test(NODE-6804): implement more invalid KMS tests and set strict unhandled rejection flag

Author: nbbeeken

.mocharc.js

@@ -17,5 +17,8 @@ module.exports = {
   reporter: 'test/tools/reporter/mongodb_reporter.js',
   sort: true,
   color: true,
-  'node-option': Number(major) >= 23 ? ['no-experimental-strip-types'] : undefined
+  'node-option': [
+    ...(Number(major) >= 23 ? ['no-experimental-strip-types'] : []),
+    'unhandled-rejections=strict'
+  ]
 };

test/csfle-kms-providers.js

@@ -39,7 +39,34 @@ const keys = [
 const isInEnvironment = key => typeof process.env[key] === 'string' && process.env[key].length > 0;
 const missingKeys = keys.filter(key => !isInEnvironment(key)).join(',');
 
+/**
+ * @deprecated Please use getCSFLEKMSProviders
+ *
+ * This helper was written for the JS tests in test/integration/client-side-encryption/client_side_encryption.prose.test.js
+ * As we migrate tests to bespoke files per prose numbered test we moved this helper here so we did not create a copy.
+ */
+const getKmsProviders = (localKey, kmipEndpoint, azureEndpoint, gcpEndpoint) => {
+  const result = getCSFLEKMSProviders();
+  if (localKey) {
+    result.local = { key: localKey };
+  }
+  result.kmip = {
+    endpoint: kmipEndpoint || 'localhost:5698'
+  };
+
+  if (result.azure && azureEndpoint) {
+    result.azure.identityPlatformEndpoint = azureEndpoint;
+  }
+
+  if (result.gcp && gcpEndpoint) {
+    result.gcp.endpoint = gcpEndpoint;
+  }
+
+  return result;
+};
+
 module.exports = {
+  getKmsProviders,
   getCSFLEKMSProviders,
   kmsCredentialsPresent: missingKeys === '',
   missingKeys

test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts

@@ -0,0 +1,85 @@
+import { expect } from 'chai';
+
+import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
+import { ClientEncryption, type MongoClient } from '../../mongodb';
+
+const metadata: MongoDBMetadataUI = {
+  requires: {
+    clientSideEncryption: true,
+    mongodb: '>=4.2.0',
+    topology: '!load-balanced'
+  }
+};
+
+describe('10. KMS TLS Tests', metadata, () => {
+  let keyVaultClient: MongoClient;
+  let clientEncryption: ClientEncryption;
+
+  const keyVaultNamespace = 'keyvault.datakeys';
+
+  beforeEach(async function () {
+    keyVaultClient = this.configuration.newClient();
+    clientEncryption = new ClientEncryption(keyVaultClient, {
+      keyVaultNamespace,
+      kmsProviders: getCSFLEKMSProviders()
+    });
+  });
+
+  afterEach(async function () {
+    await keyVaultClient.close();
+  });
+
+  describe('Invalid KMS Certificate', function () {
+    const masterKey = {
+      region: 'us-east-1',
+      key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
+      endpoint: '127.0.0.1:9000'
+    };
+
+    it('fails with a relevant error message', metadata, async function () {
+      const error = await clientEncryption.createDataKey('aws', { masterKey }).then(
+        () => null,
+        error => error
+      );
+
+      /**
+       * Expect this to fail with an exception with a message referencing an expired certificate.
+       * This message will be language dependent.
+       * - In Python, this message is "certificate verify failed: certificate has expired".
+       * - In Go, this message is "certificate has expired or is not yet valid".
+       *
+       * If the language of implementation has a single, generic error message for all certificate validation errors, drivers may inspect other fields of the error to verify its meaning.
+       */
+
+      expect(error).to.have.property('cause').that.has.property('code', 'CERT_HAS_EXPIRED');
+    });
+  });
+
+  describe('Invalid Hostname in KMS Certificate', function () {
+    const masterKey = {
+      region: 'us-east-1',
+      key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
+      endpoint: '127.0.0.1:9001'
+    };
+
+    it('fails with a relevant error message', metadata, async function () {
+      const error = await clientEncryption.createDataKey('aws', { masterKey }).then(
+        () => null,
+        error => error
+      );
+
+      /**
+       * Expect this to fail with an exception with a message referencing an incorrect or unexpected host.
+       * This message will be language dependent.
+       * - In Python, this message is "certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'".
+       * - In Go, this message is "cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs".
+       *
+       * If the language of implementation has a single, generic error message for all certificate validation errors, drivers may inspect other fields of the error to verify its meaning.
+       */
+
+      expect(error)
+        .to.have.property('cause')
+        .that.has.property('code', 'SELF_SIGNED_CERT_IN_CHAIN');
+    });
+  });
+});