DOCSP-12575: Python CSFLE updates for Azure (#684)

* DOCSP-12575: add Azure instructions for Python

Author: Chris Cho

source/includes/steps-fle-convert-to-a-remote-master-key.yaml renamed to source/includes/steps-fle-convert-to-a-remote-master-key-aws.yaml

@@ -181,6 +181,11 @@ content: |
            )
            data_key_id = client_encryption.create_data_key("aws")
 
+        .. note::
+
+           To use AWS KMS, you must use `pymongocrypt <https://pypi.org/project/pymongocrypt/>`__
+           version 1.0 or later in your application's environment.
+
 ---
 title: Update the Automatic Encryption JSON Schema
 ref: update-the-json-schema

source/includes/steps-fle-convert-to-a-remote-master-key-azure.yaml

@@ -0,0 +1,238 @@
+title: Register an Azure Application
+ref: create-an-azure-user
+content: |
+  Register a new application in Azure Active directory if you do not already
+  have one for this CSFLE-enabled client. See the Azure documentation on
+  `Applications and service principals <https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals>`__
+  for more information.
+
+  Once you register the application, take note of the following credentials
+  needed to authenticate for access to the Key Vault:
+
+  - **tenant id**
+  - **client id**
+  - **client secret**
+
+---
+title: Create the Master Key
+ref: create-the-master-key
+content: |
+
+  The following diagram shows the process of creating a **master key** on
+  a KMS provider:
+
+  .. image:: /figures/CSFLE_Master_Key_KMS.png
+     :alt: Diagram that describes creating a master key on a KMS provider
+
+  You can create a master key with the Azure CLI by following Microsoft's
+  `Secrets Guide <https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets>`__.
+  Follow the instructions in one of the :guilabel:`Quickstarts` sections that
+  corresponds to your preferred method to create and configure your key.
+  For example, the `Portal Quickstart <https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal>`__
+  demonstrates how to create a new vault and key.
+
+  Make sure you provide the ``list`` and ``read`` permissions to the
+  principal used by your client application.
+
+  .. important::
+
+     The client user *should not* have administrative permissions for the
+     master key.
+---
+title: Specify the Azure Credentials
+ref: specify-the-azure-credentials
+content: |
+  Unlike the local key provider, the Azure Key Vault does not read the
+  master key directly from the client application. Instead, it retrieves
+  the key using your Azure credentials and the key vault details.
+
+  Configure your client application with the following authorization
+  credentials:
+
+  .. list-table::
+   :header-rows: 1
+   :stub-columns: 1
+
+   * - Field
+     - Required
+     - Description
+
+   * - azure.tenantId
+     - Yes
+     - Identifies the organization of the account
+
+   * - azure.clientId
+     - Yes
+     - Identifies the clientId to authenticate your registered application
+
+   * - azure.clientSecret
+     - Yes
+     - Used to authenticate your registered application
+
+   * - azure.identityPlatformEndpoint
+     - No
+     - Specifies a hostname and port number for the authentication server.
+       Defaults to login.microsoftonline.com and is only needed for
+       non-commercial Azure instances such as a government or China account.
+
+  Update the KMS Provider configuration in your CSFLE-enabled client
+  creation code:
+
+  .. tabs-drivers::
+
+     .. tab::
+        :tabid: java-sync
+
+
+        .. code-block:: java
+
+           // TODO: verify correctness
+           Map<String, Object> providerDetails = new HashMap<String, Object>();
+
+           providerDetails.put("tenantId", new BsonString("<Azure account organization>"));
+           providerDetails.put("clientId", new BsonString("<Azure client ID>"));
+           providerDetails.put("clientSecret", new BsonString("<Azure client secret>"));
+
+           Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
+           kmsProviders.put("azure", providerDetails);
+
+     .. tab::
+        :tabid: nodejs
+
+        .. code-block:: javascript
+
+           // TODO: verify correctness
+           kms_providers = {
+             azure: {
+               tenantId: "<Azure account organization>",
+               clientId: "<Azure client ID>",
+               clientSecret: "<Azure client secret>"
+             }
+           }
+
+     .. tab::
+        :tabid: python
+
+        In ``app.py``, define the following dictionary to pass to your call to
+        construct a ``ClientEncryption`` instance:
+
+
+        .. code-block:: python
+
+           kms_providers = {
+              "azure": {
+                  "tenantId": "<Azure account organization>",
+                  "clientId": "<Azure client ID>",
+                  "clientSecret": "<Azure client secret>"
+              }
+           }
+---
+title: Create a New Data Encryption Key
+ref: create-a-new-data-key
+content: |
+
+  In this step, we generate a new **data encryption key** using the
+  **master key** in the remote KMS. The following diagram shows the
+  requests you make from the client application to create and store a
+  new data encryption key:
+
+  .. image:: /figures/CSFLE_Data_Key_KMS.png
+     :alt: Diagram that describes creating a data encryption key when using a KMS provider
+
+  Provide your client with the following information to access the master key:
+
+  .. list-table::
+   :header-rows: 1
+   :stub-columns: 1
+
+   * - Field
+     - Required
+     - Description
+
+   * - keyName
+     - Yes
+     - Name of the master key
+
+   * - keyVersion
+     - No
+     - Version of the master key
+
+   * - keyVaultEndpoint
+     - Yes
+     - URL of the key vault. E.g. myVaultName.vault.azure.net
+
+  Once you have the required information, run the following code to
+  generate the new data encryption key:
+
+  .. tabs-drivers::
+
+     .. tab::
+        :tabid: java-sync
+
+        .. code-block:: Java
+
+           // TODO: update for Azure
+           ClientEncryption clientEncryption = ClientEncryptions.create(ClientEncryptionSettings.builder()
+               .keyVaultMongoClientSettings(MongoClientSettings.builder()
+                   .applyConnectionString(new ConnectionString("mongodb://localhost:27017"))
+                   .build())
+               .keyVaultNamespace(keyVaultNamespace)
+               .kmsProviders(kmsProviders)
+               .build());
+
+           BsonString masterKeyRegion = new BsonString("<Master Key AWS Region>"); // e.g. "us-east-2"
+           BsonString masterKeyArn = new BsonString("<Master Key ARN>"); // e.g. "arn:aws:kms:us-east-2:111122223333:alias/test-key"
+           DataKeyOptions dataKeyOptions = new DataKeyOptions().masterKey(
+               new BsonDocument()
+                   .append("region", masterKeyRegion)
+                   .append("key", masterKeyArn));
+
+           BsonBinary dataKeyId = clientEncryption.createDataKey("aws", dataKeyOptions);
+           String base64DataKeyId = Base64.getEncoder().encodeToString(dataKeyId.getData());
+
+           System.out.println("DataKeyId [base64]: " + base64DataKeyId);
+
+     .. tab::
+        :tabid: nodejs
+
+        .. code-block:: javascript
+
+           // TODO: update for Azure
+           const encryption = new ClientEncryption(client, {
+               keyVaultNamespace,
+               kmsProviders
+           });
+           const key = await encryption.createDataKey('aws', {
+              masterKey: {
+                key: '<Master Key ARN>', // e.g. 'arn:aws:kms:us-east-2:111122223333:alias/test-key'
+              }
+           });
+
+           const base64DataKeyId = key.toString('base64');
+           console.log('DataKeyId [base64]: ', base64DataKeyId);
+
+     .. tab::
+        :tabid: python
+
+        In ``app.py``, define the following dictionary to pass to your call to
+        ``create_data_key()``:
+
+        .. code-block:: python
+
+           master_key = {
+             "keyName": "<Azure key name>",
+             "keyVersion": "<Azure key version>",
+             "keyVaultEndpoint": "<Azure key vault endpoint>"
+           }
+
+        .. note::
+
+           To use the Azure Key Vault, you must use `pymongocrypt <https://pypi.org/project/pymongocrypt/>`__
+           version 1.1 or later in your application's environment.
+
+---
+title: Update the Automatic Encryption JSON Schema
+ref: update-the-json-schema
+content: |
+  Update your :ref:`JSON Schema <fle-define-a-json-schema>` to reference your
+  new data encryption key id.