MONGOSH-523 - AutoEncryption only run on enterprise

aherlihy · aherlihy · commit d410602e0f05 · 2021-01-12T18:13:21.000+01:00
diff --git a/packages/service-provider-server/src/cli-service-provider.spec.ts b/packages/service-provider-server/src/cli-service-provider.spec.ts
@@ -3,7 +3,7 @@ import chai, { expect } from 'chai';
 import { Collection, Db, MongoClient } from 'mongodb';
 import sinonChai from 'sinon-chai';
 import sinon, { StubbedInstance, stubInterface } from 'ts-sinon';
-import CliServiceProvider from './cli-service-provider';
+import CliServiceProvider, { connectMongoClient } from './cli-service-provider';
 
 chai.use(sinonChai);
 
@@ -34,6 +34,78 @@ describe('CliServiceProvider', () => {
   let serviceProvider: CliServiceProvider;
   let collectionStub: StubbedInstance<Collection>;
 
+  describe('connectMongoClient', () => {
+    it('connects once when no AutoEncryption set', async() => {
+      const uri = 'localhost:27017';
+      const mClientType = stubInterface<typeof MongoClient>();
+      const mClient = stubInterface<MongoClient>();
+      mClientType.connect.onFirstCall().resolves(mClient);
+      const result = await connectMongoClient(uri, {}, mClientType);
+      const calls = mClientType.connect.getCalls();
+      expect(calls.length).to.equal(1);
+      expect(calls[0].args).to.deep.equal([
+        uri, {}
+      ]);
+      expect(result).to.equal(mClient);
+    });
+    it('connects once when bypassAutoEncryption is true', async() => {
+      const uri = 'localhost:27017';
+      const opts = { autoEncryption: { bypassAutoEncryption: true } };
+      const mClientType = stubInterface<typeof MongoClient>();
+      const mClient = stubInterface<MongoClient>();
+      mClientType.connect.onFirstCall().resolves(mClient);
+      const result = await connectMongoClient(uri, opts, mClientType);
+      const calls = mClientType.connect.getCalls();
+      expect(calls.length).to.equal(1);
+      expect(calls[0].args).to.deep.equal([
+        uri, opts
+      ]);
+      expect(result).to.equal(mClient);
+    });
+    it('connects twice when bypassAutoEncryption is false and enterprise via modules', async() => {
+      const uri = 'localhost:27017';
+      const opts = { autoEncryption: { bypassAutoEncryption: false } };
+      const mClientType = stubInterface<typeof MongoClient>();
+      const mClientFirst = stubInterface<MongoClient>();
+      const commandSpy = sinon.spy();
+      mClientFirst.db.returns({ admin: () => ({ command: (...args) => {
+        commandSpy(...args);
+        return { modules: [ 'enterprise' ] };
+      } } as any) } as any);
+      const mClientSecond = stubInterface<MongoClient>();
+      mClientType.connect.onFirstCall().resolves(mClientFirst);
+      mClientType.connect.onSecondCall().resolves(mClientSecond);
+      const result = await connectMongoClient(uri, opts, mClientType);
+      const calls = mClientType.connect.getCalls();
+      expect(calls.length).to.equal(2);
+      expect(calls[0].args).to.deep.equal([
+        uri, {}
+      ]);
+      expect(commandSpy).to.have.been.calledOnceWithExactly({ buildInfo: 1 });
+      expect(result).to.equal(mClientSecond);
+    });
+    it('errors when bypassAutoEncryption is falsy and not enterprise', async() => {
+      const uri = 'localhost:27017';
+      const opts = { autoEncryption: {} };
+      const mClientType = stubInterface<typeof MongoClient>();
+      const mClientFirst = stubInterface<MongoClient>();
+      const commandSpy = sinon.spy();
+      mClientFirst.db.returns({ admin: () => ({ command: (...args) => {
+        commandSpy(...args);
+        return { modules: [] };
+      } } as any) } as any);
+      const mClientSecond = stubInterface<MongoClient>();
+      mClientType.connect.onFirstCall().resolves(mClientFirst);
+      mClientType.connect.onSecondCall().resolves(mClientSecond);
+      try {
+        await connectMongoClient(uri, opts, mClientType);
+      } catch (e) {
+        return expect(e.message).to.include('automatic encryption');
+      }
+      expect.fail('Failed to throw expected error');
+    });
+  });
+
   describe('#constructor', () => {
     const mongoClient: any = sinon.spy();
     serviceProvider = new CliServiceProvider(mongoClient);
diff --git a/packages/service-provider-server/src/cli-service-provider.ts b/packages/service-provider-server/src/cli-service-provider.ts
@@ -73,7 +73,7 @@ import {
   bson as BSON
 } from '@mongosh/service-provider-core';
 
-import { MongoshCommandFailed, MongoshInternalError } from '@mongosh/errors';
+import { MongoshCommandFailed, MongoshInternalError, MongoshRuntimeError } from '@mongosh/errors';
 
 const bsonlib = {
   Binary,
@@ -119,7 +119,35 @@ const DEFAULT_BASE_OPTIONS = Object.freeze({
 });
 
 /**
- * Encapsulates logic for the service provider for the mongosh CLI.
+ * Connect a MongoClient. If AutoEncryption is requested, first connect without the encryption options and verify that
+ * the connection is to an enterprise cluster. If not, then error, otherwise close the connection and reconnect with the
+ * options the user initially specified. Provide the client class as an additional argument in order to test.
+ * @param uri {String}
+ * @param clientOptions {MongoClientOptions}
+ * @param mClient {MongoClient}
+ */
+export async function connectMongoClient(uri: string, clientOptions: MongoClientOptions, mClient = MongoClient): Promise<MongoClient | void> {
+  if (clientOptions.autoEncryption !== undefined &&
+    !clientOptions.autoEncryption.bypassAutoEncryption) {
+    // connect first without autoEncryptionOptions
+    const optionsWithoutFLE = { ...clientOptions };
+    delete optionsWithoutFLE.autoEncryption;
+    const client = await mClient.connect(uri, optionsWithoutFLE);
+    const buildInfo = await client.db('admin').admin().command({ buildInfo: 1 });
+    if (
+      !(buildInfo.gitVersion && buildInfo.gitVersion.match(/enterprise/)) &&
+      !(buildInfo.modules && buildInfo.modules.indexOf('enterprise') !== -1)
+    ) {
+      await client.close();
+      throw new MongoshRuntimeError('Cannot turn on automatic encryption for connections to non-enterprise hosts');
+    }
+    await client.close();
+  }
+  return mClient.connect(uri, clientOptions);
+}
+
+/**
+   * Encapsulates logic for the service provider for the mongosh CLI.
  */
 class CliServiceProvider extends ServiceProviderCore implements ServiceProvider {
   /**
@@ -142,10 +170,10 @@ class CliServiceProvider extends ServiceProviderCore implements ServiceProvider
     };
 
     const mongoClient = !cliOptions.nodb ?
-      await MongoClient.connect(
+      await connectMongoClient(
         uri,
         clientOptions
-      ) :
+      ) as MongoClient :
       new MongoClient(uri || 'mongodb://nodb/', clientOptions);
 
     return new CliServiceProvider(mongoClient, clientOptions, uri);
@@ -192,10 +220,10 @@ class CliServiceProvider extends ServiceProviderCore implements ServiceProvider
       ...options
     };
 
-    const mongoClient = await MongoClient.connect(
+    const mongoClient = await connectMongoClient(
       uri,
       clientOptions
-    );
+    ) as MongoClient;
     return new CliServiceProvider(mongoClient, uri);
   }
 
@@ -1023,10 +1051,10 @@ class CliServiceProvider extends ServiceProviderCore implements ServiceProvider
     };
     if (authDoc.mechanism) clientOptions.authMechanism = authDoc.mechanism as AuthMechanismId;
     if (authDoc.authDb) clientOptions.authSource = authDoc.authDb;
-    const mc = await MongoClient.connect(
+    const mc = await connectMongoClient(
       this.uri as string,
       clientOptions
-    );
+    ) as MongoClient;
     try {
       await this.mongoClient.close();
       // eslint-disable-next-line no-empty
@@ -1092,10 +1120,10 @@ class CliServiceProvider extends ServiceProviderCore implements ServiceProvider
       ...this.initialOptions,
       ...options
     };
-    const mc = await MongoClient.connect(
+    const mc = await connectMongoClient(
       this.uri as string,
       clientOptions
-    );
+    ) as MongoClient;
     try {
       await this.mongoClient.close();
       // eslint-disable-next-line no-empty
