Class: Mongo::Crypt::ExplicitEncrypter Private
Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain: self, Forwardable
Inherits: Object
Defined in: lib/mongo/crypt/explicit_encrypter.rb
Overview
An ExplicitEncrypter is an object that performs explicit encryption operations and handles all associated options and instance variables.
Class Method Summary
- .new(key_vault_client, key_vault_namespace, kms_providers, kms_tls_options) ⇒ ExplicitEncrypter (constructor, internal use only)
  Create a new ExplicitEncrypter object.
Instance Method Summary
- #add_key_alt_name(id, key_alt_name) ⇒ BSON::Document | nil (internal use only)
  Adds a key_alt_name for the key in the key vault collection with the given id.
- #create_and_insert_data_key(master_key_document, key_alt_names, key_material = nil) ⇒ BSON::Binary (internal use only)
  Generates a data key used for encryption/decryption and stores that key in the KMS collection.
- #decrypt(value) ⇒ Object (internal use only)
  Decrypts a value that has already been encrypted.
- #encrypt(value, options) ⇒ BSON::Binary (internal use only)
  Encrypts a value using the specified encryption key and algorithm.
- #encrypt_expression(expression, options) ⇒ BSON::Binary (internal use only)
  Encrypts a Match Expression or Aggregate Expression to query a range index.
- #rewrap_many_data_key(filter, opts = {}) ⇒ Crypt::RewrapManyDataKeyResult (internal use only)
  Decrypts multiple data keys and (re-)encrypts them with a new master_key, or with their current master_key if a new one is not given.
- #master_key_for_provider(opts) ⇒ KMS::MasterKeyDocument | nil (private, internal use only)
  If a :provider is given, construct a new master key document with that provider.
- #updates_from_data_key_documents(documents) ⇒ Array<Hash> (private, internal use only)
  Returns the corresponding update document for each of the given data key documents.
- #validate_rewrap_options!(opts) (private, internal use only)
  Ensures the consistency of the options passed to #rewrap_many_data_key.
Instance Method Details
#add_key_alt_name(id, key_alt_name) ⇒ BSON::Document | nil
Adds a key_alt_name for the key in the key vault collection with the given id.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 197
def add_key_alt_name(id, key_alt_name)
  @encryption_io.add_key_alt_name(id, key_alt_name)
end
#create_and_insert_data_key(master_key_document, key_alt_names, key_material = nil) ⇒ BSON::Binary
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 67
def create_and_insert_data_key(master_key_document, key_alt_names, key_material = nil)
  # Run the libmongocrypt state machine to produce the data key document.
  data_key_document = Crypt::DataKeyContext.new(
    @crypt_handle,
    @encryption_io,
    master_key_document,
    key_alt_names,
    key_material
  ).run_state_machine

  # Store the key in the key vault collection and return its id.
  @encryption_io.insert_data_key(data_key_document).inserted_id
end
#decrypt(value) ⇒ Object
Decrypts a value that has already been encrypted.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 182
def decrypt(value)
  Crypt::ExplicitDecryptionContext.new(
    @crypt_handle,
    @encryption_io,
    { v: value }
  ).run_state_machine['v']
end
#encrypt(value, options) ⇒ BSON::Binary
The :key_id and :key_alt_name options are mutually exclusive. Only one is required to perform explicit encryption.
Encrypts a value using the specified encryption key and algorithm.
if encryption algorithm is set to “Indexed”. Query type should be set
only if encryption algorithm is set to "Indexed". The only allowed
value is "equality".
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 108
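def encrypt(value, options)
  # The value is wrapped in a { v: ... } document for the state machine
  # and unwrapped from the result.
  Crypt::ExplicitEncryptionContext.new(
    @crypt_handle,
    @encryption_io,
    { v: value },
    options
  ).run_state_machine['v']
end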
#encrypt_expression(expression, options) ⇒ BSON::Binary
The RangePreview algorithm is experimental only. It is not intended for public use.
The :key_id and :key_alt_name options are mutually exclusive. Only one is required to perform explicit encryption.
Encrypts a Match Expression or Aggregate Expression to query a range index.
Only supported when queryType is "rangePreview" and algorithm is "RangePreview".
Note: The Range algorithm is experimental only. It is not intended for public use. It is subject to breaking changes.
Parameters: options (Hash)
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 167
def encrypt_expression(expression, options)
  Crypt::ExplicitEncryptionExpressionContext.new(
    @crypt_handle,
    @encryption_io,
    { v: expression },
    options
  ).run_state_machine['v']
end
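The option constraints stated above for #encrypt and #encrypt_expression can be checked on the caller's side before any value reaches the encrypter. The following is an added example, not code from the driver: `explicit_encryption_option_errors` is a hypothetical helper, the `:algorithm` and `:query_type` option keys are assumed, and the sample option sets are constructed.

```ruby
# Added example: caller-side pre-flight check of explicit encryption options.
# explicit_encryption_option_errors is a hypothetical helper, not a driver API.
# Returns an array of violations; an empty array means the documented
# constraints for #encrypt / #encrypt_expression are satisfied.
def explicit_encryption_option_errors(options, expression: false)
  errors = []
  has_id  = !options[:key_id].nil?
  has_alt = !options[:key_alt_name].nil?

  # Exactly one key selector must be present.
  if has_id && has_alt
    errors << ':key_id and :key_alt_name are mutually exclusive'
  elsif !has_id && !has_alt
    errors << 'one of :key_id or :key_alt_name is required'
  end

  algorithm  = options[:algorithm]   # assumed option key
  query_type = options[:query_type]  # assumed option key

  if expression
    # encrypt_expression is documented for one combination only.
    unless algorithm == 'RangePreview' && query_type == 'rangePreview'
      errors << 'encrypt_expression requires algorithm "RangePreview" and query_type "rangePreview"'
    end
  elsif !query_type.nil?
    if algorithm != 'Indexed'
      errors << ':query_type may be set only when algorithm is "Indexed"'
    elsif query_type != 'equality'
      errors << 'the only allowed :query_type is "equality"'
    end
  end

  errors
end

# Constructed sample option sets (key ids and names are placeholders).
SAMPLE_OPTIONS = {
  ok_indexed: { key_alt_name: 'example-key', algorithm: 'Indexed', query_type: 'equality' },
  both_keys: { key_id: 'placeholder-id', key_alt_name: 'example-key', algorithm: 'Indexed' },
  stray_query_type: { key_id: 'placeholder-id', algorithm: 'SomeOtherAlgorithm', query_type: 'equality' }
}.freeze

SAMPLE_OPTIONS.each do |name, opts|
  puts "#{name}: #{explicit_encryption_option_errors(opts).inspect}"
end
```

Rejecting a bad option set before calling the encrypter keeps a misconfigured call from silently selecting the wrong key or algorithm path.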
#master_key_for_provider(opts) ⇒ KMS::MasterKeyDocument | nil (private)
If a :provider is given, construct a new master key document with that provider.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 291
def master_key_for_provider(opts)
  return nil unless opts[:provider]

  # Work on a copy so the caller's hash is not mutated.
  options = opts.dup
  provider = options.delete(:provider)
  KMS::MasterKeyDocument.new(provider, options)
end
#rewrap_many_data_key(filter, opts = {}) ⇒ Crypt::RewrapManyDataKeyResult
Decrypts multiple data keys and (re-)encrypts them with a new master_key,
or with their current master_key if a new one is not given.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 250
def rewrap_many_data_key(filter, opts = {})
  validate_rewrap_options!(opts)

  # nil when no :provider is given; keys are then rewrapped with their
  # current master key.
  master_key_document = master_key_for_provider(opts)

  rewrap_result = Crypt::RewrapManyDataKeyContext.new(
    @crypt_handle,
    @encryption_io,
    filter,
    master_key_document
  ).run_state_machine

  return RewrapManyDataKeyResult.new(nil) if rewrap_result.nil?

  updates = updates_from_data_key_documents(rewrap_result.fetch('v'))
  RewrapManyDataKeyResult.new(@encryption_io.update_data_keys(updates))
end
#updates_from_data_key_documents(documents) ⇒ Array<Hash> (private)
Returns the corresponding update document for each of the given data key documents.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 305
def updates_from_data_key_documents(documents)
  documents.map do |doc|
    {
      update_one: {
        filter: { _id: doc[:_id] },
        update: {
          '$set' => {
            masterKey: doc[:masterKey],
            keyMaterial: doc[:keyMaterial]
          },
          '$currentDate' => { updateDate: true },
        },
      }
    }
  end
end
#validate_rewrap_options!(opts) (private)
Ensures the consistency of the options passed to #rewrap_many_data_key.
# File 'lib/mongo/crypt/explicit_encrypter.rb', line 276
def validate_rewrap_options!(opts)
  return unless opts.key?(:master_key) && !opts.key?(:provider)

  raise ArgumentError, 'If :master_key is specified, :provider must also be given'
end