Add support for deriving json schema for encrypted properties.

This commit introduces support for creating a MongoJsonSchema containing encrypted fields for a given type based on mapping metadata.
Using the Encrypted annotation allows to derive required encryptMetadata and encrypt properties within a given (mapping)context.

@document
@Encrypted(keyId = "...")
static class Patient {

    // ...

    @Encrypted(algorithm = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")
    private Integer ssn;

}

MongoJsonSchemaCreator schemaCreator = MongoJsonSchemaCreator.create(mappingContext);
MongoJsonSchema patientSchema = schemaCreator
    .filter(MongoJsonSchemaCreator.encryptedOnly())
    .createSchemaFor(Patient.class);

Closes: #3800
Original pull request: #3801.

Author: christophstrobl

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/EncryptionAlgorithms.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.data.mongodb.core;
+
+/**
+ * Encryption algorithms supported by MongoDB Client Side Field Level Encryption.
+ *
+ * @author Christoph Strobl
+ * @since 3.3
+ */
+public final class EncryptionAlgorithms {
+
+	public static final String AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";
+	public static final String AEAD_AES_256_CBC_HMAC_SHA_512_Random = "AEAD_AES_256_CBC_HMAC_SHA_512-Random";
+
+}

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/MappingMongoJsonSchemaCreator.java

@@ -20,24 +20,32 @@
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
 
+import org.bson.Document;
 import org.springframework.data.mapping.PersistentProperty;
 import org.springframework.data.mapping.context.MappingContext;
 import org.springframework.data.mongodb.core.convert.MongoConverter;
+import org.springframework.data.mongodb.core.mapping.BasicMongoPersistentEntity;
+import org.springframework.data.mongodb.core.mapping.Encrypted;
 import org.springframework.data.mongodb.core.mapping.Field;
 import org.springframework.data.mongodb.core.mapping.MongoPersistentEntity;
 import org.springframework.data.mongodb.core.mapping.MongoPersistentProperty;
+import org.springframework.data.mongodb.core.schema.IdentifiableJsonSchemaProperty.EncryptedJsonSchemaProperty;
 import org.springframework.data.mongodb.core.schema.IdentifiableJsonSchemaProperty.ObjectJsonSchemaProperty;
 import org.springframework.data.mongodb.core.schema.JsonSchemaObject;
 import org.springframework.data.mongodb.core.schema.JsonSchemaObject.Type;
 import org.springframework.data.mongodb.core.schema.JsonSchemaProperty;
 import org.springframework.data.mongodb.core.schema.MongoJsonSchema;
 import org.springframework.data.mongodb.core.schema.MongoJsonSchema.MongoJsonSchemaBuilder;
 import org.springframework.data.mongodb.core.schema.TypedJsonSchemaObject;
+import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.ObjectUtils;
+import org.springframework.util.StringUtils;
 
 /**
  * {@link MongoJsonSchemaCreator} implementation using both {@link MongoConverter} and {@link MappingContext} to obtain
@@ -52,6 +60,7 @@ class MappingMongoJsonSchemaCreator implements MongoJsonSchemaCreator {
 
 	private final MongoConverter converter;
 	private final MappingContext<MongoPersistentEntity<?>, MongoPersistentProperty> mappingContext;
+	private final Predicate<JsonSchemaPropertyContext> filter;
 
 	/**
 	 * Create a new instance of {@link MappingMongoJsonSchemaCreator}.
@@ -61,10 +70,24 @@ class MappingMongoJsonSchemaCreator implements MongoJsonSchemaCreator {
 	@SuppressWarnings("unchecked")
 	MappingMongoJsonSchemaCreator(MongoConverter converter) {
 
+		this(converter, (MappingContext<MongoPersistentEntity<?>, MongoPersistentProperty>) converter.getMappingContext(),
+				(property) -> true);
+	}
+
+	@SuppressWarnings("unchecked")
+	MappingMongoJsonSchemaCreator(MongoConverter converter,
+			MappingContext<MongoPersistentEntity<?>, MongoPersistentProperty> mappingContext,
+			Predicate<JsonSchemaPropertyContext> filter) {
+
 		Assert.notNull(converter, "Converter must not be null!");
 		this.converter = converter;
-		this.mappingContext = (MappingContext<MongoPersistentEntity<?>, MongoPersistentProperty>) converter
-				.getMappingContext();
+		this.mappingContext = mappingContext;
+		this.filter = filter;
+	}
+
+	@Override
+	public MongoJsonSchemaCreator filter(Predicate<JsonSchemaPropertyContext> filter) {
+		return new MappingMongoJsonSchemaCreator(converter, mappingContext, filter);
 	}
 
 	/*
@@ -77,11 +100,29 @@ public MongoJsonSchema createSchemaFor(Class<?> type) {
 		MongoPersistentEntity<?> entity = mappingContext.getRequiredPersistentEntity(type);
 		MongoJsonSchemaBuilder schemaBuilder = MongoJsonSchema.builder();
 
+		{
+			Encrypted encrypted = entity.findAnnotation(Encrypted.class);
+			if (encrypted != null) {
+
+				Document encryptionMetadata = new Document();
+
+				Collection<Object> encryptionKeyIds = entity.getEncryptionKeyIds();
+				if (!CollectionUtils.isEmpty(encryptionKeyIds)) {
+					encryptionMetadata.append("keyId", encryptionKeyIds);
+				}
+
+				if (StringUtils.hasText(encrypted.algorithm())) {
+					encryptionMetadata.append("algorithm", encrypted.algorithm());
+				}
+
+				schemaBuilder.encryptionMetadata(encryptionMetadata);
+			}
+		}
+
 		List<JsonSchemaProperty> schemaProperties = computePropertiesForEntity(Collections.emptyList(), entity);
 		schemaBuilder.properties(schemaProperties.toArray(new JsonSchemaProperty[0]));
 
 		return schemaBuilder.build();
-
 	}
 
 	private List<JsonSchemaProperty> computePropertiesForEntity(List<MongoPersistentProperty> path,
@@ -93,6 +134,11 @@ private List<JsonSchemaProperty> computePropertiesForEntity(List<MongoPersistent
 
 			List<MongoPersistentProperty> currentPath = new ArrayList<>(path);
 
+			if (!filter.test(new PropertyContext(
+					currentPath.stream().map(PersistentProperty::getName).collect(Collectors.joining(".")), nested))) {
+				continue;
+			}
+
 			if (path.contains(nested)) { // cycle guard
 				schemaProperties.add(createSchemaProperty(computePropertyFieldName(CollectionUtils.lastElement(currentPath)),
 						Object.class, false));
@@ -120,15 +166,38 @@ private JsonSchemaProperty computeSchemaForProperty(List<MongoPersistentProperty
 
 		String fieldName = computePropertyFieldName(property);
 
+		JsonSchemaProperty schemaProperty;
 		if (property.isCollectionLike()) {
-			return createSchemaProperty(fieldName, targetType, required);
+			schemaProperty = createSchemaProperty(fieldName, targetType, required);
 		} else if (property.isMap()) {
-			return createSchemaProperty(fieldName, Type.objectType(), required);
+			schemaProperty = createSchemaProperty(fieldName, Type.objectType(), required);
 		} else if (ClassUtils.isAssignable(Enum.class, targetType)) {
-			return createEnumSchemaProperty(fieldName, targetType, required);
+			schemaProperty = createEnumSchemaProperty(fieldName, targetType, required);
+		} else {
+			schemaProperty = createSchemaProperty(fieldName, targetType, required);
 		}
 
-		return createSchemaProperty(fieldName, targetType, required);
+		return applyEncryptionDataIfNecessary(property, schemaProperty);
+	}
+
+	@Nullable
+	private JsonSchemaProperty applyEncryptionDataIfNecessary(MongoPersistentProperty property,
+			JsonSchemaProperty schemaProperty) {
+
+		Encrypted encrypted = property.findAnnotation(Encrypted.class);
+		if (encrypted == null) {
+			return schemaProperty;
+		}
+
+		EncryptedJsonSchemaProperty enc = new EncryptedJsonSchemaProperty(schemaProperty);
+		if (StringUtils.hasText(encrypted.algorithm())) {
+			enc = enc.algorithm(encrypted.algorithm());
+		}
+		if (!ObjectUtils.isEmpty(encrypted.keyId())) {
+			enc = enc.keys(property.getEncryptionKeyIds());
+		}
+		return enc;
+
 	}
 
 	private JsonSchemaProperty createObjectSchemaPropertyForEntity(List<MongoPersistentProperty> path,
@@ -207,4 +276,30 @@ static JsonSchemaProperty createPotentiallyRequiredSchemaProperty(JsonSchemaProp
 
 		return JsonSchemaProperty.required(property);
 	}
+
+	class PropertyContext implements JsonSchemaPropertyContext {
+
+		private String path;
+		private MongoPersistentProperty property;
+
+		public PropertyContext(String path, MongoPersistentProperty property) {
+			this.path = path;
+			this.property = property;
+		}
+
+		@Override
+		public String getPath() {
+			return path;
+		}
+
+		@Override
+		public MongoPersistentProperty getProperty() {
+			return property;
+		}
+
+		@Override
+		public <T> MongoPersistentEntity<T> resolveEntity(MongoPersistentProperty property) {
+			return (MongoPersistentEntity<T>) mappingContext.getPersistentEntity(property);
+		}
+	}
 }

spring-data-mongodb/src/main/java/org/springframework/data/mongodb/core/MongoJsonSchemaCreator.java

@@ -15,7 +15,23 @@
  */
 package org.springframework.data.mongodb.core;
 
+import java.util.HashSet;
+import java.util.Set;
+import java.util.function.Predicate;
+
+import org.springframework.data.mapping.PersistentProperty;
+import org.springframework.data.mapping.context.MappingContext;
+import org.springframework.data.mongodb.core.convert.MappingMongoConverter;
 import org.springframework.data.mongodb.core.convert.MongoConverter;
+import org.springframework.data.mongodb.core.convert.MongoCustomConversions;
+import org.springframework.data.mongodb.core.convert.NoOpDbRefResolver;
+import org.springframework.data.mongodb.core.mapping.Encrypted;
+import org.springframework.data.mongodb.core.mapping.MongoMappingContext;
+import org.springframework.data.mongodb.core.mapping.MongoPersistentEntity;
+import org.springframework.data.mongodb.core.mapping.MongoPersistentProperty;
+import org.springframework.data.mongodb.core.mapping.MongoSimpleTypes;
+import org.springframework.data.mongodb.core.mapping.Unwrapped.Nullable;
+import org.springframework.data.mongodb.core.schema.JsonSchemaProperty;
 import org.springframework.data.mongodb.core.schema.MongoJsonSchema;
 import org.springframework.util.Assert;
 
@@ -46,6 +62,7 @@
  * {@link org.bson.types.ObjectId} like {@link String} will be mapped to {@code type : 'object'} unless there is more
  * specific information available via the {@link org.springframework.data.mongodb.core.mapping.MongoId} annotation.
  * </p>
+ * {@link Encrypted} properties will contain {@literal encrypt} information.
  *
  * @author Christoph Strobl
  * @since 2.2
@@ -60,6 +77,88 @@ public interface MongoJsonSchemaCreator {
 	 */
 	MongoJsonSchema createSchemaFor(Class<?> type);
 
+	/**
+	 * Filter matching {@link JsonSchemaProperty properties}.
+	 *
+	 * @param filter the {@link Predicate} to evaluate for inclusion. Must not be {@literal null}.
+	 * @return new instance of {@link MongoJsonSchemaCreator}.
+	 * @since 3.3
+	 */
+	MongoJsonSchemaCreator filter(Predicate<JsonSchemaPropertyContext> filter);
+
+	/**
+	 * The context in which a specific {@link #getProperty()} is encountered during schema creation.
+	 * 
+	 * @since 3.3
+	 */
+	interface JsonSchemaPropertyContext {
+
+		/**
+		 * The path to a given field/property in dot notation.
+		 * 
+		 * @return never {@literal null}.
+		 */
+		String getPath();
+
+		/**
+		 * The current property.
+		 * 
+		 * @return never {@literal null}.
+		 */
+		MongoPersistentProperty getProperty();
+
+		/**
+		 * Obtain the {@link MongoPersistentEntity} for a given property.
+		 * 
+		 * @param property must not be {@literal null}.
+		 * @param <T>
+		 * @return {@literal null} if the property is not an entity. It is nevertheless recommend to check
+		 *         {@link PersistentProperty#isEntity()} first.
+		 */
+		@Nullable
+		<T> MongoPersistentEntity<T> resolveEntity(MongoPersistentProperty property);
+
+	}
+
+	/**
+	 * A filter {@link Predicate} that matches {@link Encrypted encrypted properties} and those having nested ones.
+	 *
+	 * @return new instance of {@link Predicate}.
+	 * @since 3.3
+	 */
+	static Predicate<JsonSchemaPropertyContext> encryptedOnly() {
+
+		return new Predicate<JsonSchemaPropertyContext>() {
+
+			// cycle guard
+			private final Set<MongoPersistentProperty> seen = new HashSet<>();
+
+			@Override
+			public boolean test(JsonSchemaPropertyContext context) {
+				return extracted(context.getProperty(), context);
+			}
+
+			private boolean extracted(MongoPersistentProperty property, JsonSchemaPropertyContext context) {
+				if (property.isAnnotationPresent(Encrypted.class)) {
+					return true;
+				}
+
+				if (!property.isEntity() || seen.contains(property)) {
+					return false;
+				}
+
+				seen.add(property);
+
+				for (MongoPersistentProperty nested : context.resolveEntity(property)) {
+					if (extracted(nested, context)) {
+						return true;
+					}
+				}
+				return false;
+			}
+		};
+	}
+
 	/**
 	 * Creates a new {@link MongoJsonSchemaCreator} that is aware of conversions applied by the given
 	 * {@link MongoConverter}.
@@ -72,4 +171,41 @@ static MongoJsonSchemaCreator create(MongoConverter mongoConverter) {
 		Assert.notNull(mongoConverter, "MongoConverter must not be null!");
 		return new MappingMongoJsonSchemaCreator(mongoConverter);
 	}
+
+	/**
+	 * Creates a new {@link MongoJsonSchemaCreator} that is aware of type mappings and potential
+	 * {@link org.springframework.data.spel.spi.EvaluationContextExtension extensions}.
+	 *
+	 * @param mappingContext must not be {@literal null}.
+	 * @return new instance of {@link MongoJsonSchemaCreator}.
+	 * @since 3.3
+	 */
+	static MongoJsonSchemaCreator create(MappingContext mappingContext) {
+
+		MappingMongoConverter converter = new MappingMongoConverter(NoOpDbRefResolver.INSTANCE, mappingContext);
+		converter.setCustomConversions(MongoCustomConversions.create(config -> {}));
+		converter.afterPropertiesSet();
+
+		return create(converter);
+	}
+
+	/**
+	 * Creates a new {@link MongoJsonSchemaCreator} that does not consider potential extensions - suitable for testing. We
+	 * recommend to use {@link #create(MappingContext)}.
+	 *
+	 * @return new instance of {@link MongoJsonSchemaCreator}.
+	 * @since 3.3
+	 */
+	static MongoJsonSchemaCreator create() {
+
+		MongoMappingContext mappingContext = new MongoMappingContext();
+		mappingContext.setSimpleTypeHolder(MongoSimpleTypes.HOLDER);
+		mappingContext.afterPropertiesSet();
+
+		MappingMongoConverter converter = new MappingMongoConverter(NoOpDbRefResolver.INSTANCE, mappingContext);
+		converter.setCustomConversions(MongoCustomConversions.create(config -> {}));
+		converter.afterPropertiesSet();
+
+		return create(converter);
+	}
 }