RUST-1387 Run csfle legacy spec tests (#781)

Author: abr-egn

.evergreen/config.yml

@@ -511,12 +511,19 @@ functions:
           export CSFLE_SHARED_LIB_PATH=$(.evergreen/find-crypt_shared.sh "$PROJECT_DIRECTORY/crypt_shared/lib/")
           export DISABLE_CRYPT_SHARED=${DISABLE_CRYPT_SHARED}
           export TLS_FEATURE=${TLS_FEATURE}
+          export PYTHON=${PYTHON}
+          ${PYTHON} -m pip install boto3
+
           # Exported without xtrace to avoid leaking credentials
           set +o xtrace
-          export KMS_PROVIDERS=$(cat << "EOF"
-          ${kms_providers}
-          EOF
-          )
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AZURE_TENANT_ID=${AZURE_TENANT_ID}
+          export AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
+          export AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
+          export GCP_EMAIL=${GCP_EMAIL}
+          export GCP_PRIVATE_KEY=${GCP_PRIVATE_KEY}
+          export CSFLE_LOCAL_KEY=${CSFLE_LOCAL_KEY}
           set -o xtrace
 
           .evergreen/run-csfle-tests.sh

.evergreen/run-csfle-tests.sh

@@ -20,6 +20,9 @@ if [ "$OS" = "Windows_NT" ]; then
     export SSL_CERT_DIR=$(cygpath /etc/ssl/certs --windows)
 fi
 
+export AWS_DEFAULT_REGION=us-east-1
+. ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
+
 echo "cargo test options: --features ${FEATURE_FLAGS} ${OPTIONS}"
 
 CARGO_RESULT=0

src/client/csfle.rs

@@ -97,10 +97,13 @@ impl ClientState {
     }
 
     fn make_crypt(opts: &AutoEncryptionOptions) -> Result<Crypt> {
-        let mut builder = Crypt::builder().kms_providers(&opts.kms_providers.credentials()?)?;
+        let mut builder = Crypt::builder().kms_providers(&opts.kms_providers.credentials_doc()?)?;
         if let Some(m) = &opts.schema_map {
             builder = builder.schema_map(&bson::to_document(m)?)?;
         }
+        if let Some(m) = &opts.encrypted_fields_map {
+            builder = builder.encrypted_field_config_map(&bson::to_document(m)?)?;
+        }
         #[cfg(not(test))]
         let disable_crypt_shared = false;
         #[cfg(test)]

src/client/csfle/client_builder.rs

@@ -1,6 +1,6 @@
-use crate::{bson::Document, error::Result, options::ClientOptions, Client, Namespace};
+use crate::{bson::Document, error::Result, options::ClientOptions, Client};
 
-use super::options::{AutoEncryptionOptions, KmsProviders};
+use super::options::AutoEncryptionOptions;
 
 /// A builder for constructing a `Client` with auto-encryption enabled.
 ///
@@ -31,14 +31,10 @@ pub struct EncryptedClientBuilder {
 }
 
 impl EncryptedClientBuilder {
-    pub(crate) fn new(
-        client_options: ClientOptions,
-        key_vault_namespace: Namespace,
-        kms_providers: KmsProviders,
-    ) -> Self {
+    pub(crate) fn new(client_options: ClientOptions, enc_opts: AutoEncryptionOptions) -> Self {
         EncryptedClientBuilder {
             client_options,
-            enc_opts: AutoEncryptionOptions::new(key_vault_namespace, kms_providers),
+            enc_opts,
         }
     }
 
@@ -101,8 +97,8 @@ impl EncryptedClientBuilder {
         self
     }
 
-    /// Constructs a new `Client` using automatic encryption.  May perform DNS lookups as part of
-    /// `Client` initialization.
+    /// Constructs a new `Client` using automatic encryption.  May perform DNS lookups and/or spawn
+    /// mongocryptd as part of `Client` initialization.
     pub async fn build(self) -> Result<Client> {
         let client = Client::with_options(self.client_options)?;
         *client.inner.csfle.write().await =

src/client/csfle/client_encryption.rs

@@ -59,7 +59,7 @@ impl ClientEncryption {
     ) -> Result<Self> {
         let kms_providers = KmsProviders::new(kms_providers)?;
         let crypt = Crypt::builder()
-            .kms_providers(&kms_providers.credentials()?)?
+            .kms_providers(&kms_providers.credentials_doc()?)?
             .build()?;
         let exec = CryptExecutor::new_explicit(
             key_vault_client.weak(),

src/client/csfle/options.rs

@@ -2,6 +2,7 @@ use std::collections::HashMap;
 
 use bson::Array;
 use mongocrypt::ctx::KmsProvider;
+use serde::Deserialize;
 
 use crate::{
     bson::{Bson, Document},
@@ -19,13 +20,15 @@ use crate::{
 /// https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#libmongocrypt-auto-encryption-allow-list
 /// )). To bypass automatic encryption for all operations, set bypassAutoEncryption=true in
 /// AutoEncryptionOpts.
-#[derive(Debug, Clone)]
-#[non_exhaustive]
+#[derive(Debug, Clone, Deserialize)]
+#[serde(rename_all = "camelCase", deny_unknown_fields)]
 pub(crate) struct AutoEncryptionOptions {
     /// Used for data key queries.  Will default to an internal client if not set.
+    #[serde(skip)]
     pub(crate) key_vault_client: Option<crate::Client>,
     /// A collection that contains all data keys used for encryption and decryption (aka the key
     /// vault collection).
+    #[serde(default = "default_key_vault_namespace")]
     pub(crate) key_vault_namespace: Namespace,
     /// Options individual to each KMS provider.
     pub(crate) kms_providers: KmsProviders,
@@ -54,9 +57,17 @@ pub(crate) struct AutoEncryptionOptions {
     pub(crate) bypass_query_analysis: Option<bool>,
     /// Disable loading crypt_shared.
     #[cfg(test)]
+    #[serde(skip)]
     pub(crate) disable_crypt_shared: Option<bool>,
 }
 
+fn default_key_vault_namespace() -> Namespace {
+    Namespace {
+        db: "keyvault".to_string(),
+        coll: "datakeys".to_string(),
+    }
+}
+
 impl AutoEncryptionOptions {
     pub(crate) fn new(key_vault_namespace: Namespace, kms_providers: KmsProviders) -> Self {
         Self {
@@ -74,9 +85,11 @@ impl AutoEncryptionOptions {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Deserialize, Debug, Clone)]
 pub(crate) struct KmsProviders {
+    #[serde(flatten)]
     credentials: HashMap<KmsProvider, Document>,
+    #[serde(skip)]
     tls_options: Option<KmsProvidersTlsOptions>,
 }
 
@@ -105,13 +118,36 @@ impl KmsProviders {
         })
     }
 
-    pub(crate) fn credentials(&self) -> Result<Document> {
+    pub(crate) fn credentials_doc(&self) -> Result<Document> {
         Ok(bson::to_document(&self.credentials)?)
     }
 
     pub(crate) fn tls_options(&self) -> &Option<KmsProvidersTlsOptions> {
         &self.tls_options
     }
+
+    #[cfg(test)]
+    pub(crate) fn credentials(&self) -> &HashMap<KmsProvider, Document> {
+        &self.credentials
+    }
+
+    #[cfg(test)]
+    pub(crate) fn set(&mut self, provider: KmsProvider, creds: Document, tls: Option<TlsOptions>) {
+        self.credentials.insert(provider.clone(), creds);
+        if let Some(tls) = tls {
+            self.tls_options
+                .get_or_insert_with(KmsProvidersTlsOptions::new)
+                .insert(provider, tls);
+        }
+    }
+
+    #[cfg(test)]
+    pub(crate) fn clear(&mut self, provider: &KmsProvider) {
+        self.credentials.remove(provider);
+        if let Some(tls_opts) = &mut self.tls_options {
+            tls_opts.remove(provider);
+        }
+    }
 }
 
 impl AutoEncryptionOptions {

src/client/csfle/state_machine.rs

@@ -15,8 +15,10 @@ use tokio::{
 
 use crate::{
     client::{options::ServerAddress, WeakClient},
+    coll::options::FindOptions,
     error::{Error, Result},
     operation::{RawOutput, RunCommand},
+    options::ReadConcern,
     runtime::{AsyncStream, Process, TlsConfig},
     Client,
     Namespace,
@@ -152,7 +154,14 @@ impl CryptExecutor {
                     let kv_coll = kv_client
                         .database(&kv_ns.db)
                         .collection::<RawDocumentBuf>(&kv_ns.coll);
-                    let mut cursor = kv_coll.find(filter, None).await?;
+                    let mut cursor = kv_coll
+                        .find(
+                            filter,
+                            FindOptions::builder()
+                                .read_concern(ReadConcern::MAJORITY)
+                                .build(),
+                        )
+                        .await?;
                     while cursor.advance().await? {
                         ctx.mongo_feed(cursor.current())?;
                     }

src/client/mod.rs

@@ -180,8 +180,10 @@ impl Client {
     ) -> Result<EncryptedClientBuilder> {
         Ok(EncryptedClientBuilder::new(
             client_options,
-            key_vault_namespace,
-            csfle::options::KmsProviders::new(kms_providers)?,
+            csfle::options::AutoEncryptionOptions::new(
+                key_vault_namespace,
+                csfle::options::KmsProviders::new(kms_providers)?,
+            ),
         ))
     }
 
@@ -562,6 +564,11 @@ impl Client {
         })
         .ok()
     }
+
+    #[cfg(test)]
+    pub(crate) fn options(&self) -> &ClientOptions {
+        &self.inner.options
+    }
 }
 
 #[cfg(feature = "csfle")]

src/coll/options.rs

@@ -1068,8 +1068,10 @@ pub struct DropCollectionOptions {
     pub write_concern: Option<WriteConcern>,
 
     /// Map of encrypted fields for the collection.
+    // Serialization is skipped because the server doesn't accept this option; it's needed for
+    // preprocessing.  Deserialization needs to remain because it's used in test files.
     #[cfg(feature = "csfle")]
-    #[serde(skip)]
+    #[serde(skip_serializing)]
     pub encrypted_fields: Option<Document>,
 }
 

src/error.rs

@@ -286,6 +286,9 @@ impl Error {
             }
             ErrorKind::Transaction { message } => Some(message.clone()),
             ErrorKind::IncompatibleServer { message } => Some(message.clone()),
+            ErrorKind::InvalidArgument { message } => Some(message.clone()),
+            #[cfg(feature = "csfle")]
+            ErrorKind::Csfle(err) => err.message.clone(),
             _ => None,
         }
     }