require 'spec_helper'

describe 'Client-Side Encryption' do
  describe 'Prose tests: External Key Vault Test' do
    require_libmongocrypt
    require_enterprise
    min_server_fcv '4.2'

    include_context 'define shared FLE helpers'

    let(:client) do
      new_local_client(
        SpecConfig.instance.addresses,
        SpecConfig.instance.test_options
      )
    end

    let(:test_schema_map) do
      {
        'db.coll' => BSON::ExtJSON.parse(File.read('spec/support/crypt/external/external-schema.json'))
      }
    end

    let(:external_key_vault_client) do
      new_local_client(
        SpecConfig.instance.addresses,
        SpecConfig.instance.test_options.merge(
          user: 'fake-user',
          password: 'fake-pwd'
        )
      )
    end

    let(:data_key_id) do
      BSON::Binary.new(Base64.decode64('LOCALAAAAAAAAAAAAAAAAA=='), :uuid)
    end

    before do
      client.use(:admin)[:datakeys].drop
      client.use(:db)[:coll].drop

      data_key = BSON::ExtJSON.parse(File.read('spec/support/crypt/external/external-key.json'))
      client.use(:admin)[:datakeys].insert_one(data_key)
    end

    context 'with default key vault client' do
      let(:client_encrypted) do
        new_local_client(
          SpecConfig.instance.addresses,
          SpecConfig.instance.test_options.merge(
            auto_encryption_options: {
              kms_providers: local_kms_providers,
              key_vault_namespace: 'admin.datakeys',
              schema_map: test_schema_map,
            },
            database: :db,
          )
        )
      end

      let(:client_encryption) do
        Mongo::ClientEncryption.new(
          client,
          {
            kms_providers: local_kms_providers,
            key_vault_namespace: 'admin.datakeys',
          }
        )
      end

      it 'inserts an encrypted document with client' do
        result = client_encrypted[:coll].insert_one(encrypted: 'test')
        expect(result).to be_ok

        encrypted = client.use(:db)[:coll].find.first['encrypted']
        expect(encrypted).to be_ciphertext
      end

      it 'encrypts a value with client encryption' do
        encrypted = client_encryption.encrypt(
          'test',
          {
            key_id: data_key_id,
            algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
          }
        )

        expect(encrypted).to be_ciphertext
      end
    end

    context 'with external key vault client' do
      let(:client_encrypted) do
        new_local_client(
          SpecConfig.instance.addresses,
          SpecConfig.instance.test_options.merge(
            auto_encryption_options: {
              kms_providers: local_kms_providers,
              key_vault_namespace: 'admin.datakeys',
              schema_map: test_schema_map,
              key_vault_client: external_key_vault_client,
            },
            database: :db,
          )
        )
      end

      let(:client_encryption) do
        Mongo::ClientEncryption.new(
          external_key_vault_client,
          {
            kms_providers: local_kms_providers,
            key_vault_namespace: 'admin.datakeys',
          }
        )
      end

       it 'raises an authentication exception when auto encrypting' do
        expect do
          client_encrypted[:coll].insert_one(encrypted: 'test')
        end.to raise_error(Mongo::Auth::Unauthorized, /fake-user/)
      end

      it 'raises an authentication exception when explicit encrypting' do
        expect do
          client_encryption.encrypt(
            'test',
            {
              key_id: data_key_id,
              algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
            }
          )
        end.to raise_error(Mongo::Auth::Unauthorized, /fake-user/)
      end
    end
  end
end