
I’ve recently updated my app from Micronaut 2 to Micronaut 3, and as a result all Mongo automatic CSFLE encryption/decryption has stopped working.

If I create a ClientEncryption object and manually decrypt the field, that works, and the logging shows that it is fetching KMS and key information needed to decrypt it:

INFO org.mongodb.driver.client - executeStateMachine: READY
INFO org.mongodb.driver.client - executeStateMachine: NEED_MONGO_KEYS
INFO org.mongodb.driver.client - executeStateMachine: NEED_KMS
// manual decryption result here

But for the automatic process, it just prints the READY state only, and no encryption/decryption takes place.

Are there any examples showing automatic CSFLE working with Micronaut 3, or has anyone run into this issue? Could this be a bug with Micronaut 3?


The two relevant dependencies in the Micronaut 3 upgrade are:

implementation "io.micronaut.mongodb:micronaut-mongo-reactive:4.2.0" // driver
implementation "org.mongodb:mongodb-crypt:1.5.2" // uses libmongocrypt

and the mongodb-enterprise-cryptd v5.0.6 binary is installed on the ubuntu:20.04 OS that we’re running the app on. The mongocryptdSpawnPath extra options property in the Mongo connection is pointed at the location of the installation.


  • Server version: Enterprise 4.2.21

I can’t give exact schemaMap and DB details, but here is a similar one generated by the same code, for a DB called zoo and two collections using CSFLE called dogAnimals and catAnimals.

sample dogAnimals document:

{
    "basicDetails": {
        "dogName":"Barney", // should be encrypted
        "age":5
    },
    "furtherDetails": {
        "dogBreedInfo": { // should be encrypted
            "breedName": "Golden Retriever",
            "averageLifeSpanInYears": 20
        }
    }
}

sample catAnimals document:

{
    "catName":"Mrs Miggins", // should be encrypted
    "age":2,
    "catFacts": {
        "favouriteHuman": "Robert Bingley", // should be encrypted
        "mood": "snob"
    }
}

Matching schemaMap:

{
    "zoo.dogAnimals": {
        "bsonType": "object",
        "encryptMetadata": {
            "keyId": [
                {
                    "$binary": {
                        "base64": "12345678",
                        "subType": "04"
                    }
                }
            ]
        },
        "properties": {
            "basicDetails": {
                "bsonType": "object",
                "properties": {
                    "dogName": {
                        "encrypt": {
                            "bsonType": "string",
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
                        }
                    }
                }
            },
            "futherDetails": {
                "bsonType": "object",
                "properties": {
                    "dogBreedInfo": {
                        "encrypt": {
                            "bsonType": "object",
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
                        }
                    }
                }
            }
        }
    },
    "zoo.catAnimals": {
        "bsonType": "object",
        "encryptMetadata": {
            "keyId": [
                {
                    "$binary": {
                        "base64": "12345678",
                        "subType": "04"
                    }
                }
            ]
        },
        "properties": {
            "catName": {
                "encrypt": {
                    "bsonType": "string",
                    "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
                }
            },
            "catFacts": {
                "bsonType": "object",
                "properties": {
                    "favouriteHuman": {
                        "encrypt": {
                            "bsonType": "string",
                            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
                        }
                    }
                }
            }
        }
    }
}

2 Answers


  1. Chosen as BEST ANSWER

    After much debugging it turns out the JNA library being used is not invoking the crypto binaries correctly, so it sounds like a bug. Will report this to Mongo and see if they can help fix this....


  2. Writing as answer since it’s quite big.

    But for the automatic process, it just prints the READY state only

    AFAIK, this doesn’t say a lot since this information can be cached from previous attempts (if it’s not first run).
    I’ve tried your above documents and schemaMap and it encrypts 3 of the 4 fields in your cases with auto encryption, but it doesn’t work with dogs.furtherDetails, because you have a typo: furtherDetails vs futherDetails. So make sure there are no other typos in your schemaMap.
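A check for the mismatch described in the second answer, as an added example that is not part of the original thread: it walks every `encrypt` rule in a schemaMap and reports the ones whose path does not exist in a sample plaintext document. The data is a constructed, trimmed copy of the question's dogAnimals schema and document, and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed from the question's dogAnimals schema and document
# (the "futherDetails" spelling is kept exactly as posted in the schemaMap).
SCHEMA_MAP = json.loads("""
{"zoo.dogAnimals": {"bsonType": "object", "properties": {
  "basicDetails": {"bsonType": "object", "properties": {
    "dogName": {"encrypt": {"bsonType": "string"}}}},
  "futherDetails": {"bsonType": "object", "properties": {
    "dogBreedInfo": {"encrypt": {"bsonType": "object"}}}}}}}
""")
SAMPLE_DOCS = {"zoo.dogAnimals": {
    "basicDetails": {"dogName": "Barney", "age": 5},
    "furtherDetails": {"dogBreedInfo": {"breedName": "Golden Retriever"}},
}}


def encrypted_paths(schema, prefix=()):
    """Yield the field path (tuple of keys) of every `encrypt` rule in a schema."""
    for name, sub in schema.get("properties", {}).items():
        path = prefix + (name,)
        if "encrypt" in sub:
            yield path
        else:
            yield from encrypted_paths(sub, path)


def resolves(doc, path):
    """True if `path` names a field that exists in the plaintext document."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return False
        doc = doc[key]
    return True


def unmatched_rules(schema_map, sample_docs):
    """Return (namespace, dotted path) for encrypt rules no sample field matches."""
    misses = []
    for namespace, schema in schema_map.items():
        doc = sample_docs.get(namespace, {})
        for path in encrypted_paths(schema):
            if not resolves(doc, path):
                misses.append((namespace, ".".join(path)))
    return misses


if __name__ == "__main__":
    for namespace, path in unmatched_rules(SCHEMA_MAP, SAMPLE_DOCS):
        print(f"{namespace}: no sample field matches encrypt rule '{path}'")
```

Run against representative documents in CI, a non-empty result points at a rule that will never match, which is the case where a field intended for encryption is left unencrypted.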
