doctrine
diff --git a/‎docs/encryption.rst
Lines changed: 39 additions & 23 deletions b/‎docs/encryption.rst
Lines changed: 39 additions & 23 deletions
diff --git a/‎src/Command/DumpEncryptedFieldsMapCommand.php
Lines changed: 3 additions & 4 deletions b/‎src/Command/DumpEncryptedFieldsMapCommand.php
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/DependencyInjection/Configuration.php
Lines changed: 17 additions & 13 deletions b/‎src/DependencyInjection/Configuration.php
Lines changed: 17 additions & 13 deletions
diff --git a/‎src/DependencyInjection/DoctrineMongoDBExtension.php
Lines changed: 1 addition & 1 deletion b/‎src/DependencyInjection/DoctrineMongoDBExtension.php
Lines changed: 1 addition & 1 deletion
@@ -79,26 +79,37 @@ Example of configuration for AWS
 Encrypted Fields Map
 --------------------
 
-You can configure which fields are encrypted in each collection by specifying the
+The encrypted fields are set to the collection when you create it, and the MongoDB
+client will query the server for the collection schema before performing any
+operations. For additional security, you can also specify the encrypted fields
+in the connection configuration, which allows the client to use local rules
+instead of downloading the remote schema from the server, that could potentially
+be tampered with if an attacker compromises the server.
+
+The Encrypted Fields Maps is a list of all encrypted fields associated with all
+the collection namespaces that has encryption enabled. To configure it, you
+can run a command that extract the encrypted fields from the server and generate
+the ``encryptedFieldsMap`` configuration.
+
+.. code-block:: console
+
+    php bin/console doctrine:mongodb:dump-encrypted-fields-map --format yaml
+
+The output of the command will be a YAML configuration for the
 ``autoEncryption.encryptedFieldsMap`` option in the connection configuration.
-This setting is **recommended** for improved security and performance.
 
 - If the connection ``encryptedFieldsMap`` object contains a key for the specified
-  collection, the client uses that object to perform automatic Queryable Encryption,
-  rather than using the remote schema. At minimum, the local rules must encrypt
-  all fields that the remote schema does.
+  collection namespace, the client uses that object to perform automatic
+  Queryable Encryption, rather than using the remote schema. At minimum, the
+  local rules must encrypt all fields that the remote schema does.
 
 - If the connection ``encryptedFieldsMap`` object doesn't contain a key for the
-  specified collection, the client downloads the server-side remote schema for
-  the collection and uses it instead.
+  specified collection namespace, the client downloads the server-side remote
+  schema for the collection and uses it instead.
 
 For more details, see the official MongoDB documentation:
 `Encrypted Fields and Enabled Queries <https://www.mongodb.com/docs/manual/core/queryable-encryption/fundamentals/encrypt-and-query/>`_.
 
-Note that there is no ``fields`` key in the configuration of each collection
-for the bundle configuration. Instead, you directly specify the list of
-encrypted fields as an array under the collection namespace.
-
 .. tabs::
 
     .. group-tab:: YAML
@@ -111,9 +122,10 @@ encrypted fields as an array under the collection namespace.
                         autoEncryption:
                             encryptedFieldsMap:
                                 "mydatabase.mycollection":
-                                    - keyId: { $binary: { base64: 2CSosXLSTEKaYphcSnUuCw==, subType: '04' } }
-                                      path: "sensitive_field"
-                                      bsonType: "string"
+                                    fields:
+                                        - keyId: { $binary: { base64: 2CSosXLSTEKaYphcSnUuCw==, subType: '04' } }
+                                          path: "sensitive_field"
+                                          bsonType: "string"
 
     .. group-tab:: XML
 
@@ -124,11 +136,13 @@ encrypted fields as an array under the collection namespace.
                     <doctrine:encryptedFieldsMap>
                         <![CDATA[
                             {
-                                "mydatabase.mycollection": [
-                                    "keyId": { "$binary": { "base64": "2CSosXLSTEKaYphcSnUuCw==", "subType": "04" } },
-                                    "path": "sensitive_field",
-                                    "bsonType": "string"
-                                ]
+                                "mydatabase.mycollection": {
+                                    fields: [
+                                        "keyId": { "$binary": { "base64": "2CSosXLSTEKaYphcSnUuCw==", "subType": "04" } },
+                                        "path": "sensitive_field",
+                                        "bsonType": "string"
+                                    ]
+                                }
                             }
                         ]]>
                     </doctrine:encryptedFieldsMap>
@@ -146,10 +160,12 @@ encrypted fields as an array under the collection namespace.
                     ->autoEncryption([
                         'encryptedFieldsMap' => [
                             'mydatabase.mycollection' => [
-                                [
-                                    'path' => 'sensitive_field',
-                                    'keyId' => ['$binary' => ['base64' => '2CSosXLSTEKaYphcSnUuCw==', 'subType' => '04' ] ],
-                                    'bsonType' => 'string',
+                                'fields' => [
+                                    [
+                                        'path' => 'sensitive_field',
+                                        'keyId' => ['$binary' => ['base64' => '2CSosXLSTEKaYphcSnUuCw==', 'subType' => '04' ] ],
+                                        'bsonType' => 'string',
+                                    ],
                                 ],
                             ],
                         ],
 
@@ -77,7 +77,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             }
 
             foreach ($encryptedFieldsMap as $ns => $encryptedFields) {
-                $encryptedFieldsMap[$ns] = json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toRelaxedExtendedJSON(), true);
+                // Keep only the "fields" key and ignore "escCollection" and "ecocCollection"
+                $encryptedFieldsMap[$ns] = ['fields' => json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toRelaxedExtendedJSON(), true)];
             }
 
             $io->section(sprintf('Dumping encrypted fields map for document manager "%s"', $name));
@@ -105,9 +106,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 
     private function getDocumentNamespace(ClassMetadata $metadata, string $defaultDb): string
     {
-        $db = $metadata->getDatabase();
-        $db = $db ?: $defaultDb;
-        $db = $db ?: 'doctrine';
+        $db = $metadata->getDatabase() ?: $defaultDb ?: 'doctrine';
 
         return $db . '.' . $metadata->getCollection();
     }
 
@@ -407,20 +407,24 @@ private function addConnectionsSection(ArrayNodeDefinition $rootNode): void
                                                 return $v;
                                             })->end()
                                         ->prototype('array')
-                                            ->prototype('array')
-                                                ->children()
-                                                    ->scalarNode('path')->isRequired()->cannotBeEmpty()->end()
-                                                    ->scalarNode('bsonType')->isRequired()->cannotBeEmpty()->end()
-                                                    ->variableNode('keyId')->isRequired()->cannotBeEmpty()->end()
-                                                    ->arrayNode('queries')
+                                            ->children()
+                                                ->arrayNode('fields')
+                                                    ->prototype('array')
                                                         ->children()
-                                                            ->scalarNode('queryType')->isRequired()->cannotBeEmpty()->end()
-                                                            ->variableNode('min')->end()
-                                                            ->variableNode('max')->end()
-                                                            ->integerNode('sparsity')->end()
-                                                            ->integerNode('precision')->end()
-                                                            ->integerNode('trimFactor')->end()
-                                                            ->integerNode('contention')->end()
+                                                            ->scalarNode('path')->isRequired()->cannotBeEmpty()->end()
+                                                            ->scalarNode('bsonType')->isRequired()->cannotBeEmpty()->end()
+                                                            ->variableNode('keyId')->isRequired()->cannotBeEmpty()->end()
+                                                            ->arrayNode('queries')
+                                                                ->children()
+                                                                    ->scalarNode('queryType')->isRequired()->cannotBeEmpty()->end()
+                                                                    ->variableNode('min')->end()
+                                                                    ->variableNode('max')->end()
+                                                                    ->integerNode('sparsity')->end()
+                                                                    ->integerNode('precision')->end()
+                                                                    ->integerNode('trimFactor')->end()
+                                                                    ->integerNode('contention')->end()
+                                                                ->end()
+                                                            ->end()
                                                         ->end()
                                                     ->end()
                                                 ->end()
 
@@ -549,7 +549,7 @@ private function normalizeAutoEncryption(array $autoEncryption, string $defaultD
             foreach ($autoEncryption['encryptedFieldsMap'] as &$value) {
                 // Wrap the encrypted fields in a 'fields' key as required the encryptedFieldsMap structure.
                 // Some values can be BSON binary, date or numbers, the extended JSON format is used to convert them BSON document.
-                $value = (new Definition(BsonDocument::class))->setFactory([BsonDocument::class, 'fromJSON'])->setArguments([json_encode(['fields' => $value])]);
+                $value = (new Definition(BsonDocument::class))->setFactory([BsonDocument::class, 'fromJSON'])->setArguments([json_encode($value)]);
             }
         }
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`foreach ($encryptedFieldsMap as $ns => $encryptedFields) {`
`80`		`- $encryptedFieldsMap[$ns] = json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toRelaxedExtendedJSON(), true);`
	`80`	`+ // Keep only the "fields" key and ignore "escCollection" and "ecocCollection"`
	`81`	`+ $encryptedFieldsMap[$ns] = ['fields' => json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toRelaxedExtendedJSON(), true)];`
`81`	`82`	`}`
`82`	`83`
`83`	`84`	`$io->section(sprintf('Dumping encrypted fields map for document manager "%s"', $name));`
`@@ -105,9 +106,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int`
`105`	`106`
`106`	`107`	`private function getDocumentNamespace(ClassMetadata $metadata, string $defaultDb): string`
`107`	`108`	`{`
`108`		`- $db = $metadata->getDatabase();`
`109`		`- $db = $db ?: $defaultDb;`
`110`		`- $db = $db ?: 'doctrine';`
	`109`	`+ $db = $metadata->getDatabase() ?: $defaultDb ?: 'doctrine';`
`111`	`110`
`112`	`111`	`return $db . '.' . $metadata->getCollection();`
`113`	`112`	`}`
Original file line number	Diff line number	Diff line change
`@@ -549,7 +549,7 @@ private function normalizeAutoEncryption(array $autoEncryption, string $defaultD`
`549`	`549`	`foreach ($autoEncryption['encryptedFieldsMap'] as &$value) {`
`550`	`550`	`// Wrap the encrypted fields in a 'fields' key as required the encryptedFieldsMap structure.`
`551`	`551`	`// Some values can be BSON binary, date or numbers, the extended JSON format is used to convert them BSON document.`
`552`		`- $value = (new Definition(BsonDocument::class))->setFactory([BsonDocument::class, 'fromJSON'])->setArguments([json_encode(['fields' => $value])]);`
	`552`	`+ $value = (new Definition(BsonDocument::class))->setFactory([BsonDocument::class, 'fromJSON'])->setArguments([json_encode($value)]);`
`553`	`553`	`}`
`554`	`554`	`}`
`555`	`555`