From afe4936cc74bbf7b991e385cdf112baede008712 Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Mon, 7 Jul 2025 14:42:54 -0400
Subject: [PATCH 1/3] feat(NODE-3922): remove behaviour around ocsp tls options
---
 src/client-side-encryption/state_machine.ts | 7 +------
 src/connection_string.ts | 5 -----
 test/unit/assorted/uri_options.spec.test.ts | 3 ++-
 3 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/src/client-side-encryption/state_machine.ts b/src/client-side-encryption/state_machine.ts
index fd5a393ea84..4356d3f7a53 100644
--- a/src/client-side-encryption/state_machine.ts
+++ b/src/client-side-encryption/state_machine.ts
@@ -68,12 +68,7 @@ const stateToString = new Map([
 const INSECURE_TLS_OPTIONS = [
   'tlsInsecure',
   'tlsAllowInvalidCertificates',
-  'tlsAllowInvalidHostnames',
-
-  // These options are disallowed by the spec, so we explicitly filter them out if provided, even
-  // though the StateMachine does not declare support for these options.
-  'tlsDisableOCSPEndpointCheck',
-  'tlsDisableCertificateRevocationCheck'
+  'tlsAllowInvalidHostnames'
 ];
 /**
diff --git a/src/connection_string.ts b/src/connection_string.ts
index a32c1e155f1..89bcaf8bc94 100644
--- a/src/connection_string.ts
+++ b/src/connection_string.ts
@@ -172,11 +172,6 @@ function checkTLSOptions(allOptions: CaseInsensitiveMap): void {
   };
   check('tlsInsecure', 'tlsAllowInvalidCertificates');
   check('tlsInsecure', 'tlsAllowInvalidHostnames');
-  check('tlsInsecure', 'tlsDisableCertificateRevocationCheck');
-  check('tlsInsecure', 'tlsDisableOCSPEndpointCheck');
-  check('tlsAllowInvalidCertificates', 'tlsDisableCertificateRevocationCheck');
-  check('tlsAllowInvalidCertificates', 'tlsDisableOCSPEndpointCheck');
-  check('tlsDisableCertificateRevocationCheck', 'tlsDisableOCSPEndpointCheck');
 }
 function getBoolean(name: string, value: unknown): boolean {
   if (typeof value === 'boolean') return value;
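Review bot: Dropping 'tlsDisableOCSPEndpointCheck' and 'tlsDisableCertificateRevocationCheck' from INSECURE_TLS_OPTIONS means a KMS `tlsOptions` entry that sets either of them is no longer rejected with the "Insecure TLS options prohibited" error, and the removed comment was the only place recording that the spec disallows them. The test comment in a later hunk says these options are rejected with a MongoParseError at URI-parse time, but a programmatic `tlsOptions` object handed to the StateMachine presumably does not pass through that parser, so whether the options are now silently ignored or forwarded to the TLS connection should be confirmed before merging. A replacement comment on the array would keep the rationale visible, e.g. `// tlsDisableOCSPEndpointCheck and tlsDisableCertificateRevocationCheck are intentionally absent: the driver does not implement OCSP (NODE-3922).`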
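Review bot: With the five OCSP cross-checks removed, checkTLSOptions accepts `tlsInsecure` together with `tlsDisableOCSPEndpointCheck` without complaint, so the function now depends on the OCSP options being rejected before it runs; the test comment in a later hunk says a MongoParseError is thrown for them, but that rejection is not visible in this hunk. A one-line comment after the two remaining checks would make the dependency explicit, e.g. `// tlsDisableOCSPEndpointCheck / tlsDisableCertificateRevocationCheck are rejected as unsupported at parse time, so no cross-check is needed here.` checkTLSOptions begins outside the hunk.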
diff --git a/test/unit/assorted/uri_options.spec.test.ts b/test/unit/assorted/uri_options.spec.test.ts
index e3f4e9112d9..2381dd87277 100644
--- a/test/unit/assorted/uri_options.spec.test.ts
+++ b/test/unit/assorted/uri_options.spec.test.ts
@@ -10,7 +10,8 @@ describe('URI option spec tests', function () {
   // Skipped because this does not apply to Node
   'Valid options specific to single-threaded drivers are parsed correctly',
-  // TODO(NODE-3922): have not implemented option support
+  // These options are specific to OCSP which the driver does not implement
+  // and will not be implemented in the future.
   'tlsDisableCertificateRevocationCheck can be set to true',
   'tlsDisableCertificateRevocationCheck can be set to false',
   'tlsDisableOCSPEndpointCheck can be set to true',
From 64d5fac54256e71f57d2d193f1887bfed12d6110 Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Mon, 7 Jul 2025 15:22:00 -0400
Subject: [PATCH 2/3] chore: update comment
---
 test/unit/assorted/uri_options.spec.test.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/test/unit/assorted/uri_options.spec.test.ts b/test/unit/assorted/uri_options.spec.test.ts
index 2381dd87277..349eedb33fb 100644
--- a/test/unit/assorted/uri_options.spec.test.ts
+++ b/test/unit/assorted/uri_options.spec.test.ts
@@ -11,7 +11,10 @@ describe('URI option spec tests', function () {
   'Valid options specific to single-threaded drivers are parsed correctly',
   // These options are specific to OCSP which the driver does not implement
-  // and will not be implemented in the future.
+  // and will not be implemented in the future. Note that the other URI
+  // option tests that are testing these options are passing, simply because
+  // they are testing error conditions and the driver is throwing a MongoParseError
+  // when either of these options are provided.
   'tlsDisableCertificateRevocationCheck can be set to true',
   'tlsDisableCertificateRevocationCheck can be set to false',
   'tlsDisableOCSPEndpointCheck can be set to true',
From 4e2c6523de51577b82487ee3344fd6ce04f1827e Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Mon, 7 Jul 2025 17:02:57 -0400
Subject: [PATCH 3/3] test: fix options test
---
 .../state_machine.test.ts | 36 +++++++++----------
 1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/test/unit/client-side-encryption/state_machine.test.ts b/test/unit/client-side-encryption/state_machine.test.ts
index 1f43b57007b..920ce567dde 100644
--- a/test/unit/client-side-encryption/state_machine.test.ts
+++ b/test/unit/client-side-encryption/state_machine.test.ts
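Review bot: The expanded comment explains why the four OCSP spec tests are skipped, but its last sentence has a number-agreement slip and does not say where the rejection happens; `// when either of these options is provided.` reads correctly, and naming the rejecting code (the URI option parser, if that is where the MongoParseError originates) would let a reader verify the claim without running the suite. The skip-list array and the describe block both begin outside the hunk.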
@@ -190,27 +190,25 @@ describe('StateMachine', function () {
   context('when tls options are provided', function () {
     context('when the options are insecure', function () {
-      [
-        'tlsInsecure',
-        'tlsAllowInvalidCertificates',
-        'tlsAllowInvalidHostnames',
-        'tlsDisableOCSPEndpointCheck',
-        'tlsDisableCertificateRevocationCheck'
-      ].forEach(function (option) {
-        context(`when the option is ${option}`, function () {
-          const stateMachine = new StateMachine({
-            tlsOptions: { aws: { [option]: true } }
-          } as any);
-          const request = new MockRequest(Buffer.from('foobar'), 500);
-
-          it('rejects with the validation error', function (done) {
-            stateMachine.kmsRequest(request).catch(err => {
-              expect(err.message).to.equal(`Insecure TLS options prohibited for aws: ${option}`);
-              done();
+      ['tlsInsecure', 'tlsAllowInvalidCertificates', 'tlsAllowInvalidHostnames'].forEach(
+        function (option) {
+          context(`when the option is ${option}`, function () {
+            const stateMachine = new StateMachine({
+              tlsOptions: { aws: { [option]: true } }
+            } as any);
+            const request = new MockRequest(Buffer.from('foobar'), 500);
+
+            it('rejects with the validation error', function (done) {
+              stateMachine.kmsRequest(request).catch(err => {
+                expect(err.message).to.equal(
+                  `Insecure TLS options prohibited for aws: ${option}`
+                );
+                done();
+              });
             });
           });
-        });
-      });
+        }
+      );
     });
     context('when the options are secure', function () {
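Review bot: The rewritten `it` still reaches `done()` only through `.catch`, so if kmsRequest ever resolves for one of the three insecure options the test fails by timeout rather than with a clear assertion, which hides exactly the regression this list is meant to catch; `stateMachine.kmsRequest(request).then(() => done(new Error('expected rejection')), err => { expect(err.message).to.equal(...); done(); });` fails immediately instead. Separately, now that the two OCSP options have been removed from the insecure list, no case in this hunk pins what the StateMachine does when `tlsDisableOCSPEndpointCheck` is supplied in `tlsOptions`, so a case in the "secure" context (or a dedicated one) asserting the intended outcome would document the new behaviour. The enclosing describe and the "secure" context continue outside the hunk.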