RUST-1536: tidy the client-side encryption API (#768)

Author: abr-egn

src/client/csfle.rs

@@ -1,3 +1,4 @@
+pub(crate) mod client_builder;
 pub mod client_encryption;
 pub mod options;
 mod state_machine;
@@ -47,7 +48,7 @@ impl ClientState {
     const MONGOCRYPTD_DEFAULT_URI: &'static str = "mongodb://localhost:27020";
     const MONGOCRYPTD_SERVER_SELECTION_TIMEOUT: Duration = Duration::from_millis(10_000);
 
-    pub(super) async fn new(client: &Client, mut opts: AutoEncryptionOptions) -> Result<Self> {
+    pub(super) async fn new(client: &Client, opts: AutoEncryptionOptions) -> Result<Self> {
         let crypt = Self::make_crypt(&opts)?;
         let mongocryptd_opts = Self::make_mongocryptd_opts(&opts, &crypt)?;
         let aux_clients = Self::make_aux_clients(client, &opts)?;
@@ -68,7 +69,7 @@ impl ClientState {
         let exec = CryptExecutor::new_implicit(
             aux_clients.key_vault_client,
             opts.key_vault_namespace.clone(),
-            opts.tls_options.take(),
+            opts.kms_providers.tls_options().clone(),
             mongocryptd_opts,
             mongocryptd_client,
             aux_clients.metadata_client,
@@ -96,8 +97,7 @@ impl ClientState {
     }
 
     fn make_crypt(opts: &AutoEncryptionOptions) -> Result<Crypt> {
-        let mut builder =
-            Crypt::builder().kms_providers(&bson::to_document(&opts.kms_providers)?)?;
+        let mut builder = Crypt::builder().kms_providers(&opts.kms_providers.credentials()?)?;
         if let Some(m) = &opts.schema_map {
             builder = builder.schema_map(&bson::to_document(m)?)?;
         }

src/client/csfle/client_builder.rs

@@ -0,0 +1,112 @@
+use crate::{bson::Document, error::Result, options::ClientOptions, Client, Namespace};
+
+use super::options::{AutoEncryptionOptions, KmsProviders};
+
+/// A builder for constructing a `Client` with auto-encryption enabled.
+///
+/// ```no_run
+/// # use bson::doc;
+/// # use mongocrypt::ctx::KmsProvider;
+/// # use mongodb::Client;
+/// # use mongodb::error::Result;
+/// # async fn func() -> Result<()> {
+/// # let client_options = todo!();
+/// # let key_vault_namespace = todo!();
+/// # let key_vault_client: Client = todo!();
+/// # let local_key: bson::Binary = todo!();
+/// let encrypted_client = Client::encrypted_builder(
+///     client_options,
+///     key_vault_namespace,
+///     [(KmsProvider::Local, doc! { "key": local_key }, None)],
+/// )?
+/// .key_vault_client(key_vault_client)
+/// .build()
+/// .await?;
+/// # Ok(())
+/// # }
+/// ```
+pub struct EncryptedClientBuilder {
+    client_options: ClientOptions,
+    enc_opts: AutoEncryptionOptions,
+}
+
+impl EncryptedClientBuilder {
+    pub(crate) fn new(
+        client_options: ClientOptions,
+        key_vault_namespace: Namespace,
+        kms_providers: KmsProviders,
+    ) -> Self {
+        EncryptedClientBuilder {
+            client_options,
+            enc_opts: AutoEncryptionOptions::new(key_vault_namespace, kms_providers),
+        }
+    }
+
+    /// Set the client used for data key queries.  Will default to an internal client if not set.
+    pub fn key_vault_client(mut self, client: impl Into<Option<Client>>) -> Self {
+        self.enc_opts.key_vault_client = client.into();
+        self
+    }
+
+    /// Specify a JSONSchema locally.
+    ///
+    /// Supplying a `schema_map` provides more security than relying on JSON Schemas obtained from
+    /// the server. It protects against a malicious server advertising a false JSON Schema, which
+    /// could trick the client into sending unencrypted data that should be encrypted.
+    ///
+    /// Schemas supplied in the `schema_map` only apply to configuring automatic encryption for
+    /// client side encryption. Other validation rules in the JSON schema will not be enforced by
+    /// the driver and will result in an error.
+    pub fn schema_map(mut self, map: impl IntoIterator<Item = (String, Document)>) -> Self {
+        self.enc_opts.schema_map = Some(map.into_iter().collect());
+        self
+    }
+
+    /// Disable automatic encryption and do not spawn mongocryptd.  Defaults to false.
+    pub fn bypass_auto_encryption(mut self, bypass: impl Into<Option<bool>>) -> Self {
+        self.enc_opts.bypass_auto_encryption = bypass.into();
+        self
+    }
+
+    /// Set options related to mongocryptd.
+    pub fn extra_options(mut self, extra_opts: impl Into<Option<Document>>) -> Self {
+        self.enc_opts.extra_options = extra_opts.into();
+        self
+    }
+
+    /// Maps namespace to encrypted fields.
+    ///
+    /// Supplying an `encrypted_fields_map` provides more security than relying on an
+    /// encryptedFields obtained from the server. It protects against a malicious server
+    /// advertising a false encryptedFields.
+    pub fn encrypted_fields_map(
+        mut self,
+        map: impl IntoIterator<Item = (String, Document)>,
+    ) -> Self {
+        self.enc_opts.encrypted_fields_map = Some(map.into_iter().collect());
+        self
+    }
+
+    /// Disable serverside processing of encrypted indexed fields, allowing use of explicit
+    /// encryption with queryable encryption.
+    pub fn bypass_query_analysis(mut self, bypass: impl Into<Option<bool>>) -> Self {
+        self.enc_opts.bypass_query_analysis = bypass.into();
+        self
+    }
+
+    /// Disable loading crypt_shared.
+    #[cfg(test)]
+    pub(crate) fn disable_crypt_shared(mut self, disable: bool) -> Self {
+        self.enc_opts.disable_crypt_shared = Some(disable);
+        self
+    }
+
+    /// Constructs a new `Client` using automatic encryption.  May perform DNS lookups as part of
+    /// `Client` initialization.
+    pub async fn build(self) -> Result<Client> {
+        let client = Client::with_options(self.client_options)?;
+        *client.inner.csfle.write().await =
+            Some(super::ClientState::new(&client, self.enc_opts).await?);
+        Ok(client)
+    }
+}