Skip to content

[Encryption] Fix format of encryptedFieldsMaps in the autoEncryption configuration #905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: feature/queryable-encryption
Choose a base branch
from
Open

[Encryption] Fix format of encryptedFieldsMaps in the autoEncryption configuration #905

wants to merge 5 commits into from

Conversation

GromNaN
Copy link
Member

@GromNaN GromNaN commented Jul 4, 2025

In driver options, the encryptedFieldsMap option must:

  1. contain a fields key with the list of fields
  2. convert query.min and query.max to the same BSON type as the field
  3. contain the keyId. But this value will change every time the database is reset.

This needs to be improved by leveraging keyAltNames.

GromNaN
GromNaN commented Jul 4, 2025
View reviewed changes
src/Command/DumpEncryptedFieldsMapCommand.php
$encryptedFieldsMap = [];
foreach ($documentManager->getMetadataFactory()->getAllMetadata() as $metadata) {
$database = $documentManager->getDocumentDatabase($metadata->getName());
$collectionInfoIterator = $database->listCollections(['filter' => ['name' => $metadata->getCollection()]]);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is inspired by the get_encrypted_fields_from_server function.

GromNaN
GromNaN commented Jul 7, 2025
View reviewed changes
alcaeus
alcaeus reviewed Jul 7, 2025
View reviewed changes
Copy link
Member

@alcaeus alcaeus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this change is reasonable. We need to make sure how to properly generate the encryptedFieldsMap for use in the configuration. For a future improvement, we can consider dumping the encryptedFieldsMap based on the return value of createEncryptedCollection calls in the schema:create command.

@GromNaN GromNaN force-pushed the encryptedFieldsMap branch from 125545d to 96849e3 Compare July 10, 2025 09:25
GromNaN
GromNaN commented Jul 10, 2025
View reviewed changes
tests/DependencyInjection/Fixtures/config/xml/full.xml
<doctrine:queries queryType="equality" />
</doctrine:field>
</doctrine:encryptedFields>
<![CDATA[
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alcaeus Since the XML format is set to disappear, I have simplified the configuration here. EncryptedFieldsMap is a JSON string that is copied from the dump command in the XML. It is too complicated to convert this to XML tags, and most likely unusable anyway.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense 👍

@GromNaN GromNaN changed the title Fix format of encryptedFieldsMaps in the autoEncryption configuration [Encryption] Fix format of encryptedFieldsMaps in the autoEncryption configuration Jul 10, 2025
@GromNaN GromNaN marked this pull request as ready for review July 10, 2025 09:30
@GromNaN GromNaN force-pushed the encryptedFieldsMap branch from 96849e3 to 3eb3779 Compare July 10, 2025 09:30
@GromNaN GromNaN requested a review from paulinevos July 10, 2025 11:01
@GromNaN GromNaN mentioned this pull request Jul 10, 2025
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alcaeus alcaeus alcaeus left review comments

@paulinevos paulinevos Awaiting requested review from paulinevos

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GromNaN @alcaeus