update unified integration

qingyang-hu · qingyang-hu · commit a4788b59f59a · 2025-12-04T22:27:23.000-05:00
diff --git a/etc/install-libmongocrypt.sh b/etc/install-libmongocrypt.sh
@@ -3,7 +3,7 @@
 # This script installs libmongocrypt into an "install" directory.
 set -eux
 
-LIBMONGOCRYPT_TAG="1.12.0"
+LIBMONGOCRYPT_TAG="1.15.1"
 
 # Install libmongocrypt based on OS.
 if [ "Windows_NT" = "${OS:-}" ]; then
diff --git a/internal/integration/unified/client_entity.go b/internal/integration/unified/client_entity.go
@@ -7,6 +7,7 @@
 package unified
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"fmt"
@@ -41,11 +42,18 @@ var (
 		"createUser", "updateUser", "copydbgetnonce", "copydbsaslstart", "copydb",
 	}
 
-	awsAccessKeyID     = os.Getenv("FLE_AWS_KEY")
-	awsSecretAccessKey = os.Getenv("FLE_AWS_SECRET")
-	azureTenantID      = os.Getenv("FLE_AZURE_TENANTID")
-	azureClientID      = os.Getenv("FLE_AZURE_CLIENTID")
-	azureClientSecret  = os.Getenv("FLE_AZURE_CLIENTSECRET")
+	awsAccessKeyID         = os.Getenv("FLE_AWS_KEY")
+	awsSecretAccessKey     = os.Getenv("FLE_AWS_SECRET")
+	awsTempAccessKeyID     = os.Getenv("CSFLE_AWS_TEMP_ACCESS_KEY_ID")
+	awsTempSecretAccessKey = os.Getenv("CSFLE_AWS_TEMP_SECRET_ACCESS_KEY")
+	awsTempSessionToken    = os.Getenv("CSFLE_AWS_TEMP_SESSION_TOKEN")
+	azureTenantID          = os.Getenv("FLE_AZURE_TENANTID")
+	azureClientID          = os.Getenv("FLE_AZURE_CLIENTID")
+	azureClientSecret      = os.Getenv("FLE_AZURE_CLIENTSECRET")
+	gcpEmail               = os.Getenv("FLE_GCP_EMAIL")
+	gcpPrivateKey          = os.Getenv("FLE_GCP_PRIVATEKEY")
+
+	placeholderDoc = bsoncore.NewDocumentBuilder().AppendInt32("$$placeholder", 1).Build()
 )
 
 // clientEntity is a wrapper for a mongo.Client object that also holds additional information required during test
@@ -287,33 +295,112 @@ func createAutoEncryptionOptions(opts bson.Raw) (*options.AutoEncryptionOptions,
 			if err != nil {
 				return nil, err
 			}
+			retrieveProviderData := func(doc bson.Raw, key, defaultVal string) (any, error) {
+				e := doc.Lookup(key)
+				if e.IsZero() {
+					return nil, nil
+				}
+				switch e.Type {
+				case bson.TypeString:
+					return e.StringValue(), nil
+				case bson.TypeEmbeddedDocument:
+					if bytes.Equal(e.Document(), placeholderDoc) {
+						return defaultVal, nil
+					}
+				}
+				return nil, fmt.Errorf("unexpected %s in kms provider: %v", key, e)
+			}
 			for _, elem := range elems {
-				provider := elem.Key()
-				providerOpt := elem.Value()
-				switch provider {
+				provider := make(map[string]any)
+				providerT := elem.Key()
+				providerOpt := elem.Value().Document()
+				switch providerT {
 				case "aws":
-					providers["aws"] = map[string]any{
-						"accessKeyId":     awsAccessKeyID,
-						"secretAccessKey": awsSecretAccessKey,
+					accessKeyID := awsAccessKeyID
+					secretAccessKey := awsSecretAccessKey
+
+					// replace with temporary access, if sessionToken placeholder exists
+					v, err := retrieveProviderData(providerOpt, "sessionToken", "$$placeholder")
+					if err != nil {
+						return nil, err
+					}
+					if v == "$$placeholder" {
+						provider["sessionToken"] = awsTempSessionToken
+						accessKeyID = awsTempAccessKeyID
+						secretAccessKey = awsTempSecretAccessKey
+					} else if v != nil {
+						provider["sessionToken"] = v
+					}
+
+					for _, e := range []struct {
+						key        string
+						defaultVal string
+					}{
+						{"accessKeyId", accessKeyID},
+						{"secretAccessKey", secretAccessKey},
+					} {
+						v, err = retrieveProviderData(providerOpt, e.key, e.defaultVal)
+						if err != nil {
+							return nil, err
+						}
+						if v != nil {
+							provider[e.key] = v
+						}
 					}
 				case "azure":
-					providers["azure"] = map[string]any{
-						"tenantId":     azureTenantID,
-						"clientId":     azureClientID,
-						"clientSecret": azureClientSecret,
+					for _, e := range []struct {
+						key        string
+						defaultVal string
+					}{
+						{"tenantId", azureTenantID},
+						{"clientId", azureClientID},
+						{"clientSecret", azureClientSecret},
+					} {
+						v, err := retrieveProviderData(providerOpt, e.key, e.defaultVal)
+						if err != nil {
+							return nil, err
+						}
+						if v != nil {
+							provider[e.key] = v
+						}
 					}
-				case "local":
-					str := providerOpt.Document().Lookup("key").StringValue()
-					key, err := base64.StdEncoding.DecodeString(str)
+				case "gcp":
+					for _, e := range []struct {
+						key        string
+						defaultVal string
+					}{
+						{"email", gcpEmail},
+						{"privateKey", gcpPrivateKey},
+					} {
+						v, err := retrieveProviderData(providerOpt, e.key, e.defaultVal)
+						if err != nil {
+							return nil, err
+						}
+						if v != nil {
+							provider[e.key] = v
+						}
+					}
+				case "kmip":
+					v, err := retrieveProviderData(providerOpt, "endpoint", "localhost:5698")
 					if err != nil {
 						return nil, err
 					}
-					providers["local"] = map[string]any{
-						"key": key,
+					if v != nil {
+						provider["endpoint"] = v
 					}
+				case "local", "local:name2":
+					str := providerOpt.Lookup("key").StringValue()
+					key, err := base64.StdEncoding.DecodeString(str)
+					if err != nil {
+						return nil, err
+					}
+					provider["key"] = key
 				default:
 					return nil, fmt.Errorf("unrecognized KMS provider: %v", provider)
 				}
+				if len(provider) > 0 {
+					providers[providerT] = provider
+				}
 			}
 			aeo.SetKmsProviders(providers)
 		case "schemaMap":
@@ -328,6 +415,8 @@ func createAutoEncryptionOptions(opts bson.Raw) (*options.AutoEncryptionOptions,
 			aeo.SetKeyVaultNamespace(opt.StringValue())
 		case "bypassQueryAnalysis":
 			aeo.SetBypassQueryAnalysis(opt.Boolean())
+		case "bypassAutoEncryption":
+			aeo.SetBypassAutoEncryption(opt.Boolean())
 		default:
 			return nil, fmt.Errorf("unrecognized option: %v", name)
 		}
diff --git a/internal/integration/unified/collection_data.go b/internal/integration/unified/collection_data.go
@@ -27,9 +27,10 @@ type collectionData struct {
 }
 
 type createOptions struct {
-	Capped          *bool  `bson:"capped"`
-	SizeInBytes     *int64 `bson:"size"`
-	EncryptedFields any    `bson:"encryptedFields"`
+	Capped          *bool    `bson:"capped"`
+	SizeInBytes     *int64   `bson:"size"`
+	EncryptedFields any      `bson:"encryptedFields"`
+	Validator       bson.Raw `bson:"validator"`
 }
 
 // createCollection configures the collection represented by the receiver using the internal client. This function
@@ -53,6 +54,9 @@ func (c *collectionData) createCollection(ctx context.Context) error {
 		if c.Options.EncryptedFields != nil {
 			createOpts = createOpts.SetEncryptedFields(c.Options.EncryptedFields)
 		}
+		if c.Options.Validator != nil {
+			createOpts = createOpts.SetValidator(c.Options.Validator)
+		}
 
 		if err := db.CreateCollection(ctx, c.CollectionName, createOpts); err != nil {
 			return fmt.Errorf("error creating collection: %w", err)
diff --git a/internal/integration/unified/database_operation_execution.go b/internal/integration/unified/database_operation_execution.go
@@ -125,6 +125,8 @@ func executeCreateCollection(ctx context.Context, operation *operation) (*operat
 			cco.SetTimeSeriesOptions(tso)
 		case "clusteredIndex":
 			cco.SetClusteredIndex(val.Document())
+		case "validator":
+			cco.SetValidator(val.Document())
 		default:
 			return nil, fmt.Errorf("unrecognized createCollection option %q", key)
 		}

Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,8 @@ func executeCreateCollection(ctx context.Context, operation operation) (operat`
`125`	`125`	`cco.SetTimeSeriesOptions(tso)`
`126`	`126`	`case "clusteredIndex":`
`127`	`127`	`cco.SetClusteredIndex(val.Document())`
	`128`	`+ case "validator":`
	`129`	`+ cco.SetValidator(val.Document())`
`128`	`130`	`default:`
`129`	`131`	`return nil, fmt.Errorf("unrecognized createCollection option %q", key)`
`130`	`132`	`}`