Client Side Encryption bypassAutoEncryption fix

If auto encryption is bypassed then the driver no longer tries
to spawn mongocryptd.

JAVA-3554

Author: rozza

driver-core/src/main/com/mongodb/internal/async/client/CommandMarker.java

@@ -38,23 +38,27 @@ class CommandMarker implements Closeable {
     private AsyncMongoClient client;
     private final ProcessBuilder processBuilder;
 
-    CommandMarker(final Map<String, Object> options) {
-        String connectionString;
+    CommandMarker(final boolean isBypassAutoEncryption, final Map<String, Object> options) {
 
-        if (options.containsKey("mongocryptdURI")) {
-            connectionString = (String) options.get("mongocryptdURI");
+        if (isBypassAutoEncryption) {
+            processBuilder = null;
+            client = null;
         } else {
-            connectionString = "mongodb://localhost:27020";
-        }
+            if (!options.containsKey("mongocryptdBypassSpawn") || !((Boolean) options.get("mongocryptdBypassSpawn"))) {
+                processBuilder = new ProcessBuilder(createMongocryptdSpawnArgs(options));
+                startProcess();
+            } else {
+                processBuilder = null;
+            }
 
-        if (!options.containsKey("mongocryptdBypassSpawn") || !((Boolean) options.get("mongocryptdBypassSpawn"))) {
-            processBuilder = new ProcessBuilder(createMongocryptdSpawnArgs(options));
-            startProcess();
-        } else {
-            processBuilder = null;
-        }
+            String connectionString;
+            if (options.containsKey("mongocryptdURI")) {
+                connectionString = (String) options.get("mongocryptdURI");
+            } else {
+                connectionString = "mongodb://localhost:27020";
+            }
 
-        client = AsyncMongoClients.create(MongoClientSettings.builder()
+            client = AsyncMongoClients.create(MongoClientSettings.builder()
                 .applyConnectionString(new ConnectionString(connectionString))
                 .applyToClusterSettings(new Block<ClusterSettings.Builder>() {
                     @Override
@@ -63,45 +67,53 @@ public void apply(final ClusterSettings.Builder builder) {
                     }
                 })
                 .build());
+
+        }
     }
 
     void mark(final String databaseName, final RawBsonDocument command, final SingleResultCallback<RawBsonDocument> callback) {
-        final SingleResultCallback<RawBsonDocument> wrappedCallback = new SingleResultCallback<RawBsonDocument>() {
-            @Override
-            public void onResult(final RawBsonDocument result, final Throwable t) {
-                if (t != null) {
-                    callback.onResult(null, new MongoClientException("Exception in encryption library: " + t.getMessage(), t));
-                } else {
-                    callback.onResult(result, null);
+        if (client != null) {
+            final SingleResultCallback<RawBsonDocument> wrappedCallback = new SingleResultCallback<RawBsonDocument>() {
+                @Override
+                public void onResult(final RawBsonDocument result, final Throwable t) {
+                    if (t != null) {
+                        callback.onResult(null, new MongoClientException("Exception in encryption library: " + t.getMessage(), t));
+                    } else {
+                        callback.onResult(result, null);
+                    }
                 }
-            }
-        };
-        runCommand(databaseName, command, new SingleResultCallback<RawBsonDocument>() {
-            @Override
-            public void onResult(final RawBsonDocument result, final Throwable t) {
-                if (t == null) {
-                    wrappedCallback.onResult(result, null);
-                } else if (t instanceof MongoTimeoutException && processBuilder != null) {
-                    startProcessAndContinue(new SingleResultCallback<Void>() {
-                        @Override
-                        public void onResult(final Void result, final Throwable t) {
-                            if (t != null) {
-                                callback.onResult(null, t);
-                            } else {
-                                runCommand(databaseName, command, wrappedCallback);
+            };
+            runCommand(databaseName, command, new SingleResultCallback<RawBsonDocument>() {
+                @Override
+                public void onResult(final RawBsonDocument result, final Throwable t) {
+                    if (t == null) {
+                        wrappedCallback.onResult(result, null);
+                    } else if (t instanceof MongoTimeoutException && processBuilder != null) {
+                        startProcessAndContinue(new SingleResultCallback<Void>() {
+                            @Override
+                            public void onResult(final Void result, final Throwable t) {
+                                if (t != null) {
+                                    callback.onResult(null, t);
+                                } else {
+                                    runCommand(databaseName, command, wrappedCallback);
+                                }
                             }
-                        }
-                    });
-                } else {
-                    wrappedCallback.onResult(null, t);
+                        });
+                    } else {
+                        wrappedCallback.onResult(null, t);
+                    }
                 }
-            }
-        });
+            });
+        } else {
+            callback.onResult(command, null);
+        }
     }
 
     @Override
     public void close() {
-        client.close();
+        if (client != null) {
+            client.close();
+        }
     }
 
     private void runCommand(final String databaseName, final RawBsonDocument command,

driver-core/src/main/com/mongodb/internal/async/client/Crypts.java

@@ -33,7 +33,7 @@ public final class Crypts {
     public static Crypt createCrypt(final AsyncMongoClient client, final AutoEncryptionSettings options) {
         return new Crypt(MongoCrypts.create(createMongoCryptOptions(options.getKmsProviders(), options.getSchemaMap())),
                 new CollectionInfoRetriever(client),
-                new CommandMarker(options.getExtraOptions()),
+                new CommandMarker(options.isBypassAutoEncryption(), options.getExtraOptions()),
                 createKeyRetriever(client, options.getKeyVaultMongoClientSettings(), options.getKeyVaultNamespace()),
                 createKeyManagementService(),
                 options.isBypassAutoEncryption());

driver-core/src/test/functional/com/mongodb/internal/async/client/Fixture.java

@@ -54,6 +54,10 @@ public static synchronized AsyncMongoClient getMongoClient() {
         return mongoClient;
     }
 
+    public static MongoClientSettings.Builder getMongoClientSettingsBuilder() {
+        return getMongoClientBuilderFromConnectionString();
+    }
+
     public static MongoClientSettings getMongoClientSettings() {
         return getMongoClientBuilderFromConnectionString().build();
     }

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/ClientSideEncryptionBypassAutoEncryptionTest.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.reactivestreams.client;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.ClientEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoNamespace;
+import com.mongodb.client.model.vault.DataKeyOptions;
+import com.mongodb.client.model.vault.EncryptOptions;
+import com.mongodb.client.result.InsertOneResult;
+import com.mongodb.reactivestreams.client.vault.ClientEncryption;
+import com.mongodb.reactivestreams.client.vault.ClientEncryptions;
+import org.bson.BsonBinary;
+import org.bson.BsonString;
+import org.bson.Document;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import static reactivestreams.helpers.SubscriberHelpers.ObservableSubscriber;
+import static reactivestreams.helpers.SubscriberHelpers.OperationSubscriber;
+
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+
+
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assume.assumeTrue;
+
+public class ClientSideEncryptionBypassAutoEncryptionTest {
+    private MongoClient clientEncrypted;
+    private ClientEncryption clientEncryption;
+
+    @Before
+    public void setUp() throws Throwable {
+        assumeTrue(serverVersionAtLeast(4, 1));
+
+        MongoClient mongoClient = Fixture.getMongoClient();
+
+        final byte[] localMasterKey = new byte[96];
+        new SecureRandom().nextBytes(localMasterKey);
+
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
+            put("local", new HashMap<String, Object>() {{
+                put("key", localMasterKey);
+            }});
+        }};
+
+
+        MongoNamespace keyVaultNamespace = new MongoNamespace(Fixture.getDefaultDatabaseName(), "testKeyVault");
+
+        Fixture.dropDatabase(Fixture.getDefaultDatabaseName());
+
+        ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
+                .keyVaultMongoClientSettings(Fixture.getMongoClientSettings())
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .build();
+
+        clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
+
+        AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .bypassAutoEncryption(true)
+                .build();
+
+        MongoClientSettings clientSettings = Fixture.getMongoClientSettingsBuilder()
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        clientEncrypted = MongoClients.create(clientSettings);
+    }
+
+    @Test
+    public void shouldAutoDecryptManuallyEncryptedData() {
+        String fieldValue = "123456789";
+
+        ObservableSubscriber<BsonBinary> binarySubscriber = new OperationSubscriber<>();
+        clientEncryption.createDataKey("local", new DataKeyOptions()).subscribe(binarySubscriber);
+        BsonBinary dataKeyId = binarySubscriber.get().get(0);
+
+        binarySubscriber = new OperationSubscriber<>();
+        clientEncryption.encrypt(new BsonString(fieldValue),
+                new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId))
+                .subscribe(binarySubscriber);
+        BsonBinary encryptedFieldValue = binarySubscriber.get().get(0);
+
+        MongoCollection<Document> collection = clientEncrypted.getDatabase(Fixture.getDefaultDatabaseName()).getCollection("test");
+
+        ObservableSubscriber<InsertOneResult> insertSubscriber = new OperationSubscriber<>();
+        collection.insertOne(new Document("encryptedField", encryptedFieldValue)).subscribe(insertSubscriber);
+        insertSubscriber.await();
+
+        ObservableSubscriber<Document> resultSubscriber = new OperationSubscriber<>();
+        collection.find().first().subscribe(resultSubscriber);
+
+        assertEquals(fieldValue, resultSubscriber.get().get(0).getString("encryptedField"));
+    }
+
+    @After
+    public void after() throws Throwable {
+        if (clientEncrypted != null) {
+            Fixture.dropDatabase(Fixture.getDefaultDatabaseName());
+            clientEncrypted.close();
+        }
+    }
+}

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/Fixture.java

@@ -17,6 +17,7 @@
 package com.mongodb.reactivestreams.client;
 
 import com.mongodb.ClusterFixture;
+import com.mongodb.MongoClientSettings;
 import com.mongodb.MongoCommandException;
 import com.mongodb.MongoNamespace;
 import com.mongodb.MongoTimeoutException;
@@ -48,14 +49,22 @@ private Fixture() {
 
     public static synchronized MongoClient getMongoClient() {
         if (mongoClient == null) {
-            mongoClient = MongoClients.create(ClusterFixture.getConnectionString());
+            mongoClient = MongoClients.create(getMongoClientSettings());
             serverVersion = getServerVersion();
             clusterType = getClusterType();
             Runtime.getRuntime().addShutdownHook(new ShutdownHook());
         }
         return mongoClient;
     }
 
+    public static MongoClientSettings getMongoClientSettings() {
+        return getMongoClientSettingsBuilder().build();
+    }
+
+    public static MongoClientSettings.Builder getMongoClientSettingsBuilder() {
+        return MongoClientSettings.builder().applyConnectionString(ClusterFixture.getConnectionString());
+    }
+
     public static String getDefaultDatabaseName() {
         return ClusterFixture.getDefaultDatabaseName();
     }

driver-scala/src/it/scala/org/mongodb/scala/ClientSideEncryptionBypassAutoEncryptionSpec.scala

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.mongodb.scala
+
+import java.security.SecureRandom
+
+import org.mongodb.scala.MongoClient.DEFAULT_CODEC_REGISTRY
+import org.mongodb.scala.bson.BsonString
+import org.mongodb.scala.model.vault.{ DataKeyOptions, EncryptOptions }
+import org.mongodb.scala.vault.ClientEncryptions
+
+import scala.collection.JavaConverters._
+
+class ClientSideEncryptionBypassAutoEncryptionSpec extends RequiresMongoDBISpec with FuturesSpec {
+
+  "ClientSideEncryption" should "be able to bypass auto encryption" in withDatabase { db =>
+    assume(serverVersionAtLeast(List(4, 1, 0)))
+
+    val localMasterKey = new Array[Byte](96)
+    new SecureRandom().nextBytes(localMasterKey)
+
+    val kmsProviders = Map("local" -> Map[String, AnyRef]("key" -> localMasterKey).asJava).asJava
+
+    val keyVaultNamespace: MongoNamespace = new MongoNamespace(databaseName, "testKeyVault")
+
+    db.drop().futureValue
+
+    val clientEncryptionSettings: ClientEncryptionSettings = ClientEncryptionSettings
+      .builder()
+      .keyVaultMongoClientSettings(mongoClientSettings)
+      .keyVaultNamespace(keyVaultNamespace.getFullName)
+      .kmsProviders(kmsProviders)
+      .build()
+
+    val clientEncryption = ClientEncryptions.create(clientEncryptionSettings)
+
+    val autoEncryptionSettings: AutoEncryptionSettings = AutoEncryptionSettings
+      .builder()
+      .keyVaultNamespace(keyVaultNamespace.getFullName)
+      .kmsProviders(kmsProviders)
+      .bypassAutoEncryption(true)
+      .build()
+
+    val clientSettings: MongoClientSettings = mongoClientSettingsBuilder
+      .autoEncryptionSettings(autoEncryptionSettings)
+      .codecRegistry(DEFAULT_CODEC_REGISTRY)
+      .build
+
+    val clientEncrypted = MongoClient(clientSettings)
+
+    val fieldValue = BsonString("123456789")
+
+    val dataKeyId = clientEncryption.createDataKey("local", DataKeyOptions()).head().futureValue
+
+    val encryptedFieldValue = clientEncryption
+      .encrypt(fieldValue, EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId))
+      .head()
+      .futureValue
+
+    val collection: MongoCollection[Document] =
+      clientEncrypted.getDatabase(databaseName).getCollection[Document]("test")
+
+    collection.insertOne(Document("encryptedField" -> encryptedFieldValue)).futureValue
+
+    val result = collection.find().first().head().futureValue
+
+    result.get[BsonString]("encryptedField") should equal(Some(fieldValue))
+  }
+
+}