Enable auto encryption

config/command.php

@@ -3,10 +3,10 @@
 declare(strict_types=1);
 
 use Doctrine\Bundle\MongoDBBundle\Command\ClearMetadataCacheDoctrineODMCommand;
-use Doctrine\Bundle\MongoDBBundle\Command\ConnectionDiagnosticCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\CreateSchemaDoctrineODMCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\DropSchemaDoctrineODMCommand;
-use Doctrine\Bundle\MongoDBBundle\Command\DumpEncryptedFieldsMapCommand;
+use Doctrine\Bundle\MongoDBBundle\Command\EncryptionDiagnosticCommand;
+use Doctrine\Bundle\MongoDBBundle\Command\EncryptionDumpFieldsMapCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\GenerateHydratorsDoctrineODMCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\GenerateProxiesDoctrineODMCommand;
 use Doctrine\Bundle\MongoDBBundle\Command\InfoDoctrineODMCommand;
@@ -24,12 +24,12 @@
         ->set('doctrine_mongodb.odm.command.clear_metadata_cache', ClearMetadataCacheDoctrineODMCommand::class)
             ->tag('console.command', ['command' => 'doctrine:mongodb:cache:clear-metadata'])
 
-        ->set('doctrine_mongodb.odm.command.connection_diagnostic', ConnectionDiagnosticCommand::class)
-            ->tag('console.command', ['command' => 'doctrine:mongodb:connection:diagnostic'])
+        ->set('doctrine_mongodb.odm.command.connection_diagnostic', EncryptionDiagnosticCommand::class)
+            ->tag('console.command', ['command' => 'doctrine:mongodb:encryption:diagnostic'])
             ->args([tagged_locator('doctrine_mongodb.connection_diagnostic', 'name')])
 
-        ->set('doctrine_mongodb.odm.command.dump_encrypted_fields_map', DumpEncryptedFieldsMapCommand::class)
-            ->tag('console.command', ['command' => 'doctrine:mongodb:dump-encrypted-fields-map'])
+        ->set('doctrine_mongodb.odm.command.dump_encrypted_fields_map', EncryptionDumpFieldsMapCommand::class)
+            ->tag('console.command', ['command' => 'doctrine:mongodb:encryption:dump-fields-map'])
             ->args([tagged_locator('doctrine_mongodb.odm.document_manager', 'name')])
 
         ->set('doctrine_mongodb.odm.command.create_schema', CreateSchemaDoctrineODMCommand::class)

docs/config.rst

@@ -852,7 +852,6 @@ Full Default Configuration
 
             $config->connection('id')
                 ->server('mongodb://localhost')
-                ->driverOptions(['context' => null]), // stream context to use for connection
                 ->autoEncryption([ // Options for client-side field-level encryption
                     'bypassAutoEncryption' => false, // Disables auto-encryption
                     'keyVaultClient' => null,  // Service ID of a MongoDB\Driver\Manager for the key vault
@@ -872,11 +871,7 @@ Full Default Configuration
                         // 'tlsCAFile' => null,  // Path to CA file, e.g., /path/to/key-vault-ca.pem
                         // 'tlsCertificateKeyFile' => null,  // Path to client cert/key file, e.g., /path/to/key-vault-client.pem
                         // 'tlsCertificateKeyFilePassword' => null,  // Password for client cert/key file
-                        // 'tlsAllowInvalidCertificates' => false, // Bypass server certificate validation (use with caution)
-                        // 'tlsAllowInvalidHostnames' => false, // Bypass server hostname validation (use with caution)
-                        // 'tlsDisableCertificateRevocation' => false, // Disable CRL checks
                         // 'tlsDisableOCSPEndpointCheck' => false, // Disable OCSP checks
-                        // 'tlsInsecure' => false, // Allow invalid/no server cert (use with extreme caution)
                     ],
                 ])
                 ->options([

docs/encryption.rst

@@ -86,14 +86,14 @@ in the connection configuration, which allows the client to use local rules
 instead of downloading the remote schema from the server, that could potentially
 be tampered with if an attacker compromises the server.
 
-The Encrypted Fields Maps is a list of all encrypted fields associated with all
+The Encrypted Fields Map is a list of all encrypted fields associated with all
 the collection namespaces that has encryption enabled. To configure it, you
 can run a command that extract the encrypted fields from the server and generate
 the ``encryptedFieldsMap`` configuration.
 
 .. code-block:: console
 
-    php bin/console doctrine:mongodb:dump-encrypted-fields-map --format yaml
+    php bin/console doctrine:mongodb:encryption:dump-fields-map --format yaml
 
 The output of the command will be a YAML configuration for the
 ``autoEncryption.encryptedFieldsMap`` option in the connection configuration.
@@ -163,6 +163,8 @@ For more details, see the official MongoDB documentation:
                                 'fields' => [
                                     [
                                         'path' => 'sensitive_field',
+                                        // Extended JSON representation of a BSON binary type
+                                        // The MongoDB\BSON\Binary class cannot be used here
                                         'keyId' => ['$binary' => ['base64' => '2CSosXLSTEKaYphcSnUuCw==', 'subType' => '04' ] ],
                                         'bsonType' => 'string',
                                     ],
@@ -245,12 +247,12 @@ TLS settings for the internal key vault client using the ``tlsOptions`` key:
 
             <doctrine:connection>
                 <doctrine:autoEncryption>
-                    <doctrine:tlsOptions>
-                        <doctrine:tlsCAFile>/path/to/key-vault-ca.pem</doctrine:tlsCAFile>
-                        <doctrine:tlsCertificateKeyFile>/path/to/key-vault-client.pem</doctrine:tlsCertificateKeyFile>
-                        <doctrine:tlsCertificateKeyFilePassword>keyvaultclientpassword</doctrine:tlsCertificateKeyFilePassword>
-                        <doctrine:tlsDisableOCSPEndpointCheck>false</doctrine:tlsAllowInvalidCertificates>
-                    </doctrine:tlsOptions>
+                    <doctrine:tlsOptions
+                        tlsCAFile="/path/to/key-vault-ca.pem"
+                        tlsCertificateKeyFile="/path/to/key-vault-client.pem"
+                        tlsCertificateKeyFilePassword="keyvaultclientpassword"
+                        tlsDisableOCSPEndpointCheck="false"
+                    />
                 </doctrine:autoEncryption>
             </doctrine:connection>
 
@@ -272,31 +274,6 @@ TLS settings for the internal key vault client using the ``tlsOptions`` key:
                     ]);
             };
 
-Context Service for SSL
------------------------
-
-You can use a Symfony service to provide a stream context for SSL options:
-
-.. code-block:: yaml
-
-    services:
-        app.mongodb.context_service:
-            class: 'resource'
-            factory: 'stream_context_create'
-            arguments:
-                - { ssl: { verify_expiry: true } }
-
-Then reference this service in your connection configuration:
-
-.. code-block:: yaml
-
-    doctrine_mongodb:
-        connections:
-            default:
-                server: "mongodb://localhost:27017"
-                driver_options:
-                    context: "app.mongodb.context_service"
-
 Further Reading
 ---------------
 

src/Command/ConnectionDiagnosticCommand.php → src/Command/EncryptionDiagnosticCommand.php

@@ -22,10 +22,10 @@
 
 /** @internal */
 #[AsCommand(
-    name: 'doctrine:mongodb:connection:diagnostic',
+    name: 'doctrine:mongodb:encryption:diagnostic',
     description: 'Diagnose MongoDB configuration and server capabilities for each connection.',
 )]
-final class ConnectionDiagnosticCommand extends Command
+final class EncryptionDiagnosticCommand extends Command
 {
     /** @param ServiceProviderInterface<ConnectionDiagnostic> $diagnostics */
     public function __construct(

src/Command/DumpEncryptedFieldsMapCommand.php → src/Command/EncryptionDumpFieldsMapCommand.php

@@ -28,10 +28,10 @@
 
 /** @internal */
 #[AsCommand(
-    name: 'doctrine:mongodb:dump-encrypted-fields-map',
+    name: 'doctrine:mongodb:encryption:dump-fields-map',
     description: 'Dumps the encrypted fields map for all documents in the configured connections.',
 )]
-final class DumpEncryptedFieldsMapCommand extends Command
+final class EncryptionDumpFieldsMapCommand extends Command
 {
     /** @param ServiceCollectionInterface<DocumentManager> $documentManagers */
     public function __construct(private readonly ServiceCollectionInterface $documentManagers)
@@ -45,7 +45,7 @@ protected function configure(): void
             'format',
             'f',
             InputOption::VALUE_REQUIRED,
-            'The output format for the encrypted fields map (yaml, php)',
+            'The output format for the encrypted fields map (yaml, json, php)',
             'yaml',
             ['yaml', 'php', 'json']
         );
@@ -76,9 +76,24 @@ protected function execute(InputInterface $input, OutputInterface $output): int
                 continue;
             }
 
+            // The min/max query options must have the same type as the field.
+            // But the PHP driver always convert to "int" or "float" when the value fit in the range
             foreach ($encryptedFieldsMap as $ns => $encryptedFields) {
+                $fields = json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toCanonicalExtendedJSON(), true);
+                foreach ($fields as &$field) {
+                    if ($field['bsonType'] === 'long') {
+                        if (isset($field['queries']['min']['$numberInt'])) {
+                            $field['queries']['min'] = ['$numberLong' => $field['queries']['min']['$numberInt']];
+                        }
+
+                        if (isset($field['queries']['max']['$numberInt'])) {
+                            $field['queries']['max'] = ['$numberLong' => $field['queries']['max']['$numberInt']];
+                        }
+                    }
+                }
+
                 // Keep only the "fields" key and ignore "escCollection" and "ecocCollection"
-                $encryptedFieldsMap[$ns] = ['fields' => json_decode(PackedArray::fromPHP($encryptedFields['fields'])->toRelaxedExtendedJSON(), true)];
+                $encryptedFieldsMap[$ns] = ['fields' => $fields];
             }
 
             $io->section(sprintf('Dumping encrypted fields map for document manager "%s"', $name));
@@ -98,7 +113,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
                     return Command::FAILURE;
             }
 
-            $io->block($outputContent);
+            $output->writeln($outputContent, OutputInterface::VERBOSITY_QUIET);
         }
 
         return Command::SUCCESS;

src/DependencyInjection/DoctrineMongoDBExtension.php

@@ -402,8 +402,7 @@ protected function loadDocumentManager(array $documentManager, string|null $defa
      */
     protected function loadConnections(array $connections, ContainerBuilder $container, array $config): void
     {
-        $cons        = [];
-        $diagnostics = [];
+        $cons = [];
         foreach ($connections as $name => $connection) {
             // Define an event manager for this connection
             $eventManagerId = sprintf('doctrine_mongodb.odm.%s_connection.event_manager', $name);

tests/Command/ConnectionDiagnosticCommandTest.php

@@ -15,7 +15,7 @@ public function testExecute(): void
         $kernel      = new CommandTestKernel('test', false);
         $application = new Application($kernel);
 
-        $command       = $application->find('doctrine:mongodb:connection:diagnostic');
+        $command       = $application->find('doctrine:mongodb:encryption:diagnostic');
         $commandTester = new CommandTester($command);
         $commandTester->execute([]);