fix(connection-form): clear autoEncryption when empty (#3071)

See the comment for `unsetAutoEncryptionIfEmpty`, this
otherwise makes connecting fail when fully removing previously
configured CSFLE settings for a connection.

Author: addaleax

packages/connection-form/src/utils/csfle-handler.spec.ts

@@ -85,7 +85,7 @@ describe('csfle-handler', function () {
         }).connectionOptions.fleOptions
       ).to.deep.equal({
         storeCredentials: false,
-        autoEncryption: {},
+        autoEncryption: undefined,
       });
     });
   });
@@ -124,9 +124,7 @@ describe('csfle-handler', function () {
         }).connectionOptions.fleOptions
       ).to.deep.equal({
         storeCredentials: false,
-        autoEncryption: {
-          kmsProviders: {},
-        },
+        autoEncryption: undefined,
       });
     });
   });
@@ -165,9 +163,7 @@ describe('csfle-handler', function () {
         }).connectionOptions.fleOptions
       ).to.deep.equal({
         storeCredentials: false,
-        autoEncryption: {
-          tlsOptions: {},
-        },
+        autoEncryption: undefined,
       });
     });
   });

packages/connection-form/src/utils/csfle-handler.ts

@@ -11,7 +11,7 @@ import queryParser from 'mongodb-query-parser';
 
 const DEFAULT_FLE_OPTIONS: NonNullable<ConnectionOptions['fleOptions']> = {
   storeCredentials: false,
-  autoEncryption: {},
+  autoEncryption: undefined,
 };
 
 type KeysOfUnion<T> = T extends T ? keyof T : never;
@@ -89,7 +89,7 @@ export function handleUpdateCsfleParam({
       fleOptions: {
         ...DEFAULT_FLE_OPTIONS,
         ...connectionOptions.fleOptions,
-        autoEncryption,
+        autoEncryption: unsetAutoEncryptionIfEmpty(autoEncryption),
       },
     },
   };
@@ -127,10 +127,10 @@ export function handleUpdateCsfleKmsParam({
       fleOptions: {
         ...DEFAULT_FLE_OPTIONS,
         ...connectionOptions.fleOptions,
-        autoEncryption: {
+        autoEncryption: unsetAutoEncryptionIfEmpty({
           ...autoEncryption,
           kmsProviders,
-        },
+        }),
       },
     },
   };
@@ -168,15 +168,25 @@ export function handleUpdateCsfleKmsTlsParam({
       fleOptions: {
         ...DEFAULT_FLE_OPTIONS,
         ...connectionOptions.fleOptions,
-        autoEncryption: {
+        autoEncryption: unsetAutoEncryptionIfEmpty({
           ...autoEncryption,
           tlsOptions,
-        },
+        }),
       },
     },
   };
 }
 
+// The driver creates an AutoEncrypter object if `.autoEncryption` has been set
+// as an option, regardless of whether it is filled. Consequently, we need
+// to set it to undefined explicitly if the user wants to disable automatic
+// CSFLE entirely (indicated by removing all CSFLE options).
+export function unsetAutoEncryptionIfEmpty(
+  o?: AutoEncryptionOptions
+): AutoEncryptionOptions | undefined {
+  return o && hasAnyCsfleOption(o) ? o : undefined;
+}
+
 export function hasAnyCsfleOption(o: Readonly<AutoEncryptionOptions>): boolean {
   return !!(
     o.bypassAutoEncryption ||

packages/data-service/src/connection-options.ts

@@ -31,7 +31,7 @@ export interface ConnectionFleOptions {
   /**
    * Encryption options passed to the driver verbatim.
    */
-  autoEncryption: AutoEncryptionOptions;
+  autoEncryption?: AutoEncryptionOptions;
 }
 
 export interface ConnectionSshOptions {

packages/data-service/src/data-service.ts

@@ -2413,7 +2413,7 @@ export class DataServiceImpl extends EventEmitter implements DataService {
         ...fleOptions?.autoEncryption?.encryptedFieldsMap,
         ...fleOptions?.autoEncryption?.schemaMap,
       }),
-      keyVaultNamespace: fleOptions?.autoEncryption.keyVaultNamespace,
+      keyVaultNamespace: fleOptions?.autoEncryption?.keyVaultNamespace,
       kmsProviders,
     };
   }