CSHARP-2796: FLE GA Spec changes.

Author: DmitryLukyanov

Docs/reference/content/reference/driver/crud/client_side_encryption.md

@@ -50,23 +50,18 @@ client-side. The following example has been adapted from
 [`ClientSideEncryptionExamples.cs`](https://github.com/mongodb/mongo-csharp-driver/blob/master/tests/MongoDB.Driver.Examples/ClientEncryptionExamples.cs), which can be found on GitHub along with the driver source. 
 
 ```csharp
-using MongoDB.Driver.Core.Misc;
-using MongoDB.Driver.Core.TestHelpers.XunitExtensions;
 using System;
 using System.Collections.Generic;
-using System.Threading;
 using MongoDB.Bson;
 using MongoDB.Driver.Encryption;
-using Xunit;
-using Xunit.Abstractions;
 
 namespace MongoDB.Driver.Examples
 {
     public class ClientEncryptionExamples
     {
         private const string LocalMasterKey = "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk";
 
-        public void ClientSideEncryptionSimpleTour()
+        public static void Main(string[] args)
         {
             var localMasterKey = Convert.FromBase64String(LocalMasterKey);
 
@@ -109,23 +104,19 @@ example has been adapted from
 which can be found on Github along with the driver source.
 
 ```csharp
-using MongoDB.Driver.Core.Misc;
-using MongoDB.Driver.Core.TestHelpers.XunitExtensions;
 using System;
 using System.Collections.Generic;
 using System.Threading;
 using MongoDB.Bson;
 using MongoDB.Driver.Encryption;
-using Xunit;
-using Xunit.Abstractions;
 
 namespace MongoDB.Driver.Examples
 {
     public class ClientEncryptionExamples
     {
         private const string LocalMasterKey = "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk";
 
-        public void ClientSideEncryptionAutoEncryptionSettingsTour()
+        public static void Main(string[] args)
         {
             var localMasterKey = Convert.FromBase64String(LocalMasterKey);
 

src/MongoDB.Driver.Core/Core/WireProtocol/CommandMessageFieldEncryptor.cs

@@ -169,12 +169,10 @@ private byte[] GetUnencryptedCommandBytes(CommandRequestMessage unencryptedReque
         }
 
         private void WriteUnencryptedRequestMessageToStream(
-            Stream stream, 
+            Stream stream,
             CommandRequestMessage unencryptedRequestMessage)
         {
             var clonedMessageEncoderSettings = _messageEncoderSettings.Clone();
-            clonedMessageEncoderSettings.Set(MessageEncoderSettingsName.MaxDocumentSize, 2097152);
-            clonedMessageEncoderSettings.Set(MessageEncoderSettingsName.MaxMessageSize, 2097152 + 16384);
             var encoderFactory = new BinaryMessageEncoderFactory(stream, clonedMessageEncoderSettings, compressorSource: null);
             var encoder = encoderFactory.GetCommandRequestMessageEncoder();
             encoder.WriteMessage(unencryptedRequestMessage);

src/MongoDB.Driver.Core/Core/WireProtocol/Messages/Encoders/BinaryEncoders/CommandMessageBinaryEncoder.cs

@@ -289,17 +289,25 @@ private void WriteType1Section(BsonBinaryWriter writer, Type1CommandMessageSecti
             var stream = writer.BsonStream;
             var serializer = section.DocumentSerializer;
             var context = BsonSerializationContext.CreateRoot(writer);
-            var maxMessageSize = MaxMessageSize;
+
+            int? maxMessageSize;
+            if (IsEncryptionConfigured)
+            {
+                var maxBatchSize = 2 * 1024 * 1024; // 2 MiB
+                var maxMessageEndPosition = stream.Position + maxBatchSize;
+                maxMessageSize = (int)(maxMessageEndPosition - messageStartPosition);
+            }
+            else
+            {
+                maxMessageSize = MaxMessageSize;
+            }
 
             var payloadStartPosition = stream.Position;
             stream.WriteInt32(0); // size
             stream.WriteCString(section.Identifier);
 
             var batch = section.Documents;
-            var maxDocumentSize = 
-                IsEncryptionConfigured && MaxDocumentSize.HasValue
-                    ? MaxDocumentSize.Value 
-                    : section.MaxDocumentSize ?? writer.Settings.MaxDocumentSize;
+            var maxDocumentSize = section.MaxDocumentSize ?? writer.Settings.MaxDocumentSize;
             writer.PushSettings(s => ((BsonBinaryWriterSettings)s).MaxDocumentSize = maxDocumentSize);
             writer.PushElementNameValidator(section.ElementNameValidator);
             try
@@ -313,7 +321,7 @@ private void WriteType1Section(BsonBinaryWriter writer, Type1CommandMessageSecti
                     serializer.Serialize(context, document);
 
                     var messageSize = stream.Position - messageStartPosition;
-                    if (messageSize > maxMessageSize && batch.CanBeSplit)
+                    if (messageSize > maxMessageSize && batch.CanBeSplit && i > 0)
                     {
                         stream.Position = documentStartPosition;
                         stream.SetLength(documentStartPosition);

src/MongoDB.Driver.Core/MongoDB.Driver.Core.csproj

@@ -45,7 +45,7 @@
   <ItemGroup>
     <PackageReference Include="DnsClient" Version="1.2.0" />
     <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="2.6.2" PrivateAssets="All" />
-    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.0.0-beta01" />
+    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.0.0-beta03" />
     <PackageReference Include="SharpCompress" Version="0.23.0" />
   </ItemGroup>
 

src/MongoDB.Driver/Encryption/ExplicitEncryptionLibMongoCryptController.cs

@@ -231,10 +231,9 @@ private IKmsKeyId GetKmsKeyId(string kmsProvider, IReadOnlyList<string> alternat
             {
                 case "aws":
                     var customerMasterKey = masterKey["key"].ToString();
+                    var endpoint = masterKey.GetValue("endpoint", null)?.ToString();
                     var region = masterKey["region"].ToString();
-                    return wrappedAlternateKeyNamesBytes != null
-                        ? new AwsKeyId(customerMasterKey, region, wrappedAlternateKeyNamesBytes)
-                        : new AwsKeyId(customerMasterKey, region);
+                    return new AwsKeyId(customerMasterKey, region, wrappedAlternateKeyNamesBytes, endpoint);
                 case "local":
                     return wrappedAlternateKeyNamesBytes != null ? new LocalKeyId(wrappedAlternateKeyNamesBytes) : new LocalKeyId();
                 default:

src/MongoDB.Driver/Encryption/LibMongoCryptControllerBase.cs

@@ -15,12 +15,15 @@
 
 using System;
 using System.Collections.Generic;
+using System.Net;
 using System.Net.Security;
 using System.Net.Sockets;
+using System.Text.RegularExpressions;
 using System.Threading;
 using System.Threading.Tasks;
 using MongoDB.Bson;
 using MongoDB.Bson.IO;
+using MongoDB.Driver.Core.Misc;
 using MongoDB.Libmongocrypt;
 
 namespace MongoDB.Driver.Encryption
@@ -133,7 +136,28 @@ protected async Task<byte[]> ProcessStatesAsync(CryptContext context, string dat
         private IMongoCollection<BsonDocument> GetKeyVaultCollection()
         {
             var keyVaultDatabase = _keyVaultClient.GetDatabase(_keyVaultNamespace.DatabaseNamespace.DatabaseName);
-            return keyVaultDatabase.GetCollection<BsonDocument>(_keyVaultNamespace.CollectionName);
+
+            var collectionSettings = new MongoCollectionSettings
+            {
+                ReadConcern = ReadConcern.Majority,
+                WriteConcern = WriteConcern.WMajority
+            };
+            return keyVaultDatabase.GetCollection<BsonDocument>(_keyVaultNamespace.CollectionName, collectionSettings);
+        }
+
+        private void ParseKmsEndPoint(string value, out string host, out int port)
+        {
+            var match = Regex.Match(value, @"^(?<host>.*):(?<port>\d+)$");
+            if (match.Success)
+            {
+                host = match.Groups["host"].Value;
+                port = int.Parse(match.Groups["port"].Value);
+            }
+            else
+            {
+                host = value;
+                port = 443;
+            }
         }
 
         private void ProcessNeedKmsState(CryptContext context, CancellationToken cancellationToken)
@@ -184,15 +208,16 @@ private byte[] ProcessReadyState(CryptContext context)
         private void SendKmsRequest(KmsRequest request, CancellationToken cancellation)
         {
             var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
-            socket.Connect(request.Endpoint, 443);
+            ParseKmsEndPoint(request.Endpoint, out var host, out var port);
+            socket.Connect(host, port);
 
             using (var networkStream = new NetworkStream(socket, ownsSocket: true))
             using (var sslStream = new SslStream(networkStream, leaveInnerStreamOpen: false))
             {
 #if NETSTANDARD1_5
-                sslStream.AuthenticateAsClientAsync(request.Endpoint).ConfigureAwait(false).GetAwaiter().GetResult();
+                sslStream.AuthenticateAsClientAsync(host).ConfigureAwait(false).GetAwaiter().GetResult();
 #else
-                sslStream.AuthenticateAsClient(request.Endpoint);
+                sslStream.AuthenticateAsClient(host);
 #endif
 
                 var requestBytes = request.Message.ToArray();
@@ -212,16 +237,17 @@ private void SendKmsRequest(KmsRequest request, CancellationToken cancellation)
         private async Task SendKmsRequestAsync(KmsRequest request, CancellationToken cancellation)
         {
             var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
+            ParseKmsEndPoint(request.Endpoint, out var host, out var port);
 #if NETSTANDARD1_5
-            await socket.ConnectAsync(request.Endpoint, 443).ConfigureAwait(false);
+            await socket.ConnectAsync(host, port).ConfigureAwait(false);
 #else
-            await Task.Factory.FromAsync(socket.BeginConnect(request.Endpoint, 443, null, null), socket.EndConnect).ConfigureAwait(false);
+            await Task.Factory.FromAsync(socket.BeginConnect(host, port, null, null), socket.EndConnect).ConfigureAwait(false);
 #endif
 
             using (var networkStream = new NetworkStream(socket, ownsSocket: true))
             using (var sslStream = new SslStream(networkStream, leaveInnerStreamOpen: false))
             {
-                await sslStream.AuthenticateAsClientAsync(request.Endpoint).ConfigureAwait(false);
+                await sslStream.AuthenticateAsClientAsync(host).ConfigureAwait(false);
 
                 var requestBytes = request.Message.ToArray();
                 await sslStream.WriteAsync(requestBytes, 0, requestBytes.Length).ConfigureAwait(false);

src/MongoDB.Driver/Encryption/MongocryptdFactory.cs

@@ -127,7 +127,6 @@ private bool ShouldMongocryptdBeSpawned(out string path, out string args)
                 args = string.Empty;
                 if (_extraOptions.TryGetValue("mongocryptdSpawnArgs", out var mongocryptdSpawnArgs))
                 {
-                    string trimStartHyphens(string str) => str.TrimStart('-').TrimStart('-');
                     switch (mongocryptdSpawnArgs)
                     {
                         case string str:
@@ -136,7 +135,7 @@ private bool ShouldMongocryptdBeSpawned(out string path, out string args)
                         case IEnumerable enumerable:
                             foreach (var item in enumerable)
                             {
-                                args += $"--{trimStartHyphens(item.ToString())} ";
+                                args += $"--{item.ToString().TrimStart('-')} ";
                             }
                             break;
                         default:
@@ -149,6 +148,17 @@ private bool ShouldMongocryptdBeSpawned(out string path, out string args)
                 {
                     args += " --idleShutdownTimeoutSecs 60";
                 }
+
+                if (!args.Contains("logpath")) // disable logging by the mongocryptd process
+                {
+                    // "nul" is the windows specific value. Unix-based platforms should use "/dev/null"
+                    args += " --logpath nul";
+
+                    if (!args.Contains("logappend"))
+                    {
+                        args += " --logappend";
+                    }
+                }
                 args = args.Trim();
 
                 return true;

src/MongoDB.Driver/MongoDB.Driver.csproj

@@ -42,7 +42,7 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="2.6.2" PrivateAssets="All" />
-    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.0.0-beta01" />
+    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.0.0-beta03" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.5'">

tests/MongoDB.Driver.Tests/MongocryptdFactoryTests.cs

@@ -42,21 +42,29 @@ public void CreateMongocryptdConnectionString_should_create_expected_connection_
 
         [SkippableTheory]
         [InlineData("{ mongocryptdBypassSpawn : true }", null, null, false)]
-        [InlineData(null, "mongocryptd.exe", "--idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdBypassSpawn : false }", "mongocryptd.exe", "--idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdBypassSpawn : false }", "mongocryptd.exe", "--idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/' }", "c:/mongocryptd.exe", "--idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/mgcr.exe' }", "c:/mgcr.exe", "--idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/mgcr.exe' }", "c:/mgcr.exe", "--idleShutdownTimeoutSecs 60", true)]
+        [InlineData(null, "mongocryptd.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false }", "mongocryptd.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false }", "mongocryptd.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/' }", "c:/mongocryptd.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/mgcr.exe' }", "c:/mgcr.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnPath : 'c:/mgcr.exe' }", "c:/mgcr.exe", "--idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
         // args string
-        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B' }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B --idleShutdownTimeoutSecs 50' }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50", true)]
-        // args list
-        [InlineData("{ mongocryptdSpawnArgs : [ 'arg1 A', 'arg2 B'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 60", true)]
-        [InlineData("{ mongocryptdSpawnArgs : [ 'arg1 A', 'arg2 B', 'idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50", true)]
-        [InlineData("{ mongocryptdSpawnArgs : [ '--arg1 A', '--arg2 B', '--idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50", true)]
+        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B' }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B --idleShutdownTimeoutSecs 50' }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B --logpath path.txt' }", "mongocryptd.exe", "--arg1 A --arg2 B --logpath path.txt --idleShutdownTimeoutSecs 60", true)]
+        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B --logpath path.txt --logappend' }", "mongocryptd.exe", "--arg1 A --arg2 B --logpath path.txt --logappend --idleShutdownTimeoutSecs 60", true)]
+        [InlineData("{ mongocryptdSpawnArgs : '--arg1 A --arg2 B --logappend' }", "mongocryptd.exe", "--arg1 A --arg2 B --logappend --idleShutdownTimeoutSecs 60 --logpath nul", true)]
+        // args IEnumerable
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', 'arg2 B'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 60 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', 'arg2 B', 'idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', '--arg2 B', '--idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50 --logpath nul --logappend", true)]
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', 'arg2 B', '--logpath path.txt'] }", "mongocryptd.exe", "--arg1 A --arg2 B --logpath path.txt --idleShutdownTimeoutSecs 60", true)]
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', 'arg2 B', '--logpath path.txt', '--logappend'] }", "mongocryptd.exe", "--arg1 A --arg2 B --logpath path.txt --logappend --idleShutdownTimeoutSecs 60", true)]
+        [InlineData("{ mongocryptdSpawnArgs : ['arg1 A', 'arg2 B', '--logappend'] }", "mongocryptd.exe", "--arg1 A --arg2 B --logappend --idleShutdownTimeoutSecs 60 --logpath nul", true)]
 
-        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnArgs : [ '--arg1 A', '--arg2 B', '--idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50", true)]
+        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnArgs : [ '--arg1 A', '--arg2 B', '--idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50 --logpath nul --logappend", true)]
+
+        [InlineData("{ mongocryptdBypassSpawn : false, mongocryptdSpawnArgs : [ '--arg1 A', '--arg2 B', '--idleShutdownTimeoutSecs 50'] }", "mongocryptd.exe", "--arg1 A --arg2 B --idleShutdownTimeoutSecs 50 --logpath nul --logappend", true)]
         public void Mongocryptd_should_be_spawned_with_correct_extra_arguments(
             string stringExtraOptions,
             string expectedPath,

tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/ClientSideEncryptionTestRunner.cs

@@ -111,12 +111,13 @@ protected override void InsertData(IMongoClient client, string databaseName, str
             if (shared.TryGetValue("key_vault_data", out var keyVaultData))
             {
                 var adminDatabase = client.GetDatabase("admin");
-                var keyVaultCollection = adminDatabase.GetCollection<BsonDocument>(
-                    "datakeys",
-                    new MongoCollectionSettings
-                    {
-                        AssignIdOnInsert = false
-                    });
+                var collectionSettings = new MongoCollectionSettings
+                {
+                    AssignIdOnInsert = false,
+                    ReadConcern = ReadConcern.Majority,
+                    WriteConcern = WriteConcern.WMajority
+                };
+                var keyVaultCollection = adminDatabase.GetCollection<BsonDocument>("datakeys", collectionSettings);
                 var keyVaultDocuments = keyVaultData.AsBsonArray.Select(c => c.AsBsonDocument);
                 keyVaultCollection.InsertMany(keyVaultDocuments);
             }