fix(cli-repl): spawn one mongocryptd per FLE-using shell MONGOSH-595 (#746)

See the ticket for motivation.

Author: addaleax

packages/cli-repl/src/cli-repl.ts

@@ -1,7 +1,7 @@
 import { MongoshInternalError, MongoshWarning } from '@mongosh/errors';
 import { redactPassword } from '@mongosh/history';
 import i18n from '@mongosh/i18n';
-import { bson } from '@mongosh/service-provider-core';
+import { bson, AutoEncryptionOptions } from '@mongosh/service-provider-core';
 import { CliOptions, CliServiceProvider, MongoClientOptions } from '@mongosh/service-provider-server';
 import Analytics from 'analytics-node';
 import askpassword from 'askpassword';
@@ -12,6 +12,7 @@ import { Readable, Writable } from 'stream';
 import type { StyleDefinition } from './clr';
 import { ConfigManager, ShellHomeDirectory, ShellHomePaths } from './config-directory';
 import { CliReplErrors } from './error-codes';
+import { MongocryptdManager } from './mongocryptd-manager';
 import MongoshNodeRepl, { MongoshNodeReplOptions } from './mongosh-repl';
 import setupLoggerAndTelemetry from './setup-logger-and-telemetry';
 import { MongoshBus, UserConfig } from '@mongosh/types';
@@ -32,7 +33,8 @@ type AnalyticsOptions = {
 };
 
 export type CliReplOptions = {
-  shellCliOptions: CliOptions & { mongocryptdSpawnPath?: string },
+  shellCliOptions: CliOptions;
+  mongocryptdSpawnPaths?: string[][],
   input: Readable;
   output: Writable;
   shellHomePaths: ShellHomePaths;
@@ -47,6 +49,7 @@ class CliRepl {
   mongoshRepl: MongoshNodeRepl;
   bus: MongoshBus;
   cliOptions: CliOptions;
+  mongocryptdManager: MongocryptdManager;
   shellHomeDirectory: ShellHomeDirectory;
   configDirectory: ConfigManager<UserConfig>;
   config: UserConfig = new UserConfig();
@@ -81,6 +84,11 @@ class CliRepl {
       .on('update-config', (config: UserConfig) =>
         this.bus.emit('mongosh:update-user', config.userId, config.enableTelemetry));
 
+    this.mongocryptdManager = new MongocryptdManager(
+      options.mongocryptdSpawnPaths ?? [],
+      this.shellHomeDirectory,
+      this.bus);
+
     // We can't really do anything meaningfull if the output stream is broken or
     // closed. To avoid throwing an error while writing to it, let's send it to
     // the telemetry instead
@@ -149,6 +157,15 @@ class CliRepl {
       this.warnAboutInaccessibleFile(err);
     }
 
+    if (driverOptions.autoEncryption) {
+      const extraOptions = {
+        ...(driverOptions.autoEncryption.extraOptions ?? {}),
+        ...(await this.startMongocryptd())
+      };
+
+      driverOptions.autoEncryption = { ...driverOptions.autoEncryption, extraOptions };
+    }
+
     const initialServiceProvider = await this.connect(driverUri, driverOptions);
     const initialized = await this.mongoshRepl.initialize(initialServiceProvider);
     const commandLineLoadFiles = this.listCommandLineLoadFiles();
@@ -374,6 +391,7 @@ class CliRepl {
         await promisify(analytics.flush.bind(analytics))();
       } catch { /* ignore */ }
     }
+    await this.mongocryptdManager.close();
     this.bus.emit('mongosh:closed');
   }
 
@@ -397,6 +415,10 @@ class CliRepl {
   clr(text: string, style: StyleDefinition): string {
     return this.mongoshRepl.clr(text, style);
   }
+
+  async startMongocryptd(): Promise<AutoEncryptionOptions['extraOptions']> {
+    return await this.mongocryptdManager.start();
+  }
 }
 
 export default CliRepl;

packages/cli-repl/src/index.ts

@@ -4,7 +4,7 @@ import CliRepl from './cli-repl';
 import clr from './clr';
 import { getStoragePaths } from './config-directory';
 import { MONGOSH_WIKI, TELEMETRY_GREETING_MESSAGE, USAGE } from './constants';
-import { getMongocryptdPath } from './mongocryptd-path';
+import { getMongocryptdPaths } from './mongocryptd-manager';
 import { runSmokeTests } from './smoke-tests';
 
 export default CliRepl;
@@ -18,6 +18,6 @@ export {
   parseCliArgs,
   mapCliToDriver,
   getStoragePaths,
-  getMongocryptdPath,
+  getMongocryptdPaths,
   runSmokeTests
 };

packages/cli-repl/src/mongocryptd-manager.spec.ts

@@ -0,0 +1,187 @@
+/* eslint-disable chai-friendly/no-unused-expressions */
+import Nanobus from 'nanobus';
+import { promises as fs } from 'fs';
+import path from 'path';
+import { promisify } from 'util';
+import { getMongocryptdPaths, MongocryptdManager } from './mongocryptd-manager';
+import type { MongoshBus } from '@mongosh/types';
+import { ShellHomeDirectory } from './config-directory';
+import { startTestServer } from '../../../testing/integration-testing-hooks';
+import { expect } from 'chai';
+
+describe('getMongocryptdPaths', () => {
+  it('always includes plain `mongocryptd`', async() => {
+    expect(await getMongocryptdPaths()).to.deep.include(['mongocryptd']);
+  });
+});
+
+describe('MongocryptdManager', () => {
+  let basePath: string;
+  let bus: MongoshBus;
+  let shellHomeDirectory: ShellHomeDirectory;
+  let spawnPaths: string[][];
+  let manager: MongocryptdManager;
+  let events: { event: string, data: any }[];
+  const makeManager = () => {
+    manager = new MongocryptdManager(spawnPaths, shellHomeDirectory, bus);
+    return manager;
+  };
+
+  const fakeMongocryptdDir = path.resolve(__dirname, '..', 'test', 'fixtures', 'fake-mongocryptd');
+
+  beforeEach(() => {
+    const nanobus = new Nanobus();
+    events = [];
+    nanobus.on('*', (event, data) => events.push({ event, data }));
+    bus = nanobus;
+
+    spawnPaths = [];
+    basePath = path.resolve(__dirname, '..', '..', '..', 'tmp', 'test', `${Date.now()}`, `${Math.random()}`);
+    shellHomeDirectory = new ShellHomeDirectory({
+      shellRoamingDataPath: basePath,
+      shellLocalDataPath: basePath,
+      shellRcPath: basePath
+    });
+  });
+  afterEach(() => {
+    manager?.close();
+  });
+
+  it('does a no-op close when not initialized', () => {
+    expect(makeManager().close().state).to.equal(null);
+  });
+
+  for (const otherMongocryptd of ['none', 'missing', 'broken', 'weirdlog']) {
+    for (const version of ['4.2', '4.4']) {
+      for (const variant of ['withunix', 'nounix']) {
+        // eslint-disable-next-line no-loop-func
+        it(`spawns a working mongocryptd (${version}, ${variant}, other mongocryptd: ${otherMongocryptd})`, async() => {
+          spawnPaths = [
+            [
+              process.execPath,
+              path.resolve(fakeMongocryptdDir, `working-${version}-${variant}.js`)
+            ]
+          ];
+          if (otherMongocryptd === 'missing') {
+            spawnPaths.unshift([ path.resolve(fakeMongocryptdDir, 'nonexistent') ]);
+          }
+          if (otherMongocryptd === 'broken') {
+            spawnPaths.unshift([ process.execPath, path.resolve(fakeMongocryptdDir, 'exit1') ]);
+          }
+          if (otherMongocryptd === 'weirdlog') {
+            spawnPaths.unshift([ process.execPath, path.resolve(fakeMongocryptdDir, 'weirdlog') ]);
+          }
+          expect(await makeManager().start()).to.deep.equal({
+            mongocryptdURI: variant === 'nounix' ?
+              'mongodb://localhost:27020' :
+              'mongodb://%2Ftmp%2Fmongocryptd.sock',
+            mongocryptdBypassSpawn: true
+          });
+
+          const tryspawns = events.filter(({ event }) => event === 'mongosh:mongocryptd-tryspawn');
+          expect(tryspawns).to.have.lengthOf(otherMongocryptd === 'none' ? 1 : 2);
+        });
+      }
+    }
+  }
+
+  it('passes relevant arguments to mongocryptd', async() => {
+    spawnPaths = [[process.execPath, path.resolve(fakeMongocryptdDir, 'writepidfile.js')]];
+    await makeManager().start();
+    const pidfile = path.join(manager.path, 'mongocryptd.pid');
+    expect(JSON.parse(await fs.readFile(pidfile, 'utf8')).args).to.deep.equal([
+      ...spawnPaths[0],
+      '--idleShutdownTimeoutSecs', '60',
+      '--pidfilepath', pidfile,
+      '--port', '0',
+      ...(process.platform !== 'win32' ? ['--unixSocketPrefix', path.dirname(pidfile)] : [])
+    ]);
+  });
+
+  it('multiple start() calls are no-ops', async() => {
+    spawnPaths = [[process.execPath, path.resolve(fakeMongocryptdDir, 'writepidfile.js')]];
+    const manager = makeManager();
+    await manager.start();
+    const pid1 = manager.state.proc.pid;
+    await manager.start();
+    expect(manager.state.proc.pid).to.equal(pid1);
+  });
+
+  it('handles synchronous throws from child_process.spawn', async() => {
+    spawnPaths = [['']];
+    try {
+      await makeManager().start();
+      expect.fail('missed exception');
+    } catch (e) {
+      expect(e.code).to.equal('ERR_INVALID_ARG_VALUE');
+    }
+  });
+
+  it('throws if no spawn paths are provided at all', async() => {
+    spawnPaths = [];
+    try {
+      await makeManager().start();
+      expect.fail('missed exception');
+    } catch (e) {
+      expect(e.name).to.equal('MongoshInternalError');
+    }
+  });
+
+  it('includes stderr in the log if stdout is unparseable', async() => {
+    spawnPaths = [[process.execPath, path.resolve(fakeMongocryptdDir, 'weirdlog.js')]];
+    try {
+      await makeManager().start();
+      expect.fail('missed exception');
+    } catch (e) {
+      expect(e.name).to.equal('MongoshInternalError');
+    }
+    const nostdoutErrors = events.filter(({ event, data }) => {
+      return event === 'mongosh:mongocryptd-error' && data.cause === 'nostdout';
+    });
+    expect(nostdoutErrors).to.deep.equal([{
+      event: 'mongosh:mongocryptd-error',
+      data: { cause: 'nostdout', stderr: 'Diagnostic message!\n' }
+    }]);
+  });
+
+  it('cleans up previously created, empty directory entries', async() => {
+    spawnPaths = [[process.execPath, path.resolve(fakeMongocryptdDir, 'writepidfile.js')]];
+
+    const manager = makeManager();
+    await manager.start();
+    const pidfile = path.join(manager.path, 'mongocryptd.pid');
+    expect(JSON.parse(await fs.readFile(pidfile, 'utf8')).pid).to.be.a('number');
+    manager.close();
+
+    // The file remains after close, but is gone after creating a new one:
+    await fs.stat(pidfile);
+    await makeManager().start();
+    try {
+      await fs.stat(pidfile);
+      expect.fail('missed exception');
+    } catch (e) {
+      expect(e.code).to.equal('ENOENT');
+    }
+  });
+
+  context('with network testing', () => {
+    const testServer = startTestServer('shared');
+
+    beforeEach(async() => {
+      process.env.MONGOSH_TEST_PROXY_TARGET_PORT = await testServer.port();
+    });
+    afterEach(() => {
+      delete process.env.MONGOSH_TEST_PROXY_TARGET_PORT;
+    });
+
+    it('performs keepalive pings', async() => {
+      spawnPaths = [[process.execPath, path.resolve(fakeMongocryptdDir, 'withnetworking.js')]];
+      const manager = makeManager();
+      manager.idleShutdownTimeoutSecs = 1;
+      await manager.start();
+      const pidfile = path.join(manager.path, 'mongocryptd.pid');
+      await promisify(setTimeout)(2000);
+      expect(JSON.parse(await fs.readFile(pidfile, 'utf8')).connections).to.be.greaterThan(1);
+    });
+  });
+});