I am implementing manual client-side encryption of specific properties in my document. The MongoDB documentation suggests that I can specify a schema that can be used to carry out server-side validation; I’m trying to set this up in order to ensure that the properties are correctly encrypted by the client code.
I’m specifying the schema when the collection is being created.
var schemaMap = new Dictionary<string, BsonDocument> { { collectionNamespace.CollectionName, schema } };
var options = new AutoEncryptionOptions(
    keyVaultNamespace,
    kmsProviders,
    schemaMap: schemaMap,
    bypassAutoEncryption: true);
var settings = MongoClientSettings.FromConnectionString(connectionString);
settings.AutoEncryptionOptions = options;
var client = new MongoClient(settings);
var encryptedDatabase = client.GetDatabase(collectionNamespace.DatabaseNamespace.DatabaseName);
encryptedDatabase.CreateCollection(collectionNamespace.CollectionName);
And then again when creating the MongoDB client that is used to insert the documents.
var clientSettings = MongoClientSettings.FromConnectionString(connectionString);
var autoEncryptionOptions = new AutoEncryptionOptions(
    keyVaultNamespace: keyVaultNamespace,
    kmsProviders: kmsProviders,
    schemaMap: schemaMap,
    bypassAutoEncryption: true
);
clientSettings.AutoEncryptionOptions = autoEncryptionOptions;
var secureClient = new MongoClient(clientSettings);
When I then insert a document that intentionally doesn’t comply with the configured schema, no exception is thrown to identify the issue.
secureCollection.InsertOne(sampleDocument);
The schema being used is based on the MongoDB example code.
I’m working with an Azure Cosmos DB for MongoDB account, server version 4.2. The MongoDB.Driver version is 2.20.0.
Have I misunderstood what the schema validation is capable of doing? Or have I missed a step?
Any pointers would be useful, thanks.
2 Answers
Whilst the original attempt at schema validation using AutoEncryptionOptions was incorrect (as helpfully pointed out by @dododo), further investigation into how to implement server-side schema validation led to defining a Validator when creating a Collection. This approach still didn't work, but this is due to the database being used, rather than the implementation. The solution being worked on is using the MongoDB API to access an Azure CosmosDB. An answer from Microsoft states that this functionality isn't supported by CosmosDB.
Closer examination of the Microsoft Azure Cosmos DB for MongoDB vs MongoDB Atlas documentation reveals that 'JSON schema for data governance controls' is 'Currently in development'.
See below:
If bypassAutoEncryption=true, then you skip all encryption logic, so only decryption could happen if the field was encrypted previously. schemaMap is to provide a path to the encrypted field; it doesn’t validate the document, and if the path leads to a non-existent field then the whole encryption logic is skipped.
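To tie the two answers together: the schemaMap passed to AutoEncryptionOptions only tells the driver which paths to encrypt, so the server-side check the question is after has to be a collection Validator, as the first answer found. The following is an added example (not code from the question or either answer) showing that shape with the MongoDB.Driver C# API; the field name "ssn", the data key id and the rejected sample document are constructed for illustration, and the rejection will only be observed on a MongoDB server that enforces validators, which the first answer notes Cosmos DB for MongoDB 4.2 does not.

```csharp
using System;
using MongoDB.Bson;
using MongoDB.Driver;

// Constructed example: enforce on the server that "ssn" arrives already encrypted.
// dataKeyId is assumed to be a data key created earlier via ClientEncryption.CreateDataKey.
public static class EncryptedFieldValidator
{
    // $jsonSchema using the "encrypt" keyword: the server checks the stored value is
    // ciphertext (BinData subtype 6) for this key and algorithm, not a plaintext string.
    public static BsonDocument BuildSchema(Guid dataKeyId)
    {
        var encrypt = new BsonDocument
        {
            { "bsonType", "string" },   // plaintext type the client must have encrypted
            { "algorithm", "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" },
            { "keyId", new BsonArray { new BsonBinaryData(dataKeyId, GuidRepresentation.Standard) } }
        };
        return new BsonDocument
        {
            { "bsonType", "object" },
            { "properties", new BsonDocument("ssn", new BsonDocument("encrypt", encrypt)) }
        };
    }

    // Create the collection with the validator attached. A plain client is enough here;
    // AutoEncryptionOptions is not involved in server-side validation at all.
    public static void CreateValidatedCollection(IMongoDatabase db, string name, Guid dataKeyId)
    {
        var options = new CreateCollectionOptions<BsonDocument>
        {
            Validator = new BsonDocumentFilterDefinition<BsonDocument>(
                new BsonDocument("$jsonSchema", BuildSchema(dataKeyId))),
            ValidationLevel = DocumentValidationLevel.Strict,
            ValidationAction = DocumentValidationAction.Error
        };
        db.CreateCollection(name, options);
    }

    // A plaintext "ssn" is rejected by a server that enforces the validator with
    // write error code 121 (DocumentValidationFailure); returns true when that happens.
    public static bool PlaintextInsertIsRejected(IMongoCollection<BsonDocument> coll)
    {
        try
        {
            coll.InsertOne(new BsonDocument { { "name", "test" }, { "ssn", "123-45-6789" } });
            return false;   // accepted: the server did not enforce the schema
        }
        catch (MongoWriteException e) when (e.WriteError.Code == 121)
        {
            return true;
        }
    }
}
```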