ci(NODE-6505): Setup CI

.github/workflows/encryption-tests.yml

@@ -0,0 +1,47 @@
+name: Encryption Tests 
+
+on:
+  push: 
+    branches: ['master']
+  pull_request:
+    branches: [ 'master' ]
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  run-tests:
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    name: Encryption tests
+    env:
+      FORCE_COLOR: true
+    steps:
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Setup node
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: latest
+      - name: Install Dependencies
+        run: npm install
+      - name: Install mongodb-client-encryption
+        run: npm install mongodb-client-encryption
+      - name: Set up cluster
+        id: setup-cluster
+        uses: mongodb-labs/drivers-evergreen-tools@master
+        with:
+          version: 8.0.0
+          topology: sharded_cluster 
+          auth: auth
+      - name: Run Tests
+        run: npm run test-encryption
+        env:
+          MONGOOSE_TEST_URI: ${{ steps.setup-cluster.outputs.cluster-uri }}
+          CRYPT_SHARED_LIB_PATH: ${{ steps.setup-cluster.outputs.crypt-shared-lib-path }}

.gitignore

@@ -67,3 +67,5 @@ examples/ecommerce-netlify-functions/.netlify/state.json
 
 notes.md
 list.out
+
+encrypted-cluster

CONTRIBUTING.md

@@ -46,6 +46,7 @@ If you have a question about Mongoose (not a bug report) please post it to eithe
   * execute `npm run test-tsd` to run the typescript tests
   * execute `npm run ts-benchmark` to run the typescript benchmark "performance test" for a single time.
   * execute `npm run ts-benchmark-watch` to run the typescript benchmark "performance test" while watching changes on types folder. Note: Make sure to commit all changes before executing this command.
+* in order to run tests that require an encrypted cluster locally, run `npm run test-encryption-local`. Alternatively, you can start an encrypted cluster using the `scripts/start-encrypted-cluster.sh` file.
 
 ## Documentation
 

package.json

@@ -104,6 +104,8 @@
     "test-deno": "deno run --allow-env --allow-read --allow-net --allow-run --allow-sys --allow-write ./test/deno.js",
     "test-rs": "START_REPLICA_SET=1 mocha --timeout 30000 --exit ./test/*.test.js",
     "test-tsd": "node ./test/types/check-types-filename && tsd",
+    "test-encryption": "mocha --exit ./test/encryption/*.test.js",
+    "test-encryption-local": "chmod +x scripts/run-encryption-tests-local.sh && scripts/run-encryption-tests-local.sh",
     "tdd": "mocha ./test/*.test.js --inspect --watch --recursive --watch-files ./**/*.{js,ts}",
     "test-coverage": "nyc --reporter=html --reporter=text npm test",
     "ts-benchmark": "cd ./benchmarks/typescript/simple && npm install && npm run benchmark | node ../../../scripts/tsc-diagnostics-check"

scripts/run-encryption-tests-local.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# sets up an encrypted mongodb cluster
+
+export CWD=$(pwd);
+
+if [ -d "encrypted-cluster" ]; then
+  cd encrypted-cluster
+else
+  source $CWD/scripts/start-encrypted-cluster.sh
+fi
+
+# IMPORTANT: extracts mongodb-uri, and starts the cluster of servers, store the uri for GitHub output
+
+read -r -d '' SOURCE_SCRIPT << EOM
+const fs = require('fs');
+const file = fs.readFileSync('mo-expansion.yml', { encoding: 'utf-8' })
+	.trim().split('\\n');
+const regex = /^(?<key>.*): "(?<value>.*)"$/;
+const variables = file.map(
+	(line) => regex.exec(line.trim()).groups
+).map(
+	({key, value}) => \`export \${key}='\${value}'\`
+).join('\n');
+
+process.stdout.write(variables);
+process.stdout.write('\n');
+EOM
+
+node --eval "$SOURCE_SCRIPT" | tee expansions.sh
+source expansions.sh
+
+export MONGOOSE_TEST_URI=$MONGODB_URI
+
+npm run test-encryption

scripts/start-encrypted-cluster.sh

@@ -0,0 +1,27 @@
+
+export CWD=$(pwd);
+mkdir encrypted-cluster
+cd encrypted-cluster
+
+if [ ! -d "drivers-evergreen-tools/" ]; then
+ git clone --depth=1 "https://github.com/mongodb-labs/drivers-evergreen-tools.git"
+fi
+
+export DRIVERS_TOOLS=$CWD/encrypted-cluster/drivers-evergreen-tools
+export MONGODB_VERSION=8.0
+export AUTH=true
+export MONGODB_BINARIES=$DRIVERS_TOOLS/mongodb/bin
+export NODE_DRIVER=~/dev/node-mongodb-native
+export MONGO_ORCHESTRATION_HOME=$DRIVERS_TOOLS/mo
+export PROJECT_ORCHESTRATION_HOME=$DRIVERS_TOOLS/.evergreen/orchestration
+export TOPOLOGY=sharded_cluster
+export SSL=nossl
+
+cd $DRIVERS_TOOLS
+rm -rf mongosh mongodb mo
+mkdir mo
+cd -
+
+rm expansions.sh 2> /dev/null
+
+bash $DRIVERS_TOOLS/.evergreen/run-orchestration.sh

test/encryption/encryption.test.js

@@ -0,0 +1,97 @@
+'use strict';
+
+const assert = require('assert');
+const mdb = require('mongodb');
+const isBsonType = require('../../lib/helpers/isBsonType');
+
+const LOCAL_KEY = Buffer.from('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk', 'base64');
+
+describe('environmental variables', () => {
+  it('MONGOOSE_TEST_URI is set', async function() {
+    const uri = process.env.MONGOOSE_TEST_URI;
+    assert.ok(uri);
+  });
+
+  it('CRYPT_SHARED_LIB_PATH is set', async function() {
+    const shared_library_path = process.env.CRYPT_SHARED_LIB_PATH;
+    assert.ok(shared_library_path);
+  });
+});
+
+describe('basic integration', () => {
+  let keyVaultClient;
+  let dataKey;
+  let encryptedClient;
+  let dummyClient;
+
+  beforeEach(async function() {
+    keyVaultClient = new mdb.MongoClient(process.env.MONGOOSE_TEST_URI);
+    await keyVaultClient.connect();
+    await keyVaultClient.db('keyvault').collection('datakeys');
+    const clientEncryption = new mdb.ClientEncryption(keyVaultClient, {
+      keyVaultNamespace: 'keyvault.datakeys',
+      kmsProviders: { local: { key: LOCAL_KEY } }
+    });
+    dataKey = await clientEncryption.createDataKey('local');
+
+    encryptedClient = new mdb.MongoClient(
+      process.env.MONGOOSE_TEST_URI,
+      {
+        autoEncryption: {
+          keyVaultNamespace: 'keyvault.datakeys',
+          kmsProviders: { local: { key: LOCAL_KEY } },
+          schemaMap: {
+            'db.coll': {
+              bsonType: 'object',
+              encryptMetadata: {
+                keyId: [dataKey]
+              },
+              properties: {
+                a: {
+                  encrypt: {
+                    bsonType: 'int',
+                    algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random',
+                    keyId: [dataKey]
+                  }
+                }
+              }
+            }
+          },
+          extraOptions: {
+            cryptdSharedLibRequired: true,
+            cryptSharedLibPath: process.env.CRYPT_SHARED_LIB_PATH
+          }
+        }
+      }
+    );
+
+    dummyClient = new mdb.MongoClient(process.env.MONGOOSE_TEST_URI);
+  });
+
+  afterEach(async function() {
+    await keyVaultClient.close();
+    await encryptedClient.close();
+    await dummyClient.close();
+  });
+
+  it('supports mongodb csfle auto-encryption integration', async() => {
+    await encryptedClient.connect();
+    await encryptedClient.db('db').collection('coll').insertOne({ a: 1 });
+
+    const { insertedId } = await encryptedClient.db('db').collection('coll').insertOne({ a: 1 });
+
+    // a dummyClient not configured with autoEncryption, returns a encrypted binary type, meaning that encryption succeeded
+    const encryptedResult = await dummyClient.db('db').collection('coll').findOne({ _id: insertedId });
+
+    assert.ok(encryptedResult);
+    assert.ok(encryptedResult.a);
+    assert.ok(isBsonType(encryptedResult.a, 'Binary'));
+    assert.ok(encryptedResult.a.sub_type === 6);
+
+    // when the encryptedClient runs a find, the original unencrypted value is returned
+    const unencryptedCursor = await encryptedClient.db('db').collection('coll').find();
+    const unencryptedResult = await unencryptedCursor.next();
+    assert.ok(unencryptedResult);
+    assert.ok(unencryptedResult.a === 1);
+  });
+});