chore: remove secure context preference

Author: durran

src/client-side-encryption/state_machine.ts

@@ -103,8 +103,6 @@ declare module 'mongodb-client-encryption' {
  * - tlsInsecure
  *
  * These options are not included in the type, and are ignored if provided.
- *
- * Note that if a secureContext option is provided, all other TLS options will be ignored.
  */
 export type ClientEncryptionTlsOptions = Pick<
  MongoClientOptions,
@@ -523,20 +521,19 @@ export class StateMachine {
  tlsOptions: ClientEncryptionTlsOptions,
  options: tls.ConnectionOptions
  ): Promise<void> {
- // If a secureContext is provided, it takes precedence over the other options.
+ // If a secureContext is provided, ensure it is set.
  if (tlsOptions.secureContext) {
  options.secureContext = tlsOptions.secureContext;
- } else {
- if (tlsOptions.tlsCertificateKeyFile) {
- const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);
- options.cert = options.key = cert;
- }
- if (tlsOptions.tlsCAFile) {
- options.ca = await fs.readFile(tlsOptions.tlsCAFile);
- }
- if (tlsOptions.tlsCertificateKeyFilePassword) {
- options.passphrase = tlsOptions.tlsCertificateKeyFilePassword;
- }
+ }
+ if (tlsOptions.tlsCertificateKeyFile) {
+ const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);
+ options.cert = options.key = cert;
+ }
+ if (tlsOptions.tlsCAFile) {
+ options.ca = await fs.readFile(tlsOptions.tlsCAFile);
+ }
+ if (tlsOptions.tlsCertificateKeyFilePassword) {
+ options.passphrase = tlsOptions.tlsCertificateKeyFilePassword;
  }
  }
 

test/integration/client-side-encryption/driver.test.ts

@@ -1326,7 +1326,7 @@ describe('CSOT', function () {
  });
  });
 
- context('when driver specific TLS options are provided', function () {
+ context('when driver specific TLS options are provided with a secure context', function () {
  let client;
  let clientEncryption;
  // Note we set tlsCAFile and tlsCertificateKeyFile to 'nofilename' to also
@@ -1337,9 +1337,8 @@ describe('CSOT', function () {
  tlsOptions: {
  aws: {
  secureContext: tls.createSecureContext(secureContextOptions),
- tlsCAFile: 'nofilename',
- tlsCertificateKeyFile: 'nofilename',
- tlsCertificateKeyFilePassword: 'invalid'
+ tlsCAFile: process.env.CSFLE_TLS_CA_FILE,
+ tlsCertificateKeyFile: process.env.CSFLE_TLS_CLIENT_CERT_FILE
  }
  },
  extraOptions: getEncryptExtraOptions()
@@ -1356,28 +1355,24 @@ describe('CSOT', function () {
  await client.close();
  });
 
- it(
- 'successfully connects with TLS without attempting to parse the driver specific options',
- metadata,
- async function () {
- // Use client encryption to create a data key. If this succeeds, then TLS worked.
- const awsDatakeyId = await clientEncryption.createDataKey('aws', {
- masterKey,
- keyAltNames: ['aws_altname']
- });
- expect(awsDatakeyId).to.have.property('sub_type', 4);
- // Use the client to get the data key. If this succeeds, then the TLS connection
- // for auto encryption worked.
- const results = await client
- .db(keyVaultDbName)
- .collection(keyVaultCollName)
- .find({ _id: awsDatakeyId })
- .toArray();
- expect(results)
- .to.have.a.lengthOf(1)
- .and.to.have.nested.property('0.masterKey.provider', 'aws');
- }
- );
+ it('successfully connects with TLS', metadata, async function () {
+ // Use client encryption to create a data key. If this succeeds, then TLS worked.
+ const awsDatakeyId = await clientEncryption.createDataKey('aws', {
+ masterKey,
+ keyAltNames: ['aws_altname']
+ });
+ expect(awsDatakeyId).to.have.property('sub_type', 4);
+ // Use the client to get the data key. If this succeeds, then the TLS connection
+ // for auto encryption worked.
+ const results = await client
+ .db(keyVaultDbName)
+ .collection(keyVaultCollName)
+ .find({ _id: awsDatakeyId })
+ .toArray();
+ expect(results)
+ .to.have.a.lengthOf(1)
+ .and.to.have.nested.property('0.masterKey.provider', 'aws');
+ });
  });
  });
  });