Code review fixes (3/x)

In the QE topics guide I'm going to explain how to develop a patient model
similar to the Python QE tutorial and the encryption test suite.

If embedding were possible now, I could present the same example. Since
embedded models are a WIP I may either:

- design the guide to work around that issue
- design the guide to anticipate resolution of that issue

In ether case, I'll try to wrap this 24-48 hour docs jam having covered
everything I know about QE and Django and having presented it to Django
folks in a way we can support.

Author: aclark4life

docs/source/howto/queryable-encryption.rst

@@ -4,6 +4,10 @@ Configuring Queryable Encryption
 
 .. versionadded:: 5.2.0rc1
 
+This guide is similar to the
+:doc:`manual:core/queryable-encryption/quick-start` but with some additional
+steps required to configure Queryable Encryption with Django MongoDB Backend.
+
 .. admonition:: MongoDB requirements
 
     Queryable Encryption can be used with MongoDB replica sets or sharded
@@ -94,27 +98,72 @@ configure a custom router for Queryable Encryption:
 
     DATABASE_ROUTERS = [EncryptedRouter]
 
-Configuring KMS Providers
-=========================
-
-To use Queryable Encryption, you must configure a Key Management Service (KMS)
-provider. The KMS provider is responsible for managing the encryption keys used
-to encrypt and decrypt data. The following table summarizes the available KMS
-provider options and how to configure them:
-
-+-------------------------------------------------------------------------+---------------------------------------+
-| :setting:`KMS_CREDENTIALS <DATABASE-KMS-CREDENTIALS>`                   | A dictionary of Key Management        |
-|                                                                         | Service (KMS) credentials             |
-|                                                                         | configured in the                     |
-|                                                                         | :setting:`django:DATABASES`           |
-|                                                                         | setting.                              |
-+-------------------------------------------------------------------------+---------------------------------------+
-| :class:`kms_providers <pymongo.encryption_options.AutoEncryptionOpts>`  | Map of KMS provider credentials and   |
-|                                                                         | options. The ``kms_providers`` map    |
-|                                                                         | values differ by provider and are     |
-|                                                                         | required to access KMS services.      |
-+-------------------------------------------------------------------------+---------------------------------------+
-| ``kms_provider``                                                        | A single KMS provider name            |
-|                                                                         | configured in your custom database    |
-|                                                                         | router.                               |
-+-------------------------------------------------------------------------+---------------------------------------+
+Configuring the Key Management Service (KMS)
+============================================
+
+To use Queryable Encryption, you must configure a Key Management Service (KMS).
+The KMS is responsible for managing the encryption keys used to encrypt and
+decrypt data. The following table summarizes the available KMS configuration
+options followed by an example of how to use them.
+
++-------------------------------------------------------------------------+--------------------------------------------------------+
+| :setting:`KMS_CREDENTIALS <DATABASE-KMS-CREDENTIALS>`                   | A dictionary of Key Management Service (KMS)           |
+|                                                                         | credentials configured in the                          |
+|                                                                         | :setting:`django:DATABASES` setting.                   |
++-------------------------------------------------------------------------+--------------------------------------------------------+
+| :class:`kms_providers <pymongo.encryption_options.AutoEncryptionOpts>`  | A dictionary of KMS provider credentials used to       |
+|                                                                         | access the KMS with                                    |
+|                                                                         | :setting:`KMS_CREDENTIALS <DATABASE-KMS-CREDENTIALS>`. |
++-------------------------------------------------------------------------+--------------------------------------------------------+
+| ``kms_provider``                                                        | A single KMS provider name                             |
+|                                                                         | configured in your custom database                     |
+|                                                                         | router.                                                |
++-------------------------------------------------------------------------+--------------------------------------------------------+
+
+Example of KMS configuration with AWS KMS:
+
+.. code-block:: python
+
+    from django_mongodb_backend import parse_uri
+    from pymongo.encryption_options import AutoEncryptionOpts
+
+    DATABASES = {
+        "encrypted": parse_uri(
+            DATABASE_URL,
+            options={
+                "auto_encryption_opts": AutoEncryptionOpts(
+                    key_vault_namespace="keyvault.keyvault",
+                    kms_providers={
+                        "aws": {
+                            "accessKeyId": "your-access-key-id",
+                            "secretAccessKey": "your-secret-access-key",
+                        }
+                    },
+                )
+            },
+            db_name="encrypted",
+        ),
+    }
+
+    DATABASES["encrypted"]["KMS_CREDENTIALS"] = {
+        "aws": {
+            "key": os.getenv("AWS_KEY_ARN", ""),
+            "region": os.getenv("AWS_KEY_REGION", ""),
+        },
+    }
+
+
+    class EncryptedRouter:
+        # ...
+        def kms_provider(self, model, **hints):
+            return "aws"
+
+
+Configuring the ``encrypted_fields_map``
+========================================
+
+Configuring the Crypt Shared Library
+====================================
+
+You are now ready to :doc:`develop with Queryable Encryption
+</topics/queryable-encryption>` in Django MongoDB Backend!

docs/source/ref/models/encrypted-fields.rst

@@ -36,8 +36,6 @@ Queryable Encryption.
 +----------------------------------------+------------------------------------------------------+
 | ``EncryptedIntegerField``              | :class:`~django.db.models.IntegerField`              |
 +----------------------------------------+------------------------------------------------------+
-| ``EncryptedPositiveBigIntegerField``   | :class:`~django.db.models.PositiveBigIntegerField`   |
-+----------------------------------------+------------------------------------------------------+
 | ``EncryptedPositiveIntegerField``      | :class:`~django.db.models.PositiveIntegerField`      |
 +----------------------------------------+------------------------------------------------------+
 | ``EncryptedPositiveSmallIntegerField`` | :class:`~django.db.models.PositiveSmallIntegerField` |

docs/source/topics/queryable-encryption.rst

@@ -3,3 +3,5 @@ Queryable Encryption
 ====================
 
 .. versionadded:: 5.2.0rc1
+
+Use :doc:`/ref/models/encrypted-fields` to structure your sensitive data.

tests/encryption_/models.py

@@ -11,7 +11,6 @@
     EncryptedFloatField,
     EncryptedGenericIPAddressField,
     EncryptedIntegerField,
-    EncryptedPositiveIntegerField,
     EncryptedPositiveSmallIntegerField,
     EncryptedSmallIntegerField,
     EncryptedTextField,
@@ -77,9 +76,8 @@ class Meta:
 
 
 class EncryptedNumbers(models.Model):
-    class Meta:
-        required_db_features = {"supports_queryable_encryption"}
-
-    pos_bigint = EncryptedPositiveIntegerField(queries=EQUALITY_QUERY)
     pos_smallint = EncryptedPositiveSmallIntegerField(queries=EQUALITY_QUERY)
     smallint = EncryptedSmallIntegerField(queries=EQUALITY_QUERY)
+
+    class Meta:
+        required_db_features = {"supports_queryable_encryption"}

tests/encryption_/test_base.py

@@ -5,6 +5,7 @@
 from .models import (
     Appointment,
     Billing,
+    EncryptedNumbers,
     Patient,
     PatientPortalUser,
     PatientRecord,
@@ -45,3 +46,7 @@ def setUp(self):
             is_active=True,
             email="[email protected]",
         )
+        EncryptedNumbers.objects.create(
+            pos_smallint=12345,
+            smallint=-12345,
+        )

tests/encryption_/test_fields.py

@@ -81,20 +81,10 @@ def test_patient(self):
         records = connections["encrypted"].database.encryption__patientrecord.find()
         self.assertTrue("__safeContent__" in records[0])
 
-    def test_numeric_fields(self):
-        """
-        Fields that have not been tested elsewhere.
-        """
-        EncryptedNumbers.objects.create(
-            pos_bigint=1000000,
-            pos_smallint=12345,
-            smallint=-12345,
-        )
-
-        obj = EncryptedNumbers.objects.get(pos_bigint=1000000)
+    def test_pos_small_int(self):
         obj = EncryptedNumbers.objects.get(pos_smallint=12345)
-        obj = EncryptedNumbers.objects.get(smallint=-12345)
-
-        self.assertEqual(obj.pos_bigint, 1000000)
         self.assertEqual(obj.pos_smallint, 12345)
+
+    def test_small_int(self):
+        obj = EncryptedNumbers.objects.get(smallint=-12345)
         self.assertEqual(obj.smallint, -12345)

tests/encryption_/test_management.py

@@ -1,12 +1,8 @@
-import os
 from io import StringIO
 
-import pymongo
 from bson import json_util
 from django.core.management import call_command
-from django.db import connections
 from django.test import modify_settings, override_settings
-from pymongo.encryption import AutoEncryptionOpts
 
 from .routers import TestEncryptedRouter
 from .test_base import QueryableEncryptionTestCase
@@ -81,32 +77,7 @@ def test_create_new_keys(self):
             stdout=out,
         )
         command_output = json_util.loads(out.getvalue())
-
-        # TODO: Until the todo below is fixed, you can test this feature
-        # manually by uncommenting the following line and pasting the output
-        # into your client-side `encrypted_fields_map` configuration. You also
-        # need to temporarily configure server-side encryption for this to
-        # procedure to work.
-        # print(command_output)
         self._compare_output(
             self.expected_patient_record,
             command_output["encryption__patientrecord"],
         )
-
-        # Create a new connection to verify that the keys can be used in a
-        # client-side configuration to migrate the encrypted fields.
-        conn_params = connections["encrypted"].get_connection_params()
-        auto_encryption_opts = AutoEncryptionOpts(
-            key_vault_namespace="encryption.__keyvault",
-            kms_providers={"local": {"key": os.urandom(96)}},
-            encrypted_fields_map=command_output,
-        )
-        if conn_params.pop("auto_encryption_opts", False):
-            # Call MongoClient instead of get_new_connection because
-            # get_new_connection will return the encrypted connection from the
-            # connection pool.
-            with pymongo.MongoClient(**conn_params, auto_encryption_opts=auto_encryption_opts):
-                call_command("migrate", "--database", "encrypted", verbosity=0)
-
-        # TODO: Check the key vault to ensure that the keys created by
-        # `showencryptedfieldsmap --create-new-keys` are in the key vault.