Client Side Encryption bypassAutoEncryption fix

If auto encryption is bypassed then the driver no longer tries
to spawn mongocryptd.

JAVA-3554

Author: rozza

driver-async/src/main/com/mongodb/async/client/internal/CommandMarker.java

@@ -33,20 +33,19 @@
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+import static com.mongodb.assertions.Assertions.notNull;
 import static com.mongodb.internal.capi.MongoCryptOptionsHelper.createMongocryptdSpawnArgs;
 
 @SuppressWarnings("UseOfProcessBuilder")
 class CommandMarker implements Closeable {
-    private MongoClient client;
+    private final MongoClient client;
     private final ProcessBuilder processBuilder;
 
-    CommandMarker(final Map<String, Object> options) {
-        String connectionString;
-
-        if (options.containsKey("mongocryptdURI")) {
-            connectionString = (String) options.get("mongocryptdURI");
-        } else {
-            connectionString = "mongodb://localhost:27020";
+    CommandMarker(final boolean isBypassAutoEncryption, final Map<String, Object> options) {
+        if (isBypassAutoEncryption) {
+            processBuilder = null;
+            client = null;
+            return;
         }
 
         if (!options.containsKey("mongocryptdBypassSpawn") || !((Boolean) options.get("mongocryptdBypassSpawn"))) {
@@ -56,6 +55,14 @@ class CommandMarker implements Closeable {
             processBuilder = null;
         }
 
+        String connectionString;
+
+        if (options.containsKey("mongocryptdURI")) {
+            connectionString = (String) options.get("mongocryptdURI");
+        } else {
+            connectionString = "mongodb://localhost:27020";
+        }
+
         client = MongoClients.create(MongoClientSettings.builder()
                 .applyConnectionString(new ConnectionString(connectionString))
                 .applyToClusterSettings(new Block<ClusterSettings.Builder>() {
@@ -68,6 +75,8 @@ public void apply(final ClusterSettings.Builder builder) {
     }
 
     void mark(final String databaseName, final RawBsonDocument command, final SingleResultCallback<RawBsonDocument> callback) {
+        notNull("client", client, callback);
+
         final SingleResultCallback<RawBsonDocument> wrappedCallback = new SingleResultCallback<RawBsonDocument>() {
             @Override
             public void onResult(final RawBsonDocument result, final Throwable t) {
@@ -103,7 +112,9 @@ public void onResult(final Void result, final Throwable t) {
 
     @Override
     public void close() {
-        client.close();
+        if (client != null) {
+            client.close();
+        }
     }
 
     private void runCommand(final String databaseName, final RawBsonDocument command,

driver-async/src/main/com/mongodb/async/client/internal/Crypts.java

@@ -35,7 +35,7 @@ public final class Crypts {
     public static Crypt createCrypt(final MongoClient client, final AutoEncryptionSettings options) {
         return new Crypt(MongoCrypts.create(createMongoCryptOptions(options.getKmsProviders(), options.getSchemaMap())),
                 new CollectionInfoRetriever(client),
-                new CommandMarker(options.getExtraOptions()),
+                new CommandMarker(options.isBypassAutoEncryption(), options.getExtraOptions()),
                 createKeyRetriever(client, options.getKeyVaultMongoClientSettings(), options.getKeyVaultNamespace()),
                 createKeyManagementService(),
                 options.isBypassAutoEncryption());

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionBypassAutoEncryptionTest.java

@@ -0,0 +1,124 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.async.client;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.ClientEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoNamespace;
+import com.mongodb.async.FutureResultCallback;
+import com.mongodb.async.client.vault.ClientEncryption;
+import com.mongodb.async.client.vault.ClientEncryptions;
+import com.mongodb.client.model.vault.DataKeyOptions;
+import com.mongodb.client.model.vault.EncryptOptions;
+import org.bson.BsonBinary;
+import org.bson.BsonString;
+import org.bson.Document;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.mongodb.ClusterFixture.isNotAtLeastJava8;
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static com.mongodb.async.client.Fixture.getDefaultDatabaseName;
+import static com.mongodb.async.client.Fixture.getMongoClient;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeTrue;
+
+public class ClientSideEncryptionBypassAutoEncryptionTest {
+    private MongoClient clientEncrypted;
+    private ClientEncryption clientEncryption;
+
+    @Before
+    public void setUp() {
+        assumeFalse(isNotAtLeastJava8());
+        assumeTrue(serverVersionAtLeast(4, 1));
+
+        MongoClient mongoClient = getMongoClient();
+
+        final byte[] localMasterKey = new byte[96];
+        new SecureRandom().nextBytes(localMasterKey);
+
+        Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
+            put("local", new HashMap<String, Object>() {{
+                put("key", localMasterKey);
+            }});
+        }};
+
+
+        MongoNamespace keyVaultNamespace = new MongoNamespace(Fixture.getDefaultDatabaseName(), "testKeyVault");
+
+        Fixture.dropDatabase(Fixture.getDefaultDatabaseName());
+
+        ClientEncryptionSettings clientEncryptionSettings = ClientEncryptionSettings.builder()
+                .keyVaultMongoClientSettings(Fixture.getMongoClientSettings())
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .build();
+
+        clientEncryption = ClientEncryptions.create(clientEncryptionSettings);
+
+        AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .bypassAutoEncryption(true)
+                .build();
+
+        MongoClientSettings clientSettings = Fixture.getMongoClientSettingsBuilder()
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        clientEncrypted = MongoClients.create(clientSettings);
+    }
+
+    @Test
+    public void shouldAutoDecryptManuallyEncryptedData() {
+        String fieldValue = "123456789";
+
+        FutureResultCallback<BsonBinary> binaryCallback = new FutureResultCallback<BsonBinary>();
+        clientEncryption.createDataKey("local", new DataKeyOptions(), binaryCallback);
+        BsonBinary dataKeyId = binaryCallback.get();
+
+        binaryCallback = new FutureResultCallback<BsonBinary>();
+        clientEncryption.encrypt(new BsonString(fieldValue),
+                new EncryptOptions("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic").keyId(dataKeyId), binaryCallback);
+        BsonBinary encryptedFieldValue = binaryCallback.get();
+
+        MongoCollection<Document> collection = clientEncrypted.getDatabase(Fixture.getDefaultDatabaseName()).getCollection("test");
+
+        FutureResultCallback<Void> insertCallback = new FutureResultCallback<Void>();
+        collection.insertOne(new Document("encryptedField", encryptedFieldValue), insertCallback);
+        insertCallback.get();
+
+        FutureResultCallback<Document> resultCallback = new FutureResultCallback<Document>();
+        collection.find().first(resultCallback);
+
+        assertEquals(fieldValue, resultCallback.get().getString("encryptedField"));
+    }
+
+    @After
+    public void after() {
+        if (clientEncrypted != null) {
+            Fixture.dropDatabase(getDefaultDatabaseName());
+            clientEncrypted.close();
+        }
+    }
+}

driver-async/src/test/functional/com/mongodb/async/client/ClientSideEncryptionMongocryptdSpawnBypassTest.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.async.client;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoNamespace;
+import com.mongodb.async.FutureResultCallback;
+import org.bson.Document;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.mongodb.ClusterFixture.serverVersionAtLeast;
+import static java.util.Arrays.asList;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeTrue;
+
+
+public class ClientSideEncryptionMongocryptdSpawnBypassTest extends DatabaseTestCase {
+    private final File pidFile;
+    private final Map<String, Map<String, Object>> kmsProviders;
+    private final MongoNamespace keyVaultNamespace = new MongoNamespace("admin.datakeys");
+
+    public ClientSideEncryptionMongocryptdSpawnBypassTest() throws IOException {
+        super();
+        pidFile = new File("bypass-spawning-mongocryptd.pid");
+
+        byte[] localMasterKey = new byte[96];
+        new SecureRandom().nextBytes(localMasterKey);
+
+        Map<String, Object> keyMap = new HashMap<String, Object>();
+        keyMap.put("key", localMasterKey);
+        kmsProviders = new HashMap<String, Map<String, Object>>();
+        kmsProviders.put("local", keyMap);
+    }
+
+
+    @Test
+    public void shouldNotSpawnWhenMongocryptdBypassSpawnIsTrue() {
+        assumeTrue(serverVersionAtLeast(4, 1));
+        Map<String, Object> extraOptions = new HashMap<String, Object>();
+        extraOptions.put("mongocryptdBypassSpawn", true);
+        extraOptions.put("mongocryptdSpawnArgs", asList("--pidfilepath=" + pidFile.getAbsolutePath(), "--port=27099"));
+
+        AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .extraOptions(extraOptions)
+                .build();
+
+        MongoClientSettings clientSettings = Fixture.getMongoClientSettingsBuilder()
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        MongoClient clientEncrypted = MongoClients.create(clientSettings);
+        try {
+            FutureResultCallback<Document> pingCallback = new FutureResultCallback<Document>();
+            clientEncrypted.getDatabase("admin").runCommand(new Document("ping", 1), pingCallback);
+            pingCallback.get();
+
+            assertFalse(pidFile.exists());
+        } finally {
+            clientEncrypted.close();
+        }
+    }
+
+    @Test
+    public void shouldNotSpawnWhenBypassAutoEncryptionIsTrue() {
+        assumeTrue(serverVersionAtLeast(4, 1));
+        Map<String, Object> extraOptions = new HashMap<String, Object>();
+        extraOptions.put("mongocryptdSpawnArgs", asList("--pidfilepath=" + pidFile.getAbsolutePath(), "--port=27099"));
+
+        AutoEncryptionSettings autoEncryptionSettings = AutoEncryptionSettings.builder()
+                .keyVaultNamespace(keyVaultNamespace.getFullName())
+                .kmsProviders(kmsProviders)
+                .extraOptions(extraOptions)
+                .bypassAutoEncryption(true)
+                .build();
+
+        MongoClientSettings clientSettings = Fixture.getMongoClientSettingsBuilder()
+                .autoEncryptionSettings(autoEncryptionSettings)
+                .build();
+        MongoClient clientEncrypted = MongoClients.create(clientSettings);
+
+        try {
+            FutureResultCallback<Document> pingCallback = new FutureResultCallback<Document>();
+            clientEncrypted.getDatabase("admin").runCommand(new Document("ping", 1), pingCallback);
+            pingCallback.get();
+
+            assertFalse(pidFile.exists());
+        } finally {
+            clientEncrypted.close();
+        }
+    }
+}

driver-async/src/test/functional/com/mongodb/async/client/Fixture.java

@@ -59,6 +59,10 @@ public static synchronized MongoClient getMongoClient() {
         return mongoClient;
     }
 
+    public static MongoClientSettings.Builder getMongoClientSettingsBuilder() {
+        return getMongoClientBuilderFromConnectionString();
+    }
+
     public static MongoClientSettings getMongoClientSettings() {
         return getMongoClientBuilderFromConnectionString().build();
     }