mongodb
diff --git a/‎.evergreen/config.yml
Lines changed: 67 additions & 3 deletions b/‎.evergreen/config.yml
Lines changed: 67 additions & 3 deletions
diff --git a/‎.evergreen/run-tests.sh
Lines changed: 27 additions & 0 deletions b/‎.evergreen/run-tests.sh
Lines changed: 27 additions & 0 deletions
diff --git a/‎.golangci.yml
Lines changed: 5 additions & 3 deletions b/‎.golangci.yml
Lines changed: 5 additions & 3 deletions
diff --git a/‎mongo/client.go
Lines changed: 82 additions & 26 deletions b/‎mongo/client.go
Lines changed: 82 additions & 26 deletions
@@ -12,6 +12,9 @@ stepback: true
 # Actual testing tasks are marked with `type: test`
 command_type: setup
 
+# Fail builds when pre tasks fail.
+pre_error_fails_task: true
+
 # Protect ourself against rogue test case, or curl gone wild, that runs forever
 # 12 minutes is the longest we'll ever run
 exec_timeout_secs: 3600 # 12 minutes is the longest we'll ever run
@@ -159,6 +162,32 @@ functions:
           # initialize submodules
           git submodule init
           git submodule update
+    - command: shell.exec
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        script: |
+          ${PREPARE_SHELL}
+
+          # Skip the crypt_shared library download if there is no crypt_shared build for the current
+          # platform. Don't try to determine this automatically to prevent misconfiguration errors
+          # from silently skipping the crypt_shared download and changing the testing conditions.
+          if [ "${SKIP_CRYPT_SHARED_LIB_DOWNLOAD}" = "true" ]; then
+            echo "There is no crypt_shared library for this platform, skipping download..."
+            exit 0
+          fi
+
+          # Download the crypt_shared dynamic library for the current platform to the current working
+          # directory. The run-tests.sh and versioned API test scripts expect to find a
+          # mongo_crypt_v1.* file in the "src/go.mongodb.org/mongo-driver" working directory.
+          # TODO(GODRIVER-2437): Update version to "latest-stable" once the crypt_shared library has a
+          # feature-complete stable release.
+          ${PYTHON3_BINARY} $DRIVERS_TOOLS/.evergreen/mongodl.py \
+            --component crypt_shared \
+            --version latest \
+            --edition enterprise \
+            --out . \
+            --only "**/mongo_crypt_v1.*" \
+            --strip-path-components 1
 
   install-linters:
     - command: shell.exec
@@ -274,8 +303,8 @@ functions:
             cat $i | tr -d '\r' > $i.new
             mv $i.new $i
           done
-          # Copy client certificate because symlinks do not work on Windows.
-          cp ${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem ${MONGO_ORCHESTRATION_HOME}/lib/client.pem
+          # Copy client certificate because symlinks do not work on Windows. Ignore any copy errors.
+          cp ${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem ${MONGO_ORCHESTRATION_HOME}/lib/client.pem || echo "Ignoring copy error"
 
   make-files-executable:
     - command: shell.exec
@@ -460,6 +489,33 @@ functions:
           fi
           . ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
 
+          # If the task doesn't have the SKIP_CRYPT_SHARED_LIB_DOWNLOAD variable set, try to find the
+          # crypt_shared library downloaded in the "prepare-resources" task and set the CRYPT_SHARED_LIB_PATH
+          # environment variable with a path to the file.
+          if [ "${SKIP_CRYPT_SHARED_LIB_DOWNLOAD}" != "true" ]; then
+            # Find the crypt_shared library file in the current directory and set the CRYPT_SHARED_LIB_PATH to
+            # the path of that file. Only look for .so, .dll, or .dylib files to prevent matching any other
+            # downloaded files.
+            export CRYPT_SHARED_LIB_PATH="$(find $(pwd) -maxdepth 1 -type f \
+              -name 'mongo_crypt_v1.so' -o \
+              -name 'mongo_crypt_v1.dll' -o \
+              -name 'mongo_crypt_v1.dylib')"
+
+            # Expect that we always find a crypt_shared library file and set the CRYPT_SHARED_LIB_PATH
+            # environment variable. If we didn't, print an error message and exit.
+            if [ -z "$CRYPT_SHARED_LIB_PATH" ]; then
+              echo 'SKIP_CRYPT_SHARED_LIB_DOWNLOAD is not "true", but CRYPT_SHARED_LIB_PATH is empty. Exiting.'
+              exit 1
+            fi
+
+            # If we're on Windows, convert the "cygdrive"  path to Windows-style paths.
+            if [ "Windows_NT" = "$OS" ]; then
+                export CRYPT_SHARED_LIB_PATH=$(cygpath -m $CRYPT_SHARED_LIB_PATH)
+            fi
+
+            echo "CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH"
+          fi
+
           export GOFLAGS=-mod=vendor
           AUTH="${AUTH}" \
           SSL="${SSL}" \
@@ -652,7 +708,9 @@ functions:
     - command: shell.exec
       params:
         script: |
-          DRIVERS_TOOLS=${DRIVERS_TOOLS} MONGODB_URI=${MONGODB_URI} bash ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop
+          # Attempt to shut down a running load balancer. Ignore any errors that happen if the load
+          # balancer is not running.
+          DRIVERS_TOOLS=${DRIVERS_TOOLS} MONGODB_URI=${MONGODB_URI} bash ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop || echo "Ignoring load balancer stop error"
 
   add-aws-auth-variables-to-file:
     - command: shell.exec
@@ -1916,6 +1974,9 @@ axes:
           # to prevent attempting to link the client-side encryption (libmongocrypt) binaries when
           # running Go tests.
           GO_BUILD_TAGS: ""
+          # There is no crypt_shared library download for Ubuntu 14.04. Skip downloading it and let the
+          # tests use mongocryptd instead.
+          SKIP_CRYPT_SHARED_LIB_DOWNLOAD: "true"
 
   # OSes that require >= 3.2 for SSL
   - id: os-ssl-32
@@ -1936,6 +1997,9 @@ axes:
         variables:
           GO_DIST: "/opt/golang/go1.17"
           PYTHON3_BINARY: "/opt/python/3.8/bin/python3"
+          # There is no crypt_shared library download for Ubuntu 16.04. Skip downloading it and let the
+          # tests use mongocryptd instead.
+          SKIP_CRYPT_SHARED_LIB_DOWNLOAD: "true"
       - id: "osx-go-1-17"
         display_name: "MacOS 10.14"
         run_on: macos-1014
 
@@ -84,6 +84,33 @@ if [ -z ${GO_BUILD_TAGS+x} ]; then
   GO_BUILD_TAGS="cse"
 fi
 
+# If the task doesn't have the SKIP_CRYPT_SHARED_LIB_DOWNLOAD variable set, try to find the
+# crypt_shared library downloaded in the "prepare-resources" task and set the CRYPT_SHARED_LIB_PATH
+# environment variable with a path to the file.
+if [ "${SKIP_CRYPT_SHARED_LIB_DOWNLOAD}" != "true" ]; then
+  # Find the crypt_shared library file in the current directory and set the CRYPT_SHARED_LIB_PATH to
+  # the path of that file. Only look for .so, .dll, or .dylib files to prevent matching any other
+  # downloaded files.
+  export CRYPT_SHARED_LIB_PATH="$(find $(pwd) -maxdepth 1 -type f \
+    -name 'mongo_crypt_v1.so' -o \
+    -name 'mongo_crypt_v1.dll' -o \
+    -name 'mongo_crypt_v1.dylib')"
+
+  # Expect that we always find a crypt_shared library file and set the CRYPT_SHARED_LIB_PATH
+  # environment variable. If we didn't, print an error message and exit.
+  if [ -z "$CRYPT_SHARED_LIB_PATH" ]; then
+    echo 'SKIP_CRYPT_SHARED_LIB_DOWNLOAD is not "true", but CRYPT_SHARED_LIB_PATH is empty. Exiting.'
+    exit 1
+  fi
+
+  # If we're on Windows, convert the "cygdrive"  path to Windows-style paths.
+  if [ "Windows_NT" = "$OS" ]; then
+      export CRYPT_SHARED_LIB_PATH=$(cygpath -m $CRYPT_SHARED_LIB_PATH)
+  fi
+
+  echo "CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH"
+fi
+
 AUTH=${AUTH} \
 SSL=${SSL} \
 MONGO_GO_DRIVER_CA_FILE=${MONGO_GO_DRIVER_CA_FILE} \
 
@@ -98,9 +98,11 @@ issues:
       linters:
         - unused
         - structcheck
-    # Disable "unused" linter for "crypt.go" because the linter doesn't work correctly without
-    # enabling CGO.
-    - path: x/mongo/driver/crypt.go
+    # Disable "unused" linter for code files that depend on the "mongocrypt.MongoCrypt" type because
+    # the linter build doesn't work correctly with CGO enabled. As a result, all calls to a
+    # "mongocrypt.MongoCrypt" API appear to always panic (see mongocrypt_not_enabled.go), leading
+    # to confusing messages about unused code.
+    - path: x/mongo/driver/crypt.go|mongo/(crypt_retrievers|mongocryptd).go
       linters:
         - unused
     # Ignore "TLS MinVersion too low", "TLS InsecureSkipVerify set true", and "Use of weak random
 
@@ -26,6 +26,8 @@ import (
 	"go.mongodb.org/mongo-driver/x/bsonx/bsoncore"
 	"go.mongodb.org/mongo-driver/x/mongo/driver"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/auth"
+	"go.mongodb.org/mongo-driver/x/mongo/driver/mongocrypt"
+	mcopts "go.mongodb.org/mongo-driver/x/mongo/driver/mongocrypt/options"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/ocsp"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/operation"
 	"go.mongodb.org/mongo-driver/x/mongo/driver/session"
@@ -71,7 +73,7 @@ type Client struct {
 	// client-side encryption fields
 	keyVaultClientFLE  *Client
 	keyVaultCollFLE    *Collection
-	mongocryptdFLE     *mcryptClient
+	mongocryptdFLE     *mongocryptdClient
 	cryptFLE           driver.Crypt
 	metadataClientFLE  *Client
 	internalClientFLE  *Client
@@ -720,10 +722,23 @@ func (c *Client) configureAutoEncryption(clientOpts *options.ClientOptions) erro
 	if err := c.configureMetadataClientFLE(clientOpts); err != nil {
 		return err
 	}
-	if err := c.configureMongocryptdClientFLE(clientOpts.AutoEncryptionOptions); err != nil {
+
+	mc, err := c.newMongoCrypt(clientOpts.AutoEncryptionOptions)
+	if err != nil {
 		return err
 	}
-	return c.configureCryptFLE(clientOpts.AutoEncryptionOptions)
+
+	// If the crypt_shared library was loaded successfully, signal to the mongocryptd client creator
+	// that it can bypass spawning mongocryptd.
+	cryptSharedLibAvailable := mc.CryptSharedLibVersionString() != ""
+	mongocryptdFLE, err := newMongocryptdClient(cryptSharedLibAvailable, clientOpts.AutoEncryptionOptions)
+	if err != nil {
+		return err
+	}
+	c.mongocryptdFLE = mongocryptdFLE
+
+	c.configureCryptFLE(mc, clientOpts.AutoEncryptionOptions)
+	return nil
 }
 
 func (c *Client) getOrCreateInternalClient(clientOpts *options.ClientOptions) (*Client, error) {
@@ -778,19 +793,13 @@ func (c *Client) configureMetadataClientFLE(clientOpts *options.ClientOptions) e
 	return err
 }
 
-func (c *Client) configureMongocryptdClientFLE(opts *options.AutoEncryptionOptions) error {
-	var err error
-	c.mongocryptdFLE, err = newMcryptClient(opts)
-	return err
-}
-
-func (c *Client) configureCryptFLE(opts *options.AutoEncryptionOptions) error {
+func (c *Client) newMongoCrypt(opts *options.AutoEncryptionOptions) (*mongocrypt.MongoCrypt, error) {
 	// convert schemas in SchemaMap to bsoncore documents
 	cryptSchemaMap := make(map[string]bsoncore.Document)
 	for k, v := range opts.SchemaMap {
 		schema, err := transformBsoncoreDocument(c.registry, v, true, "schemaMap")
 		if err != nil {
-			return err
+			return nil, err
 		}
 		cryptSchemaMap[k] = schema
 	}
@@ -800,21 +809,74 @@ func (c *Client) configureCryptFLE(opts *options.AutoEncryptionOptions) error {
 	for k, v := range opts.EncryptedFieldsMap {
 		encryptedFields, err := transformBsoncoreDocument(c.registry, v, true, "encryptedFieldsMap")
 		if err != nil {
-			return err
+			return nil, err
 		}
 		cryptEncryptedFieldsMap[k] = encryptedFields
 	}
 
 	kmsProviders, err := transformBsoncoreDocument(c.registry, opts.KmsProviders, true, "kmsProviders")
 	if err != nil {
-		return fmt.Errorf("error creating KMS providers document: %v", err)
+		return nil, fmt.Errorf("error creating KMS providers document: %v", err)
+	}
+
+	// Set the crypt_shared library override path from the "cryptSharedLibPath" extra option if one
+	// was set.
+	cryptSharedLibPath := ""
+	if val, ok := opts.ExtraOptions["cryptSharedLibPath"]; ok {
+		str, ok := val.(string)
+		if !ok {
+			return nil, fmt.Errorf(
+				`expected AutoEncryption extra option "cryptSharedLibPath" to be a string, but is a %T`, val)
+		}
+		cryptSharedLibPath = str
+	}
+
+	// Explicitly disable loading the crypt_shared library if requested. Note that this is ONLY
+	// intended for use from tests; there is no supported public API for explicitly disabling
+	// loading the crypt_shared library.
+	cryptSharedLibDisabled := false
+	if v, ok := opts.ExtraOptions["__cryptSharedLibDisabledForTestOnly"]; ok {
+		cryptSharedLibDisabled = v.(bool)
+	}
+
+	bypassAutoEncryption := opts.BypassAutoEncryption != nil && *opts.BypassAutoEncryption
+	bypassQueryAnalysis := opts.BypassQueryAnalysis != nil && *opts.BypassQueryAnalysis
+
+	mc, err := mongocrypt.NewMongoCrypt(mcopts.MongoCrypt().
+		SetKmsProviders(kmsProviders).
+		SetLocalSchemaMap(cryptSchemaMap).
+		SetBypassQueryAnalysis(bypassQueryAnalysis).
+		SetEncryptedFieldsMap(cryptEncryptedFieldsMap).
+		SetCryptSharedLibDisabled(cryptSharedLibDisabled || bypassAutoEncryption).
+		SetCryptSharedLibOverridePath(cryptSharedLibPath))
+	if err != nil {
+		return nil, err
 	}
 
-	// configure options
-	var bypass bool
-	if opts.BypassAutoEncryption != nil {
-		bypass = *opts.BypassAutoEncryption
+	var cryptSharedLibRequired bool
+	if val, ok := opts.ExtraOptions["cryptSharedLibRequired"]; ok {
+		b, ok := val.(bool)
+		if !ok {
+			return nil, fmt.Errorf(
+				`expected AutoEncryption extra option "cryptSharedLibRequired" to be a bool, but is a %T`, val)
+		}
+		cryptSharedLibRequired = b
 	}
+
+	// If the "cryptSharedLibRequired" extra option is set to true, check the MongoCrypt version
+	// string to confirm that the library was successfully loaded. If the version string is empty,
+	// return an error indicating that we couldn't load the crypt_shared library.
+	if cryptSharedLibRequired && mc.CryptSharedLibVersionString() == "" {
+		return nil, errors.New(
+			`AutoEncryption extra option "cryptSharedLibRequired" is true, but we failed to load the crypt_shared library`)
+	}
+
+	return mc, nil
+}
+
+//nolint:unused // the unused linter thinks that this function is unreachable because "c.newMongoCrypt" always panics without the "cse" build tag set.
+func (c *Client) configureCryptFLE(mc *mongocrypt.MongoCrypt, opts *options.AutoEncryptionOptions) {
+	bypass := opts.BypassAutoEncryption != nil && *opts.BypassAutoEncryption
 	kr := keyRetriever{coll: c.keyVaultCollFLE}
 	var cir collInfoRetriever
 	// If bypass is true, c.metadataClientFLE is nil and the collInfoRetriever
@@ -824,20 +886,14 @@ func (c *Client) configureCryptFLE(opts *options.AutoEncryptionOptions) error {
 		cir = collInfoRetriever{client: c.metadataClientFLE}
 	}
 
-	cryptOpts := &driver.CryptOptions{
+	c.cryptFLE = driver.NewCrypt(&driver.CryptOptions{
+		MongoCrypt:           mc,
 		CollInfoFn:           cir.cryptCollInfo,
 		KeyFn:                kr.cryptKeys,
 		MarkFn:               c.mongocryptdFLE.markCommand,
-		KmsProviders:         kmsProviders,
 		TLSConfig:            opts.TLSConfig,
 		BypassAutoEncryption: bypass,
-		SchemaMap:            cryptSchemaMap,
-		BypassQueryAnalysis:  opts.BypassQueryAnalysis != nil && *opts.BypassQueryAnalysis,
-		EncryptedFieldsMap:   cryptEncryptedFieldsMap,
-	}
-
-	c.cryptFLE, err = driver.NewCrypt(cryptOpts)
-	return err
+	})
 }
 
 // validSession returns an error if the session doesn't belong to the client