chore: comments

durran · durran · commit 6617c9ecb916 · 2025-07-10T10:52:03.000-04:00
diff --git a/test/integration/client-side-encryption/driver.test.ts b/test/integration/client-side-encryption/driver.test.ts
@@ -242,7 +242,6 @@ describe('Client Side Encryption Functional', function () {
           Object.freeze(['1', 1] as const),
           Object.freeze(['0', 1] as const)
         ]);
-        // @ts-expect-error: Our findOne API does not accept readonly input
         await collection.findOne({}, { sort });
         const findEvent = events.find(event => !!event.command.find);
         expect(findEvent).to.have.property('commandName', 'find');
@@ -258,7 +257,6 @@ describe('Client Side Encryption Functional', function () {
           Object.freeze(['1', 1] as const),
           Object.freeze(['0', 1] as const)
         ]);
-        // @ts-expect-error: Our findOneAndUpdate API does not accept readonly input
         await collection.findOneAndUpdate({}, { $setOnInsert: { a: 1 } }, { sort });
         const findAndModifyEvent = events.find(event => !!event.command.findAndModify);
         expect(findAndModifyEvent).to.have.property('commandName', 'findAndModify');
@@ -1245,134 +1243,141 @@ describe('CSOT', function () {
     });
   });
 
-  context('when providing node specific TLS options', function () {
-    const dataDbName = 'db';
-    const dataCollName = 'coll';
-    const dataNamespace = `${dataDbName}.${dataCollName}`;
-    const keyVaultDbName = 'keyvault';
-    const keyVaultCollName = 'datakeys';
-    const keyVaultNamespace = `${keyVaultDbName}.${keyVaultCollName}`;
-    const masterKey = {
-      region: 'us-east-1',
-      key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
-    };
-    const schemaMap = {
-      [dataNamespace]: {
-        bsonType: 'object',
-        properties: {
-          encrypted_placeholder: {
-            encrypt: {
-              keyId: '/placeholder',
-              bsonType: 'string',
-              algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
+  describe('TLS Authentication with Client Encryption and Auto Encryption', function () {
+    context('when providing node specific secureContext TLS option', function () {
+      const dataDbName = 'db';
+      const dataCollName = 'coll';
+      const dataNamespace = `${dataDbName}.${dataCollName}`;
+      const keyVaultDbName = 'keyvault';
+      const keyVaultCollName = 'datakeys';
+      const keyVaultNamespace = `${keyVaultDbName}.${keyVaultCollName}`;
+      const masterKey = {
+        region: 'us-east-1',
+        key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
+      };
+      const schemaMap = {
+        [dataNamespace]: {
+          bsonType: 'object',
+          properties: {
+            encrypted_placeholder: {
+              encrypt: {
+                keyId: '/placeholder',
+                bsonType: 'string',
+                algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
+              }
             }
           }
         }
-      }
-    };
-    let secureContextOptions;
-
-    beforeEach(async function () {
-      const caFile = await fs.readFile(process.env.CSFLE_TLS_CA_FILE);
-      const certFile = await fs.readFile(process.env.CSFLE_TLS_CLIENT_CERT_FILE);
-      secureContextOptions = {
-        ca: caFile,
-        key: certFile,
-        cert: certFile
-      };
-    });
-
-    context('when no driver specific TLS options are provided', function () {
-      let client;
-      let clientEncryption;
-      const options = {
-        keyVaultNamespace,
-        kmsProviders: { aws: getCSFLEKMSProviders().aws },
-        tlsOptions: {
-          aws: {
-            secureContext: tls.createSecureContext(secureContextOptions)
-          }
-        },
-        extraOptions: getEncryptExtraOptions()
       };
+      let secureContextOptions;
 
       beforeEach(async function () {
-        client = this.configuration.newClient({}, { autoEncryption: { ...options, schemaMap } });
-        clientEncryption = new ClientEncryption(client, options);
-        await client.connect();
+        const caFile = await fs.readFile(process.env.CSFLE_TLS_CA_FILE);
+        const certFile = await fs.readFile(process.env.CSFLE_TLS_CLIENT_CERT_FILE);
+        secureContextOptions = {
+          ca: caFile,
+          key: certFile,
+          cert: certFile
+        };
       });
 
-      afterEach(async function () {
-        await client.db(keyVaultDbName).collection(keyVaultCollName).deleteMany();
-        await client.close();
-      });
+      context('when no driver specific TLS options are provided', function () {
+        let client;
+        let clientEncryption;
+        const options = {
+          keyVaultNamespace,
+          kmsProviders: { aws: getCSFLEKMSProviders().aws },
+          tlsOptions: {
+            aws: {
+              secureContext: tls.createSecureContext(secureContextOptions)
+            }
+          },
+          extraOptions: getEncryptExtraOptions()
+        };
 
-      it('succeeds to connect', metadata, async function () {
-        // Use client encryption to create a data key. If this succeeds, then TLS worked.
-        const awsDatakeyId = await clientEncryption.createDataKey('aws', {
-          masterKey,
-          keyAltNames: ['aws_altname']
+        beforeEach(async function () {
+          client = this.configuration.newClient({}, { autoEncryption: { ...options, schemaMap } });
+          clientEncryption = new ClientEncryption(client, options);
+          await client.connect();
         });
-        expect(awsDatakeyId).to.have.property('sub_type', 4);
-        // Use the client to get the data key. If this succeeds, then the TLS connection
-        // for auto encryption worked.
-        const results = await client
-          .db(keyVaultDbName)
-          .collection(keyVaultCollName)
-          .find({ _id: awsDatakeyId })
-          .toArray();
-        expect(results)
-          .to.have.a.lengthOf(1)
-          .and.to.have.nested.property('0.masterKey.provider', 'aws');
-      });
-    });
 
-    context('when driver specific TLS options are provided', function () {
-      let client;
-      let clientEncryption;
-      // Note we set tlsCAFile and tlsCertificateKeyFile to 'nofilename' to also
-      // test that the driver does not attempt to read these files in this case.
-      const options = {
-        keyVaultNamespace,
-        kmsProviders: { aws: getCSFLEKMSProviders().aws },
-        tlsOptions: {
-          aws: {
-            secureContext: tls.createSecureContext(secureContextOptions),
-            tlsCAFile: 'nofilename',
-            tlsCertificateKeyFile: 'nofilename'
-          }
-        },
-        extraOptions: getEncryptExtraOptions()
-      };
+        afterEach(async function () {
+          await client.db(keyVaultDbName).collection(keyVaultCollName).deleteMany();
+          await client.close();
+        });
 
-      beforeEach(async function () {
-        client = this.configuration.newClient({}, { autoEncryption: { ...options, schemaMap } });
-        clientEncryption = new ClientEncryption(client, options);
-        await client.connect();
+        it('successfully connects with TLS', metadata, async function () {
+          // Use client encryption to create a data key. If this succeeds, then TLS worked.
+          const awsDatakeyId = await clientEncryption.createDataKey('aws', {
+            masterKey,
+            keyAltNames: ['aws_altname']
+          });
+          expect(awsDatakeyId).to.have.property('sub_type', 4);
+          // Use the client to get the data key. If this succeeds, then the TLS connection
+          // for auto encryption worked.
+          const results = await client
+            .db(keyVaultDbName)
+            .collection(keyVaultCollName)
+            .find({ _id: awsDatakeyId })
+            .toArray();
+          expect(results)
+            .to.have.a.lengthOf(1)
+            .and.to.have.nested.property('0.masterKey.provider', 'aws');
+        });
       });
 
-      afterEach(async function () {
-        await client.db(keyVaultDbName).collection(keyVaultCollName).deleteMany();
-        await client.close();
-      });
+      context('when driver specific TLS options are provided', function () {
+        let client;
+        let clientEncryption;
+        // Note we set tlsCAFile and tlsCertificateKeyFile to 'nofilename' to also
+        // test that the driver does not attempt to read these files in this case.
+        const options = {
+          keyVaultNamespace,
+          kmsProviders: { aws: getCSFLEKMSProviders().aws },
+          tlsOptions: {
+            aws: {
+              secureContext: tls.createSecureContext(secureContextOptions),
+              tlsCAFile: 'nofilename',
+              tlsCertificateKeyFile: 'nofilename',
+              tlsCertificateKeyFilePassword: 'invalid'
+            }
+          },
+          extraOptions: getEncryptExtraOptions()
+        };
+
+        beforeEach(async function () {
+          client = this.configuration.newClient({}, { autoEncryption: { ...options, schemaMap } });
+          clientEncryption = new ClientEncryption(client, options);
+          await client.connect();
+        });
 
-      it('succeeds to connect', metadata, async function () {
-        // Use client encryption to create a data key. If this succeeds, then TLS worked.
-        const awsDatakeyId = await clientEncryption.createDataKey('aws', {
-          masterKey,
-          keyAltNames: ['aws_altname']
+        afterEach(async function () {
+          await client.db(keyVaultDbName).collection(keyVaultCollName).deleteMany();
+          await client.close();
         });
-        expect(awsDatakeyId).to.have.property('sub_type', 4);
-        // Use the client to get the data key. If this succeeds, then the TLS connection
-        // for auto encryption worked.
-        const results = await client
-          .db(keyVaultDbName)
-          .collection(keyVaultCollName)
-          .find({ _id: awsDatakeyId })
-          .toArray();
-        expect(results)
-          .to.have.a.lengthOf(1)
-          .and.to.have.nested.property('0.masterKey.provider', 'aws');
+
+        it(
+          'successfully connects with TLS without attempting to parse the driver specific options',
+          metadata,
+          async function () {
+            // Use client encryption to create a data key. If this succeeds, then TLS worked.
+            const awsDatakeyId = await clientEncryption.createDataKey('aws', {
+              masterKey,
+              keyAltNames: ['aws_altname']
+            });
+            expect(awsDatakeyId).to.have.property('sub_type', 4);
+            // Use the client to get the data key. If this succeeds, then the TLS connection
+            // for auto encryption worked.
+            const results = await client
+              .db(keyVaultDbName)
+              .collection(keyVaultCollName)
+              .find({ _id: awsDatakeyId })
+              .toArray();
+            expect(results)
+              .to.have.a.lengthOf(1)
+              .and.to.have.nested.property('0.masterKey.provider', 'aws');
+          }
+        );
       });
     });
   });
diff --git a/test/tsconfig.json b/test/tsconfig.json
@@ -3,8 +3,7 @@
     "compilerOptions": {
         "strict": false,
         "allowJs": true,
-        "checkJs": false,
-        "resolveJsonModule": true
+        "checkJs": false
     },
     "include": [
         "../node_modules/@types/mocha/index.d.ts",
