CDRIVER-6300 CSFLE/QE Support for HTTP Proxies

src/libmongoc/src/mongoc/mongoc-client-side-encryption.c

@@ -54,6 +54,7 @@ struct _mongoc_auto_encryption_opts_t {
    bool bypass_auto_encryption;
    bool bypass_query_analysis;
    mc_kms_credentials_callback creds_cb;
+   mc_kms_connect_callback connect_cb;
    bson_t *extra;
    mcd_optional_u64_t cache_expiration_ms;
 };
@@ -236,6 +237,18 @@ mongoc_auto_encryption_opts_set_kms_credential_provider_callback(mongoc_auto_enc
    _set_creds_callback(&opts->creds_cb, fn, userdata);
 }
 
+void
+mongoc_auto_encryption_opts_set_kms_connect_callback(mongoc_auto_encryption_opts_t *opts,
+                                                     mongoc_kms_connect_callback_fn fn,
+                                                     void *userdata)
+{
+   if (!opts) {
+      return;
+   }
+   opts->connect_cb.fn = fn;
+   opts->connect_cb.userdata = userdata;
+}
+
 /*--------------------------------------------------------------------------
  * Client Encryption options.
  *--------------------------------------------------------------------------
@@ -247,6 +260,7 @@ struct _mongoc_client_encryption_opts_t {
    bson_t *kms_providers;
    bson_t *tls_opts;
    mc_kms_credentials_callback creds_cb;
+   mc_kms_connect_callback connect_cb;
    mcd_optional_u64_t cache_expiration_ms;
 };
 
@@ -329,6 +343,18 @@ mongoc_client_encryption_opts_set_kms_credential_provider_callback(mongoc_client
    opts->creds_cb.userdata = userdata;
 }
 
+void
+mongoc_client_encryption_opts_set_kms_connect_callback(mongoc_client_encryption_opts_t *opts,
+                                                       mongoc_kms_connect_callback_fn fn,
+                                                       void *userdata)
+{
+   if (!opts) {
+      return;
+   }
+   opts->connect_cb.fn = fn;
+   opts->connect_cb.userdata = userdata;
+}
+
 void
 mongoc_client_encryption_opts_set_key_expiration(mongoc_client_encryption_opts_t *opts, uint64_t cache_expiration_ms)
 {
@@ -2089,6 +2115,7 @@ _mongoc_cse_client_enable_auto_encryption(mongoc_client_t *client,
                         opts->bypass_auto_encryption,
                         opts->bypass_query_analysis,
                         opts->creds_cb,
+                        opts->connect_cb,
                         opts->cache_expiration_ms,
                         error);
    if (!client->topology->crypt) {
@@ -2229,6 +2256,7 @@ _mongoc_cse_client_pool_enable_auto_encryption(mongoc_topology_t *topology,
                                        opts->bypass_auto_encryption,
                                        opts->bypass_query_analysis,
                                        opts->creds_cb,
+                                       opts->connect_cb,
                                        opts->cache_expiration_ms,
                                        error);
    if (!topology->crypt) {
@@ -2328,6 +2356,7 @@ mongoc_client_encryption_new(mongoc_client_encryption_opts_t *opts, bson_error_t
                                                 false,
                                                 /* bypass_query_analysis. Not applicable. */
                                                 opts->creds_cb,
+                                                opts->connect_cb,
                                                 opts->cache_expiration_ms,
                                                 error);
    if (!client_encryption->crypt) {

src/libmongoc/src/mongoc/mongoc-client-side-encryption.h

@@ -20,6 +20,7 @@
 #define MONGOC_CLIENT_SIDE_ENCRYPTION_H
 
 #include <mongoc/mongoc-macros.h>
+#include <mongoc/mongoc-stream.h>
 
 #include <bson/bson.h>
 
@@ -56,6 +57,13 @@ typedef bool(BSON_CALL *mongoc_kms_credentials_provider_callback_fn)(void *userd
                                                                      bson_t *out,
                                                                      bson_error_t *error);
 
+/* Returns a connected stream to (host, port). The driver wraps the returned
+ * stream with TLS. Return NULL and set @error on failure. */
+typedef mongoc_stream_t *(BSON_CALL *mongoc_kms_connect_callback_fn)(const char *host,
+                                                                     int32_t port,
+                                                                     void *userdata,
+                                                                     bson_error_t *error);
+
 MONGOC_EXPORT(mongoc_auto_encryption_opts_t *)
 mongoc_auto_encryption_opts_new(void) BSON_GNUC_WARN_UNUSED_RESULT;
 
@@ -105,6 +113,11 @@ mongoc_auto_encryption_opts_set_kms_credential_provider_callback(mongoc_auto_enc
                                                                  mongoc_kms_credentials_provider_callback_fn fn,
                                                                  void *userdata);
 
+MONGOC_EXPORT(void)
+mongoc_auto_encryption_opts_set_kms_connect_callback(mongoc_auto_encryption_opts_t *opts,
+                                                     mongoc_kms_connect_callback_fn fn,
+                                                     void *userdata);
+
 typedef struct _mongoc_client_encryption_opts_t mongoc_client_encryption_opts_t;
 typedef struct _mongoc_client_encryption_t mongoc_client_encryption_t;
 typedef struct _mongoc_client_encryption_encrypt_range_opts_t mongoc_client_encryption_encrypt_range_opts_t;
@@ -143,6 +156,11 @@ mongoc_client_encryption_opts_set_kms_credential_provider_callback(mongoc_client
                                                                    mongoc_kms_credentials_provider_callback_fn fn,
                                                                    void *userdata);
 
+MONGOC_EXPORT(void)
+mongoc_client_encryption_opts_set_kms_connect_callback(mongoc_client_encryption_opts_t *opts,
+                                                       mongoc_kms_connect_callback_fn fn,
+                                                       void *userdata);
+
 MONGOC_EXPORT(void)
 mongoc_client_encryption_opts_set_key_expiration(mongoc_client_encryption_opts_t *opts, uint64_t cache_expiration_ms);
 

src/libmongoc/src/mongoc/mongoc-crypt-private.h

@@ -29,6 +29,11 @@ typedef struct mc_kms_credentials_callback {
    void *userdata;
 } mc_kms_credentials_callback;
 
+typedef struct mc_kms_connect_callback {
+   mongoc_kms_connect_callback_fn fn;
+   void *userdata;
+} mc_kms_connect_callback;
+
 #ifdef MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION
 
 /* For interacting with libmongocrypt */
@@ -53,6 +58,7 @@ _mongoc_crypt_new(const bson_t *kms_providers,
                   bool bypass_auto_encryption,
                   bool bypass_query_analysis,
                   mc_kms_credentials_callback creds_cb,
+                  mc_kms_connect_callback connect_cb,
                   mcd_optional_u64_t cache_expiration_ms,
                   bson_error_t *error);
 

src/libmongoc/src/mongoc/mongoc-crypt.c

@@ -134,6 +134,10 @@ struct __mongoc_crypt_t {
    /// credentials.
    bson_t kms_providers;
    mc_kms_credentials_callback creds_cb;
+   /// Optional callback to obtain the base socket to KMS. When set, the
+   /// driver uses it instead of `mongoc_client_connect_tcp` and still wraps
+   /// the returned stream with TLS.
+   mc_kms_connect_callback connect_cb;
 
    /// The most recently auto-acquired Azure token, on null if it was destroyed
    /// or not yet acquired.
@@ -507,7 +511,11 @@ _state_need_mongo_keys(_state_machine_t *state_machine, bson_error_t *error)
 }
 
 static mongoc_stream_t *
-_get_stream(const char *endpoint, int32_t connecttimeoutms, const mongoc_ssl_opt_t *ssl_opt, bson_error_t *error)
+_get_stream(const char *endpoint,
+            int32_t connecttimeoutms,
+            const mongoc_ssl_opt_t *ssl_opt,
+            const mc_kms_connect_callback *connect_cb,
+            bson_error_t *error)
 {
    mongoc_stream_t *base_stream = NULL;
    mongoc_stream_t *tls_stream = NULL;
@@ -519,9 +527,23 @@ _get_stream(const char *endpoint, int32_t connecttimeoutms, const mongoc_ssl_opt
       goto fail;
    }
 
-   base_stream = mongoc_client_connect_tcp(connecttimeoutms, &host, error);
-   if (!base_stream) {
-      goto fail;
+   if (connect_cb && connect_cb->fn) {
+      base_stream = connect_cb->fn(host.host, (int32_t)host.port, connect_cb->userdata, error);
+      if (!base_stream) {
+         if (error && error->code == 0) {
+            _mongoc_set_error(error,
+                              MONGOC_ERROR_STREAM,
+                              MONGOC_ERROR_STREAM_CONNECT,
+                              "KMS connect callback returned NULL for endpoint: %s",
+                              endpoint);
+         }
+         goto fail;
+      }
+   } else {
+      base_stream = mongoc_client_connect_tcp(connecttimeoutms, &host, error);
+      if (!base_stream) {
+         goto fail;
+      }
    }
 
    /* Wrap in a tls_stream. */
@@ -602,11 +624,11 @@ _state_need_kms(_state_machine_t *state_machine, bson_error_t *error)
       mlib_sleep_for(sleep_usec, us);
 
       mongoc_stream_destroy(tls_stream);
-      tls_stream = _get_stream(endpoint, sockettimeout, ssl_opt, error);
+      tls_stream = _get_stream(endpoint, sockettimeout, ssl_opt, &state_machine->crypt->connect_cb, error);
 #ifdef MONGOC_ENABLE_SSL_SECURE_CHANNEL
       /* Retry once with schannel as a workaround for CDRIVER-3566. */
       if (!tls_stream) {
-         tls_stream = _get_stream(endpoint, sockettimeout, ssl_opt, error);
+         tls_stream = _get_stream(endpoint, sockettimeout, ssl_opt, &state_machine->crypt->connect_cb, error);
       }
 #endif
       if (!tls_stream) {
@@ -1403,6 +1425,7 @@ _mongoc_crypt_new(const bson_t *kms_providers,
                   bool bypass_auto_encryption,
                   bool bypass_query_analysis,
                   mc_kms_credentials_callback creds_cb,
+                  mc_kms_connect_callback connect_cb,
                   mcd_optional_u64_t cache_expiration_ms,
                   bson_error_t *error)
 {
@@ -1517,6 +1540,7 @@ _mongoc_crypt_new(const bson_t *kms_providers,
    }
 
    crypt->creds_cb = creds_cb;
+   crypt->connect_cb = connect_cb;
 
    success = true;
 fail: