mongodb 6.7.0-dev.20240613.sha.c1af6adc → 6.7.0-dev.20240614.sha.3ed6a2ad

package/src/client-side-encryption/client_encryption.ts

@@ -5,7 +5,7 @@ import type {
   MongoCryptOptions
 } from 'mongodb-client-encryption';
 
-import { type Binary, type Document, type Long, serialize, type UUID } from '../bson';
+import { type Binary, deserialize, type Document, type Long, serialize, type UUID } from '../bson';
 import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
 import { type ProxyOptions } from '../cmap/connection';
 import { type Collection } from '../collection';
@@ -202,7 +202,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const dataKey = await stateMachine.execute<DataKey>(this, context);
+    const dataKey = deserialize(await stateMachine.execute(this, context)) as DataKey;
 
     const { db: dbName, collection: collectionName } = MongoDBCollectionNamespace.fromString(
       this._keyVaultNamespace
@@ -259,7 +259,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const { v: dataKeys } = await stateMachine.execute<{ v: DataKey[] }>(this, context);
+    const { v: dataKeys } = deserialize(await stateMachine.execute(this, context));
     if (dataKeys.length === 0) {
       return {};
     }
@@ -640,7 +640,7 @@ export class ClientEncryption {
       tlsOptions: this._tlsOptions
     });
 
-    const { v } = await stateMachine.execute<{ v: T }>(this, context);
+    const { v } = deserialize(await stateMachine.execute(this, context));
 
     return v;
   }
@@ -719,8 +719,8 @@ export class ClientEncryption {
     });
     const context = this._mongoCrypt.makeExplicitEncryptionContext(valueBuffer, contextOptions);
 
-    const result = await stateMachine.execute<{ v: Binary }>(this, context);
-    return result.v;
+    const { v } = deserialize(await stateMachine.execute(this, context));
+    return v;
   }
 }
 

package/src/client-side-encryption/state_machine.ts

@@ -114,6 +114,19 @@ export type CSFLEKMSTlsOptions = {
   [key: string]: ClientEncryptionTlsOptions | undefined;
 };
 
+/**
+ * This is kind of a hack.  For `rewrapManyDataKey`, we have tests that
+ * guarantee that when there are no matching keys, `rewrapManyDataKey` returns
+ * nothing.  We also have tests for auto encryption that guarantee for `encrypt`
+ * we return an error when there are no matching keys.  This error is generated in
+ * subsequent iterations of the state machine.
+ * Some apis (`encrypt`) throw if there are no filter matches and others (`rewrapManyDataKey`)
+ * do not.  We set the result manually here, and let the state machine continue.  `libmongocrypt`
+ * will inform us if we need to error by setting the state to `MONGOCRYPT_CTX_ERROR` but
+ * otherwise we'll return `{ v: [] }`.
+ */
+let EMPTY_V;
+
 /**
  * @internal
  *
@@ -156,16 +169,13 @@ export class StateMachine {
   /**
    * Executes the state machine according to the specification
    */
-  async execute<T extends Document>(
-    executor: StateMachineExecutable,
-    context: MongoCryptContext
-  ): Promise<T> {
+  async execute(executor: StateMachineExecutable, context: MongoCryptContext): Promise<Uint8Array> {
     const keyVaultNamespace = executor._keyVaultNamespace;
     const keyVaultClient = executor._keyVaultClient;
     const metaDataClient = executor._metaDataClient;
     const mongocryptdClient = executor._mongocryptdClient;
     const mongocryptdManager = executor._mongocryptdManager;
-    let result: T | null = null;
+    let result: Uint8Array | null = null;
 
     while (context.state !== MONGOCRYPT_CTX_DONE && context.state !== MONGOCRYPT_CTX_ERROR) {
       debug(`[context#${context.id}] ${stateToString.get(context.state) || context.state}`);
@@ -213,16 +223,8 @@ export class StateMachine {
           const keys = await this.fetchKeys(keyVaultClient, keyVaultNamespace, filter);
 
           if (keys.length === 0) {
-            // This is kind of a hack.  For `rewrapManyDataKey`, we have tests that
-            // guarantee that when there are no matching keys, `rewrapManyDataKey` returns
-            // nothing.  We also have tests for auto encryption that guarantee for `encrypt`
-            // we return an error when there are no matching keys.  This error is generated in
-            // subsequent iterations of the state machine.
-            // Some apis (`encrypt`) throw if there are no filter matches and others (`rewrapManyDataKey`)
-            // do not.  We set the result manually here, and let the state machine continue.  `libmongocrypt`
-            // will inform us if we need to error by setting the state to `MONGOCRYPT_CTX_ERROR` but
-            // otherwise we'll return `{ v: [] }`.
-            result = { v: [] } as any as T;
+            // See docs on EMPTY_V
+            result = EMPTY_V ??= serialize({ v: [] });
           }
           for await (const key of keys) {
             context.addMongoOperationResponse(serialize(key));
@@ -254,7 +256,7 @@ export class StateMachine {
             const message = context.status.message || 'Finalization error';
             throw new MongoCryptError(message);
           }
-          result = deserialize(finalizedContext, this.options) as T;
+          result = finalizedContext;
           break;
         }
 

package/src/cmap/connection.ts

@@ -1,14 +1,15 @@
 import { type Readable, Transform, type TransformCallback } from 'stream';
 import { clearTimeout, setTimeout } from 'timers';
 
-import type { BSONSerializeOptions, Document, ObjectId } from '../bson';
-import type { AutoEncrypter } from '../client-side-encryption/auto_encrypter';
+import { type BSONSerializeOptions, deserialize, type Document, type ObjectId } from '../bson';
+import { type AutoEncrypter } from '../client-side-encryption/auto_encrypter';
 import {
   CLOSE,
   CLUSTER_TIME_RECEIVED,
   COMMAND_FAILED,
   COMMAND_STARTED,
   COMMAND_SUCCEEDED,
+  kDecorateResult,
   PINNED,
   UNPINNED
 } from '../constants';
@@ -19,8 +20,7 @@ import {
   MongoNetworkTimeoutError,
   MongoParseError,
   MongoServerError,
-  MongoUnexpectedServerResponseError,
-  MongoWriteConcernError
+  MongoUnexpectedServerResponseError
 } from '../error';
 import type { ServerApi, SupportedNodeConnectionOptions } from '../mongo_client';
 import { type MongoClientAuthProviders } from '../mongo_client_auth_providers';
@@ -33,6 +33,7 @@ import {
   BufferPool,
   calculateDurationInMs,
   type Callback,
+  decorateDecryptionResult,
   HostAddress,
   maxWireVersion,
   type MongoDBNamespace,
@@ -63,7 +64,7 @@ import { StreamDescription, type StreamDescriptionOptions } from './stream_descr
 import { type CompressorName, decompressResponse } from './wire_protocol/compression';
 import { onData } from './wire_protocol/on_data';
 import {
-  isErrorResponse,
+  CursorResponse,
   MongoDBResponse,
   type MongoDBResponseConstructor
 } from './wire_protocol/responses';
@@ -448,12 +449,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
         this.socket.setTimeout(0);
         const bson = response.parse();
 
-        const document =
-          responseType == null
-            ? new MongoDBResponse(bson)
-            : isErrorResponse(bson)
-            ? new MongoDBResponse(bson)
-            : new responseType(bson);
+        const document = (responseType ?? MongoDBResponse).make(bson);
 
         yield document;
         this.throwIfAborted();
@@ -517,12 +513,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
           this.emit(Connection.CLUSTER_TIME_RECEIVED, document.$clusterTime);
         }
 
-        if (document.has('writeConcernError')) {
-          object ??= document.toObject(bsonOptions);
-          throw new MongoWriteConcernError(object.writeConcernError, object);
-        }
-
-        if (document.isError) {
+        if (document.ok === 0) {
           throw new MongoServerError((object ??= document.toObject(bsonOptions)));
         }
 
@@ -552,40 +543,25 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
       }
     } catch (error) {
       if (this.shouldEmitAndLogCommand) {
-        if (error.name === 'MongoWriteConcernError') {
-          this.emitAndLogCommand(
-            this.monitorCommands,
-            Connection.COMMAND_SUCCEEDED,
-            message.databaseName,
-            this.established,
-            new CommandSucceededEvent(
-              this,
-              message,
-              options.noResponse ? undefined : (object ??= document?.toObject(bsonOptions)),
-              started,
-              this.description.serverConnectionId
-            )
-          );
-        } else {
-          this.emitAndLogCommand(
-            this.monitorCommands,
-            Connection.COMMAND_FAILED,
-            message.databaseName,
-            this.established,
-            new CommandFailedEvent(
-              this,
-              message,
-              error,
-              started,
-              this.description.serverConnectionId
-            )
-          );
-        }
+        this.emitAndLogCommand(
+          this.monitorCommands,
+          Connection.COMMAND_FAILED,
+          message.databaseName,
+          this.established,
+          new CommandFailedEvent(this, message, error, started, this.description.serverConnectionId)
+        );
       }
       throw error;
     }
   }
 
+  public async command<T extends MongoDBResponseConstructor>(
+    ns: MongoDBNamespace,
+    command: Document,
+    options: CommandOptions | undefined,
+    responseType: T
+  ): Promise<InstanceType<T>>;
+
   public async command<T extends MongoDBResponseConstructor>(
     ns: MongoDBNamespace,
     command: Document,
@@ -749,7 +725,7 @@ export class CryptoConnection extends Connection {
     ns: MongoDBNamespace,
     cmd: Document,
     options?: CommandOptions,
-    _responseType?: T | undefined
+    responseType?: T | undefined
   ): Promise<Document> {
     const { autoEncrypter } = this;
     if (!autoEncrypter) {
@@ -763,7 +739,7 @@ export class CryptoConnection extends Connection {
     const serverWireVersion = maxWireVersion(this);
     if (serverWireVersion === 0) {
       // This means the initial handshake hasn't happened yet
-      return await super.command<T>(ns, cmd, options, undefined);
+      return await super.command<T>(ns, cmd, options, responseType);
     }
 
     if (serverWireVersion < 8) {
@@ -797,8 +773,28 @@ export class CryptoConnection extends Connection {
       }
     }
 
-    const response = await super.command<T>(ns, encrypted, options, undefined);
+    const encryptedResponse = await super.command(
+      ns,
+      encrypted,
+      options,
+      // Eventually we want to require `responseType` which means we would satisfy `T` as the return type.
+      // In the meantime, we want encryptedResponse to always be _at least_ a MongoDBResponse if not a more specific subclass
+      // So that we can ensure we have access to the on-demand APIs for decorate response
+      responseType ?? MongoDBResponse
+    );
+
+    const result = await autoEncrypter.decrypt(encryptedResponse.toBytes(), options);
+
+    const decryptedResponse = responseType?.make(result) ?? deserialize(result, options);
+
+    if (autoEncrypter[kDecorateResult]) {
+      if (responseType == null) {
+        decorateDecryptionResult(decryptedResponse, encryptedResponse.toObject(), true);
+      } else if (decryptedResponse instanceof CursorResponse) {
+        decryptedResponse.encryptedResponse = encryptedResponse;
+      }
+    }
 
-    return await autoEncrypter.decrypt(response, options);
+    return decryptedResponse;
   }
 }

package/src/cmap/wire_protocol/on_demand/document.ts

@@ -66,9 +66,11 @@ export class OnDemandDocument {
     /** The start of the document */
     private readonly offset = 0,
     /** If this is an embedded document, indicates if this was a BSON array */
-    public readonly isArray = false
+    public readonly isArray = false,
+    /** If elements was already calculated */
+    elements?: BSONElement[]
   ) {
-    this.elements = parseToElementsToArray(this.bson, offset);
+    this.elements = elements ?? parseToElementsToArray(this.bson, offset);
   }
 
   /** Only supports basic latin strings */
@@ -78,8 +80,13 @@ export class OnDemandDocument {
 
     if (name.length !== nameLength) return false;
 
-    for (let i = 0; i < name.length; i++) {
-      if (this.bson[nameOffset + i] !== name.charCodeAt(i)) return false;
+    const nameEnd = nameOffset + nameLength;
+    for (
+      let byteIndex = nameOffset, charIndex = 0;
+      charIndex < name.length && byteIndex < nameEnd;
+      charIndex++, byteIndex++
+    ) {
+      if (this.bson[byteIndex] !== name.charCodeAt(charIndex)) return false;
     }
 
     return true;
@@ -125,7 +132,7 @@ export class OnDemandDocument {
       const element = this.elements[index];
 
       // skip this element if it has already been associated with a name
-      if (!this.indexFound[index] && this.isElementName(name, element)) {
+      if (!(index in this.indexFound) && this.isElementName(name, element)) {
         const cachedElement = { element, value: undefined };
         this.cache[name] = cachedElement;
         this.indexFound[index] = true;
@@ -247,7 +254,7 @@ export class OnDemandDocument {
   public get<const T extends keyof JSTypeOf>(
     name: string | number,
     as: T,
-    required?: false | undefined
+    required?: boolean | undefined
   ): JSTypeOf[T] | null;
 
   /** `required` will make `get` throw if name does not exist or is null/undefined */

package/src/cmap/wire_protocol/responses.ts

@@ -1,15 +1,17 @@
 import {
+  type BSONElement,
   type BSONSerializeOptions,
   BSONType,
   type Document,
   Long,
   parseToElementsToArray,
+  pluckBSONSerializeOptions,
   type Timestamp
 } from '../../bson';
 import { MongoUnexpectedServerResponseError } from '../../error';
 import { type ClusterTime } from '../../sdam/common';
-import { type MongoDBNamespace, ns } from '../../utils';
-import { OnDemandDocument } from './on_demand/document';
+import { decorateDecryptionResult, ns } from '../../utils';
+import { type JSTypeOf, OnDemandDocument } from './on_demand/document';
 
 // eslint-disable-next-line no-restricted-syntax
 const enum BSONElementOffset {
@@ -30,8 +32,7 @@ const enum BSONElementOffset {
  *
  * @param bytes - BSON document returned from the server
  */
-export function isErrorResponse(bson: Uint8Array): boolean {
-  const elements = parseToElementsToArray(bson, 0);
+export function isErrorResponse(bson: Uint8Array, elements: BSONElement[]): boolean {
   for (let eIdx = 0; eIdx < elements.length; eIdx++) {
     const element = elements[eIdx];
 
@@ -60,26 +61,49 @@ export function isErrorResponse(bson: Uint8Array): boolean {
 /** @internal */
 export type MongoDBResponseConstructor = {
   new (bson: Uint8Array, offset?: number, isArray?: boolean): MongoDBResponse;
+  make(bson: Uint8Array): MongoDBResponse;
 };
 
 /** @internal */
 export class MongoDBResponse extends OnDemandDocument {
+  // Wrap error thrown from BSON
+  public override get<const T extends keyof JSTypeOf>(
+    name: string | number,
+    as: T,
+    required?: false | undefined
+  ): JSTypeOf[T] | null;
+  public override get<const T extends keyof JSTypeOf>(
+    name: string | number,
+    as: T,
+    required: true
+  ): JSTypeOf[T];
+  public override get<const T extends keyof JSTypeOf>(
+    name: string | number,
+    as: T,
+    required?: boolean | undefined
+  ): JSTypeOf[T] | null {
+    try {
+      return super.get(name, as, required);
+    } catch (cause) {
+      throw new MongoUnexpectedServerResponseError(cause.message, { cause });
+    }
+  }
+
   static is(value: unknown): value is MongoDBResponse {
     return value instanceof MongoDBResponse;
   }
 
+  static make(bson: Uint8Array) {
+    const elements = parseToElementsToArray(bson, 0);
+    const isError = isErrorResponse(bson, elements);
+    return isError
+      ? new MongoDBResponse(bson, 0, false, elements)
+      : new this(bson, 0, false, elements);
+  }
+
   // {ok:1}
   static empty = new MongoDBResponse(new Uint8Array([13, 0, 0, 0, 16, 111, 107, 0, 1, 0, 0, 0, 0]));
 
-  /** Indicates this document is a server error */
-  public get isError() {
-    let isError = this.ok === 0;
-    isError ||= this.has('errmsg');
-    isError ||= this.has('code');
-    isError ||= this.has('$err'); // The '$err' field is used in OP_REPLY responses
-    return isError;
-  }
-
   /**
    * Drivers can safely assume that the `recoveryToken` field is always a BSON document but drivers MUST NOT modify the
    * contents of the document.
@@ -110,6 +134,7 @@ export class MongoDBResponse extends OnDemandDocument {
     return this.get('operationTime', BSONType.timestamp);
   }
 
+  /** Normalizes whatever BSON value is "ok" to a JS number 1 or 0. */
   public get ok(): 0 | 1 {
     return this.getNumber('ok') ? 1 : 0;
   }
@@ -144,13 +169,7 @@ export class MongoDBResponse extends OnDemandDocument {
 
   public override toObject(options?: BSONSerializeOptions): Record<string, any> {
     const exactBSONOptions = {
-      useBigInt64: options?.useBigInt64,
-      promoteLongs: options?.promoteLongs,
-      promoteValues: options?.promoteValues,
-      promoteBuffers: options?.promoteBuffers,
-      bsonRegExp: options?.bsonRegExp,
-      raw: options?.raw ?? false,
-      fieldsAsRaw: options?.fieldsAsRaw ?? {},
+      ...pluckBSONSerializeOptions(options ?? {}),
       validation: this.parseBsonSerializationOptions(options)
     };
     return super.toObject(exactBSONOptions);
@@ -169,69 +188,145 @@ export class MongoDBResponse extends OnDemandDocument {
 
 /** @internal */
 export class CursorResponse extends MongoDBResponse {
+  /**
+   * Devtools need to know which keys were encrypted before the driver automatically decrypted them.
+   * If decorating is enabled (`Symbol.for('@@mdb.decorateDecryptionResult')`), this field will be set,
+   * storing the original encrypted response from the server, so that we can build an object that has
+   * the list of BSON keys that were encrypted stored at a well known symbol: `Symbol.for('@@mdb.decryptedKeys')`.
+   */
+  encryptedResponse?: MongoDBResponse;
   /**
    * This supports a feature of the FindCursor.
    * It is an optimization to avoid an extra getMore when the limit has been reached
    */
-  static emptyGetMore = { id: new Long(0), length: 0, shift: () => null };
+  static emptyGetMore: CursorResponse = {
+    id: new Long(0),
+    length: 0,
+    shift: () => null
+  } as unknown as CursorResponse;
 
   static override is(value: unknown): value is CursorResponse {
     return value instanceof CursorResponse || value === CursorResponse.emptyGetMore;
   }
 
-  public id: Long;
-  public ns: MongoDBNamespace | null = null;
-  public batchSize = 0;
-
-  private batch: OnDemandDocument;
+  private _batch: OnDemandDocument | null = null;
   private iterated = 0;
 
-  constructor(bytes: Uint8Array, offset?: number, isArray?: boolean) {
-    super(bytes, offset, isArray);
+  get cursor() {
+    return this.get('cursor', BSONType.object, true);
+  }
 
-    const cursor = this.get('cursor', BSONType.object, true);
+  public get id(): Long {
+    try {
+      return Long.fromBigInt(this.cursor.get('id', BSONType.long, true));
+    } catch (cause) {
+      throw new MongoUnexpectedServerResponseError(cause.message, { cause });
+    }
+  }
 
-    const id = cursor.get('id', BSONType.long, true);
-    this.id = new Long(Number(id & 0xffff_ffffn), Number((id >> 32n) & 0xffff_ffffn));
+  public get ns() {
+    const namespace = this.cursor.get('ns', BSONType.string);
+    if (namespace != null) return ns(namespace);
+    return null;
+  }
+
+  public get length() {
+    return Math.max(this.batchSize - this.iterated, 0);
+  }
 
-    const namespace = cursor.get('ns', BSONType.string);
-    if (namespace != null) this.ns = ns(namespace);
+  private _encryptedBatch: OnDemandDocument | null = null;
+  get encryptedBatch() {
+    if (this.encryptedResponse == null) return null;
+    if (this._encryptedBatch != null) return this._encryptedBatch;
 
-    if (cursor.has('firstBatch')) this.batch = cursor.get('firstBatch', BSONType.array, true);
-    else if (cursor.has('nextBatch')) this.batch = cursor.get('nextBatch', BSONType.array, true);
+    const cursor = this.encryptedResponse?.get('cursor', BSONType.object);
+    if (cursor?.has('firstBatch'))
+      this._encryptedBatch = cursor.get('firstBatch', BSONType.array, true);
+    else if (cursor?.has('nextBatch'))
+      this._encryptedBatch = cursor.get('nextBatch', BSONType.array, true);
     else throw new MongoUnexpectedServerResponseError('Cursor document did not contain a batch');
 
-    this.batchSize = this.batch.size();
+    return this._encryptedBatch;
   }
 
-  get length() {
-    return Math.max(this.batchSize - this.iterated, 0);
+  private get batch() {
+    if (this._batch != null) return this._batch;
+    const cursor = this.cursor;
+    if (cursor.has('firstBatch')) this._batch = cursor.get('firstBatch', BSONType.array, true);
+    else if (cursor.has('nextBatch')) this._batch = cursor.get('nextBatch', BSONType.array, true);
+    else throw new MongoUnexpectedServerResponseError('Cursor document did not contain a batch');
+    return this._batch;
+  }
+
+  public get batchSize() {
+    return this.batch?.size();
   }
 
-  shift(options?: BSONSerializeOptions): any {
+  public get postBatchResumeToken() {
+    return (
+      this.cursor.get('postBatchResumeToken', BSONType.object)?.toObject({
+        promoteValues: false,
+        promoteLongs: false,
+        promoteBuffers: false
+      }) ?? null
+    );
+  }
+
+  public shift(options?: BSONSerializeOptions): any {
     if (this.iterated >= this.batchSize) {
       return null;
     }
 
     const result = this.batch.get(this.iterated, BSONType.object, true) ?? null;
+    const encryptedResult = this.encryptedBatch?.get(this.iterated, BSONType.object, true) ?? null;
+
     this.iterated += 1;
 
     if (options?.raw) {
       return result.toBytes();
     } else {
-      return result.toObject(options);
+      const object = result.toObject(options);
+      if (encryptedResult) {
+        decorateDecryptionResult(object, encryptedResult.toObject(options), true);
+      }
+      return object;
     }
   }
 
-  clear() {
+  public clear() {
     this.iterated = this.batchSize;
   }
+}
+
+/**
+ * Explain responses have nothing to do with cursor responses
+ * This class serves to temporarily avoid refactoring how cursors handle
+ * explain responses which is to detect that the response is not cursor-like and return the explain
+ * result as the "first and only" document in the "batch" and end the "cursor"
+ */
+export class ExplainedCursorResponse extends CursorResponse {
+  isExplain = true;
+
+  override get id(): Long {
+    return Long.fromBigInt(0n);
+  }
+
+  override get batchSize() {
+    return 0;
+  }
+
+  override get ns() {
+    return null;
+  }
 
-  pushMany() {
-    throw new Error('pushMany Unsupported method');
+  _length = 1;
+  override get length(): number {
+    return this._length;
   }
 
-  push() {
-    throw new Error('push Unsupported method');
+  override shift(options?: BSONSerializeOptions | undefined) {
+    if (this._length === 0) return null;
+    this._length -= 1;
+    return this.toObject(options);
   }
 }

package/src/constants.ts

@@ -165,3 +165,12 @@ export const LEGACY_HELLO_COMMAND = 'ismaster';
  * The legacy hello command that was deprecated in MongoDB 5.0.
  */
 export const LEGACY_HELLO_COMMAND_CAMEL_CASE = 'isMaster';
+
+// Typescript errors if we index objects with `Symbol.for(...)`, so
+// to avoid TS errors we pull them out into variables.  Then we can type
+// the objects (and class) that we expect to see them on and prevent TS
+// errors.
+/** @internal */
+export const kDecorateResult = Symbol.for('@@mdb.decorateDecryptionResult');
+/** @internal */
+export const kDecoratedKeys = Symbol.for('@@mdb.decryptedKeys');