mongo 2.22.0 → 2.24.0

data/lib/mongo/crypt/handle.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2020 MongoDB Inc.
 #
@@ -20,15 +19,13 @@ require 'base64'
 
 module Mongo
   module Crypt
-
     # A handle to the libmongocrypt library that wraps a mongocrypt_t object,
     # allowing clients to set options on that object or perform operations such
     # as encryption and decryption
     #
     # @api private
     class Handle
-
-      # @returns [ Crypt::KMS::Credentials ] Credentials for KMS providers.
+      # @return [ Crypt::KMS::Credentials ] Credentials for KMS providers.
       attr_reader :kms_providers
 
       # Creates a new Handle object and initializes it with options
@@ -62,9 +59,14 @@ module Mongo
       # @option options [ Boolean | nil ] :explicit_encryption_only Whether this
       #   handle is going to be used only for explicit encryption. If true,
       #   libmongocrypt is instructed not to load crypt shared library.
+      # @option options [ Boolean | nil ] :disable_crypt_shared_lib_search When
+      #   true, suppresses the automatic "$SYSTEM" search for crypt_shared. Use
+      #   this when a previous Handle in the same process has already loaded the
+      #   library via a path override and you want to avoid the conflicting-load
+      #   error that libmongocrypt raises on a subsequent "$SYSTEM" search.
       # @option options [ Logger ] :logger A Logger object to which libmongocrypt logs
       #   will be sent
-      def initialize(kms_providers, kms_tls_options, options={})
+      def initialize(kms_providers, kms_tls_options, options = {})
         # FFI::AutoPointer uses a custom release strategy to automatically free
         # the pointer once this object goes out of scope
         @mongocrypt = FFI::AutoPointer.new(
@@ -73,7 +75,7 @@ module Mongo
         )
         Binding.kms_ctx_setopt_retry_kms(self, true)
         @kms_providers = kms_providers
-        @kms_tls_options =  kms_tls_options
+        @kms_tls_options = kms_tls_options
 
         maybe_set_schema_map(options)
 
@@ -85,10 +87,11 @@ module Mongo
 
         @crypt_shared_lib_path = options[:crypt_shared_lib_path]
         @explicit_encryption_only = options[:explicit_encryption_only]
+        @disable_crypt_shared_lib_search = options[:disable_crypt_shared_lib_search]
         if @crypt_shared_lib_path
           Binding.setopt_set_crypt_shared_lib_path_override(self, @crypt_shared_lib_path)
-        elsif !@bypass_query_analysis && !@explicit_encryption_only
-          Binding.setopt_append_crypt_shared_lib_search_path(self, "$SYSTEM")
+        elsif !@bypass_query_analysis && !@explicit_encryption_only && !@disable_crypt_shared_lib_search
+          Binding.setopt_append_crypt_shared_lib_search_path(self, '$SYSTEM')
         end
 
         @logger = options[:logger]
@@ -105,11 +108,11 @@ module Mongo
         initialize_mongocrypt
 
         @crypt_shared_lib_required = !!options[:crypt_shared_lib_required]
-        if @crypt_shared_lib_required && crypt_shared_lib_version == 0
-          raise Mongo::Error::CryptError.new(
-            "Crypt shared library is required, but cannot be loaded  according to libmongocrypt"
-          )
-        end
+        return unless @crypt_shared_lib_required && crypt_shared_lib_version == 0
+
+        raise Mongo::Error::CryptError.new(
+          'Crypt shared library is required, but cannot be loaded  according to libmongocrypt'
+        )
       end
 
       # Return the reference to the underlying @mongocrypt object
@@ -145,7 +148,7 @@ module Mongo
           @schema_map = nil
         elsif options[:schema_map] && options[:schema_map_path]
           raise ArgumentError.new(
-            "Cannot set both schema_map and schema_map_path options."
+            'Cannot set both schema_map and schema_map_path options.'
           )
         elsif options[:schema_map]
           unless options[:schema_map].is_a?(Hash)
@@ -176,7 +179,7 @@ module Mongo
       end
 
       def set_bypass_query_analysis
-        unless [true, false].include?(@bypass_query_analysis)
+        unless [ true, false ].include?(@bypass_query_analysis)
           raise ArgumentError.new(
             "#{@bypass_query_analysis} is an invalid bypass_query_analysis value; must be a Boolean or nil"
           )
@@ -187,7 +190,7 @@ module Mongo
 
       # Send the logs from libmongocrypt to the Mongo::Logger
       def set_logger_callback
-        @log_callback = Proc.new do |level, msg|
+        @log_callback = proc do |level, msg|
           @logger.send(level, msg)
         end
 
@@ -207,15 +210,13 @@ module Mongo
       # @return [ true | false ] Whether block executed without raising
       #   exceptions.
       def handle_error(status_p)
-        begin
-          yield
-
-          true
-        rescue => e
-          status = Status.from_pointer(status_p)
-          status.update(:error_client, 1, "#{e.class}: #{e}")
-          false
-        end
+        yield
+
+        true
+      rescue StandardError => e
+        status = Status.from_pointer(status_p)
+        status.update(:error_client, 1, "#{e.class}: #{e}")
+        false
       end
 
       # Yields to the provided block and writes the return value of block
@@ -242,7 +243,7 @@ module Mongo
       # Perform AES encryption or decryption and write the output to the
       # provided mongocrypt_binary_t object.
       def do_aes(key_binary_p, iv_binary_p, input_binary_p, output_binary_p,
-        response_length_p, status_p, decrypt: false, mode: :CBC)
+                 response_length_p, status_p, decrypt: false, mode: :CBC)
         key = Binary.from_pointer(key_binary_p).to_s
         iv = Binary.from_pointer(iv_binary_p).to_s
         input = Binary.from_pointer(input_binary_p).to_s
@@ -258,7 +259,7 @@ module Mongo
       # Perform HMAC SHA encryption and write the output to the provided
       # mongocrypt_binary_t object.
       def do_hmac_sha(digest_name, key_binary_p, input_binary_p,
-        output_binary_p, status_p)
+                      output_binary_p, status_p)
         key = Binary.from_pointer(key_binary_p).to_s
         input = Binary.from_pointer(input_binary_p).to_s
 
@@ -270,7 +271,7 @@ module Mongo
       # Perform signing using RSASSA-PKCS1-v1_5 with SHA256 hash and write
       # the output to the provided mongocrypt_binary_t object.
       def do_rsaes_pkcs_signature(key_binary_p, input_binary_p,
-        output_binary_p, status_p)
+                                  output_binary_p, status_p)
         key = Binary.from_pointer(key_binary_p).to_s
         input = Binary.from_pointer(input_binary_p).to_s
 
@@ -287,8 +288,7 @@ module Mongo
       # Every crypto binding ignores its first argument, which is an option
       # mongocrypt_ctx_t object and is not required to use crypto hooks.
       def set_crypto_hooks
-        @aes_encrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
-          output_binary_p, response_length_p, status_p|
+        @aes_encrypt = proc do |_, key_binary_p, iv_binary_p, input_binary_p, output_binary_p, response_length_p, status_p|
           do_aes(
             key_binary_p,
             iv_binary_p,
@@ -299,8 +299,7 @@ module Mongo
           )
         end
 
-        @aes_decrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
-          output_binary_p, response_length_p, status_p|
+        @aes_decrypt = proc do |_, key_binary_p, iv_binary_p, input_binary_p, output_binary_p, response_length_p, status_p|
           do_aes(
             key_binary_p,
             iv_binary_p,
@@ -312,23 +311,21 @@ module Mongo
           )
         end
 
-        @random = Proc.new do |_, output_binary_p, num_bytes, status_p|
+        @random = proc do |_, output_binary_p, num_bytes, status_p|
           write_binary_string_and_set_status(output_binary_p, status_p) do
             Hooks.random(num_bytes)
           end
         end
 
-        @hmac_sha_512 = Proc.new do |_, key_binary_p, input_binary_p,
-          output_binary_p, status_p|
+        @hmac_sha_512 = proc do |_, key_binary_p, input_binary_p, output_binary_p, status_p|
           do_hmac_sha('SHA512', key_binary_p, input_binary_p, output_binary_p, status_p)
         end
 
-        @hmac_sha_256 = Proc.new do |_, key_binary_p, input_binary_p,
-          output_binary_p, status_p|
+        @hmac_sha_256 = proc do |_, key_binary_p, input_binary_p, output_binary_p, status_p|
           do_hmac_sha('SHA256', key_binary_p, input_binary_p, output_binary_p, status_p)
         end
 
-        @hmac_hash = Proc.new do |_, input_binary_p, output_binary_p, status_p|
+        @hmac_hash = proc do |_, input_binary_p, output_binary_p, status_p|
           input = Binary.from_pointer(input_binary_p).to_s
 
           write_binary_string_and_set_status(output_binary_p, status_p) do
@@ -343,11 +340,10 @@ module Mongo
           @random,
           @hmac_sha_512,
           @hmac_sha_256,
-          @hmac_hash,
+          @hmac_hash
         )
 
-        @aes_ctr_encrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
-          output_binary_p, response_length_p, status_p|
+        @aes_ctr_encrypt = proc do |_, key_binary_p, iv_binary_p, input_binary_p, output_binary_p, response_length_p, status_p|
           do_aes(
             key_binary_p,
             iv_binary_p,
@@ -355,12 +351,11 @@ module Mongo
             output_binary_p,
             response_length_p,
             status_p,
-            mode: :CTR,
+            mode: :CTR
           )
         end
 
-        @aes_ctr_decrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
-          output_binary_p, response_length_p, status_p|
+        @aes_ctr_decrypt = proc do |_, key_binary_p, iv_binary_p, input_binary_p, output_binary_p, response_length_p, status_p|
           do_aes(
             key_binary_p,
             iv_binary_p,
@@ -369,18 +364,17 @@ module Mongo
             response_length_p,
             status_p,
             decrypt: true,
-            mode: :CTR,
+            mode: :CTR
           )
         end
 
         Binding.setopt_aes_256_ctr(
           self,
           @aes_ctr_encrypt,
-          @aes_ctr_decrypt,
+          @aes_ctr_decrypt
         )
 
-        @rsaes_pkcs_signature_cb = Proc.new do |_, key_binary_p, input_binary_p,
-          output_binary_p, status_p|
+        @rsaes_pkcs_signature_cb = proc do |_, key_binary_p, input_binary_p, output_binary_p, status_p|
           do_rsaes_pkcs_signature(key_binary_p, input_binary_p, output_binary_p, status_p)
         end
 

data/lib/mongo/crypt/hooks.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2020 MongoDB Inc.
 #
@@ -20,14 +19,12 @@ require 'digest'
 
 module Mongo
   module Crypt
-
     # A helper module that implements cryptography methods required
     # for native Ruby crypto hooks. These methods are passed into FFI
     # as C callbacks and called from the libmongocrypt library.
     #
     # @api private
     module Hooks
-
       # An AES encrypt or decrypt method.
       #
       # @param [ String ] key The 32-byte AES encryption key
@@ -48,7 +45,7 @@ module Mongo
         cipher.iv = iv
         cipher.padding = 0
 
-        encrypted = cipher.update(input)
+        cipher.update(input)
       end
       module_function :aes
 
@@ -98,17 +95,17 @@ module Mongo
       # @return [ String ] The signature.
       def rsaes_pkcs_signature(key, input)
         private_key = if BSON::Environment.jruby?
-          # JRuby cannot read DER format, we need to convert key into PEM first.
-          key_pem = [
-            "-----BEGIN PRIVATE KEY-----",
-            Base64.strict_encode64(Base64.decode64(key)).scan(/.{1,64}/),
-            "-----END PRIVATE KEY-----",
-          ].join("\n")
-          OpenSSL::PKey::RSA.new(key_pem)
-        else
-          OpenSSL::PKey.read(Base64.decode64(key))
-        end
-        private_key.sign(OpenSSL::Digest::SHA256.new, input)
+                        # JRuby cannot read DER format, we need to convert key into PEM first.
+                        key_pem = [
+                          '-----BEGIN PRIVATE KEY-----',
+                          Base64.strict_encode64(Base64.decode64(key)).scan(/.{1,64}/),
+                          '-----END PRIVATE KEY-----',
+                        ].join("\n")
+                        OpenSSL::PKey::RSA.new(key_pem)
+                      else
+                        OpenSSL::PKey.read(Base64.decode64(key))
+                      end
+        private_key.sign(OpenSSL::Digest.new('SHA256'), input)
       end
       module_function :rsaes_pkcs_signature
     end

data/lib/mongo/crypt/kms/aws/credentials.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -19,7 +18,6 @@ module Mongo
   module Crypt
     module KMS
       module AWS
-
         # AWS KMS Credentials object contains credentials for using AWS KMS provider.
         #
         # @api private
@@ -39,8 +37,8 @@ module Mongo
           # @api private
           def_delegator :@opts, :empty?
 
-          FORMAT_HINT = "AWS KMS provider options must be in the format: " +
-            "{ access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' }"
+          FORMAT_HINT = 'AWS KMS provider options must be in the format: ' +
+                        "{ access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' }"
 
           # Creates an AWS KMS credentials object form a parameters hash.
           #
@@ -54,11 +52,11 @@ module Mongo
           #   formatted.
           def initialize(opts)
             @opts = opts
-            unless empty?
-              @access_key_id = validate_param(:access_key_id, opts, FORMAT_HINT)
-              @secret_access_key = validate_param(:secret_access_key, opts, FORMAT_HINT)
-              @session_token = validate_param(:session_token, opts, FORMAT_HINT, required: false)
-            end
+            return if empty?
+
+            @access_key_id = validate_param(:access_key_id, opts, FORMAT_HINT)
+            @secret_access_key = validate_param(:secret_access_key, opts, FORMAT_HINT)
+            @session_token = validate_param(:session_token, opts, FORMAT_HINT, required: false)
           end
 
           # Convert credentials object to a BSON document in libmongocrypt format.
@@ -66,13 +64,12 @@ module Mongo
           # @return [ BSON::Document ] AWS KMS credentials in libmongocrypt format.
           def to_document
             return BSON::Document.new if empty?
+
             BSON::Document.new({
-              accessKeyId: access_key_id,
-              secretAccessKey: secret_access_key,
-            }).tap do |bson|
-              unless session_token.nil?
-                bson.update({ sessionToken: session_token })
-              end
+                                 accessKeyId: access_key_id,
+                                 secretAccessKey: secret_access_key,
+                               }).tap do |bson|
+              bson.update({ sessionToken: session_token }) unless session_token.nil?
             end
           end
         end
@@ -80,4 +77,3 @@ module Mongo
     end
   end
 end
-

data/lib/mongo/crypt/kms/aws/master_document.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -34,7 +33,7 @@ module Mongo
           # @return [ String | nil ] AWS KMS endpoint.
           attr_reader :endpoint
 
-          FORMAT_HINT = "AWS key document  must be in the format: " +
+          FORMAT_HINT = 'AWS key document  must be in the format: ' +
                         "{ region: 'REGION', key: 'KEY' }"
 
           # Creates a master key document object form a parameters hash.
@@ -62,13 +61,11 @@ module Mongo
           # @return [ BSON::Document ] AWS KMS master key document in libmongocrypt format.
           def to_document
             BSON::Document.new({
-              provider: 'aws',
-              region: region,
-              key: key,
-            }).tap do |bson|
-              unless endpoint.nil?
-                bson.update({ endpoint: endpoint })
-              end
+                                 provider: 'aws',
+                                 region: region,
+                                 key: key,
+                               }).tap do |bson|
+              bson.update({ endpoint: endpoint }) unless endpoint.nil?
             end
           end
         end

data/lib/mongo/crypt/kms/aws.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -17,4 +16,3 @@
 
 require 'mongo/crypt/kms/aws/credentials'
 require 'mongo/crypt/kms/aws/master_document'
-

data/lib/mongo/crypt/kms/azure/credentials_retriever.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -73,7 +72,7 @@ module Mongo
             req['Metadata'] = 'true'
             req['Accept'] = 'application/json'
             extra_headers.each { |k, v| req[k] = v }
-            [uri, req]
+            [ uri, req ]
           end
           private_class_method :prepare_request
 
@@ -116,11 +115,7 @@ module Mongo
           def self.do_request(uri, req, timeout_holder)
             timeout_holder&.check_timeout!
             timeout = timeout_holder&.remaining_timeout_sec || 10
-            exception_class = if timeout_holder&.csot?
-                                Error::TimeoutError
-                              else
-                                nil
-                              end
+            exception_class = (Error::TimeoutError if timeout_holder&.csot?)
             ::Timeout.timeout(timeout, exception_class) do
               Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
                 http.request(req)

data/lib/mongo/crypt/kms/azure/master_document.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -34,18 +33,18 @@ module Mongo
           # @return [ String | nil ] Azure KMS key version.
           attr_reader :key_version
 
-          FORMAT_HINT = "Azure key document  must be in the format: " +
+          FORMAT_HINT = 'Azure key document  must be in the format: ' +
                         "{ key_vault_endpoint: 'KEY_VAULT_ENDPOINT', key_name: 'KEY_NAME' }"
 
-        # Creates a master key document object form a parameters hash.
-        #
-        # @param [ Hash ] opts A hash that contains master key options for
-        #   the Azure KMS provider.
-        # @option opts [ String ] :key_vault_endpoint Azure key vault endpoint.
-        # @option opts [ String ] :key_name Azure KMS key name.
-        # @option opts [ String | nil ] :key_version Azure KMS key version, optional.
-        #
-        # @raise [ ArgumentError ] If required options are missing or incorrectly.
+          # Creates a master key document object form a parameters hash.
+          #
+          # @param [ Hash ] opts A hash that contains master key options for
+          #   the Azure KMS provider.
+          # @option opts [ String ] :key_vault_endpoint Azure key vault endpoint.
+          # @option opts [ String ] :key_name Azure KMS key name.
+          # @option opts [ String | nil ] :key_version Azure KMS key version, optional.
+          #
+          # @raise [ ArgumentError ] If required options are missing or incorrectly.
           def initialize(opts)
             unless opts.is_a?(Hash)
               raise ArgumentError.new(
@@ -62,13 +61,11 @@ module Mongo
           # @return [ BSON::Document ] Azure KMS credentials in libmongocrypt format.
           def to_document
             BSON::Document.new({
-              provider: 'azure',
-              keyVaultEndpoint: key_vault_endpoint,
-              keyName: key_name,
-            }).tap do |bson|
-              unless key_version.nil?
-                bson.update({ keyVersion: key_version })
-              end
+                                 provider: 'azure',
+                                 keyVaultEndpoint: key_vault_endpoint,
+                                 keyName: key_name,
+                               }).tap do |bson|
+              bson.update({ keyVersion: key_version }) unless key_version.nil?
             end
           end
         end
@@ -76,4 +73,3 @@ module Mongo
     end
   end
 end
-

data/lib/mongo/crypt/kms/azure.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #

data/lib/mongo/crypt/kms/credentials.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -18,12 +17,10 @@
 module Mongo
   module Crypt
     module KMS
-
       # KMS Credentials object contains credentials for using KMS providers.
       #
       # @api private
       class Credentials
-
         # @return [ Credentials::AWS | nil ] AWS KMS credentials.
         attr_reader :aws
 
@@ -52,30 +49,19 @@ module Mongo
         # @raise [ ArgumentError ] If required options are missing or incorrectly
         #   formatted.
         def initialize(kms_providers)
-          if kms_providers.nil?
-            raise ArgumentError.new("KMS providers options must not be nil")
-          end
-          if kms_providers.key?(:aws)
-            @aws = AWS::Credentials.new(kms_providers[:aws])
-          end
-          if kms_providers.key?(:azure)
-            @azure = Azure::Credentials.new(kms_providers[:azure])
-          end
-          if kms_providers.key?(:gcp)
-            @gcp = GCP::Credentials.new(kms_providers[:gcp])
-          end
-          if kms_providers.key?(:kmip)
-            @kmip = KMIP::Credentials.new(kms_providers[:kmip])
-          end
-          if kms_providers.key?(:local)
-            @local = Local::Credentials.new(kms_providers[:local])
-          end
-          if @aws.nil? && @azure.nil? && @gcp.nil? && @kmip.nil? && @local.nil?
-            raise ArgumentError.new(
-              "KMS providers options must have one of the following keys: " +
-              ":aws, :azure, :gcp, :kmip, :local"
-            )
-          end
+          raise ArgumentError.new('KMS providers options must not be nil') if kms_providers.nil?
+
+          @aws = AWS::Credentials.new(kms_providers[:aws]) if kms_providers.key?(:aws)
+          @azure = Azure::Credentials.new(kms_providers[:azure]) if kms_providers.key?(:azure)
+          @gcp = GCP::Credentials.new(kms_providers[:gcp]) if kms_providers.key?(:gcp)
+          @kmip = KMIP::Credentials.new(kms_providers[:kmip]) if kms_providers.key?(:kmip)
+          @local = Local::Credentials.new(kms_providers[:local]) if kms_providers.key?(:local)
+          return unless @aws.nil? && @azure.nil? && @gcp.nil? && @kmip.nil? && @local.nil?
+
+          raise ArgumentError.new(
+            'KMS providers options must have one of the following keys: ' +
+            ':aws, :azure, :gcp, :kmip, :local'
+          )
         end
 
         # Convert credentials object to a BSON document in libmongocrypt format.

data/lib/mongo/crypt/kms/gcp/credentials.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 # Copyright (C) 2019-2021 MongoDB Inc.
 #
@@ -42,8 +41,8 @@ module Mongo
           # @api private
           def_delegator :@opts, :empty?
 
-          FORMAT_HINT = "GCP KMS provider options must be in the format: " +
-              "{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"
+          FORMAT_HINT = 'GCP KMS provider options must be in the format: ' +
+                        "{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"
 
           # Creates an GCP KMS credentials object form a parameters hash.
           #
@@ -77,10 +76,10 @@ module Mongo
                   pkey = OpenSSL::PKey::RSA.new(private_key_opt)
                   # PEM it is, need to be converted to base64 encoded DER.
                   der = if pkey.respond_to?(:private_to_der)
-                    pkey.private_to_der
-                  else
-                    pkey.to_der
-                  end
+                          pkey.private_to_der
+                        else
+                          pkey.to_der
+                        end
                   Base64.encode64(der)
                 end
               rescue OpenSSL::PKey::RSAError
@@ -91,7 +90,7 @@ module Mongo
                   private_key_opt
                 rescue OpenSSL::PKey::PKeyError
                   raise ArgumentError.new(
-                    "The private_key option must be either either base64 encoded DER format, or PEM format."
+                    'The private_key option must be either either base64 encoded DER format, or PEM format.'
                   )
                 end
               end
@@ -107,16 +106,15 @@ module Mongo
           # @return [ BSON::Document ] Azure KMS credentials in libmongocrypt format.
           def to_document
             return BSON::Document.new if empty?
+
             if access_token
               BSON::Document.new({ accessToken: access_token })
             else
               BSON::Document.new({
-                email: email,
-                privateKey: BSON::Binary.new(private_key, :generic),
-              }).tap do |bson|
-                unless endpoint.nil?
-                  bson.update({ endpoint: endpoint })
-                end
+                                   email: email,
+                                   privateKey: BSON::Binary.new(private_key, :generic),
+                                 }).tap do |bson|
+                bson.update({ endpoint: endpoint }) unless endpoint.nil?
               end
             end
           end