RUBY-2132 fold ssl options into regular options in address/socket code (#1952)

Co-authored-by: Oleg Pudeyev <oleg@bsdpower.com>

Author: p-mongo

lib/mongo/address.rb

@@ -75,7 +75,7 @@ def initialize(seed, options = {})
       end
       @seed = seed
       @host, @port = parse_host_port
-      @options = options
+      @options = Hash[options.map { |k, v| [k.to_sym, v] }]
     end
 
     # @return [ String ] seed The seed address.
@@ -172,28 +172,55 @@ def inspect
     #   address.socket(5, :ssl => true)
     #
     # @param [ Float ] socket_timeout The socket timeout.
-    # @param [ Hash ] ssl_options SSL options.
-    # @param [ Hash ] options The options.
-    #
-    # @option options [ Float ] :connect_timeout Connect timeout.
+    # @param [ Hash ] opts The options.
+    #
+    # @option opts [ Float ] :connect_timeout Connect timeout.
+    # @option opts [ true | false ] :ssl Whether to use SSL.
+    # @option opts [ String ] :ssl_ca_cert
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_ca_cert_string
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_cert
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ OpenSSL::X509::Certificate ] :ssl_cert_object
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_cert_string
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_key
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ OpenSSL::PKey ] :ssl_key_object
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_key_pass_phrase
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ String ] :ssl_key_string
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ true, false ] :ssl_verify
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ true, false ] :ssl_verify_certificate
+    #   Same as the corresponding Client/Socket::SSL option.
+    # @option opts [ true, false ] :ssl_verify_hostname
+    #   Same as the corresponding Client/Socket::SSL option.
     #
     # @return [ Mongo::Socket::SSL | Mongo::Socket::TCP | Mongo::Socket::Unix ]
     #   The socket.
     #
     # @raise [ Mongo::Error ] If network connection failed.
     #
     # @since 2.0.0
-    def socket(socket_timeout, ssl_options = {}, options = {})
+    # @api private
+    def socket(socket_timeout, opts = {})
+      opts = {
+        connect_timeout: Server::CONNECT_TIMEOUT,
+      }.update(options).update(Hash[opts.map { |k, v| [k.to_sym, v] }])
+
       map_exceptions do
         if seed.downcase =~ Unix::MATCH
           specific_address = Unix.new(seed.downcase)
-          return specific_address.socket(socket_timeout, ssl_options, options)
+          return specific_address.socket(socket_timeout, opts)
         end
 
-        options = {
-          connect_timeout: Server::CONNECT_TIMEOUT,
-        }.update(Hash[options.map { |k, v| [k.to_sym, v] }])
-
         # When the driver connects to "localhost", it only attempts IPv4
         # connections. When the driver connects to other hosts, it will
         # attempt both IPv4 and IPv6 connections.
@@ -210,7 +237,7 @@ def socket(socket_timeout, ssl_options = {}, options = {})
         results.each do |family, address_str|
           begin
             specific_address = FAMILY_MAP[family].new(address_str, port, host)
-            socket = specific_address.socket(socket_timeout, ssl_options, options)
+            socket = specific_address.socket(socket_timeout, opts)
             return socket
           rescue IOError, SystemCallError, Error::SocketTimeoutError, Error::SocketError => e
             error = e

lib/mongo/address/ipv4.rb

@@ -78,17 +78,44 @@ def initialize(host, port, host_name=nil)
       #   ipv4.socket(5, :ssl => true)
       #
       # @param [ Float ] socket_timeout The socket timeout.
-      # @param [ Hash ] ssl_options SSL options.
       # @param [ Hash ] options The options.
       #
       # @option options [ Float ] :connect_timeout Connect timeout.
+      # @option options [ true | false ] :ssl Whether to use SSL.
+      # @option options [ String ] :ssl_ca_cert
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_ca_cert_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_cert
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ OpenSSL::X509::Certificate ] :ssl_cert_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_cert_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ OpenSSL::PKey ] :ssl_key_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key_pass_phrase
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify_certificate
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify_hostname
+      #   Same as the corresponding Client/Socket::SSL option.
       #
       # @return [ Mongo::Socket::SSL, Mongo::Socket::TCP ] The socket.
       #
       # @since 2.0.0
-      def socket(socket_timeout, ssl_options = {}, options = {})
-        unless ssl_options.empty?
-          Socket::SSL.new(host, port, host_name, socket_timeout, Socket::PF_INET, ssl_options.merge(options))
+      # @api private
+      def socket(socket_timeout, options = {})
+        if options[:ssl]
+          Socket::SSL.new(host, port, host_name, socket_timeout, Socket::PF_INET, options)
         else
           Socket::TCP.new(host, port, socket_timeout, Socket::PF_INET, options)
         end

lib/mongo/address/ipv6.rb

@@ -92,17 +92,44 @@ def initialize(host, port, host_name=nil)
       #   ipv4.socket(5, :ssl => true)
       #
       # @param [ Float ] socket_timeout The socket timeout.
-      # @param [ Hash ] ssl_options SSL options.
       # @param [ Hash ] options The options.
       #
       # @option options [ Float ] :connect_timeout Connect timeout.
+      # @option options [ true | false ] :ssl Whether to use SSL.
+      # @option options [ String ] :ssl_ca_cert
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_ca_cert_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_cert
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ OpenSSL::X509::Certificate ] :ssl_cert_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_cert_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ OpenSSL::PKey ] :ssl_key_object
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key_pass_phrase
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ String ] :ssl_key_string
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify_certificate
+      #   Same as the corresponding Client/Socket::SSL option.
+      # @option options [ true, false ] :ssl_verify_hostname
+      #   Same as the corresponding Client/Socket::SSL option.
       #
       # @return [ Mongo::Socket::SSL, Mongo::Socket::TCP ] The socket.
       #
       # @since 2.0.0
-      def socket(socket_timeout, ssl_options = {}, options = {})
-        unless ssl_options.empty?
-          Socket::SSL.new(host, port, host_name, socket_timeout, Socket::PF_INET6, ssl_options.merge(options))
+      # @api private
+      def socket(socket_timeout, options = {})
+        if options[:ssl]
+          Socket::SSL.new(host, port, host_name, socket_timeout, Socket::PF_INET6, options)
         else
           Socket::TCP.new(host, port, socket_timeout, Socket::PF_INET6, options)
         end

lib/mongo/address/unix.rb

@@ -63,15 +63,15 @@ def initialize(host, port=nil, host_name=nil)
       #   address.socket(5)
       #
       # @param [ Float ] socket_timeout The socket timeout.
-      # @param [ Hash ] ssl_options SSL options - ignored.
       # @param [ Hash ] options The options.
       #
       # @option options [ Float ] :connect_timeout Connect timeout.
       #
       # @return [ Mongo::Socket::Unix ] The socket.
       #
       # @since 2.0.0
-      def socket(socket_timeout, ssl_options = {}, options = {})
+      # @api private
+      def socket(socket_timeout, options = {})
         Socket::Unix.new(host, socket_timeout, options)
       end
     end

lib/mongo/server/connection.rb

@@ -181,8 +181,8 @@ def connect!
       #   returned socket.
       private def do_connect
         socket = add_server_diagnostics do
-          address.socket(socket_timeout, ssl_options, address.options.merge(
-            connection_address: address, connection_generation: generation).update(ssl_options))
+          address.socket(socket_timeout, ssl_options.merge(
+            connection_address: address, connection_generation: generation))
         end
 
         begin

lib/mongo/server/connection_common.rb

@@ -104,7 +104,12 @@ def ssl_options
         @ssl_options ||= if options[:ssl]
           options.select { |k, v| k.to_s.start_with?('ssl') }
         else
-          {}
+          # Due to the way options are propagated from the client, if we
+          # decide that we don't want to use TLS we need to have the ssl
+          # options explicitly set to false or the value provided to the
+          # connection might be overwritten by the default inherited from
+          # the client.
+          {ssl: false}
         end.freeze
       end
 

lib/mongo/server/monitor/connection.rb

@@ -162,8 +162,8 @@ def connect!
           end
 
           @socket = add_server_diagnostics do
-            address.socket(socket_timeout, ssl_options, address.options.merge(
-              connection_address: address, monitor: true).update(ssl_options))
+            address.socket(socket_timeout, ssl_options.merge(
+              connection_address: address, monitor: true))
           end
           true
         end

lib/mongo/socket/ssl.rb

@@ -39,8 +39,64 @@ class SSL < Socket
       #   connection (for non-monitoring connections) that created this socket.
       # @option options [ true | false ] :monitor Whether this socket was
       #   created by a monitoring connection.
+      # @option options [ String ] :ssl_ca_cert The file containing concatenated
+      #   certificate authority certificates used to validate certs passed from the
+      #   other end of the connection. Intermediate certificates should NOT be
+      #   specified in files referenced by this option. One of :ssl_ca_cert,
+      #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority) is
+      #   required when using :ssl_verify.
+      # @option options [ Array<OpenSSL::X509::Certificate> ] :ssl_ca_cert_object
+      #   An array of OpenSSL::X509::Certificate objects representing the
+      #   certificate authority certificates used to validate certs passed from
+      #   the other end of the connection. Intermediate certificates should NOT
+      #   be specified in files referenced by this option. One of :ssl_ca_cert,
+      #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority)
+      #   is required when using :ssl_verify.
+      # @option options [ String ] :ssl_ca_cert_string A string containing
+      #   certificate authority certificate used to validate certs passed from the
+      #   other end of the connection. This option allows passing only one CA
+      #   certificate to the driver. Intermediate certificates should NOT
+      #   be specified in files referenced by this option. One of :ssl_ca_cert,
+      #   :ssl_ca_cert_string or :ssl_ca_cert_object (in order of priority) is
+      #   required when using :ssl_verify.
+      # @option options [ String ] :ssl_cert The certificate file used to identify
+      #   the connection against MongoDB. A certificate chain may be passed by
+      #   specifying the client certificate first followed by any intermediate
+      #   certificates up to the CA certificate. The file may also contain the
+      #   certificate's private key, which will be ignored. This option, if present,
+      #   takes precedence over the values of :ssl_cert_string and :ssl_cert_object
+      # @option options [ OpenSSL::X509::Certificate ] :ssl_cert_object The OpenSSL::X509::Certificate
+      #   used to identify the connection against MongoDB. Only one certificate
+      #   may be passed through this option.
+      # @option options [ String ] :ssl_cert_string A string containing the PEM-encoded
+      #   certificate used to identify the connection against MongoDB. A certificate
+      #   chain may be passed by specifying the client certificate first followed
+      #   by any intermediate certificates up to the CA certificate. The string
+      #   may also contain the certificate's private key, which will be ignored,
+      #   This option, if present, takes precedence over the value of :ssl_cert_object
+      # @option options [ String ] :ssl_key The private keyfile used to identify the
+      #   connection against MongoDB. Note that even if the key is stored in the same
+      #   file as the certificate, both need to be explicitly specified. This option,
+      #   if present, takes precedence over the values of :ssl_key_string and :ssl_key_object
+      # @option options [ OpenSSL::PKey ] :ssl_key_object The private key used to identify the
+      #   connection against MongoDB
+      # @option options [ String ] :ssl_key_pass_phrase A passphrase for the private key.
+      # @option options [ String ] :ssl_key_string A string containing the PEM-encoded private key
+      #   used to identify the connection against MongoDB. This parameter, if present,
+      #   takes precedence over the value of option :ssl_key_object
+      # @option options [ true, false ] :ssl_verify Whether to perform peer certificate validation and
+      #   hostname verification. Note that the decision of whether to validate certificates will be
+      #   overridden if :ssl_verify_certificate is set, and the decision of whether to validate
+      #   hostnames will be overridden if :ssl_verify_hostname is set.
+      # @option options [ true, false ] :ssl_verify_certificate Whether to perform peer certificate
+      #   validation. This setting overrides :ssl_verify with respect to whether certificate
+      #   validation is performed.
+      # @option options [ true, false ] :ssl_verify_hostname Whether to perform peer hostname
+      #   validation. This setting overrides :ssl_verify with respect to whether hostname validation
+      #   is performed.
       #
       # @since 2.0.0
+      # @api private
       def initialize(host, port, host_name, timeout, family, options = {})
         super(timeout, options)
         @host, @port, @host_name = host, port, host_name

lib/mongo/socket/tcp.rb

@@ -41,6 +41,7 @@ class TCP < Socket
       #   created by a monitoring connection.
       #
       # @since 2.0.0
+      # @api private
       def initialize(host, port, timeout, family, options = {})
         super(timeout, options)
         @host, @port = host, port

lib/mongo/socket/unix.rb

@@ -38,6 +38,7 @@ class Unix < Socket
       #   created by a monitoring connection.
       #
       # @since 2.0.0
+      # @api private
       def initialize(path, timeout, options = {})
         super(timeout, options)
         @path = path