Class: Mongo::Crypt::AutoEncrypter Private

Inherits:

Object

Object
Mongo::Crypt::AutoEncrypter

show all

Defined in:: lib/mongo/crypt/auto_encrypter.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

An AutoEcnrypter is an object that encapsulates the behavior of automatic encryption. It controls all resources associated with auto-encryption, including the libmongocrypt handle, key vault client object, mongocryptd client object, and encryption I/O.

The AutoEncrypter is kept as an instance on a Mongo::Client. Client objects with the same auto_encryption_options Hash may share AutoEncrypters.

Constant Summary collapse

DEFAULT_EXTRA_OPTIONS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

A Hash of default values for the :extra_options option

Options::Redacted.new({
  mongocryptd_uri: 'mongodb://localhost:27020',
  mongocryptd_bypass_spawn: false,
  mongocryptd_spawn_path: 'mongocryptd',
  mongocryptd_spawn_args: ['--idleShutdownTimeoutSecs=60'],
})

Instance Attribute Summary collapse

#key_vault_client ⇒ Object readonly private
#mongocryptd_client ⇒ Object readonly private
#options ⇒ Object readonly private

Instance Method Summary collapse

#close ⇒ true private

Close the resources created by the AutoEncrypter.
#decrypt(command) ⇒ BSON::Document private

Decrypt a database command.
#encrypt(database_name, command) ⇒ BSON::Document private

Encrypt a database command.
#encrypt? ⇒ Boolean private

Whether this encrypter should perform encryption (returns false if the :bypass_auto_encryption option is set to true).
#initialize(options) ⇒ AutoEncrypter constructor private

Set up encryption-related options and instance variables on the class that includes this module.

Constructor Details

#initialize(options) ⇒ `AutoEncrypter`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Set up encryption-related options and instance variables on the class that includes this module. Calls the same method on the Mongo::Crypt::Encrypter module.

Parameters:

options (Hash)

Options Hash (options):

:client (Mongo::Client) —

A client connected to the encrypted collection.
:key_vault_client (Mongo::Client | nil) —

A client connected to the MongoDB instance containing the encryption key vault; optional. If not provided, will default to :client option.
:key_vault_namespace (String) —

The namespace of the key vault in the format database.collection.
:schema_map (Hash | nil) —

The JSONSchema of the collection(s) with encrypted fields.
:bypass_auto_encryption (Boolean | nil) —

When true, disables auto-encryption. Default is false.
:extra_options (Hash | nil) —

Options related to spawning mongocryptd. These are set to default values if no option is passed in.

Raises:

(ArgumentError) —

If required options are missing or incorrectly formatted.

# File 'lib/mongo/crypt/auto_encrypter.rb', line 64

def initialize(options)
  @options = set_default_options(options).freeze

  @crypt_handle = Crypt::Handle.new(
    @options[:kms_providers],
    schema_map: @options[:schema_map]
  )

  @key_vault_client = @options[:key_vault_client]

  # Set server selection timeout to 1 to prevent the client waiting for a
  # long timeout before spawning mongocryptd
  @mongocryptd_client = Client.new(
    @options[:extra_options][:mongocryptd_uri],
    monitoring_io: @options[:client].options[:monitoring_io],
    server_selection_timeout: 1,
  )

  begin
    @encryption_io = EncryptionIO.new(
      client: @options[:client],
      mongocryptd_client: @mongocryptd_client,
      key_vault_namespace: @options[:key_vault_namespace],
      key_vault_client: @key_vault_client,
      mongocryptd_options: @options[:extra_options]
    )
  rescue
    begin
      @mongocryptd_client.close
    rescue => e
      log_warn("Eror closing mongocryptd client in auto encrypter's constructor: #{e.class}: #{e}")
      # Drop this exception so that the original exception is raised
    end
    raise
  end
end

Instance Attribute Details

#key_vault_client ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



31
32
33

# File 'lib/mongo/crypt/auto_encrypter.rb', line 31

def key_vault_client
  @key_vault_client
end

#mongocryptd_client ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



30
31
32

# File 'lib/mongo/crypt/auto_encrypter.rb', line 30

def mongocryptd_client
  @mongocryptd_client
end

#options ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



32
33
34

# File 'lib/mongo/crypt/auto_encrypter.rb', line 32

def options
  @options
end

Instance Method Details

#close ⇒ `true`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Close the resources created by the AutoEncrypter.

Returns:

(true) —

Always true.

# File 'lib/mongo/crypt/auto_encrypter.rb', line 141

def close
  @mongocryptd_client.close if @mongocryptd_client

  true
end

#decrypt(command) ⇒ `BSON::Document`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Decrypt a database command.

Parameters:

command (Hash) —

The command with encrypted fields.

Returns:

(BSON::Document) —

The decrypted command.

# File 'lib/mongo/crypt/auto_encrypter.rb', line 130

def decrypt(command)
  AutoDecryptionContext.new(
    @crypt_handle,
    @encryption_io,
    command
  ).run_state_machine
end

#encrypt(database_name, command) ⇒ `BSON::Document`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Encrypt a database command.

Parameters:

database_name (String) —

The name of the database on which the command is being run.
command (Hash) —

The command to be encrypted.

Returns:

(BSON::Document) —

The encrypted command.

# File 'lib/mongo/crypt/auto_encrypter.rb', line 116

def encrypt(database_name, command)
  AutoEncryptionContext.new(
    @crypt_handle,
    @encryption_io,
    database_name,
    command
  ).run_state_machine
end

#encrypt? ⇒ `Boolean`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Whether this encrypter should perform encryption (returns false if the :bypass_auto_encryption option is set to true).

Returns:

(Boolean) —

Whether to perform encryption.



105
106
107

# File 'lib/mongo/crypt/auto_encrypter.rb', line 105

def encrypt?
  !@options[:bypass_auto_encryption]
end

Class: Mongo::Crypt::AutoEncrypter Private

Overview

Constant Summary collapse

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options) ⇒ AutoEncrypter

Instance Attribute Details

#key_vault_client ⇒ Object (readonly)

#mongocryptd_client ⇒ Object (readonly)

#options ⇒ Object (readonly)

Instance Method Details

#close ⇒ true

#decrypt(command) ⇒ BSON::Document

#encrypt(database_name, command) ⇒ BSON::Document

#encrypt? ⇒ Boolean

#initialize(options) ⇒ `AutoEncrypter`

#key_vault_client ⇒ `Object` (readonly)

#mongocryptd_client ⇒ `Object` (readonly)

#options ⇒ `Object` (readonly)

#close ⇒ `true`

#decrypt(command) ⇒ `BSON::Document`

#encrypt(database_name, command) ⇒ `BSON::Document`

#encrypt? ⇒ `Boolean`