feat: allow to save connection info COMPASS-4630 (#2510)

* wip: preserve connection info on save COMPASS-4630

* use CommaAndColonSeparatedRecord

* add convertConnectionInfoToModel test

* more conversion tests + fix lastUsed

* add replicaSet name test

* add read preference tags tests

* add scram conversion tests

* add tests for X509 and convert SSL properties

* remove only

* test ssl

* test convert id

* ssh options

* encrypt tls cert password

* fix AWS

* fix ts types

Author: mcasimir

packages/connection-model/lib/extended-model.js

@@ -32,7 +32,7 @@ const ExtendedConnection = Connection.extend(storageMixin, {
     namespace: 'Connections',
     basepath,
     appName, // Not to be confused with `props.appname` that is being sent to driver
-    secureCondition: (val, key) => key.match(/(password|passphrase)/i)
+    secureCondition: (val, key) => key.match(/(password|passphrase|secrets)/i)
   },
   props: {
     _id: { type: 'string', default: () => uuidv4() },

packages/connection-model/lib/model.js

@@ -65,6 +65,16 @@ const session = {};
 
 let Connection = {};
 
+/**
+ * New ConnectionInfo properties
+ */
+Object.assign(props, {
+  connectionInfo: { type: 'object', default: undefined },
+
+  // anything in secrets is saved in the keyring by storage mixin
+  secrets: { type: 'object', default: undefined }
+});
+
 /**
  * Assigning observable top-level properties of a state class.
  */

packages/data-service/src/connection-secrets.spec.ts

@@ -0,0 +1,166 @@
+import { expect } from 'chai';
+import { ConnectionInfo } from './connection-info';
+import {
+  mergeSecrets,
+  extractSecrets,
+  ConnectionSecrets,
+} from './connection-secrets';
+
+describe('connection secrets', function () {
+  describe('mergeSecrets', function () {
+    it('does not modify the original object', function () {
+      const originalConnectionInfo: ConnectionInfo = {
+        connectionOptions: {
+          connectionString: 'mongodb://localhost:27017',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+          },
+        },
+        favorite: {
+          name: 'connection 1',
+        },
+      };
+
+      const originalConnectionInfoStr = JSON.stringify(originalConnectionInfo);
+
+      const newConnectionInfo = mergeSecrets(originalConnectionInfo, {
+        password: 'xxx',
+        awsSessionToken: 'xxx',
+        sshTunnelPassphrase: 'xxx',
+        tlsCertificateKeyFilePassword: 'xxx',
+      });
+
+      expect(newConnectionInfo).to.not.equal(originalConnectionInfo);
+
+      expect(newConnectionInfo.connectionOptions).to.not.equal(
+        originalConnectionInfo.connectionOptions
+      );
+
+      expect(newConnectionInfo.connectionOptions.sshTunnel).to.not.equal(
+        originalConnectionInfo.connectionOptions.sshTunnel
+      );
+
+      expect(newConnectionInfo.favorite).to.not.equal(
+        originalConnectionInfo.favorite
+      );
+
+      expect(originalConnectionInfoStr).to.equal(
+        JSON.stringify(originalConnectionInfo)
+      );
+    });
+
+    it('merges secrets', function () {
+      const originalConnectionInfo: ConnectionInfo = {
+        connectionOptions: {
+          connectionString: 'mongodb://username@localhost:27017/',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+          },
+        },
+      };
+
+      const newConnectionInfo = mergeSecrets(originalConnectionInfo, {
+        awsSessionToken: 'sessionToken',
+        password: 'userPassword',
+        sshTunnelPassphrase: 'passphrase',
+        tlsCertificateKeyFilePassword: 'tlsCertPassword',
+      });
+
+      expect(newConnectionInfo).to.be.deep.equal({
+        connectionOptions: {
+          connectionString:
+            'mongodb://username:userPassword@localhost:27017/?tlsCertificateKeyFilePassword=tlsCertPassword&authMechanismProperties=AWS_SESSION_TOKEN%3AsessionToken',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+            identityKeyPassphrase: 'passphrase',
+          },
+        },
+      } as ConnectionInfo);
+    });
+  });
+
+  describe('extractSecrets', function () {
+    it('does not modify the original object', function () {
+      const originalConnectionInfo: ConnectionInfo = {
+        connectionOptions: {
+          connectionString: 'mongodb://localhost:27017',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+          },
+        },
+        favorite: {
+          name: 'connection 1',
+        },
+      };
+
+      const originalConnectionInfoStr = JSON.stringify(originalConnectionInfo);
+
+      const { connectionInfo: newConnectionInfo } = extractSecrets(
+        originalConnectionInfo
+      );
+
+      expect(newConnectionInfo).to.not.equal(originalConnectionInfo);
+
+      expect(newConnectionInfo.connectionOptions).to.not.equal(
+        originalConnectionInfo.connectionOptions
+      );
+
+      expect(newConnectionInfo.connectionOptions.sshTunnel).to.not.equal(
+        originalConnectionInfo.connectionOptions.sshTunnel
+      );
+
+      expect(newConnectionInfo.favorite).to.not.equal(
+        originalConnectionInfo.favorite
+      );
+
+      expect(originalConnectionInfoStr).to.equal(
+        JSON.stringify(originalConnectionInfo)
+      );
+    });
+
+    it('extracts secrets', function () {
+      const originalConnectionInfo: ConnectionInfo = {
+        connectionOptions: {
+          connectionString:
+            'mongodb://username:userPassword@localhost:27017/?tlsCertificateKeyFilePassword=tlsCertPassword&authMechanismProperties=AWS_SESSION_TOKEN%3AsessionToken',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+            identityKeyPassphrase: 'passphrase',
+          },
+        },
+      };
+
+      const { connectionInfo: newConnectionInfo, secrets } = extractSecrets(
+        originalConnectionInfo
+      );
+
+      expect(newConnectionInfo).to.be.deep.equal({
+        connectionOptions: {
+          connectionString: 'mongodb://username@localhost:27017/',
+          sshTunnel: {
+            host: 'localhost',
+            username: 'user',
+            port: 22,
+          },
+        },
+      } as ConnectionInfo);
+
+      expect(secrets).to.be.deep.equal({
+        awsSessionToken: 'sessionToken',
+        password: 'userPassword',
+        sshTunnelPassphrase: 'passphrase',
+        tlsCertificateKeyFilePassword: 'tlsCertPassword',
+      } as ConnectionSecrets);
+    });
+  });
+});

packages/data-service/src/connection-secrets.ts

@@ -0,0 +1,120 @@
+import _ from 'lodash';
+import ConnectionString, {
+  CommaAndColonSeparatedRecord,
+} from 'mongodb-connection-string-url';
+import { ConnectionInfo } from './connection-info';
+
+export interface ConnectionSecrets {
+  password?: string;
+  sshTunnelPassphrase?: string;
+  awsSessionToken?: string;
+  tlsCertificateKeyFilePassword?: string;
+}
+
+const AWS_SESSION_TOKEN_PROPERTY = 'AWS_SESSION_TOKEN';
+const AUTH_MECHANISM_PROPERTIES_PARAM = 'authMechanismProperties';
+const TLS_CERTIFICATE_KEY_FILE_PASSWORD_PARAM = 'tlsCertificateKeyFilePassword';
+
+export function mergeSecrets(
+  connectionInfo: Readonly<ConnectionInfo>,
+  secrets: ConnectionSecrets | undefined
+): ConnectionInfo {
+  const connectionInfoWithSecrets = _.cloneDeep(connectionInfo);
+
+  if (!secrets) {
+    return connectionInfoWithSecrets;
+  }
+
+  const connectionOptions = connectionInfoWithSecrets.connectionOptions;
+
+  const uri = new ConnectionString(connectionOptions.connectionString);
+
+  if (secrets.password) {
+    uri.password = secrets.password;
+  }
+
+  if (secrets.sshTunnelPassphrase && connectionOptions.sshTunnel) {
+    connectionOptions.sshTunnel.identityKeyPassphrase =
+      secrets.sshTunnelPassphrase;
+  }
+
+  if (secrets.tlsCertificateKeyFilePassword) {
+    uri.searchParams.set(
+      TLS_CERTIFICATE_KEY_FILE_PASSWORD_PARAM,
+      secrets.tlsCertificateKeyFilePassword
+    );
+  }
+
+  if (secrets.awsSessionToken) {
+    const authMechanismProperties = new CommaAndColonSeparatedRecord(
+      uri.searchParams.get(AUTH_MECHANISM_PROPERTIES_PARAM)
+    );
+
+    authMechanismProperties.set(
+      AWS_SESSION_TOKEN_PROPERTY,
+      secrets.awsSessionToken
+    );
+
+    uri.searchParams.set(
+      AUTH_MECHANISM_PROPERTIES_PARAM,
+      authMechanismProperties.toString()
+    );
+  }
+
+  connectionInfoWithSecrets.connectionOptions.connectionString = uri.href;
+
+  return connectionInfoWithSecrets;
+}
+
+export function extractSecrets(connectionInfo: Readonly<ConnectionInfo>): {
+  connectionInfo: ConnectionInfo;
+  secrets: ConnectionSecrets;
+} {
+  const connectionInfoWithoutSecrets = _.cloneDeep(connectionInfo);
+  const secrets: ConnectionSecrets = {};
+
+  const connectionOptions = connectionInfoWithoutSecrets.connectionOptions;
+  const uri = new ConnectionString(connectionOptions.connectionString);
+
+  if (uri.password) {
+    secrets.password = uri.password;
+    uri.password = '';
+  }
+
+  if (connectionOptions.sshTunnel?.identityKeyPassphrase) {
+    secrets.sshTunnelPassphrase =
+      connectionOptions.sshTunnel.identityKeyPassphrase;
+    delete connectionOptions.sshTunnel.identityKeyPassphrase;
+  }
+
+  if (uri.searchParams.has(TLS_CERTIFICATE_KEY_FILE_PASSWORD_PARAM)) {
+    secrets.tlsCertificateKeyFilePassword =
+      uri.searchParams.get(TLS_CERTIFICATE_KEY_FILE_PASSWORD_PARAM) ||
+      undefined;
+    uri.searchParams.delete(TLS_CERTIFICATE_KEY_FILE_PASSWORD_PARAM);
+  }
+
+  const authMechanismProperties = new CommaAndColonSeparatedRecord(
+    uri.searchParams.get(AUTH_MECHANISM_PROPERTIES_PARAM)
+  );
+
+  if (authMechanismProperties.has(AWS_SESSION_TOKEN_PROPERTY)) {
+    secrets.awsSessionToken = authMechanismProperties.get(
+      AWS_SESSION_TOKEN_PROPERTY
+    );
+    authMechanismProperties.delete(AWS_SESSION_TOKEN_PROPERTY);
+
+    if (authMechanismProperties.toString()) {
+      uri.searchParams.set(
+        AUTH_MECHANISM_PROPERTIES_PARAM,
+        authMechanismProperties.toString()
+      );
+    } else {
+      uri.searchParams.delete(AUTH_MECHANISM_PROPERTIES_PARAM);
+    }
+  }
+
+  connectionInfoWithoutSecrets.connectionOptions.connectionString = uri.href;
+
+  return { connectionInfo: connectionInfoWithoutSecrets, secrets };
+}

packages/data-service/src/connection-storage.spec.ts

@@ -1,4 +1,5 @@
-import { TestBackend } from 'storage-mixin';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { TestBackend } = require('storage-mixin');
 
 import { expect } from 'chai';
 
@@ -95,6 +96,19 @@ describe('ConnectionStorage', function () {
         },
       ]);
     });
+
+    it('should convert lastUsed', async function () {
+      const id = uuid();
+      const lastUsed = new Date('2021-10-26T13:51:27.585Z');
+      writeFakeConnection(tmpDir, {
+        _id: id,
+        lastUsed,
+      });
+
+      const connectionStorage = new ConnectionStorage();
+      const connections = await connectionStorage.loadAll();
+      expect(connections[0].lastUsed).to.deep.equal(lastUsed);
+    });
   });
 
   describe('save', function () {