-
Type: Bug
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: 1.3.1
-
Component/s: Field Level Encryption
-
None
-
2
-
Not Needed
-
Iteration Zanzibar
https://www.mongodb.com/docs/v5.0/reference/method/getKeyVault/#mongodb-method-getKeyVault says:
The getKeyVault() method automatically creates a unique index on the keyAltNames field with a partial index filter for only documents where keyAltNames exists. getKeyVault() creates this index in the key vault collection. This prevents any two data encryption keys in the same key vault from having the same key alternative name and therefore avoids ambiguity around which data encryption key is appropriate for encryption/decryption.
and the legacy shell KeyVault constructor contains:
this.keyColl.createIndex( {keyAltNames: 1}, {unique: true, partialFilterExpression: {keyAltNames: {$exists: true}}});
We should also add this. We may want to wrap the createIndex call in a try/catch and print a warning using printWarning() if it fails, in case the user lacks privileges.
As a drive-by fix, it would make sense to also remove our usage of keyVaultNamespace.split('.') to get the namespace and instead properly handle collections with a . in them (e.g. https://github.com/mongodb/libmongocrypt/blob/8dbf45e96cb147f3d50d66f0d96bf1003e6b6d8d/bindings/node/lib/common.js#L15-L32). Additionally, we could use this as an opportunity to ensure that KeyVault is only instantiated once per Mongo object.