)
-                    continue
-
-                # Not encrypting whole object — add object entry and recurse
-                field_list.append(field_dict)
-                embedded_result = self._get_encrypted_fields(
-                    field.embedded_model,
-                    create_data_keys=create_data_keys,
-                    key_alt_name=new_path,
-                )
-                field_list.extend(embedded_result["fields"])
+                else:
+                    # Not encrypting whole object — recurse first then
+                    # conditionally extend field list
+                    embedded_result = self._get_encrypted_fields(
+                        field.embedded_model,
+                        create_data_keys=create_data_keys,
+                        key_alt_name=new_path,
+                    )
+                    if embedded_result and embedded_result.get("fields"):
+                        field_list.extend(embedded_result["fields"])
                 continue
 
-            # --- Leaf encrypted field case ---
+            # --- Leaf encrypted field ---
             if getattr(field, "encrypted", False):
                 if create_data_keys:
+                    if not client_encryption:
+                        raise ImproperlyConfigured("client_encryption is not configured.")
                     data_key = client_encryption.create_data_key(
                         kms_provider=kms_provider,
                         master_key=master_key,
-                        key_alt_names=[new_path],  # distinct per field
+                        key_alt_names=[new_path],
                     )
                 else:
+                    if key_vault_collection is None:
+                        raise ImproperlyConfigured(
+                            f"Encrypted field {new_path} detected but no key vault configured"
+                        )
                     key_doc = key_vault_collection.find_one({"keyAltNames": new_path})
                     if not key_doc:
                         raise ValueError(
@@ -571,7 +596,7 @@ def _get_encrypted_fields(self, model, create_data_keys=False, key_alt_name=None
 
                 field_list.append(field_dict)
 
-        return {"fields": field_list}
+        return {"fields": field_list} if field_list else None
 
 
 # GISSchemaEditor extends some SchemaEditor methods.
diff --git a/django_mongodb_backend/utils.py b/django_mongodb_backend/utils.py
@@ -189,4 +189,20 @@ def wrapper(self, *args, **kwargs):
 
 
 def model_has_encrypted_fields(model):
-    return any(getattr(field, "encrypted", False) for field in model._meta.fields)
+    """
+    Recursively check if this model or any embedded models contain encrypted fields.
+    Returns True if encryption is found anywhere in the hierarchy.
+    """
+    from django_mongodb_backend.fields import EmbeddedModelField  # noqa: PLC0415
+
+    for field in model._meta.fields:
+        if getattr(field, "encrypted", False):
+            return True
+
+        # Recursively check embedded models.
+        if isinstance(field, EmbeddedModelField) and model_has_encrypted_fields(
+            field.embedded_model
+        ):
+            return True
+
+    return False
