import { expect } from 'chai';
import * as process from 'process';
import { satisfies } from 'semver';
import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
import { ClientEncryption, type MongoClient } from '../../mongodb';
/**
 * Mocha metadata attached to every test in this file.
 *
 * The tests require client-side encryption support and only run on Node.js
 * versions below 25.0.0. While they are skipped, the expired-certificate and
 * hostname-mismatch checks for KMS connections get no coverage on those
 * runtimes, so the TODO below should not be left open indefinitely.
 */
const metadata: MongoDBMetadataUI = {
  requires: {
    clientSideEncryption: true,
    predicate: () => {
      if (satisfies(process.version, '<25.0.0')) {
        return true;
      }
      // A string is returned instead of `true` (presumably the skip reason shown by the runner).
      return 'TODO(NODE-7252): fix these tests in v25';
    }
  }
};
/**
 * Checks that creating a data key through the AWS KMS provider is rejected
 * when the KMS endpoint's TLS certificate cannot be accepted.
 *
 * Two negative cases are covered: an endpoint on port 9000 whose certificate
 * is expected to be expired, and an endpoint on port 9001 whose certificate is
 * expected not to match the host name (expectations taken from the test
 * titles; the servers themselves are started outside this file).
 */
describe('10. KMS TLS Tests', function () {
  const keyVaultNamespace = 'keyvault.datakeys';
  const masterKeyBase = {
    region: 'us-east-1',
    key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
  };

  let client: MongoClient;
  let clientEncryption: ClientEncryption;

  /**
   * Attempts `createDataKey` against `endpoint` and asserts that it is rejected
   * with an error whose `cause` is an `Error` mentioning `expectedFragment`.
   *
   * Matching on the cause's message pins the reason for the failure, so an
   * unrelated connection problem does not pass as a TLS rejection.
   * NOTE(review): the message text is presumably produced by the runtime's TLS
   * layer and may change between Node.js versions; confirm when upgrading.
   */
  async function expectTlsRejection(endpoint: string, expectedFragment: string) {
    const masterKey = { ...masterKeyBase, endpoint };
    // Resolve with the rejection reason, or with null when the call unexpectedly succeeds.
    const failure = await clientEncryption.createDataKey('aws', { masterKey }).then(
      () => null,
      reason => reason
    );

    // A null value here means the data key was created despite the bad certificate.
    expect(failure).to.exist;
    expect(failure, failure.stack).to.have.property('cause').that.is.instanceOf(Error);
    expect(failure.cause.message, failure.stack).to.include(expectedFragment);
  }

  beforeEach(async function () {
    client = this.configuration.newClient();
    await client.connect();

    // CA and client certificate paths come from the environment.
    // NOTE(review): if either variable is unset the option is `undefined`;
    // confirm the harness always sets both, otherwise the rejection may come
    // from a different validation error than the one each test asserts.
    const awsTlsOptions = {
      tlsCAFile: process.env.CSFLE_TLS_CA_FILE,
      tlsCertificateKeyFile: process.env.CSFLE_TLS_CLIENT_CERT_FILE
    };

    clientEncryption = new ClientEncryption(client, {
      keyVaultNamespace,
      kmsProviders: { aws: getCSFLEKMSProviders().aws },
      tlsOptions: { aws: awsTlsOptions }
    });
  });

  afterEach(async function () {
    await client.close();
  });

  it('should fail with an expired certificate', metadata, async function () {
    await expectTlsRejection('127.0.0.1:9000', 'certificate has expired');
  });

  it('should fail with an invalid hostname', metadata, async function () {
    await expectTlsRejection('127.0.0.1:9001', 'does not match certificate');
  });
});