mongodb 6.7.0-dev.20240608.sha.0655c730 → 6.7.0-dev.20240614.sha.3ed6a2ad

package/src/client-side-encryption/providers/index.ts

@@ -4,124 +4,152 @@ import { loadGCPCredentials } from './gcp';
 
 /**
  * @public
+ *
+ * A data key provider.  Allowed values:
+ *
+ * - aws, gcp, local, kmip or azure
+ * - (`mongodb-client-encryption>=6.0.1` only) a named key, in the form of:
+ *    `aws:<name>`, `gcp:<name>`, `local:<name>`, `kmip:<name>`, `azure:<name>`
+ *  where `name` is an alphanumeric string, underscores allowed.
  */
-export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local' | 'kmip';
+export type ClientEncryptionDataKeyProvider = string;
+
+/** @public */
+export interface AWSKMSProviderConfiguration {
+  /**
+   * The access key used for the AWS KMS provider
+   */
+  accessKeyId: string;
+
+  /**
+   * The secret access key used for the AWS KMS provider
+   */
+  secretAccessKey: string;
+
+  /**
+   * An optional AWS session token that will be used as the
+   * X-Amz-Security-Token header for AWS requests.
+   */
+  sessionToken?: string;
+}
+
+/** @public */
+export interface LocalKMSProviderConfiguration {
+  /**
+   * The master key used to encrypt/decrypt data keys.
+   * A 96-byte long Buffer or base64 encoded string.
+   */
+  key: Buffer | string;
+}
+
+/** @public */
+export interface KMIPKMSProviderConfiguration {
+  /**
+   * The output endpoint string.
+   * The endpoint consists of a hostname and port separated by a colon.
+   * E.g. "example.com:123". A port is always present.
+   */
+  endpoint?: string;
+}
+
+/** @public */
+export type AzureKMSProviderConfiguration =
+  | {
+      /**
+       * The tenant ID identifies the organization for the account
+       */
+      tenantId: string;
+
+      /**
+       * The client ID to authenticate a registered application
+       */
+      clientId: string;
+
+      /**
+       * The client secret to authenticate a registered application
+       */
+      clientSecret: string;
+
+      /**
+       * If present, a host with optional port. E.g. "example.com" or "example.com:443".
+       * This is optional, and only needed if customer is using a non-commercial Azure instance
+       * (e.g. a government or China account, which use different URLs).
+       * Defaults to "login.microsoftonline.com"
+       */
+      identityPlatformEndpoint?: string | undefined;
+    }
+  | {
+      /**
+       * If present, an access token to authenticate with Azure.
+       */
+      accessToken: string;
+    };
+
+/** @public */
+export type GCPKMSProviderConfiguration =
+  | {
+      /**
+       * The service account email to authenticate
+       */
+      email: string;
+
+      /**
+       * A PKCS#8 encrypted key. This can either be a base64 string or a binary representation
+       */
+      privateKey: string | Buffer;
+
+      /**
+       * If present, a host with optional port. E.g. "example.com" or "example.com:443".
+       * Defaults to "oauth2.googleapis.com"
+       */
+      endpoint?: string | undefined;
+    }
+  | {
+      /**
+       * If present, an access token to authenticate with GCP.
+       */
+      accessToken: string;
+    };
 
 /**
  * @public
  * Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
+ *
+ * Named KMS providers _are not supported_ for automatic KMS credential fetching.
  */
 export interface KMSProviders {
   /**
    * Configuration options for using 'aws' as your KMS provider
    */
-  aws?:
-    | {
-        /**
-         * The access key used for the AWS KMS provider
-         */
-        accessKeyId: string;
-
-        /**
-         * The secret access key used for the AWS KMS provider
-         */
-        secretAccessKey: string;
-
-        /**
-         * An optional AWS session token that will be used as the
-         * X-Amz-Security-Token header for AWS requests.
-         */
-        sessionToken?: string;
-      }
-    | Record<string, never>;
+  aws?: AWSKMSProviderConfiguration | Record<string, never>;
 
   /**
    * Configuration options for using 'local' as your KMS provider
    */
-  local?: {
-    /**
-     * The master key used to encrypt/decrypt data keys.
-     * A 96-byte long Buffer or base64 encoded string.
-     */
-    key: Buffer | string;
-  };
+  local?: LocalKMSProviderConfiguration;
 
   /**
    * Configuration options for using 'kmip' as your KMS provider
    */
-  kmip?: {
-    /**
-     * The output endpoint string.
-     * The endpoint consists of a hostname and port separated by a colon.
-     * E.g. "example.com:123". A port is always present.
-     */
-    endpoint?: string;
-  };
+  kmip?: KMIPKMSProviderConfiguration;
 
   /**
    * Configuration options for using 'azure' as your KMS provider
    */
-  azure?:
-    | {
-        /**
-         * The tenant ID identifies the organization for the account
-         */
-        tenantId: string;
-
-        /**
-         * The client ID to authenticate a registered application
-         */
-        clientId: string;
-
-        /**
-         * The client secret to authenticate a registered application
-         */
-        clientSecret: string;
-
-        /**
-         * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-         * This is optional, and only needed if customer is using a non-commercial Azure instance
-         * (e.g. a government or China account, which use different URLs).
-         * Defaults to "login.microsoftonline.com"
-         */
-        identityPlatformEndpoint?: string | undefined;
-      }
-    | {
-        /**
-         * If present, an access token to authenticate with Azure.
-         */
-        accessToken: string;
-      }
-    | Record<string, never>;
+  azure?: AzureKMSProviderConfiguration | Record<string, never>;
 
   /**
    * Configuration options for using 'gcp' as your KMS provider
    */
-  gcp?:
-    | {
-        /**
-         * The service account email to authenticate
-         */
-        email: string;
-
-        /**
-         * A PKCS#8 encrypted key. This can either be a base64 string or a binary representation
-         */
-        privateKey: string | Buffer;
-
-        /**
-         * If present, a host with optional port. E.g. "example.com" or "example.com:443".
-         * Defaults to "oauth2.googleapis.com"
-         */
-        endpoint?: string | undefined;
-      }
-    | {
-        /**
-         * If present, an access token to authenticate with GCP.
-         */
-        accessToken: string;
-      }
-    | Record<string, never>;
+  gcp?: GCPKMSProviderConfiguration | Record<string, never>;
+
+  [key: string]:
+    | AWSKMSProviderConfiguration
+    | LocalKMSProviderConfiguration
+    | KMIPKMSProviderConfiguration
+    | AzureKMSProviderConfiguration
+    | GCPKMSProviderConfiguration
+    | undefined;
 }
 
 /**

package/src/client-side-encryption/state_machine.ts

@@ -17,7 +17,7 @@ import { BufferPool, MongoDBCollectionNamespace, promiseWithResolvers } from '..
 import { type DataKey } from './client_encryption';
 import { MongoCryptError } from './errors';
 import { type MongocryptdManager } from './mongocryptd_manager';
-import { type ClientEncryptionDataKeyProvider, type KMSProviders } from './providers';
+import { type KMSProviders } from './providers';
 
 let socks: SocksLib | null = null;
 function loadSocks(): SocksLib {
@@ -110,8 +110,23 @@ export type CSFLEKMSTlsOptions = {
   kmip?: ClientEncryptionTlsOptions;
   local?: ClientEncryptionTlsOptions;
   azure?: ClientEncryptionTlsOptions;
+
+  [key: string]: ClientEncryptionTlsOptions | undefined;
 };
 
+/**
+ * This is kind of a hack.  For `rewrapManyDataKey`, we have tests that
+ * guarantee that when there are no matching keys, `rewrapManyDataKey` returns
+ * nothing.  We also have tests for auto encryption that guarantee for `encrypt`
+ * we return an error when there are no matching keys.  This error is generated in
+ * subsequent iterations of the state machine.
+ * Some apis (`encrypt`) throw if there are no filter matches and others (`rewrapManyDataKey`)
+ * do not.  We set the result manually here, and let the state machine continue.  `libmongocrypt`
+ * will inform us if we need to error by setting the state to `MONGOCRYPT_CTX_ERROR` but
+ * otherwise we'll return `{ v: [] }`.
+ */
+let EMPTY_V;
+
 /**
  * @internal
  *
@@ -154,16 +169,13 @@ export class StateMachine {
   /**
    * Executes the state machine according to the specification
    */
-  async execute<T extends Document>(
-    executor: StateMachineExecutable,
-    context: MongoCryptContext
-  ): Promise<T> {
+  async execute(executor: StateMachineExecutable, context: MongoCryptContext): Promise<Uint8Array> {
     const keyVaultNamespace = executor._keyVaultNamespace;
     const keyVaultClient = executor._keyVaultClient;
     const metaDataClient = executor._metaDataClient;
     const mongocryptdClient = executor._mongocryptdClient;
     const mongocryptdManager = executor._mongocryptdManager;
-    let result: T | null = null;
+    let result: Uint8Array | null = null;
 
     while (context.state !== MONGOCRYPT_CTX_DONE && context.state !== MONGOCRYPT_CTX_ERROR) {
       debug(`[context#${context.id}] ${stateToString.get(context.state) || context.state}`);
@@ -211,16 +223,8 @@ export class StateMachine {
           const keys = await this.fetchKeys(keyVaultClient, keyVaultNamespace, filter);
 
           if (keys.length === 0) {
-            // This is kind of a hack.  For `rewrapManyDataKey`, we have tests that
-            // guarantee that when there are no matching keys, `rewrapManyDataKey` returns
-            // nothing.  We also have tests for auto encryption that guarantee for `encrypt`
-            // we return an error when there are no matching keys.  This error is generated in
-            // subsequent iterations of the state machine.
-            // Some apis (`encrypt`) throw if there are no filter matches and others (`rewrapManyDataKey`)
-            // do not.  We set the result manually here, and let the state machine continue.  `libmongocrypt`
-            // will inform us if we need to error by setting the state to `MONGOCRYPT_CTX_ERROR` but
-            // otherwise we'll return `{ v: [] }`.
-            result = { v: [] } as any as T;
+            // See docs on EMPTY_V
+            result = EMPTY_V ??= serialize({ v: [] });
           }
           for await (const key of keys) {
             context.addMongoOperationResponse(serialize(key));
@@ -252,7 +256,7 @@ export class StateMachine {
             const message = context.status.message || 'Finalization error';
             throw new MongoCryptError(message);
           }
-          result = deserialize(finalizedContext, this.options) as T;
+          result = finalizedContext;
           break;
         }
 
@@ -319,7 +323,7 @@ export class StateMachine {
 
     const tlsOptions = this.options.tlsOptions;
     if (tlsOptions) {
-      const kmsProvider = request.kmsProvider as ClientEncryptionDataKeyProvider;
+      const kmsProvider = request.kmsProvider;
       const providerTlsOptions = tlsOptions[kmsProvider];
       if (providerTlsOptions) {
         const error = this.validateTlsOptions(kmsProvider, providerTlsOptions);

package/src/cmap/connection.ts

@@ -1,14 +1,15 @@
 import { type Readable, Transform, type TransformCallback } from 'stream';
 import { clearTimeout, setTimeout } from 'timers';
 
-import type { BSONSerializeOptions, Document, ObjectId } from '../bson';
-import type { AutoEncrypter } from '../client-side-encryption/auto_encrypter';
+import { type BSONSerializeOptions, deserialize, type Document, type ObjectId } from '../bson';
+import { type AutoEncrypter } from '../client-side-encryption/auto_encrypter';
 import {
   CLOSE,
   CLUSTER_TIME_RECEIVED,
   COMMAND_FAILED,
   COMMAND_STARTED,
   COMMAND_SUCCEEDED,
+  kDecorateResult,
   PINNED,
   UNPINNED
 } from '../constants';
@@ -19,8 +20,7 @@ import {
   MongoNetworkTimeoutError,
   MongoParseError,
   MongoServerError,
-  MongoUnexpectedServerResponseError,
-  MongoWriteConcernError
+  MongoUnexpectedServerResponseError
 } from '../error';
 import type { ServerApi, SupportedNodeConnectionOptions } from '../mongo_client';
 import { type MongoClientAuthProviders } from '../mongo_client_auth_providers';
@@ -33,6 +33,7 @@ import {
   BufferPool,
   calculateDurationInMs,
   type Callback,
+  decorateDecryptionResult,
   HostAddress,
   maxWireVersion,
   type MongoDBNamespace,
@@ -63,7 +64,7 @@ import { StreamDescription, type StreamDescriptionOptions } from './stream_descr
 import { type CompressorName, decompressResponse } from './wire_protocol/compression';
 import { onData } from './wire_protocol/on_data';
 import {
-  isErrorResponse,
+  CursorResponse,
   MongoDBResponse,
   type MongoDBResponseConstructor
 } from './wire_protocol/responses';
@@ -448,12 +449,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
         this.socket.setTimeout(0);
         const bson = response.parse();
 
-        const document =
-          responseType == null
-            ? new MongoDBResponse(bson)
-            : isErrorResponse(bson)
-            ? new MongoDBResponse(bson)
-            : new responseType(bson);
+        const document = (responseType ?? MongoDBResponse).make(bson);
 
         yield document;
         this.throwIfAborted();
@@ -517,12 +513,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
           this.emit(Connection.CLUSTER_TIME_RECEIVED, document.$clusterTime);
         }
 
-        if (document.has('writeConcernError')) {
-          object ??= document.toObject(bsonOptions);
-          throw new MongoWriteConcernError(object.writeConcernError, object);
-        }
-
-        if (document.isError) {
+        if (document.ok === 0) {
           throw new MongoServerError((object ??= document.toObject(bsonOptions)));
         }
 
@@ -552,40 +543,25 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
       }
     } catch (error) {
       if (this.shouldEmitAndLogCommand) {
-        if (error.name === 'MongoWriteConcernError') {
-          this.emitAndLogCommand(
-            this.monitorCommands,
-            Connection.COMMAND_SUCCEEDED,
-            message.databaseName,
-            this.established,
-            new CommandSucceededEvent(
-              this,
-              message,
-              options.noResponse ? undefined : (object ??= document?.toObject(bsonOptions)),
-              started,
-              this.description.serverConnectionId
-            )
-          );
-        } else {
-          this.emitAndLogCommand(
-            this.monitorCommands,
-            Connection.COMMAND_FAILED,
-            message.databaseName,
-            this.established,
-            new CommandFailedEvent(
-              this,
-              message,
-              error,
-              started,
-              this.description.serverConnectionId
-            )
-          );
-        }
+        this.emitAndLogCommand(
+          this.monitorCommands,
+          Connection.COMMAND_FAILED,
+          message.databaseName,
+          this.established,
+          new CommandFailedEvent(this, message, error, started, this.description.serverConnectionId)
+        );
       }
       throw error;
     }
   }
 
+  public async command<T extends MongoDBResponseConstructor>(
+    ns: MongoDBNamespace,
+    command: Document,
+    options: CommandOptions | undefined,
+    responseType: T
+  ): Promise<InstanceType<T>>;
+
   public async command<T extends MongoDBResponseConstructor>(
     ns: MongoDBNamespace,
     command: Document,
@@ -749,7 +725,7 @@ export class CryptoConnection extends Connection {
     ns: MongoDBNamespace,
     cmd: Document,
     options?: CommandOptions,
-    _responseType?: T | undefined
+    responseType?: T | undefined
   ): Promise<Document> {
     const { autoEncrypter } = this;
     if (!autoEncrypter) {
@@ -763,7 +739,7 @@ export class CryptoConnection extends Connection {
     const serverWireVersion = maxWireVersion(this);
     if (serverWireVersion === 0) {
       // This means the initial handshake hasn't happened yet
-      return await super.command<T>(ns, cmd, options, undefined);
+      return await super.command<T>(ns, cmd, options, responseType);
     }
 
     if (serverWireVersion < 8) {
@@ -797,8 +773,28 @@ export class CryptoConnection extends Connection {
       }
     }
 
-    const response = await super.command<T>(ns, encrypted, options, undefined);
+    const encryptedResponse = await super.command(
+      ns,
+      encrypted,
+      options,
+      // Eventually we want to require `responseType` which means we would satisfy `T` as the return type.
+      // In the meantime, we want encryptedResponse to always be _at least_ a MongoDBResponse if not a more specific subclass
+      // So that we can ensure we have access to the on-demand APIs for decorate response
+      responseType ?? MongoDBResponse
+    );
+
+    const result = await autoEncrypter.decrypt(encryptedResponse.toBytes(), options);
+
+    const decryptedResponse = responseType?.make(result) ?? deserialize(result, options);
+
+    if (autoEncrypter[kDecorateResult]) {
+      if (responseType == null) {
+        decorateDecryptionResult(decryptedResponse, encryptedResponse.toObject(), true);
+      } else if (decryptedResponse instanceof CursorResponse) {
+        decryptedResponse.encryptedResponse = encryptedResponse;
+      }
+    }
 
-    return await autoEncrypter.decrypt(response, options);
+    return decryptedResponse;
   }
 }

package/src/cmap/wire_protocol/on_demand/document.ts

@@ -66,9 +66,11 @@ export class OnDemandDocument {
     /** The start of the document */
     private readonly offset = 0,
     /** If this is an embedded document, indicates if this was a BSON array */
-    public readonly isArray = false
+    public readonly isArray = false,
+    /** If elements was already calculated */
+    elements?: BSONElement[]
   ) {
-    this.elements = parseToElementsToArray(this.bson, offset);
+    this.elements = elements ?? parseToElementsToArray(this.bson, offset);
   }
 
   /** Only supports basic latin strings */
@@ -78,8 +80,13 @@ export class OnDemandDocument {
 
     if (name.length !== nameLength) return false;
 
-    for (let i = 0; i < name.length; i++) {
-      if (this.bson[nameOffset + i] !== name.charCodeAt(i)) return false;
+    const nameEnd = nameOffset + nameLength;
+    for (
+      let byteIndex = nameOffset, charIndex = 0;
+      charIndex < name.length && byteIndex < nameEnd;
+      charIndex++, byteIndex++
+    ) {
+      if (this.bson[byteIndex] !== name.charCodeAt(charIndex)) return false;
     }
 
     return true;
@@ -125,7 +132,7 @@ export class OnDemandDocument {
       const element = this.elements[index];
 
       // skip this element if it has already been associated with a name
-      if (!this.indexFound[index] && this.isElementName(name, element)) {
+      if (!(index in this.indexFound) && this.isElementName(name, element)) {
         const cachedElement = { element, value: undefined };
         this.cache[name] = cachedElement;
         this.indexFound[index] = true;
@@ -247,7 +254,7 @@ export class OnDemandDocument {
   public get<const T extends keyof JSTypeOf>(
     name: string | number,
     as: T,
-    required?: false | undefined
+    required?: boolean | undefined
   ): JSTypeOf[T] | null;
 
   /** `required` will make `get` throw if name does not exist or is null/undefined */