fix(NODE-3166): allowInvalidHostnames and allowInvalidCertificates fl…

…ags are ignored (#2784)
mongodb · Apr 22, 2021 · a769cf8 · a769cf8
1 parent 76b110e
commit a769cf8
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 4 deletions.
diff --git a/src/connection_string.ts b/src/connection_string.ts
@@ -938,10 +938,18 @@ export const OPTIONS = {
     type: 'boolean'
   },
   tlsAllowInvalidCertificates: {
-    type: 'boolean'
+    target: 'rejectUnauthorized',
+    transform({ name, values: [value] }) {
+      // allowInvalidCertificates is the inverse of rejectUnauthorized
+      return !getBoolean(name, value);
+    }
   },
   tlsAllowInvalidHostnames: {
-    type: 'boolean'
+    target: 'checkServerIdentity',
+    transform({ name, values: [value] }) {
+      // tlsAllowInvalidHostnames means setting the checkServerIdentity function to a noop
+      return getBoolean(name, value) ? () => undefined : undefined;
+    }
   },
   tlsCAFile: {
     target: 'ca',
@@ -969,10 +977,12 @@ export const OPTIONS = {
     transform({ name, options, values: [value] }) {
       const tlsInsecure = getBoolean(name, value);
       if (tlsInsecure) {
-        options.checkServerIdentity = undefined;
+        options.checkServerIdentity = () => undefined;
         options.rejectUnauthorized = false;
       } else {
-        options.checkServerIdentity = options.tlsAllowInvalidHostnames ? undefined : (true as any);
+        options.checkServerIdentity = options.tlsAllowInvalidHostnames
+          ? () => undefined
+          : undefined;
         options.rejectUnauthorized = options.tlsAllowInvalidCertificates ? false : true;
       }
       return tlsInsecure;

diff --git a/test/unit/mongo_client_options.test.js b/test/unit/mongo_client_options.test.js
@@ -296,4 +296,44 @@ describe('MongoOptions', function () {
     expect(options.credentials.username).to.equal('USERNAME');
     expect(options.credentials.password).to.equal('PASSWORD');
   });
+
+  it('transforms tlsAllowInvalidCertificates and tlsAllowInvalidHostnames correctly', function () {
+    const optionsTrue = parseOptions('mongodb://localhost/', {
+      tlsAllowInvalidCertificates: true,
+      tlsAllowInvalidHostnames: true
+    });
+    expect(optionsTrue.rejectUnauthorized).to.equal(false);
+    expect(optionsTrue.checkServerIdentity).to.be.a('function');
+    expect(optionsTrue.checkServerIdentity()).to.equal(undefined);
+
+    const optionsFalse = parseOptions('mongodb://localhost/', {
+      tlsAllowInvalidCertificates: false,
+      tlsAllowInvalidHostnames: false
+    });
+    expect(optionsFalse.rejectUnauthorized).to.equal(true);
+    expect(optionsFalse.checkServerIdentity).to.equal(undefined);
+
+    const optionsUndefined = parseOptions('mongodb://localhost/');
+    expect(optionsUndefined.rejectUnauthorized).to.equal(undefined);
+    expect(optionsUndefined.checkServerIdentity).to.equal(undefined);
+  });
+
+  it('transforms tlsInsecure correctly', function () {
+    const optionsTrue = parseOptions('mongodb://localhost/', {
+      tlsInsecure: true
+    });
+    expect(optionsTrue.rejectUnauthorized).to.equal(false);
+    expect(optionsTrue.checkServerIdentity).to.be.a('function');
+    expect(optionsTrue.checkServerIdentity()).to.equal(undefined);
+
+    const optionsFalse = parseOptions('mongodb://localhost/', {
+      tlsInsecure: false
+    });
+    expect(optionsFalse.rejectUnauthorized).to.equal(true);
+    expect(optionsFalse.checkServerIdentity).to.equal(undefined);
+
+    const optionsUndefined = parseOptions('mongodb://localhost/');
+    expect(optionsUndefined.rejectUnauthorized).to.equal(undefined);
+    expect(optionsUndefined.checkServerIdentity).to.equal(undefined);
+  });
 });