Add tests and update documentation.

Author: christophstrobl

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/CollectionOptions.java

@@ -688,8 +688,7 @@ public static class EncryptedFieldsOptions {
 			this(null, List.of());
 		}
 
-		private EncryptedFieldsOptions(@Nullable MongoJsonSchema schema,
-				List<JsonSchemaProperty> queryableProperties) {
+		private EncryptedFieldsOptions(@Nullable MongoJsonSchema schema, List<JsonSchemaProperty> queryableProperties) {
 
 			this.schema = schema;
 			this.properties = queryableProperties;
@@ -712,7 +711,7 @@ public static EncryptedFieldsOptions fromSchema(MongoJsonSchema schema) {
 		/**
 		 * @return new instance of {@link EncryptedFieldsOptions}.
 		 */
-		public static EncryptedFieldsOptions fromProperties(List<QueryableJsonSchemaProperty> properties) {
+		public static EncryptedFieldsOptions fromProperties(List<JsonSchemaProperty> properties) {
 			return new EncryptedFieldsOptions(null, List.copyOf(properties));
 		}
 
@@ -739,19 +738,36 @@ public EncryptedFieldsOptions queryable(JsonSchemaProperty property, QueryCharac
 			return new EncryptedFieldsOptions(schema, targetPropertyList);
 		}
 
+		/**
+		 * Add an {@link EncryptedJsonSchemaProperty encrypted property} that should not be queryable.
+		 *
+		 * @param property must not be {@literal null}.
+		 * @return new instance of {@link EncryptedFieldsOptions}.
+		 */
+		@Contract("_ -> new")
+		@CheckReturnValue
 		public EncryptedFieldsOptions with(EncryptedJsonSchemaProperty property) {
 			return encrypted(property, null);
 		}
 
+		/**
+		 * Add a {@link JsonSchemaProperty property} that should not be encrypted but not queryable.
+		 *
+		 * @param property must not be {@literal null}.
+		 * @param key can be {@literal null}.
+		 * @return new instance of {@link EncryptedFieldsOptions}.
+		 */
+		@Contract("_, _ -> new")
+		@CheckReturnValue
 		public EncryptedFieldsOptions encrypted(JsonSchemaProperty property, @Nullable Object key) {
 
 			List<JsonSchemaProperty> targetPropertyList = new ArrayList<>(properties.size() + 1);
 			targetPropertyList.addAll(properties);
-			if(property instanceof IdentifiableJsonSchemaProperty.EncryptedJsonSchemaProperty) {
+			if (property instanceof IdentifiableJsonSchemaProperty.EncryptedJsonSchemaProperty) {
 				targetPropertyList.add(property);
 			} else {
 				EncryptedJsonSchemaProperty encryptedJsonSchemaProperty = new EncryptedJsonSchemaProperty(property);
-				if(key != null) {
+				if (key != null) {
 					targetPropertyList.add(encryptedJsonSchemaProperty.keyId(key));
 				}
 			}
@@ -800,12 +816,11 @@ private List<Document> fromProperties() {
 							field.append("keyId", encrypted.getKeyId());
 						}
 					}
-				}
-				else if (property instanceof IdentifiableJsonSchemaProperty.EncryptedJsonSchemaProperty encrypted) {
+				} else if (property instanceof IdentifiableJsonSchemaProperty.EncryptedJsonSchemaProperty encrypted) {
 					if (encrypted.getKeyId() != null) {
 						if (encrypted.getKeyId() instanceof String stringKey) {
 							field.append("keyId",
-								new BsonBinary(BsonBinarySubType.UUID_STANDARD, stringKey.getBytes(StandardCharsets.UTF_8)));
+									new BsonBinary(BsonBinarySubType.UUID_STANDARD, stringKey.getBytes(StandardCharsets.UTF_8)));
 						} else {
 							field.append("keyId", encrypted.getKeyId());
 						}
@@ -814,7 +829,7 @@ else if (property instanceof IdentifiableJsonSchemaProperty.EncryptedJsonSchemaP
 
 				if (property instanceof QueryableJsonSchemaProperty qproperty) {
 					field.append("queries", StreamSupport.stream(qproperty.getCharacteristics().spliterator(), false)
-						.map(QueryCharacteristic::toDocument).toList());
+							.map(QueryCharacteristic::toDocument).toList());
 				}
 				if (!field.containsKey("keyId")) {
 					field.append("keyId", BsonNull.VALUE);
@@ -844,7 +859,7 @@ private List<Document> fromSchema() {
 					if (entry.getValue().containsKey("bsonType")) {
 						field.append("bsonType", entry.getValue().get("bsonType"));
 					}
-					if(entry.getValue().containsKey("queries")) {
+					if (entry.getValue().containsKey("queries")) {
 						field.put("queries", entry.getValue().get("queries"));
 					}
 					fields.add(field);

spring-data-mongodb/src/test/java/org/springframework/data/mongodb/core/CollectionOptionsUnitTests.java

@@ -89,22 +89,25 @@ void validatorEquals() {
 				.isNotEqualTo(empty().validator(Validator.document(new Document("one", "two"))).moderateValidation());
 	}
 
-	@Test // GH-4185
+	@Test // GH-4185, GH-4988
 	@SuppressWarnings("unchecked")
 	void queryableEncryptionOptionsFromSchemaRenderCorrectly() {
 
 		MongoJsonSchema schema = MongoJsonSchema.builder()
 				.property(JsonSchemaProperty.object("spring")
 						.properties(queryable(JsonSchemaProperty.encrypted(JsonSchemaProperty.int32("data")), List.of())))
-				.property(queryable(JsonSchemaProperty.encrypted(JsonSchemaProperty.int64("mongodb")), List.of())).build();
+				.property(queryable(JsonSchemaProperty.encrypted(JsonSchemaProperty.int64("mongodb")), List.of()))
+				.property(JsonSchemaProperty.encrypted(JsonSchemaProperty.string("rocks"))).build();
 
 		EncryptedFieldsOptions encryptionOptions = EncryptedFieldsOptions.fromSchema(schema);
 
-		assertThat(encryptionOptions.toDocument().get("fields", List.class)).hasSize(2)
+		assertThat(encryptionOptions.toDocument().get("fields", List.class)).hasSize(3)
 				.contains(new Document("path", "mongodb").append("bsonType", "long").append("queries", List.of())
 						.append("keyId", BsonNull.VALUE))
 				.contains(new Document("path", "spring.data").append("bsonType", "int").append("queries", List.of())
-						.append("keyId", BsonNull.VALUE));
+						.append("keyId", BsonNull.VALUE))
+				.contains(new Document("path", "rocks").append("bsonType", "string").append("keyId", BsonNull.VALUE));
+
 	}
 
 	@Test // GH-4185

spring-data-mongodb/src/test/java/org/springframework/data/mongodb/core/encryption/RangeEncryptionTests.java

@@ -15,8 +15,9 @@
  */
 package org.springframework.data.mongodb.core.encryption;
 
-import static org.assertj.core.api.Assertions.*;
-import static org.springframework.data.mongodb.core.query.Criteria.*;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.springframework.data.mongodb.core.query.Criteria.where;
 
 import java.security.SecureRandom;
 import java.util.LinkedHashMap;
@@ -32,13 +33,10 @@
 import org.bson.BsonInt32;
 import org.bson.BsonString;
 import org.bson.Document;
-import org.junit.Before;
 import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
@@ -125,18 +123,19 @@ void manuallyEncryptedValuesCanBeSavedAndRetrievedCorrectly() {
 
 		EncryptOptions equalityEncOptions = new EncryptOptions("Indexed").contentionFactor(0L)
 				.keyId(keyHolder.getEncryptionKey("age"));
-		;
 
 		EncryptOptions equalityEncOptionsString = new EncryptOptions("Indexed").contentionFactor(0L)
 				.keyId(keyHolder.getEncryptionKey("name"));
-		;
+
+		EncryptOptions justEncryptOptions = new EncryptOptions("Unindexed").keyId(keyHolder.getEncryptionKey("ssn"));
 
 		Document source = new Document("_id", "id-1");
 
 		source.put("name",
 				clientEncryption.getClientEncryption().encrypt(new BsonString("It's a Me, Mario!"), equalityEncOptionsString));
 		source.put("age", clientEncryption.getClientEncryption().encrypt(new BsonInt32(101), equalityEncOptions));
 		source.put("encryptedInt", clientEncryption.getClientEncryption().encrypt(new BsonInt32(101), encryptOptions));
+		source.put("ssn", clientEncryption.getClientEncryption().encrypt(new BsonString("6-4-20"), justEncryptOptions));
 		source.put("_class", Person.class.getName());
 
 		template.execute(Person.class, col -> col.insertOne(source));
@@ -151,6 +150,8 @@ void manuallyEncryptedValuesCanBeSavedAndRetrievedCorrectly() {
 		});
 
 		assertThat(result).containsEntry("encryptedInt", 101);
+		assertThat(result).containsEntry("age", 101);
+		assertThat(result).containsEntry("ssn", "6-4-20");
 	}
 
 	@Test // GH-4185
@@ -283,6 +284,7 @@ private Person createPerson() {
 		source.encryptedLong = 1001L;
 		source.nested = new NestedWithQEFields();
 		source.nested.value = "Luigi time!";
+		source.ssn = "6-4-20";
 		return source;
 	}
 
@@ -480,6 +482,10 @@ static class Person {
 				rangeOptions = "{\"min\": {\"$numberLong\": \"1000\"}, \"max\": {\"$numberLong\": \"9999\"}, \"trimFactor\": 1, \"sparsity\": 1}") //
 		Long encryptedLong;
 
+		@ValueConverter(MongoEncryptionConverter.class)
+		@Encrypted(algorithm = "Unindexed") // encrypted, nothing else!
+		String ssn;
+
 		NestedWithQEFields nested;
 
 		public String getId() {
@@ -514,6 +520,14 @@ public void setEncryptedLong(Long encryptedLong) {
 			this.encryptedLong = encryptedLong;
 		}
 
+		public String getSsn() {
+			return ssn;
+		}
+
+		public void setSsn(String ssn) {
+			this.ssn = ssn;
+		}
+
 		@Override
 		public boolean equals(Object o) {
 			if (o == this) {
@@ -525,18 +539,20 @@ public boolean equals(Object o) {
 			Person person = (Person) o;
 			return Objects.equals(id, person.id) && Objects.equals(unencryptedValue, person.unencryptedValue)
 					&& Objects.equals(name, person.name) && Objects.equals(age, person.age)
-					&& Objects.equals(encryptedInt, person.encryptedInt) && Objects.equals(encryptedLong, person.encryptedLong);
+					&& Objects.equals(encryptedInt, person.encryptedInt) && Objects.equals(encryptedLong, person.encryptedLong)
+					&& Objects.equals(ssn, person.ssn);
 		}
 
 		@Override
 		public int hashCode() {
-			return Objects.hash(id, unencryptedValue, name, age, encryptedInt, encryptedLong);
+			return Objects.hash(id, unencryptedValue, name, age, encryptedInt, encryptedLong, ssn);
 		}
 
 		@Override
 		public String toString() {
 			return "Person{" + "id='" + id + '\'' + ", unencryptedValue='" + unencryptedValue + '\'' + ", name='" + name
-					+ '\'' + ", age=" + age + ", encryptedInt=" + encryptedInt + ", encryptedLong=" + encryptedLong + '}';
+					+ '\'' + ", age=" + age + ", encryptedInt=" + encryptedInt + ", encryptedLong=" + encryptedLong + ", ssn="
+					+ ssn + '}';
 		}
 	}
 

src/main/antora/modules/ROOT/pages/mongodb/mongo-encryption.adoc

@@ -141,9 +141,10 @@ Manual Collection Setup::
 [source,java,indent=0,subs="verbatim,quotes",role="primary"]
 ----
 CollectionOptions collectionOptions = CollectionOptions.encryptedCollection(options -> options
-	.queryable(encrypted(string("ssn")).algorithm("Indexed"), equality().contention(0))
-	.queryable(encrypted(int32("age")).algorithm("Range"), range().contention(8).min(0).max(150))
-	.queryable(encrypted(int64("address.sign")).algorithm("Range"), range().contention(2).min(-10L).max(10L))
+    .queryable(encrypted(string("ssn")).algorithm("Indexed"), equality().contention(0))
+    .queryable(encrypted(int32("age")).algorithm("Range"), range().contention(8).min(0).max(150))
+    .encrypted(string("pin"))
+    .queryable(encrypted(int64("address.sign")).algorithm("Range"), range().contention(2).min(-10L).max(10L))
 );
 
 mongoTemplate.createCollection(Patient.class, collectionOptions); <1>
@@ -160,13 +161,16 @@ class Patient {
 
     @Id String id;
 
-    @Encrypted(algorithm = "Indexed") //
+    @Encrypted(algorithm = "Indexed")
     @Queryable(queryType = "equality", contentionFactor = 0)
     String ssn;
 
     @RangeEncrypted(contentionFactor = 8, rangeOptions = "{ 'min' : 0, 'max' : 150 }")
     Integer age;
 
+    @Encrypted(algorithm = "Unindexed")
+    String pin;
+
     Address address;
 }
 
@@ -210,6 +214,11 @@ MongoDB Collection Info::
             bsonType: 'int',
             queries: [ { queryType: 'range', contention: Long('8'), min: 0, max: 150 } ]
           },
+          {
+            keyId: ...,
+            path: 'pin',
+            bsonType: 'string'
+          },
           {
             keyId: ...,
             path: 'address.sign',