mongodb
diff --git a/‎.evergreen/.evg.yml
Lines changed: 11 additions & 0 deletions b/‎.evergreen/.evg.yml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.evergreen/run-tests.sh
Lines changed: 1 addition & 0 deletions b/‎.evergreen/run-tests.sh
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/checkstyle/suppressions.xml
Lines changed: 1 addition & 0 deletions b/‎config/checkstyle/suppressions.xml
Lines changed: 1 addition & 0 deletions
diff --git a/‎driver-core/src/main/com/mongodb/AutoEncryptionSettings.java
Lines changed: 11 additions & 2 deletions b/‎driver-core/src/main/com/mongodb/AutoEncryptionSettings.java
Lines changed: 11 additions & 2 deletions
diff --git a/‎driver-core/src/main/com/mongodb/internal/capi/MongoCryptHelper.java
Lines changed: 40 additions & 33 deletions b/‎driver-core/src/main/com/mongodb/internal/capi/MongoCryptHelper.java
Lines changed: 40 additions & 33 deletions
diff --git a/‎driver-core/src/test/functional/com/mongodb/internal/capi/MongoCryptHelperTest.java
Lines changed: 103 additions & 0 deletions b/‎driver-core/src/test/functional/com/mongodb/internal/capi/MongoCryptHelperTest.java
Lines changed: 103 additions & 0 deletions
@@ -165,6 +165,15 @@ functions:
         script: |
           DRIVERS_TOOLS="${DRIVERS_TOOLS}" sh ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/run-mongohouse-local.sh
 
+  "download crypt_shared":
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          ${PREPARE_SHELL}
+          /opt/mongodbtoolchain/v3/bin/python3 ${DRIVERS_TOOLS}/.evergreen/mongodl.py --component crypt_shared --version latest \
+          --only=lib/mongo_crypt_v1.so --out ${PROJECT_DIRECTORY}/crypt_shared/
+
   "run load-balancer":
     - command: shell.exec
       params:
@@ -229,6 +238,7 @@ functions:
           AZURE_TENANT_ID=${azure_tenant_id} AZURE_CLIENT_ID=${azure_client_id} AZURE_CLIENT_SECRET=${azure_client_secret} \
           GCP_EMAIL=${gcp_email} GCP_PRIVATE_KEY=${gcp_private_key} \
           REQUIRE_API_VERSION=${REQUIRE_API_VERSION} \
+          CRYPT_SHARED_LIB_PATH="${PROJECT_DIRECTORY}/crypt_shared/lib/mongo_crypt_v1.so" \
           .evergreen/run-tests.sh
 
   "run load-balancer tests":
@@ -784,6 +794,7 @@ tasks:
       commands:
         - func: "start-kms-kmip-server"
         - func: "bootstrap mongo-orchestration"
+        - func: "download crypt_shared"
         - func: "run tests"
 
     - name: load-balancer-test
 
@@ -144,6 +144,7 @@ else
               -Dorg.mongodb.test.azureTenantId=${AZURE_TENANT_ID} -Dorg.mongodb.test.azureClientId=${AZURE_CLIENT_ID} -Dorg.mongodb.test.azureClientSecret=${AZURE_CLIENT_SECRET} \
               -Dorg.mongodb.test.gcpEmail=${GCP_EMAIL} -Dorg.mongodb.test.gcpPrivateKey=${GCP_PRIVATE_KEY} \
               ${MULTI_MONGOS_URI_SYSTEM_PROPERTY} ${API_VERSION} ${GRADLE_EXTRA_VARS} ${ASYNC_TYPE} \
+              -Dorg.mongodb.test.crypt.shared.lib..path=${CRYPT_SHARED_LIB_PATH} \
               ${JAVA_SYSPROP_NETTY_SSL_PROVIDER} \
               --stacktrace --info --continue test
 fi
@@ -31,6 +31,7 @@
 
     <suppress checks="MethodLength" files="PojoRoundTripTest"/>
     <suppress checks="MethodLength" files="AbstractUnifiedTest"/>
+    <suppress checks="MethodLength" files="AbstractClientSideEncryptionTest"/>
     <suppress checks="MethodLength" files="AggregatesSearchIntegrationTest"/>
     <suppress checks="MethodLength" files="ConnectionString"/>
 
 
@@ -172,6 +172,11 @@ public Builder schemaMap(final Map<String, BsonDocument> schemaMap) {
         /**
          * Sets the extra options.
          *
+         * <p>
+         *      <strong>Note:</strong> When setting {@code cryptSharedLibPath}, the override path must be given as a path to the shared
+         *      crypt library file itself, and not simply the directory that contains it.
+         * </p>
+         *
          * @param extraOptions the extra options, which may not be null
          * @return this
          * @see #getExtraOptions()
@@ -218,7 +223,7 @@ public Builder encryptedFieldsMap(final Map<String, BsonDocument> encryptedField
          * Enable or disable automatic analysis of outgoing commands.
          *
          * <p>Set bypassQueryAnalysis to true to use explicit encryption on indexed fields
-         * without the MongoDB Enterprise Advanced licensed csfle shared library.</p>
+         * without the MongoDB Enterprise Advanced licensed crypt shared library.</p>
          *
          * @param bypassQueryAnalysis whether query analysis should be bypassed
          * @return this
@@ -413,6 +418,10 @@ public Map<String, BsonDocument> getSchemaMap() {
      * the system path.</li>
      * <li>mongocryptdSpawnArgs: Used to control the behavior of mongocryptd when the driver spawns it. By default, the driver spawns
      * mongocryptd with the single command line argument {@code "--idleShutdownTimeoutSecs=60"}</li>
+     * <li>cryptSharedLibPath: Optional, override the path used to load the crypt shared library. Note: All MongoClient objects in the
+     * same process should use the same setting for cryptSharedLibPath, as it is an error to load more that one crypt shared library
+     * simultaneously in a single operating system process.</li>
+     * <li>cryptSharedLibRequired: boolean, if 'true', refuse to continue encryption without a crypt shared library.</li>
      * </ul>
      *
      * @return the extra options map
@@ -460,7 +469,7 @@ public Map<String, BsonDocument> getEncryptedFieldsMap() {
      * Gets whether automatic analysis of outgoing commands is set.
      *
      * <p>Set bypassQueryAnalysis to true to use explicit encryption on indexed fields
-     * without the MongoDB Enterprise Advanced licensed csfle shared library.</p>
+     * without the MongoDB Enterprise Advanced licensed crypt shared library.</p>
      *
      * @return true if query analysis should be bypassed
      * @since 4.7
 
@@ -16,14 +16,13 @@
 
 package com.mongodb.internal.capi;
 
+import com.mongodb.AutoEncryptionSettings;
 import com.mongodb.AwsCredential;
-import com.mongodb.Block;
+import com.mongodb.ClientEncryptionSettings;
 import com.mongodb.ConnectionString;
 import com.mongodb.MongoClientException;
 import com.mongodb.MongoClientSettings;
 import com.mongodb.MongoConfigurationException;
-import com.mongodb.connection.ClusterSettings;
-import com.mongodb.connection.SocketSettings;
 import com.mongodb.crypt.capi.MongoCryptOptions;
 import com.mongodb.internal.authentication.AwsCredentialHelper;
 import com.mongodb.lang.Nullable;
@@ -41,25 +40,41 @@
 import java.util.function.Supplier;
 
 import static java.lang.String.format;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.emptyMap;
+import static java.util.Collections.singletonList;
 
 public final class MongoCryptHelper {
 
-    public static MongoCryptOptions createMongoCryptOptions(final Map<String, Map<String, Object>> kmsProviders) {
-        return createMongoCryptOptions(kmsProviders, null, null, false);
+    public static MongoCryptOptions createMongoCryptOptions(final ClientEncryptionSettings settings) {
+        return createMongoCryptOptions(settings.getKmsProviders(), false, emptyList(), emptyMap(), null, null);
     }
 
-    public static MongoCryptOptions createMongoCryptOptions(final Map<String, Map<String, Object>> kmsProviders,
+    public static MongoCryptOptions createMongoCryptOptions(final AutoEncryptionSettings settings) {
+        return createMongoCryptOptions(
+                settings.getKmsProviders(),
+                settings.isBypassQueryAnalysis(),
+                settings.isBypassAutoEncryption() ? emptyList() :  singletonList("$SYSTEM"),
+                settings.getExtraOptions(),
+                settings.getSchemaMap(),
+                settings.getEncryptedFieldsMap());
+    }
+
+    private static MongoCryptOptions createMongoCryptOptions(
+            final Map<String, Map<String, Object>> kmsProviders,
+            final boolean bypassQueryAnalysis,
+            final List<String> searchPaths,
+            @Nullable final Map<String, Object> extraOptions,
             @Nullable final Map<String, BsonDocument> localSchemaMap,
-            @Nullable final Map<String, BsonDocument> encryptedFieldsMap,
-            final boolean bypassQueryAnalysis) {
+            @Nullable final Map<String, BsonDocument> encryptedFieldsMap) {
         MongoCryptOptions.Builder mongoCryptOptionsBuilder = MongoCryptOptions.builder();
-
-        BsonDocument bsonKmsProviders = getKmsProvidersAsBsonDocument(kmsProviders);
-        mongoCryptOptionsBuilder.kmsProviderOptions(bsonKmsProviders);
-        mongoCryptOptionsBuilder.needsKmsCredentialsStateEnabled(true);
+        mongoCryptOptionsBuilder.kmsProviderOptions(getKmsProvidersAsBsonDocument(kmsProviders));
+        mongoCryptOptionsBuilder.bypassQueryAnalysis(bypassQueryAnalysis);
+        mongoCryptOptionsBuilder.searchPaths(searchPaths);
+        mongoCryptOptionsBuilder.extraOptions(toBsonDocument(extraOptions));
         mongoCryptOptionsBuilder.localSchemaMap(localSchemaMap);
         mongoCryptOptionsBuilder.encryptedFieldsMap(encryptedFieldsMap);
-        mongoCryptOptionsBuilder.bypassQueryAnalysis(bypassQueryAnalysis);
+        mongoCryptOptionsBuilder.needsKmsCredentialsStateEnabled(true);
         return mongoCryptOptionsBuilder.build();
     }
     public static BsonDocument fetchCredentials(final Map<String, Map<String, Object>> kmsProviders,
@@ -82,7 +97,7 @@ public static BsonDocument fetchCredentials(final Map<String, Map<String, Object
                                 + " The returned value is %s.",
                         kmsProviderName, kmsProviderCredential == null ? "null" : "empty"));
             }
-            addToKmsProviderDocument(kmsProvidersDocument, kmsProviderName, kmsProviderCredential);
+            kmsProvidersDocument.put(kmsProviderName, toBsonDocument(kmsProviderCredential));
         }
         if (kmsProvidersDocument.containsKey("aws") && kmsProvidersDocument.get("aws").asDocument().isEmpty()) {
             AwsCredential awsCredential = AwsCredentialHelper.obtainFromEnvironment();
@@ -101,20 +116,20 @@ public static BsonDocument fetchCredentials(final Map<String, Map<String, Object
 
     private static BsonDocument getKmsProvidersAsBsonDocument(final Map<String, Map<String, Object>> kmsProviders) {
         BsonDocument bsonKmsProviders = new BsonDocument();
-        for (Map.Entry<String, Map<String, Object>> entry : kmsProviders.entrySet()) {
-            addToKmsProviderDocument(bsonKmsProviders, entry.getKey(), entry.getValue());
-        }
+        kmsProviders.forEach((k, v) -> bsonKmsProviders.put(k, toBsonDocument(v)));
         return bsonKmsProviders;
     }
 
-    private static void addToKmsProviderDocument(final BsonDocument kmsProvidersDocument, final String kmsProvider,
-            final Map<String, Object> kmsProviderCredential) {
-        kmsProvidersDocument.put(kmsProvider, new BsonDocumentWrapper<>(new Document(kmsProviderCredential), new DocumentCodec()));
+    private static BsonDocument toBsonDocument(final Map<String, Object> optionsMap) {
+        if (optionsMap == null) {
+            return new BsonDocument();
+        }
+        return new BsonDocumentWrapper<>(new Document(optionsMap), new DocumentCodec());
     }
 
     @SuppressWarnings("unchecked")
     public static List<String> createMongocryptdSpawnArgs(final Map<String, Object> options) {
-        List<String> spawnArgs = new ArrayList<String>();
+        List<String> spawnArgs = new ArrayList<>();
 
         String path = options.containsKey("mongocryptdSpawnPath")
                 ? (String) options.get("mongocryptdSpawnPath")
@@ -135,18 +150,10 @@ public static List<String> createMongocryptdSpawnArgs(final Map<String, Object>
     public static MongoClientSettings createMongocryptdClientSettings(final String connectionString) {
 
         return MongoClientSettings.builder()
-                .applyToClusterSettings(new Block<ClusterSettings.Builder>() {
-                    @Override
-                    public void apply(final ClusterSettings.Builder builder) {
-                        builder.serverSelectionTimeout(10, TimeUnit.SECONDS);
-                    }
-                })
-                .applyToSocketSettings(new Block<SocketSettings.Builder>() {
-                    @Override
-                    public void apply(final SocketSettings.Builder builder) {
-                        builder.readTimeout(10, TimeUnit.SECONDS);
-                        builder.connectTimeout(10, TimeUnit.SECONDS);
-                    }
+                .applyToClusterSettings(builder -> builder.serverSelectionTimeout(10, TimeUnit.SECONDS))
+                .applyToSocketSettings(builder -> {
+                    builder.readTimeout(10, TimeUnit.SECONDS);
+                    builder.connectTimeout(10, TimeUnit.SECONDS);
                 })
                 .applyConnectionString(new ConnectionString((connectionString != null)
                         ? connectionString : "mongodb://localhost:27020"))
 
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.internal.capi;
+
+import com.mongodb.AutoEncryptionSettings;
+import com.mongodb.ClientEncryptionSettings;
+import com.mongodb.crypt.capi.MongoCryptOptions;
+import org.bson.BsonDocument;
+import org.junit.jupiter.api.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static java.util.Collections.emptyList;
+import static java.util.Collections.emptyMap;
+import static java.util.Collections.singletonList;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class MongoCryptHelperTest {
+
+    @Test
+    public void createsExpectedMongoCryptOptionsUsingClientEncryptionSettings() {
+
+        Map<String, Map<String, Object>> kmsProvidersRaw = new HashMap<>();
+        kmsProvidersRaw.put("provider", new HashMap<String, Object>(){{
+            put("test", "test");
+        }});
+
+        ClientEncryptionSettings settings = ClientEncryptionSettings
+                .builder()
+                .kmsProviders(kmsProvidersRaw)
+                .keyVaultNamespace("a.b")
+                .build();
+        MongoCryptOptions mongoCryptOptions = MongoCryptHelper.createMongoCryptOptions(settings);
+
+
+        BsonDocument expectedKmsProviders = BsonDocument.parse("{provider: {test: 'test'}}");
+        MongoCryptOptions expectedMongoCryptOptions = MongoCryptOptions
+                .builder()
+                .kmsProviderOptions(expectedKmsProviders)
+                .needsKmsCredentialsStateEnabled(true)
+                .build();
+
+        assertMongoCryptOptions(expectedMongoCryptOptions, mongoCryptOptions);
+    }
+
+    @Test
+    public void createsExpectedMongoCryptOptionsUsingAutoEncryptionSettings() {
+
+        Map<String, Map<String, Object>> kmsProvidersRaw = new HashMap<>();
+        kmsProvidersRaw.put("provider", new HashMap<String, Object>(){{
+            put("test", "test");
+        }});
+
+        AutoEncryptionSettings.Builder autoEncryptionSettingsBuilder = AutoEncryptionSettings
+                .builder()
+                .kmsProviders(kmsProvidersRaw)
+                .keyVaultNamespace("a.b");
+        MongoCryptOptions mongoCryptOptions = MongoCryptHelper.createMongoCryptOptions(autoEncryptionSettingsBuilder.build());
+
+        BsonDocument expectedKmsProviders = BsonDocument.parse("{provider: {test: 'test'}}");
+        MongoCryptOptions.Builder mongoCryptOptionsBuilder = MongoCryptOptions
+                .builder()
+                .kmsProviderOptions(expectedKmsProviders)
+                .needsKmsCredentialsStateEnabled(true)
+                .encryptedFieldsMap(emptyMap())
+                .localSchemaMap(emptyMap())
+                .searchPaths(singletonList("$SYSTEM"));
+
+        assertMongoCryptOptions(mongoCryptOptionsBuilder.build(), mongoCryptOptions);
+
+        // Ensure search Paths is empty when bypassAutoEncryption is true
+        autoEncryptionSettingsBuilder.bypassAutoEncryption(true);
+        mongoCryptOptions = MongoCryptHelper.createMongoCryptOptions(autoEncryptionSettingsBuilder.build());
+        assertMongoCryptOptions(mongoCryptOptionsBuilder.searchPaths(emptyList()).build(), mongoCryptOptions);
+    }
+
+    void assertMongoCryptOptions(final MongoCryptOptions expected, final MongoCryptOptions actual) {
+        assertEquals(expected.getAwsKmsProviderOptions(), actual.getAwsKmsProviderOptions(), "AwsKmsProviderOptions not equal");
+        assertEquals(expected.getEncryptedFieldsMap(), actual.getEncryptedFieldsMap(), "EncryptedFieldsMap not equal");
+        assertEquals(expected.getExtraOptions(), actual.getExtraOptions(), "ExtraOptions not equal");
+        assertEquals(expected.getKmsProviderOptions(), actual.getKmsProviderOptions(), "KmsProviderOptions not equal");
+        assertEquals(expected.getLocalKmsProviderOptions(), actual.getLocalKmsProviderOptions(), "LocalKmsProviderOptions not equal");
+        assertEquals(expected.getLocalSchemaMap(), actual.getLocalSchemaMap(), "LocalSchemaMap not equal");
+        assertEquals(expected.getSearchPaths(), actual.getSearchPaths(), "SearchPaths not equal");
+        assertEquals(expected.isBypassQueryAnalysis(), actual.isBypassQueryAnalysis(), "isBypassQueryAnalysis not equal");
+        assertEquals(expected.isNeedsKmsCredentialsStateEnabled(), actual.isNeedsKmsCredentialsStateEnabled(), "isNeedsKmsCredentialsStateEnabled not equal");
+    }
+}