Apply client-side encryption in transactions on sharded clusters

This fixes a bug in both sync and async drivers where client-side
encryption is not applied when in a transaction.

JAVA-3752

Author: jyemin

driver-async/src/main/com/mongodb/async/client/ClientSessionBinding.java

@@ -21,7 +21,6 @@
 import com.mongodb.async.SingleResultCallback;
 import com.mongodb.binding.AsyncConnectionSource;
 import com.mongodb.binding.AsyncReadWriteBinding;
-import com.mongodb.binding.AsyncSingleServerBinding;
 import com.mongodb.connection.AsyncConnection;
 import com.mongodb.connection.ClusterType;
 import com.mongodb.connection.Server;
@@ -53,77 +52,45 @@ public ReadPreference getReadPreference() {
 
     @Override
     public void getReadConnectionSource(final SingleResultCallback<AsyncConnectionSource> callback) {
-        wrapped.getReadConnectionSource(new SingleResultCallback<AsyncConnectionSource>() {
-            @Override
-            public void onResult(final AsyncConnectionSource result, final Throwable t) {
-                if (t != null) {
-                    callback.onResult(null, t);
-                } else {
-                    wrapConnectionSource(result, callback);
-                }
-            }
-        });
+        if (isActiveShardedTxn()) {
+            getPinnedConnectionSource(callback);
+        } else {
+            wrapped.getReadConnectionSource(new WrappingCallback(callback));
+        }
     }
 
     public void getWriteConnectionSource(final SingleResultCallback<AsyncConnectionSource> callback) {
-        wrapped.getWriteConnectionSource(new SingleResultCallback<AsyncConnectionSource>() {
-            @Override
-            public void onResult(final AsyncConnectionSource result, final Throwable t) {
-                if (t != null) {
-                    callback.onResult(null, t);
-                } else {
-                    wrapConnectionSource(result, callback);
-                }
-            }
-        });
+        if (isActiveShardedTxn()) {
+            getPinnedConnectionSource(callback);
+        } else {
+            wrapped.getWriteConnectionSource(new WrappingCallback(callback));
+        }
     }
 
     @Override
     public SessionContext getSessionContext() {
         return sessionContext;
     }
 
-    private void wrapConnectionSource(final AsyncConnectionSource connectionSource,
-                                      final SingleResultCallback<AsyncConnectionSource> callback) {
-        if (isActiveShardedTxn()) {
-            if (session.getPinnedServerAddress() == null) {
-                wrapped.getCluster().selectServerAsync(
-                        new ReadPreferenceServerSelector(wrapped.getReadPreference()),
-                        new SingleResultCallback<Server>() {
-                            @Override
-                            public void onResult(final Server server, final Throwable t) {
-                                if (t != null) {
-                                    callback.onResult(null, t);
-                                } else {
-                                    session.setPinnedServerAddress(server.getDescription().getAddress());
-                                    setSingleServerBindingConnectionSource(callback);
-                                }
+    private void getPinnedConnectionSource(final SingleResultCallback<AsyncConnectionSource> callback) {
+        if (session.getPinnedServerAddress() == null) {
+            wrapped.getCluster().selectServerAsync(
+                    new ReadPreferenceServerSelector(wrapped.getReadPreference()), new SingleResultCallback<Server>() {
+                        @Override
+                        public void onResult(final Server server, final Throwable t) {
+                            if (t != null) {
+                                callback.onResult(null, t);
+                            } else {
+                                session.setPinnedServerAddress(server.getDescription().getAddress());
+                                wrapped.getConnectionSource(session.getPinnedServerAddress(), new WrappingCallback(callback));
                             }
-                        });
-            } else {
-                setSingleServerBindingConnectionSource(callback);
-            }
+                        }
+                    });
         } else {
-            callback.onResult(new SessionBindingAsyncConnectionSource(connectionSource), null);
+            wrapped.getConnectionSource(session.getPinnedServerAddress(), new WrappingCallback(callback));
         }
     }
 
-    private void setSingleServerBindingConnectionSource(final SingleResultCallback<AsyncConnectionSource> callback) {
-        final AsyncSingleServerBinding binding =
-                new AsyncSingleServerBinding(wrapped.getCluster(), session.getPinnedServerAddress(), wrapped.getReadPreference());
-        binding.getWriteConnectionSource(new SingleResultCallback<AsyncConnectionSource>() {
-            @Override
-            public void onResult(final AsyncConnectionSource result, final Throwable t) {
-                binding.release();
-                if (t != null) {
-                    callback.onResult(null, t);
-                } else {
-                    callback.onResult(new SessionBindingAsyncConnectionSource(result), null);
-                }
-            }
-        });
-    }
-
     @Override
     public int getCount() {
         return wrapped.getCount();
@@ -225,4 +192,21 @@ public ReadConcern getReadConcern() {
             }
         }
     }
+
+    private class WrappingCallback implements SingleResultCallback<AsyncConnectionSource> {
+        private final SingleResultCallback<AsyncConnectionSource> callback;
+
+        WrappingCallback(final SingleResultCallback<AsyncConnectionSource> callback) {
+            this.callback = callback;
+        }
+
+        @Override
+        public void onResult(final AsyncConnectionSource result, final Throwable t) {
+            if (t != null) {
+                callback.onResult(null, t);
+            } else {
+                callback.onResult(new SessionBindingAsyncConnectionSource(result), null);
+            }
+        }
+    }
 }

driver-async/src/main/com/mongodb/async/client/internal/AsyncCryptBinding.java

@@ -17,6 +17,7 @@
 package com.mongodb.async.client.internal;
 
 import com.mongodb.ReadPreference;
+import com.mongodb.ServerAddress;
 import com.mongodb.async.SingleResultCallback;
 import com.mongodb.binding.AsyncConnectionSource;
 import com.mongodb.binding.AsyncReadWriteBinding;
@@ -74,6 +75,20 @@ public void onResult(final AsyncConnectionSource result, final Throwable t) {
         });
     }
 
+    @Override
+    public void getConnectionSource(final ServerAddress serverAddress, final SingleResultCallback<AsyncConnectionSource> callback) {
+        wrapped.getConnectionSource(serverAddress, new SingleResultCallback<AsyncConnectionSource>() {
+            @Override
+            public void onResult(final AsyncConnectionSource result, final Throwable t) {
+                if (t != null) {
+                    callback.onResult(null, t);
+                } else {
+                    callback.onResult(new AsyncCryptConnectionSource(result), null);
+                }
+            }
+        });
+    }
+
     @Override
     public int getCount() {
         return wrapped.getCount();

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionSessionTest.java

@@ -0,0 +1,172 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.async.client;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoNamespace;
+import com.mongodb.WriteConcern;
+import com.mongodb.async.FutureResultCallback;
+import com.mongodb.client.test.CollectionHelper;
+import org.bson.BsonDocument;
+import org.bson.BsonString;
+import org.bson.codecs.BsonDocumentCodec;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.mongodb.ClusterFixture.isNotAtLeastJava8;
+import static com.mongodb.ClusterFixture.isStandalone;
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static com.mongodb.async.client.Fixture.getDefaultDatabaseName;
+import static com.mongodb.async.client.Fixture.getMongoClient;
+import static com.mongodb.async.client.Fixture.getMongoClientBuilderFromConnectionString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeTrue;
+import static util.JsonPoweredTestHelper.getTestDocument;
+
+@RunWith(Parameterized.class)
+public class ClientSideEncryptionSessionTest {
+    private static final String COLLECTION_NAME = "clientSideEncryptionSessionsTest";
+
+    private MongoClient client = getMongoClient();
+    private MongoClient clientEncrypted;
+    private final boolean useTransaction;
+
+    @Parameterized.Parameters(name = "useTransaction: {0}")
+    public static Collection<Object[]> data() {
+        return Arrays.asList(new Object[]{true}, new Object[]{false});
+    }
+
+    public ClientSideEncryptionSessionTest(final boolean useTransaction) {
+        this.useTransaction = useTransaction;
+    }
+
+    @Before
+    public void setUp() throws Throwable {
+        assumeFalse(isNotAtLeastJava8());
+        assumeTrue(serverVersionAtLeast(4, 2));
+        assumeFalse(isStandalone());
+
+        /* Step 1: get unencrypted client and recreate keys collection */
+        client = getMongoClient();
+        MongoDatabase keyVaultDatabase = client.getDatabase("keyvault");
+        MongoCollection<BsonDocument> dataKeys = keyVaultDatabase.getCollection("datakeys", BsonDocument.class)
+                .withWriteConcern(WriteConcern.MAJORITY);
+        FutureResultCallback<Void> voidCallback = new FutureResultCallback<Void>();
+        dataKeys.drop(voidCallback);
+        voidCallback.get();
+
+        voidCallback = new FutureResultCallback<Void>();
+        dataKeys.insertOne(bsonDocumentFromPath("external-key.json"), voidCallback);
+        voidCallback.get();
+
+        /* Step 2: create encryption objects. */
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>();
+        Map<String, Object> localMasterkey = new HashMap<String, Object>();
+        Map<String, BsonDocument> schemaMap = new HashMap<String, BsonDocument>();
+
+        byte[] localMasterKeyBytes = Base64.getDecoder().decode("Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM"
+                                                                + "UN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk");
+        localMasterkey.put("key", localMasterKeyBytes);
+        kmsProviders.put("local", localMasterkey);
+        schemaMap.put(getDefaultDatabaseName() + "." + COLLECTION_NAME, bsonDocumentFromPath("external-schema.json"));
+
+        MongoClientSettings clientSettings = getMongoClientBuilderFromConnectionString()
+                .autoEncryptionSettings(AutoEncryptionSettings.builder()
+                        .keyVaultNamespace("keyvault.datakeys")
+                        .kmsProviders(kmsProviders)
+                        .schemaMap(schemaMap).build())
+                .build();
+        clientEncrypted = MongoClients.create(clientSettings);
+
+        CollectionHelper<BsonDocument> collectionHelper =
+        new CollectionHelper<BsonDocument>(new BsonDocumentCodec(), new MongoNamespace(getDefaultDatabaseName(), COLLECTION_NAME));
+        collectionHelper.drop();
+        collectionHelper.create();
+    }
+
+    @After
+    public void after() {
+        if (clientEncrypted != null) {
+            try {
+                clientEncrypted.close();
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+    }
+
+    @Test
+    public void testWithExplicitSession() throws Throwable {
+        BsonString unencryptedValue = new BsonString("test");
+
+        FutureResultCallback<ClientSession> clientSessionCallback = new FutureResultCallback<ClientSession>();
+        clientEncrypted.startSession(clientSessionCallback);
+        ClientSession clientSession = clientSessionCallback.get();
+        try {
+            if (useTransaction) {
+                clientSession.startTransaction();
+            }
+            MongoCollection<BsonDocument> autoEncryptedCollection = clientEncrypted.getDatabase(getDefaultDatabaseName())
+                    .getCollection(COLLECTION_NAME, BsonDocument.class);
+            FutureResultCallback<Void> insertCallback = new FutureResultCallback<Void>();
+            autoEncryptedCollection.insertOne(clientSession, new BsonDocument().append("encrypted", new BsonString("test")),
+                                              insertCallback);
+            insertCallback.get();
+
+            FutureResultCallback<BsonDocument> findCallback = new FutureResultCallback<BsonDocument>();
+            autoEncryptedCollection.find(clientSession).first(findCallback);
+            BsonDocument unencryptedDocument = findCallback.get();
+            assertEquals(unencryptedValue, unencryptedDocument.getString("encrypted"));
+
+            if (useTransaction) {
+                FutureResultCallback<Void> commitCallback = new FutureResultCallback<Void>();
+                clientSession.commitTransaction(commitCallback);
+                commitCallback.get();
+            }
+        } finally {
+            clientSession.close();
+        }
+
+        MongoCollection<BsonDocument> encryptedCollection = client.getDatabase(getDefaultDatabaseName())
+                .getCollection(COLLECTION_NAME, BsonDocument.class);
+        FutureResultCallback<BsonDocument> findCallback = new FutureResultCallback<BsonDocument>();
+        encryptedCollection.find().first(findCallback);
+        BsonDocument encryptedDocument = findCallback.get();
+        assertTrue(encryptedDocument.isBinary("encrypted"));
+        assertEquals(6, encryptedDocument.getBinary("encrypted").getType());
+    }
+
+    private static BsonDocument bsonDocumentFromPath(final String path) throws IOException, URISyntaxException {
+        return getTestDocument(new File(ClientSideEncryptionSessionTest.class
+                .getResource("/client-side-encryption-external/" + path).toURI()));
+    }
+}

driver-core/src/main/com/mongodb/binding/AsyncClusterBinding.java

@@ -18,6 +18,7 @@
 
 import com.mongodb.ReadConcern;
 import com.mongodb.ReadPreference;
+import com.mongodb.ServerAddress;
 import com.mongodb.async.SingleResultCallback;
 import com.mongodb.connection.AsyncConnection;
 import com.mongodb.connection.Cluster;
@@ -27,6 +28,7 @@
 import com.mongodb.internal.binding.AsyncClusterAwareReadWriteBinding;
 import com.mongodb.internal.connection.ReadConcernAwareNoOpSessionContext;
 import com.mongodb.selector.ReadPreferenceServerSelector;
+import com.mongodb.selector.ServerAddressSelector;
 import com.mongodb.selector.ServerSelector;
 import com.mongodb.selector.WritableServerSelector;
 import com.mongodb.session.SessionContext;
@@ -102,6 +104,11 @@ public void getWriteConnectionSource(final SingleResultCallback<AsyncConnectionS
         getAsyncClusterBindingConnectionSource(new WritableServerSelector(), callback);
     }
 
+    @Override
+    public void getConnectionSource(final ServerAddress serverAddress, final SingleResultCallback<AsyncConnectionSource> callback) {
+        getAsyncClusterBindingConnectionSource(new ServerAddressSelector(serverAddress), callback);
+    }
+
     private void getAsyncClusterBindingConnectionSource(final ServerSelector serverSelector,
                                                         final SingleResultCallback<AsyncConnectionSource> callback) {
         cluster.selectServerAsync(serverSelector, new SingleResultCallback<Server>() {