remove support for multiple kms providers

Author: timgraham

django_mongodb_backend/__init__.py

@@ -14,7 +14,6 @@
 from .indexes import register_indexes  # noqa: E402
 from .lookups import register_lookups  # noqa: E402
 from .query import register_nodes  # noqa: E402
-from .routers import register_routers  # noqa: E402
 
 __all__ = ["parse_uri"]
 
@@ -26,4 +25,3 @@
 register_indexes()
 register_lookups()
 register_nodes()
-register_routers()

django_mongodb_backend/routers.py

@@ -1,6 +1,4 @@
 from django.apps import apps
-from django.core.exceptions import ImproperlyConfigured
-from django.db.utils import ConnectionRouter
 
 
 class MongoRouter:
@@ -18,22 +16,3 @@ def allow_migrate(self, db, app_label, model_name=None, **hints):
         except LookupError:
             return None
         return False if issubclass(model, EmbeddedModel) else None
-
-
-# This function is intended to be monkey-patched as a method of ConnectionRouter.
-def kms_provider(self, model, *args, **kwargs):
-    """
-    Return the Key Management Service (KMS) provider for a given model.
-
-    Call each router's kms_provider() method (if present), and return the
-    first non-None result. Raise ImproperlyConfigured if no provider is found.
-    """
-    for router in self.routers:
-        func = getattr(router, "kms_provider", None)
-        if func and callable(func) and (result := func(model, *args, **kwargs)):
-            return result
-    raise ImproperlyConfigured("No kms_provider found in database routers.")
-
-
-def register_routers():
-    ConnectionRouter.kms_provider = kms_provider

django_mongodb_backend/schema.py

@@ -1,7 +1,7 @@
 from time import monotonic, sleep
 
 from django.core.exceptions import ImproperlyConfigured
-from django.db import router
+from django.db import NotSupportedError
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Index, UniqueConstraint
 from pymongo.operations import SearchIndexModel
@@ -508,9 +508,12 @@ def _get_encrypted_fields(
         if len(kms_providers) == 1:
             # If one provider is configured, no need to consult the router.
             kms_provider = next(iter(kms_providers.keys()))
-        else:
-            # Otherwise, call the user-defined router.kms_provider().
-            kms_provider = router.kms_provider(model)
+        else:  # (Since PyMongo requires at least one KMS provider.)
+            raise NotSupportedError(
+                "Multiple KMS providers per database aren't supported. "
+                "Please create a feature request with details about your "
+                "use case."
+            )
         if kms_provider == "local":
             master_key = None
         else:

docs/howto/queryable-encryption.rst

@@ -263,18 +263,6 @@ Here's an example of KMS configuration with ``aws``::
         },
     }
 
-(TODO: If there's a use case for multiple providers, motivate with a use case
-and add a test.)
-
-If you've configured multiple KMS providers, you must define logic to determine
-the provider for each model in your :ref:`database router
-<qe-configuring-database-routers-setting>`::
-
-    class EncryptedRouter:
-        # ...
-        def kms_provider(self, model, **hints):
-            return "aws"
-
 .. _qe-configuring-encrypted-fields-map:
 
 Configuring the ``encrypted_fields_map`` option

tests/encryption_/test_schema.py

@@ -1,6 +1,6 @@
 from bson.binary import Binary
 from django.core.exceptions import ImproperlyConfigured
-from django.db import connections
+from django.db import NotSupportedError, connections
 
 from . import models
 from .models import EncryptionKey
@@ -150,3 +150,23 @@ def test_missing_auto_encryption_opts(self):
             connection.schema_editor() as editor,
         ):
             editor.create_model(models.Patient)
+
+    def test_multiple_kms_providers(self):
+        connection = connections["encrypted"]
+        auto_encryption_opts = connection.connection._options.auto_encryption_opts
+        kms_providers = auto_encryption_opts._kms_providers
+        # Mock multiple kms_providers by using a list of length > 1.
+        auto_encryption_opts._kms_providers = [{}, {}]
+        msg = (
+            "Multiple KMS providers per database aren't supported. Please "
+            "create a feature request with details about your use case."
+        )
+        try:
+            with (
+                self.assertRaisesMessage(NotSupportedError, msg),
+                connection.schema_editor() as editor,
+            ):
+                editor.create_model(models.Patient)
+        finally:
+            # Restore the original value.
+            auto_encryption_opts._kms_providers = kms_providers