
Don't override the minimum TLS version for a tls.Config. Use map literals for CSE prose test 11.
matthewdale committed Dec 3, 2024
1 parent b7a77c8 commit a2399ef
Showing 3 changed files with 25 additions and 39 deletions.
36 changes: 21 additions & 15 deletions internal/integration/client_side_encryption_prose_test.go
Expand Up @@ -1517,46 +1517,52 @@ func TestClientSideEncryptionProse(t *testing.T) {
SetKeyVaultNamespace(kvNamespace)

// make TLS opts containing client certificate and CA file
tlsConfig := make(map[string]*tls.Config)
clientAndCATlsMap := map[string]interface{}{
"tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
"tlsCAFile": tlsCAFileKMIP,
}
certConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
clientAndCATLSConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
tlsConfig["aws"] = certConfig
tlsConfig["azure"] = certConfig
tlsConfig["gcp"] = certConfig
tlsConfig["kmip"] = certConfig

// create valid Client Encryption options and set valid TLS options
validClientEncryptionOptionsWithTLS := options.ClientEncryption().
SetKmsProviders(validKmsProviders).
SetKeyVaultNamespace(kvNamespace).
SetTLSConfig(tlsConfig)
SetTLSConfig(map[string]*tls.Config{
"aws": clientAndCATLSConfig,
"azure": clientAndCATLSConfig,
"gcp": clientAndCATLSConfig,
"kmip": clientAndCATLSConfig,
})

// make TLS opts containing only CA file
caTlsMap := map[string]interface{}{
caTlSMap := map[string]interface{}{
"tlsCAFile": tlsCAFileKMIP,
}
certConfig, err = options.BuildTLSConfig(caTlsMap)
caTLSConfig, err := options.BuildTLSConfig(caTlSMap)
assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
tlsConfig["aws"] = certConfig
tlsConfig["azure"] = certConfig
tlsConfig["gcp"] = certConfig
tlsConfig["kmip"] = certConfig

// create invalid Client Encryption options with expired credentials
expiredClientEncryptionOptions := options.ClientEncryption().
SetKmsProviders(expiredKmsProviders).
SetKeyVaultNamespace(kvNamespace).
SetTLSConfig(tlsConfig)
SetTLSConfig(map[string]*tls.Config{
"aws": caTLSConfig,
"azure": caTLSConfig,
"gcp": caTLSConfig,
"kmip": caTLSConfig,
})

// create invalid Client Encryption options with invalid hostnames
invalidHostnameClientEncryptionOptions := options.ClientEncryption().
SetKmsProviders(invalidKmsProviders).
SetKeyVaultNamespace(kvNamespace).
SetTLSConfig(tlsConfig)
SetTLSConfig(map[string]*tls.Config{
"aws": caTLSConfig,
"azure": caTLSConfig,
"gcp": caTLSConfig,
"kmip": caTLSConfig,
})

awsMasterKeyNoClientCert := map[string]interface{}{
"region": "us-east-1",
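Review bot: `caTlSMap` on the replaced CA-only map line mixes initialism casing, while the sibling names introduced in the same hunk use `clientAndCATLSConfig` and `caTLSConfig`; `caTLSMap` would match the config it feeds: `caTLSMap := map[string]interface{}{` and `caTLSConfig, err := options.BuildTLSConfig(caTLSMap)`. Each new map literal points all four providers at one shared *tls.Config, which is only safe because this commit also stops SetTLSConfig from writing MinVersion into the passed config; a one-line comment on the first literal, `// All providers share one *tls.Config; SetTLSConfig must not mutate it.`, would keep a later change from reintroducing that write. TestClientSideEncryptionProse starts and ends outside this hunk.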
14 changes: 2 additions & 12 deletions mongo/options/autoencryptionoptions.go
Expand Up @@ -184,19 +184,9 @@ func (a *AutoEncryptionOptionsBuilder) SetExtraOptions(extraOpts map[string]inte
// to the KMS provider.
//
// This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
tlsConfigs := make(map[string]*tls.Config)
for provider, config := range tlsOpts {
// Use TLS min version 1.2 to enforce more secure hash algorithms and
// advanced cipher suites.
if config.MinVersion == 0 {
config.MinVersion = tls.VersionTLS12
}
tlsConfigs[provider] = config
}

func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error {
args.TLSConfig = tlsConfigs
args.TLSConfig = cfg

return nil
})
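Review bot: The doc comment kept directly above the new signature still says the connection uses "an empty tls.Config{} with MinVersion set to tls.VersionTLS12", but with the MinVersion loop removed a caller-supplied config whose MinVersion is zero now reaches the KMS connection unchanged, so the comment should state that the provided configs are used as-is, e.g. `// The provided tls.Config values are used as-is; a zero MinVersion is left to crypto/tls rather than raised to tls.VersionTLS12.` The new body also stores the caller's map directly where the old loop copied entries into a fresh map, so a caller that mutates the map after SetTLSConfig changes the options it already built; if that aliasing is unintended, `args.TLSConfig = maps.Clone(cfg)` (Go 1.21+) or the old copy loop restores the isolation. Both points apply equally to the identical hunk in mongo/options/clientencryptionoptions.go. SetTLSConfig's closing brace is outside this hunk.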
14 changes: 2 additions & 12 deletions mongo/options/clientencryptionoptions.go
Expand Up @@ -70,19 +70,9 @@ func (c *ClientEncryptionOptionsBuilder) SetKmsProviders(providers map[string]ma
// to the KMS provider.
//
// This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
tlsConfigs := make(map[string]*tls.Config)
for provider, config := range tlsOpts {
// Use TLS min version 1.2 to enforce more secure hash algorithms and
// advanced cipher suites.
if config.MinVersion == 0 {
config.MinVersion = tls.VersionTLS12
}
tlsConfigs[provider] = config
}

func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
opts.TLSConfig = tlsConfigs
opts.TLSConfig = cfg

return nil
})
