CSHARP-5205: Add option to configure DEK cache lifetime (#1614)

Author: papafe

specifications/client-side-encryption/tests/unified/keyCache.json

@@ -0,0 +1,198 @@
+{
+  "description": "keyCache-explicit",
+  "schemaVersion": "1.22",
+  "runOnRequirements": [
+    {
+      "csfle": true
+    }
+  ],
+  "createEntities": [
+    {
+      "client": {
+        "id": "client0",
+        "observeEvents": [
+          "commandStartedEvent"
+        ]
+      }
+    },
+    {
+      "clientEncryption": {
+        "id": "clientEncryption0",
+        "clientEncryptionOpts": {
+          "keyVaultClient": "client0",
+          "keyVaultNamespace": "keyvault.datakeys",
+          "kmsProviders": {
+            "local": {
+              "key": "OCTP9uKPPmvuqpHlqq83gPk4U6rUPxKVRRyVtrjFmVjdoa4Xzm1SzUbr7aIhNI42czkUBmrCtZKF31eaaJnxEBkqf0RFukA9Mo3NEHQWgAQ2cn9duOcRbaFUQo2z0/rB"
+            }
+          },
+          "keyExpirationMS": 1
+        }
+      }
+    },
+    {
+      "database": {
+        "id": "database0",
+        "client": "client0",
+        "databaseName": "keyvault"
+      }
+    },
+    {
+      "collection": {
+        "id": "collection0",
+        "database": "database0",
+        "collectionName": "datakeys"
+      }
+    }
+  ],
+  "initialData": [
+    {
+      "databaseName": "keyvault",
+      "collectionName": "datakeys",
+      "documents": [
+        {
+          "_id": {
+            "$binary": {
+              "base64": "a+YWzdygTAG62/cNUkqZiQ==",
+              "subType": "04"
+            }
+          },
+          "keyAltNames": [],
+          "keyMaterial": {
+            "$binary": {
+              "base64": "iocBkhO3YBokiJ+FtxDTS71/qKXQ7tSWhWbcnFTXBcMjarsepvALeJ5li+SdUd9ePuatjidxAdMo7vh1V2ZESLMkQWdpPJ9PaJjA67gKQKbbbB4Ik5F2uKjULvrMBnFNVRMup4JNUwWFQJpqbfMveXnUVcD06+pUpAkml/f+DSXrV3e5rxciiNVtz03dAG8wJrsKsFXWj6vTjFhsfknyBA==",
+              "subType": "00"
+            }
+          },
+          "creationDate": {
+            "$date": {
+              "$numberLong": "1552949630483"
+            }
+          },
+          "updateDate": {
+            "$date": {
+              "$numberLong": "1552949630483"
+            }
+          },
+          "status": {
+            "$numberInt": "0"
+          },
+          "masterKey": {
+            "provider": "local"
+          }
+        }
+      ]
+    }
+  ],
+  "tests": [
+    {
+      "description": "decrypt, wait, and decrypt again",
+      "operations": [
+        {
+          "name": "decrypt",
+          "object": "clientEncryption0",
+          "arguments": {
+            "value": {
+              "$binary": {
+                "base64": "AWvmFs3coEwButv3DVJKmYkCJ6lUzRX9R28WNlw5uyndb+8gurA+p8q14s7GZ04K2ZvghieRlAr5UwZbow3PMq27u5EIhDDczwBFcbdP1amllw==",
+                "subType": "06"
+              }
+            }
+          },
+          "expectResult": "foobar"
+        },
+        {
+          "name": "wait",
+          "object": "testRunner",
+          "arguments": {
+            "ms": 50
+          }
+        },
+        {
+          "name": "decrypt",
+          "object": "clientEncryption0",
+          "arguments": {
+            "value": {
+              "$binary": {
+                "base64": "AWvmFs3coEwButv3DVJKmYkCJ6lUzRX9R28WNlw5uyndb+8gurA+p8q14s7GZ04K2ZvghieRlAr5UwZbow3PMq27u5EIhDDczwBFcbdP1amllw==",
+                "subType": "06"
+              }
+            }
+          },
+          "expectResult": "foobar"
+        }
+      ],
+      "expectEvents": [
+        {
+          "client": "client0",
+          "events": [
+            {
+              "commandStartedEvent": {
+                "command": {
+                  "find": "datakeys",
+                  "filter": {
+                    "$or": [
+                      {
+                        "_id": {
+                          "$in": [
+                            {
+                              "$binary": {
+                                "base64": "a+YWzdygTAG62/cNUkqZiQ==",
+                                "subType": "04"
+                              }
+                            }
+                          ]
+                        }
+                      },
+                      {
+                        "keyAltNames": {
+                          "$in": []
+                        }
+                      }
+                    ]
+                  },
+                  "$db": "keyvault",
+                  "readConcern": {
+                    "level": "majority"
+                  }
+                }
+              }
+            },
+            {
+              "commandStartedEvent": {
+                "command": {
+                  "find": "datakeys",
+                  "filter": {
+                    "$or": [
+                      {
+                        "_id": {
+                          "$in": [
+                            {
+                              "$binary": {
+                                "base64": "a+YWzdygTAG62/cNUkqZiQ==",
+                                "subType": "04"
+                              }
+                            }
+                          ]
+                        }
+                      },
+                      {
+                        "keyAltNames": {
+                          "$in": []
+                        }
+                      }
+                    ]
+                  },
+                  "$db": "keyvault",
+                  "readConcern": {
+                    "level": "majority"
+                  }
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

specifications/client-side-encryption/tests/unified/keyCache.yml

@@ -0,0 +1,85 @@
+description: keyCache-explicit
+
+schemaVersion: "1.22"
+
+runOnRequirements:
+  - csfle: true
+
+createEntities:
+  - client:
+      id: &client0 client0
+      observeEvents:
+        - commandStartedEvent
+  - clientEncryption:
+      id: &clientEncryption0 clientEncryption0
+      clientEncryptionOpts:
+        keyVaultClient: *client0
+        keyVaultNamespace: keyvault.datakeys
+        kmsProviders:
+          "local" : { key: "OCTP9uKPPmvuqpHlqq83gPk4U6rUPxKVRRyVtrjFmVjdoa4Xzm1SzUbr7aIhNI42czkUBmrCtZKF31eaaJnxEBkqf0RFukA9Mo3NEHQWgAQ2cn9duOcRbaFUQo2z0/rB" }
+        keyExpirationMS: 1
+  - database:
+      id: &database0 database0
+      client: *client0
+      databaseName: &database0Name keyvault
+  - collection:
+      id: &collection0 collection0
+      database: *database0
+      collectionName: &collection0Name datakeys
+
+initialData:
+  - databaseName: *database0Name
+    collectionName: *collection0Name
+    documents:
+      - {
+            "_id": {
+                "$binary": {
+                    "base64": "a+YWzdygTAG62/cNUkqZiQ==",
+                    "subType": "04"
+                }
+            },
+            "keyAltNames": [],
+            "keyMaterial": {
+                "$binary": {
+                    "base64": "iocBkhO3YBokiJ+FtxDTS71/qKXQ7tSWhWbcnFTXBcMjarsepvALeJ5li+SdUd9ePuatjidxAdMo7vh1V2ZESLMkQWdpPJ9PaJjA67gKQKbbbB4Ik5F2uKjULvrMBnFNVRMup4JNUwWFQJpqbfMveXnUVcD06+pUpAkml/f+DSXrV3e5rxciiNVtz03dAG8wJrsKsFXWj6vTjFhsfknyBA==",
+                    "subType": "00"
+                }
+            },
+            "creationDate": {"$date": {"$numberLong": "1552949630483"}},
+            "updateDate": {"$date": {"$numberLong": "1552949630483"}},
+            "status": {"$numberInt": "0"},
+            "masterKey": {"provider": "local"}
+        }
+
+tests:
+  - description: decrypt, wait, and decrypt again
+    operations:
+      - name: decrypt
+        object: *clientEncryption0
+        arguments:
+          value: { "$binary" : { "base64" : "AWvmFs3coEwButv3DVJKmYkCJ6lUzRX9R28WNlw5uyndb+8gurA+p8q14s7GZ04K2ZvghieRlAr5UwZbow3PMq27u5EIhDDczwBFcbdP1amllw==", "subType" : "06" } }
+        expectResult: "foobar"
+      - name: wait
+        object: testRunner
+        arguments:
+          ms: 50 # Wait long enough to account for coarse time resolution on Windows (CDRIVER-4526).
+      - name: decrypt
+        object: *clientEncryption0
+        arguments:
+          value: { "$binary" : { "base64" : "AWvmFs3coEwButv3DVJKmYkCJ6lUzRX9R28WNlw5uyndb+8gurA+p8q14s7GZ04K2ZvghieRlAr5UwZbow3PMq27u5EIhDDczwBFcbdP1amllw==", "subType" : "06" } }
+        expectResult: "foobar"
+    expectEvents:
+      - client: *client0
+        events:
+          - commandStartedEvent:
+              command:
+                find: datakeys
+                filter: {"$or": [{"_id": {"$in": [ {'$binary': {'base64': 'a+YWzdygTAG62/cNUkqZiQ==', 'subType': '04'}} ] }}, {"keyAltNames": {"$in": []}}]}
+                $db: keyvault
+                readConcern: { level: "majority" }
+          - commandStartedEvent:
+              command:
+                find: datakeys
+                filter: {"$or": [{"_id": {"$in": [ {'$binary': {'base64': 'a+YWzdygTAG62/cNUkqZiQ==', 'subType': '04'}} ] }}, {"keyAltNames": {"$in": []}}]}
+                $db: keyvault
+                readConcern: { level: "majority" }

src/MongoDB.Driver.Encryption/ClientEncryption.cs

@@ -48,7 +48,8 @@ public ClientEncryption(ClientEncryptionOptions clientEncryptionOptions)
                 encryptedFieldsMap: null,
                 isCryptSharedLibRequired: null,
                 kmsProviders: clientEncryptionOptions.KmsProviders,
-                schemaMap: null);
+                schemaMap: null,
+                keyExpiration: clientEncryptionOptions.KeyExpiration);
 
             _cryptClient = CryptClientFactory.Create(cryptClientSettings);
 

src/MongoDB.Driver.Encryption/ClientEncryptionOptions.cs

@@ -25,6 +25,7 @@ namespace MongoDB.Driver.Encryption
     public sealed class ClientEncryptionOptions
     {
         // private fields
+        private TimeSpan? _keyExpiration;
         private readonly IMongoClient _keyVaultClient;
         private readonly CollectionNamespace _keyVaultNamespace;
         private readonly IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> _kmsProviders;
@@ -43,17 +44,34 @@ public ClientEncryptionOptions(
             CollectionNamespace keyVaultNamespace,
             IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders,
             Optional<IReadOnlyDictionary<string, SslSettings>> tlsOptions = default)
+            : this(keyVaultClient, keyVaultNamespace, kmsProviders, tlsOptions, keyExpiration: null)
+        {
+        }
+
+        private ClientEncryptionOptions(
+            IMongoClient keyVaultClient,
+            CollectionNamespace keyVaultNamespace,
+            IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders,
+            Optional<IReadOnlyDictionary<string, SslSettings>> tlsOptions = default,
+            Optional<TimeSpan?> keyExpiration = default)
         {
             _keyVaultClient = Ensure.IsNotNull(keyVaultClient, nameof(keyVaultClient));
             _keyVaultNamespace = Ensure.IsNotNull(keyVaultNamespace, nameof(keyVaultNamespace));
             _kmsProviders = Ensure.IsNotNull(kmsProviders, nameof(kmsProviders));
             _tlsOptions = tlsOptions.WithDefault(new Dictionary<string, SslSettings>());
+            _keyExpiration = keyExpiration.WithDefault(null);
 
             EnsureKmsProvidersAreValid(_kmsProviders);
             EnsureKmsProvidersTlsSettingsAreValid(_tlsOptions);
         }
 
         // public properties
+
+        /// <summary>
+        /// Gets the data encryption key cache expiration time.
+        /// </summary>
+        public TimeSpan? KeyExpiration => _keyExpiration;
+
         /// <summary>
         /// Gets the key vault client.
         /// </summary>
@@ -104,7 +122,18 @@ public ClientEncryptionOptions With(
                 keyVaultClient: keyVaultClient.WithDefault(_keyVaultClient),
                 keyVaultNamespace: keyVaultNamespace.WithDefault(_keyVaultNamespace),
                 kmsProviders: kmsProviders.WithDefault(_kmsProviders),
-                tlsOptions: Optional.Create(tlsOptions.WithDefault(_tlsOptions)));
+                tlsOptions: Optional.Create(tlsOptions.WithDefault(_tlsOptions)),
+                keyExpiration: _keyExpiration);
+        }
+
+        /// <summary>
+        /// Sets the data encryption key cache expiration time. If not set, it defaults to 60 seconds.
+        /// If set to TimeSpan.Zero, the cache never expires.
+        /// </summary>
+        /// <param name="keyExpiration">The data encryption key cache expiration time.</param>
+        public void SetKeyExpiration(TimeSpan? keyExpiration)
+        {
+            _keyExpiration = keyExpiration;
         }
 
         private static void EnsureKmsProvidersAreValid(IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> kmsProviders)

src/MongoDB.Driver.Encryption/CryptClientFactory.cs

@@ -82,7 +82,8 @@ public static CryptClient Create(CryptClientSettings cryptClientSettings)
                 bypassQueryAnalysis: cryptClientSettings.BypassQueryAnalysis.GetValueOrDefault(false),
                 cryptClientSettings.CryptSharedLibPath,
                 cryptClientSettings.CryptSharedLibSearchPath,
-                cryptClientSettings.IsCryptSharedLibRequired ?? false);
+                cryptClientSettings.IsCryptSharedLibRequired ?? false,
+                (long?)cryptClientSettings.KeyExpiration?.TotalMilliseconds);
 
             return Create(cryptOptions);
         }
@@ -161,6 +162,11 @@ public static CryptClient Create(CryptOptions options)
                     Library.mongocrypt_setopt_append_crypt_shared_lib_search_path(handle, options.CryptSharedLibSearchPath);
                 }
 
+                if (options.KeyExpirationMs != null)
+                {
+                    Library.mongocrypt_setopt_key_expiration(handle, (ulong)options.KeyExpirationMs.Value);
+                }
+
                 Library.mongocrypt_setopt_use_need_kms_credentials_state(handle);
                 Library.mongocrypt_setopt_enable_multiple_collinfo(handle);
                 Library.mongocrypt_setopt_retry_kms(handle, true);