
DRIVERS-2920 CSFLE/QE Support for HTTP Proxies #1956

Open
mdb-ad wants to merge 14 commits into mongodb:master from mdb-ad:http-proxy

@mdb-ad mdb-ad commented Jun 22, 2026

Summary

Adds kmsConnectCallback to AutoEncryptionOpts and ClientEncryptionOpts, enabling drivers to override how TCP connections to KMS hosts are established. The primary use case is routing KMS traffic through an HTTP proxy via HTTPS CONNECT.

Spec changes

Added kmsConnectCallback: Optional<Callback> to both opts types. The callback receives (host, port) and returns a socket- or stream-like object (exact type is up to implementers). Drivers that provide an alternative proxy mechanism MAY omit the callback.

Prose tests

Added prose test 28, KMS Connect Callback:
Case 1: createDataKey() via a plain HTTP proxy; asserts proxy received a CONNECT.
Case 2: Same via an HTTPS proxy (proxy connection itself is TLS).
Case 3: Full auto encryption pipeline — creates a data key, inserts an auto-encrypted document, finds and decrypts it, verifies the raw document is encrypted, and asserts the proxy was used throughout.

The tests use kms_http_proxy.py as the local proxy server and run on AWS.

C Driver implementation

mongodb/mongo-c-driver#2318
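
A sketch of what a `kmsConnectCallback` for a plain HTTP proxy can look like, added here as an illustration; it is not code from this PR, the spec, or any driver. The names `make_kms_connect_callback` and `MAX_HEADER`, the proxy address parameters, and the treatment of the time limit as a per-operation timeout in seconds are assumptions.

```python
import socket

MAX_HEADER = 8192  # assumed cap on the proxy's response header, in bytes


def make_kms_connect_callback(proxy_host, proxy_port):
    """Build a (host, port) -> socket callback that tunnels through an HTTP proxy."""

    def kms_connect(host, port, timeout=None):
        # Refuse hosts containing whitespace, CR/LF or non-ASCII characters:
        # they would let a caller smuggle extra request lines or headers.
        if not host or any(not 0x21 <= ord(c) <= 0x7E for c in host):
            raise ValueError("invalid KMS host")
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError("invalid KMS port")
        # Assumption: timeout is in seconds and applies per socket operation.
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
        try:
            target = f"{host}:{port}"
            request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            # Read byte by byte so nothing past the header is consumed.
            header = bytearray()
            while not header.endswith(b"\r\n\r\n"):
                if len(header) >= MAX_HEADER:
                    raise ConnectionError("proxy response header too large")
                byte = sock.recv(1)
                if not byte:
                    raise ConnectionError("proxy closed during CONNECT")
                header += byte
            status = bytes(header).split(b"\r\n", 1)[0].split(b" ", 2)
            ok = (len(status) >= 2 and status[0].startswith(b"HTTP/1.")
                  and len(status[1]) == 3 and status[1].isdigit()
                  and status[1].startswith(b"2"))
            if not ok:
                raise ConnectionError(f"proxy refused CONNECT: {status!r}")
            # Tunnel is open; the caller is assumed to run TLS to the KMS host on it.
            return sock
        except Exception:
            sock.close()
            raise

    return kms_connect
```
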

@mdb-ad mdb-ad marked this pull request as ready for review June 25, 2026 20:19
@mdb-ad mdb-ad requested a review from a team as a code owner June 25, 2026 20:19
Comment thread source/client-side-encryption/client-side-encryption.md Outdated
Comment thread source/client-side-encryption/tests/README.md Outdated
Comment thread source/client-side-encryption/tests/README.md Outdated
Comment thread source/client-side-encryption/tests/README.md Outdated
Comment thread source/client-side-encryption/tests/README.md Outdated
Comment thread source/client-side-encryption/tests/README.md
Comment thread source/client-side-encryption/client-side-encryption.md
@mdb-ad mdb-ad requested a review from kevinAlbs July 2, 2026 07:11

@kevinAlbs kevinAlbs left a comment

LGTM with some additional formatting suggestions.

Comment thread source/client-side-encryption/tests/README.md Outdated
Comment thread source/client-side-encryption/tests/README.md Outdated
type is intentionally left unspecified so that drivers may use the type that best fits their language (e.g., a function,
a callable object).

Drivers supporting CSOT must pass a time limit if set.

I suggest moving this sentence up to the "When provided" paragraph to group it with the other description of arguments. And capitalize "must" to clarify it is a spec requirement.

Comment thread source/client-side-encryption/tests/README.md Outdated
Co-authored-by: Kevin Albertson <kevin.eric.albertson@gmail.com>
type is intentionally left unspecified so that drivers may use the type that best fits their language (e.g., a function,
a callable object).

Drivers supporting CSOT must pass a time limit if set.

Spec text only says "Drivers supporting CSOT must pass a time limit if set," and prose test Case 5 asserts "non-zero timeout." But nothing specifies what the callback receives — whether it's a remaining-budget duration vs. an absolute deadline. I assume it's probably remaining-budget duration but we should be explicit about that.

5. Return a socket-like object.

A `kmsConnectCallback` for an **HTTPS proxy** on port 9005 works the same way, except step 2 opens a TLS connection to
`127.0.0.1:9005` using [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). to verify the proxy's certificate.

Typo. The HTTPS callback paragraph: "...x509gen/ca.pem). to verify the proxy's certificate" — stray period after the link.
