diff --git a/internal/integration/client_side_encryption_prose_test.go b/internal/integration/client_side_encryption_prose_test.go
index bc949a637c..a925af2be4 100644
--- a/internal/integration/client_side_encryption_prose_test.go
+++ b/internal/integration/client_side_encryption_prose_test.go
@@ -1444,6 +1444,10 @@ func TestClientSideEncryptionProse(t *testing.T) {
 if os.Getenv("KMS_MOCK_SERVERS_RUNNING") == "" {
 mt.Skipf("Skipping test as KMS_MOCK_SERVERS_RUNNING is not set")
 }
+ if tlsCAFileKMIP == "" || tlsClientCertificateKeyFileKMIP == "" {
+ mt.Fatal("Env vars CSFLE_TLS_CA_FILE and CSFLE_TLS_CLIENT_CERT_FILE must be set")
+ }
+
 validKmsProviders := map[string]map[string]interface{}{
 "aws": {
 "accessKeyId": awsAccessKeyID,
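Review bot: The new guard fails the test outright when the KMIP certificate paths are unset, while the check just above it skips when the mock KMS servers are absent, and nothing in the hunk says why the two cases are treated differently; a one-line comment would settle it, e.g. `// Fail rather than skip: the TLS cases below are meaningless without the CA file and client certificate.` The condition reads tlsCAFileKMIP and tlsClientCertificateKeyFileKMIP but the message names CSFLE_TLS_CA_FILE and CSFLE_TLS_CLIENT_CERT_FILE; where those variables are populated is outside this hunk, so it is worth confirming the environment variable names in the message are the ones actually read. TestClientSideEncryptionProse starts and ends outside the hunk.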
@@ -1513,50 +1517,50 @@ func TestClientSideEncryptionProse(t *testing.T) {
 SetKeyVaultNamespace(kvNamespace)
 // make TLS opts containing client certificate and CA file
- tlsConfig := make(map[string]*tls.Config)
- if tlsCAFileKMIP != "" && tlsClientCertificateKeyFileKMIP != "" {
- clientAndCATlsMap := map[string]interface{}{
- "tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
- "tlsCAFile": tlsCAFileKMIP,
- }
- certConfig, err := options.BuildTLSConfig(clientAndCATlsMap)
- assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
- tlsConfig["aws"] = certConfig
- tlsConfig["azure"] = certConfig
- tlsConfig["gcp"] = certConfig
- tlsConfig["kmip"] = certConfig
- }
+ clientAndCATLSConfig, err := options.BuildTLSConfig(map[string]interface{}{
+ "tlsCertificateKeyFile": tlsClientCertificateKeyFileKMIP,
+ "tlsCAFile": tlsCAFileKMIP,
+ })
+ assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
 // create valid Client Encryption options and set valid TLS options
 validClientEncryptionOptionsWithTLS := options.ClientEncryption().
 SetKmsProviders(validKmsProviders).
 SetKeyVaultNamespace(kvNamespace).
- SetTLSConfig(tlsConfig)
+ SetTLSConfig(map[string]*tls.Config{
+ "aws": clientAndCATLSConfig,
+ "azure": clientAndCATLSConfig,
+ "gcp": clientAndCATLSConfig,
+ "kmip": clientAndCATLSConfig,
+ })
 // make TLS opts containing only CA file
- if tlsCAFileKMIP != "" {
- caTlsMap := map[string]interface{}{
- "tlsCAFile": tlsCAFileKMIP,
- }
- certConfig, err := options.BuildTLSConfig(caTlsMap)
- assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
- tlsConfig["aws"] = certConfig
- tlsConfig["azure"] = certConfig
- tlsConfig["gcp"] = certConfig
- tlsConfig["kmip"] = certConfig
- }
+ caTLSConfig, err := options.BuildTLSConfig(map[string]interface{}{
+ "tlsCAFile": tlsCAFileKMIP,
+ })
+ assert.Nil(mt, err, "BuildTLSConfig error: %v", err)
 // create invalid Client Encryption options with expired credentials
 expiredClientEncryptionOptions := options.ClientEncryption().
SetKmsProviders(expiredKmsProviders).
 SetKeyVaultNamespace(kvNamespace).
- SetTLSConfig(tlsConfig)
+ SetTLSConfig(map[string]*tls.Config{
+ "aws": caTLSConfig,
+ "azure": caTLSConfig,
+ "gcp": caTLSConfig,
+ "kmip": caTLSConfig,
+ })
 // create invalid Client Encryption options with invalid hostnames
 invalidHostnameClientEncryptionOptions := options.ClientEncryption().
 SetKmsProviders(invalidKmsProviders).
 SetKeyVaultNamespace(kvNamespace).
- SetTLSConfig(tlsConfig)
+ SetTLSConfig(map[string]*tls.Config{
+ "aws": caTLSConfig,
+ "azure": caTLSConfig,
+ "gcp": caTLSConfig,
+ "kmip": caTLSConfig,
+ })
 awsMasterKeyNoClientCert := map[string]interface{}{
 "region": "us-east-1",
@@ -1622,7 +1626,8 @@ func TestClientSideEncryptionProse(t *testing.T) {
 possibleErrors := []string{
 "x509: certificate signed by unknown authority", // Windows
- "x509: “valid.testing.golang.invalid” certificate is not trusted", // MacOS
+ "x509: “valid.testing.golang.invalid” certificate is not trusted", // macOS
+ "x509: “server” certificate is not standards compliant", // macOS
 "x509: certificate is not authorized to sign other certificates", // All others
 }
diff --git a/mongo/options/autoencryptionoptions.go b/mongo/options/autoencryptionoptions.go
index 180b90e676..81f16cf028 100644
--- a/mongo/options/autoencryptionoptions.go
+++ b/mongo/options/autoencryptionoptions.go
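Review bot: The CA-only provider map is written out twice with identical entries, once for expiredClientEncryptionOptions and once for invalidHostnameClientEncryptionOptions; hoisting it into one variable next to caTLSConfig, `caOnlyTLSConfigs := map[string]*tls.Config{"aws": caTLSConfig, "azure": caTLSConfig, "gcp": caTLSConfig, "kmip": caTLSConfig}`, and passing `SetTLSConfig(caOnlyTLSConfigs)` to both builders keeps the two invalid-credential cases from drifting apart. Because SetTLSConfig in this commit stores the map it is handed rather than copying it, sharing one map between the two builders is only safe while nothing writes to it afterwards, which holds in this hunk; the previous version of the test reused and overwrote a single tlsConfig map after giving it to a builder, which is the aliasing the new per-builder literals avoid, so a short comment on the hoisted variable saying it must not be mutated would preserve that intent. TestClientSideEncryptionProse starts and ends outside the hunk.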
@@ -184,17 +184,9 @@ func (a *AutoEncryptionOptionsBuilder) SetExtraOptions(extraOpts map[string]inte
 // to the KMS provider.
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
-func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
+func (a *AutoEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *AutoEncryptionOptionsBuilder {
 a.Opts = append(a.Opts, func(args *AutoEncryptionOptions) error {
- tlsConfigs := make(map[string]*tls.Config)
- for provider, config := range tlsOpts {
- // use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
- if config.MinVersion == 0 {
- config.MinVersion = tls.VersionTLS12
- }
- tlsConfigs[provider] = config
- }
- args.TLSConfig = tlsConfigs
+ args.TLSConfig = cfg
 return nil
 })
diff --git a/mongo/options/clientencryptionoptions.go b/mongo/options/clientencryptionoptions.go
index 2d6d5f0e61..3f9b3745ed 100644
--- a/mongo/options/clientencryptionoptions.go
+++ b/mongo/options/clientencryptionoptions.go
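Review bot: The loop that raised a zero MinVersion to tls.VersionTLS12 on every caller-supplied tls.Config is removed from both SetTLSConfig methods (this hunk and the clientencryptionoptions.go hunk below), yet the doc comment kept as context still promises MinVersion tls.VersionTLS12 by default, so the floor for a user-provided Config is now only implied. The comment describes these as configs for connecting to the KMS provider, i.e. client-side dials, so crypto/tls's own client default (a TLS 1.2 minimum on Go 1.18 and later) should still cover a Config whose MinVersion is zero, but that reliance belongs in the doc comment rather than in reviewers' heads, e.g. `// A Config supplied here is used as-is; a zero MinVersion falls back to crypto/tls's client default.` The new line `args.TLSConfig = cfg` also stores the caller's map itself where the old code built a fresh one, so a caller that mutates the map after calling SetTLSConfig silently changes the stored options; copying it, with `maps.Clone(cfg)` if the module's Go version allows or a short copy loop otherwise, restores the old isolation without the old side effect of writing MinVersion back into the caller's Config values. SetTLSConfig continues past the end of this hunk.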
@@ -70,19 +70,13 @@ func (c *ClientEncryptionOptionsBuilder) SetKmsProviders(providers map[string]ma
 // to the KMS provider.
 //
 // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
-func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
+func (c *ClientEncryptionOptionsBuilder) SetTLSConfig(cfg map[string]*tls.Config) *ClientEncryptionOptionsBuilder {
 c.Opts = append(c.Opts, func(opts *ClientEncryptionOptions) error {
- tlsConfigs := make(map[string]*tls.Config)
- for provider, config := range tlsOpts {
- // use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
- if config.MinVersion == 0 {
- config.MinVersion = tls.VersionTLS12
- }
- tlsConfigs[provider] = config
- }
- opts.TLSConfig = tlsConfigs
+ opts.TLSConfig = cfg
+
 return nil
 })
+
 return c
 }