MongoDB C++ Driver  mongocxx-3.10.2
mongocxx::v_noabi::options::auto_encryption Class Reference

Class representing options for automatic client-side encryption.

#include <auto_encryption.hpp>

Public Types

using ns_pair = std::pair< std::string, std::string >
 Sets the namespace to use to access the key vault collection, which contains all data keys used for encryption and decryption.

Public Member Functions

auto_encryption () noexcept
 Default constructs a new auto_encryption object.

auto_encryption & key_vault_client (mongocxx::v_noabi::client *client)
 When the key vault collection is on a separate MongoDB cluster, sets the optional client to use to route data key queries to that cluster.

const stdx::optional< mongocxx::v_noabi::client * > & key_vault_client () const
 Gets the key vault client.

auto_encryption & key_vault_pool (mongocxx::v_noabi::pool *pool)
 When the key vault collection is on a separate MongoDB cluster, sets the optional client pool to use to route data key queries to that cluster.

const stdx::optional< mongocxx::v_noabi::pool * > & key_vault_pool () const
 Gets the key vault pool.

const stdx::optional< ns_pair > & key_vault_namespace () const
 Gets the key vault namespace.

auto_encryption & kms_providers (bsoncxx::v_noabi::document::view_or_value kms_providers)
 Sets the KMS providers to use for client side encryption.

const stdx::optional< bsoncxx::v_noabi::document::view_or_value > & kms_providers () const
 Gets the KMS providers.

auto_encryption & tls_opts (bsoncxx::v_noabi::document::view_or_value tls_opts)
 Sets the TLS options to use for client side encryption with a given KMS provider.

const stdx::optional< bsoncxx::v_noabi::document::view_or_value > & tls_opts () const
 Gets the TLS options.

auto_encryption & schema_map (bsoncxx::v_noabi::document::view_or_value schema_map)
 Sets a local JSON schema.

const stdx::optional< bsoncxx::v_noabi::document::view_or_value > & schema_map () const
 Gets the schema map.

auto_encryption & encrypted_fields_map (bsoncxx::v_noabi::document::view_or_value encrypted_fields_map)
 Sets the local encrypted fields map.

const stdx::optional< bsoncxx::v_noabi::document::view_or_value > & encrypted_fields_map () const
 Gets the encrypted fields map.

auto_encryption & bypass_auto_encryption (bool should_bypass)
 Automatic encryption is disabled when the 'bypassAutoEncryption' option is true.

bool bypass_auto_encryption () const
 Gets a boolean specifying whether or not auto encryption is bypassed.

auto_encryption & bypass_query_analysis (bool should_bypass)
 Query analysis is disabled when the 'bypassQueryAnalysis' option is true.

bool bypass_query_analysis () const
 Gets a boolean specifying whether or not query analysis is bypassed.

auto_encryption & extra_options (bsoncxx::v_noabi::document::view_or_value extra)
 Set extra options related to the mongocryptd process.

const stdx::optional< bsoncxx::v_noabi::document::view_or_value > & extra_options () const
 Gets extra options related to the mongocryptd process.
 

Detailed Description

Class representing options for automatic client-side encryption.

Member Typedef Documentation

◆ ns_pair

using mongocxx::v_noabi::options::auto_encryption::ns_pair = std::pair<std::string, std::string>

Sets the namespace to use to access the key vault collection, which contains all data keys used for encryption and decryption.

This option must be set:

auto_encryption.key_vault_namespace({ "db", "coll" });

Parameters
ns: A std::pair of strings representing the db and collection to use to access the key vault.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

Member Function Documentation

◆ bypass_auto_encryption() [1/2]

bool mongocxx::v_noabi::options::auto_encryption::bypass_auto_encryption ( ) const

Gets a boolean specifying whether or not auto encryption is bypassed.

Returns
A boolean specifying whether auto encryption is bypassed.

◆ bypass_auto_encryption() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::bypass_auto_encryption ( bool  should_bypass)

Automatic encryption is disabled when the 'bypassAutoEncryption' option is true.

Default is 'false', so auto encryption is enabled.

Parameters
should_bypass: Whether or not to bypass automatic encryption.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ bypass_query_analysis() [1/2]

bool mongocxx::v_noabi::options::auto_encryption::bypass_query_analysis ( ) const

Gets a boolean specifying whether or not query analysis is bypassed.

Returns
A boolean specifying whether query analysis is bypassed.

◆ bypass_query_analysis() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::bypass_query_analysis ( bool  should_bypass)

Query analysis is disabled when the 'bypassQueryAnalysis' option is true.

Default is 'false' (i.e. query analysis is enabled).

Parameters
should_bypass: Whether or not to bypass query analysis.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ encrypted_fields_map() [1/2]

const stdx::optional<bsoncxx::v_noabi::document::view_or_value>& mongocxx::v_noabi::options::auto_encryption::encrypted_fields_map ( ) const

Gets the encrypted fields map.

Returns
An optional document containing the encrypted fields map.

◆ encrypted_fields_map() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::encrypted_fields_map ( bsoncxx::v_noabi::document::view_or_value  encrypted_fields_map)

Sets the local encrypted fields map.

Supplying an encryptedFieldsMap provides more security than relying on an encryptedFields obtained from the server. It protects against a malicious server advertising a false encryptedFields.

Parameters
encrypted_fields_map: The mapping of which fields to encrypt.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ extra_options() [1/2]

const stdx::optional<bsoncxx::v_noabi::document::view_or_value>& mongocxx::v_noabi::options::auto_encryption::extra_options ( ) const

Gets extra options related to the mongocryptd process.

Returns
An optional document containing the extra options.

◆ extra_options() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::extra_options ( bsoncxx::v_noabi::document::view_or_value  extra)

Set extra options related to the mongocryptd process.

This options document may include the following fields:

  • mongocryptdURI: string, defaults to "mongodb://localhost:27020".
  • mongocryptdBypassSpawn: bool, defaults to false.
  • mongocryptdSpawnPath: string, defaults to "" and spawns mongocryptd from the system path.
  • mongocryptdSpawnArgs: array[strings], options passed to mongocryptd when spawning. Defaults to ["--idleShutdownTimeoutSecs=60"].
  • cryptSharedLibPath - Set a filepath string referring to a crypt_shared library file. Unset by default. If not set (the default), libmongocrypt will attempt to load crypt_shared using the host system’s default dynamic-library-search system.

    If set, the given path should identify the crypt_shared dynamic library file itself, not the directory that contains it.

    If the given path is a relative path and the first path component is $ORIGIN, the $ORIGIN component will be replaced with the absolute path to the directory containing the libmongocrypt library in use by the application.

    Note: No other RPATH/RUNPATH-style substitutions are available. If the given path is a relative path, the path will be resolved relative to the working directory of the operating system process.

    If this option is set and libmongocrypt fails to load crypt_shared from the given filepath, libmongocrypt will fail to initialize and will not attempt to search for crypt_shared in any other locations.

  • cryptSharedLibRequired - If set to true, and libmongocrypt fails to load a crypt_shared library, initialization of auto-encryption will fail immediately and will not attempt to spawn mongocryptd.

    If set to false (the default), cryptSharedLibPath is not set, and libmongocrypt fails to load crypt_shared, then libmongocrypt will proceed without crypt_shared and fall back to using mongocryptd.

Parameters
extra: The extra options to set.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/
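
The cryptSharedLibPath rules listed under extra_options() can be checked before a configuration is deployed. The following is an added example, not code from mongocxx or libmongocrypt: it models the three documented path cases (absolute, $ORIGIN-relative, working-directory-relative) with the C++17 standard library only. The names resolve_crypt_shared_path and acceptable_for_deployment, the policy they apply, and the sample paths are assumptions made for illustration.

```cpp
// Added example: a model of the cryptSharedLibPath rules, not libmongocrypt code.
#include <filesystem>
#include <iostream>
#include <system_error>

namespace fs = std::filesystem;

enum class PathKind { Absolute, OriginRelative, CwdRelative };

struct Resolved {
    PathKind kind;
    fs::path path;  // location the documented rules point at
};

// lib_dir: directory containing the libmongocrypt library in use (assumed known).
// cwd: working directory of the process.
Resolved resolve_crypt_shared_path(const fs::path& configured,
                                   const fs::path& lib_dir,
                                   const fs::path& cwd) {
    if (configured.is_absolute())
        return {PathKind::Absolute, configured.lexically_normal()};
    auto it = configured.begin();
    if (it != configured.end() && it->string() == "$ORIGIN") {
        fs::path rest;
        for (++it; it != configured.end(); ++it) rest /= *it;
        return {PathKind::OriginRelative, (lib_dir / rest).lexically_normal()};
    }
    // Any other relative path depends on where the process was started.
    return {PathKind::CwdRelative, (cwd / configured).lexically_normal()};
}

// Hypothetical deployment policy: refuse working-directory-relative paths and
// anything that is not the library file itself (for example a directory).
bool acceptable_for_deployment(const Resolved& r) {
    if (r.kind == PathKind::CwdRelative) return false;
    std::error_code ec;
    return fs::is_regular_file(r.path, ec);
}

int main() {
    // Constructed sample paths.
    Resolved r = resolve_crypt_shared_path("$ORIGIN/../crypt/mongo_crypt_v1.so",
                                           "/opt/app/lib", fs::current_path());
    std::cout << r.path << " acceptable=" << acceptable_for_deployment(r) << "\n";
}
```

Pairing an absolute or $ORIGIN-relative cryptSharedLibPath with cryptSharedLibRequired set to true makes a failed load stop initialization instead of falling back to mongocryptd.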

◆ key_vault_client() [1/2]

const stdx::optional<mongocxx::v_noabi::client*>& mongocxx::v_noabi::options::auto_encryption::key_vault_client ( ) const

Gets the key vault client.

Returns
An optional pointer to the key vault client.

◆ key_vault_client() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::key_vault_client ( mongocxx::v_noabi::client *  client)

When the key vault collection is on a separate MongoDB cluster, sets the optional client to use to route data key queries to that cluster.

The given key vault client MUST outlive any client that has been enabled to use it through these options.

Parameters
client: A client to use for routing queries to the key vault collection.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ key_vault_namespace()

const stdx::optional<ns_pair>& mongocxx::v_noabi::options::auto_encryption::key_vault_namespace ( ) const

Gets the key vault namespace.

Returns
An optional pair of strings representing the namespace of the key vault collection.

◆ key_vault_pool() [1/2]

const stdx::optional<mongocxx::v_noabi::pool*>& mongocxx::v_noabi::options::auto_encryption::key_vault_pool ( ) const

Gets the key vault pool.

Returns
An optional pointer to the key vault pool.

◆ key_vault_pool() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::key_vault_pool ( mongocxx::v_noabi::pool *  pool)

When the key vault collection is on a separate MongoDB cluster, sets the optional client pool to use to route data key queries to that cluster.

This option may not be used if a key_vault_client is set.

The given key vault pool MUST outlive any pool that has been enabled to use it through these options.

May only be set when enabling automatic encryption on a pool.

Parameters
pool: A pool to use for routing queries to the key vault collection.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ kms_providers() [1/2]

const stdx::optional<bsoncxx::v_noabi::document::view_or_value>& mongocxx::v_noabi::options::auto_encryption::kms_providers ( ) const

Gets the KMS providers.

Returns
An optional document containing the KMS providers.

◆ kms_providers() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::kms_providers ( bsoncxx::v_noabi::document::view_or_value  kms_providers)

Sets the KMS providers to use for client side encryption.

Multiple KMS providers may be specified. The following KMS providers are supported: "aws", "azure", "gcp", "kmip", and "local". The kmsProviders map values differ by provider:

aws: {
   accessKeyId: String,
   secretAccessKey: String
}
azure: {
   tenantId: String,
   clientId: String,
   clientSecret: String,
   identityPlatformEndpoint: Optional<String> // Defaults to login.microsoftonline.com
}
gcp: {
   email: String,
   privateKey: byte[] or String, // May be passed as a base64 encoded string.
   endpoint: Optional<String> // Defaults to oauth2.googleapis.com
}
kmip: {
   endpoint: String
}
local: {
   key: byte[96] // The master key used to encrypt/decrypt data keys.
}

Parameters
kms_providers: A document containing the KMS providers.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ schema_map() [1/2]

const stdx::optional<bsoncxx::v_noabi::document::view_or_value>& mongocxx::v_noabi::options::auto_encryption::schema_map ( ) const

Gets the schema map.

Returns
An optional document containing the schema map.

◆ schema_map() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::schema_map ( bsoncxx::v_noabi::document::view_or_value  schema_map)

Sets a local JSON schema.

Supplying a schemaMap provides more security than relying on JSON schemas obtained from the server. It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted.

Schemas supplied in the schemaMap only apply to configuring automatic encryption for client side encryption. Other validation rules in the JSON schema will not be enforced by the driver and will result in an error.

Parameters
schema_map: The JSON schema to use.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

◆ tls_opts() [1/2]

const stdx::optional<bsoncxx::v_noabi::document::view_or_value>& mongocxx::v_noabi::options::auto_encryption::tls_opts ( ) const

Gets the TLS options.

Returns
An optional document containing the TLS options.

◆ tls_opts() [2/2]

auto_encryption& mongocxx::v_noabi::options::auto_encryption::tls_opts ( bsoncxx::v_noabi::document::view_or_value  tls_opts)

Sets the TLS options to use for client side encryption with a given KMS provider.

Multiple KMS providers may be specified. Supported KMS providers are "aws", "azure", "gcp", and "kmip". The map value has the same form for all supported providers:

<KMS provider name>: {
   tlsCaFile: Optional<String>
   tlsCertificateKeyFile: Optional<String>
   tlsCertificateKeyFilePassword: Optional<String>
}

Parameters
tls_opts: A document containing the TLS options.
Returns
A reference to this object to facilitate method chaining.
See also
https://www.mongodb.com/docs/manual/core/security-client-side-encryption/

The documentation for this class was generated from the following file: