Skip to content

DRIVERS-2924 test accessToken form of KMS providers#1914

Open
kevinAlbs wants to merge 10 commits intomongodb:masterfrom
kevinAlbs:D2924
Open

DRIVERS-2924 test accessToken form of KMS providers#1914
kevinAlbs wants to merge 10 commits intomongodb:masterfrom
kevinAlbs:D2924

Conversation

@kevinAlbs
Copy link
Copy Markdown
Contributor

@kevinAlbs kevinAlbs commented Mar 19, 2026
edited
Loading

Summary

Test accessToken form of KMS providers

Background & Motivation

See DRIVERS-2924. The Azure and GCP KMS providers support specifying an accessToken within libmongocrypt. Though the accessToken form is specified, there were no specification tests prior to this PR.

Schema 1.28 is a copy of 1.27 with the accessToken form of KMS providers added. The copy and addition are on separate commits to ease review. Caveat: schema 1.28 is only added to support accessToken. I briefly considered prose tests, but I expect that is more manual changes for driver teams. Updating the unified test runner to support the accessToken field was a small effort in the C driver.

DOCSP-58569 was filed to document the accessToken form of KMS providers in the mongodb.com docs.

Running tests

The new spec tests include KMS provider configuration using the $$placeholder value:

azure: { accessToken: { $$placeholder: 1 } }
gcp: { accessToken: { $$placeholder: 1 } }

mongodb-labs/drivers-evergreen-tools#751 generates access tokens to test. Spec tests were tested in the C driver: mongodb/mongo-c-driver#2253

Please complete the following before merging:

@kevinAlbs kevinAlbs requested a review from eramongodb March 19, 2026 18:10
@kevinAlbs kevinAlbs marked this pull request as ready for review March 19, 2026 18:11
@kevinAlbs kevinAlbs requested review from a team as code owners March 19, 2026 18:11
@kevinAlbs kevinAlbs requested review from alcaeus, katcharov and rozza and removed request for a team and katcharov March 19, 2026 18:11
eramongodb
eramongodb requested changes Mar 19, 2026
View reviewed changes
@kevinAlbs
use oneOf and required
9cd1818 
`oneOf` better fits the intent. `oneOf` means "exactly" one. Use `required` to prevent an empty document from matching both choices.
@kevinAlbs
clarify changelog entry
1975796
@kevinAlbs kevinAlbs requested a review from eramongodb March 19, 2026 19:44
eramongodb
eramongodb approved these changes Mar 19, 2026
View reviewed changes
alcaeus
alcaeus reviewed Mar 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@alcaeus alcaeus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes themselves LGTM. You should add schema tests (see the tests/valid and tests/invalid directories) to ensure correct behaviour of anyOf and allOf.

@kevinAlbs
Copy link
Copy Markdown
Contributor Author

kevinAlbs commented Mar 23, 2026

add schema tests (see the tests/valid and tests/invalid directories) to ensure correct behaviour of anyOf and allOf.

AFAICT I cannot specifically test the change of anyOf to oneOf in this case. I.e. anyOf[A,B] where A and B are mutually exclusive, would match the same as oneOf[A,B]. The use of oneOf is intended to better convey the intent (matches exactly one condition).

However, I added invalid tests to add negative-test coverage over the new accessToken form.

@kevinAlbs kevinAlbs requested a review from alcaeus March 23, 2026 16:29
rozza
rozza approved these changes Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@rozza rozza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rozza rozza rozza approved these changes

@alcaeus alcaeus alcaeus approved these changes

@eramongodb eramongodb eramongodb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kevinAlbs @rozza @alcaeus @eramongodb