PYTHON-3589 createEncryptedCollection should not accept keyAltNames (#1147)

This commit is contained in:
Julius Park 2023-02-03 21:10:30 -08:00 committed by GitHub
parent 540562a606
commit 79ccf4e287
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 15 deletions


@ -562,12 +562,13 @@ class ClientEncryption(Generic[_DocumentType]):
encrypted_fields: Mapping[str, Any],
kms_provider: Optional[str] = None,
master_key: Optional[Mapping[str, Any]] = None,
key_alt_names: Optional[Sequence[str]] = None,
key_material: Optional[bytes] = None,
**kwargs: Any,
) -> Tuple[Collection[_DocumentType], Mapping[str, Any]]:
"""Create a collection with encryptedFields.
.. note:: Support for Queryable Encryption is in beta.
Backwards-breaking changes may be made before the final release.
.. warning::
This function does not update the encryptedFieldsMap in the client's
AutoEncryptionOpts, thus the user must create a new client after calling this function with
@ -607,12 +608,6 @@ class ClientEncryption(Generic[_DocumentType]):
- `master_key` (optional): Identifies a KMS-specific key used to encrypt the
new data key. If the kmsProvider is "local" the `master_key` is
not applicable and may be omitted.
- `key_alt_names` (optional): An optional list of string alternate
names used to reference a key. If a key is created with alternate
names, then encryption may refer to the key by the unique alternate
name instead of by ``key_id``.
- `key_material` (optional): Sets the custom key material to be used
by the data key for encryption and decryption.
- `**kwargs` (optional): additional keyword arguments are the same as "create_collection".
All optional `create collection command`_ parameters should be passed
@ -632,8 +627,6 @@ class ClientEncryption(Generic[_DocumentType]):
encrypted_fields["fields"][i]["keyId"] = self.create_data_key(
kms_provider=kms_provider, # type:ignore[arg-type]
master_key=master_key,
key_alt_names=key_alt_names,
key_material=key_material,
)
except EncryptionError as exc:
raise EncryptionError(
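Review bot: A caller still passing `key_alt_names=` on the old signature now has the argument absorbed by `**kwargs` and forwarded to `create_collection` (the docstring in the 607 hunk says additional keyword arguments go there), so the removal is silent rather than a clear error; if the parameter has indeed been dropped from the signature, a guard before the loop in the 632 hunk, `if "key_alt_names" in kwargs: raise TypeError("create_encrypted_collection does not accept key_alt_names")`, would surface the change to existing callers. The docstring should also state why alternate names are not accepted: the loop creates one data key per field, and a key alternate name must be unique to a single key (the removed test comment in the second file records that a second field reusing altName "1" fails), so one list cannot apply to every field. The same reasoning applies to `key_material` if it was removed as well; the rendered page does not make each line's side certain. `create_encrypted_collection` begins before the first hunk and continues past the last.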


@ -2826,7 +2826,7 @@ class TestAutomaticDecryptionKeys(EncryptionIntegrationTest):
# Make sure the error message includes the previous keys in the error message even when generating keys fails.
with self.assertRaisesRegex(
EncryptionError,
f"data key for field ssn with encryptedFields=.*{re.escape(repr(key))}.*keyId.*Binary.*keyId.*None",
f"data key for field dob with encryptedFields=.*{re.escape(repr(key))}.*keyId.*None",
):
self.client_encryption.create_encrypted_collection(
database=self.db,
@ -2835,12 +2835,9 @@ class TestAutomaticDecryptionKeys(EncryptionIntegrationTest):
"fields": [
{"path": "address", "bsonType": "string", "keyId": key},
{"path": "dob", "bsonType": "string", "keyId": None},
# Because this is the second one to use the altName "1", it will fail when creating the data_key.
{"path": "ssn", "bsonType": "string", "keyId": None},
]
},
kms_provider="local",
key_alt_names=["1"],
kms_provider="does not exist",
)
def test_create_failure(self):
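Review bot: No test asserts that `key_alt_names` is now rejected; the 2835 hunk only rewrites the existing failure case to use `kms_provider="does not exist"`, so a regression that re-adds the parameter or silently forwards it through `**kwargs` would go unnoticed. A short case that calls `create_encrypted_collection` with `key_alt_names=["1"]` and asserts the exception the new signature raises (presumably `TypeError`, inferred since the signature change is not fully visible here) would pin the new contract. The removed comment about the duplicate altName `"1"` was the only explanation of why key creation failed; the new failure mode deserves a one-line comment on the `kms_provider="does not exist"` line, e.g. `# An unknown KMS provider makes the first create_data_key call (field dob) fail.` The test method containing this call begins before the 2826 hunk.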