DRIVERS-2920 CSFLE/QE Support for HTTP Proxies #1956
Co-authored-by: Kevin Albertson <kevin.eric.albertson@gmail.com>
kevinAlbs left a comment
LGTM with some additional formatting suggestions.
| type is intentionally left unspecified so that drivers may use the type that best fits their language (e.g., a function, | ||
| a callable object). | ||
|
|
||
| Drivers supporting CSOT must pass a time limit if set. |
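Review bot: The last line of this hunk, "Drivers supporting CSOT must pass a time limit if set.", does not say how the limit reaches the callback. The lines above it leave the callback type unspecified, so state here whether the limit is an additional callback argument and what the callback receives when no limit is set.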
I suggest moving this sentence up to the "When provided" paragraph to group it with the other description of arguments. And capitalize "must" to clarify it is a spec requirement.
Co-authored-by: Kevin Albertson <kevin.eric.albertson@gmail.com>
| type is intentionally left unspecified so that drivers may use the type that best fits their language (e.g., a function, | ||
| a callable object). | ||
|
|
||
| Drivers supporting CSOT must pass a time limit if set. |
Spec text only says "Drivers supporting CSOT must pass a time limit if set," and prose test Case 5 asserts "non-zero timeout." But nothing specifies what the callback receives — whether it's a remaining-budget duration vs. an absolute deadline. I assume it's probably remaining-budget duration but we should be explicit about that.
| 5. Return a socket-like object. | ||
|
|
||
| A `kmsConnectCallback` for an **HTTPS proxy** on port 9005 works the same way, except step 2 opens a TLS connection to | ||
| `127.0.0.1:9005` using [drivers-evergreen-tools/.evergreen/x509gen/ca.pem](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/x509gen/ca.pem). to verify the proxy's certificate. |
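Review bot: In the HTTPS proxy paragraph, the text names the CA file used to verify the proxy's certificate but does not say whether the callback is also expected to check the certificate's name against 127.0.0.1. Say so explicitly, and state that the test callback keeps verification enabled, so implementations do not settle for a chain-only check or skip the check to get the test passing.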
Typo. The HTTPS callback paragraph: "...x509gen/ca.pem). to verify the proxy's certificate" — stray period after the link.
Summary
Adds kmsConnectCallback to AutoEncryptionOpts and ClientEncryptionOpts, enabling drivers to override how TCP connections to KMS hosts are established. The primary use case is routing KMS traffic through an HTTP proxy via HTTPS CONNECT.
Spec changes
Added kmsConnectCallback: Optional<Callback> to both opts types. The callback receives (host, port) and returns a socket- or stream-like object (exact type is up to implementers). Drivers that provide an alternative proxy mechanism MAY omit the callback.
Prose tests
Added prose test 28, KMS Connect Callback:
Case 1: createDataKey() via a plain HTTP proxy; asserts proxy received a CONNECT.
Case 2: Same via an HTTPS proxy (proxy connection itself is TLS).
Case 3: Full auto encryption pipeline — creates a data key, inserts an auto-encrypted document, finds and decrypts it, verifies the raw document is encrypted, and asserts the proxy was used throughout.
The tests use kms_http_proxy.py as the local proxy server and run on AWS.
C Driver implementation
mongodb/mongo-c-driver#2318
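An added illustration of the kind of callback the description above outlines, for the plain HTTP proxy case; it is not code from this PR, the specification, or any driver. The function names, the default proxy address, and the third `timeout` argument (treated as a remaining budget in seconds) are assumptions of this sketch.

```python
import socket
import time

PROXY_ADDR = ("127.0.0.1", 8080)  # assumed address of a plain HTTP proxy


def parse_connect_status(head: bytes) -> int:
    """Return the status code from the proxy's reply to CONNECT."""
    line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy reply: {line!r}")
    return int(parts[1])


def kms_connect_callback(host, port, timeout=None, proxy=PROXY_ADDR):
    """Tunnel to host:port via proxy; timeout is remaining seconds (assumed)."""
    # Refuse values that could smuggle extra header lines into the request.
    if not host or any(c.isspace() or ord(c) < 0x20 for c in host):
        raise ValueError("invalid KMS host")
    deadline = None if timeout is None else time.monotonic() + timeout

    def remaining():
        if deadline is None:
            return None
        left = deadline - time.monotonic()
        if left <= 0:
            raise TimeoutError("time limit reached during proxy CONNECT")
        return left

    sock = socket.create_connection(proxy, timeout=remaining())
    try:
        target = f"{host}:{int(port)}"
        sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
        head = b""
        while not head.endswith(b"\r\n\r\n"):
            sock.settimeout(remaining())
            chunk = sock.recv(1)  # one byte at a time: never consume tunnel data
            if not chunk or len(head) >= 8192:
                raise ConnectionError("no complete reply from proxy")
            head += chunk
        status = parse_connect_status(head)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        sock.settimeout(remaining())
        return sock  # assumed: the driver then does KMS TLS over this tunnel
    except BaseException:
        sock.close()
        raise
```

The socket is closed on every failure path, so a refused or timed-out CONNECT does not leak a half-open connection to the proxy.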