From dcba53c12a87055b5ce9031dd6cbaa076e4f094a Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Fri, 9 Apr 2021 16:06:12 -0400
Subject: [PATCH 1/4] fix(NODE-3166): allowInvalidHostnames and allowInvalidCertificates flags are ignored
---
 src/connection_string.ts | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/connection_string.ts b/src/connection_string.ts
index 519d337830..3d367b4611 100644
--- a/src/connection_string.ts
+++ b/src/connection_string.ts
@@ -938,10 +938,18 @@ export const OPTIONS = {
 type: 'boolean'
 },
 tlsAllowInvalidCertificates: {
- type: 'boolean'
+ target: 'rejectUnauthorized',
+ transform({ name, values: [value] }) {
+ // allowInvalidCertificates is the inverse of rejectUnauthorized
+ return !getBoolean(name, value);
+ }
 },
 tlsAllowInvalidHostnames: {
- type: 'boolean'
+ target: 'checkServerIdentity',
+ transform({ name, values: [value] }) {
+ // tlsAllowInvalidHostnames means setting the checkServerIdentity function to a noop
+ return getBoolean(name, value) ? () => undefined : undefined;
+ }
 },
 tlsCAFile: {
 target: 'ca',
@@ -969,10 +977,12 @@ export const OPTIONS = {
 transform({ name, options, values: [value] }) {
 const tlsInsecure = getBoolean(name, value);
 if (tlsInsecure) {
- options.checkServerIdentity = undefined;
+ options.checkServerIdentity = () => undefined;
 options.rejectUnauthorized = false;
 } else {
- options.checkServerIdentity = options.tlsAllowInvalidHostnames ? undefined : (true as any);
+ options.checkServerIdentity = options.tlsAllowInvalidHostnames
+ ? () => undefined
+ : undefined;
 options.rejectUnauthorized = options.tlsAllowInvalidCertificates ? false : true;
 }
 return tlsInsecure;
From 2075d4d317c962254cfa4bf26272908752b52611 Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Mon, 19 Apr 2021 16:31:42 -0400
Subject: [PATCH 2/4] test: Add unit testing for option transformation
---
 test/unit/mongo_client_options.test.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
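Review bot: The comments on the new `tlsAllowInvalidCertificates` and `tlsAllowInvalidHostnames` transforms only restate the key mapping and never say that a true value switches off certificate-chain validation or hostname verification for the connection. Because this fix makes flags that the subject line says were ignored start taking effect, the consequence belongs at the definition, e.g. `// SECURITY: true sets rejectUnauthorized=false; the server certificate chain is not validated` and `// SECURITY: true installs a no-op checkServerIdentity; the certificate is not matched against the hostname`. The same no-op `() => undefined` is written twice more in the `tlsInsecure` transform of the `@@ -969,10` hunk, so one named constant shared by all three sites would keep them identical and easy to grep for. The `OPTIONS` object starts and ends outside the hunk.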
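Review bot: The `else` branch still reads `options.tlsAllowInvalidHostnames` and `options.tlsAllowInvalidCertificates`, but after the `@@ -938,10` hunk those options declare `target: 'checkServerIdentity'` and `target: 'rejectUnauthorized'`, so their values may no longer be stored under their own names (the code that applies `target` is not in this diff, so this is inferred). In that case an explicit `tlsInsecure: false` always writes `rejectUnauthorized = true` and `checkServerIdentity = undefined`, and whether an accompanying `tlsAllowInvalidCertificates: true` survives depends on which transform runs last. To make the effective verification state independent of option order, the branch could stop overwriting what the individual flags already set, e.g. `options.rejectUnauthorized = options.rejectUnauthorized ?? true;` with no assignment to `checkServerIdentity`, or the parser could reject the combination; either way a unit test that passes `tlsInsecure: false` together with each `tlsAllowInvalid*` flag should pin the outcome. The enclosing option entry begins before the hunk and closes after it.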
diff --git a/test/unit/mongo_client_options.test.js b/test/unit/mongo_client_options.test.js
index 4be3b2f168..06157366e5 100644
--- a/test/unit/mongo_client_options.test.js
+++ b/test/unit/mongo_client_options.test.js
@@ -296,4 +296,23 @@ describe('MongoOptions', function () {
 expect(options.credentials.username).to.equal('USERNAME');
 expect(options.credentials.password).to.equal('PASSWORD');
 });
+
+ it('transforms tlsAllowInvalidCertificates and tlsAllowInvalidHostnames correctly', function () {
+ const options = parseOptions('mongodb://localhost/', {
+ tlsAllowInvalidCertificates: true,
+ tlsAllowInvalidHostnames: true
+ });
+ expect(options.rejectUnauthorized).to.equal(false);
+ expect(options.checkServerIdentity).to.be.a('function');
+ expect(options.checkServerIdentity()).to.equal(undefined);
+ });
+
+ it('transforms tlsInsecure correctly', function () {
+ const options = parseOptions('mongodb://localhost/', {
+ tlsInsecure: true
+ });
+ expect(options.rejectUnauthorized).to.equal(false);
+ expect(options.checkServerIdentity).to.be.a('function');
+ expect(options.checkServerIdentity()).to.equal(undefined);
+ });
 });
From d04c0190eae676c1252df1bebef4e86fdbcdbd28 Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Tue, 20 Apr 2021 13:29:30 -0400
Subject: [PATCH 3/4] test: add all configurations to testing
---
 test/unit/mongo_client_options.test.js | 37 ++++++++++++++++++++------
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/test/unit/mongo_client_options.test.js b/test/unit/mongo_client_options.test.js
index 06157366e5..59af4ebf4f 100644
--- a/test/unit/mongo_client_options.test.js
+++ b/test/unit/mongo_client_options.test.js
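Review bot: Both new tests pass the flags only as an options object holding real booleans, so the connection-string path, where the value arrives as text and is converted by `getBoolean(name, value)` inside the transforms, is not exercised. That path is where a textual `false` could be mis-read and verification silently turned off, so it is worth pinning with a URI case, e.g. `parseOptions('mongodb://localhost/?tlsAllowInvalidCertificates=false')` followed by `expect(options.rejectUnauthorized).to.equal(true);`. A matching `=true` case for each flag would cover the other direction.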
@@ -298,21 +298,42 @@ describe('MongoOptions', function () {
 });

 it('transforms tlsAllowInvalidCertificates and tlsAllowInvalidHostnames correctly', function () {
- const options = parseOptions('mongodb://localhost/', {
+ const optionsTrue = parseOptions('mongodb://localhost/', {
 tlsAllowInvalidCertificates: true,
 tlsAllowInvalidHostnames: true
 });
- expect(options.rejectUnauthorized).to.equal(false);
- expect(options.checkServerIdentity).to.be.a('function');
- expect(options.checkServerIdentity()).to.equal(undefined);
+ expect(optionsTrue.rejectUnauthorized).to.equal(false);
+ expect(optionsTrue.checkServerIdentity).to.be.a('function');
+ expect(optionsTrue.checkServerIdentity()).to.equal(undefined);
+
+ const optionsFalse = parseOptions('mongodb://localhost/', {
+ tlsAllowInvalidCertificates: false,
+ tlsAllowInvalidHostnames: false
+ });
+ expect(optionsFalse.rejectUnauthorized).to.equal(true);
+ expect(optionsFalse.checkServerIdentity).not.exist;
+
+ const optionsUndefined = parseOptions('mongodb://localhost/');
+ expect(optionsUndefined.rejectUnauthorized).not.exist;
+ expect(optionsUndefined.checkServerIdentity).not.exist;
 });

 it('transforms tlsInsecure correctly', function () {
- const options = parseOptions('mongodb://localhost/', {
+ const optionsTrue = parseOptions('mongodb://localhost/', {
 tlsInsecure: true
 });
- expect(options.rejectUnauthorized).to.equal(false);
- expect(options.checkServerIdentity).to.be.a('function');
- expect(options.checkServerIdentity()).to.equal(undefined);
+ expect(optionsTrue.rejectUnauthorized).to.equal(false);
+ expect(optionsTrue.checkServerIdentity).to.be.a('function');
+ expect(optionsTrue.checkServerIdentity()).to.equal(undefined);
+
+ const optionsFalse = parseOptions('mongodb://localhost/', {
+ tlsInsecure: false
+ });
+ expect(optionsFalse.rejectUnauthorized).to.equal(true);
+ expect(optionsFalse.checkServerIdentity).to.not.exist;
+
+ const optionsUndefined = parseOptions('mongodb://localhost/');
+ expect(optionsUndefined.rejectUnauthorized).to.not.exist;
+ expect(optionsUndefined.checkServerIdentity).to.not.exist;
 });
 });
From d62b14a970234b659895d4e798ba69670f510319 Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Tue, 20 Apr 2021 17:30:05 -0400
Subject: [PATCH 4/4] fix: more explicit exist checks
---
 test/unit/mongo_client_options.test.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/test/unit/mongo_client_options.test.js b/test/unit/mongo_client_options.test.js
index 59af4ebf4f..c848809f5b 100644
--- a/test/unit/mongo_client_options.test.js
+++ b/test/unit/mongo_client_options.test.js
@@ -311,11 +311,11 @@ describe('MongoOptions', function () {
 tlsAllowInvalidHostnames: false
 });
 expect(optionsFalse.rejectUnauthorized).to.equal(true);
- expect(optionsFalse.checkServerIdentity).not.exist;
+ expect(optionsFalse.checkServerIdentity).to.equal(undefined);

 const optionsUndefined = parseOptions('mongodb://localhost/');
- expect(optionsUndefined.rejectUnauthorized).not.exist;
- expect(optionsUndefined.checkServerIdentity).not.exist;
+ expect(optionsUndefined.rejectUnauthorized).to.equal(undefined);
+ expect(optionsUndefined.checkServerIdentity).to.equal(undefined);
 });

 it('transforms tlsInsecure correctly', function () {
@@ -330,10 +330,10 @@ describe('MongoOptions', function () {
 tlsInsecure: false
 });
 expect(optionsFalse.rejectUnauthorized).to.equal(true);
- expect(optionsFalse.checkServerIdentity).to.not.exist;
+ expect(optionsFalse.checkServerIdentity).to.equal(undefined);

 const optionsUndefined = parseOptions('mongodb://localhost/');
- expect(optionsUndefined.rejectUnauthorized).to.not.exist;
- expect(optionsUndefined.checkServerIdentity).to.not.exist;
+ expect(optionsUndefined.rejectUnauthorized).to.equal(undefined);
+ expect(optionsUndefined.checkServerIdentity).to.equal(undefined);
 });
 });
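Review bot: `expect(optionsFalse.checkServerIdentity).to.equal(undefined)` passes both when the key is absent and when it is present with the value `undefined`, and the `tlsAllowInvalidHostnames` transform in src/connection_string.ts returns `undefined` for a false flag, so the second shape is plausible. The difference matters if the parsed options are later spread over TLS defaults, where a present-but-undefined `checkServerIdentity` or `rejectUnauthorized` would displace the default instead of inheriting it; that code is not in this diff, so this needs confirming. If absence is the intended contract, assert it directly with `expect(optionsFalse).to.not.have.property('checkServerIdentity');`. The same applies to the `optionsUndefined` assertions in this hunk and to all three rewritten assertions in the `@@ -330,10` hunk.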