Skip to content

feat(NODE-3777): set tls options per kms provider #235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
durran merged 12 commits into from
Jan 20, 2022
Merged

feat(NODE-3777): set tls options per kms provider #235

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
8df13f3
feat(NODE-3777): tls options map to kms provider
durran Jan 17, 2022
91b090e
feat(NODE-3777): set tls options per kms provider
durran Jan 17, 2022
4b7edaa
feat(NODE-3777): set both cert and key in tls opts
durran Jan 18, 2022
1616f7a
fix(NODE-3777): auto encrypter missing tls opts
durran Jan 18, 2022
4155f32
feat(NODE-3777): validate tls insecure options
durran Jan 18, 2022
6641530
fix(NODE-3777): fix linter error
durran Jan 18, 2022
52fe6e9
test(NODE-3777): add insecure tls tests
durran Jan 18, 2022
65af834
feat(NODE-3777): improve tls validation message
durran Jan 18, 2022
0913828
test(NODE-3777): test secure tls options
durran Jan 18, 2022
51fb6d6
fix(NODE-3777): change tls options to buffers
durran Jan 18, 2022
047b19f
feat(NODE-3777): optimise tls options ts
durran Jan 19, 2022
396545d
feat(NODE-3777): add api docs for tls options
durran Jan 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion bindings/node/index.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,13 @@ export interface ClientEncryptionOptions {
/**
* TLS options for kms providers to use.
*/
tlsOptions?: ClientEncryptionTLSOptions;
tlsOptions?: {
Copy link
Member Author

@durran durran Jan 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLS options to KMS providers are configured on a per KMS provider basis for future flexibility.

aws?: ClientEncryptionTLSOptions;
local?: ClientEncryptionTLSOptions;
azure?: ClientEncryptionTLSOptions;
gcp?: ClientEncryptionTLSOptions;
kmip?: ClientEncryptionTLSOptions;
}
}

/**
Expand Down
19 changes: 16 additions & 3 deletions bindings/node/lib/clientEncryption.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ module.exports = function(modules) {
this._client = client;
this._bson = options.bson || client.topology.bson;
this._proxyOptions = options.proxyOptions;
this._tlsOptions = options.tlsOptions;

if (options.keyVaultNamespace == null) {
throw new TypeError('Missing required option `keyVaultNamespace`');
Expand Down Expand Up @@ -199,7 +200,11 @@ module.exports = function(modules) {

const dataKeyBson = bson.serialize(dataKey);
const context = this._mongoCrypt.makeDataKeyContext(dataKeyBson, { keyAltNames });
const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions });
const stateMachine = new StateMachine({
bson,
proxyOptions: this._proxyOptions,
tlsOptions: this._tlsOptions
});

return promiseOrCallback(callback, cb => {
stateMachine.execute(this, context, (err, dataKey) => {
Expand Down Expand Up @@ -291,7 +296,11 @@ module.exports = function(modules) {
contextOptions.keyAltName = bson.serialize({ keyAltName });
}

const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions });
const stateMachine = new StateMachine({
bson,
proxyOptions: this._proxyOptions,
tlsOptions: this._tlsOptions
});
const context = this._mongoCrypt.makeExplicitEncryptionContext(valueBuffer, contextOptions);

return promiseOrCallback(callback, cb => {
Expand Down Expand Up @@ -336,7 +345,11 @@ module.exports = function(modules) {
const valueBuffer = bson.serialize({ v: value });
const context = this._mongoCrypt.makeExplicitDecryptionContext(valueBuffer);

const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions });
const stateMachine = new StateMachine({
bson,
proxyOptions: this._proxyOptions,
tlsOptions: this._tlsOptions
});

return promiseOrCallback(callback, cb => {
stateMachine.execute(this, context, (err, result) => {
Expand Down
24 changes: 24 additions & 0 deletions bindings/node/lib/stateMachine.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
module.exports = function(modules) {
const tls = require('tls');
const net = require('net');
const { readFile } = require('fs/promises');
const { once } = require('events');
const { SocksClient } = require('socks');

Expand Down Expand Up @@ -283,6 +284,7 @@ module.exports = function(modules) {
}
}

await this.setTlsOptions(request.kmsProvider, options);
socket = tls.connect(options, () => {
socket.write(message);
});
Expand All @@ -305,6 +307,28 @@ module.exports = function(modules) {
});
}

/**
* @ignore
* Sets the Node TLS options if provided for the specific KMS provider.
*/
async setTlsOptions(kmsProvider, options) {
const tlsOptions = this.options.tlsOptions;
if (tlsOptions) {
const providerTlsOptions = tlsOptions[kmsProvider];
if (providerTlsOptions) {
if (providerTlsOptions.tlsCertificateKeyFile) {
options.cert = await readFile(providerTlsOptions.tlsCertificateKeyFile, { encoding: 'ascii' });
}
if (providerTlsOptions.tlsCAFile) {
options.ca = await readFile(providerTlsOptions.tlsCAFile, { encoding: 'ascii' });
}
if (providerTlsOptions.tlsCertificateKeyFilePassword) {
options.passphrase = providerTlsOptions.tlsCertificateKeyFilePassword;
}
}
}
}

/**
* @ignore
* Fetches collection info for a provided namespace, when libmongocrypt
Expand Down