Support configuration of KMS provider credentials with a Supplier (#894)

JAVA-4504

Co-authored-by: Valentin Kovalenko <[email protected]>

Author: jyemin

driver-core/src/main/com/mongodb/AutoEncryptionSettings.java

@@ -24,6 +24,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Supplier;
 
 import static com.mongodb.assertions.Assertions.notNull;
 import static java.util.Collections.unmodifiableMap;
@@ -62,6 +63,7 @@ public final class AutoEncryptionSettings {
     private final String keyVaultNamespace;
     private final Map<String, Map<String, Object>> kmsProviders;
     private final Map<String, SSLContext> kmsProviderSslContextMap;
+    private final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers;
     private final Map<String, BsonDocument> schemaMap;
     private final Map<String, Object> extraOptions;
     private final boolean bypassAutoEncryption;
@@ -76,6 +78,7 @@ public static final class Builder {
         private String keyVaultNamespace;
         private Map<String, Map<String, Object>> kmsProviders;
         private Map<String, SSLContext> kmsProviderSslContextMap = new HashMap<>();
+        private Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers = new HashMap<>();
         private Map<String, BsonDocument> schemaMap = Collections.emptyMap();
         private Map<String, Object> extraOptions = Collections.emptyMap();
         private boolean bypassAutoEncryption;
@@ -109,13 +112,30 @@ public Builder keyVaultNamespace(final String keyVaultNamespace) {
          *
          * @param kmsProviders the KMS providers map, which may not be null
          * @return this
+         * @see #kmsProviderPropertySuppliers(Map)
          * @see #getKmsProviders()
          */
         public Builder kmsProviders(final Map<String, Map<String, Object>> kmsProviders) {
             this.kmsProviders = notNull("kmsProviders", kmsProviders);
             return this;
         }
 
+        /**
+         * This method is similar to {@link #kmsProviders(Map)}, but instead of configuring properties for KMS providers,
+         * it configures {@link Supplier}s of properties.
+         *
+         * @param kmsProviderPropertySuppliers A {@link Map} where keys identify KMS providers,
+         * and values specify {@link Supplier}s of properties for the KMS providers.
+         * Must not be null. Each {@link Supplier} must return non-empty properties.
+         * @return this
+         * @see #getKmsProviderPropertySuppliers()
+         * @since 4.6
+         */
+        public Builder kmsProviderPropertySuppliers(final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers) {
+            this.kmsProviderPropertySuppliers = notNull("kmsProviderPropertySuppliers", kmsProviderPropertySuppliers);
+            return this;
+        }
+
         /**
          * Sets the KMS provider to SSLContext map
          *
@@ -265,12 +285,34 @@ public String getKeyVaultNamespace() {
      *     <li>key: byte[] of length 96, the local key</li>
      * </ul>
      *
+     * <p>
+     * It is also permitted for the value of a kms provider to be an empty map, in which case the driver will first
+     * </p>
+     * <ul>
+     *  <li>use the {@link Supplier} configured in {@link #getKmsProviderPropertySuppliers()} to obtain a non-empty map</li>
+     *  <li>attempt to obtain the properties from the environment</li>
+     * </ul>
+     *
      * @return map of KMS provider properties
+     * @see #getKmsProviderPropertySuppliers()
      */
     public Map<String, Map<String, Object>> getKmsProviders() {
         return unmodifiableMap(kmsProviders);
     }
 
+    /**
+     * This method is similar to {@link #getKmsProviders()}, but instead of getting properties for KMS providers,
+     * it gets {@link Supplier}s of properties.
+     * <p>If {@link #getKmsProviders()} returns empty properties for a KMS provider,
+     * the driver will use a {@link Supplier} of properties configured for the KMS provider to obtain non-empty properties.</p>
+     *
+     * @return A {@link Map} where keys identify KMS providers, and values specify {@link Supplier}s of properties for the KMS providers.
+     * @since 4.6
+     */
+    public Map<String, Supplier<Map<String, Object>>> getKmsProviderPropertySuppliers() {
+        return unmodifiableMap(kmsProviderPropertySuppliers);
+    }
+
     /**
      * Gets the KMS provider to SSLContext map.
      *
@@ -355,6 +397,7 @@ private AutoEncryptionSettings(final Builder builder) {
         this.keyVaultNamespace = notNull("keyVaultNamespace", builder.keyVaultNamespace);
         this.kmsProviders = notNull("kmsProviders", builder.kmsProviders);
         this.kmsProviderSslContextMap = notNull("kmsProviderSslContextMap", builder.kmsProviderSslContextMap);
+        this.kmsProviderPropertySuppliers = notNull("kmsProviderPropertySuppliers", builder.kmsProviderPropertySuppliers);
         this.schemaMap = notNull("schemaMap", builder.schemaMap);
         this.extraOptions = notNull("extraOptions", builder.extraOptions);
         this.bypassAutoEncryption = builder.bypassAutoEncryption;

driver-core/src/main/com/mongodb/ClientEncryptionSettings.java

@@ -21,6 +21,7 @@
 import javax.net.ssl.SSLContext;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Supplier;
 
 import static com.mongodb.assertions.Assertions.notNull;
 import static java.util.Collections.unmodifiableMap;
@@ -39,6 +40,7 @@ public final class ClientEncryptionSettings {
     private final MongoClientSettings keyVaultMongoClientSettings;
     private final String keyVaultNamespace;
     private final Map<String, Map<String, Object>> kmsProviders;
+    private final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers;
     private final Map<String, SSLContext> kmsProviderSslContextMap;
     /**
      * A builder for {@code ClientEncryptionSettings} so that {@code ClientEncryptionSettings} can be immutable, and to support easier
@@ -49,6 +51,7 @@ public static final class Builder {
         private MongoClientSettings keyVaultMongoClientSettings;
         private String keyVaultNamespace;
         private Map<String, Map<String, Object>> kmsProviders;
+        private Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers = new HashMap<>();
         private Map<String, SSLContext> kmsProviderSslContextMap = new HashMap<>();
 
         /**
@@ -80,13 +83,30 @@ public Builder keyVaultNamespace(final String keyVaultNamespace) {
          *
          * @param kmsProviders the KMS providers map, which may not be null
          * @return this
+         * @see #kmsProviderPropertySuppliers(Map)
          * @see #getKmsProviders()
          */
         public Builder kmsProviders(final Map<String, Map<String, Object>> kmsProviders) {
             this.kmsProviders = notNull("kmsProviders", kmsProviders);
             return this;
         }
 
+        /**
+         * This method is similar to {@link #kmsProviders(Map)}, but instead of setting properties for KMS providers,
+         * it sets {@link Supplier}s of properties.
+         *
+         * @param kmsProviderPropertySuppliers A {@link Map} where keys identify KMS providers,
+         * and values specify {@link Supplier}s of properties for the KMS providers.
+         * Must not be null. Each {@link Supplier} must return non-empty properties.
+         * @return this
+         * @see #getKmsProviderPropertySuppliers()
+         * @since 4.6
+         */
+        public Builder kmsProviderPropertySuppliers(final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers) {
+            this.kmsProviderPropertySuppliers = notNull("kmsProviderPropertySuppliers", kmsProviderPropertySuppliers);
+            return this;
+        }
+
         /**
          * Sets the KMS provider to SSLContext map
          *
@@ -197,13 +217,33 @@ public String getKeyVaultNamespace() {
      * <ul>
      *     <li>key: byte[] of length 96, the local key</li>
      * </ul>
-     *
+     * <p>
+     * It is also permitted for the value of a kms provider to be an empty map, in which case the driver will first
+     * </p>
+     * <ul>
+     *  <li>use the {@link Supplier} configured in {@link #getKmsProviderPropertySuppliers()} to obtain a non-empty map</li>
+     *  <li>attempt to obtain the properties from the environment</li>
+     * </ul>
      * @return map of KMS provider properties
+     * @see #getKmsProviderPropertySuppliers()
      */
     public Map<String, Map<String, Object>> getKmsProviders() {
         return unmodifiableMap(kmsProviders);
     }
 
+    /**
+     * This method is similar to {@link #getKmsProviders()}, but instead of getting properties for KMS providers,
+     * it gets {@link Supplier}s of properties.
+     * <p>If {@link #getKmsProviders()} returns empty properties for a KMS provider,
+     * the driver will use a {@link Supplier} of properties configured for the KMS provider to obtain non-empty properties.</p>
+     *
+     * @return A {@link Map} where keys identify KMS providers, and values specify {@link Supplier}s of properties for the KMS providers.
+     * @since 4.6
+     */
+    public Map<String, Supplier<Map<String, Object>>> getKmsProviderPropertySuppliers() {
+        return unmodifiableMap(kmsProviderPropertySuppliers);
+    }
+
     /**
      * Gets the KMS provider to SSLContext map.
      *
@@ -223,6 +263,7 @@ private ClientEncryptionSettings(final Builder builder) {
         this.keyVaultMongoClientSettings = builder.keyVaultMongoClientSettings;
         this.keyVaultNamespace = notNull("keyVaultNamespace", builder.keyVaultNamespace);
         this.kmsProviders = notNull("kmsProviders", builder.kmsProviders);
+        this.kmsProviderPropertySuppliers = notNull("kmsProviderPropertySuppliers", builder.kmsProviderPropertySuppliers);
         this.kmsProviderSslContextMap = notNull("kmsProviderSslContextMap", builder.kmsProviderSslContextMap);
     }
 

driver-core/src/main/com/mongodb/internal/capi/MongoCryptHelper.java

@@ -21,6 +21,7 @@
 import com.mongodb.ConnectionString;
 import com.mongodb.MongoClientException;
 import com.mongodb.MongoClientSettings;
+import com.mongodb.MongoConfigurationException;
 import com.mongodb.connection.ClusterSettings;
 import com.mongodb.connection.SocketSettings;
 import com.mongodb.crypt.capi.MongoCryptOptions;
@@ -36,6 +37,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Supplier;
+
+import static java.lang.String.format;
 
 public final class MongoCryptHelper {
 
@@ -50,8 +54,28 @@ public static MongoCryptOptions createMongoCryptOptions(final Map<String, Map<St
         return mongoCryptOptionsBuilder.build();
     }
 
-    public static BsonDocument fetchCredentials(final Map<String, Map<String, Object>> kmsProviders) {
+    public static BsonDocument fetchCredentials(final Map<String, Map<String, Object>> kmsProviders,
+            final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers) {
         BsonDocument kmsProvidersDocument = MongoCryptHelper.getKmsProvidersAsBsonDocument(kmsProviders);
+        for (Map.Entry<String, Supplier<Map<String, Object>>> entry : kmsProviderPropertySuppliers.entrySet()) {
+            String kmsProviderName = entry.getKey();
+            if (!kmsProvidersDocument.get(kmsProviderName).asDocument().isEmpty()) {
+                continue;
+            }
+            Map<String, Object> kmsProviderCredential;
+            try {
+                kmsProviderCredential = entry.getValue().get();
+            } catch (Exception e) {
+                throw new MongoConfigurationException(format("Exception getting credential for kms provider %s from configured Supplier.",
+                        kmsProviderName), e);
+            }
+            if (kmsProviderCredential == null || kmsProviderCredential.isEmpty()) {
+                throw new MongoConfigurationException(format("Exception getting credential for kms provider %s from configured Supplier."
+                                + " The returned value is %s.",
+                        kmsProviderName, kmsProviderCredential == null ? "null" : "empty"));
+            }
+            addToKmsProviderDocument(kmsProvidersDocument, kmsProviderName, kmsProviderCredential);
+        }
         if (kmsProvidersDocument.containsKey("aws") && kmsProvidersDocument.get("aws").asDocument().isEmpty()) {
             AwsCredential awsCredential = AwsCredentialHelper.obtainFromEnvironment();
             if (awsCredential != null) {
@@ -70,11 +94,16 @@ public static BsonDocument fetchCredentials(final Map<String, Map<String, Object
     private static BsonDocument getKmsProvidersAsBsonDocument(final Map<String, Map<String, Object>> kmsProviders) {
         BsonDocument bsonKmsProviders = new BsonDocument();
         for (Map.Entry<String, Map<String, Object>> entry : kmsProviders.entrySet()) {
-            bsonKmsProviders.put(entry.getKey(), new BsonDocumentWrapper<>(new Document(entry.getValue()), new DocumentCodec()));
+            addToKmsProviderDocument(bsonKmsProviders, entry.getKey(), entry.getValue());
         }
         return bsonKmsProviders;
     }
 
+    private static void addToKmsProviderDocument(final BsonDocument kmsProvidersDocument, final String kmsProvider,
+            final Map<String, Object> kmsProviderCredential) {
+        kmsProvidersDocument.put(kmsProvider, new BsonDocumentWrapper<>(new Document(kmsProviderCredential), new DocumentCodec()));
+    }
+
     @SuppressWarnings("unchecked")
     public static List<String> createMongocryptdSpawnArgs(final Map<String, Object> options) {
         List<String> spawnArgs = new ArrayList<String>();

driver-reactive-streams/src/main/com/mongodb/reactivestreams/client/internal/crypt/Crypt.java

@@ -51,6 +51,7 @@ public class Crypt implements Closeable {
     private static final Logger LOGGER = Loggers.getLogger("client");
     private final MongoCrypt mongoCrypt;
     private final Map<String, Map<String, Object>> kmsProviders;
+    private final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers;
     private final CollectionInfoRetriever collectionInfoRetriever;
     private final CommandMarker commandMarker;
     private final KeyRetriever keyRetriever;
@@ -67,9 +68,11 @@ public class Crypt implements Closeable {
      * @param keyRetriever         the key retriever
      * @param keyManagementService the key management service
      */
-    Crypt(final MongoCrypt mongoCrypt, final Map<String, Map<String, Object>> kmsProviders, final KeyRetriever keyRetriever,
+    Crypt(final MongoCrypt mongoCrypt, final Map<String, Map<String, Object>> kmsProviders,
+            final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers,
+            final KeyRetriever keyRetriever,
             final KeyManagementService keyManagementService) {
-        this(mongoCrypt, kmsProviders, null, null, keyRetriever, keyManagementService, false, null);
+        this(mongoCrypt, kmsProviders, kmsProviderPropertySuppliers, null, null, keyRetriever, keyManagementService, false, null);
     }
 
     /**
@@ -83,6 +86,7 @@ public class Crypt implements Closeable {
      */
     Crypt(final MongoCrypt mongoCrypt,
           final Map<String, Map<String, Object>> kmsProviders,
+          final Map<String, Supplier<Map<String, Object>>> kmsProviderPropertySuppliers,
           @Nullable final CollectionInfoRetriever collectionInfoRetriever,
           @Nullable final CommandMarker commandMarker,
           final KeyRetriever keyRetriever,
@@ -91,6 +95,7 @@ public class Crypt implements Closeable {
           @Nullable final MongoClient internalClient) {
         this.mongoCrypt = mongoCrypt;
         this.kmsProviders = kmsProviders;
+        this.kmsProviderPropertySuppliers = kmsProviderPropertySuppliers;
         this.collectionInfoRetriever = collectionInfoRetriever;
         this.commandMarker = commandMarker;
         this.keyRetriever = keyRetriever;
@@ -240,7 +245,7 @@ private void executeStateMachineWithSink(final MongoCryptContext cryptContext, @
     private void fetchCredentials(final MongoCryptContext cryptContext, @Nullable final String databaseName,
             final MonoSink<RawBsonDocument> sink) {
         try {
-            cryptContext.provideKmsProviderCredentials(MongoCryptHelper.fetchCredentials(kmsProviders));
+            cryptContext.provideKmsProviderCredentials(MongoCryptHelper.fetchCredentials(kmsProviders, kmsProviderPropertySuppliers));
             executeStateMachineWithSink(cryptContext, databaseName, sink);
         } catch (Exception e) {
             sink.error(e);

driver-reactive-streams/src/main/com/mongodb/reactivestreams/client/internal/crypt/Crypts.java

@@ -53,6 +53,7 @@ public static Crypt createCrypt(final MongoClientImpl client, final AutoEncrypti
         return new Crypt(MongoCrypts.create(createMongoCryptOptions(options.getKmsProviders(),
                 options.getSchemaMap())),
                 options.getKmsProviders(),
+                options.getKmsProviderPropertySuppliers(),
                 options.isBypassAutoEncryption() ? null : new CollectionInfoRetriever(collectionInfoRetrieverClient),
                 new CommandMarker(options.isBypassAutoEncryption(), options.getExtraOptions()),
                 new KeyRetriever(keyVaultClient, new MongoNamespace(options.getKeyVaultNamespace())),
@@ -65,6 +66,7 @@ public static Crypt create(final MongoClient keyVaultClient, final ClientEncrypt
         return new Crypt(MongoCrypts.create(
                 createMongoCryptOptions(options.getKmsProviders(), null)),
                          options.getKmsProviders(),
+                         options.getKmsProviderPropertySuppliers(),
                          new KeyRetriever(keyVaultClient, new MongoNamespace(options.getKeyVaultNamespace())),
                          createKeyManagementService(options.getKmsProviderSslContextMap()));
     }