Add autoEncryption configuration to the client (#889)

Author: GromNaN

config/command.php

@@ -3,6 +3,7 @@
 declare(strict_types=1);
 
 use Doctrine\Bundle\MongoDBBundle\Command\ClearMetadataCacheDoctrineODMCommand;
+use Doctrine\Bundle\MongoDBBundle\Command\ConnectionDiagnosticCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\CreateSchemaDoctrineODMCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\DropSchemaDoctrineODMCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\GenerateHydratorsDoctrineODMCommand;
@@ -15,12 +16,17 @@
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 
 use function Symfony\Component\DependencyInjection\Loader\Configurator\service;
+use function Symfony\Component\DependencyInjection\Loader\Configurator\tagged_locator;
 
 return static function (ContainerConfigurator $containerConfigurator): void {
     $containerConfigurator->services()
         ->set('doctrine_mongodb.odm.command.clear_metadata_cache', ClearMetadataCacheDoctrineODMCommand::class)
             ->tag('console.command', ['command' => 'doctrine:mongodb:cache:clear-metadata'])
 
+        ->set('doctrine_mongodb.odm.command.connection_diagnostic', ConnectionDiagnosticCommand::class)
+            ->tag('console.command', ['command' => 'doctrine:mongodb:connection:diagnostic'])
+            ->args([tagged_locator('doctrine_mongodb.connection_diagnostic', 'name')])
+
         ->set('doctrine_mongodb.odm.command.create_schema', CreateSchemaDoctrineODMCommand::class)
             ->tag('console.command', ['command' => 'doctrine:mongodb:schema:create'])
 

config/schema/mongodb-1.0.xsd

@@ -48,6 +48,7 @@
     <xsd:sequence>
       <xsd:element name="options" type="connection-options" minOccurs="0" maxOccurs="1" />
       <xsd:element name="driver-options" type="connection-driver-options" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="autoEncryption" type="auto-encryption" minOccurs="0" maxOccurs="1" />
     </xsd:sequence>
     <xsd:attribute name="id" type="xsd:string" use="required" />
     <xsd:attribute name="server" type="xsd:string" />
@@ -84,6 +85,9 @@
   </xsd:complexType>
 
   <xsd:complexType name="connection-driver-options">
+    <xsd:all>
+      <xsd:element name="autoEncryption" type="auto-encryption" minOccurs="0"/>
+    </xsd:all>
     <xsd:attribute name="context" type="xsd:string" />
   </xsd:complexType>
 
@@ -119,6 +123,99 @@
     <xsd:attribute name="value" type="xsd:string" use="required" />
   </xsd:complexType>
 
+  <xsd:complexType name="auto-encryption">
+    <xsd:sequence>
+      <xsd:element name="kmsProvider" type="kms-provider" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="masterKey" type="master-key" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="keyVaultNamespace" type="xsd:string" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="tlsOptions" type="tls-options" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="encryptedFieldsMap" type="encrypted-fields-map" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="extraOptions" type="extra-options" minOccurs="0" maxOccurs="1" />
+    </xsd:sequence>
+    <xsd:attribute name="bypassAutoEncryption" type="xsd:boolean" use="optional" />
+    <xsd:attribute name="bypassQueryAnalysis" type="xsd:boolean" use="optional" />
+  </xsd:complexType>
+
+  <xsd:complexType name="kms-provider">
+    <xsd:attribute name="type" type="xsd:string" use="required" />
+    <!-- AWS -->
+    <xsd:attribute name="accessKeyId" type="xsd:string" use="optional" />
+    <xsd:attribute name="secretAccessKey" type="xsd:string" use="optional" />
+    <xsd:attribute name="sessionToken" type="xsd:string" use="optional" />
+    <!-- Azure -->
+    <xsd:attribute name="tenantId" type="xsd:string" use="optional" />
+    <xsd:attribute name="clientId" type="xsd:string" use="optional" />
+    <xsd:attribute name="clientSecret" type="xsd:string" use="optional" />
+    <xsd:attribute name="keyVaultEndpoint" type="xsd:string" use="optional" />
+    <xsd:attribute name="identityPlatformEndpoint" type="xsd:string" use="optional" />
+    <xsd:attribute name="keyName" type="xsd:string" use="optional" />
+    <xsd:attribute name="keyVersion" type="xsd:string" use="optional" />
+    <!-- GCP -->
+    <xsd:attribute name="email" type="xsd:string" use="optional" />
+    <xsd:attribute name="privateKey" type="xsd:string" use="optional" />
+    <xsd:attribute name="endpoint" type="xsd:string" use="optional" />
+    <xsd:attribute name="projectId" type="xsd:string" use="optional" />
+    <xsd:attribute name="location" type="xsd:string" use="optional" />
+    <xsd:attribute name="keyRing" type="xsd:string" use="optional" />
+    <!-- <xsd:attribute name="keyName" type="xsd:string" use="optional" /> -->
+    <!-- <xsd:attribute name="keyVersion" type="xsd:string" use="optional" /> -->
+    <!-- KMIP -->
+    <!-- <xsd:attribute name="endpoint" type="xsd:string" use="optional" /> -->
+    <xsd:attribute name="tlsCAFile" type="xsd:string" use="optional" />
+    <xsd:attribute name="tlsClientCertificateKeyFile" type="xsd:string" use="optional" />
+    <xsd:attribute name="tlsClientCertificateKeyFilePassword" type="xsd:string" use="optional" />
+    <!-- Local -->
+    <xsd:attribute name="key" type="xsd:string" use="optional" />
+  </xsd:complexType>
+
+  <xsd:complexType name="master-key">
+    <xsd:attribute name="key" type="xsd:string" use="required" />
+  </xsd:complexType>
+
+  <xsd:complexType name="tls-options">
+    <xsd:attribute name="tlsCAFile" type="xsd:string" use="optional" />
+    <xsd:attribute name="tlsCertificateKeyFile" type="xsd:string" use="optional" />
+    <xsd:attribute name="tlsCertificateKeyFilePassword" type="xsd:string" use="optional" />
+    <xsd:attribute name="tlsDisableOCSPEndpointCheck" type="xsd:boolean" use="optional" />
+  </xsd:complexType>
+
+  <xsd:complexType name="encrypted-fields-map">
+    <xsd:sequence>
+      <xsd:element name="encryptedFields" type="encrypted-fields" minOccurs="0" maxOccurs="unbounded" />
+    </xsd:sequence>
+  </xsd:complexType>
+
+  <xsd:complexType name="encrypted-fields">
+    <xsd:sequence>
+      <xsd:element name="field" type="encrypted-field" minOccurs="1" maxOccurs="unbounded" />
+    </xsd:sequence>
+    <xsd:attribute name="name" type="xsd:string" use="required" />
+  </xsd:complexType>
+
+  <xsd:complexType name="encrypted-field">
+    <xsd:sequence>
+      <xsd:element name="queries" type="encrypted-queries" minOccurs="0" maxOccurs="1" />
+    </xsd:sequence>
+    <xsd:attribute name="path" type="xsd:string" use="required" />
+    <xsd:attribute name="bsonType" type="xsd:string" use="required" />
+  </xsd:complexType>
+
+  <xsd:complexType name="encrypted-queries">
+    <xsd:attribute name="queryType" type="xsd:string" use="required" />
+    <xsd:attribute name="min" type="xsd:string" use="optional" />
+    <xsd:attribute name="max" type="xsd:string" use="optional" />
+    <xsd:attribute name="sparsity" type="xsd:string" use="optional" />
+    <xsd:attribute name="trimFactor" type="xsd:string" use="optional" />
+  </xsd:complexType>
+
+  <xsd:complexType name="extra-options">
+    <xsd:attribute name="mongocryptdURI" type="xsd:string" use="optional" />
+    <xsd:attribute name="mongocryptdBypassSpawn" type="xsd:boolean" use="optional" />
+    <xsd:attribute name="mongocryptdSpawnPath" type="xsd:string" use="optional" />
+    <xsd:attribute name="mongocryptdSpawnArgs" type="xsd:string" use="optional" />
+    <xsd:attribute name="cryptSharedLibPath" type="xsd:string" use="optional" />
+  </xsd:complexType>
+
   <xsd:complexType name="document-manager">
     <xsd:choice maxOccurs="unbounded">
       <xsd:element name="filter" type="filter" minOccurs="0" maxOccurs="unbounded" />

docs/config.rst

@@ -624,6 +624,10 @@ Otherwise you will get a *auth failed* exception.
                 ]);
         };
 
+Using Queryable Encryption
+--------------------------
+
+TODO: Add documentation for queryable encryption configuration.
 
 Full Default Configuration
 --------------------------
@@ -699,6 +703,33 @@ Full Default Configuration
                         wTimeoutMS:                             ~
                     driver_options:
                         context:              ~ # stream context to use for connection
+                        autoEncryption:       # Options for client-side field-level encryption
+                            keyVaultClient:               null  # Service ID of a MongoDB\Driver\Manager for the key vault
+                            keyVaultNamespace:            null  # The namespace for the key vault collection (e.g., "encryption.__keyVault")
+                            kmsProvider:                  {}    # Configuration for Key Management System provider (see specific examples above)
+                                # e.g., { type: "local", key: "YOUR_BASE64_KEY" }
+                                # e.g., { type: "aws", accessKeyId: "...", secretAccessKey: "..." }
+                            masterKey:                    ~     # Default master key to use when creating a new encrypted collection
+                            schemaMap:                    []    # Document schemas for explicit encryption
+                            encryptedFieldsMap:           []    # Map of collections to their encrypted fields configuration
+                            extraOptions:                 []    # Extra options for mongocryptd
+                                # mongocryptdURI: "mongodb://localhost:27020"
+                                # mongocryptdBypassSpawn: false
+                                # mongocryptdSpawnPath: "/usr/local/bin/mongocryptd"
+                                # mongocryptdSpawnArgs: ["--idleShutdownTimeoutSecs=60"]
+                                # cryptSharedLibPath: null  # Path to the crypt_shared library
+                                # cryptSharedLibRequired: false # If true, fails if the crypt_shared library cannot be loaded
+                            bypassQueryAnalysis:          false # Disables automatic analysis of read and write operations for encryption
+                            bypassAutoEncryption:         false # Disables auto-encryption
+                            tlsOptions:                   # TLS options for the Key Vault client (if keyVaultClient is not specified)
+                                tlsCAFile:                              null  # Path to CA file, e.g., /path/to/key-vault-ca.pem
+                                tlsCertificateKeyFile:                  null  # Path to client cert/key file, e.g., /path/to/key-vault-client.pem
+                                tlsCertificateKeyFilePassword:          null  # Password for client cert/key file
+                                tlsAllowInvalidCertificates:            false # Bypass server certificate validation (use with caution)
+                                tlsAllowInvalidHostnames:               false # Bypass server hostname validation (use with caution)
+                                tlsDisableCertificateRevocationCheck:   false # Disable CRL checks
+                                tlsDisableOCSPEndpointCheck:            false # Disable OCSP checks
+                                tlsInsecure:                            false # Allow invalid/no server cert (use with extreme caution)
 
             proxy_namespace:      MongoDBODMProxies
             proxy_dir:            "%kernel.cache_dir%/doctrine/odm/mongodb/Proxies"
@@ -825,8 +856,32 @@ Full Default Configuration
 
             $config->connection('id')
                 ->server('mongodb://localhost')
-                ->driverOptions([
-                    'context' => null, // stream context to use for connection
+                ->driverOptions(['context' => null]), // stream context to use for connection
+                ->autoEncryption([ // Options for client-side field-level encryption
+                    'bypassAutoEncryption' => false, // Disables auto-encryption
+                    'keyVaultClient' => null,  // Service ID of a MongoDB\Driver\Manager for the key vault
+                    'keyVaultNamespace' => null,  // The namespace for the key vault collection (e.g., "encryption.__keyVault")
+                    'kmsProvider' => [    // Configuration for Key Management System provider
+                        // e.g., ['type' => 'local', 'key' => 'YOUR_BASE64_KEY']
+                        // e.g., ['type' => 'aws', 'accessKeyId' => '...', 'secretAccessKey' => '...']
+                    ],
+                    'schemaMap' => [],    // Document schemas for explicit encryption
+                    'encryptedFieldsMap' => [], // Map of collections to their encrypted fields configuration
+                    'extraOptions' => [    // Extra options for mongocryptd
+                        // 'cryptSharedLibPath' => null,  // Path to the crypt_shared library
+                        // 'cryptSharedLibRequired' => false, // If true, fails if the crypt_shared library cannot be loaded
+                    ],
+                    'bypassQueryAnalysis' => false, // Disables automatic analysis of read and write operations for encryption
+                    'tlsOptions' => [        // TLS options for the Key Vault client (if keyVaultClient is not specified)
+                        // 'tlsCAFile' => null,  // Path to CA file, e.g., /path/to/key-vault-ca.pem
+                        // 'tlsCertificateKeyFile' => null,  // Path to client cert/key file, e.g., /path/to/key-vault-client.pem
+                        // 'tlsCertificateKeyFilePassword' => null,  // Password for client cert/key file
+                        // 'tlsAllowInvalidCertificates' => false, // Bypass server certificate validation (use with caution)
+                        // 'tlsAllowInvalidHostnames' => false, // Bypass server hostname validation (use with caution)
+                        // 'tlsDisableCertificateRevocation' => false, // Disable CRL checks
+                        // 'tlsDisableOCSPEndpointCheck' => false, // Disable OCSP checks
+                        // 'tlsInsecure' => false, // Allow invalid/no server cert (use with extreme caution)
+                    ],
                 ])
                 ->options([
                     'authMechanism' => null,