Add client-side encryption support (POC)

JAVA-3071

Author: jyemin

.evergreen/.evg.yml

@@ -237,7 +237,7 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          AUTH="${AUTH}" SSL="${SSL}" MONGODB_URI="${MONGODB_URI}" SAFE_FOR_MULTI_MONGOS="${SAFE_FOR_MULTI_MONGOS}" TOPOLOGY="${TOPOLOGY}" COMPRESSOR="${COMPRESSOR}" JDK="${JDK}" .evergreen/run-tests.sh
+          AUTH="${AUTH}" SSL="${SSL}" MONGODB_URI="${MONGODB_URI}" SAFE_FOR_MULTI_MONGOS="${SAFE_FOR_MULTI_MONGOS}" TOPOLOGY="${TOPOLOGY}" COMPRESSOR="${COMPRESSOR}" JDK="${JDK}" AWS_ACCESS_KEY_ID=${aws_access_key_id} AWS_SECRET_ACCESS_KEY=${aws_secret_access_key} .evergreen/run-tests.sh
 
   "run slow tests":
   - command: shell.exec

.evergreen/run-tests.sh

@@ -13,6 +13,9 @@ set -o errexit  # Exit the script with error if any of the commands fail
 #       JDK                     Set the version of java to be used.  Java versions can be set from the java toolchain /opt/java
 #                               "jdk5", "jdk6", "jdk7", "jdk8", "jdk9"
 #       SLOW_TESTS_ONLY         Set to true to only run the slow tests
+#       AWS_ACCESS_KEY_ID       The AWS access key identifier for client-side encryption
+#       AWS_SECRET_ACCESS_KEY   The AWS secret access key for client-side encryption
+
 AUTH=${AUTH:-noauth}
 SSL=${SSL:-nossl}
 MONGODB_URI=${MONGODB_URI:-}
@@ -43,12 +46,12 @@ provision_ssl () {
   if [ ! -f client.pkc ]; then
     openssl pkcs12 -CAfile ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -export -in ${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem -out client.pkc -password pass:bithere
   fi
-  if [ ! -f mongo-truststore ]; then
-    ${JAVA_HOME}/bin/keytool -importcert -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -keystore mongo-truststore -storepass hithere -storetype JKS -noprompt
-  fi
+
+  cp ${JAVA_HOME}/lib/security/cacerts mongo-truststore
+  ${JAVA_HOME}/bin/keytool -importcert -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -keystore mongo-truststore -storepass changeit -storetype JKS -noprompt
 
   # We add extra gradle arguments for SSL
-  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=`pwd`/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=hithere"
+  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=`pwd`/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=changeit"
   # Arguments for auth + SSL
   if [ "$AUTH" != "noauth" ] || [ "$TOPOLOGY" == "replica_set" ]; then
     export MONGODB_URI="${MONGODB_URI}&ssl=true&sslInvalidHostNameAllowed=true"
@@ -118,5 +121,6 @@ if [ "$SLOW_TESTS_ONLY" == "true" ]; then
               ${TRANSACTION_URI} ${GRADLE_EXTRA_VARS} ${ASYNC_TYPE} --stacktrace --info testSlowOnly
 else
     ./gradlew -PjdkHome=/opt/java/${JDK} -Dorg.mongodb.test.uri=${MONGODB_URI} \
+              -Dorg.mongodb.test.awsAccessKeyId=${AWS_ACCESS_KEY_ID} -Dorg.mongodb.test.awsSecretAccessKey=${AWS_SECRET_ACCESS_KEY} \
               ${TRANSACTION_URI} ${GRADLE_EXTRA_VARS} ${ASYNC_TYPE} --stacktrace --info test
 fi

build.gradle

@@ -42,6 +42,7 @@ ext {
     nettyVersion = '4.1.17.Final'
     snappyVersion = '1.1.4'
     zstdVersion = '1.3.8-3'
+    mongoCryptVersion = '1.0.0-SNAPSHOT'
     gitVersion = getGitVersion()
 }
 
@@ -134,6 +135,9 @@ configure(javaCodeCheckedProjects) {
                 'org.mongodb.useSocket': System.getProperty('org.mongodb.useSocket', 'false'),
                 'org.mongodb.disableAsync': System.getProperty('org.mongodb.disableAsync', 'false'),
                 'org.mongodb.async.type': System.getProperty('org.mongodb.async.type', 'nio2'),
+                'org.mongodb.test.awsAccessKeyId': System.getProperty('org.mongodb.test.awsAccessKeyId'),
+                'org.mongodb.test.awsSecretAccessKey': System.getProperty('org.mongodb.test.awsSecretAccessKey'),
+                'jna.library.path': System.getProperty('jna.library.path')
         )
 
         project.ext.buildingWith = { propertyName ->

config/codenarc/codenarc.xml

@@ -80,6 +80,7 @@
     <ruleset-ref path='rulesets/formatting.xml'>
         <rule-config name='LineLength'>
             <property name='length' value='140'/>
+            <property name='doNotApplyToFileNames' value='ClientSideEncryptionProseTestSpecification.groovy'/>
         </rule-config>
         <!-- this check is failing '})' when it shouldn't -->
         <exclude name='SpaceAfterClosingBrace'/>

config/findbugs-exclude.xml

@@ -147,4 +147,10 @@
         <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
     </Match>
 
+    <Match>
+        <Class name="com.mongodb.client.internal.CryptConnection"/>
+        <Method name="retain"/>
+        <Bug pattern="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT"/>
+    </Match>
+
 </FindBugsFilter>

driver-async/src/test/unit/com/mongodb/async/client/MongoClientSettingsSpecification.groovy

@@ -490,7 +490,9 @@ class MongoClientSettingsSpecification extends Specification {
         def extras = ['credentialList', 'clusterSettings', 'connectionPoolSettings', 'heartbeatSocketSettings', 'serverSettings',
                       'socketSettings' , 'sslSettings']
         def actual = MongoClientSettings.Builder.declaredMethods.grep { !it.synthetic } *.name.sort() - extras
-        def expected = com.mongodb.MongoClientSettings.Builder.declaredMethods.grep { !it.synthetic } *.name.sort() - 'commandListenerList'
+        def expected = com.mongodb.MongoClientSettings.Builder.declaredMethods.grep { !it.synthetic } *.name.sort()
+        expected -= 'commandListenerList'
+        expected -= 'autoEncryptionSettings'
 
         then:
         actual == expected

driver-core/build.gradle

@@ -42,7 +42,8 @@ dependencies {
     compile "io.netty:netty-handler:$nettyVersion", optional
     compile "org.xerial.snappy:snappy-java:$snappyVersion", optional
     compile "com.github.luben:zstd-jni:$zstdVersion", optional
-    
+    compile "org.mongodb:mongocrypt:$mongoCryptVersion", optional
+
     testCompile project(':bson').sourceSets.test.output
 }
 

driver-core/src/main/com/mongodb/AutoEncryptionSettings.java

@@ -0,0 +1,206 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb;
+
+import com.mongodb.annotations.NotThreadSafe;
+import com.mongodb.lang.Nullable;
+import org.bson.BsonDocument;
+
+import java.util.Collections;
+import java.util.Map;
+
+import static com.mongodb.assertions.Assertions.notNull;
+
+/**
+ * The auto-encryption options.
+ *
+ * @since 3.11
+ */
+public final class AutoEncryptionSettings {
+    private final MongoClientSettings keyVaultMongoClientSettings;
+    private final String keyVaultNamespace;
+    private final Map<String, Map<String, Object>> kmsProviders;
+    private final Map<String, BsonDocument> namespaceToLocalSchemaDocumentMap;
+    private final Map<String, Object> extraOptions;
+    private final boolean bypassAutoEncryption;
+
+    /**
+     * A builder for {@code AutoEncryptionSettings} so that {@code AutoEncryptionSettings} can be immutable, and to support easier
+     * construction through chaining.
+     */
+    @NotThreadSafe
+    public static final class Builder {
+        private MongoClientSettings keyVaultMongoClientSettings;
+        private String keyVaultNamespace;
+        private Map<String, Map<String, Object>> kmsProviders;
+        private Map<String, BsonDocument> namespaceToLocalSchemaDocumentMap = Collections.emptyMap();
+        private Map<String, Object> extraOptions = Collections.emptyMap();
+        private boolean bypassAutoEncryption;
+
+        /**
+         * Sets the key vault settings.
+         *
+         * @param keyVaultMongoClientSettings the key vault mongo client settings, which may be null.
+         * @return this
+         */
+        public Builder keyVaultMongoClientSettings(final MongoClientSettings keyVaultMongoClientSettings) {
+            this.keyVaultMongoClientSettings = keyVaultMongoClientSettings;
+            return this;
+        }
+
+        /**
+         * Sets the key vault namespace
+         *
+         * @param keyVaultNamespace the key vault namespace, which may not be null
+         * @return this
+         */
+        public Builder keyVaultNamespace(final String keyVaultNamespace) {
+            this.keyVaultNamespace = notNull("keyVaultNamespace", keyVaultNamespace);
+            return this;
+        }
+
+        /**
+         * Sets the KMS providers map.
+         *
+         * @param kmsProviders the KMS providers map, which may not be null
+         * @return this
+         */
+        public Builder kmsProviders(final Map<String, Map<String, Object>> kmsProviders) {
+            this.kmsProviders = notNull("kmsProviders", kmsProviders);
+            return this;
+        }
+
+        /**
+         * Sets the map from namespace to local schema document
+         *
+         * @param namespaceToLocalSchemaDocumentMap the map from namespace to local schema document
+         * @return this
+         */
+        public Builder namespaceToLocalSchemaDocumentMap(final Map<String, BsonDocument> namespaceToLocalSchemaDocumentMap) {
+            this.namespaceToLocalSchemaDocumentMap = notNull("namespaceToLocalSchemaDocumentMap", namespaceToLocalSchemaDocumentMap);
+            return this;
+        }
+
+        /**
+         * Sets the extra options.
+         *
+         * @param extraOptions the extra options, which may not be null
+         * @return this
+         */
+        public Builder extraOptions(final Map<String, Object> extraOptions) {
+            this.extraOptions = notNull("extraOptions", extraOptions);
+            return this;
+        }
+
+        /**
+         * Sets whether auto-encryption should be bypassed.
+         *
+         * @param bypassAutoEncryption whether auto-encryption should be bypassed
+         * @return this
+         */
+        public Builder bypassAutoEncryption(final boolean bypassAutoEncryption) {
+            this.bypassAutoEncryption = bypassAutoEncryption;
+            return this;
+        }
+
+        /**
+         * Build an instance of {@code AutoEncryptionSettings}.
+         *
+         * @return the settings from this builder
+         */
+        public AutoEncryptionSettings build() {
+            return new AutoEncryptionSettings(this);
+        }
+
+        private Builder() {
+        }
+    }
+
+    /**
+     * Convenience method to create a Builder.
+     *
+     * @return a builder
+     */
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    /**
+     * Gets the key vault settings.
+     *
+     * @return the key vault settings, which may be null to indicate that the same {@code MongoClient} should be used to access the key
+     * vault collection as is used for the rest of the application.
+     */
+    @Nullable
+    public MongoClientSettings getKeyVaultMongoClientSettings() {
+        return keyVaultMongoClientSettings;
+    }
+
+    /**
+     * Gets the key vault namespace.
+     *
+     * @return the key vault namespace, which may not be null
+     */
+    public String getKeyVaultNamespace() {
+        return keyVaultNamespace;
+    }
+
+    /**
+     * Gets the map of KMS provider properties
+     *
+     * @return map of KMS provider properties
+     */
+    public Map<String, Map<String, Object>> getKmsProviders() {
+        return kmsProviders;
+    }
+
+    /**
+     * Gets the map of namespace to local JSON schema
+     *
+     * @return map of namespace to local JSON schema
+     */
+    public Map<String, BsonDocument> getNamespaceToLocalSchemaDocumentMap() {
+        return namespaceToLocalSchemaDocumentMap;
+    }
+
+    /**
+     * Gets the extra options that control the behavior of auto-encryption components.
+     *
+     * @return the extra options
+     */
+    public Map<String, Object> getExtraOptions() {
+        return extraOptions;
+    }
+
+    /**
+     * Gets whether auto-encryption should be bypassed.  Even when this option is true, auto-decryption is still enabled.
+     *
+     * @return true if auto-encryption should be bypassed
+     */
+    public boolean isBypassAutoEncryption() {
+        return bypassAutoEncryption;
+    }
+
+    private AutoEncryptionSettings(final Builder builder) {
+        this.keyVaultMongoClientSettings = builder.keyVaultMongoClientSettings;
+        this.keyVaultNamespace = notNull("keyVaultNamespace", builder.keyVaultNamespace);
+        this.kmsProviders = notNull("kmsProviders", builder.kmsProviders);
+        this.namespaceToLocalSchemaDocumentMap = notNull("namespaceToLocalSchemaDocumentMap", builder.namespaceToLocalSchemaDocumentMap);
+        this.extraOptions = notNull("extraOptions", builder.extraOptions);
+        this.bypassAutoEncryption = builder.bypassAutoEncryption;
+    }
+}