feat(data-service): add CSFLE options in ConnectionOptions COMPASS-5640 (#2923)

addaleax · web-flow · commit acd5e6bef4a1 · 2022-03-28T15:54:03.000+02:00
diff --git a/packages/data-service/src/connection-options.ts b/packages/data-service/src/connection-options.ts
@@ -1,3 +1,5 @@
+import type { AutoEncryptionOptions } from 'mongodb';
+
 export interface ConnectionOptions {
   /**
    * The connection string to connect to the MongoDB instance including all options set by the user.
@@ -13,6 +15,23 @@ export interface ConnectionOptions {
    * If true, the connection uses the system CA store instead of tlsCAFile or the default Node.js store.
    */
   useSystemCA?: boolean;
+
+  /**
+   * Options related to client-side field-level encryption.
+   */
+  fleOptions?: ConnectionFleOptions;
+}
+
+export interface ConnectionFleOptions {
+  /**
+   * Whether to store KMS credentials to disk or not.
+   */
+  storeCredentials: boolean;
+
+  /**
+   * Encryption options passed to the driver verbatim.
+   */
+  autoEncryption: AutoEncryptionOptions;
 }
 
 export interface ConnectionSshOptions {
diff --git a/packages/data-service/src/connection-secrets.spec.ts b/packages/data-service/src/connection-secrets.spec.ts
@@ -147,6 +147,58 @@ describe('connection secrets', function () {
             port: 22,
             identityKeyPassphrase: 'passphrase',
           },
+          fleOptions: {
+            storeCredentials: true,
+            autoEncryption: {
+              keyVaultNamespace: 'keyVaultNamespace',
+              kmsProviders: {
+                aws: {
+                  accessKeyId: 'accessKeyId',
+                  secretAccessKey: 'secretAccessKey',
+                  sessionToken: 'sessionToken',
+                },
+                local: {
+                  key: 'key',
+                },
+                azure: {
+                  tenantId: 'tenantId',
+                  clientId: 'clientId',
+                  clientSecret: 'clientSecret',
+                  identityPlatformEndpoint: 'identityPlatformEndpoint',
+                },
+                gcp: {
+                  email: 'email',
+                  privateKey: 'privateKey',
+                  endpoint: 'endpoint',
+                },
+                kmip: {
+                  endpoint: 'endpoint',
+                },
+              },
+              tlsOptions: {
+                aws: {
+                  tlsCertificateKeyFile: 'file',
+                  tlsCertificateKeyFilePassword: 'pwd',
+                },
+                local: {
+                  tlsCertificateKeyFile: 'file',
+                  tlsCertificateKeyFilePassword: 'pwd',
+                },
+                azure: {
+                  tlsCertificateKeyFile: 'file',
+                  tlsCertificateKeyFilePassword: 'pwd',
+                },
+                gcp: {
+                  tlsCertificateKeyFile: 'file',
+                  tlsCertificateKeyFilePassword: 'pwd',
+                },
+                kmip: {
+                  tlsCertificateKeyFile: 'file',
+                  tlsCertificateKeyFilePassword: 'pwd',
+                },
+              },
+            },
+          },
         },
       };
 
@@ -163,6 +215,47 @@ describe('connection secrets', function () {
             username: 'user',
             port: 22,
           },
+          fleOptions: {
+            storeCredentials: true,
+            autoEncryption: {
+              keyVaultNamespace: 'keyVaultNamespace',
+              kmsProviders: {
+                aws: {
+                  accessKeyId: 'accessKeyId',
+                },
+                local: {},
+                azure: {
+                  tenantId: 'tenantId',
+                  clientId: 'clientId',
+                  identityPlatformEndpoint: 'identityPlatformEndpoint',
+                },
+                gcp: {
+                  email: 'email',
+                  endpoint: 'endpoint',
+                },
+                kmip: {
+                  endpoint: 'endpoint',
+                },
+              },
+              tlsOptions: {
+                aws: {
+                  tlsCertificateKeyFile: 'file',
+                },
+                local: {
+                  tlsCertificateKeyFile: 'file',
+                },
+                azure: {
+                  tlsCertificateKeyFile: 'file',
+                },
+                gcp: {
+                  tlsCertificateKeyFile: 'file',
+                },
+                kmip: {
+                  tlsCertificateKeyFile: 'file',
+                },
+              },
+            },
+          },
         },
       } as ConnectionInfo);
 
@@ -173,6 +266,40 @@ describe('connection secrets', function () {
         sshTunnelPassphrase: 'passphrase',
         tlsCertificateKeyFilePassword: 'tlsCertPassword',
         proxyPassword: 'bar',
+        autoEncryption: {
+          kmsProviders: {
+            aws: {
+              secretAccessKey: 'secretAccessKey',
+              sessionToken: 'sessionToken',
+            },
+            local: {
+              key: 'key',
+            },
+            azure: {
+              clientSecret: 'clientSecret',
+            },
+            gcp: {
+              privateKey: 'privateKey',
+            },
+          },
+          tlsOptions: {
+            aws: {
+              tlsCertificateKeyFilePassword: 'pwd',
+            },
+            local: {
+              tlsCertificateKeyFilePassword: 'pwd',
+            },
+            azure: {
+              tlsCertificateKeyFilePassword: 'pwd',
+            },
+            gcp: {
+              tlsCertificateKeyFilePassword: 'pwd',
+            },
+            kmip: {
+              tlsCertificateKeyFilePassword: 'pwd',
+            },
+          },
+        },
       } as ConnectionSecrets);
     });
   });
diff --git a/packages/data-service/src/connection-secrets.ts b/packages/data-service/src/connection-secrets.ts
@@ -3,7 +3,11 @@ import ConnectionString, {
   CommaAndColonSeparatedRecord,
 } from 'mongodb-connection-string-url';
 import type { ConnectionInfo } from './connection-info';
-import type { MongoClientOptions, AuthMechanismProperties } from 'mongodb';
+import type {
+  MongoClientOptions,
+  AuthMechanismProperties,
+  AutoEncryptionOptions,
+} from 'mongodb';
 
 export interface ConnectionSecrets {
   password?: string;
@@ -12,6 +16,7 @@ export interface ConnectionSecrets {
   awsSessionToken?: string;
   tlsCertificateKeyFilePassword?: string;
   proxyPassword?: string;
+  autoEncryption?: AutoEncryptionOptions;
 }
 
 export function mergeSecrets(
@@ -27,10 +32,7 @@ export function mergeSecrets(
   const connectionOptions = connectionInfoWithSecrets.connectionOptions;
 
   const uri = new ConnectionString(connectionOptions.connectionString);
-  // can remove the proxyPassword addition once we have NODE-3633
-  const searchParams = uri.typedSearchParams<
-    MongoClientOptions & { proxyPassword?: string }
-  >();
+  const searchParams = uri.typedSearchParams<MongoClientOptions>();
 
   if (secrets.password) {
     uri.password = secrets.password;
@@ -45,6 +47,13 @@ export function mergeSecrets(
       secrets.sshTunnelPassphrase;
   }
 
+  if (secrets.autoEncryption && connectionOptions.fleOptions?.autoEncryption) {
+    _.merge(
+      connectionOptions.fleOptions?.autoEncryption,
+      secrets.autoEncryption
+    );
+  }
+
   if (secrets.tlsCertificateKeyFilePassword) {
     searchParams.set(
       'tlsCertificateKeyFilePassword',
@@ -84,10 +93,7 @@ export function extractSecrets(connectionInfo: Readonly<ConnectionInfo>): {
 
   const connectionOptions = connectionInfoWithoutSecrets.connectionOptions;
   const uri = new ConnectionString(connectionOptions.connectionString);
-  // can remove the proxyPassword addition once we have NODE-3633
-  const searchParams = uri.typedSearchParams<
-    MongoClientOptions & { proxyPassword?: string }
-  >();
+  const searchParams = uri.typedSearchParams<MongoClientOptions>();
 
   if (uri.password) {
     secrets.password = uri.password;
@@ -137,5 +143,25 @@ export function extractSecrets(connectionInfo: Readonly<ConnectionInfo>): {
 
   connectionInfoWithoutSecrets.connectionOptions.connectionString = uri.href;
 
+  if (connectionOptions.fleOptions?.autoEncryption) {
+    const { autoEncryption } = connectionOptions.fleOptions;
+    const kmsProviders = ['aws', 'local', 'azure', 'gcp', 'kmip'] as const;
+    const secretPaths = [
+      'kmsProviders.aws.secretAccessKey',
+      'kmsProviders.aws.sessionToken',
+      'kmsProviders.local.key',
+      'kmsProviders.azure.clientSecret',
+      'kmsProviders.gcp.privateKey',
+      ...kmsProviders.map(
+        (p) => `tlsOptions.${p}.tlsCertificateKeyFilePassword`
+      ),
+    ];
+    connectionOptions.fleOptions.autoEncryption = _.omit(
+      autoEncryption,
+      secretPaths
+    );
+    secrets.autoEncryption = _.pick(autoEncryption, secretPaths);
+  }
+
   return { connectionInfo: connectionInfoWithoutSecrets, secrets };
 }
