chore: merge fips initialisation and error handling

kmruiz · kmruiz · commit 1826c1916c71 · 2025-08-11T15:01:21.000+02:00
This diverges a bit on how mongosh does it, but it should
be safe enough.
diff --git a/src/index.ts b/src/index.ts
@@ -1,18 +1,36 @@
 #!/usr/bin/env node
 
-let fipsError: Error | undefined;
 function enableFipsIfRequested(): void {
-    if (process.argv.includes("--tlsFIPSMode")) {
-        // FIPS mode should be enabled before we run any other code, including any dependencies.
-        // We still wrap this into a function so we can also call it immediately after
-        // entering the snapshot main function.
+    let fipsError: Error | undefined;
+    const tlsFIPSMode = process.argv.includes("--tlsFIPSMode");
+
+    if (tlsFIPSMode) {
         try {
             // eslint-disable-next-line
             require("crypto").setFips(1);
         } catch (err: unknown) {
             fipsError ??= err as Error;
         }
     }
+
+    if (tlsFIPSMode) {
+        if (!fipsError && !crypto.getFips()) {
+            fipsError = new Error("FIPS mode not enabled despite requested due to unknown error.");
+        }
+    }
+
+    if (fipsError) {
+        if (process.config.variables.node_shared_openssl) {
+            console.error(
+                "Could not enable FIPS mode. Please ensure that your system OpenSSL installation supports FIPS."
+            );
+        } else {
+            console.error("Could not enable FIPS mode. This installation does not appear to support FIPS.");
+        }
+        console.error("Error details:");
+        console.error(fipsError);
+        process.exit(1);
+    }
 }
 
 enableFipsIfRequested();
@@ -28,7 +46,6 @@ import { systemCA } from "@mongodb-js/devtools-proxy-support";
 async function main(): Promise<void> {
     systemCA().catch(() => undefined); // load system CA asynchronously as in mongosh
 
-    assertFIPSMode();
     assertHelpMode();
     assertVersionMode();
 
@@ -105,27 +122,6 @@ main().catch((error: unknown) => {
     process.exit(1);
 });
 
-function assertFIPSMode(): void | never {
-    if (config.tlsFIPSMode) {
-        if (!fipsError && !crypto.getFips()) {
-            fipsError = new Error("FIPS mode not enabled despite requested.");
-        }
-    }
-
-    if (fipsError) {
-        if (process.config.variables.node_shared_openssl) {
-            console.error(
-                "Could not enable FIPS mode. Please ensure that your system OpenSSL installation supports FIPS."
-            );
-        } else {
-            console.error("Could not enable FIPS mode. This installation does not appear to support FIPS.");
-        }
-        console.error("Error details:");
-        console.error(fipsError);
-        process.exit(1);
-    }
-}
-
 function assertHelpMode(): void | never {
     if (config.help) {
         console.log("For usage information refer to the README.md:");
