wip

Author: comandeo-mongo

lib/mongo/crypt/auto_encrypter.rb

@@ -245,16 +245,6 @@ def set_default_options(options)
         extra_options = opts.delete(:extra_options) || Options::Redacted.new
         extra_options = DEFAULT_EXTRA_OPTIONS.merge(extra_options)
 
-        # When no explicit crypt_shared_lib_path is provided and the caller has
-        # not opted out of crypt_shared entirely, fall back to the environment
-        # variable. This ensures every Handle in the same process uses the same
-        # explicit-path load mechanism, preventing the "An existing crypt_shared
-        # library is loaded" conflict on macOS when multiple Handle instances are
-        # created after a prior path-override load.
-        if extra_options[:crypt_shared_lib_path].nil? && !extra_options[:disable_crypt_shared_lib_search]
-          env_path = ENV['MONGO_RUBY_DRIVER_CRYPT_SHARED_LIB_PATH']
-          extra_options[:crypt_shared_lib_path] = env_path if env_path
-        end
 
         has_timeout_string_arg = extra_options[:mongocryptd_spawn_args].any? do |elem|
           elem.is_a?(String) && elem.match(/\A--idleShutdownTimeoutSecs=\d+\z/)

spec/integration/client_side_encryption/auto_encryption_mongocryptd_spawn_spec.rb

@@ -21,7 +21,11 @@
             schema_map: { 'auto_encryption.users' => schema_map },
             extra_options: {
               mongocryptd_spawn_path: 'echo hello world',
-              mongocryptd_spawn_args: []
+              mongocryptd_spawn_args: [],
+              # Suppress $SYSTEM crypt_shared search to avoid "existing library"
+              # conflicts on macOS when another spec in the same process has
+              # already loaded crypt_shared via an explicit path override.
+              disable_crypt_shared_lib_search: true,
             }
           },
           database: 'auto_encryption'

spec/integration/client_side_encryption/bypass_mongocryptd_spawn_spec.rb

@@ -31,6 +31,7 @@
                 mongocryptd_bypass_spawn: true,
                 mongocryptd_uri: "mongodb://localhost:#{mongocryptd_port}/db?serverSelectionTimeoutMS=1000",
                 mongocryptd_spawn_args: [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=#{mongocryptd_port}"],
+                disable_crypt_shared_lib_search: true,
               },
             },
             database: 'db'
@@ -56,6 +57,7 @@
               bypass_auto_encryption: true,
               extra_options: {
                 mongocryptd_spawn_args: [ "--pidfilepath=bypass-spawning-mongocryptd.pid", "--port=#{mongocryptd_port}"],
+                disable_crypt_shared_lib_search: true,
               },
             },
             database: 'db'

spec/integration/client_side_encryption/data_key_spec.rb

@@ -171,7 +171,10 @@
 
         expect do
           client_encrypted['coll'].insert_one(encrypted_placeholder: encrypted)
-        end.to raise_error(Mongo::Error::OperationFailure, /Cannot encrypt element of type(: encrypted binary data| binData)/)
+        # With mongocryptd the error comes back as OperationFailure from the
+        # markForEncryption command response; with crypt_shared it is raised
+        # directly by libmongocrypt as a CryptError. Both are Mongo::Error subclasses.
+        end.to raise_error(Mongo::Error, /Cannot encrypt element of type(: encrypted binary data| binData)/)
       end
     end
 

spec/mongo/client_construction_spec.rb

@@ -317,11 +317,20 @@
 
             context 'with default extra options' do
               let(:auto_encryption_options) do
-                {
+                opts = {
                   key_vault_namespace: key_vault_namespace,
                   kms_providers: kms_providers,
                   schema_map: schema_map,
                 }
+                # When the env var is set, pass the explicit crypt_shared path so
+                # that Handle in this process uses the same load mechanism as any
+                # prior Handle, avoiding the "existing library" conflict on macOS.
+                # The test assertions only check mongocryptd default values, so this
+                # does not affect what is being verified.
+                if (path = SpecConfig.instance.crypt_shared_lib_path)
+                  opts[:extra_options] = { crypt_shared_lib_path: path }
+                end
+                opts
               end
 
               it 'sets key_vault_client with no encryption options' do