feat(NODE-5376)!: remove deprecated ssl options (#3755)

Author: durran

Diff for: etc/notes/CHANGES_6.0.0.md

@@ -0,0 +1,24 @@
+# Changes in the MongoDB Node.js Driver v6
+
+## About
+
+The following is a detailed collection of the changes in the major v6 release of the `mongodb` package for Node.js.
+
+## Contents
+
+- [Changes](#changes)
+  - [Deprecated SSL options removed](#deprecated-ssl-options-removed)
+
+## Changes
+
+### Deprecated SSL options removed
+
+The following deprecated SSL/TLS options have now been removed (-> indicating the corresponding option):
+
+  - `sslCA` -> `tlsCAFile`
+  - `sslCRL`
+  - `sslCert` -> `tlsCertificateKeyFile`
+  - `sslKey` -> `tlsCertificateKeyFile`
+  - `sslPass` -> `tlsCertificateKeyFilePassword`
+  - `sslValidate` -> `tlsAllowInvalidCertificates`
+  - `tlsCertificateFile` -> `tlsCertificateKeyFile`

Diff for: src/connection_string.ts

@@ -347,13 +347,6 @@ export function parseOptions(
     allProvidedOptions.set(key, values);
   }
 
-  if (
-    allProvidedOptions.has('tlsCertificateKeyFile') &&
-    !allProvidedOptions.has('tlsCertificateFile')
-  ) {
-    allProvidedOptions.set('tlsCertificateFile', allProvidedOptions.get('tlsCertificateKeyFile'));
-  }
-
   if (allProvidedOptions.has('tls') || allProvidedOptions.has('ssl')) {
     const tlsAndSslOpts = (allProvidedOptions.get('tls') || [])
       .concat(allProvidedOptions.get('ssl') || [])
@@ -1096,50 +1089,6 @@ export const OPTIONS = {
     target: 'tls',
     type: 'boolean'
   },
-  sslCA: {
-    deprecated:
-      'sslCA is deprecated and will be removed in the next major version. Please use tlsCAFile instead.',
-    target: 'ca',
-    transform({ values: [value] }) {
-      return fs.readFileSync(String(value), { encoding: 'ascii' });
-    }
-  },
-  sslCRL: {
-    deprecated:
-      'sslCRL is deprecated and will be removed in the next major version. Please use tlsCertificateKeyFile instead.',
-    target: 'crl',
-    transform({ values: [value] }) {
-      return fs.readFileSync(String(value), { encoding: 'ascii' });
-    }
-  },
-  sslCert: {
-    deprecated:
-      'sslCert is deprecated and will be removed in the next major version. Please use tlsCertificateKeyFile instead.',
-    target: 'cert',
-    transform({ values: [value] }) {
-      return fs.readFileSync(String(value), { encoding: 'ascii' });
-    }
-  },
-  sslKey: {
-    deprecated:
-      'sslKey is deprecated and will be removed in the next major version. Please use tlsCertificateKeyFile instead.',
-    target: 'key',
-    transform({ values: [value] }) {
-      return fs.readFileSync(String(value), { encoding: 'ascii' });
-    }
-  },
-  sslPass: {
-    deprecated:
-      'sslPass is deprecated and will be removed in the next major version. Please use tlsCertificateKeyFilePassword instead.',
-    target: 'passphrase',
-    type: 'string'
-  },
-  sslValidate: {
-    deprecated:
-      'sslValidate is deprecated and will be removed in the next major version. Please use tlsAllowInvalidCertificates instead.',
-    target: 'rejectUnauthorized',
-    type: 'boolean'
-  },
   tls: {
     type: 'boolean'
   },
@@ -1163,14 +1112,6 @@ export const OPTIONS = {
       return fs.readFileSync(String(value), { encoding: 'ascii' });
     }
   },
-  tlsCertificateFile: {
-    deprecated:
-      'tlsCertificateFile is deprecated and will be removed in the next major version. Please use tlsCertificateKeyFile instead.',
-    target: 'cert',
-    transform({ values: [value] }) {
-      return fs.readFileSync(String(value), { encoding: 'ascii' });
-    }
-  },
   tlsCertificateKeyFile: {
     target: 'key',
     transform({ values: [value] }) {

Diff for: src/deps.ts

@@ -208,9 +208,7 @@ export type AutoEncryptionLoggerLevel =
 export interface AutoEncryptionTlsOptions {
   /**
    * Specifies the location of a local .pem file that contains
-   * either the client's TLS/SSL certificate and key or only the
-   * client's TLS/SSL key when tlsCertificateFile is used to
-   * provide the certificate.
+   * either the client's TLS/SSL certificate and key.
    */
   tlsCertificateKeyFile?: string;
   /**

Diff for: src/mongo_client.ts

@@ -108,12 +108,7 @@ export interface MongoClientOptions extends BSONSerializeOptions, SupportedNodeC
   tls?: boolean;
   /** A boolean to enable or disables TLS/SSL for the connection. (The ssl option is equivalent to the tls option.) */
   ssl?: boolean;
-  /**
-   * Specifies the location of a local TLS Certificate
-   * @deprecated Will be removed in the next major version. Please use tlsCertificateKeyFile instead.
-   */
-  tlsCertificateFile?: string;
-  /** Specifies the location of a local .pem file that contains either the client's TLS/SSL certificate and key or only the client's TLS/SSL key when tlsCertificateFile is used to provide the certificate. */
+  /** Specifies the location of a local .pem file that contains either the client's TLS/SSL certificate and key. */
   tlsCertificateKeyFile?: string;
   /** Specifies the password to de-crypt the tlsCertificateKeyFile. */
   tlsCertificateKeyFilePassword?: string;
@@ -211,36 +206,6 @@ export interface MongoClientOptions extends BSONSerializeOptions, SupportedNodeC
    * @see https://www.mongodb.com/docs/manual/reference/write-concern/
    */
   writeConcern?: WriteConcern | WriteConcernSettings;
-  /**
-   * Validate mongod server certificate against Certificate Authority
-   * @deprecated Will be removed in the next major version. Please use tlsAllowInvalidCertificates instead.
-   */
-  sslValidate?: boolean;
-  /**
-   * SSL Certificate file path.
-   * @deprecated Will be removed in the next major version. Please use tlsCAFile instead.
-   */
-  sslCA?: string;
-  /**
-   * SSL Certificate file path.
-   * @deprecated Will be removed in the next major version. Please use tlsCertificateKeyFile instead.
-   */
-  sslCert?: string;
-  /**
-   * SSL Key file file path.
-   * @deprecated Will be removed in the next major version. Please use tlsCertificateKeyFile instead.
-   */
-  sslKey?: string;
-  /**
-   * SSL Certificate pass phrase.
-   * @deprecated Will be removed in the next major version. Please use tlsCertificateKeyFilePassword instead.
-   */
-  sslPass?: string;
-  /**
-   * SSL Certificate revocation list file path.
-   * @deprecated Will be removed in the next major version. Please use tlsCertificateKeyFile instead.
-   */
-  sslCRL?: string;
   /** TCP Connection no delay */
   noDelay?: boolean;
   /** @deprecated TCP Connection keep alive enabled. Will not be able to turn off in the future. */
@@ -805,16 +770,15 @@ export interface MongoOptions
    *
    * ### Additional options:
    *
-   * | nodejs native option  | driver spec compliant option name             | legacy option name | driver option type |
-   * |:----------------------|:----------------------------------------------|:-------------------|:-------------------|
-   * | `ca`                  | `tlsCAFile`                                   | `sslCA`            | `string`           |
-   * | `crl`                 | N/A                                           | `sslCRL`           | `string`           |
-   * | `cert`                | `tlsCertificateFile`, `tlsCertificateKeyFile` | `sslCert`          | `string`           |
-   * | `key`                 | `tlsCertificateKeyFile`                       | `sslKey`           | `string`           |
-   * | `passphrase`          | `tlsCertificateKeyFilePassword`               | `sslPass`          | `string`           |
-   * | `rejectUnauthorized`  | `tlsAllowInvalidCertificates`                 | `sslValidate`      | `boolean`          |
-   * | `checkServerIdentity` | `tlsAllowInvalidHostnames`                    | N/A                | `boolean`          |
-   * | see note below        | `tlsInsecure`                                 | N/A                | `boolean`          |
+   * | nodejs native option  | driver spec compliant option name             | driver option type |
+   * |:----------------------|:----------------------------------------------|:-------------------|
+   * | `ca`                  | `tlsCAFile`                                   | `string`           |
+   * | `crl`                 | N/A                                           | `string`           |
+   * | `key`                 | `tlsCertificateKeyFile`                       | `string`           |
+   * | `passphrase`          | `tlsCertificateKeyFilePassword`               | `string`           |
+   * | `rejectUnauthorized`  | `tlsAllowInvalidCertificates`                 | `boolean`          |
+   * | `checkServerIdentity` | `tlsAllowInvalidHostnames`                    | `boolean`          |
+   * | see note below        | `tlsInsecure`                                 | `boolean`          |
    *
    * If `tlsInsecure` is set to `true`, then it will set the node native options `checkServerIdentity`
    * to a no-op and `rejectUnauthorized` to `false`.

Diff for: test/integration/node-specific/bson-options/ignore_undefined.test.js

@@ -56,8 +56,7 @@ describe('Ignore Undefined', function () {
         const client = configuration.newClient(
           {},
           {
-            ignoreUndefined: true,
-            sslValidate: false
+            ignoreUndefined: true
           }
         );
 

Diff for: test/types/community/changes_from_36.test-d.ts

@@ -25,16 +25,6 @@ expectNotType<boolean>(options.readPreference);
 expectNotType<{}>(options.pkFactory);
 // .checkServerIdentity cannot be `true`
 expectNotType<true>(options.checkServerIdentity);
-// .sslCA cannot be string[]
-expectNotType<string[]>(options.sslCA);
-// .sslCRL cannot be string[]
-expectNotType<string[]>(options.sslCRL);
-// .sslCert cannot be a Buffer
-expectNotType<Buffer>(options.sslCert);
-// .sslKey cannot be a Buffer
-expectNotType<Buffer>(options.sslKey);
-// .sslPass cannot be a Buffer
-expectNotType<Buffer>(options.sslPass);
 
 // Legacy option kept
 expectType<PropExists<MongoClientOptions, 'w'>>(true);
@@ -60,7 +50,6 @@ expectType<ReadPreferenceMode | ReadPreference | undefined>(options.readPreferen
 expectType<boolean | undefined>(options.promoteValues);
 expectType<number | undefined>(options.family);
 expectType<boolean | undefined>(options.ssl);
-expectType<boolean | undefined>(options.sslValidate);
 expectAssignable<((host: string, cert: PeerCertificate) => Error | undefined) | undefined>(
   options.checkServerIdentity
 );

Diff for: test/types/community/client.test-d.ts

@@ -25,7 +25,7 @@ const options: MongoClientOptions = {
   maxPoolSize: 1,
   family: 4,
   ssl: true,
-  sslValidate: false,
+  tlsAllowInvalidCertificates: false,
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
   checkServerIdentity(host, cert) {
     return undefined;

Diff for: test/unit/mongo_client.test.js

@@ -34,11 +34,8 @@ describe('MongoOptions', function () {
     fs.closeSync(fs.openSync(filename, 'w'));
     const options = parseOptions('mongodb://localhost:27017/?ssl=true', {
       tlsCertificateKeyFile: filename,
-      tlsCertificateFile: filename,
       tlsCAFile: filename,
-      sslCRL: filename,
-      tlsCertificateKeyFilePassword: 'tlsCertificateKeyFilePassword',
-      sslValidate: false
+      tlsCertificateKeyFilePassword: 'tlsCertificateKeyFilePassword'
     });
     fs.unlinkSync(filename);
 
@@ -47,27 +44,24 @@ describe('MongoOptions', function () {
      *
      * ### Additional options:
      *
-     * |    nodejs option     | MongoDB equivalent                                 | type                                   |
-     * |:---------------------|----------------------------------------------------|:---------------------------------------|
-     * | `ca`                 | sslCA, tlsCAFile                                   | `string \| Buffer \| Buffer[]`         |
-     * | `crl`                | sslCRL                                             | `string \| Buffer \| Buffer[]`         |
-     * | `cert`               | sslCert, tlsCertificateFile                        | `string \| Buffer \| Buffer[]`         |
-     * | `key`                | sslKey, tlsCertificateKeyFile                      | `string \| Buffer \| KeyObject[]`      |
-     * | `passphrase`         | sslPass, tlsCertificateKeyFilePassword             | `string`                               |
-     * | `rejectUnauthorized` | sslValidate                                        | `boolean`                              |
+     * | nodejs native option  | driver spec compliant option name             | driver option type |
+     * |:----------------------|:----------------------------------------------|:-------------------|
+     * | `ca`                  | `tlsCAFile`                                   | `string`           |
+     * | `crl`                 | N/A                                           | `string`           |
+     * | `key`                 | `tlsCertificateKeyFile`                       | `string`           |
+     * | `passphrase`          | `tlsCertificateKeyFilePassword`               | `string`           |
+     * | `rejectUnauthorized`  | `tlsAllowInvalidCertificates`                 | `boolean`          |
+     * | `checkServerIdentity` | `tlsAllowInvalidHostnames`                    | `boolean`          |
+     * | see note below        | `tlsInsecure`                                 | `boolean`          |
      *
      */
     expect(options).to.not.have.property('tlsCertificateKeyFile');
     expect(options).to.not.have.property('tlsCAFile');
-    expect(options).to.not.have.property('sslCRL');
     expect(options).to.not.have.property('tlsCertificateKeyFilePassword');
     expect(options).has.property('ca', '');
-    expect(options).has.property('crl', '');
-    expect(options).has.property('cert', '');
     expect(options).has.property('key');
     expect(options.key).has.length(0);
     expect(options).has.property('passphrase', 'tlsCertificateKeyFilePassword');
-    expect(options).has.property('rejectUnauthorized', false);
     expect(options).has.property('tls', true);
   });
 
@@ -126,8 +120,6 @@ describe('MongoOptions', function () {
     serverApi: { version: '1' },
     socketTimeoutMS: 3,
     ssl: true,
-    sslPass: 'pass',
-    sslValidate: true,
     tls: true,
     tlsAllowInvalidCertificates: true,
     tlsAllowInvalidHostnames: true,
@@ -404,28 +396,11 @@ describe('MongoOptions', function () {
       const optsFromObject = parseOptions('mongodb://localhost/', {
         tlsCertificateKeyFile: 'testCertKey.pem'
       });
-      expect(optsFromObject).to.have.property('cert', 'cert key');
       expect(optsFromObject).to.have.property('key', 'cert key');
 
       const optsFromUri = parseOptions('mongodb://localhost?tlsCertificateKeyFile=testCertKey.pem');
-      expect(optsFromUri).to.have.property('cert', 'cert key');
       expect(optsFromUri).to.have.property('key', 'cert key');
     });
-
-    it('correctly sets the cert and key if both tlsCertificateKeyFile and tlsCertificateFile is provided', function () {
-      const optsFromObject = parseOptions('mongodb://localhost/', {
-        tlsCertificateKeyFile: 'testKey.pem',
-        tlsCertificateFile: 'testCert.pem'
-      });
-      expect(optsFromObject).to.have.property('cert', 'test cert');
-      expect(optsFromObject).to.have.property('key', 'test key');
-
-      const optsFromUri = parseOptions(
-        'mongodb://localhost?tlsCertificateKeyFile=testKey.pem&tlsCertificateFile=testCert.pem'
-      );
-      expect(optsFromUri).to.have.property('cert', 'test cert');
-      expect(optsFromUri).to.have.property('key', 'test key');
-    });
   });
 
   it('throws an error if multiple tls parameters are not all set to the same value', () => {