chore(deps): bump devtools-shared packages, add regression test for MONGOSH-1878

Author: addaleax

package-lock.json

@@ -40,7 +40,7 @@
     "mongodb-connection-string-url": "^3.0.1"
   },
   "devDependencies": {
-    "@mongodb-js/devtools-connect": "^3.3.0",
+    "@mongodb-js/devtools-connect": "^3.3.3",
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",

packages/arg-parser/package.json

@@ -61,7 +61,7 @@
     }
   },
   "dependencies": {
-    "@mongodb-js/devtools-proxy-support": "^0.4.1",
+    "@mongodb-js/devtools-proxy-support": "^0.4.2",
     "@mongosh/arg-parser": "0.0.0-dev.0",
     "@mongosh/autocomplete": "0.0.0-dev.0",
     "@mongosh/editor": "0.0.0-dev.0",

packages/cli-repl/package.json

@@ -1,4 +1,4 @@
-import { assert, expect } from 'chai';
+import { expect } from 'chai';
 import { promises as fs } from 'fs';
 import path from 'path';
 import { startTestServer } from '../../../testing/integration-testing-hooks';
@@ -20,6 +20,10 @@ const INVALID_CLIENT_CERT = getCertPath('invalid-client.bundle.pem');
 const SERVER_KEY = getCertPath('server.bundle.pem');
 const SERVER_INVALIDHOST_KEY = getCertPath('server-invalidhost.bundle.pem');
 const CRL_INCLUDING_SERVER = getCertPath('ca-server.crl');
+const PARTIAL_TRUST_CHAIN_CA = getCertPath('partial-trust-chain/ca.pem');
+const PARTIAL_TRUST_CHAIN_KEY_AND_CERT = getCertPath(
+  'partial-trust-chain/key-and-cert.pem'
+);
 
 /**
  * @securityTest TLS End-to-End Tests
@@ -35,13 +39,19 @@ describe('e2e TLS', function () {
   const tmpdir = useTmpdir();
 
   before(async function () {
-    assert((await fs.stat(CA_CERT)).isFile());
-    assert((await fs.stat(NON_CA_CERT)).isFile());
-    assert((await fs.stat(CLIENT_CERT)).isFile());
-    assert((await fs.stat(CLIENT_CERT_PFX)).isFile());
-    assert((await fs.stat(INVALID_CLIENT_CERT)).isFile());
-    assert((await fs.stat(SERVER_KEY)).isFile());
-    assert((await fs.stat(CRL_INCLUDING_SERVER)).isFile());
+    for (const file of [
+      CA_CERT,
+      NON_CA_CERT,
+      CLIENT_CERT,
+      CLIENT_CERT_PFX,
+      INVALID_CLIENT_CERT,
+      SERVER_KEY,
+      CRL_INCLUDING_SERVER,
+      PARTIAL_TRUST_CHAIN_CA,
+      PARTIAL_TRUST_CHAIN_KEY_AND_CERT,
+    ]) {
+      expect((await fs.stat(file)).isFile()).to.be.true;
+    }
 
     const homeInfo = setTemporaryHomeDirectory();
     homedir = homeInfo.homedir;
@@ -304,6 +314,68 @@ describe('e2e TLS', function () {
     }
   );
 
+  // Certificate fixtures and general concept mirrors
+  // https://github.com/nodejs/node/blob/1b3420274ea8d8cca339a1f10301d2e80f577c4c/test/parallel/test-tls-client-allow-partial-trust-chain.js
+  // This basically tests that we pass allowPartialTrustChain: true in the TLS options
+  context(
+    'connecting without client cert to server with only partial trust chain',
+    function () {
+      const server = startTestServer('e2e-tls-partial-trust-chain', {
+        args: [
+          '--tlsMode',
+          'requireTLS',
+          '--tlsCertificateKeyFile',
+          PARTIAL_TRUST_CHAIN_KEY_AND_CERT,
+          '--tlsAllowConnectionsWithoutCertificates',
+          '--tlsCAFile',
+          PARTIAL_TRUST_CHAIN_CA,
+        ],
+      });
+
+      it('works with matching CA (connection string)', async function () {
+        const shell = this.startTestShell({
+          args: [
+            await connectionStringWithLocalhost(server, {
+              tls: 'true',
+              tlsCAFile: PARTIAL_TRUST_CHAIN_KEY_AND_CERT,
+              tlsAllowInvalidHostnames: 'true',
+            }),
+          ],
+        });
+        const result = await shell.waitForPromptOrExit();
+        expect(result.state).to.equal('prompt');
+      });
+
+      it('works with matching CA (system certs)', async function () {
+        //if (process.platform !== 'linux') {
+        //  return this.skip();
+        //}
+        await fs.mkdir(path.join(tmpdir.path, 'certs'), { recursive: true });
+        await fs.copyFile(
+          PARTIAL_TRUST_CHAIN_CA,
+          path.join(tmpdir.path, 'certs', 'somefilename.crt')
+        );
+
+        const shell = this.startTestShell({
+          args: [
+            await connectionStringWithLocalhost(server, {
+              serverSelectionTimeoutMS: '1500',
+              tlsAllowInvalidHostnames: 'true',
+            }),
+            '--tls',
+          ],
+          env: {
+            ...env,
+            SSL_CERT_FILE: path.join(tmpdir.path, 'certs', 'somefilename.crt'),
+          },
+        });
+
+        const prompt = await shell.waitForPromptOrExit();
+        expect(prompt.state).to.equal('prompt');
+      });
+    }
+  );
+
   context('connecting with client cert to server with valid cert', function () {
     after(async function () {
       const shell = this.startTestShell({

packages/e2e-tests/test/e2e-tls.spec.ts

@@ -17,7 +17,7 @@
     "node": ">=14.15.1"
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^3.3.0",
+    "@mongodb-js/devtools-connect": "^3.3.3",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/history": "0.0.0-dev.0",
     "@mongosh/types": "0.0.0-dev.0",

packages/logging/package.json

@@ -47,7 +47,7 @@
     }
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^3.3.0",
+    "@mongodb-js/devtools-connect": "^3.3.3",
     "@mongodb-js/oidc-plugin": "^1.1.1",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/service-provider-core": "0.0.0-dev.0",

packages/service-provider-node-driver/package.json

@@ -35,7 +35,7 @@
     "unitTestsOnly": true
   },
   "dependencies": {
-    "@mongodb-js/devtools-proxy-support": "^0.4.1",
+    "@mongodb-js/devtools-proxy-support": "^0.4.2",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/shell-api": "0.0.0-dev.0",
     "@mongosh/types": "0.0.0-dev.0",

packages/snippet-manager/package.json

@@ -38,7 +38,7 @@
     "unitTestsOnly": true
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^3.3.0"
+    "@mongodb-js/devtools-connect": "^3.3.3"
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",

packages/types/package.json

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDlDCCAnygAwIBAgIUFH02wcL3Qgben6tfIibXitsApCUwDQYJKoZIhvcNAQEL
+BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G
+A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTExIDAe
+BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY
+DzIyOTYwNjE3MjE0MDM3WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
+BgNVBAcMAlNGMQ8wDQYDVQQKDAZKb3llbnQxEDAOBgNVBAsMB05vZGUuanMxDDAK
+BgNVBAMMA2NhMzEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC76GtbMvRM7E1diL6l/Y4qQuDK
+ubmGWYOpz7kkUcApfJTa8gIhQvfvNdU/itpLIf1Nhmp9cDRk3BV6gU3P4SetVP+V
+x3PSiZ6MJDbQXETn7cLJIewtMexGf8wJldTJ3wcv6/1dZDU3RM3ME7XCgNGBXPOj
+c/TOz2StEGf4iwXKE7MHV0D2/hquOwuctqLjV969w8jea6BNqQjcKbq5Y17V4sxH
+AO+epbpC88byAaMgmRcqlM660zpKdcsfjQZ/4Vzoce9OOSd/+aHdwLZM3BVL6vAI
+09UqkaB+3M4n2pK6dPCQtimbaDyo7QZYgWpmp3/YDN1Hhh6IBoMoQqSu+/DFAgMB
+AAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJwGWU3qa5eT
+EEP/IXeZUJuZhqND+kBvBPPUYTeCXSbVRI2c6WaU7NZUqYkDz+lVrAMMG+eGPCW1
+8h8DehudZLNDvrz8uEPsYbgvZD+grFRmWh5kUdc2yz6gVVzTTGwy7ARgSoebUqK0
+O4uI8BW/UlF+OpGSpimMBnHqAq13k1Eb9kjckyZw2qIhW02mCsv9PnVQ8waDUq+C
+3No8ZoNqgQVVOFSuJz9wxGFPdt0KhizYMh0n+BP7U5srTn0LwWBEXoPsHBWhudTC
+NWYtx++OIWK/3QEufal83p2W3ICxAW3yqY7Qy03Z2LW07BDDdAmoFN9NTYuZKGd4
+DQYB7oHNx8E=
+-----END CERTIFICATE-----

testing/certificates/partial-trust-chain/ca.pem

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIUW3XXftx/tbf6nxQk2kxk+4Fdy94wDQYJKoZIhvcNAQEL
+BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G
+A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTMxIDAe
+BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY
+DzIyOTYwNjE3MjE0MDM3WjB0MQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBl
+c3QxETAPBgNVBAoMCFRyZXNvcml0MRYwFAYDVQQDDA3DgWTDoW0gTGlwcGFpMScw
+JQYJKoZIhvcNAQkBFhhhZGFtLmxpcHBhaUB0cmVzb3JpdC5jb20wggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDL+3lXygi/1QUopZMz1aW6eMvhbCWfm8/F
+a8rkI6Rc+7LNEWdG37c2V/kgh+xRjFKuwRfh0BWX4xDo77asV2ejTaz6yI5DrSJO
+paQdcKxgH9xqFsG96U+ODoqykXYSfO9E5qweFDZVPlUky18Ofv1k+dxQBSDAKJe3
+e9MSt3jgQ0vD3ZQIl9A2TOfRVJIbYcm0EQthQxpZSMA15W5FTdjMc4wB3i5tanH6
+NdKYV5L0cWGiLXAXkRYGmj/iQMSHipSazEHJAmmixuBa1HLGdwaUFziQ6syI0I2x
+bBqJkyj2OhiNWTFcGWHoQP1DePDfqcF5MIfDej7mRwnaL3qD27cFAgMBAAEwDQYJ
+KoZIhvcNAQELBQADggEBAFhJ0t5egdr3Z2zWuYmM+YQzOeLaGtfTQST7H5W64Ckx
+OHwkYH1LjO5pGs+HGvbaA0DIocCB6fliWaf+kxUo7t+wyHr1Dnr5Po3ZvpHe6AU5
+i/J9bmFUk1oE28Ijgk8ktL77Lj8baihcaq1ca0o03zM16MEaA7eiT95ds2QDXgPL
+8hdCsOHiEOllspcYRl3uh1WQQjzLOZmCi4dZI+nuTQ2rviD0T5KYZYJY4nzTssEK
+yzfYeUUwUu14J1wYGTgTxKXAWjN0IkxFNq1hX6rC/2U819sVEYF8uWUp9dWJ1slT
+z09yT9qZWiF5tebRaRNL1al/IjWkmN39W9DGEFMX2Vk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDlDCCAnygAwIBAgIUFH02wcL3Qgben6tfIibXitsApCUwDQYJKoZIhvcNAQEL
+BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G
+A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTExIDAe
+BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTIyMDkwMzIxNDAzN1oY
+DzIyOTYwNjE3MjE0MDM3WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
+BgNVBAcMAlNGMQ8wDQYDVQQKDAZKb3llbnQxEDAOBgNVBAsMB05vZGUuanMxDDAK
+BgNVBAMMA2NhMzEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC76GtbMvRM7E1diL6l/Y4qQuDK
+ubmGWYOpz7kkUcApfJTa8gIhQvfvNdU/itpLIf1Nhmp9cDRk3BV6gU3P4SetVP+V
+x3PSiZ6MJDbQXETn7cLJIewtMexGf8wJldTJ3wcv6/1dZDU3RM3ME7XCgNGBXPOj
+c/TOz2StEGf4iwXKE7MHV0D2/hquOwuctqLjV969w8jea6BNqQjcKbq5Y17V4sxH
+AO+epbpC88byAaMgmRcqlM660zpKdcsfjQZ/4Vzoce9OOSd/+aHdwLZM3BVL6vAI
+09UqkaB+3M4n2pK6dPCQtimbaDyo7QZYgWpmp3/YDN1Hhh6IBoMoQqSu+/DFAgMB
+AAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJwGWU3qa5eT
+EEP/IXeZUJuZhqND+kBvBPPUYTeCXSbVRI2c6WaU7NZUqYkDz+lVrAMMG+eGPCW1
+8h8DehudZLNDvrz8uEPsYbgvZD+grFRmWh5kUdc2yz6gVVzTTGwy7ARgSoebUqK0
+O4uI8BW/UlF+OpGSpimMBnHqAq13k1Eb9kjckyZw2qIhW02mCsv9PnVQ8waDUq+C
+3No8ZoNqgQVVOFSuJz9wxGFPdt0KhizYMh0n+BP7U5srTn0LwWBEXoPsHBWhudTC
+NWYtx++OIWK/3QEufal83p2W3ICxAW3yqY7Qy03Z2LW07BDDdAmoFN9NTYuZKGd4
+DQYB7oHNx8E=
+-----END CERTIFICATE-----