CDRIVER-2875 auto encryption and decryption

mongodb · Nov 4, 2019 · 1de613a · 1de613a
1 parent ce14000
commit 1de613a
Show file tree

Hide file tree

Showing 71 changed files with 11,362 additions and 144 deletions.
diff --git a/.lsan-suppressions b/.lsan-suppressions
@@ -1,3 +1,4 @@
 leak:ccrng_cryptographic_init_once
 leak:ccrng_cryptographic_generate
 leak:res_9_ninit
+leak:SSLCreateContext
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -55,6 +55,7 @@ option (ENABLE_RDTSCP
 option (ENABLE_APPLE_FRAMEWORK "Build libraries as frameworks on darwin platforms" OFF) 
 set (ENABLE_ICU AUTO CACHE STRING "Enable ICU support, necessary to use non-ASCII usernames or passwords, default AUTO.")
 option (ENABLE_UNINSTALL "Enable creation of uninstall script and associated uninstall build target." ON)
+set (ENABLE_CLIENT_SIDE_ENCRYPTION AUTO CACHE STRING "Enable Client-Side Field Level Encryption support. Requires libmongocrypt. Set to ON/AUTO/OFF, default AUTO.")
 
 project (mongo-c-driver C)
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -223,6 +223,11 @@ The mock server timeout threshold for future functions can be set with:
 
 This is useful for debugging, so future calls don't timeout when stepping through code.
 
+Tests of Client-Side Field Level Encryption require credentials to an AWS user which has list and read permissions to AWS KMS.
+
+* `MONGOC_TEST_AWS_SECRET_ACCESS_KEY=<string>`
+* `MONGOC_TEST_AWS_ACCESS_KEY_ID=<string>`
+
 All tests should pass before submitting a patch.
 
 ## Configuring the test runner

diff --git a/src/libmongoc/CMakeLists.txt b/src/libmongoc/CMakeLists.txt
@@ -396,6 +396,35 @@ if (NOT ENABLE_ICU STREQUAL OFF)
    endif()
 endif()
 
+# Configure client side encryption.
+set (MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION 0)
+if (NOT ENABLE_CLIENT_SIDE_ENCRYPTION MATCHES "AUTO|ON|OFF")
+   message (FATAL_ERROR, "ENABLE_CLIENT_SIDE_ENCRYPTION option must be AUTO, ON, or OFF")
+endif ()
+
+if (NOT MONGOC_ENABLE_SSL)
+   if (ENABLE_CLIENT_SIDE_ENCRYPTION STREQUAL ON)
+      message (FATAL_ERROR "SSL disabled, but is required for Client-Side Field Level Encryption support.")
+   elseif (ENABLE_CLIENT_SIDE_ENCRYPTION STREQUAL AUTO)
+      message (STATUS "SSL disabled. Configuring without Client-Side Field Level Encryption support.")
+   endif ()
+elseif (NOT ENABLE_CLIENT_SIDE_ENCRYPTION STREQUAL OFF)
+   message ("Searching for libmongocrypt")
+   find_package (mongocrypt)
+   if (mongocrypt_FOUND)
+      set (CLIENT_SIDE_ENCRYPTION_LIBRARIES mongo::mongocrypt)
+      get_target_property (LIBMONGOCRYPT_LOCATION mongo::mongocrypt LOCATION)
+      get_target_property (LIBMONGOCRYPT_INCLUDE_DIRECTORIES mongo::mongocrypt INTERFACE_INCLUDE_DIRECTORIES)
+      message ("--   libmongocrypt found at ${LIBMONGOCRYPT_LOCATION}")
+      message ("--   libmongocrypt include path ${LIBMONGOCRYPT_INCLUDE_DIRECTORIES}")
+      set (MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION 1)
+   elseif (ENABLE_CLIENT_SIDE_ENCRYPTION STREQUAL ON)
+      message (FATAL_ERROR "Required library (libmongocrypt) not found.")
+   else ()
+      message (STATUS "libmongocrypt not found. Configuring without Client-Side Field Level Encryption support.")
+   endif ()
+endif ()
+
 configure_file (
    "${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-config.h.in"
    "${PROJECT_BINARY_DIR}/src/mongoc/mongoc-config.h"
@@ -428,6 +457,7 @@ set (SOURCES ${SOURCES}
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-change-stream.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-pool.c
+   ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-sasl.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-collection.c
@@ -507,6 +537,7 @@ set (HEADERS
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-change-stream.h
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client.h
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-pool.h
+   ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-side-encryption.h
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-collection.h
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cursor.h
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-database.h
@@ -633,11 +664,11 @@ endif ()
 
 set (LIBRARIES
    ${SASL_LIBRARIES} ${SSL_LIBRARIES} ${SHM_LIBRARIES} ${RESOLV_LIBRARIES}
-   ${SNAPPY_LIBRARIES} ${ZLIB_LIBRARIES} ${MONGOC_ZSTD_LIBRARIES} Threads::Threads ${ICU_LIBRARIES}
+   ${SNAPPY_LIBRARIES} ${ZLIB_LIBRARIES} ${MONGOC_ZSTD_LIBRARIES} Threads::Threads ${ICU_LIBRARIES} ${CLIENT_SIDE_ENCRYPTION_LIBRARIES}
 )
 set (STATIC_LIBRARIES
    ${SASL_LIBRARIES} ${SSL_LIBRARIES} ${SHM_LIBRARIES} ${RESOLV_LIBRARIES}
-   ${SNAPPY_LIBRARIES} ${ZLIB_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ICU_LIBRARIES}
+   ${SNAPPY_LIBRARIES} ${ZLIB_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${ICU_LIBRARIES} ${CLIENT_SIDE_ENCRYPTION_LIBRARIES}
 )
 
 if (WIN32)
@@ -772,6 +803,7 @@ set (test-libmongoc-sources
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-change-stream.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-pool.c
+   ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-collection.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-collection-find.c

diff --git a/src/libmongoc/doc/api.rst b/src/libmongoc/doc/api.rst
@@ -10,6 +10,7 @@ API Reference
    errors
    lifecycle
    gridfs
+   mongoc_auto_encryption_opts_t
    mongoc_bulk_operation_t
    mongoc_change_stream_t
    mongoc_client_pool_t