feat: add support for --tlsUseSystemCA flag COMPASS-4105 (#1205)

Author: addaleax

README.md

@@ -60,6 +60,7 @@ variable. For detailed instructions for each of our supported platforms, please
         --tlsCertificateSelector [arg]         TLS Certificate in system store (Windows and macOS only)
         --tlsCRLFile [arg]                     Specifies the .pem file that contains the Certificate Revocation List
         --tlsDisabledProtocols [arg]           Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]
+        --tlsUseSystemCA                       Load the operating system trusted certificate list
 
   API version options:
 

package-lock.json

@@ -99,7 +99,7 @@
     "@typescript-eslint/parser": "^4.28.4",
     "aws-sdk": "^2.674.0",
     "axios": "^0.21.1",
-    "boxednode": "^1.10.5",
+    "boxednode": "^1.10.6",
     "browserify": "^16.5.0",
     "chai": "^4.2.0",
     "command-exists": "^1.2.9",

package.json

@@ -73,6 +73,10 @@ export class SignableCompiler {
       path: await findModulePath('service-provider-server', 'os-dns-native'),
       requireRegexp: /\bos_dns_native\.node$/
     };
+    // Warning! Until https://jira.mongodb.org/browse/MONGOSH-990,
+    // packages/service-provider-server *also* has a copy of these.
+    // We use the versions included in packages/cli-repl here, so these
+    // should be kept in sync!
     const winCAAddon = process.platform === 'win32' ? {
       path: await findModulePath('cli-repl', 'win-export-certificate-and-key'),
       requireRegexp: /\bwin_export_cert\.node$/

packages/build/src/compile/signable-compiler.ts

@@ -41,6 +41,7 @@ CLI interface for [MongoDB Shell][mongosh], an extension to Node.js REPL with Mo
         --tlsAllowInvalidCertificates          Allow connections to servers with invalid certificates
         --tlsCertificateSelector [arg]         TLS Certificate in system store (Windows and macOS only)
         --tlsDisabledProtocols [arg]           Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]
+        --tlsUseSystemCA                       Load the operating system trusted certificate list
 
   API version options:
 

packages/cli-repl/README.md

@@ -82,8 +82,8 @@
     "moment": "^2.29.1"
   },
   "optionalDependencies": {
-    "macos-export-certificate-and-key": "^1.0.2",
-    "win-export-certificate-and-key": "^1.0.4",
+    "macos-export-certificate-and-key": "^1.1.1",
+    "win-export-certificate-and-key": "^1.1.1",
     "get-console-process-list": "^1.0.4"
   }
 }

packages/cli-repl/package-lock.json

@@ -1,5 +1,5 @@
 import { CommonErrors, MongoshInvalidInputError, MongoshUnimplementedError } from '@mongosh/errors';
-import { CliOptions, MongoClientOptions } from '@mongosh/service-provider-server';
+import { CliOptions, DevtoolsConnectOptions } from '@mongosh/service-provider-server';
 import setValue from 'lodash.set';
 
 /**
@@ -29,6 +29,7 @@ const MAPPINGS = {
   tlsCRLFile: 'sslCRL',
   tlsCertificateKeyFile: 'tlsCertificateKeyFile',
   tlsCertificateKeyFilePassword: 'tlsCertificateKeyFilePassword',
+  tlsUseSystemCA: 'useSystemCA',
   username: 'auth.username',
   verbose: { opt: 'loggerLevel', val: 'debug' }
 };
@@ -45,8 +46,8 @@ function isExistingMappingKey(key: string, options: CliOptions): key is keyof ty
  *
  * @returns {} The driver options.
  */
-function mapCliToDriver(options: CliOptions): MongoClientOptions {
-  const nodeOptions: MongoClientOptions = {};
+function mapCliToDriver(options: CliOptions): DevtoolsConnectOptions {
+  const nodeOptions: DevtoolsConnectOptions = {};
   for (const cliOption of Object.keys(MAPPINGS)) {
     if (isExistingMappingKey(cliOption, options)) {
       const mapping = MAPPINGS[cliOption as keyof typeof MAPPINGS];

packages/cli-repl/package.json

@@ -69,6 +69,7 @@ const OPTIONS = {
     'tlsAllowInvalidCertificates',
     'tlsAllowInvalidHostnames',
     'tlsFIPSMode',
+    'tlsUseSystemCA',
     'verbose',
     'version'
   ],

packages/cli-repl/src/arg-mapper.ts

@@ -2,7 +2,7 @@ import { MongoshInternalError, MongoshRuntimeError, MongoshWarning } from '@mong
 import { redactURICredentials } from '@mongosh/history';
 import i18n from '@mongosh/i18n';
 import { bson, AutoEncryptionOptions } from '@mongosh/service-provider-core';
-import { CliOptions, CliServiceProvider, MongoClientOptions } from '@mongosh/service-provider-server';
+import { CliOptions, CliServiceProvider, DevtoolsConnectOptions } from '@mongosh/service-provider-server';
 import { SnippetManager } from '@mongosh/snippet-manager';
 import { Editor } from '@mongosh/editor';
 import { redactSensitiveData } from '@mongosh/history';
@@ -159,10 +159,10 @@ class CliRepl implements MongoshIOProvider {
    * information, external editor, and finally start the repl.
    *
    * @param {string} driverUri - The driver URI.
-   * @param {MongoClientOptions} driverOptions - The driver options.
+   * @param {DevtoolsConnectOptions} driverOptions - The driver options.
    */
   // eslint-disable-next-line complexity
-  async start(driverUri: string, driverOptions: MongoClientOptions): Promise<void> {
+  async start(driverUri: string, driverOptions: DevtoolsConnectOptions): Promise<void> {
     const { version } = require('../package.json');
     await this.verifyNodeVersion();
 
@@ -451,9 +451,9 @@ class CliRepl implements MongoshIOProvider {
    * Connect to the cluster.
    *
    * @param {string} driverUri - The driver URI.
-   * @param {MongoClientOptions} driverOptions - The driver options.
+   * @param {DevtoolsConnectOptions} driverOptions - The driver options.
    */
-  async connect(driverUri: string, driverOptions: MongoClientOptions): Promise<CliServiceProvider> {
+  async connect(driverUri: string, driverOptions: DevtoolsConnectOptions): Promise<CliServiceProvider> {
     if (!this.cliOptions.nodb && !this.cliOptions.quiet) {
       this.output.write(i18n.__(CONNECTING) + '\t\t' + this.clr(redactURICredentials(driverUri), 'mongosh:uri') + '\n');
     }
@@ -523,11 +523,11 @@ class CliRepl implements MongoshIOProvider {
   /**
    * Is the password missing from the options?
    *
-   * @param {MongoClientOptions} driverOptions - The driver options.
+   * @param {DevtoolsConnectOptions} driverOptions - The driver options.
    *
    * @returns {boolean} If the password is missing.
    */
-  isPasswordMissingOptions(driverOptions: MongoClientOptions): boolean {
+  isPasswordMissingOptions(driverOptions: DevtoolsConnectOptions): boolean {
     return !!(
       driverOptions.auth &&
       driverOptions.auth.username &&
@@ -556,7 +556,7 @@ class CliRepl implements MongoshIOProvider {
    * object is present with a truthy username. This is required by the driver, e.g.
    * in the case of password-less Kerberos authentication.
    */
-  ensurePasswordFieldIsPresentInAuth(driverOptions: MongoClientOptions): void {
+  ensurePasswordFieldIsPresentInAuth(driverOptions: DevtoolsConnectOptions): void {
     if (driverOptions.auth && driverOptions.auth.username && !('password' in driverOptions.auth)) {
       driverOptions.auth.password = undefined;
     }
@@ -566,7 +566,7 @@ class CliRepl implements MongoshIOProvider {
    * Require the user to enter a password.
    *
    * @param {string} driverUrl - The driver URI.
-   * @param {MongoClientOptions} driverOptions - The driver options.
+   * @param {DevtoolsConnectOptions} driverOptions - The driver options.
    */
   async requirePassword(): Promise<string> {
     const passwordPromise = askpassword({