RUST-1479 Add prose test for mongocrypt client bypass (#786)

abr-egn · web-flow · commit f9e79dbbb11a · 2022-12-01T13:01:22.000-05:00
diff --git a/src/client/csfle/state_machine.rs b/src/client/csfle/state_machine.rs
@@ -83,6 +83,11 @@ impl CryptExecutor {
         self.mongocryptd.is_some()
     }
 
+    #[cfg(test)]
+    pub(crate) fn has_mongocryptd_client(&self) -> bool {
+        self.mongocryptd_client.is_some()
+    }
+
     pub(crate) async fn run_ctx(&self, ctx: Ctx, db: Option<&str>) -> Result<RawDocumentBuf> {
         let mut result = None;
         // This needs to be a `Result` so that the `Ctx` can be temporarily owned by the processing
diff --git a/src/client/mod.rs b/src/client/mod.rs
@@ -197,6 +197,16 @@ impl Client {
             .map_or(false, |cs| cs.exec().mongocryptd_spawned())
     }
 
+    #[cfg(all(test, feature = "csfle"))]
+    pub(crate) async fn has_mongocryptd_client(&self) -> bool {
+        self.inner
+            .csfle
+            .read()
+            .await
+            .as_ref()
+            .map_or(false, |cs| cs.exec().has_mongocryptd_client())
+    }
+
     #[cfg(not(feature = "tracing-unstable"))]
     pub(crate) fn emit_command_event(&self, generate_event: impl FnOnce() -> CommandEvent) {
         if let Some(ref handler) = self.inner.options.command_event_handler {
diff --git a/src/test/csfle.rs b/src/test/csfle.rs
@@ -1,10 +1,16 @@
 use std::{
     collections::HashMap,
     path::PathBuf,
-    sync::{Arc, Mutex},
+    sync::{
+        atomic::{AtomicBool, Ordering},
+        Arc,
+        Mutex,
+    },
     time::Duration,
 };
 
+#[cfg(not(feature = "tokio-runtime"))]
+use async_std::net::TcpListener;
 use bson::{
     doc,
     spec::{BinarySubtype, ElementType},
@@ -16,6 +22,8 @@ use bson::{
 use futures_util::TryStreamExt;
 use lazy_static::lazy_static;
 use mongocrypt::ctx::{Algorithm, KmsProvider};
+#[cfg(feature = "tokio-runtime")]
+use tokio::net::TcpListener;
 
 use crate::{
     client::{auth::Credential, options::TlsOptions},
@@ -35,6 +43,7 @@ use crate::{
         CommandSucceededEvent,
     },
     options::{IndexOptions, ReadConcern, WriteConcern},
+    runtime,
     test::{Event, EventHandler, SdamEvent},
     Client,
     Collection,
@@ -1313,6 +1322,62 @@ async fn custom_endpoint_kmip_invalid_endpoint() -> Result<()> {
     Ok(())
 }
 
+// Prose test 8. Bypass Spawning mongocryptd (Via loading shared library)
+#[cfg_attr(feature = "tokio-runtime", tokio::test)]
+#[cfg_attr(feature = "async-std-runtime", async_std::test)]
+async fn bypass_mongocryptd_via_shared_library() -> Result<()> {
+    if !check_env("bypass_mongocryptd_via_shared_library", false) {
+        return Ok(());
+    }
+    let _guard = LOCK.run_exclusively().await;
+
+    if *DISABLE_CRYPT_SHARED {
+        log_uncaptured(
+            "Skipping bypass mongocryptd via shared library test: crypt_shared is disabled.",
+        );
+        return Ok(());
+    }
+
+    // Setup: encrypted client.
+    let client_encrypted = Client::encrypted_builder(
+        CLIENT_OPTIONS.get().await.clone(),
+        KV_NAMESPACE.clone(),
+        LOCAL_KMS.clone(),
+    )?
+    .schema_map({
+        [(
+            "db.coll".to_string(),
+            load_testdata("external-schema.json")?,
+        )]
+        .into_iter()
+        .collect::<HashMap<String, Document>>()
+    })
+    .extra_options(doc! {
+        "mongocryptdURI": "mongodb://localhost:27021/db?serverSelectionTimeoutMS=1000",
+        "mongocryptdSpawnArgs": ["--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=27021"],
+        "cryptSharedLibPath": EXTRA_OPTIONS.get("cryptSharedLibPath").unwrap(),
+        "cryptSharedRequired": true,
+    })
+    .build()
+    .await?;
+
+    // Test: insert succeeds.
+    client_encrypted
+        .database("db")
+        .collection::<Document>("coll")
+        .insert_one(doc! { "unencrypted": "test" }, None)
+        .await?;
+    // Test: mongocryptd not spawned.
+    assert!(!client_encrypted.mongocryptd_spawned().await);
+    // Test: attempting to connect fails.
+    let client =
+        Client::with_uri_str("mongodb://localhost:27021/?serverSelectionTimeoutMS=1000").await?;
+    let result = client.list_database_names(None, None).await;
+    assert!(result.unwrap_err().is_server_selection_error());
+
+    Ok(())
+}
+
 // Prose test 8. Bypass Spawning mongocryptd (Via mongocryptdBypassSpawn)
 #[cfg_attr(feature = "tokio-runtime", tokio::test)]
 #[cfg_attr(feature = "async-std-runtime", async_std::test)]
@@ -2712,3 +2777,65 @@ impl CommandEventHandler for DecryptionEventsHandler {
 // TODO RUST-1417: implement prose test 17. On-demand GCP Credentials
 
 // TODO RUST-1442: implement prose test 18. Azure IMDS Credentials
+
+// TODO RUST-1442: implement prose test 19. Azure IMDS Credentials Integration Test
+
+// Prose test 20. Bypass creating mongocryptd client when shared library is loaded
+#[cfg_attr(feature = "tokio-runtime", tokio::test)]
+#[cfg_attr(feature = "async-std-runtime", async_std::test)]
+async fn bypass_mongocryptd_client() -> Result<()> {
+    if !check_env("bypass_mongocryptd_client", false) {
+        return Ok(());
+    }
+    let _guard = LOCK.run_exclusively().await;
+
+    if *DISABLE_CRYPT_SHARED {
+        log_uncaptured("Skipping bypass mongocryptd client test: crypt_shared is disabled.");
+        return Ok(());
+    }
+
+    let connected = Arc::new(AtomicBool::new(false));
+    {
+        let connected = Arc::clone(&connected);
+        let listener = bind("127.0.0.1:27021").await?;
+        runtime::spawn(async move {
+            let _ = listener.accept().await;
+            log_uncaptured("test failure: connection accepted");
+            connected.store(true, Ordering::SeqCst);
+        })
+    };
+
+    let client_encrypted = Client::encrypted_builder(
+        CLIENT_OPTIONS.get().await.clone(),
+        KV_NAMESPACE.clone(),
+        LOCAL_KMS.clone(),
+    )?
+    .extra_options({
+        let mut extra_options = EXTRA_OPTIONS.clone();
+        extra_options.insert("mongocryptdURI", "mongodb://localhost:27021");
+        extra_options
+    })
+    .build()
+    .await?;
+    client_encrypted
+        .database("db")
+        .collection::<Document>("coll")
+        .insert_one(doc! { "unencrypted": "test" }, None)
+        .await?;
+
+    assert!(!client_encrypted.has_mongocryptd_client().await);
+    assert!(!connected.load(Ordering::SeqCst));
+
+    Ok(())
+}
+
+async fn bind(addr: &str) -> Result<TcpListener> {
+    #[cfg(feature = "tokio-runtime")]
+    {
+        Ok(TcpListener::bind(addr.parse::<std::net::SocketAddr>()?).await?)
+    }
+    #[cfg(not(feature = "tokio-runtime"))]
+    {
+        Ok(TcpListener::bind(addr).await?)
+    }
+}
