fix(NODE-5548): ensure that tlsCertificateKeyFile maps to cert and key (

#3819) Co-authored-by: Durran Jordan <durran@gmail.com>
mongodb · Aug 22, 2023 · a0955bd · a0955bd
1 parent bf00e32
commit a0955bd
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 6 deletions.
diff --git a/src/mongo_client.ts b/src/mongo_client.ts
@@ -435,10 +435,14 @@ export class MongoClient extends TypedEventEmitter<MongoClientEvents> {
 
  if (options.tls) {
  if (typeof options.tlsCAFile === 'string') {
- options.ca ??= await fs.readFile(options.tlsCAFile, { encoding: 'utf8' });
+ options.ca ??= await fs.readFile(options.tlsCAFile);
  }
  if (typeof options.tlsCertificateKeyFile === 'string') {
- options.key ??= await fs.readFile(options.tlsCertificateKeyFile, { encoding: 'utf8' });
+ if (!options.key || !options.cert) {
+ const contents = await fs.readFile(options.tlsCertificateKeyFile);
+ options.key ??= contents;
+ options.cert ??= contents;
+ }
  }
  }
  if (typeof options.srvHost === 'string') {
@@ -787,6 +791,7 @@ export interface MongoOptions
  * |:----------------------|:----------------------------------------------|:-------------------|
  * | `ca` | `tlsCAFile` | `string` |
  * | `crl` | N/A | `string` |
+ * | `cert` | `tlsCertificateKeyFile` | `string` |
  * | `key` | `tlsCertificateKeyFile` | `string` |
  * | `passphrase` | `tlsCertificateKeyFilePassword` | `string` |
  * | `rejectUnauthorized` | `tlsAllowInvalidCertificates` | `boolean` |
@@ -804,9 +809,9 @@ export interface MongoOptions
  *
  * The files specified by the paths passed in to the `tlsCAFile` and `tlsCertificateKeyFile` fields
  * are read lazily on the first call to `MongoClient.connect`. Once these files have been read and
- * the `ca` and `key` fields are populated, they will not be read again on subsequent calls to
- * `MongoClient.connect`. As a result, until the first call to `MongoClient.connect`, the `ca`
- * and `key` fields will be undefined.
+ * the `ca`, `cert` and `key` fields are populated, they will not be read again on subsequent calls to
+ * `MongoClient.connect`. As a result, until the first call to `MongoClient.connect`, the `ca`,
+ * `cert` and `key` fields will be undefined.
  */
  tls: boolean;
 

diff --git a/test/manual/tls_support.test.ts b/test/manual/tls_support.test.ts
@@ -1,7 +1,12 @@
 import { expect } from 'chai';
 import { promises as fs } from 'fs';
 
-import { LEGACY_HELLO_COMMAND, MongoClient, type MongoClientOptions } from '../mongodb';
+import {
+ LEGACY_HELLO_COMMAND,
+ MongoClient,
+ type MongoClientOptions,
+ MongoServerSelectionError
+} from '../mongodb';
 
 const REQUIRED_ENV = ['MONGODB_URI', 'SSL_KEY_FILE', 'SSL_CA_FILE'];
 
@@ -51,11 +56,13 @@ describe('TLS Support', function () {
  expect(client.options).property('tlsCertificateKeyFile', TLS_CERT_KEY_FILE);
  expect(client.options).not.have.property('ca');
  expect(client.options).not.have.property('key');
+ expect(client.options).not.have.property('cert');
 
  await client.connect();
 
  expect(client.options).property('ca').to.exist;
  expect(client.options).property('key').to.exist;
+ expect(client.options).property('cert').to.exist;
  });
 
  context('when client has been opened and closed more than once', function () {
@@ -106,6 +113,44 @@ describe('TLS Support', function () {
  });
  });
  });
+
+ context('when tlsCertificateKeyFile is provided, but tlsCAFile is missing', () => {
+ let client: MongoClient;
+ beforeEach(() => {
+ client = new MongoClient(CONNECTION_STRING, {
+ tls: true,
+ tlsCertificateKeyFile: TLS_CERT_KEY_FILE,
+ serverSelectionTimeoutMS: 5000,
+ connectTimeoutMS: 5000
+ });
+ });
+ afterEach(async () => {
+ if (client) await client.close();
+ });
+
+ it('throws a MongoServerSelectionError', async () => {
+ const err = await client.connect().catch(e => e);
+ expect(err).to.be.instanceOf(MongoServerSelectionError);
+ });
+ });
+
+ context('when tlsCAFile is provided, but tlsCertificateKeyFile is missing', () => {
+ let client: MongoClient;
+ beforeEach(() => {
+ client = new MongoClient(CONNECTION_STRING, {
+ tls: true,
+ tlsCAFile: TLS_CA_FILE
+ });
+ });
+ afterEach(async () => {
+ if (client) await client.close();
+ });
+
+ it('connects without error', async () => {
+ const clientOrError = await client.connect().catch(e => e);
+ expect(clientOrError).to.be.instanceOf(MongoClient);
+ });
+ });
 });
 
 function makeConnectionTest(connectionString: string, clientOptions?: MongoClientOptions) {

diff --git a/test/unit/mongo_client.test.js b/test/unit/mongo_client.test.js
@@ -58,6 +58,7 @@ describe('MongoOptions', function () {
  expect(options).to.not.have.property('tlsCertificateKeyFilePassword');
  expect(options).to.not.have.property('key');
  expect(options).to.not.have.property('ca');
+ expect(options).to.not.have.property('cert');
  expect(options).to.have.property('tlsCertificateKeyFile', filename);
  expect(options).to.have.property('tlsCAFile', filename);
  expect(options).has.property('passphrase', 'tlsCertificateKeyFilePassword');