mongodb 6.7.0-dev.20240608.sha.0655c730 → 6.7.0-dev.20240614.sha.3ed6a2ad

package/mongodb.d.ts

@@ -735,6 +735,23 @@ export declare interface AWSEncryptionKeyOptions {
     endpoint?: string | undefined;
 }
 
+/** @public */
+export declare interface AWSKMSProviderConfiguration {
+    /**
+     * The access key used for the AWS KMS provider
+     */
+    accessKeyId: string;
+    /**
+     * The secret access key used for the AWS KMS provider
+     */
+    secretAccessKey: string;
+    /**
+     * An optional AWS session token that will be used as the
+     * X-Amz-Security-Token header for AWS requests.
+     */
+    sessionToken?: string;
+}
+
 /**
  * @public
  * Configuration options for making an Azure encryption key
@@ -754,6 +771,34 @@ export declare interface AzureEncryptionKeyOptions {
     keyVersion?: string | undefined;
 }
 
+/** @public */
+export declare type AzureKMSProviderConfiguration = {
+    /**
+     * The tenant ID identifies the organization for the account
+     */
+    tenantId: string;
+    /**
+     * The client ID to authenticate a registered application
+     */
+    clientId: string;
+    /**
+     * The client secret to authenticate a registered application
+     */
+    clientSecret: string;
+    /**
+     * If present, a host with optional port. E.g. "example.com" or "example.com:443".
+     * This is optional, and only needed if customer is using a non-commercial Azure instance
+     * (e.g. a government or China account, which use different URLs).
+     * Defaults to "login.microsoftonline.com"
+     */
+    identityPlatformEndpoint?: string | undefined;
+} | {
+    /**
+     * If present, an access token to authenticate with Azure.
+     */
+    accessToken: string;
+};
+
 /**
  * Keeps the state of a unordered batch so we can rewrite the results
  * correctly after command execution
@@ -788,6 +833,7 @@ export declare type BitwiseFilter = number /** numeric bit mask */ | Binary /**
 
 export { BSON }
 
+/* Excluded from this release type: BSONElement */
 export { BSONRegExp }
 
 /**
@@ -1078,8 +1124,6 @@ export declare class ChangeStream<TSchema extends Document = Document, TChange e
     /* Excluded from this release type: _processErrorIteratorMode */
 }
 
-/* Excluded from this release type: ChangeStreamAggregateRawResult */
-
 /**
  * Only present when the `showExpandedEvents` flag is enabled.
  * @public
@@ -1770,8 +1814,15 @@ export declare interface ClientEncryptionCreateDataKeyProviderOptions {
 
 /**
  * @public
+ *
+ * A data key provider.  Allowed values:
+ *
+ * - aws, gcp, local, kmip or azure
+ * - (`mongodb-client-encryption>=6.0.1` only) a named key, in the form of:
+ *    `aws:<name>`, `gcp:<name>`, `local:<name>`, `kmip:<name>`, `azure:<name>`
+ *  where `name` is an alphanumeric string, underscores allowed.
  */
-export declare type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local' | 'kmip';
+export declare type ClientEncryptionDataKeyProvider = string;
 
 /**
  * @public
@@ -3163,6 +3214,7 @@ export declare type CSFLEKMSTlsOptions = {
     kmip?: ClientEncryptionTlsOptions;
     local?: ClientEncryptionTlsOptions;
     azure?: ClientEncryptionTlsOptions;
+    [key: string]: ClientEncryptionTlsOptions | undefined;
 };
 
 /** @public */
@@ -3577,8 +3629,6 @@ export declare type EventEmitterWithState = {
  */
 export declare type EventsDescription = Record<string, GenericListener>;
 
-/* Excluded from this release type: ExecutionResult */
-
 /* Excluded from this release type: Explain */
 
 /** @public */
@@ -3985,6 +4035,28 @@ export declare interface GCPEncryptionKeyOptions {
     endpoint?: string | undefined;
 }
 
+/** @public */
+export declare type GCPKMSProviderConfiguration = {
+    /**
+     * The service account email to authenticate
+     */
+    email: string;
+    /**
+     * A PKCS#8 encrypted key. This can either be a base64 string or a binary representation
+     */
+    privateKey: string | Buffer;
+    /**
+     * If present, a host with optional port. E.g. "example.com" or "example.com:443".
+     * Defaults to "oauth2.googleapis.com"
+     */
+    endpoint?: string | undefined;
+} | {
+    /**
+     * If present, an access token to authenticate with GCP.
+     */
+    accessToken: string;
+};
+
 /** @public */
 export declare type GenericListener = (...args: any[]) => void;
 
@@ -4376,6 +4448,8 @@ export declare type InferIdType<TSchema> = TSchema extends {
     _id?: infer IdType;
 } ? unknown extends IdType ? ObjectId : IdType : ObjectId;
 
+/* Excluded from this release type: InitialCursorResponse */
+
 /** @public */
 export declare interface InsertManyResult<TSchema = Document> {
     /** Indicates whether this write result was acknowledged. If not, then all other members of this result will be undefined */
@@ -4493,6 +4567,16 @@ export declare interface KMIPEncryptionKeyOptions {
     delegated?: boolean;
 }
 
+/** @public */
+export declare interface KMIPKMSProviderConfiguration {
+    /**
+     * The output endpoint string.
+     * The endpoint consists of a hostname and port separated by a colon.
+     * E.g. "example.com:123". A port is always present.
+     */
+    endpoint?: string;
+}
+
 /* Excluded from this release type: kMode */
 
 /* Excluded from this release type: kMonitorId */
@@ -4500,99 +4584,31 @@ export declare interface KMIPEncryptionKeyOptions {
 /**
  * @public
  * Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
+ *
+ * Named KMS providers _are not supported_ for automatic KMS credential fetching.
  */
 export declare interface KMSProviders {
     /**
      * Configuration options for using 'aws' as your KMS provider
      */
-    aws?: {
-        /**
-         * The access key used for the AWS KMS provider
-         */
-        accessKeyId: string;
-        /**
-         * The secret access key used for the AWS KMS provider
-         */
-        secretAccessKey: string;
-        /**
-         * An optional AWS session token that will be used as the
-         * X-Amz-Security-Token header for AWS requests.
-         */
-        sessionToken?: string;
-    } | Record<string, never>;
+    aws?: AWSKMSProviderConfiguration | Record<string, never>;
     /**
      * Configuration options for using 'local' as your KMS provider
      */
-    local?: {
-        /**
-         * The master key used to encrypt/decrypt data keys.
-         * A 96-byte long Buffer or base64 encoded string.
-         */
-        key: Buffer | string;
-    };
+    local?: LocalKMSProviderConfiguration;
     /**
      * Configuration options for using 'kmip' as your KMS provider
      */
-    kmip?: {
-        /**
-         * The output endpoint string.
-         * The endpoint consists of a hostname and port separated by a colon.
-         * E.g. "example.com:123". A port is always present.
-         */
-        endpoint?: string;
-    };
+    kmip?: KMIPKMSProviderConfiguration;
     /**
      * Configuration options for using 'azure' as your KMS provider
      */
-    azure?: {
-        /**
-         * The tenant ID identifies the organization for the account
-         */
-        tenantId: string;
-        /**
-         * The client ID to authenticate a registered application
-         */
-        clientId: string;
-        /**
-         * The client secret to authenticate a registered application
-         */
-        clientSecret: string;
-        /**
-         * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-         * This is optional, and only needed if customer is using a non-commercial Azure instance
-         * (e.g. a government or China account, which use different URLs).
-         * Defaults to "login.microsoftonline.com"
-         */
-        identityPlatformEndpoint?: string | undefined;
-    } | {
-        /**
-         * If present, an access token to authenticate with Azure.
-         */
-        accessToken: string;
-    } | Record<string, never>;
+    azure?: AzureKMSProviderConfiguration | Record<string, never>;
     /**
      * Configuration options for using 'gcp' as your KMS provider
      */
-    gcp?: {
-        /**
-         * The service account email to authenticate
-         */
-        email: string;
-        /**
-         * A PKCS#8 encrypted key. This can either be a base64 string or a binary representation
-         */
-        privateKey: string | Buffer;
-        /**
-         * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-         * Defaults to "oauth2.googleapis.com"
-         */
-        endpoint?: string | undefined;
-    } | {
-        /**
-         * If present, an access token to authenticate with GCP.
-         */
-        accessToken: string;
-    } | Record<string, never>;
+    gcp?: GCPKMSProviderConfiguration | Record<string, never>;
+    [key: string]: AWSKMSProviderConfiguration | LocalKMSProviderConfiguration | KMIPKMSProviderConfiguration | AzureKMSProviderConfiguration | GCPKMSProviderConfiguration | undefined;
 }
 
 /* Excluded from this release type: kOptions */
@@ -4699,6 +4715,15 @@ export declare class ListSearchIndexesCursor extends AggregationCursor<{
 /** @public */
 export declare type ListSearchIndexesOptions = Omit<AggregateOptions, 'readConcern' | 'writeConcern'>;
 
+/** @public */
+export declare interface LocalKMSProviderConfiguration {
+    /**
+     * The master key used to encrypt/decrypt data keys.
+     * A 96-byte long Buffer or base64 encoded string.
+     */
+    key: Buffer | string;
+}
+
 /* Excluded from this release type: Log */
 
 /* Excluded from this release type: LogComponentSeveritiesClientOptions */
@@ -6175,7 +6200,9 @@ export declare class MongoUnexpectedServerResponseError extends MongoRuntimeErro
      *
      * @public
      **/
-    constructor(message: string);
+    constructor(message: string, options?: {
+        cause?: Error;
+    });
     get name(): string;
 }
 
@@ -6185,8 +6212,8 @@ export declare class MongoUnexpectedServerResponseError extends MongoRuntimeErro
  * @category Error
  */
 export declare class MongoWriteConcernError extends MongoServerError {
-    /** The result document (provided if ok: 1) */
-    result?: Document;
+    /** The result document */
+    result: Document;
     /**
      * **Do not use this constructor!**
      *
@@ -6198,7 +6225,15 @@ export declare class MongoWriteConcernError extends MongoServerError {
      *
      * @public
      **/
-    constructor(message: ErrorDescription, result?: Document);
+    constructor(result: {
+        writeConcernError: {
+            code: number;
+            errmsg: string;
+            codeName?: string;
+            errInfo?: Document;
+        };
+        errorLabels?: string[];
+    });
     get name(): string;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb",
-  "version": "6.7.0-dev.20240608.sha.0655c730",
+  "version": "6.7.0-dev.20240614.sha.3ed6a2ad",
   "description": "The official MongoDB driver for Node.js",
   "main": "lib/index.js",
   "files": [

package/src/bson.ts

@@ -27,6 +27,7 @@ export {
   UUID
 } from 'bson';
 
+/** @internal */
 export type BSONElement = BSON.OnDemand['BSONElement'];
 
 export function parseToElementsToArray(bytes: Uint8Array, offset?: number): BSONElement[] {

package/src/client-side-encryption/auto_encrypter.ts

@@ -6,6 +6,7 @@ import {
 
 import { deserialize, type Document, serialize } from '../bson';
 import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
+import { kDecorateResult } from '../constants';
 import { getMongoDBClientEncryption } from '../deps';
 import { MongoRuntimeError } from '../error';
 import { MongoClient, type MongoClientOptions } from '../mongo_client';
@@ -212,15 +213,6 @@ export const AutoEncryptionLoggerLevel = Object.freeze({
 export type AutoEncryptionLoggerLevel =
   (typeof AutoEncryptionLoggerLevel)[keyof typeof AutoEncryptionLoggerLevel];
 
-// Typescript errors if we index objects with `Symbol.for(...)`, so
-// to avoid TS errors we pull them out into variables.  Then we can type
-// the objects (and class) that we expect to see them on and prevent TS
-// errors.
-/** @internal */
-const kDecorateResult = Symbol.for('@@mdb.decorateDecryptionResult');
-/** @internal */
-const kDecoratedKeys = Symbol.for('@@mdb.decryptedKeys');
-
 /**
  * @internal An internal class to be used by the driver for auto encryption
  * **NOTE**: Not meant to be instantiated directly, this is for internal use only.
@@ -467,16 +459,18 @@ export class AutoEncrypter {
       proxyOptions: this._proxyOptions,
       tlsOptions: this._tlsOptions
     });
-    return await stateMachine.execute<Document>(this, context);
+
+    return deserialize(await stateMachine.execute(this, context), {
+      promoteValues: false,
+      promoteLongs: false
+    });
   }
 
   /**
    * Decrypt a command response
    */
-  async decrypt(response: Uint8Array | Document, options: CommandOptions = {}): Promise<Document> {
-    const buffer = Buffer.isBuffer(response) ? response : serialize(response, options);
-
-    const context = this._mongocrypt.makeDecryptionContext(buffer);
+  async decrypt(response: Uint8Array, options: CommandOptions = {}): Promise<Uint8Array> {
+    const context = this._mongocrypt.makeDecryptionContext(response);
 
     context.id = this._contextCounter++;
 
@@ -486,12 +480,7 @@ export class AutoEncrypter {
       tlsOptions: this._tlsOptions
     });
 
-    const decorateResult = this[kDecorateResult];
-    const result = await stateMachine.execute<Document>(this, context);
-    if (decorateResult) {
-      decorateDecryptionResult(result, response);
-    }
-    return result;
+    return await stateMachine.execute(this, context);
   }
 
   /**
@@ -518,53 +507,3 @@ export class AutoEncrypter {
     return AutoEncrypter.getMongoCrypt().libmongocryptVersion;
   }
 }
-
-/**
- * Recurse through the (identically-shaped) `decrypted` and `original`
- * objects and attach a `decryptedKeys` property on each sub-object that
- * contained encrypted fields. Because we only call this on BSON responses,
- * we do not need to worry about circular references.
- *
- * @internal
- */
-function decorateDecryptionResult(
-  decrypted: Document & { [kDecoratedKeys]?: Array<string> },
-  original: Document,
-  isTopLevelDecorateCall = true
-): void {
-  if (isTopLevelDecorateCall) {
-    // The original value could have been either a JS object or a BSON buffer
-    if (Buffer.isBuffer(original)) {
-      original = deserialize(original);
-    }
-    if (Buffer.isBuffer(decrypted)) {
-      throw new MongoRuntimeError('Expected result of decryption to be deserialized BSON object');
-    }
-  }
-
-  if (!decrypted || typeof decrypted !== 'object') return;
-  for (const k of Object.keys(decrypted)) {
-    const originalValue = original[k];
-
-    // An object was decrypted by libmongocrypt if and only if it was
-    // a BSON Binary object with subtype 6.
-    if (originalValue && originalValue._bsontype === 'Binary' && originalValue.sub_type === 6) {
-      if (!decrypted[kDecoratedKeys]) {
-        Object.defineProperty(decrypted, kDecoratedKeys, {
-          value: [],
-          configurable: true,
-          enumerable: false,
-          writable: false
-        });
-      }
-      // this is defined in the preceding if-statement
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      decrypted[kDecoratedKeys]!.push(k);
-      // Do not recurse into this decrypted value. It could be a sub-document/array,
-      // in which case there is no original value associated with its subfields.
-      continue;
-    }
-
-    decorateDecryptionResult(decrypted[k], originalValue, false);
-  }
-}

package/src/client-side-encryption/client_encryption.ts

@@ -5,7 +5,7 @@ import type {
   MongoCryptOptions
 } from 'mongodb-client-encryption';
 
-import { type Binary, type Document, type Long, serialize, type UUID } from '../bson';
+import { type Binary, deserialize, type Document, type Long, serialize, type UUID } from '../bson';
 import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
 import { type ProxyOptions } from '../cmap/connection';
 import { type Collection } from '../collection';
@@ -202,7 +202,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const dataKey = await stateMachine.execute<DataKey>(this, context);
+    const dataKey = deserialize(await stateMachine.execute(this, context)) as DataKey;
 
     const { db: dbName, collection: collectionName } = MongoDBCollectionNamespace.fromString(
       this._keyVaultNamespace
@@ -259,7 +259,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const { v: dataKeys } = await stateMachine.execute<{ v: DataKey[] }>(this, context);
+    const { v: dataKeys } = deserialize(await stateMachine.execute(this, context));
     if (dataKeys.length === 0) {
       return {};
     }
@@ -640,7 +640,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const { v } = await stateMachine.execute<{ v: T }>(this, context);
+    const { v } = deserialize(await stateMachine.execute(this, context));
 
     return v;
   }
@@ -719,8 +719,8 @@ export class ClientEncryption {
     });
     const context = this._mongoCrypt.makeExplicitEncryptionContext(valueBuffer, contextOptions);
 
-    const result = await stateMachine.execute<{ v: Binary }>(this, context);
-    return result.v;
+    const { v } = deserialize(await stateMachine.execute(this, context));
+    return v;
   }
 }