authorCheahuychou Mao <mao.cheahuychou@gmail.com>2020-12-16 17:09:45 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-01-05 05:58:56 +0000
commitdc3ef13edd2ec8054f97fd160e72dae5edec3061 (patch)
treeb8198ba35ab8715f53df1b4ead6e493f034e2f1a /src/mongo/client
parent1dfe8355a2b034ded045191f4e3d4be827365621 (diff)
downloadmongo-dc3ef13edd2ec8054f97fd160e72dae5edec3061.tar.gz
SERVER-52707 Make tenant migration recipient use x509 certificate to connect to donor
Diffstat (limited to 'src/mongo/client')
-rw-r--r--src/mongo/client/connection_string.h4
-rw-r--r--src/mongo/client/connection_string_connect.cpp9
-rw-r--r--src/mongo/client/dbclient_connection.cpp19
-rw-r--r--src/mongo/client/dbclient_connection.h12
4 files changed, 32 insertions, 12 deletions
diff --git a/src/mongo/client/connection_string.h b/src/mongo/client/connection_string.h
index 77f5f73a277..d505e1e5d24 100644
--- a/src/mongo/client/connection_string.h
+++ b/src/mongo/client/connection_string.h
@@ -46,6 +46,7 @@ namespace mongo {
class ClientAPIVersionParameters;
class DBClientBase;
class MongoURI;
+struct TransientSSLParams;
/**
* ConnectionString handles parsing different ways to connect to mongo and determining method
@@ -150,7 +151,8 @@ public:
std::string& errmsg,
double socketTimeout = 0,
const MongoURI* uri = nullptr,
- const ClientAPIVersionParameters* apiParameters = nullptr) const;
+ const ClientAPIVersionParameters* apiParameters = nullptr,
+ const TransientSSLParams* transientSSLParams = nullptr) const;
static StatusWith<ConnectionString> parse(const std::string& url);
diff --git a/src/mongo/client/connection_string_connect.cpp b/src/mongo/client/connection_string_connect.cpp
index ae4bf55d6fd..28cc448639c 100644
--- a/src/mongo/client/connection_string_connect.cpp
+++ b/src/mongo/client/connection_string_connect.cpp
@@ -51,7 +51,8 @@ std::unique_ptr<DBClientBase> ConnectionString::connect(
std::string& errmsg,
double socketTimeout,
const MongoURI* uri,
- const ClientAPIVersionParameters* apiParameters) const {
+ const ClientAPIVersionParameters* apiParameters,
+ const TransientSSLParams* transientSSLParams) const {
MongoURI newURI{};
if (uri) {
newURI = *uri;
@@ -69,7 +70,11 @@ std::unique_ptr<DBClientBase> ConnectionString::connect(
"Creating new connection to: {hostAndPort}",
"Creating new connection",
"hostAndPort"_attr = server);
- if (!c->connect(server, applicationName, errmsg)) {
+ if (!c->connect(server,
+ applicationName,
+ errmsg,
+ transientSSLParams ? boost::make_optional(*transientSSLParams)
+ : boost::none)) {
continue;
}
LOGV2_DEBUG(20110, 1, "Connected connection!");
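Review bot: `transientSSLParams` is forwarded only at this `c->connect(...)` call, so any other connection path inside `ConnectionString::connect` (the rest of the function is outside the hunk) would accept the pointer and then connect with the default TLS configuration instead of the caller's certificate. If such paths exist, return an error there when the pointer is non-null rather than ignoring it, and state the contract at the declaration, e.g. `// transientSSLParams is honoured only on the direct-connection path; other paths must fail if it is set.` The `boost::make_optional(*transientSSLParams)` expression also copies the struct on every pass through the enclosing loop.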
diff --git a/src/mongo/client/dbclient_connection.cpp b/src/mongo/client/dbclient_connection.cpp
index 49b581d5d2d..383be9ee5d7 100644
--- a/src/mongo/client/dbclient_connection.cpp
+++ b/src/mongo/client/dbclient_connection.cpp
@@ -275,8 +275,9 @@ Status DBClientConnection::authenticateInternalUser(auth::StepDownBehavior stepD
bool DBClientConnection::connect(const HostAndPort& server,
StringData applicationName,
- std::string& errmsg) {
- auto connectStatus = connect(server, applicationName);
+ std::string& errmsg,
+ boost::optional<TransientSSLParams> transientSSLParams) {
+ auto connectStatus = connect(server, applicationName, transientSSLParams);
if (!connectStatus.isOK()) {
errmsg = connectStatus.reason();
return false;
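Review bot: `boost::optional<TransientSSLParams>` is taken by value here and handed on by value to the `Status connect` overload and to `connectSocketOnly` (the next two hunks), so the parameters are copied at each layer. The struct's contents are not visible on this page, but if it carries certificate or key material, as its use for x509 suggests, every copy is one more place that material sits in memory. Taking `const boost::optional<TransientSSLParams>& transientSSLParams` in the three definitions and their declarations in dbclient_connection.h leaves the call sites unchanged. The body of this function continues outside the hunk.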
@@ -284,8 +285,10 @@ bool DBClientConnection::connect(const HostAndPort& server,
return true;
}
-Status DBClientConnection::connect(const HostAndPort& serverAddress, StringData applicationName) {
- auto connectStatus = connectSocketOnly(serverAddress);
+Status DBClientConnection::connect(const HostAndPort& serverAddress,
+ StringData applicationName,
+ boost::optional<TransientSSLParams> transientSSLParams) {
+ auto connectStatus = connectSocketOnly(serverAddress, transientSSLParams);
if (!connectStatus.isOK()) {
return connectStatus;
}
@@ -391,7 +394,8 @@ Status DBClientConnection::connect(const HostAndPort& serverAddress, StringData
return Status::OK();
}
-Status DBClientConnection::connectSocketOnly(const HostAndPort& serverAddress) {
+Status DBClientConnection::connectSocketOnly(
+ const HostAndPort& serverAddress, boost::optional<TransientSSLParams> transientSSLParams) {
_serverAddress = serverAddress;
_markFailed(kReleaseSession);
@@ -415,7 +419,10 @@ Status DBClientConnection::connectSocketOnly(const HostAndPort& serverAddress) {
}
auto sws = getGlobalServiceContext()->getTransportLayer()->connect(
- serverAddress, _uri.getSSLMode(), _socketTimeout.value_or(Milliseconds{5000}));
+ serverAddress,
+ transientSSLParams ? transport::kEnableSSL : _uri.getSSLMode(),
+ _socketTimeout.value_or(Milliseconds{5000}),
+ transientSSLParams);
if (!sws.isOK()) {
return Status(ErrorCodes::HostUnreachable,
str::stream() << "couldn't connect to server " << _serverAddress.toString()
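Review bot: Nothing in the visible hunks keeps `transientSSLParams` on the connection: `connectSocketOnly` records `_serverAddress`, but the TLS parameters are used for this one transport-layer `connect` call only. Any later path that re-establishes the socket through the defaulted argument (none is visible here, so this needs checking) would fall back to `_uri.getSSLMode()` and the process-wide certificate, which for this feature means either a non-TLS attempt or presenting the wrong identity to the donor. Consider storing the value in a member next to `_serverAddress` and reading it on every connect, so the override cannot be lost after the first connection. The function starts and continues outside the hunk.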
diff --git a/src/mongo/client/dbclient_connection.h b/src/mongo/client/dbclient_connection.h
index 8532ddf231f..845af96d900 100644
--- a/src/mongo/client/dbclient_connection.h
+++ b/src/mongo/client/dbclient_connection.h
@@ -112,7 +112,10 @@ public:
* @param errmsg any relevant error message will appended to the string
* @return false if fails to connect.
*/
- bool connect(const HostAndPort& server, StringData applicationName, std::string& errmsg);
+ bool connect(const HostAndPort& server,
+ StringData applicationName,
+ std::string& errmsg,
+ boost::optional<TransientSSLParams> transientSSLParams = boost::none);
/**
* Semantically equivalent to the previous connect method, but returns a Status
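Review bot: The doc comment above this `connect` overload still describes only the old parameters; the new `transientSSLParams` argument is undocumented here and on the two declarations changed in the following hunks. Add a line such as `@param transientSSLParams if set, connect over TLS with these parameters instead of the URI's SSL mode`, which matches what the `connectSocketOnly` change in dbclient_connection.cpp does. The comment block itself starts outside the hunk.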
@@ -120,7 +123,9 @@ public:
*
* @param server The server to connect to.
*/
- virtual Status connect(const HostAndPort& server, StringData applicationName);
+ virtual Status connect(const HostAndPort& server,
+ StringData applicationName,
+ boost::optional<TransientSSLParams> transientSSLParams = boost::none);
/**
* This version of connect does not run 'isMaster' after creating a TCP connection to the
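Review bot: Adding a parameter to the virtual `connect` changes its signature, so a subclass that still declares `connect(const HostAndPort&, StringData)` no longer overrides it; unless that declaration is marked `override`, the compiler accepts it silently and calls through the base type bypass the subclass. A default argument on a virtual function is also resolved from the static type of the caller's expression, not the dynamic one. Subclasses are not visible on this page, so confirm each override is updated and marked `override`, or keep the default off the virtual and provide it through a non-virtual forwarding overload.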
@@ -129,7 +134,8 @@ public:
*
* @param server The server to connect to.
*/
- Status connectSocketOnly(const HostAndPort& server);
+ Status connectSocketOnly(const HostAndPort& server,
+ boost::optional<TransientSSLParams> transientSSLParams = boost::none);
/**
* Logs out the connection for the given database.