DOCSP-30527: tls guide (#96)

(cherry picked from commit dca5c09)

Author: rustagir

source/fundamentals/connections.txt

@@ -9,9 +9,9 @@ Connections
    /fundamentals/connections/connection-guide
    /fundamentals/connections/connection-options
    /fundamentals/connections/network-compression
+   /fundamentals/connections/tls
 
 ..
-   /fundamentals/connections/tls
    Connect to MongoDB Atlas from AWS Lambda <https://www.mongodb.com/docs/atlas/manage-connections-aws-lambda/>
 
 .. contents:: On this page
@@ -29,11 +29,11 @@ connection to a MongoDB deployment in the following sections:
 - :ref:`Connection Guide <rust-connect-to-mongodb>`
 - :ref:`Connection Options <rust-connection-options>`
 - :ref:`Enable Network Compression <rust-network-compression>`
+- :ref:`Enable and Configure TLS <rust-connect-tls>`
 
-.. - :ref:`Enable TLS on a Connection <rust-connect-tls>`
 .. - :atlas:`Connect to MongoDB Atlas from AWS Lambda </manage-connections-aws-lambda/>`
 
-.. To learn how to authenticate to MongoDB, see the following pages:
+To learn how to authenticate to MongoDB, see the following guides:
 
-.. - :ref:`rust-authentication-mechanisms`
-.. - :ref:`rust-enterprise-authentication-mechanisms`
+- :ref:`rust-authentication`
+- :ref:`rust-enterprise-auth`

source/fundamentals/connections/network-compression.txt

@@ -197,6 +197,9 @@ documentation:
 API Documentation
 ~~~~~~~~~~~~~~~~~
 
+To learn more about any of the methods or types mentioned in this
+guide, see the following API documentation:
+
 - `Client <{+api+}/struct.Client.html>`__
 - `with_uri_str() <{+api+}/struct.Client.html#method.with_uri_str>`__
 - `parse() <{+api+}/options/struct.ClientOptions.html#method.parse>`__

source/fundamentals/connections/tls.txt

@@ -0,0 +1,219 @@
+.. _rust-connect-tls:
+
+========================
+Enable and Configure TLS
+========================
+
+.. facet::
+   :name: genre
+   :values: reference
+
+.. meta::
+   :keywords: code example, security, connection options
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+Overview
+--------
+
+In this guide, you can learn how to use the **TLS protocol** to secure 
+your connection to a MongoDB deployment. TLS is a cryptographic protocol
+that secures communication between your application and MongoDB. To
+configure your connection to use TLS, enable the TLS option and provide
+your certificates for validation when creating a client.
+
+This guide includes the following sections:
+
+- :ref:`Enable TLS <rust-enable-tls>` describes ways to enable TLS on
+  your connection
+
+- :ref:`Configure Certificates <rust-configure-tls-certificates>`
+  describes the certificates required to configure TLS
+
+- :ref:`Reference Certificates in a Client <rust-client-tls-connect>`
+  provides an example of how to create a ``TlsOptions`` struct to configure your
+  TLS options
+
+- :ref:`Additional Information <rust-tls-addtl-info>`
+  provides links to resources and API documentation for types
+  and methods mentioned in this guide
+
+.. tip::
+   
+   To learn more about TLS, see the Wikipedia entry on
+   :wikipedia:`Transport Layer Security <w/index.php?title=Transport_Layer_Security&oldid=1184063676>`.
+
+.. _rust-enable-tls:
+
+Enable TLS
+----------
+
+You can enable TLS on a connection to your MongoDB instance
+in one of the following ways:
+
+- Setting the ``tls`` option to ``true`` in your connection string
+- Setting the ``tls`` field of a ``ClientOptions`` instance to
+  the ``Tls::Enabled`` variant with an empty ``TlsOptions`` struct and
+  instantiating a ``Client`` with those options
+
+Select from the following :guilabel:`Connection String` and
+:guilabel:`ClientOptions` tabs to see a corresponding code sample:
+
+.. tabs::
+
+   .. tab:: Connection String
+      :tabid: connection string tls true
+
+      .. code-block:: rust
+         :emphasize-lines: 1
+
+         let uri = "mongodb://<hostname>:<port>?tls=true"
+         let client = Client::with_uri_str(uri).await?;
+
+   .. tab:: ClientOptions
+      :tabid: clientoptions tls true
+      
+      .. code-block:: rust
+         :emphasize-lines: 4-5
+         
+         let uri = "<connection string>"
+         let mut client_options = ClientOptions::parse(uri).await?;
+
+         let tls_opts = TlsOptions::builder().build();
+         client_options.tls = Some(Tls::Enabled(tls_opts));
+         
+         let client = Client::with_options(client_options)?;
+
+.. note::
+   
+   If your connection string uses a DNS SRV record by including
+   the ``mongodb+srv`` prefix, TLS is enabled on your connection by
+   default.
+
+For a full list of client options, see the
+:ref:`rust-connection-options` guide.
+
+.. _rust-configure-tls-certificates:
+
+Configure Certificates
+----------------------
+
+To successfully initiate a TLS request, your application must present 
+cryptographic certificates to prove its identity. Your application's
+certificates must be stored as Privacy Enhanced Mail (PEM) files to
+enable TLS when connecting to a MongoDB deployment. The PEM file format
+is a container format for cryptographic certificates.
+
+.. important::
+
+   For production use, we recommend that your MongoDB deployment use valid
+   certificates generated and signed by the same certificate authority.
+   For testing, your deployment can use self-signed certificates.
+
+The following list describes the components that your client must
+present to establish a TLS-enabled connection:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 30 70
+
+   * - TLS Component
+     - Description
+
+   * - Certificate Authority (CA)
+     - One or more certificate authorities to
+       trust when making a TLS connection
+
+   * - Client Certificate
+     - A digital certificate that allows the server to verify the identity
+       of your application to establish an encrypted network connection
+
+   * - Certificate Key
+     - The client certificate private key file, often
+       included within the certificate file itself
+
+   * - Passphrase
+     - The password to decrypt the private client key if it is encrypted
+
+.. _rust-client-tls-connect:
+
+Reference Certificates in a Client
+----------------------------------
+
+You must reference your certificates in your ``TlsOptions``
+struct so that the server can validate them before the client connects.
+
+You must first convert your certificate filepaths to
+``PathBuf`` types, so you must import this type from the ``std::path``
+module. Then, call the ``TlsOptions`` struct's builder functions
+to set the ``ca_file_path`` and ``cert_key_file_path`` fields to the
+certificate filepaths.
+
+Within your ``TlsOptions`` instance, you can set optional
+fields to configure TLS on your connection. For **testing purposes**,
+you can set the ``allow_invalid_certificates`` and
+``allow_invalid_hostnames`` fields.
+
+Setting the ``allow_invalid_certificates`` option to ``true`` disables
+hostname verification, and setting the
+``allow_invalid_hostnames`` to ``true`` disables certificate
+validation.
+
+.. warning::
+
+   Specifying either of these options in a production environment makes
+   your application insecure and potentially vulnerable to expired
+   certificates and to foreign processes posing as valid client
+   instances.
+
+.. _rust-tls-full-example:
+
+Example
+~~~~~~~
+
+This example performs the following actions to create a ``TlsOptions``
+instance and a ``Client`` instance that is configured for TLS:
+
+1. Creates variables to reference the certificate filepaths in
+   ``PathBuf`` instances.
+
+#. Instantiates a ``TlsOptions`` struct and sets the ``ca_file_path`` and
+   ``cert_key_file_path`` fields to the relevant filepaths.
+
+#. Passes the ``TlsOptions`` instance to the ``Enabled`` variant of the
+   ``Tls`` enum.
+
+#. Sets the ``tls`` field of the ``ClientOptions`` struct to the
+   ``Tls::Enabled`` variant containing the ``TlsOptions`` instance.
+
+#. Creates a ``Client`` instance with these options.
+
+.. literalinclude:: /includes/fundamentals/code-snippets/tls.rs
+   :language: rust
+
+.. _rust-tls-addtl-info:
+
+Additional Information
+----------------------
+
+To learn more about enabling TLS on a connection, see the
+following Server manual documentation:
+
+- :manual:`TLS/SSL (Transport Encryption) </core/security-transport-encryption/>`
+- :manual:`TLS/SSL Configuration for Clients </tutorial/configure-ssl-clients/>`
+
+API Documentation
+~~~~~~~~~~~~~~~~~
+
+To learn more about any of the methods or types mentioned in this
+guide, see the following API documentation:
+
+- `ClientOptions <{+api+}/options/struct.ClientOptions.html>`__
+- `Client <{+api+}/struct.Client.html>`__
+- `Tls <{+api+}/options/enum.Tls.html>`__
+- `TlsOptions <{+api+}/options/struct.TlsOptions.html>`__
+- `PathBuf <https://doc.rust-lang.org/nightly/std/path/struct.PathBuf.html>`__

source/includes/fundamentals/code-snippets/tls.rs

@@ -0,0 +1,22 @@
+use std::path::PathBuf;
+use mongodb::{ options::{ ClientOptions, TlsOptions, Tls }, Client };
+
+#[tokio::main]
+async fn main() -> mongodb::error::Result<()> {
+    let uri = "<connection string>";
+
+    let mut client_options = ClientOptions::parse(uri).await?;
+
+    let ca_file = PathBuf::from(r"<path to CA certificate>");
+    let key_file = PathBuf::from(r"<path to client certificate>");
+
+    let tls_opts = TlsOptions::builder()
+        .ca_file_path(ca_file)
+        .cert_key_file_path(key_file)
+        .build();
+
+    client_options.tls = Some(Tls::Enabled(tls_opts));
+    let _client = Client::with_options(client_options)?;
+
+    Ok(())
+}