From 31612b94ee18f87a85380eeb64657da8c50b84dc Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 14:02:09 -0400 Subject: [PATCH 01/13] DRIVERS-3294 Update test error message substring --- source/client-side-encryption/tests/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index ce5370c210..af42f3d683 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3673,7 +3673,8 @@ Run an aggregate operation on `db.csfle` with the following pipeline: ] ``` -Expect an exception to be thrown with a message containing the substring `not supported`. +Expect an exception to be thrown with a message containing the substring `Cannot specify both encryptionInformation and +csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1 From c293e1b3a2a701a027afe6dc486a29cf1f52988f Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 14:31:27 -0400 Subject: [PATCH 02/13] DRIVERS-3294 Update changelog --- source/client-side-encryption/client-side-encryption.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index 29f7e4eba3..6f4dd81cfb 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -2519,6 +2519,8 @@ explicit session parameter as described in the [Drivers Sessions Specification]( ## Changelog +- 2025-09-29: Update expected error substring in case 8 of `$lookup` prose test. + - 2025-08-06: Add `TextPreview` algorithm. - 2024-02-19: Add custom options AWS credential provider. From 9f97bbd1aa94491fad900503278ce98c2488da72 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 14:52:24 -0400 Subject: [PATCH 03/13] Fix linter error --- source/client-side-encryption/tests/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index af42f3d683..cbd4543d0a 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3673,8 +3673,8 @@ Run an aggregate operation on `db.csfle` with the following pipeline: ] ``` -Expect an exception to be thrown with a message containing the substring `Cannot specify both encryptionInformation and -csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. +Expect an exception to be thrown with a message containing the substring +`Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1 From 4953b79d04043d4cee7d019a5fdc413df2550237 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Mon, 29 Sep 2025 15:02:41 -0400 Subject: [PATCH 04/13] DRIVERS-3294 Update server version requirements --- source/client-side-encryption/tests/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index cbd4543d0a..bbf309236c 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3652,7 +3652,7 @@ Expect one document to be returned matching: #### Case 8: `db.csfle` joins `db.qe` -Test requires server 8.1+ and mongocryptd/crypt_shared 8.1+. +Test requires server 8.2+ and mongocryptd/crypt_shared 8.2+. Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). From 2a0d2f220ba6db3fa24aedf5215f83768b665638 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 14:43:18 -0400 Subject: [PATCH 05/13] DRIVERS-3294 Relax version requirement --- source/client-side-encryption/tests/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index bbf309236c..e96dda41d2 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3652,7 +3652,7 @@ Expect one document to be returned matching: #### Case 8: `db.csfle` joins `db.qe` -Test requires server 8.2+ and mongocryptd/crypt_shared 8.2+. +Test requires server 8.1+ and mongocryptd/crypt_shared 8.1+. Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). @@ -3673,7 +3673,10 @@ Run an aggregate operation on `db.csfle` with the following pipeline: ] ``` -Expect an exception to be thrown with a message containing the substring +Expect an exception to be thrown with a message containing one of the following substrings depending on the mongocryptd/crypt_shared version: + +- Below version 8.2: `not supported`. +- Version 8.2 and above: `Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1 From cc0720f72cd08814ba2696e65afc3f3d088f8227 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 15:03:14 -0400 Subject: [PATCH 06/13] DRIVERS-3294 Add test case for QE joining non-CSFLE schema --- .../client-side-encryption.md | 2 +- .../etc/data/lookup/schema-non-csfle.json | 3 +++ source/client-side-encryption/tests/README.md | 27 +++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 source/client-side-encryption/etc/data/lookup/schema-non-csfle.json diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index 6f4dd81cfb..3bbf2dc3bc 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -2519,7 +2519,7 @@ explicit session parameter as described in the [Drivers Sessions Specification]( ## Changelog -- 2025-09-29: Update expected error substring in case 8 of `$lookup` prose test. +- 2025-09-30: Update `$lookup` prose test to reflect 8.2 changes. - 2025-08-06: Add `TextPreview` algorithm. diff --git a/source/client-side-encryption/etc/data/lookup/schema-non-csfle.json b/source/client-side-encryption/etc/data/lookup/schema-non-csfle.json new file mode 100644 index 0000000000..3edd12c8f4 --- /dev/null +++ b/source/client-side-encryption/etc/data/lookup/schema-non-csfle.json @@ -0,0 +1,3 @@ +{ + "bsonType": "object" +} diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index e96dda41d2..8aacc9dc64 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3457,6 +3457,7 @@ Use `encryptedClient` to drop and create the following collections: - `db.qe2` with options: `{ "encryptedFields": ""}`. - `db.no_schema` with no options. - `db.no_schema2` with no options. +- `db.non_csfle_schema` with options: `{ "validator": { "$jsonSchema": ""}}` Create an unencrypted MongoClient named `unencryptedClient`. @@ -3472,6 +3473,7 @@ Insert documents with `encryptedClient`: - Use `unencryptedClient` to retrieve it. Assert the `qe2` field is BSON binary. - `{"no_schema": "no_schema"}` into `db.no_schema` - `{"no_schema2": "no_schema2"}` into `db.no_schema2` +- `{"non_csfle_schema": "non_csfle_schema"}` into `db.non_csfle_schema` #### Case 1: `db.csfle` joins `db.no_schema` @@ -3704,6 +3706,31 @@ Run an aggregate operation on `db.csfle` with the following pipeline: Expect an exception to be thrown with a message containing the substring `Upgrade`. +#### Case 10: `db.qe` joins `db.non_csfle_schema` + +Test requires server 8.2+ and mongocryptd/crypt_shared 8.2+. + +Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from +impacting the test). + +Run an aggregate operation on `db.qe` with the following pipline: + +```json +[ + {"$match" : {"qe" : "qe"}}, + { + "$lookup" : { + "from" : "non_csfle_schema", + "as" : "matched", + "pipeline" : [ {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, {"$project" : {"_id" : 0}} ] + } + }, + {"$project" : {"_id" : 0}} +] +``` + +Expect one document to be returned matching: `{"qe" : "qe", "matched" : [ {"non_csfle_schema" : "non_csfle_schema"} ]}`. + ### 26. Custom AWS Credentials These tests require valid AWS credentials for the remote KMS provider via the secrets manager (FLE_AWS_KEY and From 201f2c2a6a34fd3838954799736eb6f4966dc452 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 15:07:39 -0400 Subject: [PATCH 07/13] DRIVERS-3294 Fix linter errors --- source/client-side-encryption/tests/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index 8aacc9dc64..d6d8e56a7a 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3675,11 +3675,12 @@ Run an aggregate operation on `db.csfle` with the following pipeline: ] ``` -Expect an exception to be thrown with a message containing one of the following substrings depending on the mongocryptd/crypt_shared version: +Expect an exception to be thrown with a message containing one of the following substrings depending on the +mongocryptd/crypt_shared version: - Below version 8.2: `not supported`. - Version 8.2 and above: -`Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. + `Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1 From 12a4a1cfc467425c8ca9d5483f7737847f6e82e7 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Tue, 30 Sep 2025 15:11:25 -0400 Subject: [PATCH 08/13] DRIVERS-3294 Fix typo --- source/client-side-encryption/tests/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index d6d8e56a7a..89baf6fe57 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3714,7 +3714,7 @@ Test requires server 8.2+ and mongocryptd/crypt_shared 8.2+. Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). -Run an aggregate operation on `db.qe` with the following pipline: +Run an aggregate operation on `db.qe` with the following pipeline: ```json [ From 42186f0bcb41c3b84027245f53132ffd72933537 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Wed, 1 Oct 2025 09:40:00 -0400 Subject: [PATCH 09/13] DRIVERS-3294 Specify safe content in lookup --- source/client-side-encryption/tests/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index 89baf6fe57..7d8e9766f4 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3723,10 +3723,10 @@ Run an aggregate operation on `db.qe` with the following pipeline: "$lookup" : { "from" : "non_csfle_schema", "as" : "matched", - "pipeline" : [ {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, {"$project" : {"_id" : 0}} ] + "pipeline" : [ {"$match" : {"non_csfle_schema" : "non_csfle_schema"}}, {"$project" : {"_id" : 0, "__safeContent__" : 0}} ] } }, - {"$project" : {"_id" : 0}} + {"$project" : {"_id" : 0, "__safeContent__" : 0}} ] ``` From fb505df46779baead2df2df3a6af85dd3be201c2 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Wed, 1 Oct 2025 16:57:13 -0400 Subject: [PATCH 10/13] DRIVERS-3294 Make suggested PR changes --- source/client-side-encryption/client-side-encryption.md | 2 +- source/client-side-encryption/tests/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index 3bbf2dc3bc..c99fcc0273 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -2519,7 +2519,7 @@ explicit session parameter as described in the [Drivers Sessions Specification]( ## Changelog -- 2025-09-30: Update `$lookup` prose test to reflect 8.2 changes. +- 2025-09-30: Update `$lookup` prose test to reflect changes in [MONGOCRYPT-793](https://jira.mongodb.org/browse/MONGOCRYPT-793). - 2025-08-06: Add `TextPreview` algorithm. diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index 7d8e9766f4..23f8ad6c76 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3654,7 +3654,7 @@ Expect one document to be returned matching: #### Case 8: `db.csfle` joins `db.qe` -Test requires server 8.1+ and mongocryptd/crypt_shared 8.1+. +Test requires server 8.1+, mongocryptd/crypt_shared 8.1+, and libmongocrypt 1.17.0+. Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). @@ -3709,7 +3709,7 @@ Expect an exception to be thrown with a message containing the substring `Upgrad #### Case 10: `db.qe` joins `db.non_csfle_schema` -Test requires server 8.2+ and mongocryptd/crypt_shared 8.2+. +Test requires server 8.2+, mongocryptd/crypt_shared 8.2+, and libmongocrypt 1.17.0+. Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). From ae5509484427fab5f6a4ef3ee68a10b55bde0f89 Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Wed, 1 Oct 2025 17:14:21 -0400 Subject: [PATCH 11/13] DRIVERS-3294 Fix linter errors --- source/client-side-encryption/client-side-encryption.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/client-side-encryption/client-side-encryption.md b/source/client-side-encryption/client-side-encryption.md index c99fcc0273..3aeeb709ee 100644 --- a/source/client-side-encryption/client-side-encryption.md +++ b/source/client-side-encryption/client-side-encryption.md @@ -2519,7 +2519,8 @@ explicit session parameter as described in the [Drivers Sessions Specification]( ## Changelog -- 2025-09-30: Update `$lookup` prose test to reflect changes in [MONGOCRYPT-793](https://jira.mongodb.org/browse/MONGOCRYPT-793). +- 2025-09-30: Update `$lookup` prose test to reflect changes in + [MONGOCRYPT-793](https://jira.mongodb.org/browse/MONGOCRYPT-793). - 2025-08-06: Add `TextPreview` algorithm. From 7888bf6dd1ba1ad9bb3b89f8259f7be5e7161d2f Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Thu, 2 Oct 2025 08:20:36 -0400 Subject: [PATCH 12/13] DRIVERS-3294 Change libmongocrypt version requirement --- source/client-side-encryption/tests/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index 23f8ad6c76..3ce82ed045 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3654,7 +3654,7 @@ Expect one document to be returned matching: #### Case 8: `db.csfle` joins `db.qe` -Test requires server 8.1+, mongocryptd/crypt_shared 8.1+, and libmongocrypt 1.17.0+. +Test requires server 8.1+ and mongocryptd/crypt_shared 8.1+ Recreate `encryptedClient` with the same `AutoEncryptionOpts` as the setup. (Recreating prevents schema caching from impacting the test). @@ -3676,10 +3676,10 @@ Run an aggregate operation on `db.csfle` with the following pipeline: ``` Expect an exception to be thrown with a message containing one of the following substrings depending on the -mongocryptd/crypt_shared version: +mongocryptd/crypt_shared and libmongocrypt versions: -- Below version 8.2: `not supported`. -- Version 8.2 and above: +- mongocryptd/crypt_shared <8.2 **or** libmongocrypt <1.17.0: `not supported`. +- mongocryptd/crypt_shared >=8.2 **and** libmongocrypt >=1.17.0: `Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1 From deb7e9a80a0c925376c133cf03c241cd64a04e6b Mon Sep 17 00:00:00 2001 From: Connor MacDonald Date: Thu, 2 Oct 2025 08:26:34 -0400 Subject: [PATCH 13/13] DRIVERS-3294 Fix linter errors --- source/client-side-encryption/tests/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/client-side-encryption/tests/README.md b/source/client-side-encryption/tests/README.md index 3ce82ed045..b10c66e810 100644 --- a/source/client-side-encryption/tests/README.md +++ b/source/client-side-encryption/tests/README.md @@ -3678,8 +3678,8 @@ Run an aggregate operation on `db.csfle` with the following pipeline: Expect an exception to be thrown with a message containing one of the following substrings depending on the mongocryptd/crypt_shared and libmongocrypt versions: -- mongocryptd/crypt_shared <8.2 **or** libmongocrypt <1.17.0: `not supported`. -- mongocryptd/crypt_shared >=8.2 **and** libmongocrypt >=1.17.0: +- mongocryptd/crypt_shared \<8.2 **or** libmongocrypt \<1.17.0: `not supported`. +- mongocryptd/crypt_shared 8.2+ **and** libmongocrypt 1.17.0+: `Cannot specify both encryptionInformation and csfleEncryptionSchemas unless csfleEncryptionSchemas only contains non-encryption JSON schema validators`. #### Case 9: test error with \<8.1