Add support for explicit field encryption (sync client)

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>org.springframework.data</groupId>
 	<artifactId>spring-data-mongodb-parent</artifactId>
-	<version>4.1.0-SNAPSHOT</version>
+	<version>4.1.x-GH-4284-SNAPSHOT</version>
 	<packaging>pom</packaging>
 
 	<name>Spring Data MongoDB</name>

spring-data-mongodb-benchmarks/pom.xml

@@ -7,7 +7,7 @@
 	<parent>
 		<groupId>org.springframework.data</groupId>
 		<artifactId>spring-data-mongodb-parent</artifactId>
-		<version>4.1.0-SNAPSHOT</version>
+		<version>4.1.x-GH-4284-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

spring-data-mongodb-distribution/pom.xml

@@ -15,7 +15,7 @@
 	<parent>
 		<groupId>org.springframework.data</groupId>
 		<artifactId>spring-data-mongodb-parent</artifactId>
-		<version>4.1.0-SNAPSHOT</version>
+		<version>4.1.x-GH-4284-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

spring-data-mongodb/pom.xml

@@ -13,7 +13,7 @@
 	<parent>
 		<groupId>org.springframework.data</groupId>
 		<artifactId>spring-data-mongodb-parent</artifactId>
-		<version>4.1.0-SNAPSHOT</version>
+		<version>4.1.x-GH-4284-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
@@ -112,6 +112,13 @@
 			<optional>true</optional>
 		</dependency>
 
+		<dependency>
+			<groupId>org.mongodb</groupId>
+			<artifactId>mongodb-crypt</artifactId>
+			<version>1.6.1</version>
+			<optional>true</optional>
+		</dependency>
+
 		<dependency>
 			<groupId>io.projectreactor</groupId>
 			<artifactId>reactor-core</artifactId>

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/MongoExceptionTranslator.java

@@ -68,6 +68,8 @@ public class MongoExceptionTranslator implements PersistenceExceptionTranslator
 	private static final Set<String> DATA_INTEGRITY_EXCEPTIONS = new HashSet<>(
 			Arrays.asList("WriteConcernException", "MongoWriteException", "MongoBulkWriteException"));
 
+	private static final Set<String> SECURITY_EXCEPTIONS = Set.of("MongoCryptException");
+
 	@Nullable
 	public DataAccessException translateExceptionIfPossible(RuntimeException ex) {
 
@@ -131,6 +133,8 @@ public DataAccessException translateExceptionIfPossible(RuntimeException ex) {
 				return new ClientSessionException(ex.getMessage(), ex);
 			} else if (MongoDbErrorCodes.isTransactionFailureCode(code)) {
 				return new MongoTransactionException(ex.getMessage(), ex);
+			} else if(ex.getCause() != null && SECURITY_EXCEPTIONS.contains(ClassUtils.getShortName(ex.getCause().getClass()))) {
+				return new PermissionDeniedDataAccessException(ex.getMessage(), ex);
 			}
 
 			return new UncategorizedMongoDbException(ex.getMessage(), ex);

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/convert/MappingMongoConverter.java

@@ -17,16 +17,7 @@
 
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
@@ -39,7 +30,6 @@
 import org.bson.conversions.Bson;
 import org.bson.json.JsonReader;
 import org.bson.types.ObjectId;
-
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanClassLoaderAware;
 import org.springframework.context.ApplicationContext;
@@ -51,16 +41,7 @@
 import org.springframework.data.annotation.Reference;
 import org.springframework.data.convert.CustomConversions;
 import org.springframework.data.convert.TypeMapper;
-import org.springframework.data.mapping.AccessOptions;
-import org.springframework.data.mapping.Association;
-import org.springframework.data.mapping.InstanceCreatorMetadata;
-import org.springframework.data.mapping.MappingException;
-import org.springframework.data.mapping.Parameter;
-import org.springframework.data.mapping.PersistentEntity;
-import org.springframework.data.mapping.PersistentProperty;
-import org.springframework.data.mapping.PersistentPropertyAccessor;
-import org.springframework.data.mapping.PersistentPropertyPath;
-import org.springframework.data.mapping.PersistentPropertyPathAccessor;
+import org.springframework.data.mapping.*;
 import org.springframework.data.mapping.callback.EntityCallbacks;
 import org.springframework.data.mapping.context.MappingContext;
 import org.springframework.data.mapping.model.ConvertingPropertyAccessor;
@@ -331,7 +312,7 @@ private <R> R doReadProjection(ConversionContext context, Bson bson, EntityProje
 			PersistentPropertyAccessor<?> convertingAccessor = PropertyTranslatingPropertyAccessor
 					.create(new ConvertingPropertyAccessor<>(accessor, conversionService), propertyTranslator);
 			MongoDbPropertyValueProvider valueProvider = new MongoDbPropertyValueProvider(context, documentAccessor,
-					evaluator);
+					evaluator, spELContext);
 
 			readProperties(context, entity, convertingAccessor, documentAccessor, valueProvider, evaluator,
 					Predicates.isTrue());
@@ -367,7 +348,7 @@ String getFieldName(MongoPersistentProperty prop) {
 		populateProperties(context, mappedEntity, documentAccessor, evaluator, instance);
 
 		PersistentPropertyAccessor<?> convertingAccessor = new ConvertingPropertyAccessor<>(accessor, conversionService);
-		MongoDbPropertyValueProvider valueProvider = new MongoDbPropertyValueProvider(context, documentAccessor, evaluator);
+		MongoDbPropertyValueProvider valueProvider = new MongoDbPropertyValueProvider(context, documentAccessor, evaluator, spELContext);
 
 		readProperties(context, mappedEntity, convertingAccessor, documentAccessor, valueProvider, evaluator,
 				Predicates.isTrue());
@@ -529,7 +510,7 @@ private <S> S populateProperties(ConversionContext context, MongoPersistentEntit
 		ConversionContext contextToUse = context.withPath(currentPath);
 
 		MongoDbPropertyValueProvider valueProvider = new MongoDbPropertyValueProvider(contextToUse, documentAccessor,
-				evaluator);
+				evaluator, spELContext);
 
 		Predicate<MongoPersistentProperty> propertyFilter = isIdentifier(entity).or(isConstructorArgument(entity)).negate();
 		readProperties(contextToUse, entity, accessor, documentAccessor, valueProvider, evaluator, propertyFilter);
@@ -868,9 +849,9 @@ private void writeProperties(Bson bson, MongoPersistentEntity<?> entity, Persist
 					dbObjectAccessor.put(prop, null);
 				}
 			} else if (!conversions.isSimpleType(value.getClass())) {
-				writePropertyInternal(value, dbObjectAccessor, prop);
+				writePropertyInternal(value, dbObjectAccessor, prop, accessor);
 			} else {
-				writeSimpleInternal(value, bson, prop);
+				writeSimpleInternal(value, bson, prop, accessor);
 			}
 		}
 	}
@@ -887,11 +868,11 @@ private void writeAssociation(Association<MongoPersistentProperty> association,
 			return;
 		}
 
-		writePropertyInternal(value, dbObjectAccessor, inverseProp);
+		writePropertyInternal(value, dbObjectAccessor, inverseProp, accessor);
 	}
 
 	@SuppressWarnings({ "unchecked" })
-	protected void writePropertyInternal(@Nullable Object obj, DocumentAccessor accessor, MongoPersistentProperty prop) {
+	protected void writePropertyInternal(@Nullable Object obj, DocumentAccessor accessor, MongoPersistentProperty prop, PersistentPropertyAccessor<?> persistentPropertyAccessor) {
 
 		if (obj == null) {
 			return;
@@ -902,7 +883,13 @@ protected void writePropertyInternal(@Nullable Object obj, DocumentAccessor acce
 
 		if (conversions.hasValueConverter(prop)) {
 			accessor.put(prop, conversions.getPropertyValueConversions().getValueConverter(prop).write(obj,
-					new MongoConversionContext(prop, this)));
+					new MongoConversionContext(new PropertyValueProvider<>() {
+						@Nullable
+						@Override
+						public <T> T getPropertyValue(MongoPersistentProperty property) {
+							return (T) persistentPropertyAccessor.getProperty(property);
+						}
+					}, prop, this, spELContext)));
 			return;
 		}
 
@@ -1234,12 +1221,18 @@ private void writeSimpleInternal(@Nullable Object value, Bson bson, String key)
 		BsonUtils.addToMap(bson, key, getPotentiallyConvertedSimpleWrite(value, Object.class));
 	}
 
-	private void writeSimpleInternal(@Nullable Object value, Bson bson, MongoPersistentProperty property) {
+	private void writeSimpleInternal(@Nullable Object value, Bson bson, MongoPersistentProperty property, PersistentPropertyAccessor<?> persistentPropertyAccessor) {
 		DocumentAccessor accessor = new DocumentAccessor(bson);
 
 		if (conversions.hasValueConverter(property)) {
 			accessor.put(property, conversions.getPropertyValueConversions().getValueConverter(property).write(value,
-					new MongoConversionContext(property, this)));
+					new MongoConversionContext(new PropertyValueProvider<>() {
+						@Nullable
+						@Override
+						public <T> T getPropertyValue(MongoPersistentProperty property) {
+							return (T) persistentPropertyAccessor.getProperty(property);
+						}
+					}, property, this, spELContext)));
 			return;
 		}
 
@@ -1845,6 +1838,7 @@ static class MongoDbPropertyValueProvider implements PropertyValueProvider<Mongo
 		final ConversionContext context;
 		final DocumentAccessor accessor;
 		final SpELExpressionEvaluator evaluator;
+		final SpELContext spELContext;
 
 		/**
 		 * Creates a new {@link MongoDbPropertyValueProvider} for the given source, {@link SpELExpressionEvaluator} and
@@ -1855,7 +1849,7 @@ static class MongoDbPropertyValueProvider implements PropertyValueProvider<Mongo
 		 * @param evaluator must not be {@literal null}.
 		 */
 		MongoDbPropertyValueProvider(ConversionContext context, Bson source, SpELExpressionEvaluator evaluator) {
-			this(context, new DocumentAccessor(source), evaluator);
+			this(context, new DocumentAccessor(source), evaluator, null);
 		}
 
 		/**
@@ -1867,7 +1861,7 @@ static class MongoDbPropertyValueProvider implements PropertyValueProvider<Mongo
 		 * @param evaluator must not be {@literal null}.
 		 */
 		MongoDbPropertyValueProvider(ConversionContext context, DocumentAccessor accessor,
-				SpELExpressionEvaluator evaluator) {
+				SpELExpressionEvaluator evaluator, SpELContext spELContext) {
 
 			Assert.notNull(context, "ConversionContext must no be null");
 			Assert.notNull(accessor, "DocumentAccessor must no be null");
@@ -1876,6 +1870,7 @@ static class MongoDbPropertyValueProvider implements PropertyValueProvider<Mongo
 			this.context = context;
 			this.accessor = accessor;
 			this.evaluator = evaluator;
+			this.spELContext = spELContext;
 		}
 
 		@Nullable
@@ -1892,7 +1887,7 @@ public <T> T getPropertyValue(MongoPersistentProperty property) {
 			CustomConversions conversions = context.getCustomConversions();
 			if (conversions.hasValueConverter(property)) {
 				return (T) conversions.getPropertyValueConversions().getValueConverter(property).read(value,
-						new MongoConversionContext(property, context.getSourceConverter()));
+						new MongoConversionContext(this, property, context.getSourceConverter(), spELContext));
 			}
 
 			ConversionContext contextToUse = context.forProperty(property);
@@ -1902,7 +1897,7 @@ public <T> T getPropertyValue(MongoPersistentProperty property) {
 
 		public MongoDbPropertyValueProvider withContext(ConversionContext context) {
 
-			return context == this.context ? this : new MongoDbPropertyValueProvider(context, accessor, evaluator);
+			return context == this.context ? this : new MongoDbPropertyValueProvider(context, accessor, evaluator, spELContext);
 		}
 	}
 
@@ -1925,7 +1920,7 @@ class AssociationAwareMongoDbPropertyValueProvider extends MongoDbPropertyValueP
 		 */
 		AssociationAwareMongoDbPropertyValueProvider(ConversionContext context, DocumentAccessor source,
 				SpELExpressionEvaluator evaluator) {
-			super(context, source, evaluator);
+			super(context, source, evaluator, MappingMongoConverter.this.spELContext);
 		}
 
 		@Override

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/convert/MongoConversionContext.java

@@ -17,6 +17,8 @@
 
 import org.bson.conversions.Bson;
 import org.springframework.data.convert.ValueConversionContext;
+import org.springframework.data.mapping.model.PropertyValueProvider;
+import org.springframework.data.mapping.model.SpELContext;
 import org.springframework.data.mongodb.core.mapping.MongoPersistentProperty;
 import org.springframework.data.util.TypeInformation;
 import org.springframework.lang.Nullable;
@@ -29,21 +31,39 @@
  */
 public class MongoConversionContext implements ValueConversionContext<MongoPersistentProperty> {
 
+	private final PropertyValueProvider<MongoPersistentProperty> accessor; // TODO: generics
 	private final MongoPersistentProperty persistentProperty;
 	private final MongoConverter mongoConverter;
 
-	public MongoConversionContext(MongoPersistentProperty persistentProperty, MongoConverter mongoConverter) {
+	@Nullable
+	private final SpELContext spELContext;
 
+	public MongoConversionContext(PropertyValueProvider<MongoPersistentProperty> accessor,
+			MongoPersistentProperty persistentProperty, MongoConverter mongoConverter) {
+		this(accessor, persistentProperty, mongoConverter, null);
+	}
+
+	public MongoConversionContext(PropertyValueProvider<MongoPersistentProperty> accessor,
+			MongoPersistentProperty persistentProperty, MongoConverter mongoConverter, @Nullable SpELContext spELContext) {
+
+		this.accessor = accessor;
 		this.persistentProperty = persistentProperty;
 		this.mongoConverter = mongoConverter;
+		this.spELContext = spELContext;
 	}
 
 	@Override
 	public MongoPersistentProperty getProperty() {
 		return persistentProperty;
 	}
 
+	@Nullable
+	public Object getValue(String propertyPath) {
+		return accessor.getPropertyValue(persistentProperty.getOwner().getRequiredPersistentProperty(propertyPath));
+	}
+
 	@Override
+	@SuppressWarnings("unchecked")
 	public <T> T write(@Nullable Object value, TypeInformation<T> target) {
 		return (T) mongoConverter.convertToMongoType(value, target);
 	}
@@ -53,4 +73,9 @@ public <T> T read(@Nullable Object value, TypeInformation<T> target) {
 		return value instanceof Bson ? mongoConverter.read(target.getType(), (Bson) value)
 				: ValueConversionContext.super.read(value, target);
 	}
+
+	@Nullable
+	public SpELContext getSpELContext() {
+		return spELContext;
+	}
 }

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/convert/QueryMapper.java

@@ -437,7 +437,7 @@ protected Object getMappedValue(Field documentField, Object sourceValue) {
 				&& converter.getCustomConversions().hasValueConverter(documentField.getProperty())) {
 			return converter.getCustomConversions().getPropertyValueConversions()
 					.getValueConverter(documentField.getProperty())
-					.write(value, new MongoConversionContext(documentField.getProperty(), converter));
+					.write(value, new MongoConversionContext(null, documentField.getProperty(), converter));
 		}
 
 		if (documentField.isIdField() && !documentField.isAssociation()) {

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/convert/encryption/EncryptingConverter.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.data.mongodb.core.convert.encryption;
+
+import org.springframework.data.mongodb.core.convert.MongoConversionContext;
+import org.springframework.data.mongodb.core.convert.MongoValueConverter;
+import org.springframework.data.mongodb.core.encryption.EncryptionContext;
+
+/**
+ * A specialized {@link MongoValueConverter} for {@literal encryptiong} and {@literal decrypting} properties.
+ *
+ * @author Christoph Strobl
+ * @since 4.1
+ */
+public interface EncryptingConverter<S, T> extends MongoValueConverter<S, T> {
+
+	@Override
+	default S read(Object value, MongoConversionContext context) {
+		return decrypt(value, buildEncryptionContext(context));
+	}
+
+	/**
+	 * Decrypt the given encrypted source value within the given {@link EncryptionContext context}.
+	 *
+	 * @param encryptedValue the encrypted source.
+	 * @param context the context to operate in.
+	 * @return never {@literal null}.
+	 */
+	S decrypt(Object encryptedValue, EncryptionContext context);
+
+	@Override
+	default T write(Object value, MongoConversionContext context) {
+		return encrypt(value, buildEncryptionContext(context));
+	}
+
+	/**
+	 * Encrypt the given raw source value within the given {@link EncryptionContext context}.
+	 *
+	 * @param value the encrypted source.
+	 * @param context the context to operate in.
+	 * @return never {@literal null}.
+	 */
+	T encrypt(Object value, EncryptionContext context);
+
+	/**
+	 * Obtain the {@link EncryptionContext} for a given {@link MongoConversionContext value conversion context}.
+	 *
+	 * @param context the current MongoDB specific {@link org.springframework.data.convert.ValueConversionContext}.
+	 * @return the {@link EncryptionContext} to operate in.
+	 * @see org.springframework.data.convert.ValueConversionContext
+	 */
+	EncryptionContext buildEncryptionContext(MongoConversionContext context);
+}