[CDRIVER-4414] Get crypt_shared version on a client/encryption object (#1083)

* An API to get the crypt_shared version used for encryption

* Test that we bypassSpawn when using crypt_shared

* Fix: Don't spawn mongocryptd if we successfully loaded a crypt_shared

Author: vector-of-bool

src/libmongoc/doc/mongoc_client_encryption_get_crypt_shared_version.rst

@@ -0,0 +1,37 @@
+:man_page: mongoc_client_encryption_get_crypt_shared_version
+
+mongoc_client_encryption_get_crypt_shared_version()
+===================================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+  const char*
+  mongoc_client_encryption_get_crypt_shared_version (mongoc_client_encryption_t const *enc)
+      BSON_GNUC_WARN_UNUSED_RESULT;
+
+Obtain the version string of the crypt_shared_ that is loaded for the given
+explicit encryption object. If no crypt_shared_ library is loaded, the returned
+pointer will be ``NULL``.
+
+Parameters
+----------
+
+* ``enc``: A live :symbol:`mongoc_client_encryption_t`
+
+Returns
+-------
+
+A pointer to a null-terminated character array string designating the version of
+crypt_shared_ that was loaded for ``enc``. If no crypt_shared_ library is
+loaded, the returned pointer will be ``NULL``. The pointed-to array must not be
+modified or freed. The returned pointer is only valid for the lifetime of
+``enc``.
+
+.. _crypt_shared: https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#crypt-shared
+
+.. seealso::
+
+  - :symbol:`mongoc_client_get_crypt_shared_version`

src/libmongoc/doc/mongoc_client_encryption_t.rst

@@ -37,6 +37,7 @@ The key vault client, configured via :symbol:`mongoc_client_encryption_opts_set_
     mongoc_client_encryption_create_datakey
     mongoc_client_encryption_rewrap_many_datakey
     mongoc_client_encryption_delete_key
+    mongoc_client_encryption_get_crypt_shared_version
     mongoc_client_encryption_get_key
     mongoc_client_encryption_get_keys
     mongoc_client_encryption_add_key_alt_name

src/libmongoc/doc/mongoc_client_get_crypt_shared_version.rst

@@ -0,0 +1,38 @@
+:man_page: mongoc_client_get_crypt_shared_version
+
+mongoc_client_get_crypt_shared_version()
+========================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+  const char *
+  mongoc_client_get_crypt_shared_version (const mongoc_client_t *client)
+    BSON_GNUC_WARN_UNUSED_RESULT;
+
+Obtain the version string of the crypt_shared_ that is loaded for
+auto-encryption on the given ``client``. If no crypt_shared_ library is loaded,
+the returned pointer will be ``NULL``.
+
+Parameters
+----------
+
+* ``client``: A live :symbol:`mongoc_client_t`
+
+Returns
+-------
+
+A pointer to a null-terminated character array string designating the version of
+crypt_shared_ that was loaded for auto-encryption with ``client``. If no
+crypt_shared_ library is loaded, or auto-encryption is not loaded for the given
+``client``, the returned pointer will be ``NULL``. The pointed-to array must not
+be modified or freed. The returned pointer is only valid for the lifetime of
+``client``.
+
+.. _crypt_shared: https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#crypt-shared
+
+.. seealso::
+
+  - :symbol:`mongoc_client_encryption_get_crypt_shared_version`

src/libmongoc/doc/mongoc_client_t.rst

@@ -56,6 +56,7 @@ Example
     mongoc_client_enable_auto_encryption
     mongoc_client_find_databases_with_opts
     mongoc_client_get_collection
+    mongoc_client_get_crypt_shared_version
     mongoc_client_get_database
     mongoc_client_get_database_names
     mongoc_client_get_database_names_with_opts
@@ -91,5 +92,5 @@ Example
     mongoc_client_watch
     mongoc_client_write_command_with_opts
     mongoc_handshake_data_append
-    
+
 

src/libmongoc/src/mongoc/mongoc-client-side-encryption.c

@@ -1658,11 +1658,14 @@ _mongoc_cse_client_enable_auto_encryption (mongoc_client_t *client,
       GOTO (fail);
    }
 
+   const bool have_crypt_shared =
+      _mongoc_crypt_get_crypt_shared_version (client->topology->crypt) != NULL;
+
    client->topology->bypass_auto_encryption = opts->bypass_auto_encryption;
    client->topology->bypass_query_analysis = opts->bypass_query_analysis;
 
    if (!client->topology->bypass_auto_encryption &&
-       !client->topology->bypass_query_analysis) {
+       !client->topology->bypass_query_analysis && !have_crypt_shared) {
       if (!client->topology->mongocryptd_bypass_spawn) {
          if (!_spawn_mongocryptd (client->topology->mongocryptd_spawn_path,
                                   client->topology->mongocryptd_spawn_args,
@@ -2670,3 +2673,30 @@ _mongoc_cse_is_enabled (mongoc_client_t *client)
 }
 
 #endif /* MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION */
+
+
+const char *
+mongoc_client_encryption_get_crypt_shared_version (
+   const mongoc_client_encryption_t *enc)
+{
+#ifdef MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION
+   return _mongoc_crypt_get_crypt_shared_version (enc->crypt);
+#else
+   BSON_UNUSED (enc);
+   return NULL;
+#endif
+}
+
+const char *
+mongoc_client_get_crypt_shared_version (const mongoc_client_t *const client)
+{
+#ifdef MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION
+   if (!client->topology->crypt) {
+      return NULL;
+   }
+   return _mongoc_crypt_get_crypt_shared_version (client->topology->crypt);
+#else
+   BSON_UNUSED (client);
+   return NULL;
+#endif
+}

src/libmongoc/src/mongoc/mongoc-client-side-encryption.h

@@ -274,6 +274,10 @@ mongoc_client_encryption_datakey_opts_set_keymaterial (
    const uint8_t *data,
    uint32_t len);
 
+MONGOC_EXPORT (const char *)
+mongoc_client_encryption_get_crypt_shared_version (
+   mongoc_client_encryption_t const *enc) BSON_GNUC_WARN_UNUSED_RESULT;
+
 BSON_END_DECLS
 
 #endif /* MONGOC_CLIENT_SIDE_ENCRYPTION_H */

src/libmongoc/src/mongoc/mongoc-client.h

@@ -280,6 +280,10 @@ mongoc_client_enable_auto_encryption (mongoc_client_t *client,
                                       mongoc_auto_encryption_opts_t *opts,
                                       bson_error_t *error);
 
+MONGOC_EXPORT (const char *)
+mongoc_client_get_crypt_shared_version (const mongoc_client_t *client)
+   BSON_GNUC_WARN_UNUSED_RESULT;
+
 MONGOC_EXPORT (bool)
 mongoc_client_set_server_api (mongoc_client_t *client,
                               const mongoc_server_api_t *api,

src/libmongoc/src/mongoc/mongoc-crypt-private.h

@@ -147,5 +147,8 @@ _mongoc_crypt_rewrap_many_datakey (_mongoc_crypt_t *crypt,
                                    bson_t *doc_out,
                                    bson_error_t *error);
 
+const char *
+_mongoc_crypt_get_crypt_shared_version (const _mongoc_crypt_t *crypt);
+
 #endif /* MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION */
 #endif /* MONGOC_CRYPT_PRIVATE_H */

src/libmongoc/src/mongoc/mongoc-crypt.c

@@ -1651,6 +1651,12 @@ _mongoc_crypt_rewrap_many_datakey (_mongoc_crypt_t *crypt,
    return ret;
 }
 
+const char *
+_mongoc_crypt_get_crypt_shared_version (const _mongoc_crypt_t *crypt)
+{
+   return mongocrypt_crypt_shared_lib_version_string (crypt->handle, NULL);
+}
+
 #else
 /* ensure the translation unit is not empty */
 extern int no_mongoc_client_side_encryption;

src/libmongoc/tests/test-mongoc-client-side-encryption.c

@@ -2641,9 +2641,10 @@ test_bypass_spawning_via_helper (const char *auto_encryption_opt)
    mongoc_auto_encryption_opts_t *auto_encryption_opts;
    bson_t *kms_providers;
    bson_t *doc_to_insert;
-   bson_t *extra;
+   bson_t *extra = bson_new ();
    bool ret;
    bson_error_t error;
+   bool check_crypt_shared = false;
    mongoc_collection_t *coll;
 
    auto_encryption_opts = mongoc_auto_encryption_opts_new ();
@@ -2658,24 +2659,38 @@ test_bypass_spawning_via_helper (const char *auto_encryption_opt)
    } else if (0 == strcmp (auto_encryption_opt, "bypass_query_analysis")) {
       mongoc_auto_encryption_opts_set_bypass_query_analysis (
          auto_encryption_opts, true);
+   } else if (0 == strcmp (auto_encryption_opt, "cryptSharedLibRequired")) {
+      check_crypt_shared = true;
+      char *env_cryptSharedLibPath =
+         test_framework_getenv ("MONGOC_TEST_CRYPT_SHARED_LIB_PATH");
+      BSON_ASSERT (env_cryptSharedLibPath);
+      BSON_APPEND_UTF8 (extra, "cryptSharedLibPath", env_cryptSharedLibPath);
+      BSON_APPEND_BOOL (extra, "cryptSharedLibRequired", true);
+      bson_free (env_cryptSharedLibPath);
    } else {
       test_error ("Unexpected 'auto_encryption_opt' argument: %s",
                   auto_encryption_opt);
    }
 
    /* Create a MongoClient with encryption enabled */
    client_encrypted = test_framework_new_default_client ();
-   extra = BCON_NEW ("mongocryptdSpawnArgs",
-                     "[",
-                     "--pidfilepath=bypass-spawning-mongocryptd.pid",
-                     "--port=27021",
-                     "]");
+   BCON_APPEND (extra,
+                "mongocryptdSpawnArgs",
+                "[",
+                "--pidfilepath=bypass-spawning-mongocryptd.pid",
+                "--port=27021",
+                "]");
    mongoc_auto_encryption_opts_set_extra (auto_encryption_opts, extra);
    bson_destroy (extra);
    ret = mongoc_client_enable_auto_encryption (
       client_encrypted, auto_encryption_opts, &error);
    ASSERT_OR_PRINT (ret, error);
 
+   if (check_crypt_shared) {
+      BSON_ASSERT (mongoc_client_get_crypt_shared_version (client_encrypted) !=
+                   NULL);
+   }
+
    /* Insert { 'encrypt': 'test' }. Should succeed. */
    coll = mongoc_client_get_collection (client_encrypted, "db", "coll");
    doc_to_insert = BCON_NEW ("unencrypted", "test");
@@ -2710,6 +2725,24 @@ test_bypass_spawning_via_bypassQueryAnalysis (void *unused)
    test_bypass_spawning_via_helper ("bypass_query_analysis");
 }
 
+static void
+test_bypass_spawning_via_cryptSharedLibRequired (void *unused)
+{
+   BSON_UNUSED (unused);
+   test_bypass_spawning_via_helper ("cryptSharedLibRequired");
+}
+
+static int
+_skip_if_no_crypt_shared (void)
+{
+   char *env = test_framework_getenv ("MONGOC_TEST_CRYPT_SHARED_LIB_PATH");
+   if (!env) {
+      return 0; // Skip!
+   }
+   bson_free (env);
+   return 1; // Do not skip
+}
+
 static mongoc_client_encryption_t *
 _make_kms_certificate_client_encryption (mongoc_client_t *client,
                                          bson_error_t *error)
@@ -5413,6 +5446,15 @@ test_client_side_encryption_install (TestSuite *suite)
                       NULL,
                       test_framework_skip_if_no_client_side_encryption,
                       test_framework_skip_if_max_wire_version_less_than_8);
+   TestSuite_AddFull (suite,
+                      "/client_side_encryption/bypass_spawning_mongocryptd/"
+                      "cryptSharedLibRequired",
+                      test_bypass_spawning_via_cryptSharedLibRequired,
+                      NULL,
+                      NULL,
+                      test_framework_skip_if_no_client_side_encryption,
+                      test_framework_skip_if_max_wire_version_less_than_8,
+                      _skip_if_no_crypt_shared);
    TestSuite_AddFull (suite,
                       "/client_side_encryption/kms_tls/valid",
                       test_kms_tls_cert_valid,