Fix various FLE issues (#5669)

Author: comandeo-mongo

docs/tutorials/automatic-encryption.txt

@@ -50,7 +50,6 @@ dependencies in `the driver documentation. <https://www.mongodb.com/docs/ruby-dr
 Note the version of the Ruby driver being used in your application and select
 the appropriate steps below.
 
-
 Install ``libmongocrypt``
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -239,12 +238,29 @@ Now we can tell Mongoid what should be encrypted:
     # policy_number_key field.
     field :policy_number, type: Integer, encrypt: {
         deterministic: false,
-        key_field_name: :policy_number_key
+        key_name_field: :policy_number_key
     }
 
     embedded_in :patient
   end
 
+.. note::
+  If you are developing a Rails application, it is recommended to set
+  ``preload_models`` to ``true`` in ``mongoid.yml``. This will ensure that
+  Mongoid loads all models before the application starts, and the encryption
+  schema is configured before any data is read or written.
+
+Known Limitations
+~~~~~~~~~~~~~~~~~
+
+* MongoDB CSFLE has some limitations that are described in
+  `the server documentation. <https://www.mongodb.com/docs/manual/core/csfle/reference/limitations/>`_
+  These limitations also apply to Mongoid.
+* Mongoid does not support encryption of ``embeds_many`` relations.
+* If you use ``:key_name_field`` option, the field must be encrypted using
+  non-deterministic algorithm. To encrypt your field deterministically, you must
+  specify ``:key_id`` option instead.
+
 Working with Data
 =================
 

lib/mongoid/clients.rb

@@ -60,6 +60,9 @@ def with_name(name)
         name_as_symbol = name.to_sym
         return clients[name_as_symbol] if clients[name_as_symbol]
         CREATE_LOCK.synchronize do
+          if (key_vault_client = Mongoid.clients.dig(name_as_symbol, :options, :auto_encryption_options, :key_vault_client))
+            clients[key_vault_client.to_sym] ||= Clients::Factory.create(key_vault_client)
+          end
           clients[name_as_symbol] ||= Clients::Factory.create(name)
         end
       end

lib/mongoid/clients/factory.rb

@@ -98,7 +98,7 @@ def build_auto_encryption_options(opts, database)
             auto_encryption_options[:schema_map] = Mongoid.config.encryption_schema_map(database)
           end
           if auto_encryption_options.key?(:key_vault_client)
-            auto_encryption_options[:key_vault_client] = Mongoid::Clients.with_name(
+            auto_encryption_options[:key_vault_client] = Mongoid.client(
               auto_encryption_options[:key_vault_client]
             )
           end

lib/mongoid/config/encryption.rb

@@ -147,11 +147,10 @@ def properties_for_fields(model)
       def properties_for_relations(model, visited)
         model.relations.each_with_object({}) do |(name, relation), props|
           next if visited.include?(relation.relation_class)
-          visited << relation.relation_class
-          next unless relation.is_a?(Association::Embedded::EmbedsMany) ||
-                      relation.is_a?(Association::Embedded::EmbedsOne)
+          next unless relation.is_a?(Association::Embedded::EmbedsOne)
           next unless relation.relation_class.encrypted?
 
+          visited << relation.relation_class
           metadata_for(
             relation.relation_class
           ).merge(

lib/mongoid/encryptable.rb

@@ -18,7 +18,10 @@ module ClassMethods
       #
       # @param [ Hash ] options The encryption metadata.
       # @option options [ String ] :key_id The base64-encoded UUID of the key
-      #   used to encrypt fields.
+      #   used to encrypt fields. Mutually exclusive with :key_name_field option.
+      # @option options [ String ] :key_name_field The name of the field that
+      #   contains the key alt name to use for encryption. Mutually exclusive
+      #   with :key_id option.
       # @option options [ true | false ] :deterministic Whether the encryption
       # is deterministic or not.
       def encrypt_with(options = {})