GODRIVER-3289 Add option to configure DEK cache lifetime.

internal/integration/json_helpers_test.go

@@ -162,6 +162,8 @@ func createAutoEncryptionOptions(t testing.TB, opts bson.Raw) *options.AutoEncry
 			aeo.SetEncryptedFieldsMap(encryptedFieldsMap)
 		case "bypassQueryAnalysis":
 			aeo.SetBypassQueryAnalysis(opt.Boolean())
+		case "keyExpirationMS":
+			aeo.SetKeyExpiration(time.Duration(opt.Int32()) * time.Millisecond)
 		default:
 			t.Fatalf("unrecognized auto encryption option: %v", name)
 		}

internal/integration/unified/client_encryption_operation_execution.go

@@ -391,3 +391,26 @@ func executeRewrapManyDataKey(ctx context.Context, operation *operation) (*opera
 	}
 	return rewrapManyDataKeyResultsOpResult(result)
 }
+
+// executeDecrypt will decrypt the given value.
+func executeDecrypt(ctx context.Context, operation *operation) (*operationResult, error) {
+	cee, err := entities(ctx).clientEncryption(operation.Object)
+	if err != nil {
+		return nil, err
+	}
+
+	rawValue, err := operation.Arguments.LookupErr("value")
+	if err != nil {
+		return nil, err
+	}
+	t, d, ok := rawValue.BinaryOK()
+	if !ok {
+		return nil, fmt.Errorf("'value' argument is not a BSON binary")
+	}
+
+	rawValue, err = cee.Decrypt(ctx, bson.Binary{Subtype: t, Data: d})
+	if err != nil {
+		return newErrorResult(err), nil
+	}
+	return newValueResult(rawValue.Type, rawValue.Value, err), nil
+}

internal/integration/unified/entity.go

@@ -179,6 +179,7 @@ type clientEncryptionOpts struct {
 	KeyVaultClient    string              `bson:"keyVaultClient"`
 	KeyVaultNamespace string              `bson:"keyVaultNamespace"`
 	KmsProviders      map[string]bson.Raw `bson:"kmsProviders"`
+	KeyExpirationMS   *int64              `bson:"keyExpirationMS"`
 }
 
 // EntityMap is used to store entities during tests. This type enforces uniqueness so no two entities can have the same
@@ -735,12 +736,15 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err
 		return newEntityNotFoundError("client", ceo.KeyVaultClient)
 	}
 
-	ce, err := mongo.NewClientEncryption(
-		keyVaultClient.Client,
-		options.ClientEncryption().
-			SetKeyVaultNamespace(ceo.KeyVaultNamespace).
-			SetTLSConfig(tlsconf).
-			SetKmsProviders(kmsProviders))
+	opts := options.ClientEncryption().
+		SetKeyVaultNamespace(ceo.KeyVaultNamespace).
+		SetTLSConfig(tlsconf).
+		SetKmsProviders(kmsProviders)
+	if ceo.KeyExpirationMS != nil {
+		opts.SetKeyExpiration(time.Duration(*ceo.KeyExpirationMS) * time.Millisecond)
+	}
+
+	ce, err := mongo.NewClientEncryption(keyVaultClient.Client, opts)
 	if err != nil {
 		return err
 	}

internal/integration/unified/operation.go

@@ -270,6 +270,8 @@ func (op *operation) run(ctx context.Context, loopDone <-chan struct{}) (*operat
 		return executeDeleteKey(ctx, op)
 	case "addKeyAltName":
 		return executeAddKeyAltName(ctx, op)
+	case "decrypt":
+		return executeDecrypt(ctx, op)
 
 	// Unsupported operations
 	case "count", "listIndexNames":

internal/integration/unified/schema_version.go

@@ -16,7 +16,7 @@ import (
 
 var (
 	supportedSchemaVersions = map[int]string{
-		1: "1.21",
+		1: "1.22",
 	}
 )
 

mongo/client.go

@@ -609,7 +609,8 @@ func (c *Client) newMongoCrypt(opts *options.AutoEncryptionOptions) (*mongocrypt
 		SetEncryptedFieldsMap(cryptEncryptedFieldsMap).
 		SetCryptSharedLibDisabled(cryptSharedLibDisabled || bypassAutoEncryption).
 		SetCryptSharedLibOverridePath(cryptSharedLibPath).
-		SetHTTPClient(opts.HTTPClient))
+		SetHTTPClient(opts.HTTPClient).
+		SetKeyExpiration(opts.KeyExpiration))
 	if err != nil {
 		return nil, err
 	}

mongo/client_encryption.go

@@ -59,7 +59,8 @@ func NewClientEncryption(keyVaultClient *Client, opts ...options.Lister[options.
 		// ClientEncryption because it's only needed for AutoEncryption and we don't expect users to
 		// have the crypt_shared library installed if they're using ClientEncryption.
 		SetCryptSharedLibDisabled(true).
-		SetHTTPClient(cea.HTTPClient))
+		SetHTTPClient(cea.HTTPClient).
+		SetKeyExpiration(cea.KeyExpiration))
 	if err != nil {
 		return nil, err
 	}

mongo/options/autoencryptionoptions.go

@@ -9,6 +9,7 @@ package options
 import (
 	"crypto/tls"
 	"net/http"
+	"time"
 
 	"go.mongodb.org/mongo-driver/v2/internal/httputil"
 )
@@ -40,6 +41,7 @@ type AutoEncryptionOptions struct {
 	HTTPClient            *http.Client
 	EncryptedFieldsMap    map[string]interface{}
 	BypassQueryAnalysis   *bool
+	KeyExpiration         *time.Duration
 }
 
 // AutoEncryption creates a new AutoEncryptionOptions configured with default values.
@@ -164,3 +166,11 @@ func (a *AutoEncryptionOptions) SetBypassQueryAnalysis(bypass bool) *AutoEncrypt
 
 	return a
 }
+
+// SetKeyExpiration specifies duration for the key expiration. 0 or negative value means "never expire".
+// The granularity is in milliseconds. Any sub-millisecond fraction will be rounded up.
+func (a *AutoEncryptionOptions) SetKeyExpiration(expiration time.Duration) *AutoEncryptionOptions {
+	a.KeyExpiration = &expiration
+
+	return a
+}

mongo/options/clientencryptionoptions.go

@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"time"
 
 	"go.mongodb.org/mongo-driver/v2/internal/httputil"
 )
@@ -22,6 +23,7 @@ type ClientEncryptionOptions struct {
 	KmsProviders      map[string]map[string]interface{}
 	TLSConfig         map[string]*tls.Config
 	HTTPClient        *http.Client
+	KeyExpiration     *time.Duration
 }
 
 // ClientEncryptionOptionsBuilder contains options to configure client
@@ -80,6 +82,18 @@ func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config
 	return c
 }
 
+// SetKeyExpiration specifies duration for the key expiration. 0 or negative value means "never expire".
+// The granularity is in milliseconds. Any sub-millisecond fraction will be rounded up.
+func (c *ClientEncryptionOptionsBuilder) SetKeyExpiration(expiration time.Duration) *ClientEncryptionOptionsBuilder {
+	c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
+		opts.KeyExpiration = &expiration
+
+		return nil
+	})
+
+	return c
+}
+
 // BuildTLSConfig specifies tls.Config options for each KMS provider to use to configure TLS on all connections created
 // to the KMS provider. The input map should contain a mapping from each KMS provider to a document containing the necessary
 // options, as follows: