Skip to content

CDRIVER-4206 KMIP support #881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 93 commits into from
Nov 13, 2021
Merged

CDRIVER-4206 KMIP support #881

merged 93 commits into from
Nov 13, 2021

Conversation

kevinAlbs
Copy link
Collaborator

@kevinAlbs kevinAlbs commented Oct 16, 2021
edited
Loading

Summary

Implements the specification changes of DRIVERS-1353. Please see the comments of DRIVERS-1353 for the linked specification change commits.

  • Add mongoc_auto_encryption_opts_set_tls_opts and mongoc_client_encryption_opts_set_tls_opts to set custom TLS options on KMS connections.
  • Update specification tests and prose tests.
  • Update CSFLE documentation:
    • Add KMIP KMS provider.
    • Add missing documentation for Azure and GCP KMS providers (CDRIVER-4087).
    • Fix documentation for local KMS provider (CDRIVER-4088).

Rejected alternatives

Passing TLS options with mongoc_ssl_opt_t

The specification is not prescriptive in the API for passing TLS options:

Drivers SHOULD provide API that is consistent with configuring TLS options for MongoDB server TLS connections. New API to support the options MUST be independent of the KMS provider to permit future extension. The following is an example:

I considered an alternative API for passing TLS options:

void
mongoc_auto_encryption_opts_set_tls_opts (
   mongoc_auto_encryption_opts_t *opts,
   const char* provider,
   const mongoc_ssl_opt_t *ssl_opt
);

It is more consistent with mongoc_client_set_ssl_opts. But I chose to reject it because:

  • The mongoc_ssl_opt_t does not permit configuring all TLS options supported in the URI specification (tlsDisableOCSPEndpointCheck, tlsDisableCertificateRevocationCheck).
  • mongoc_ssl_opt_t includes insecure options (allow_invalid_hostname and weak_cert_validation) which are prohibited in the specification, as well as C specific options ca_dir and crl_file, which are not required and are not supported on all TLS implementations.
  • SSL is a deprecated term in favor of TLS. E.g. mongoc_uri_get_ssl is deprecated for mongoc_uri_get_tls.

Caveats

  • Error messages in the "no client certificate" cases are empty. Commented inline.

@kevinAlbs kevinAlbs mentioned this pull request Oct 20, 2021
Merged
@kevinAlbs kevinAlbs changed the title DRIVERS-1535 KMIP support POC CDRIVER-4100 KMIP support POC Nov 4, 2021
@kevinAlbs kevinAlbs changed the title CDRIVER-4100 KMIP support POC CDRIVER-4100 KMIP support Nov 7, 2021
@kevinAlbs kevinAlbs changed the title CDRIVER-4100 KMIP support CDRIVER-4206 KMIP support Nov 8, 2021
@kevinAlbs
add failing kmsKMIP test
1c8d9db
@kevinAlbs
get kmsKMIP test passing with hardcoded TLS options
0b42575
@kevinAlbs
CDRIVER-4087 document Azure and GCP KMS providers
f9e52a4
@kevinAlbs
fix URI documentation, include "FILE" in MONGOC_URI_TLSCERTIFICATEKEY…
6a5e42c 
…FILEPASSWORD
@kevinAlbs
document "kmip" KMS provider opts
66a7742
@kevinAlbs
SCAFFOLDING - debug log each ctx state
413ddf4
@kevinAlbs
parse kmip.tls from KMS providers, and use for TLS streams to kmip
2513fa5
@kevinAlbs
add MONGOC_TEST_KMIP_TLS_CA_FILE
d7bdada 
MONGOC_TEST_KMIP_TLS_CERTIFICATE_KEY_FILE to test runner
@kevinAlbs
fix leak in _parse_kms_providers
90b3a87
@kevinAlbs
add datakey/double encryption + custom endpoint prose tests
a9dcb0e
@kevinAlbs
add corpus tests
cfe8446
@kevinAlbs
WIP: add KMIP server to run kms servers
98b2b94
@kevinAlbs
WIP: use kevinAlbs/libmongocrypt
1e6133c
@kevinAlbs
WIP: add env vars to run KMIP tests
e8ab473
@kevinAlbs
add more error logs
2aadc55
@kevinAlbs
TEMP: faster compile-unix.sh
d8d84af
@kevinAlbs
TEMP: fix test subselector
82d5e6f
@kevinAlbs
TEMP: add more logging
a79042b
@kevinAlbs
run only kmipKMS
8433381
@kevinAlbs
fix windows BUILD_VERSION
bfe5247
@kevinAlbs
add sleep for KMS server
ca6175f
@kevinAlbs
TEMP: increase timeout
4254ba0
@kevinAlbs
add fflush to MONGOC_DEBUG
03dc47d
@kevinAlbs
TEMP add --no-fork to windows
6a040b8
@kevinAlbs kevinAlbs requested a review from chardan November 9, 2021 01:19
vector-of-bool
vector-of-bool reviewed Nov 10, 2021
View reviewed changes
chardan
chardan suggested changes Nov 11, 2021
View reviewed changes
Copy link
Contributor

@chardan chardan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of work in here! I especially appreciate the careful documentation. Please take a look at just a few things in here.

eramongodb
eramongodb reviewed Nov 11, 2021
View reviewed changes
kevinAlbs and others added 13 commits November 12, 2021 01:34
@kevinAlbs @eramongodb
Apply suggestions from code review
f9e753d 
Co-authored-by: Ezra Chung <[email protected]>
@kevinAlbs @eramongodb
Update src/libmongoc/tests/test-mongoc-client-side-encryption.c
02c74e0 
Co-authored-by: Ezra Chung <[email protected]>
@kevinAlbs
update error message for insecure TLS options
9eed051
@kevinAlbs
remove unnecessary else-ifs
0901446
@kevinAlbs
doc fixups
ebdd3dc
@kevinAlbs
remove unused args in example
ac9ca20
@kevinAlbs
Reject duplicate fields in _parse_all_tls_opts. Always leave out_opt …
c4699f0 
…safe to clean up in `_parse_one_tls_opts`.
@kevinAlbs
Test the assumption that it is safe to call _mongoc_ssl_opts_cleanup …
571472f 
…on a zero struct.
@kevinAlbs
remove kmip arg from _make_tls_opts
eba179d
@kevinAlbs
add test_framework_getenv_required
0ee3375
@kevinAlbs
add all CSFLE env vars to test_framework_skip_if_no_client_side_encry…
e96bced 
…ption
@kevinAlbs
use test_framework_getenv_required
eb7c833
@kevinAlbs
extract encrypt/decrypt from custom endpoint test into separate macro
6d0a1c4
eramongodb
eramongodb approved these changes Nov 12, 2021
View reviewed changes
Copy link
Contributor

@eramongodb eramongodb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than some minor formatting, LGTM. 👍

chardan
chardan approved these changes Nov 12, 2021
View reviewed changes
Copy link
Contributor

@chardan chardan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Strong improvements! Just a couple of things you may want to consider, but +1 from me.

@kevinAlbs kevinAlbs merged commit 2078ab2 into mongodb:master Nov 13, 2021
@kevinAlbs kevinAlbs deleted the kmip.DRIVERS-1353 branch November 13, 2021 22:20
kevinAlbs added a commit to kevinAlbs/mongo-c-driver that referenced this pull request Dec 5, 2021
@kevinAlbs @eramongodb
CDRIVER-4206 KMIP support (mongodb#881)
89d00d4 
Co-authored-by: Ezra Chung <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chardan chardan chardan approved these changes

@vector-of-bool vector-of-bool vector-of-bool approved these changes

@eramongodb eramongodb eramongodb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kevinAlbs @chardan @vector-of-bool @eramongodb