mongodb-client-encryption
Comparing version 2.0.0-beta.0 to 2.0.0-beta.1
@@ -5,2 +5,4 @@ # Changelog | ||
## [2.0.0-beta.1](https://github.com/mongodb/libmongocrypt/compare/node-v2.0.0-beta.0...node-v2.0.0-beta.1) (2021-12-21) | ||
## [2.0.0-beta.0](https://github.com/mongodb/libmongocrypt/compare/node-v1.2.7...node-v2.0.0-beta.0) (2021-10-07) | ||
@@ -7,0 +9,0 @@ |
import type { Binary } from 'bson'; | ||
import type { MongoClient } from 'mongodb'; | ||
export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local'; | ||
export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local' | 'kmip'; | ||
@@ -12,2 +12,12 @@ /** | ||
/** | ||
* A set of options for specifying a Socks5 proxy. | ||
*/ | ||
export interface ProxyOptions { | ||
host: string; | ||
port?: number; | ||
username?: string; | ||
password?: string; | ||
} | ||
export interface ClientEncryptionCreateDataKeyCallback { | ||
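Review bot: The new `ProxyOptions` interface documents none of its fields, yet two of them carry security-relevant behaviour that a caller cannot see from the type alone: the state machine falls back to port 1080 when `port` is omitted, and `username`/`password` select SOCKS5 username/password authentication (RFC 1929), which transmits both values to the proxy in cleartext. I would add `/** Proxy port; defaults to 1080 when omitted. */` above `port?`, and `/** Credentials for SOCKS5 username/password auth; sent to the proxy unencrypted, so do not reuse a real secret here. */` above `username?`. `host` should also say it is the only required member and that no proxy is used unless it is set.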
@@ -74,2 +84,14 @@ /** | ||
/** | ||
* Configuration options for using 'kmip' as your KMS provider | ||
*/ | ||
kmip?: { | ||
/** | ||
* The output endpoint string. | ||
* The endpoint consists of a hostname and port separated by a colon. | ||
* E.g. "example.com:123". A port is always present. | ||
*/ | ||
endpoint?: string; | ||
}; | ||
/** | ||
* Configuration options for using 'azure' as your KMS provider | ||
@@ -125,2 +147,37 @@ */ | ||
/** | ||
* TLS options to use when connecting. The spec specifically calls out which insecure | ||
* tls options are not allowed: | ||
* | ||
* - tlsAllowInvalidCertificates | ||
* - tlsAllowInvalidHostnames | ||
* - tlsInsecure | ||
* - tlsDisableOCSPEndpointCheck | ||
* - tlsDisableCertificateRevocationCheck | ||
*/ | ||
export interface ClientEncryptionTLSOptions { | ||
/** | ||
* Enables or disables TLS/SSL for the connection. | ||
*/ | ||
tls?: boolean; | ||
/** | ||
* Specifies the location of a local .pem file that contains | ||
* either the client's TLS/SSL certificate and key or only the | ||
* client's TLS/SSL key when tlsCertificateFile is used to | ||
* provide the certificate. | ||
*/ | ||
tlsCertificateKeyFile?: string; | ||
/** | ||
* Specifies the password to de-crypt the tlsCertificateKeyFile. | ||
*/ | ||
tlsCertificateKeyFilePassword?: string; | ||
/** | ||
* Specifies the location of a local .pem file that contains the | ||
* root certificate chain from the Certificate Authority. | ||
* This file is used to validate the certificate presented by the | ||
* KMS provider. | ||
*/ | ||
tlsCAFile?: string; | ||
} | ||
/** | ||
* Additional settings to provide when creating a new `ClientEncryption` instance. | ||
@@ -143,2 +200,12 @@ */ | ||
kmsProviders?: KMSProviders; | ||
/** | ||
* Options for specifying a Socks5 proxy to use for connecting to the KMS. | ||
*/ | ||
proxyOptions?: ProxyOptions; | ||
/** | ||
* TLS options for kms providers to use. | ||
*/ | ||
tlsOptions?: ClientEncryptionTLSOptions; | ||
} | ||
@@ -145,0 +212,0 @@ |
@@ -101,3 +101,3 @@ 'use strict'; | ||
useUnifiedTopology: true, | ||
serverSelectionTimeoutMS: 1000 | ||
serverSelectionTimeoutMS: 10000 | ||
}); | ||
@@ -216,3 +216,3 @@ } | ||
const stateMachine = new StateMachine(Object.assign({ bson }, options)); | ||
const stateMachine = new StateMachine({ bson, ...options, proxyOptions: this._proxyOptions }); | ||
stateMachine.execute(this, context, callback); | ||
@@ -248,3 +248,3 @@ } | ||
const stateMachine = new StateMachine(Object.assign({ bson }, options)); | ||
const stateMachine = new StateMachine({ bson, ...options, proxyOptions: this._proxyOptions }); | ||
stateMachine.execute(this, context, callback); | ||
@@ -251,0 +251,0 @@ } |
@@ -68,2 +68,3 @@ 'use strict'; | ||
this._bson = options.bson || client.topology.bson; | ||
this._proxyOptions = options.proxyOptions; | ||
@@ -202,3 +203,3 @@ if (options.keyVaultNamespace == null) { | ||
const context = this._mongoCrypt.makeDataKeyContext(dataKeyBson, { keyAltNames }); | ||
const stateMachine = new StateMachine({ bson }); | ||
const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions }); | ||
@@ -295,3 +296,3 @@ return promiseOrCallback(callback, cb => { | ||
const stateMachine = new StateMachine({ bson }); | ||
const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions }); | ||
const context = this._mongoCrypt.makeExplicitEncryptionContext(valueBuffer, contextOptions); | ||
@@ -341,3 +342,3 @@ | ||
const stateMachine = new StateMachine({ bson }); | ||
const stateMachine = new StateMachine({ bson, proxyOptions: this._proxyOptions }); | ||
@@ -344,0 +345,0 @@ return promiseOrCallback(callback, cb => { |
@@ -5,2 +5,5 @@ 'use strict'; | ||
const tls = require('tls'); | ||
const net = require('net'); | ||
const { once } = require('events'); | ||
const { SocksClient } = require('socks'); | ||
@@ -228,23 +231,65 @@ // Try first to import 4.x name, fallback to 3.x name | ||
return new Promise((resolve, reject) => { | ||
return new Promise(async (resolve, reject) => { | ||
const buffer = new BufferList(); | ||
const socket = tls.connect(options, () => { | ||
socket.write(message); | ||
}); | ||
socket.once('timeout', () => { | ||
socket.removeAllListeners(); | ||
socket.destroy(); | ||
let socket; | ||
let rawSocket; | ||
function destroySockets() { | ||
for (const sock of [socket, rawSocket]) { | ||
if (sock) { | ||
sock.removeAllListeners(); | ||
sock.destroy(); | ||
} | ||
} | ||
} | ||
function ontimeout() { | ||
destroySockets(); | ||
reject(new MongoCryptError('KMS request timed out')); | ||
}); | ||
} | ||
socket.once('error', err => { | ||
socket.removeAllListeners(); | ||
socket.destroy(); | ||
function onerror(err) { | ||
destroySockets(); | ||
const mcError = new MongoCryptError('KMS request failed'); | ||
mcError.originalError = err; | ||
reject(mcError); | ||
} | ||
if (this.options.proxyOptions && this.options.proxyOptions.host) { | ||
rawSocket = net.connect({ | ||
host: this.options.proxyOptions.host, | ||
port: this.options.proxyOptions.port || 1080 | ||
}); | ||
rawSocket.on('timeout', ontimeout); | ||
rawSocket.on('error', onerror); | ||
try { | ||
await once(rawSocket, 'connect'); | ||
options.socket = ( | ||
await SocksClient.createConnection({ | ||
existing_socket: rawSocket, | ||
command: 'connect', | ||
destination: { host: options.host, port: options.port }, | ||
proxy: { | ||
host: 'locahost', | ||
port: 0, | ||
type: 5, | ||
userId: this.options.proxyOptions.username, | ||
password: this.options.proxyOptions.username | ||
} | ||
}) | ||
).socket; | ||
} catch (err) { | ||
return onerror(err); | ||
} | ||
} | ||
socket = tls.connect(options, () => { | ||
socket.write(message); | ||
}); | ||
socket.once('timeout', ontimeout); | ||
socket.once('error', onerror); | ||
socket.on('data', data => { | ||
@@ -251,0 +296,0 @@ buffer.append(data); |
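Review bot: The SOCKS5 credentials are wired up wrong in the `SocksClient.createConnection` call: the `password:` line passes `this.options.proxyOptions.username`, so the configured proxy password is never used and a proxy that requires username/password authentication will reject the connection; it should read `password: this.options.proxyOptions.password`. Two lines above, `host: 'locahost'` is a typo for `'localhost'`, and since the connection is supplied via `existing_socket` the proxy `host`/`port` look like placeholders — worth a comment such as `// proxy.host/port are unused: the TCP connection is supplied via existing_socket`. The new `rawSocket.on('timeout', ontimeout)` listener has no matching `rawSocket.setTimeout(...)` in this hunk, so unless a timeout is set elsewhere a hung proxy connect will never reject the request promise. Making the executor `async` also means any throw before the `try` (e.g. from `net.connect` argument validation) becomes an unhandled rejection rather than a rejected request. The enclosing function starts before and continues past this hunk.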
{ | ||
"name": "mongodb-client-encryption", | ||
"version": "2.0.0-beta.0", | ||
"version": "2.0.0-beta.1", | ||
"description": "Official client encryption module for the MongoDB Node.js driver", | ||
@@ -43,3 +43,4 @@ "main": "index.js", | ||
"node-addon-api": "^4.1.0", | ||
"prebuild-install": "6.1.2" | ||
"prebuild-install": "6.1.2", | ||
"socks": "^2.6.1" | ||
}, | ||
@@ -46,0 +47,0 @@ "devDependencies": { |
+ Addedsocks@^2.6.1
+ Addedip-address@9.0.5(transitive)
+ Addedjsbn@1.1.0(transitive)
+ Addedsmart-buffer@4.2.0(transitive)
+ Addedsocks@2.8.3(transitive)
+ Addedsprintf-js@1.1.3(transitive)