chore: remove secure context preference

durran · durran · commit 9d3a8048f081 · 2025-07-22T22:43:44.000+02:00
diff --git a/src/client-side-encryption/state_machine.ts b/src/client-side-encryption/state_machine.ts
@@ -103,8 +103,6 @@ declare module 'mongodb-client-encryption' {
  *  - tlsInsecure
  *
  * These options are not included in the type, and are ignored if provided.
- *
- * Note that if a secureContext option is provided, all other TLS options will be ignored.
  */
 export type ClientEncryptionTlsOptions = Pick<
   MongoClientOptions,
@@ -523,20 +521,19 @@ export class StateMachine {
     tlsOptions: ClientEncryptionTlsOptions,
     options: tls.ConnectionOptions
   ): Promise<void> {
-    // If a secureContext is provided, it takes precedence over the other options.
+    // If a secureContext is provided, ensure it is set.
     if (tlsOptions.secureContext) {
       options.secureContext = tlsOptions.secureContext;
-    } else {
-      if (tlsOptions.tlsCertificateKeyFile) {
-        const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);
-        options.cert = options.key = cert;
-      }
-      if (tlsOptions.tlsCAFile) {
-        options.ca = await fs.readFile(tlsOptions.tlsCAFile);
-      }
-      if (tlsOptions.tlsCertificateKeyFilePassword) {
-        options.passphrase = tlsOptions.tlsCertificateKeyFilePassword;
-      }
+    }
+    if (tlsOptions.tlsCertificateKeyFile) {
+      const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);
+      options.cert = options.key = cert;
+    }
+    if (tlsOptions.tlsCAFile) {
+      options.ca = await fs.readFile(tlsOptions.tlsCAFile);
+    }
+    if (tlsOptions.tlsCertificateKeyFilePassword) {
+      options.passphrase = tlsOptions.tlsCertificateKeyFilePassword;
     }
   }
 
diff --git a/test/integration/client-side-encryption/driver.test.ts b/test/integration/client-side-encryption/driver.test.ts
@@ -1326,7 +1326,7 @@ describe('CSOT', function () {
         });
       });
 
-      context('when driver specific TLS options are provided', function () {
+      context('when driver specific TLS options are provided with a secure context', function () {
         let client;
         let clientEncryption;
         // Note we set tlsCAFile and tlsCertificateKeyFile to 'nofilename' to also
@@ -1337,9 +1337,8 @@ describe('CSOT', function () {
           tlsOptions: {
             aws: {
               secureContext: tls.createSecureContext(secureContextOptions),
-              tlsCAFile: 'nofilename',
-              tlsCertificateKeyFile: 'nofilename',
-              tlsCertificateKeyFilePassword: 'invalid'
+              tlsCAFile: process.env.CSFLE_TLS_CA_FILE,
+              tlsCertificateKeyFile: process.env.CSFLE_TLS_CLIENT_CERT_FILE
             }
           },
           extraOptions: getEncryptExtraOptions()
@@ -1356,28 +1355,24 @@ describe('CSOT', function () {
           await client.close();
         });
 
-        it(
-          'successfully connects with TLS without attempting to parse the driver specific options',
-          metadata,
-          async function () {
-            // Use client encryption to create a data key. If this succeeds, then TLS worked.
-            const awsDatakeyId = await clientEncryption.createDataKey('aws', {
-              masterKey,
-              keyAltNames: ['aws_altname']
-            });
-            expect(awsDatakeyId).to.have.property('sub_type', 4);
-            // Use the client to get the data key. If this succeeds, then the TLS connection
-            // for auto encryption worked.
-            const results = await client
-              .db(keyVaultDbName)
-              .collection(keyVaultCollName)
-              .find({ _id: awsDatakeyId })
-              .toArray();
-            expect(results)
-              .to.have.a.lengthOf(1)
-              .and.to.have.nested.property('0.masterKey.provider', 'aws');
-          }
-        );
+        it('successfully connects with TLS', metadata, async function () {
+          // Use client encryption to create a data key. If this succeeds, then TLS worked.
+          const awsDatakeyId = await clientEncryption.createDataKey('aws', {
+            masterKey,
+            keyAltNames: ['aws_altname']
+          });
+          expect(awsDatakeyId).to.have.property('sub_type', 4);
+          // Use the client to get the data key. If this succeeds, then the TLS connection
+          // for auto encryption worked.
+          const results = await client
+            .db(keyVaultDbName)
+            .collection(keyVaultCollName)
+            .find({ _id: awsDatakeyId })
+            .toArray();
+          expect(results)
+            .to.have.a.lengthOf(1)
+            .and.to.have.nested.property('0.masterKey.provider', 'aws');
+        });
       });
     });
   });
