DRIVERS-2781 Add option to configure DEK cache lifetime (#1730)

Author: adriandole

source/client-side-encryption/client-side-encryption.md

@@ -376,6 +376,7 @@ class AutoEncryptionOpts {
    // Set bypassQueryAnalysis to true to use explicit encryption on indexed fields
    // without the MongoDB Enterprise Advanced licensed crypt_shared library.
    bypassQueryAnalysis: Optional<Boolean>; // Default false.
+   keyExpirationMS: Optional<Uint64>; // Default 60000.
 }
 ```
 
@@ -1048,6 +1049,7 @@ interface ClientEncryptionOpts {
    keyVaultNamespace: String;
    kmsProviders: KMSProviders;
    tlsOptions?: KMSProvidersTLSOptions; // Maps KMS provider to TLS options.
+   keyExpirationMS: Optional<Uint64>; // Default 60000.
 };
 
 interface KMSProvidersTLSOptions {

source/client-side-encryption/etc/test-templates/keyCache.yml.template

@@ -0,0 +1,69 @@
+runOn:
+  - minServerVersion: "4.1.10"
+database_name: &database_name "default"
+collection_name: &collection_name "default"
+
+data: []
+json_schema: {{schema()}}
+key_vault_data: [{{key()}}]
+
+tests:
+  - description: "Insert with deterministic encryption, then find it"
+    clientOptions:
+      autoEncryptOpts:
+        kmsProviders:
+          aws: {} # Credentials filled in from environment.
+        keyExpirationMS: 1
+    operations:
+      - name: insertOne
+        arguments:
+          document: &doc0 { _id: 1, encrypted_string: "string0" }
+      - name: wait
+        object: testRunner
+        arguments:
+          ms: 2
+      - name: find
+        arguments:
+          filter: { _id: 1 }
+        result: [*doc0]
+    expectations:
+      # Auto encryption will request the collection info.
+      - command_started_event:
+          command:
+            listCollections: 1
+            filter:
+              name: *collection_name
+          command_name: listCollections
+      # Then key is fetched from the key vault.
+      - command_started_event:
+          command:
+            find: datakeys
+            filter: {"$or": [{"_id": {"$in": [ {{key()["_id"]}} ] }}, {"keyAltNames": {"$in": []}}]}
+            $db: keyvault
+            readConcern: { level: "majority" }
+          command_name: find
+      - command_started_event:
+          command:
+            insert: *collection_name
+            documents:
+              - &doc0_encrypted { _id: 1, encrypted_string: {{ciphertext("string0", field="encrypted_string")}} }
+            ordered: true
+          command_name: insert
+      - command_started_event:
+          command:
+            find: *collection_name
+            filter: { _id: 1 }
+          command_name: find
+      # The cache has expired and the key must be fetched again
+      - command_started_event:
+          command:
+            find: datakeys
+            filter: {"$or": [{"_id": {"$in": [ {{key()["_id"]}} ] }}, {"keyAltNames": {"$in": []}}]}
+            $db: keyvault
+            readConcern: { level: "majority" }
+          command_name: find
+    outcome:
+      collection:
+        # Outcome is checked using a separate MongoClient without auto encryption.
+        data:
+          - *doc0_encrypted