mongodb · DmitryLukyanov · Dec 14, 2022 · Nov 21, 2022 · Nov 22, 2022 · Nov 25, 2022
diff --git a/src/MongoDB.Driver.Core/Core/Encryption/EncryptedCollectionHelper.cs b/src/MongoDB.Driver.Core/Core/Encryption/EncryptedCollectionHelper.cs
@@ -76,6 +76,40 @@ public static BsonDocument GetEffectiveEncryptedFields(CollectionNamespace colle
             }
         }
 
+        public static IEnumerable<BsonDocument> IterateEmptyKeyIds(CollectionNamespace collectionNamespace, BsonDocument encryptedFields)
+        {
+            if (!EncryptedCollectionHelper.TryGetEffectiveEncryptedFields(collectionNamespace, encryptedFields, encryptedFieldsMap: null, out var storedEncryptedFields))
+            {
+                throw new InvalidOperationException("There are no encrypted fields defined for the collection.");
+            }
+
+            if (storedEncryptedFields.TryGetValue("fields", out var fields) && fields is BsonArray fieldsArray)
+            {
+                foreach (var field in fieldsArray)
+                {
+                    if (field is BsonDocument fieldDocument)
+                    {
+                        if (fieldDocument.TryGetElement("keyId", out var keyId) && keyId.Value == BsonNull.Value)
+                        {
+                            yield return fieldDocument;
+                        }
+                    }
+                    else
+                    {
+                        // If `F` is not a document element, skip it.
+                        continue;
+                    }
+                }
+            }
+
+            yield break;
+        }
+
+        public static void ModifyEndryptedFields(BsonDocument fieldDocument, Guid dataKey)
+        {
+            fieldDocument["keyId"] = new BsonBinaryData(dataKey, GuidRepresentation.Standard);
+        }
+
         public enum HelperCollectionForEncryption
         {
             Esc,

diff --git a/src/MongoDB.Driver/Encryption/ClientEncryption.cs b/src/MongoDB.Driver/Encryption/ClientEncryption.cs
@@ -78,6 +78,64 @@ public BsonDocument AddAlternateKeyName(Guid id, string alternateKeyName, Cancel
         public Task<BsonDocument> AddAlternateKeyNameAsync(Guid id, string alternateKeyName, CancellationToken cancellationToken = default) =>
             _libMongoCryptController.AddAlternateKeyNameAsync(id, alternateKeyName, cancellationToken);
 
+        /// <summary>
+        /// Create encrypted collection.
+        /// </summary>
+        /// <param name="collectionNamespace">The collection namespace.</param>
+        /// <param name="createCollectionOptions">The create collection options.</param>
+        /// <param name="kmsProvider">The kms provider.</param>
+        /// <param name="dataKeyOptions">The datakey options.</param>
+        /// <param name="cancellationToken">The cancellation token.</param>
+        public (IMongoCollection<TCollection> Collection, BsonDocument EncryptedFields) CreateEncryptedCollection<TCollection>(CollectionNamespace collectionNamespace, CreateCollectionOptions createCollectionOptions, string kmsProvider, DataKeyOptions dataKeyOptions, CancellationToken cancellationToken = default)
+        {
+            var effectiveEncryptedFields = createCollectionOptions?.EncryptedFields?.DeepClone()?.AsBsonDocument;
+
+            foreach (var fieldDocument in EncryptedCollectionHelper.IterateEmptyKeyIds(collectionNamespace, effectiveEncryptedFields))
+            {
+                var dataKey = CreateDataKey(kmsProvider, dataKeyOptions, cancellationToken);
+                EncryptedCollectionHelper.ModifyEndryptedFields(fieldDocument, dataKey);
+            }
+
+            var database = _libMongoCryptController.KeyVaultClient.GetDatabase(collectionNamespace.DatabaseNamespace.DatabaseName);
+
+            createCollectionOptions.EncryptedFields = effectiveEncryptedFields;
+
+            database.CreateCollection(collectionNamespace.CollectionName, createCollectionOptions, cancellationToken);
+
+            var collection = database.GetCollection<TCollection>(collectionNamespace.CollectionName);
+
+            return (collection, effectiveEncryptedFields);
+        }
+
+        /// <summary>
+        /// Create encrypted collection.
+        /// </summary>
+        /// <param name="collectionNamespace">The collection namespace.</param>
+        /// <param name="createCollectionOptions">The create collection options.</param>
+        /// <param name="kmsProvider">The kms provider.</param>
+        /// <param name="dataKeyOptions">The datakey options.</param>
+        /// <param name="cancellationToken">The cancellation token.</param>
+        public async Task<(IMongoCollection<TCollection> Collection, BsonDocument EncryptedFields)> CreateEncryptedCollectionAsync<TCollection>(CollectionNamespace collectionNamespace, CreateCollectionOptions createCollectionOptions, string kmsProvider, DataKeyOptions dataKeyOptions, CancellationToken cancellationToken = default)
+        {
+            var effectiveEncryptedFields = createCollectionOptions?.EncryptedFields?.DeepClone()?.AsBsonDocument;
+
+            foreach (var fieldDocument in EncryptedCollectionHelper.IterateEmptyKeyIds(collectionNamespace, effectiveEncryptedFields))
+            {
+                var dataKey = await CreateDataKeyAsync(kmsProvider, dataKeyOptions, cancellationToken).ConfigureAwait(false);
+                EncryptedCollectionHelper.ModifyEndryptedFields(fieldDocument, dataKey);
+            }
+
+            var database = _libMongoCryptController.KeyVaultClient.GetDatabase(collectionNamespace.DatabaseNamespace.DatabaseName);
+
+            createCollectionOptions.EncryptedFields = effectiveEncryptedFields;
+
+            await database.CreateCollectionAsync(collectionNamespace.CollectionName, createCollectionOptions, cancellationToken).ConfigureAwait(false);
+
+            var collection = database.GetCollection<TCollection>(collectionNamespace.CollectionName);
+
+            return (collection, effectiveEncryptedFields);
+        }
+
         /// <summary>
         /// An alias function equivalent to createKey.
         /// </summary>

diff --git a/src/MongoDB.Driver/Encryption/LibMongoCryptControllerBase.cs b/src/MongoDB.Driver/Encryption/LibMongoCryptControllerBase.cs
@@ -61,6 +61,9 @@ protected LibMongoCryptControllerBase(
             _tlsOptions = Ensure.IsNotNull(encryptionOptions.TlsOptions, nameof(encryptionOptions.TlsOptions));
         }
 
+        // public proeprties
+        public IMongoClient KeyVaultClient => _keyVaultClient;
+
         // protected methods
         protected void FeedResult(CryptContext context, BsonDocument document)
         {

diff --git a/...ver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs b/...ver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs
@@ -33,7 +33,6 @@
 using MongoDB.Driver.Core.Authentication.External;
 using MongoDB.Driver.Core.Bindings;
 using MongoDB.Driver.Core.Clusters;
-using MongoDB.Driver.Core.Configuration;
 using MongoDB.Driver.Core.Events;
 using MongoDB.Driver.Core.Misc;
 using MongoDB.Driver.Core.Operations;
@@ -84,6 +83,69 @@ public ClientEncryptionProseTests(ITestOutputHelper testOutputHelper)
         }
 
         // public methods
+        [SkippableTheory]
+        [ParameterAttributeData]
+        public void AutomaticDataEncryptionKeys(
+            [Range(1, 3)] int testCase,
+            [Values(false, true)] bool async)
+        {
+            RequireServer.Check().Supports(Feature.Csfle2).ClusterTypes(ClusterType.ReplicaSet, ClusterType.Sharded, ClusterType.LoadBalanced);
+
+            var kmsProvider = "local";
+            using (var client = ConfigureClient())
+            using (var clientEncryption = ConfigureClientEncryption(client, kmsProviderFilter: kmsProvider))
+            {
+                var encryptedFields = BsonDocument.Parse($@"
+                {{
+                    fields:
+                    [
+                    {{
+                        path: ""ssn"",
+                        bsonType: ""string"",
+                        keyId: null
+                    }}
+                    ]
+                }}");
+
+                DropCollection(__collCollectionNamespace, encryptedFields);
+
+                RunTestCase(testCase);
+
+                void RunTestCase(int testCase)
+                {
+                    switch (testCase)
+                    {
+                        case 1: // Case 1: Simple Creation and Validation
+                            {
+                                var collection = CreateEncryptedCollection(client, clientEncryption, __collCollectionNamespace, encryptedFields, kmsProvider, async).Collection;
+
+                                var exception = Record.Exception(() => Insert(collection, async, new BsonDocument("ssn", "123-45-6789")));
+                                exception.Should().BeOfType<MongoBulkWriteException<BsonDocument>>().Which.Message.Should().Contain("Document failed validation");
+                            }
+                            break;
+                        case 2: // Case 2: Missing ``encryptedFields``
+                            {
+                                var exception = Record.Exception(() => CreateEncryptedCollection(client, clientEncryption, __collCollectionNamespace, encryptedFields: null, kmsProvider, async).Collection);
+
+                                exception.Should().BeOfType<InvalidOperationException>().Which.Message.Should().Contain("There are no encrypted fields defined for the collection.") ;
+                            }
+                            break;
+                        case 3: // Case 3: Invalid ``keyId``
+                            {
+                                var effectiveEncryptedFields = encryptedFields.DeepClone();
+                                effectiveEncryptedFields["fields"].AsBsonArray[0].AsBsonDocument["keyId"] = true;
+                                var collection = CreateEncryptedCollection(client, clientEncryption, __collCollectionNamespace, encryptedFields, kmsProvider, async).Collection;
+
+                                var exception = Record.Exception(() => Insert(collection, async, new BsonDocument("ssn", "123-45-6789")));
+                                exception.Should().BeOfType<MongoBulkWriteException<BsonDocument>>().Which.Message.Should().Contain("Document failed validation");
+                            }
+                            break;
+                        default: throw new Exception($"Unexpected test case {testCase}.");
+                    }
+                }
+            }
+        }
+
         [SkippableTheory]
         [ParameterAttributeData]
         public void BsonSizeLimitAndBatchSizeSplittingTest(
@@ -1025,6 +1087,7 @@ void RunTestCase(IMongoCollection<BsonDocument> decryptionEventsCollection, int
                             reply["cursor"]["firstBatch"].AsBsonArray.Single()["encrypted"].AsBsonBinaryData.SubType.Should().Be(BsonBinarySubType.Encrypted);
                         }
                         break;
+                    default: throw new Exception($"Unexpected test case {testCase}.");
                 }
             }
 
@@ -1873,7 +1936,7 @@ public void ViewAreProhibitedTest([Values(false, true)] bool async)
             using (var client = ConfigureClient(false))
             using (var clientEncrypted = ConfigureClientEncrypted(kmsProviderFilter: "local"))
             {
-                DropView(viewName);
+                DropCollection(viewName);
                 client
                     .GetDatabase(viewName.DatabaseNamespace.DatabaseName)
                     .CreateView(
@@ -2201,6 +2264,16 @@ private void CreateCollection(IMongoClient client, CollectionNamespace collectio
                     });
         }
 
+        private (IMongoCollection<BsonDocument> Collection, BsonDocument EncryptedFields) CreateEncryptedCollection(IMongoClient client, ClientEncryption clientEncryption, CollectionNamespace collectionNamespace, BsonDocument encryptedFields, string kmsProvider, bool async)
+        {
+            var createCollectionOptions = new CreateCollectionOptions { EncryptedFields = encryptedFields };
+            var datakeyOptions = CreateDataKeyOptions(kmsProvider);
+
+            return async
+                ? clientEncryption.CreateEncryptedCollectionAsync<BsonDocument>(collectionNamespace, createCollectionOptions, kmsProvider, datakeyOptions, cancellationToken: default).GetAwaiter().GetResult()
+                : clientEncryption.CreateEncryptedCollection<BsonDocument>(collectionNamespace, createCollectionOptions, kmsProvider, datakeyOptions, cancellationToken: default);
+        }
+
         private Guid CreateDataKey(
             ClientEncryption clientEncryption,
             string kmsProvider,
@@ -2351,9 +2424,9 @@ private MongoClientSettings CreateMongoClientSettings(
             return mongoClientSettings;
         }
 
-        private void DropView(CollectionNamespace viewNamespace)
+        private void DropCollection(CollectionNamespace viewNamespace, BsonDocument encryptedFields = null)
         {
-            var operation = new DropCollectionOperation(viewNamespace, CoreTestConfiguration.MessageEncoderSettings);
+            var operation = DropCollectionOperation.CreateEncryptedDropCollectionOperationIfConfigured(viewNamespace, encryptedFields, CoreTestConfiguration.MessageEncoderSettings, configureDropCollectionConfigurator: null);
             using (var session = CoreTestConfiguration.StartSession(_cluster))
             using (var binding = new WritableServerBinding(_cluster, session.Fork()))
             using (var bindingHandle = new ReadWriteBindingHandle(binding))