authorAndrew Shuvalov <andrew.shuvalov@mongodb.com>2020-11-04 03:47:34 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-11-05 22:45:59 +0000
commiteb98e34176e5964d883d57e1b9c0cb196ae49c64 (patch)
tree1bf6053a2bd28ec44212762e5809e38292c51b1d /src/mongo/executor
parent181fe6f7b1d0f092e8b7e196671fec2c2f45d671 (diff)
SERVER-51811: No-op wiring of transient SSL params in related methods
Diffstat (limited to 'src/mongo/executor')
-rw-r--r--src/mongo/executor/connection_pool.cpp9
-rw-r--r--src/mongo/executor/connection_pool.h23
-rw-r--r--src/mongo/executor/connection_pool_tl.cpp3
-rw-r--r--src/mongo/executor/connection_pool_tl.h24
-rw-r--r--src/mongo/executor/network_interface_integration_fixture.cpp3
-rw-r--r--src/mongo/executor/network_interface_integration_fixture.h4
-rw-r--r--src/mongo/executor/network_interface_tl.cpp16
-rw-r--r--src/mongo/executor/network_interface_tl.h2
8 files changed, 59 insertions, 25 deletions
diff --git a/src/mongo/executor/connection_pool.cpp b/src/mongo/executor/connection_pool.cpp
index 38ff62eebf4..36275566ce0 100644
--- a/src/mongo/executor/connection_pool.cpp
+++ b/src/mongo/executor/connection_pool.cpp
@@ -450,12 +450,15 @@ auto ConnectionPool::SpecificPool::make(std::shared_ptr<ConnectionPool> parent,
const Status ConnectionPool::kConnectionStateUnknown =
Status(ErrorCodes::InternalError, "Connection is in an unknown state");
-ConnectionPool::ConnectionPool(std::shared_ptr<DependentTypeFactoryInterface> impl,
- std::string name,
- Options options)
+ConnectionPool::ConnectionPool(
+ std::shared_ptr<DependentTypeFactoryInterface> impl,
+ std::string name,
+ Options options,
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext)
: _name(std::move(name)),
_factory(std::move(impl)),
_options(std::move(options)),
+ _transientSSLContext(std::move(transientSSLContext)),
_controller(_options.controllerFactory()),
_manager(options.egressTagCloserManager) {
if (_manager) {
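Review bot: `_manager(options.egressTagCloserManager)` on the last context line of the initializer list reads `options` after `_options(std::move(options))` three lines above has moved from it. Whether that is safe depends on the declaration order of `_manager` relative to `_options` and on the member's type (a raw pointer survives a default move, a `std::shared_ptr` is left null), neither of which is visible here, and the newly inserted `_transientSSLContext` initializer makes the list longer and the dependency easier to miss. Since the initializer list is being reshaped anyway, `_manager(_options.egressTagCloserManager)` removes the doubt without changing behavior when the order is already correct. The constructor body continues past the hunk.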
diff --git a/src/mongo/executor/connection_pool.h b/src/mongo/executor/connection_pool.h
index 88348a34423..64ee4c22cbb 100644
--- a/src/mongo/executor/connection_pool.h
+++ b/src/mongo/executor/connection_pool.h
@@ -33,6 +33,7 @@
#include <memory>
#include <queue>
+#include "mongo/config.h"
#include "mongo/executor/egress_tag_closer.h"
#include "mongo/executor/egress_tag_closer_manager.h"
#include "mongo/platform/mutex.h"
@@ -43,6 +44,7 @@
#include "mongo/util/future.h"
#include "mongo/util/hierarchical_acquisition.h"
#include "mongo/util/net/hostandport.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/out_of_line_executor.h"
#include "mongo/util/time_support.h"
@@ -150,6 +152,14 @@ public:
*/
bool skipAuthentication = false;
+#ifdef MONGO_CONFIG_SSL
+ /**
+ * Provides SSL params if the egress cluster connection requires custom SSL certificates
+ * different from the global (default) certificates.
+ */
+ boost::optional<TransientSSLParams> transientSSLParams;
+#endif
+
std::function<std::shared_ptr<ControllerInterface>(void)> controllerFactory =
&ConnectionPool::makeLimitController;
};
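Review bot: `transientSSLParams` exists only under `#ifdef MONGO_CONFIG_SSL`, yet the consumer added in the same commit (`NetworkInterfaceTL` constructor, `if (_connPoolOpts.transientSSLParams)`) reads it with no guard, so a build configured without SSL would fail to compile unless the member is declared elsewhere for that configuration; either wrap the read in the same `#ifdef` or declare the field unconditionally. `boost::optional` is used without a visible `boost/optional.hpp` include; it may arrive transitively through `ssl_options.h`, but an explicit include is cheaper than finding out later. The doc comment could also state the fallback contract that operators will care about, e.g. `* Absent (the default) means outbound connections use the process-wide SSL context.` — assuming that is the intended behavior when the params are not set.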
@@ -226,9 +236,11 @@ public:
bool canShutdown = false;
};
- explicit ConnectionPool(std::shared_ptr<DependentTypeFactoryInterface> impl,
- std::string name,
- Options options = Options{});
+ explicit ConnectionPool(
+ std::shared_ptr<DependentTypeFactoryInterface> impl,
+ std::string name,
+ Options options = Options{},
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext = {});
~ConnectionPool();
@@ -257,7 +269,10 @@ private:
std::string _name;
const std::shared_ptr<DependentTypeFactoryInterface> _factory;
- Options _options;
+ const Options _options;
+
+ // SSL context for the connections that require non-default SSL paramaeters.
+ std::shared_ptr<const transport::SSLConnectionContext> _transientSSLContext;
std::shared_ptr<ControllerInterface> _controller;
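Review bot: Typo in the new member comment, and it would help to tie the member to the option it derives from: `// Pre-built SSL context for pools whose Options::transientSSLParams require non-default certificates; nullptr means the default context is used.` The nullptr clause is what the default constructor argument `= {}` suggests, but the actual fallback happens in the connection factory, which is not visible here, so confirm before committing to that wording. The class body continues outside the hunk.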
diff --git a/src/mongo/executor/connection_pool_tl.cpp b/src/mongo/executor/connection_pool_tl.cpp
index 1961c9b21d1..4ae4faf570a 100644
--- a/src/mongo/executor/connection_pool_tl.cpp
+++ b/src/mongo/executor/connection_pool_tl.cpp
@@ -271,7 +271,8 @@ void TLConnection::setup(Milliseconds timeout, SetupCallback cb) {
auto isMasterHook = std::make_shared<TLConnectionSetupHook>(_onConnectHook);
- AsyncDBClient::connect(_peer, _sslMode, _serviceContext, _reactor, timeout, _sslContextOverride)
+ AsyncDBClient::connect(
+ _peer, _sslMode, _serviceContext, _reactor, timeout, _transientSSLContext)
.thenRunOn(_reactor)
.onError([](StatusWith<AsyncDBClient::Handle> swc) -> StatusWith<AsyncDBClient::Handle> {
return Status(ErrorCodes::HostUnreachable, swc.getStatus().reason());
diff --git a/src/mongo/executor/connection_pool_tl.h b/src/mongo/executor/connection_pool_tl.h
index a1338c98b86..a147071f54d 100644
--- a/src/mongo/executor/connection_pool_tl.h
+++ b/src/mongo/executor/connection_pool_tl.h
@@ -134,15 +134,16 @@ private:
class TLConnection final : public ConnectionPool::ConnectionInterface, public TLTypeFactory::Type {
public:
- TLConnection(const std::shared_ptr<TLTypeFactory>& factory,
- transport::ReactorHandle reactor,
- ServiceContext* serviceContext,
- HostAndPort peer,
- transport::ConnectSSLMode sslMode,
- size_t generation,
- NetworkConnectionHook* onConnectHook,
- bool skipAuth,
- std::shared_ptr<transport::SSLConnectionContext> sslContextOverride = nullptr)
+ TLConnection(
+ const std::shared_ptr<TLTypeFactory>& factory,
+ transport::ReactorHandle reactor,
+ ServiceContext* serviceContext,
+ HostAndPort peer,
+ transport::ConnectSSLMode sslMode,
+ size_t generation,
+ NetworkConnectionHook* onConnectHook,
+ bool skipAuth,
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext = nullptr)
: ConnectionInterface(generation),
TLTypeFactory::Type(factory),
_reactor(reactor),
@@ -152,7 +153,7 @@ public:
_peer(std::move(peer)),
_sslMode(sslMode),
_onConnectHook(onConnectHook),
- _sslContextOverride(sslContextOverride) {}
+ _transientSSLContext(transientSSLContext) {}
~TLConnection() {
// Release must be the first expression of this dtor
release();
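Review bot: `_transientSSLContext(transientSSLContext)` copies a `shared_ptr` that was taken by value, costing an extra atomic refcount increment and decrement per connection constructed; `_transientSSLContext(std::move(transientSSLContext))` is the conventional sink form and matches how `_peer` is initialised just above it. The rest of the initializer list lies outside the hunk.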
@@ -190,7 +191,8 @@ private:
HostAndPort _peer;
transport::ConnectSSLMode _sslMode;
NetworkConnectionHook* const _onConnectHook;
- std::shared_ptr<transport::SSLConnectionContext> _sslContextOverride;
+ // SSL context to use intead of the default one for this pool.
+ std::shared_ptr<const transport::SSLConnectionContext> _transientSSLContext;
AsyncDBClient::Handle _client;
};
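Review bot: Typo in the new comment ("intead"), and "for this pool" is slightly misleading on a per-connection member; suggest `// SSL context to use instead of the default one for this connection (shared by all connections of the owning pool); nullptr selects the default.` Note also that `_sslMode` sits two lines above: if the mode disables SSL the transient context is presumably ignored, and a one-line comment stating which of the two wins would save the next reader a trip into `AsyncDBClient::connect`, which I cannot see from here.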
diff --git a/src/mongo/executor/network_interface_integration_fixture.cpp b/src/mongo/executor/network_interface_integration_fixture.cpp
index 77ea859440b..7577c7c2a1e 100644
--- a/src/mongo/executor/network_interface_integration_fixture.cpp
+++ b/src/mongo/executor/network_interface_integration_fixture.cpp
@@ -48,8 +48,7 @@ namespace mongo {
namespace executor {
void NetworkInterfaceIntegrationFixture::createNet(
- std::unique_ptr<NetworkConnectionHook> connectHook) {
- ConnectionPool::Options options;
+ std::unique_ptr<NetworkConnectionHook> connectHook, ConnectionPool::Options options) {
options.minConnections = 0u;
diff --git a/src/mongo/executor/network_interface_integration_fixture.h b/src/mongo/executor/network_interface_integration_fixture.h
index b52a5bb28d4..c98b7e70393 100644
--- a/src/mongo/executor/network_interface_integration_fixture.h
+++ b/src/mongo/executor/network_interface_integration_fixture.h
@@ -31,6 +31,7 @@
#include "mongo/unittest/unittest.h"
#include "mongo/client/connection_string.h"
+#include "mongo/executor/connection_pool.h"
#include "mongo/executor/network_connection_hook.h"
#include "mongo/executor/network_interface.h"
#include "mongo/executor/task_executor.h"
@@ -63,7 +64,8 @@ using StartCommandCB = std::function<void(const RemoteCommandResponse&)>;
class NetworkInterfaceIntegrationFixture : public mongo::unittest::Test {
public:
- void createNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr);
+ void createNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr,
+ ConnectionPool::Options options = {});
void startNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr);
void tearDown() override;
diff --git a/src/mongo/executor/network_interface_tl.cpp b/src/mongo/executor/network_interface_tl.cpp
index ecc650fd17f..d74e3bf9ce6 100644
--- a/src/mongo/executor/network_interface_tl.cpp
+++ b/src/mongo/executor/network_interface_tl.cpp
@@ -124,11 +124,23 @@ NetworkInterfaceTL::NetworkInterfaceTL(std::string instanceName,
_tl = _ownedTransportLayer.get();
}
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext;
+ if (_connPoolOpts.transientSSLParams) {
+ // TODO: uncomment when changes for SERVER-51599 are submitted.
+ // auto statusOrContext = _tl->createTransientSSLContext(
+ // _connPoolOpts.transientSSLParams.get(), nullptr, true /* asyncOCSPStaple */);
+ // uassertStatusOK(statusOrContext.getStatus());
+ // transientSSLContext = std::make_shared<const transport::SSLConnectionContext>(
+ // std::move(statusOrContext.getValue()));
+ }
+
_reactor = _tl->getReactor(transport::TransportLayer::kNewReactor);
auto typeFactory = std::make_unique<connection_pool_tl::TLTypeFactory>(
_reactor, _tl, std::move(_onConnectHook), _connPoolOpts);
- _pool = std::make_shared<ConnectionPool>(
- std::move(typeFactory), std::string("NetworkInterfaceTL-") + _instanceName, _connPoolOpts);
+ _pool = std::make_shared<ConnectionPool>(std::move(typeFactory),
+ std::string("NetworkInterfaceTL-") + _instanceName,
+ _connPoolOpts,
+ transientSSLContext);
if (TestingProctor::instance().isEnabled()) {
_counters = std::make_unique<SynchronizedCounters>();
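Review bot: With the body of the `if (_connPoolOpts.transientSSLParams)` block entirely commented out, a caller that explicitly asks for non-default certificates gets `transientSSLContext == nullptr` and the pool silently connects with the global SSL context — a fail-open that is easy to miss because the option is accepted without complaint. Even as a deliberate no-op, the request should be refused loudly until SERVER-51599 lands, so that nobody can ship a configuration that believes it is pinned to custom certificates when it is not. The same block also reads `transientSSLParams` unguarded although `ConnectionPool::Options` declares it only under `#ifdef MONGO_CONFIG_SSL`, so a non-SSL build would not compile; both points are addressed below. The constructor continues outside the hunk in both directions.

```cpp
    std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext;
#ifdef MONGO_CONFIG_SSL
    if (_connPoolOpts.transientSSLParams) {
        // TODO(SERVER-51599): build the context from the params here. Until then, refuse the
        // request instead of silently falling back to the global SSL context.
        uasserted(ErrorCodes::InternalError,
                  "transient SSL parameters are not yet supported by NetworkInterfaceTL");
    }
#endif
    // … unchanged: reactor and type factory setup, pool construction …
```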
diff --git a/src/mongo/executor/network_interface_tl.h b/src/mongo/executor/network_interface_tl.h
index 7dfb40fbba4..4dde6c8fdfd 100644
--- a/src/mongo/executor/network_interface_tl.h
+++ b/src/mongo/executor/network_interface_tl.h
@@ -342,7 +342,7 @@ private:
mutable Mutex _mutex =
MONGO_MAKE_LATCH(HierarchicalAcquisitionLevel(3), "NetworkInterfaceTL::_mutex");
- ConnectionPool::Options _connPoolOpts;
+ const ConnectionPool::Options _connPoolOpts;
std::unique_ptr<NetworkConnectionHook> _onConnectHook;
std::shared_ptr<ConnectionPool> _pool;