Skip to content

Support text indexes with encryption #1797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Sep 10, 2025
Merged

Support text indexes with encryption #1797

merged 4 commits into from
Sep 10, 2025

Conversation

rozza
Copy link
Member

@rozza rozza commented Sep 1, 2025
edited
Loading

Added TextPreview support for Prefix/Suffix/Substring Indexes

JAVA-5851
JAVA-5903
JAVA-5924

@rozza rozza force-pushed the JAVA-5851 branch 6 times, most recently from 13f5c5d to 7832e76 Compare September 3, 2025 10:20
rozza
rozza commented Sep 3, 2025
View reviewed changes
driver-core/src/test/functional/com/mongodb/client/test/CollectionHelper.java
drop(namespace, writeConcern);
}

public void dropAndCreate(final BsonDocument createOptions) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now part of the Spec and ensures that fresh encryption collections are made. This ensures __safeContent__ values are predictable and testable.

driver-sync/src/test/functional/com/mongodb/client/unified/Entities.java
for (Map.Entry<String, BsonValue> entry : entity.getDocument("autoEncryptOpts").entrySet()) {
BsonDocument autoEncryptOpts = entity.getDocument("autoEncryptOpts");

String cryptSharedLibPath = getEnv("CRYPT_SHARED_LIB_PATH", "");
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allows the crypt shared library to be set in the env.

driver-sync/src/test/functional/com/mongodb/client/unified/RunOnRequirementsMatcher.java
requirementMet = false;
break requirementLoop;
}
if (curRequirement.getValue().isDocument()) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a change in the schema - csfle can be either: true or a document setting the minLibmongocryptVersion.

driver-sync/src/test/functional/com/mongodb/client/unified/UnifiedClientEncryptionHelper.java
case "aws:name1":
setKmsProviderProperty(kmsProviderMap, kmsProviderOptions, "accessKeyId", "AWS_ACCESS_KEY_ID");
setKmsProviderProperty(kmsProviderMap, kmsProviderOptions, "secretAccessKey", "AWS_SECRET_ACCESS_KEY");
// awsTemporary uses `aws` and includes a `sessionToken`.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit awkward as previously the awsTemporary was used when a session token was provided. So I'll check and see if this should be preferred in the unified version of awsTemporary.yml

driver-sync/src/test/functional/com/mongodb/client/unified/UnifiedClientEncryptionHelper.java

BsonValue kmsValue = kmsProviderOptions.get(key);
if (kmsValue.isString()) {
if (kmsValue.isString() && !key.equals("sessionToken")) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sessionToken values should be left as a string and not converted to bytes[]

mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoCryptContextImpl.java
public State getState() {
isTrue("open", !closed);
return State.fromIndex(mongocrypt_ctx_state(wrapped));
State state = State.fromIndex(mongocrypt_ctx_state(wrapped));
Copy link
Member Author

@rozza rozza Sep 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although this hasn't been needed so far. It makes sense to check for an error state and handle if its ever flagged.

I noticed other language implementations do this check.

mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoCryptImpl.java
* <li>Provides context creation for encryption, decryption, key management, and explicit operations.</li>
* <li>Manages native resource lifecycle and error handling.</li>
* </ul>
*/
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes here are 99% refactorings, to dry up the code. This was done with the help of copilot when trying to debug some errors. I also added documentation to aid us devs when coming back to this code after a long time.

The real addition / change is the use of the mongocrypt_ctx_setopt_algorithm_text step for textPreview.

mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoCryptImpl.java
withBinaryHolder(options.getRangeOptions(),
binary -> configureContext(context, () -> mongocrypt_ctx_setopt_algorithm_range(context, binary)));
}
if (options.getTextOptions() != null) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the behavioral change - adds text options when using textPreview.

mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoExplicitEncryptOptions.java
this.contentionFactor = builder.contentionFactor;
this.queryType = builder.queryType;
this.rangeOptions = builder.rangeOptions;
if (!(Objects.equals(algorithm, "Indexed") || Objects.equals(algorithm, "Range"))) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec expects libmongocrypt to report errors. So this removes our custom error reporting. A test was updated to reflect this.

mongodb-crypt/src/test/java/com/mongodb/crypt/capi/MongoCryptTest.java

assertEquals("Invalid configuration, contentionFactor can only be set if algorithm is 'Indexed' or 'Range'",
illegalStateException.getMessage());
MongoCryptException exp = assertThrows(MongoCryptException.class, () -> mongoCrypt.createEncryptExpressionContext(valueToEncrypt, options));
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now this test actually reflects the test name: testRangePreviewAlgorithmIsNotSupported

@rozza rozza marked this pull request as ready for review September 3, 2025 11:53
@rozza rozza requested a review from a team as a code owner September 3, 2025 11:53
@rozza rozza requested review from katcharov and nhachicha and removed request for a team September 3, 2025 11:53
@rozza rozza mentioned this pull request Sep 4, 2025
Closed
@nhachicha nhachicha requested a review from Copilot September 8, 2025 09:10
Copilot
Copilot AI reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for text indexes with encryption by implementing the TextPreview algorithm for queryable encryption. It includes comprehensive changes to support prefix, suffix, and substring search operations on encrypted text fields.

  • Added TextOptions class to define text search parameters (case sensitivity, diacritic sensitivity, and query length limits)
  • Extended MongoExplicitEncryptOptions to support text-specific configuration
  • Updated encryption validation logic and native library version requirements

Reviewed Changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
driver-core/src/main/com/mongodb/client/model/vault/TextOptions.java New TextOptions class for configuring text encryption parameters
driver-core/src/main/com/mongodb/client/model/vault/EncryptOptions.java Added textOptions field and updated documentation for TextPreview algorithm
mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoExplicitEncryptOptions.java Added textOptions support and removed validation restrictions
mongodb-crypt/src/main/com/mongodb/internal/crypt/capi/MongoCryptImpl.java Refactored binary handling and added text algorithm configuration
driver-sync/src/test/functional/com/mongodb/client/AbstractClientEncryptionTextExplicitEncryptionTest.java Comprehensive test suite for text encryption functionality
mongodb-crypt/build.gradle.kts Updated libmongocrypt version to 1.15.1
driver-core/src/test/resources/specifications Updated specifications submodule

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

nhachicha
nhachicha approved these changes Sep 8, 2025
View reviewed changes
Copy link
Contributor

@nhachicha nhachicha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, minor stuff 👍

@rozza rozza requested a review from nhachicha September 9, 2025 08:11
@rozza rozza merged commit 94103af into mongodb:main Sep 10, 2025
48 of 55 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@katcharov katcharov Awaiting requested review from katcharov katcharov is a code owner automatically assigned from mongodb/dbx-java

@nhachicha nhachicha Awaiting requested review from nhachicha

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rozza @nhachicha