Code review fixes (2/2)

Author: aclark4life

.evergreen/config.yml

@@ -90,28 +90,6 @@ buildvariants:
     tasks:
       - name: run-tests
 
-  - name: tests-7-noauth-nossl
-    display_name: Run Tests 7.0 NoAuth NoSSL
-    run_on: rhel87-small
-    expansions:
-      MONGODB_VERSION: "7.0"
-      TOPOLOGY: server
-      AUTH: "noauth"
-      SSL: "nossl"
-    tasks:
-      - name: run-tests
-
-  - name: tests-7-auth-ssl
-    display_name: Run Tests 7.0 Auth SSL
-    run_on: rhel87-small
-    expansions:
-      MONGODB_VERSION: "7.0"
-      TOPOLOGY: server
-      AUTH: "auth"
-      SSL: "ssl"
-    tasks:
-      - name: run-tests
-
   - name: tests-8-noauth-nossl
     display_name: Run Tests 8.0 NoAuth NoSSL
     run_on: rhel87-small

django_mongodb_backend/routers.py

@@ -2,8 +2,6 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.db.utils import ConnectionRouter
 
-from .model_utils import model_has_encrypted_fields
-
 
 class MongoRouter:
     def allow_migrate(self, db, app_label, model_name=None, **hints):
@@ -19,7 +17,6 @@ def allow_migrate(self, db, app_label, model_name=None, **hints):
             model = apps.get_model(app_label, model_name)
         except LookupError:
             return None
-
         return False if issubclass(model, EmbeddedModel) else None
 
 
@@ -30,9 +27,7 @@ def kms_provider(self, model, *args, **kwargs):
             result = func(model, *args, **kwargs)
             if result is not None:
                 return result
-    if model_has_encrypted_fields(model):
-        raise ImproperlyConfigured("No kms_provider found in database router.")
-    return None
+    raise ImproperlyConfigured("No kms_provider found in database router.")
 
 
 def register_routers():

django_mongodb_backend/schema.py

@@ -439,8 +439,7 @@ def _create_collection(self, model):
                 raise ImproperlyConfigured(
                     "Encrypted fields found but "
                     f"DATABASES[{self.connection.alias}]['OPTIONS'] is missing "
-                    "auto_encryption_opts. Please set `auto_encryption_opts` "
-                    "in the connection settings."
+                    "auto_encryption_opts."
                 )
             encrypted_fields_map = getattr(auto_encryption_opts, "_encrypted_fields_map", None)
             if not encrypted_fields_map:
@@ -475,17 +474,17 @@ def _get_encrypted_fields_map(self, model, client, create_new_keys=False):
         for field in fields:
             if getattr(field, "encrypted", False):
                 key_alt_name = f"{db_table}_{field.column}"
-                if not create_new_keys:
-                    key_doc = key_vault_collection.find_one({"keyAltNames": key_alt_name})
-                    if not key_doc:
-                        raise ValueError(f"No key found in keyvault for keyAltName={key_alt_name}")
-                    data_key = key_doc["_id"]
-                else:
+                if create_new_keys:
                     data_key = client_encryption.create_data_key(
                         kms_provider=kms_provider,
                         master_key=master_key,
                         key_alt_names=[key_alt_name],
                     )
+                else:
+                    key_doc = key_vault_collection.find_one({"keyAltNames": key_alt_name})
+                    if not key_doc:
+                        raise ValueError(f"No key found in keyvault for keyAltName={key_alt_name}")
+                    data_key = key_doc["_id"]
                 field_dict = {
                     "bsonType": field.db_type(connection),
                     "path": field.column,

docs/source/howto/queryable-encryption.rst

@@ -35,24 +35,22 @@ Encryption in Django, as well as a KMS provider and credentials.
 
 Here's how to set it up in your Django settings::
 
+    import os
+
     from django_mongodb_backend import parse_uri
     from pymongo.encryption_options import AutoEncryptionOpts
 
     DATABASES = {
-        "default": parse_uri(
-            DATABASE_URL,
-            db_name="my_database",
-        ),
+        …
         "encrypted": parse_uri(
             DATABASE_URL,
-            options: {
+            options={
                 "auto_encryption_opts": AutoEncryptionOpts(
                     key_vault_namespace="my_encrypted_database.keyvault",
                     kms_providers={"local": {"key": os.urandom(96)}},
-                ),
+                )
             },
-            db_name="my_encrypted_database",
-            "KMS_CREDENTIALS": {},
+            db_name="encrypted",
         ),
     }
 
@@ -123,6 +121,9 @@ Settings
 Now include the crypt shared library path and generated schema map in your
 Django settings::
 
+    from bson.binary import Binary
+    from pymongo.encryption_options import AutoEncryptionOpts
+
     …
     DATABASES["encrypted"] = {
         …

docs/source/ref/queryable-encryption.rst

@@ -33,6 +33,8 @@ before storing it in the database.
 +----------------------------------------+------------------------------------------------------+
 | ``EncryptedDecimalField``              | :class:`~django.db.models.DecimalField`              |
 +----------------------------------------+------------------------------------------------------+
+| ``EncryptedDurationField``             | :class:`~django.db.models.DurationField`             |
++----------------------------------------+------------------------------------------------------+
 | ``EncryptedFloatField``                | :class:`~django.db.models.FloatField`                |
 +----------------------------------------+------------------------------------------------------+
 | ``EncryptedGenericIPAddressField``     | :class:`~django.db.models.GenericIPAddressField`     |

docs/source/ref/settings.rst

@@ -7,19 +7,37 @@ Settings
 Queryable Encryption
 ====================
 
-The following :setting:`django:DATABASES` inner options have been added to
-support KMS configuration for Queryable Encryption.
-
-.. setting:: DATABASE-KMS-PROVIDERS
-
-``KMS_PROVIDERS``
------------------
-
-Default: ``{}``
+The following :setting:`django:DATABASES` inner options support KMS
+configuration for Queryable Encryption.
 
 .. setting:: DATABASE-KMS-CREDENTIALS
 
 ``KMS_CREDENTIALS``
 -------------------
 
 Default: ``{}``
+
+Queryable Encryption requires a KMS provider to encrypt and decrypt data. Django
+MongoDB Backend supports configuring KMS credentials and providers for Queryable
+Encryption via the ``KMS_CREDENTIALS`` setting in the ``DATABASES``
+configuration and the ``kms_provider`` method on the ``DatabaseRouter``.
+
+E.g. to configure AWS KMS credentials:
+
+.. code-block:: python
+
+    KMS_CREDENTIALS = {
+        "aws": {
+            "key": os.getenv("AWS_KEY_ARN", ""),
+            "region": os.getenv("AWS_KEY_REGION", ""),
+        },
+    }
+    DATABASES = {
+        # …
+    }
+    DATABASES["encrypted"]["KMS_CREDENTIALS"] = KMS_CREDENTIALS
+
+Please refer to :ref:`manual:qe-fundamentals-kms-providers` for more information
+on configuring KMS providers and credentials as well as
+:doc:`manual:core/queryable-encryption/fundamentals/keys-key-vaults` for
+information on creating and managing data encryption keys.

tests/encryption_/models.py

@@ -52,9 +52,7 @@ class PatientRecord(models.Model):
     ssn = EncryptedCharField(max_length=11, queries=EQUALITY_QUERY)
     birth_date = EncryptedDateField(queries=RANGE_QUERY)
     profile_picture = EncryptedBinaryField(queries=EQUALITY_QUERY)
-    patient_age = EncryptedSmallIntegerField(
-        "patient_age", queries={**RANGE_QUERY, "min": 0, "max": 100}
-    )
+    patient_age = EncryptedSmallIntegerField(queries={**RANGE_QUERY, "min": 0, "max": 100})
     weight = EncryptedFloatField(queries=RANGE_QUERY)
 
     # TODO: Embed Billing model
@@ -65,7 +63,7 @@ class Meta:
 
 
 class Patient(models.Model):
-    patient_id = EncryptedIntegerField("patient_id", queries=EQUALITY_QUERY)
+    patient_id = EncryptedIntegerField(queries=EQUALITY_QUERY)
     patient_name = EncryptedCharField(max_length=100)
     patient_notes = EncryptedTextField(queries=EQUALITY_QUERY)
     registration_date = EncryptedDateTimeField(queries=EQUALITY_QUERY)

tests/encryption_/test_base.py

@@ -19,6 +19,9 @@ class QueryableEncryptionTestCase(TransactionTestCase):
     available_apps = ["encryption_"]
 
     def setUp(self):
+        """
+        Used in schema and field tests.
+        """
         self.appointment = Appointment.objects.create(time="8:00")
         self.billing = Billing.objects.create(
             cc_type="Visa", cc_number=1234567890123456, account_balance=100.50
@@ -42,6 +45,3 @@ def setUp(self):
             is_active=True,
             email="john.doe@example.com",
         )
-
-        # TODO: Embed billing and patient_record models in patient model
-        # then add tests

tests/encryption_/test_fields.py

@@ -4,7 +4,7 @@
 from bson.binary import Binary
 from django.conf import settings
 from django.db import connections
-from django.test import override_settings, skipUnlessDBFeature
+from django.test import override_settings
 
 from .models import (
     Appointment,
@@ -18,40 +18,8 @@
 from .test_base import QueryableEncryptionTestCase
 
 
-@skipUnlessDBFeature("supports_queryable_encryption")
 @override_settings(DATABASE_ROUTERS=[TestEncryptedRouter()])
 class QueryableEncryptionFieldTests(QueryableEncryptionTestCase):
-    databases = {"default", "encrypted"}
-    available_apps = ["encryption_"]
-
-    def setUp(self):
-        self.appointment = Appointment.objects.create(time="8:00")
-        self.billing = Billing.objects.create(
-            cc_type="Visa", cc_number=1234567890123456, account_balance=100.50
-        )
-        self.portal_user = PatientPortalUser.objects.create(
-            ip_address="127.0.0.1",
-            url="https://example.com",
-        )
-        self.patientrecord = PatientRecord.objects.create(
-            ssn="123-45-6789",
-            birth_date="1970-01-01",
-            profile_picture=b"image data",
-            weight=175.5,
-            patient_age=47,
-        )
-        self.patient = Patient.objects.create(
-            patient_id=1,
-            patient_name="John Doe",
-            patient_notes="patient notes " * 25,
-            registration_date=datetime(2023, 10, 1, 12, 0, 0),
-            is_active=True,
-            email="john.doe@example.com",
-        )
-
-        # TODO: Embed billing and patient_record models in patient model
-        # then add tests
-
     def test_appointment(self):
         self.assertEqual(Appointment.objects.get(time="8:00").time, time(8, 0))
 

tests/encryption_/test_management.py

@@ -5,20 +5,18 @@
 from bson import json_util
 from django.core.management import call_command
 from django.db import connections
-from django.test import modify_settings, override_settings, skipUnlessDBFeature
+from django.test import modify_settings, override_settings
 from pymongo.encryption import AutoEncryptionOpts
 
 from .routers import TestEncryptedRouter
 from .test_base import QueryableEncryptionTestCase
 
 
-@skipUnlessDBFeature("supports_queryable_encryption")
 @modify_settings(
     INSTALLED_APPS={"prepend": "django_mongodb_backend"},
 )
 @override_settings(DATABASE_ROUTERS=[TestEncryptedRouter()])
 class QueryableEncryptionCommandTests(QueryableEncryptionTestCase):
-    databases = {"default", "encrypted"}
     available_apps = ["django_mongodb_backend", "encryption_"]
     maxDiff = None
     expected_patient_record = {