authorAndrew Shuvalov <andrew.shuvalov@mongodb.com>2020-11-04 03:47:34 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-11-05 22:45:59 +0000
commiteb98e34176e5964d883d57e1b9c0cb196ae49c64 (patch)
tree1bf6053a2bd28ec44212762e5809e38292c51b1d /src/mongo
parent181fe6f7b1d0f092e8b7e196671fec2c2f45d671 (diff)
SERVER-51811: No-op wiring of transient SSL params in related methods
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/client/async_client.cpp4
-rw-r--r--src/mongo/client/async_client.h2
-rw-r--r--src/mongo/executor/connection_pool.cpp9
-rw-r--r--src/mongo/executor/connection_pool.h23
-rw-r--r--src/mongo/executor/connection_pool_tl.cpp3
-rw-r--r--src/mongo/executor/connection_pool_tl.h24
-rw-r--r--src/mongo/executor/network_interface_integration_fixture.cpp3
-rw-r--r--src/mongo/executor/network_interface_integration_fixture.h4
-rw-r--r--src/mongo/executor/network_interface_tl.cpp16
-rw-r--r--src/mongo/executor/network_interface_tl.h2
-rw-r--r--src/mongo/transport/session_asio.h6
-rw-r--r--src/mongo/transport/transport_layer.h2
-rw-r--r--src/mongo/transport/transport_layer_asio.cpp6
-rw-r--r--src/mongo/transport/transport_layer_asio.h4
-rw-r--r--src/mongo/transport/transport_layer_manager.cpp4
-rw-r--r--src/mongo/transport/transport_layer_manager.h2
-rw-r--r--src/mongo/transport/transport_layer_mock.cpp2
-rw-r--r--src/mongo/transport/transport_layer_mock.h2
-rw-r--r--src/mongo/util/net/ssl_options.h10
19 files changed, 86 insertions, 42 deletions
diff --git a/src/mongo/client/async_client.cpp b/src/mongo/client/async_client.cpp
index 4045e3097b5..f637a3c0f17 100644
--- a/src/mongo/client/async_client.cpp
+++ b/src/mongo/client/async_client.cpp
@@ -63,9 +63,9 @@ Future<AsyncDBClient::Handle> AsyncDBClient::connect(
ServiceContext* const context,
transport::ReactorHandle reactor,
Milliseconds timeout,
- std::shared_ptr<transport::SSLConnectionContext> sslContextOverride) {
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext) {
auto tl = context->getTransportLayer();
- return tl->asyncConnect(peer, sslMode, std::move(reactor), timeout, sslContextOverride)
+ return tl->asyncConnect(peer, sslMode, std::move(reactor), timeout, transientSSLContext)
.then([peer, context](transport::SessionHandle session) {
return std::make_shared<AsyncDBClient>(peer, std::move(session), context);
});
diff --git a/src/mongo/client/async_client.h b/src/mongo/client/async_client.h
index 06640d0b505..1bfcdad04bd 100644
--- a/src/mongo/client/async_client.h
+++ b/src/mongo/client/async_client.h
@@ -61,7 +61,7 @@ public:
ServiceContext* const context,
transport::ReactorHandle reactor,
Milliseconds timeout,
- std::shared_ptr<transport::SSLConnectionContext> sslContextOverride = nullptr);
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext = nullptr);
Future<executor::RemoteCommandResponse> runCommandRequest(
executor::RemoteCommandRequest request, const BatonHandle& baton = nullptr);
diff --git a/src/mongo/executor/connection_pool.cpp b/src/mongo/executor/connection_pool.cpp
index 38ff62eebf4..36275566ce0 100644
--- a/src/mongo/executor/connection_pool.cpp
+++ b/src/mongo/executor/connection_pool.cpp
@@ -450,12 +450,15 @@ auto ConnectionPool::SpecificPool::make(std::shared_ptr<ConnectionPool> parent,
const Status ConnectionPool::kConnectionStateUnknown =
Status(ErrorCodes::InternalError, "Connection is in an unknown state");
-ConnectionPool::ConnectionPool(std::shared_ptr<DependentTypeFactoryInterface> impl,
- std::string name,
- Options options)
+ConnectionPool::ConnectionPool(
+ std::shared_ptr<DependentTypeFactoryInterface> impl,
+ std::string name,
+ Options options,
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext)
: _name(std::move(name)),
_factory(std::move(impl)),
_options(std::move(options)),
+ _transientSSLContext(std::move(transientSSLContext)),
_controller(_options.controllerFactory()),
_manager(options.egressTagCloserManager) {
if (_manager) {
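Review bot: The initializer `_manager(options.egressTagCloserManager)` reads `options` after the preceding initializer has already moved it into `_options`, and the rewritten constructor keeps that ordering. It presumably works only because a defaulted move leaves a pointer-like member in place, which is fragile if `Options` ever gains a user-defined move. Reading from the member instead avoids the question: `_manager(_options.egressTagCloserManager) {`. The newly stored `_transientSSLContext` is not read anywhere in the visible lines, consistent with the "no-op wiring" in the title, but a short comment on the constructor stating that the context is carried for later use would save the next reader a search. The constructor body continues outside the hunk.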
diff --git a/src/mongo/executor/connection_pool.h b/src/mongo/executor/connection_pool.h
index 88348a34423..64ee4c22cbb 100644
--- a/src/mongo/executor/connection_pool.h
+++ b/src/mongo/executor/connection_pool.h
@@ -33,6 +33,7 @@
#include <memory>
#include <queue>
+#include "mongo/config.h"
#include "mongo/executor/egress_tag_closer.h"
#include "mongo/executor/egress_tag_closer_manager.h"
#include "mongo/platform/mutex.h"
@@ -43,6 +44,7 @@
#include "mongo/util/future.h"
#include "mongo/util/hierarchical_acquisition.h"
#include "mongo/util/net/hostandport.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/out_of_line_executor.h"
#include "mongo/util/time_support.h"
@@ -150,6 +152,14 @@ public:
*/
bool skipAuthentication = false;
+#ifdef MONGO_CONFIG_SSL
+ /**
+ * Provides SSL params if the egress cluster connection requires custom SSL certificates
+ * different from the global (default) certificates.
+ */
+ boost::optional<TransientSSLParams> transientSSLParams;
+#endif
+
std::function<std::shared_ptr<ControllerInterface>(void)> controllerFactory =
&ConnectionPool::makeLimitController;
};
@@ -226,9 +236,11 @@ public:
bool canShutdown = false;
};
- explicit ConnectionPool(std::shared_ptr<DependentTypeFactoryInterface> impl,
- std::string name,
- Options options = Options{});
+ explicit ConnectionPool(
+ std::shared_ptr<DependentTypeFactoryInterface> impl,
+ std::string name,
+ Options options = Options{},
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext = {});
~ConnectionPool();
@@ -257,7 +269,10 @@ private:
std::string _name;
const std::shared_ptr<DependentTypeFactoryInterface> _factory;
- Options _options;
+ const Options _options;
+
+ // SSL context for the connections that require non-default SSL paramaeters.
+ std::shared_ptr<const transport::SSLConnectionContext> _transientSSLContext;
std::shared_ptr<ControllerInterface> _controller;
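Review bot: The new member comment has a typo, `paramaeters`, and does not say how `_transientSSLContext` relates to the `Options::transientSSLParams` field added earlier in this header, which is the question a reader will have. Suggest `// SSL context built from Options::transientSSLParams; null means the global (default) SSL context is used.`, hedged to whatever the eventual wiring does. Note also that `Options::transientSSLParams` is declared only under `#ifdef MONGO_CONFIG_SSL` while the constructor parameter and member are unconditional; that asymmetry is fine in itself but any code that dereferences the option needs the same guard.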
diff --git a/src/mongo/executor/connection_pool_tl.cpp b/src/mongo/executor/connection_pool_tl.cpp
index 1961c9b21d1..4ae4faf570a 100644
--- a/src/mongo/executor/connection_pool_tl.cpp
+++ b/src/mongo/executor/connection_pool_tl.cpp
@@ -271,7 +271,8 @@ void TLConnection::setup(Milliseconds timeout, SetupCallback cb) {
auto isMasterHook = std::make_shared<TLConnectionSetupHook>(_onConnectHook);
- AsyncDBClient::connect(_peer, _sslMode, _serviceContext, _reactor, timeout, _sslContextOverride)
+ AsyncDBClient::connect(
+ _peer, _sslMode, _serviceContext, _reactor, timeout, _transientSSLContext)
.thenRunOn(_reactor)
.onError([](StatusWith<AsyncDBClient::Handle> swc) -> StatusWith<AsyncDBClient::Handle> {
return Status(ErrorCodes::HostUnreachable, swc.getStatus().reason());
diff --git a/src/mongo/executor/connection_pool_tl.h b/src/mongo/executor/connection_pool_tl.h
index a1338c98b86..a147071f54d 100644
--- a/src/mongo/executor/connection_pool_tl.h
+++ b/src/mongo/executor/connection_pool_tl.h
@@ -134,15 +134,16 @@ private:
class TLConnection final : public ConnectionPool::ConnectionInterface, public TLTypeFactory::Type {
public:
- TLConnection(const std::shared_ptr<TLTypeFactory>& factory,
- transport::ReactorHandle reactor,
- ServiceContext* serviceContext,
- HostAndPort peer,
- transport::ConnectSSLMode sslMode,
- size_t generation,
- NetworkConnectionHook* onConnectHook,
- bool skipAuth,
- std::shared_ptr<transport::SSLConnectionContext> sslContextOverride = nullptr)
+ TLConnection(
+ const std::shared_ptr<TLTypeFactory>& factory,
+ transport::ReactorHandle reactor,
+ ServiceContext* serviceContext,
+ HostAndPort peer,
+ transport::ConnectSSLMode sslMode,
+ size_t generation,
+ NetworkConnectionHook* onConnectHook,
+ bool skipAuth,
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext = nullptr)
: ConnectionInterface(generation),
TLTypeFactory::Type(factory),
_reactor(reactor),
@@ -152,7 +153,7 @@ public:
_peer(std::move(peer)),
_sslMode(sslMode),
_onConnectHook(onConnectHook),
- _sslContextOverride(sslContextOverride) {}
+ _transientSSLContext(transientSSLContext) {}
~TLConnection() {
// Release must be the first expression of this dtor
release();
@@ -190,7 +191,8 @@ private:
HostAndPort _peer;
transport::ConnectSSLMode _sslMode;
NetworkConnectionHook* const _onConnectHook;
- std::shared_ptr<transport::SSLConnectionContext> _sslContextOverride;
+ // SSL context to use intead of the default one for this pool.
+ std::shared_ptr<const transport::SSLConnectionContext> _transientSSLContext;
AsyncDBClient::Handle _client;
};
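Review bot: The comment on the new `_transientSSLContext` member misspells `intead`, and "for this pool" describes a per-connection member, so `// SSL context to use instead of the default one for this connection.` reads more accurately. In the constructor hunk above, `transientSSLContext` is taken by value but then copied into the member; since it is a `shared_ptr`, `_transientSSLContext(std::move(transientSSLContext)) {}` avoids an extra atomic refcount increment and matches how the other by-value parameters in this initializer list are moved.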
diff --git a/src/mongo/executor/network_interface_integration_fixture.cpp b/src/mongo/executor/network_interface_integration_fixture.cpp
index 77ea859440b..7577c7c2a1e 100644
--- a/src/mongo/executor/network_interface_integration_fixture.cpp
+++ b/src/mongo/executor/network_interface_integration_fixture.cpp
@@ -48,8 +48,7 @@ namespace mongo {
namespace executor {
void NetworkInterfaceIntegrationFixture::createNet(
- std::unique_ptr<NetworkConnectionHook> connectHook) {
- ConnectionPool::Options options;
+ std::unique_ptr<NetworkConnectionHook> connectHook, ConnectionPool::Options options) {
options.minConnections = 0u;
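Review bot: The `options` parameter added to `createNet` is partly overwritten on the very next line (`options.minConnections = 0u;`), so a caller that sets `minConnections` in the options it passes gets it silently discarded. Either honor the caller's value or document the override on the declaration in network_interface_integration_fixture.h, e.g. `// The fixture forces minConnections to 0; other option fields are used as supplied.` The function body continues outside the hunk, so any further overrides are not visible here.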
diff --git a/src/mongo/executor/network_interface_integration_fixture.h b/src/mongo/executor/network_interface_integration_fixture.h
index b52a5bb28d4..c98b7e70393 100644
--- a/src/mongo/executor/network_interface_integration_fixture.h
+++ b/src/mongo/executor/network_interface_integration_fixture.h
@@ -31,6 +31,7 @@
#include "mongo/unittest/unittest.h"
#include "mongo/client/connection_string.h"
+#include "mongo/executor/connection_pool.h"
#include "mongo/executor/network_connection_hook.h"
#include "mongo/executor/network_interface.h"
#include "mongo/executor/task_executor.h"
@@ -63,7 +64,8 @@ using StartCommandCB = std::function<void(const RemoteCommandResponse&)>;
class NetworkInterfaceIntegrationFixture : public mongo::unittest::Test {
public:
- void createNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr);
+ void createNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr,
+ ConnectionPool::Options options = {});
void startNet(std::unique_ptr<NetworkConnectionHook> connectHook = nullptr);
void tearDown() override;
diff --git a/src/mongo/executor/network_interface_tl.cpp b/src/mongo/executor/network_interface_tl.cpp
index ecc650fd17f..d74e3bf9ce6 100644
--- a/src/mongo/executor/network_interface_tl.cpp
+++ b/src/mongo/executor/network_interface_tl.cpp
@@ -124,11 +124,23 @@ NetworkInterfaceTL::NetworkInterfaceTL(std::string instanceName,
_tl = _ownedTransportLayer.get();
}
+ std::shared_ptr<const transport::SSLConnectionContext> transientSSLContext;
+ if (_connPoolOpts.transientSSLParams) {
+ // TODO: uncomment when changes for SERVER-51599 are submitted.
+ // auto statusOrContext = _tl->createTransientSSLContext(
+ // _connPoolOpts.transientSSLParams.get(), nullptr, true /* asyncOCSPStaple */);
+ // uassertStatusOK(statusOrContext.getStatus());
+ // transientSSLContext = std::make_shared<const transport::SSLConnectionContext>(
+ // std::move(statusOrContext.getValue()));
+ }
+
_reactor = _tl->getReactor(transport::TransportLayer::kNewReactor);
auto typeFactory = std::make_unique<connection_pool_tl::TLTypeFactory>(
_reactor, _tl, std::move(_onConnectHook), _connPoolOpts);
- _pool = std::make_shared<ConnectionPool>(
- std::move(typeFactory), std::string("NetworkInterfaceTL-") + _instanceName, _connPoolOpts);
+ _pool = std::make_shared<ConnectionPool>(std::move(typeFactory),
+ std::string("NetworkInterfaceTL-") + _instanceName,
+ _connPoolOpts,
+ transientSSLContext);
if (TestingProctor::instance().isEnabled()) {
_counters = std::make_unique<SynchronizedCounters>();
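Review bot: `if (_connPoolOpts.transientSSLParams)` is reached unconditionally, but `ConnectionPool::Options::transientSSLParams` is declared only under `#ifdef MONGO_CONFIG_SSL` in connection_pool.h, so a build without SSL would fail to compile here unless a guard exists outside the hunk, which the visible lines do not show. Wrapping the block, `#ifdef MONGO_CONFIG_SSL` before the `if` and `#endif` after its closing brace, keeps the two declarations consistent. The commented-out body means `transientSSLContext` is always null in this commit and the pool receives a null context, which matches the title; a comment stating that explicitly next to the declaration would make the temporary state obvious to readers who do not see SERVER-51599. The constructor body continues outside the hunk.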
diff --git a/src/mongo/executor/network_interface_tl.h b/src/mongo/executor/network_interface_tl.h
index 7dfb40fbba4..4dde6c8fdfd 100644
--- a/src/mongo/executor/network_interface_tl.h
+++ b/src/mongo/executor/network_interface_tl.h
@@ -342,7 +342,7 @@ private:
mutable Mutex _mutex =
MONGO_MAKE_LATCH(HierarchicalAcquisitionLevel(3), "NetworkInterfaceTL::_mutex");
- ConnectionPool::Options _connPoolOpts;
+ const ConnectionPool::Options _connPoolOpts;
std::unique_ptr<NetworkConnectionHook> _onConnectHook;
std::shared_ptr<ConnectionPool> _pool;
diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h
index e0d4a627426..a6864b37189 100644
--- a/src/mongo/transport/session_asio.h
+++ b/src/mongo/transport/session_asio.h
@@ -88,7 +88,7 @@ public:
GenericSocket socket,
bool isIngressSession,
Endpoint endpoint = Endpoint(),
- std::shared_ptr<SSLConnectionContext> overrideSSLContext = nullptr) try
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext = nullptr) try
: _socket(std::move(socket)),
_tl(tl),
_isIngressSession(isIngressSession) {
@@ -113,7 +113,7 @@ public:
_local = HostAndPort(_localAddr.toString(true));
_remote = HostAndPort(_remoteAddr.toString(true));
#ifdef MONGO_CONFIG_SSL
- _sslContext = overrideSSLContext ? overrideSSLContext : *tl->_sslContext;
+ _sslContext = transientSSLContext ? transientSSLContext : *tl->_sslContext;
#endif
} catch (const DBException&) {
throw;
@@ -818,7 +818,7 @@ private:
#ifdef MONGO_CONFIG_SSL
boost::optional<asio::ssl::stream<decltype(_socket)>> _sslSocket;
bool _ranHandshake = false;
- std::shared_ptr<SSLConnectionContext> _sslContext;
+ std::shared_ptr<const SSLConnectionContext> _sslContext;
#endif
TransportLayerASIO* const _tl;
diff --git a/src/mongo/transport/transport_layer.h b/src/mongo/transport/transport_layer.h
index 672f768f889..126b6ec7898 100644
--- a/src/mongo/transport/transport_layer.h
+++ b/src/mongo/transport/transport_layer.h
@@ -95,7 +95,7 @@ public:
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride) = 0;
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext) = 0;
/**
* Start the TransportLayer. After this point, the TransportLayer will begin accepting active
diff --git a/src/mongo/transport/transport_layer_asio.cpp b/src/mongo/transport/transport_layer_asio.cpp
index 453b2eb3fc3..0517f8d9af3 100644
--- a/src/mongo/transport/transport_layer_asio.cpp
+++ b/src/mongo/transport/transport_layer_asio.cpp
@@ -569,7 +569,7 @@ Future<SessionHandle> TransportLayerASIO::asyncConnect(
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride) {
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext) {
struct AsyncConnectState {
AsyncConnectState(HostAndPort peer,
@@ -662,13 +662,13 @@ Future<SessionHandle> TransportLayerASIO::asyncConnect(
#endif
return connector->socket.async_connect(*connector->resolvedEndpoint, UseFuture{});
})
- .then([this, connector, sslMode, sslContextOverride]() -> Future<void> {
+ .then([this, connector, sslMode, transientSSLContext]() -> Future<void> {
stdx::unique_lock<Latch> lk(connector->mutex);
connector->session = std::make_shared<ASIOSession>(this,
std::move(connector->socket),
false,
*connector->resolvedEndpoint,
- sslContextOverride);
+ transientSSLContext);
connector->session->ensureAsync();
#ifndef MONGO_CONFIG_SSL
diff --git a/src/mongo/transport/transport_layer_asio.h b/src/mongo/transport/transport_layer_asio.h
index 076485a34a3..d710ec1c89e 100644
--- a/src/mongo/transport/transport_layer_asio.h
+++ b/src/mongo/transport/transport_layer_asio.h
@@ -129,7 +129,7 @@ public:
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride = nullptr) final;
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext = nullptr) final;
Status setup() final;
@@ -207,7 +207,7 @@ private:
std::shared_ptr<ASIOReactor> _acceptorReactor;
#ifdef MONGO_CONFIG_SSL
- synchronized_value<std::shared_ptr<SSLConnectionContext>> _sslContext;
+ synchronized_value<std::shared_ptr<const SSLConnectionContext>> _sslContext;
#endif
std::vector<std::pair<SockAddr, GenericAcceptor>> _acceptors;
diff --git a/src/mongo/transport/transport_layer_manager.cpp b/src/mongo/transport/transport_layer_manager.cpp
index 641ac5e527f..b291671eb9a 100644
--- a/src/mongo/transport/transport_layer_manager.cpp
+++ b/src/mongo/transport/transport_layer_manager.cpp
@@ -72,8 +72,8 @@ Future<SessionHandle> TransportLayerManager::asyncConnect(
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride) {
- return _tls.front()->asyncConnect(peer, sslMode, reactor, timeout, sslContextOverride);
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext) {
+ return _tls.front()->asyncConnect(peer, sslMode, reactor, timeout, transientSSLContext);
}
ReactorHandle TransportLayerManager::getReactor(WhichReactor which) {
diff --git a/src/mongo/transport/transport_layer_manager.h b/src/mongo/transport/transport_layer_manager.h
index d6356621f52..a4fd33cd863 100644
--- a/src/mongo/transport/transport_layer_manager.h
+++ b/src/mongo/transport/transport_layer_manager.h
@@ -71,7 +71,7 @@ public:
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride = nullptr) override;
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext = nullptr) override;
Status start() override;
void shutdown() override;
diff --git a/src/mongo/transport/transport_layer_mock.cpp b/src/mongo/transport/transport_layer_mock.cpp
index c17bda62a4c..6fca645649d 100644
--- a/src/mongo/transport/transport_layer_mock.cpp
+++ b/src/mongo/transport/transport_layer_mock.cpp
@@ -72,7 +72,7 @@ Future<SessionHandle> TransportLayerMock::asyncConnect(
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride) {
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext) {
MONGO_UNREACHABLE;
}
diff --git a/src/mongo/transport/transport_layer_mock.h b/src/mongo/transport/transport_layer_mock.h
index bf48a5a6cc4..b1e778e1e8c 100644
--- a/src/mongo/transport/transport_layer_mock.h
+++ b/src/mongo/transport/transport_layer_mock.h
@@ -65,7 +65,7 @@ public:
ConnectSSLMode sslMode,
const ReactorHandle& reactor,
Milliseconds timeout,
- std::shared_ptr<SSLConnectionContext> sslContextOverride = nullptr) override;
+ std::shared_ptr<const SSLConnectionContext> transientSSLContext = nullptr) override;
Status setup() override;
Status start() override;
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index aa7aff1451d..755cfb030c3 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -37,6 +37,7 @@
#include "mongo/base/status.h"
#include "mongo/base/status_with.h"
+#include "mongo/client/connection_string.h"
#include "mongo/config.h"
#include "mongo/crypto/sha256_block.h"
#include "mongo/db/auth/role_name.h"
@@ -133,6 +134,15 @@ struct SSLParams {
extern SSLParams sslGlobalParams;
+
+// Additional SSL Params that could be used to augment a particular connection
+// or have limited lifetime. In all cases, the fields stored here are not appropriate
+// to be part of sslGlobalParams.
+struct TransientSSLParams {
+ ConnectionString targetedClusterConnectionString;
+ std::string sslClusterPEMPayload;
+};
+
/**
* Older versions of mongod/mongos accepted --sslDisabledProtocols values
* in the form 'noTLS1_0,noTLS1_1'. kAcceptNegativePrefix allows us to
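Review bot: `sslClusterPEMPayload` is a plain `std::string`, and because `ConnectionPool::Options` is held by value in both `NetworkInterfaceTL::_connPoolOpts` and `ConnectionPool::_options`, every copy of the options duplicates the PEM payload into ordinary heap memory. If the payload carries a private key, as the name suggests, consider the project's `SecureString` for the field, or document why a plain string is acceptable, and say on the field that it must not be logged: `// PEM-encoded certificate/key material; treat as a secret, never log or print.` The new `#include "mongo/client/connection_string.h"` also makes a util/net header depend on client code, which looks like a layering inversion worth confirming. The struct's `//` comment also differs from the `/** */` doc-comment style used elsewhere in this header.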