[Encryption] Fix XML configuration (#910)

* Add keyVaultClient to XML configuration

* Require 1 kms provider in the XML config

* Remove tls attributes from kms-provider node

* Add cryptSharedLibRequired to XSD and test

* Clean tlsOptions and wrap into an array with the kms provider name as key

* Add comment for duplicate options

Author: GromNaN

config/schema/mongodb-1.0.xsd

@@ -125,8 +125,9 @@
 
   <xsd:complexType name="auto-encryption">
     <xsd:sequence>
-      <xsd:element name="kmsProvider" type="kms-provider" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="kmsProvider" type="kms-provider" minOccurs="1" maxOccurs="1" />
       <xsd:element name="masterKey" type="master-key" minOccurs="0" maxOccurs="1" />
+      <xsd:element name="keyVaultClient" type="xsd:string" minOccurs="0" maxOccurs="1" />
       <xsd:element name="keyVaultNamespace" type="xsd:string" minOccurs="0" maxOccurs="1" />
       <xsd:element name="tlsOptions" type="tls-options" minOccurs="0" maxOccurs="1" />
       <xsd:element name="encryptedFieldsMap" type="encrypted-fields-map" minOccurs="0" maxOccurs="1" />
@@ -157,13 +158,11 @@
     <xsd:attribute name="projectId" type="xsd:string" use="optional" />
     <xsd:attribute name="location" type="xsd:string" use="optional" />
     <xsd:attribute name="keyRing" type="xsd:string" use="optional" />
+    <!-- Attribute already present for another KMS type -->
     <!-- <xsd:attribute name="keyName" type="xsd:string" use="optional" /> -->
     <!-- <xsd:attribute name="keyVersion" type="xsd:string" use="optional" /> -->
     <!-- KMIP -->
     <!-- <xsd:attribute name="endpoint" type="xsd:string" use="optional" /> -->
-    <xsd:attribute name="tlsCAFile" type="xsd:string" use="optional" />
-    <xsd:attribute name="tlsClientCertificateKeyFile" type="xsd:string" use="optional" />
-    <xsd:attribute name="tlsClientCertificateKeyFilePassword" type="xsd:string" use="optional" />
     <!-- Local -->
     <xsd:attribute name="key" type="xsd:string" use="optional" />
   </xsd:complexType>
@@ -197,6 +196,7 @@
     <xsd:attribute name="mongocryptdSpawnPath" type="xsd:string" use="optional" />
     <xsd:attribute name="mongocryptdSpawnArgs" type="xsd:string" use="optional" />
     <xsd:attribute name="cryptSharedLibPath" type="xsd:string" use="optional" />
+    <xsd:attribute name="cryptSharedLibRequired" type="xsd:boolean" use="optional" />
   </xsd:complexType>
 
   <xsd:complexType name="document-manager">

src/DependencyInjection/Configuration.php

@@ -384,13 +384,11 @@ private function addConnectionsSection(ArrayNodeDefinition $rootNode): void
                                             ->scalarNode('projectId')->end()
                                             ->scalarNode('location')->end()
                                             ->scalarNode('keyRing')->end()
+                                            // Attribute already present for another KMS type
                                             //->scalarNode('keyName')->end()
                                             //->scalarNode('keyVersion')->end()
                                             // KMIP
                                             //->scalarNode('endpoint')->end()
-                                            ->scalarNode('tlsCAFile')->end()
-                                            ->scalarNode('tlsClientCertificateKeyFile')->end()
-                                            ->scalarNode('tlsClientCertificateKeyFilePassword')->end()
                                             // Local
                                             ->scalarNode('key')->end()
                                         ->end()
@@ -438,11 +436,7 @@ private function addConnectionsSection(ArrayNodeDefinition $rootNode): void
                                             ->scalarNode('tlsCAFile')->end()
                                             ->scalarNode('tlsCertificateKeyFile')->end()
                                             ->scalarNode('tlsCertificateKeyFilePassword')->end()
-                                            ->booleanNode('tlsAllowInvalidCertificates')->end()
-                                            ->booleanNode('tlsAllowInvalidHostnames')->end()
-                                            ->booleanNode('tlsDisableCertificateRevocationCheck')->end()
                                             ->booleanNode('tlsDisableOCSPEndpointCheck')->end()
-                                            ->booleanNode('tlsInsecure')->end()
                                         ->end()
                                     ->end()
                                 ->end()

src/DependencyInjection/DoctrineMongoDBExtension.php

@@ -528,9 +528,14 @@ private function normalizeAutoEncryption(array $autoEncryption, string $defaultD
             throw new InvalidArgumentException('The "kmsProvider" option must contain a "type" key.');
         }
 
+        $provider                       = $autoEncryption['kmsProvider']['type'];
         $autoEncryption['kmsProviders'] = [
-            $autoEncryption['kmsProvider']['type'] => array_diff_key($autoEncryption['kmsProvider'], ['type' => true]),
+            $provider => array_diff_key($autoEncryption['kmsProvider'], ['type' => true]),
         ];
+        if (isset($autoEncryption['tlsOptions'])) {
+            $autoEncryption['tlsOptions'] = [$provider => $autoEncryption['tlsOptions']];
+        }
+
         unset($autoEncryption['kmsProvider']);
         unset($autoEncryption['masterKey']);
 

tests/DependencyInjection/ConfigurationTest.php

@@ -137,6 +137,7 @@ public function testFullConfiguration(array $config): void
                             'sessionToken' => 'MONGODB_AWS_SESSION_TOKEN',
                         ],
                         'masterKey' => ['key' => 'MONGODB_AWS_MASTER_KEY'],
+                        'keyVaultClient' => 'my_key_vault_client_service',
                         'keyVaultNamespace' => 'encryption.__keyVault',
                         'tlsOptions' => [
                             'tlsCAFile' => '%kernel.project_dir%/config/certificates/mongodb-ca.pem',
@@ -258,6 +259,7 @@ public function testFullConfiguration(array $config): void
                             'mongocryptdSpawnPath' => '%kernel.project_dir%/bin/mongocryptd',
                             'mongocryptdSpawnArgs' => '--pidfilepath=%kernel.project_dir%/var/mongocryptd.pid --idleShutdownTimeoutSecs=60',
                             'cryptSharedLibPath' => '%kernel.project_dir%/bin/mongo_crypt_v1.dylib',
+                            'cryptSharedLibRequired' => true,
                         ],
                     ],
                 ],

tests/DependencyInjection/Fixtures/config/xml/full.xml

@@ -78,6 +78,7 @@
                     sessionToken="MONGODB_AWS_SESSION_TOKEN"
                 />
                 <doctrine:masterKey key="MONGODB_AWS_MASTER_KEY" />
+                <doctrine:keyVaultClient>my_key_vault_client_service</doctrine:keyVaultClient>
                 <doctrine:keyVaultNamespace>encryption.__keyVault</doctrine:keyVaultNamespace>
                 <doctrine:tlsOptions
                     tlsCAFile="%kernel.project_dir%/config/certificates/mongodb-ca.pem"
@@ -183,6 +184,7 @@
                     mongocryptdSpawnPath="%kernel.project_dir%/bin/mongocryptd"
                     mongocryptdSpawnArgs="--pidfilepath=%kernel.project_dir%/var/mongocryptd.pid --idleShutdownTimeoutSecs=60"
                     cryptSharedLibPath="%kernel.project_dir%/bin/mongo_crypt_v1.dylib"
+                    cryptSharedLibRequired="true"
                 />
             </doctrine:autoEncryption>
         </doctrine:connection>

tests/DependencyInjection/Fixtures/config/yml/full.yml

@@ -64,6 +64,7 @@ doctrine_mongodb:
                 masterKey:
                     key: 'MONGODB_AWS_MASTER_KEY'
                 keyVaultNamespace: 'encryption.__keyVault'
+                keyVaultClient: 'my_key_vault_client_service'
                 tlsOptions:
                     tlsCAFile: '%kernel.project_dir%/config/certificates/mongodb-ca.pem'
                     tlsCertificateKeyFile: '%kernel.project_dir%/config/certificates/mongodb-client.pem'
@@ -131,6 +132,7 @@ doctrine_mongodb:
                     mongocryptdSpawnPath: '%kernel.project_dir%/bin/mongocryptd'
                     mongocryptdSpawnArgs: '--pidfilepath=%kernel.project_dir%/var/mongocryptd.pid --idleShutdownTimeoutSecs=60'
                     cryptSharedLibPath: '%kernel.project_dir%/bin/mongo_crypt_v1.dylib'
+                    cryptSharedLibRequired: true
 
         conn2:
             server: mongodb://otherhost