Remove create_data_keys until use case manifests

In addition to removing the arg from the showencryptedfields
command, reduces complexity in schema editor with removal of the
`create_data_keys` boolean. Previous logic may have been flawed in
looking up existing keys.

Author: aclark4life

django_mongodb_backend/management/commands/showencryptedfieldsmap.py

@@ -22,27 +22,16 @@ def add_arguments(self, parser):
             help="""
             Specifies the database to use. Defaults to ``default``.""",
         )
-        parser.add_argument(
-            "--create-data-keys",
-            action="store_true",
-            help="""
-            If specified, this option will create and show new encryption
-            keys instead of showing existing keys from the configured key vault.
-            """,
-        )
 
     def handle(self, *args, **options):
         db = options["database"]
-        create_data_keys = options.get("create_data_keys", False)
         connection = connections[db]
         connection.ensure_connection()
         encrypted_fields_map = {}
         with connection.schema_editor() as editor:
             for app_config in apps.get_app_configs():
                 for model in router.get_migratable_models(app_config, db):
                     if model_has_encrypted_fields(model):
-                        fields = editor._get_encrypted_fields(
-                            model, create_data_keys=create_data_keys
-                        )
+                        fields = editor._get_encrypted_fields(model)
                         encrypted_fields_map[model._meta.db_table] = fields
         self.stdout.write(json_util.dumps(encrypted_fields_map, indent=2))

django_mongodb_backend/schema.py

@@ -475,7 +475,7 @@ def _create_collection(self, model):
             encrypted_fields_map = getattr(auto_encryption_opts, "_encrypted_fields_map", None)
 
             if not encrypted_fields_map:
-                encrypted_fields = self._get_encrypted_fields(model, create_data_keys=True)
+                encrypted_fields = self._get_encrypted_fields(model)
             else:
                 encrypted_fields = encrypted_fields_map.get(db_table)
 
@@ -488,9 +488,7 @@ def _create_collection(self, model):
             # Unencrypted path
             db.create_collection(db_table)
 
-    def _get_encrypted_fields(
-        self, model, create_data_keys=False, key_alt_name=None, path_prefix=None
-    ):
+    def _get_encrypted_fields(self, model, key_alt_name=None, path_prefix=None):
         """
         Recursively collect encryption schema data for only encrypted fields in a model.
         Returns None if no encrypted fields are found anywhere in the model hierarchy.
@@ -520,7 +518,6 @@ def _get_encrypted_fields(
             if isinstance(field, EmbeddedModelField) and not getattr(field, "encrypted", False):
                 embedded_result = self._get_encrypted_fields(
                     field.embedded_model,
-                    create_data_keys=create_data_keys,
                     key_alt_name=new_key_alt_name,
                     path_prefix=path,
                 )
@@ -530,15 +527,15 @@ def _get_encrypted_fields(
 
             if getattr(field, "encrypted", False):
                 bson_type = field.db_type(connection)
-                if create_data_keys:
+                data_key = key_vault_collection.find_one({"keyAltNames": new_key_alt_name})
+                if data_key:
+                    data_key = data_key["_id"]
+                else:
                     data_key = client_encryption.create_data_key(
                         kms_provider=kms_provider,
                         master_key=master_key,
                         key_alt_names=[new_key_alt_name],
                     )
-                else:
-                    key = key_vault_collection.find_one({"keyAltNames": new_key_alt_name})
-                    data_key = key["_id"]
                 field_dict = {
                     "bsonType": bson_type,
                     "path": path,

docs/howto/queryable-encryption.rst

@@ -211,24 +211,7 @@ run the following command::
 
 You can then use the output of the :djadmin:`showencryptedfieldsmap` command
 to set the ``encrypted_fields_map`` in
-:class:`pymongo.encryption_options.AutoEncryptionOpts` in your Django settings
-if you want to use a pre-defined encrypted fields map in the client instead of
-letting Django MongoDB Backend create them for you.
-
-.. try to explain the chicken/egg scenario here
-
-Of course, if you do this after Django MongoDB Backend has already created the
-collections, you will need to drop the collections first before using the
-pre-defined encrypted fields map.
-
-If you do not want to use the data keys created by Django MongoDB Backend (when
-``python manage.py migrate`` is run), you can generate new data keys with::
-
-    $ python manage.py showencryptedfieldsmap --database encrypted \
-        --create-data-keys
-
-In this scenario, Django MongoDB Backend will use the newly created data keys
-to create collections for models with encrypted fields.
+:class:`pymongo.encryption_options.AutoEncryptionOpts` in your Django settings.
 
 Here is an example of how to configure the
 ``encrypted_fields_map`` in your Django settings:

docs/ref/django-admin.rst

@@ -23,14 +23,8 @@ Available commands
 
     This command shows the mapping of encrypted fields to attributes including
     data type, data keys and query types. It can be used to set the
-    ``encrypted_fields_map`` in ``AutoEncryptionOpts``. Defaults to showing
-    existing keys from the configured key vault.
+    ``encrypted_fields_map`` in ``AutoEncryptionOpts``.
 
     .. django-admin-option:: --database DATABASE
 
         Specifies the database to use. Defaults to ``default``.
-
-    .. django-admin-option:: --create-data-keys
-
-        If specified, this option will create and show new encryption keys
-        instead of showing existing keys from the configured key vault.

tests/encryption_/test_management.py

@@ -109,20 +109,3 @@ def test_show_encrypted_fields_map(self):
             with self.subTest(model=model_key):
                 self.assertIn(model_key, command_output)
                 self._compare_output(expected, command_output[model_key])
-
-    def test_create_new_keys(self):
-        out = StringIO()
-        call_command(
-            "showencryptedfieldsmap",
-            "--database",
-            "encrypted",
-            "--create-data-keys",
-            verbosity=0,
-            stdout=out,
-        )
-        command_output = json_util.loads(out.getvalue())
-
-        for model_key, expected in self.expected_maps.items():
-            with self.subTest(model=model_key):
-                self.assertIn(model_key, command_output)
-                self._compare_output(expected, command_output[model_key])

tests/encryption_/test_schema.py

@@ -109,7 +109,7 @@ def test_get_encrypted_fields_all_models(self):
 
     def test_key_creation_and_lookup(self):
         """
-        Use _get_encrypted_fields(create_data_keys=True) to
+        Use _get_encrypted_fields to
         generate and store a data key in the vault, then
         query the vault with the keyAltName.
         """
@@ -124,9 +124,8 @@ def test_key_creation_and_lookup(self):
         test_key_alt_name = f"{model_class._meta.db_table}.value"
         vault_coll.delete_many({"keyAltNames": test_key_alt_name})
 
-        # Call _get_encrypted_fields with create_data_keys=True
         with connection.schema_editor() as editor:
-            encrypted_fields = editor._get_encrypted_fields(model_class, create_data_keys=True)
+            encrypted_fields = editor._get_encrypted_fields(model_class)
 
         # Validate schema contains a keyId for our field
         self.assertTrue(encrypted_fields["fields"])