From a2399ef0cbad62b71d82bf5204e04a71bd724aaf Mon Sep 17 00:00:00 2001 From: Matt Dale <9760375+matthewdale@users.noreply.github.com> Date: Mon, 2 Dec 2024 21:53:21 -0800 Subject: [PATCH] Don't override the minimum TLS version for a tls.Config. Use map literals for CSE prose test 11. --- .../client_side_encryption_prose_test.go | 36 +++++++++++-------- mongo/options/autoencryptionoptions.go | 14 ++------ mongo/options/clientencryptionoptions.go | 14 ++------ 3 files changed, 25 insertions(+), 39 deletions(-) diff --git a/internal/integration/client_side_encryption_prose_test.go b/internal/integration/client_side_encryption_prose_test.go index 5e35758bbf..1f3dd71cab 100644 --- a/internal/integration/client_side_encryption_prose_test.go +++ b/internal/integration/client_side_encryption_prose_test.go 
@@ -1517,46 +1517,52 @@ func TestClientSideEncryptionProse(t *testing.T) { SetKeyVaultNamespace(kvNamespace) // make TLS opts containing client certificate and CA file - tlsConfig := make(map[string]*tls.Config) clientAndCATlsMap := map[string]interface{}{ "tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP, "tlsCAFile": tlsCAFileKMIP, } - certConfig, err := options.BuildTLSConfig(clientAndCATlsMap) + clientAndCATLSConfig, err := options.BuildTLSConfig(clientAndCATlsMap) assert.Nil(mt, err, "BuildTLSConfig error: %v", err) - tlsConfig["aws"] = certConfig - tlsConfig["azure"] = certConfig - tlsConfig["gcp"] = certConfig - tlsConfig["kmip"] = certConfig // create valid Client Encryption options and set valid TLS options validClientEncryptionOptionsWithTLS := options.ClientEncryption(). SetKmsProviders(validKmsProviders). SetKeyVaultNamespace(kvNamespace). - SetTLSConfig(tlsConfig) + SetTLSConfig(map[string]*tls.Config{ + "aws": clientAndCATLSConfig, + "azure": clientAndCATLSConfig, + "gcp": clientAndCATLSConfig, + "kmip": clientAndCATLSConfig, + }) // make TLS opts containing only CA file - caTlsMap := map[string]interface{}{ + caTlSMap := map[string]interface{}{ "tlsCAFile": tlsCAFileKMIP, } - certConfig, err = options.BuildTLSConfig(caTlsMap) + caTLSConfig, err := options.BuildTLSConfig(caTlSMap) assert.Nil(mt, err, "BuildTLSConfig error: %v", err) - tlsConfig["aws"] = certConfig - tlsConfig["azure"] = certConfig - tlsConfig["gcp"] = certConfig - tlsConfig["kmip"] = certConfig // create invalid Client Encryption options with expired credentials expiredClientEncryptionOptions := options.ClientEncryption(). SetKmsProviders(expiredKmsProviders). SetKeyVaultNamespace(kvNamespace). 
- SetTLSConfig(tlsConfig) + SetTLSConfig(map[string]*tls.Config{ + "aws": caTLSConfig, + "azure": caTLSConfig, + "gcp": caTLSConfig, + "kmip": caTLSConfig, + }) // create invalid Client Encryption options with invalid hostnames invalidHostnameClientEncryptionOptions := options.ClientEncryption(). SetKmsProviders(invalidKmsProviders). SetKeyVaultNamespace(kvNamespace). - SetTLSConfig(tlsConfig) + SetTLSConfig(map[string]*tls.Config{ + "aws": caTLSConfig, + "azure": caTLSConfig, + "gcp": caTLSConfig, + "kmip": caTLSConfig, + }) awsMasterKeyNoClientCert := map[string]interface{}{ "region": "us-east-1", diff --git a/mongo/options/autoencryptionoptions.go b/mongo/options/autoencryptionoptions.go index ce2ee8ea48..81f16cf028 100644 --- a/mongo/options/autoencryptionoptions.go +++ b/mongo/options/autoencryptionoptions.go @@ -184,19 +184,9 @@ func (a *AutoEncryptionOptionsBuilder) SetExtraOptions(extraOpts map[string]inte // to the KMS provider. // // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12. -func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *AutoEncryptionOptionsBuilder { - tlsConfigs := make(map[string]*tls.Config) - for provider, config := range tlsOpts { - // Use TLS min version 1.2 to enforce more secure hash algorithms and - // advanced cipher suites. - if config.MinVersion == 0 { - config.MinVersion = tls.VersionTLS12 - } - tlsConfigs[provider] = config - } - +func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *AutoEncryptionOptionsBuilder { a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error { - args.TLSConfig = tlsConfigs + args.TLSConfig = cfg return nil }) diff --git a/mongo/options/clientencryptionoptions.go b/mongo/options/clientencryptionoptions.go index a47b69111a..3f9b3745ed 100644 --- a/mongo/options/clientencryptionoptions.go 
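Review bot: The rename on the `caTlsMap` line yields `caTlSMap`, which reads as a typo rather than an intended spelling; Go's initialism convention and the neighbouring `caTLSConfig` suggest `caTLSMap := map[string]interface{}{` and `caTLSConfig, err := options.BuildTLSConfig(caTLSMap)`. The CA-only `map[string]*tls.Config` literal is also repeated verbatim for the expired-credentials and invalid-hostname options; binding it once, e.g. `caOnlyTLSConfigs := map[string]*tls.Config{ ... }`, would keep the two cases from drifting apart. The enclosing test function starts before this hunk and continues after it.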
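Review bot: The removed loop also copied the caller's map into a fresh one, whereas the new `args.TLSConfig = cfg` stores the caller's map itself, so later mutation of that map (or a nil map, which previously became an empty non-nil map via `make`) now reaches the options; if that isolation was relied on downstream, keep a copy, e.g. `args.TLSConfig = maps.Clone(cfg)` (Go 1.21+, with the `maps` import) or a short copy loop. The doc comment directly above, which still says the connection uses a tls.Config with MinVersion set to tls.VersionTLS12 by default, should also make clear that configs passed here are now used verbatim: a caller who sets MinVersion below 1.2 gets exactly that, and one who leaves it zero relies on crypto/tls's own client default (TLS 1.2 since Go 1.18); suggested wording: `// Configs passed here are stored as-is; MinVersion is no longer forced to tls.VersionTLS12, so set it explicitly if a floor is required.`. The same two points apply to SetTLSConfig in clientencryptionoptions.go (the following hunk), which makes the identical change.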
+++ b/mongo/options/clientencryptionoptions.go @@ -70,19 +70,9 @@ func (c *ClientEncryptionOptionsBuilder) SetKmsProviders(providers map[string]ma // to the KMS provider. // // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12. -func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptionsBuilder { - tlsConfigs := make(map[string]*tls.Config) - for provider, config := range tlsOpts { - // Use TLS min version 1.2 to enforce more secure hash algorithms and - // advanced cipher suites. - if config.MinVersion == 0 { - config.MinVersion = tls.VersionTLS12 - } - tlsConfigs[provider] = config - } - +func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *ClientEncryptionOptionsBuilder { c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error { - opts.TLSConfig = tlsConfigs + opts.TLSConfig = cfg return nil })