GODRIVER-3321 Fix CSE SetTLSConfig option.

matthewdale · matthewdale · commit 6ade8190984a · 2024-11-25T15:57:19.000-08:00
diff --git a/internal/integration/client_side_encryption_prose_test.go b/internal/integration/client_side_encryption_prose_test.go
@@ -1444,6 +1444,10 @@ func TestClientSideEncryptionProse(t *testing.T) {
 		if os.Getenv("KMS_MOCK_SERVERS_RUNNING") == "" {
 			mt.Skipf("Skipping test as KMS_MOCK_SERVERS_RUNNING is not set")
 		}
+		if tlsCAFileKMIP == "" || tlsClientCertificateKeyFileKMIP == "" {
+			mt.Fatal("Env vars CSFLE_TLS_CA_FILE and CSFLE_TLS_CLIENT_CERT_FILE must be set")
+		}
+
 		validKmsProviders := map[string]map[string]interface{}{
 			"aws": {
 				"accessKeyId":     awsAccessKeyID,
@@ -1514,37 +1518,33 @@ func TestClientSideEncryptionProse(t *testing.T) {
 
 		// make TLS opts containing client certificate and CA file
 		tlsConfig := make(map[string]*tls.Config)
-		if tlsCAFileKMIP != "" && tlsClientCertificateKeyFileKMIP != "" {
-			clientAndCATlsMap := map[string]interface{}{
-				"tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
-				"tlsCAFile":             tlsCAFileKMIP,
-			}
-			certConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
-			assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
-			tlsConfig["aws"] = certConfig
-			tlsConfig["azure"] = certConfig
-			tlsConfig["gcp"] = certConfig
-			tlsConfig["kmip"] = certConfig
+		clientAndCATlsMap := map[string]interface{}{
+			"tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
+			"tlsCAFile":             tlsCAFileKMIP,
 		}
+		certConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
+		assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
+		tlsConfig["aws"] = certConfig
+		tlsConfig["azure"] = certConfig
+		tlsConfig["gcp"] = certConfig
+		tlsConfig["kmip"] = certConfig
 
 		// create valid Client Encryption options and set valid TLS options
 		validClientEncryptionOptionsWithTLS := options.ClientEncryption().
 			SetKmsProviders(validKmsProviders).
 			SetKeyVaultNamespace(kvNamespace).
 			SetTLSConfig(tlsConfig)
 
-		// make TLS opts containing only CA file
-		if tlsCAFileKMIP != "" {
-			caTlsMap := map[string]interface{}{
-				"tlsCAFile": tlsCAFileKMIP,
-			}
-			certConfig, err := options.BuildTLSConfig(caTlsMap)
-			assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
-			tlsConfig["aws"] = certConfig
-			tlsConfig["azure"] = certConfig
-			tlsConfig["gcp"] = certConfig
-			tlsConfig["kmip"] = certConfig
+			// make TLS opts containing only CA file
+		caTlsMap := map[string]interface{}{
+			"tlsCAFile": tlsCAFileKMIP,
 		}
+		certConfig, err = options.BuildTLSConfig(caTlsMap)
+		assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
+		tlsConfig["aws"] = certConfig
+		tlsConfig["azure"] = certConfig
+		tlsConfig["gcp"] = certConfig
+		tlsConfig["kmip"] = certConfig
 
 		// create invalid Client Encryption options with expired credentials
 		expiredClientEncryptionOptions := options.ClientEncryption().
@@ -1622,7 +1622,8 @@ func TestClientSideEncryptionProse(t *testing.T) {
 
 				possibleErrors := []string{
 					"x509: certificate signed by unknown authority",                   // Windows
-					"x509: “valid.testing.golang.invalid” certificate is not trusted", // MacOS
+					"x509: “valid.testing.golang.invalid” certificate is not trusted", // macOS
+					"x509: “server” certificate is not standards compliant",           // macOS
 					"x509: certificate is not authorized to sign other certificates",  // All others
 				}
 
diff --git a/mongo/options/autoencryptionoptions.go b/mongo/options/autoencryptionoptions.go
@@ -185,15 +185,17 @@ func (a *AutoEncryptionOptionsBuilder) SetExtraOptions(extraOpts map[string]inte
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
 func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
-	a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error {
-		tlsConfigs := make(map[string]*tls.Config)
-		for provider, config := range tlsOpts {
-			// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
-			if config.MinVersion == 0 {
-				config.MinVersion = tls.VersionTLS12
-			}
-			tlsConfigs[provider] = config
+	tlsConfigs := make(map[string]*tls.Config)
+	for provider, config := range tlsOpts {
+		// Use TLS min version 1.2 to enforce more secure hash algorithms and
+		// advanced cipher suites.
+		if config.MinVersion == 0 {
+			config.MinVersion = tls.VersionTLS12
 		}
+		tlsConfigs[provider] = config
+	}
+
+	a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error {
 		args.TLSConfig = tlsConfigs
 
 		return nil
diff --git a/mongo/options/clientencryptionoptions.go b/mongo/options/clientencryptionoptions.go
@@ -71,18 +71,22 @@ func (c *ClientEncryptionOptionsBuilder) SetKmsProviders(providers map[string]ma
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
 func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
-	c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
-		tlsConfigs := make(map[string]*tls.Config)
-		for provider, config := range tlsOpts {
-			// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
-			if config.MinVersion == 0 {
-				config.MinVersion = tls.VersionTLS12
-			}
-			tlsConfigs[provider] = config
+	tlsConfigs := make(map[string]*tls.Config)
+	for provider, config := range tlsOpts {
+		// Use TLS min version 1.2 to enforce more secure hash algorithms and
+		// advanced cipher suites.
+		if config.MinVersion == 0 {
+			config.MinVersion = tls.VersionTLS12
 		}
+		tlsConfigs[provider] = config
+	}
+
+	c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
 		opts.TLSConfig = tlsConfigs
+
 		return nil
 	})
+
 	return c
 }
 
