From ac5e5551dcef8612a2c1d5a3207dcd3017b373a2 Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Tue, 25 Mar 2025 16:12:24 -0400
Subject: [PATCH 1/3] test(NODE-3151): add KMS TLS tests for client-side encryption
---
 ...t_side_encryption.prose.10.kms_tls.test.ts | 63 +++++++++++++++++++
 .../client_side_encryption.prose.test.js | 5 --
 2 files changed, 63 insertions(+), 5 deletions(-)
 create mode 100644 test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
new file mode 100644
index 00000000000..c2d97d62013
--- /dev/null
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
@@ -0,0 +1,63 @@
+import { expect } from 'chai';
+
+import { getCSFLEKMSProviders } from '../../csfle-kms-providers';
+import { ClientEncryption, type MongoClient } from '../../mongodb';
+
+const metadata: MongoDBMetadataUI = {
+ requires: {
+ mongodb: '>=4.2.0'
+ }
+};
+
+describe('10. KMS TLS Tests', function () {
+ const keyVaultNamespace = 'keyvault.datakeys';
+ const masterKeyBase = {
+ region: 'us-east-1',
+ key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
+ };
+
+ let client: MongoClient;
+ let clientEncryption: ClientEncryption;
+
+ beforeEach(async function () {
+ client = this.configuration.newClient();
+ await client.connect();
+
+ clientEncryption = new ClientEncryption(client, {
+ keyVaultNamespace,
+ kmsProviders: getCSFLEKMSProviders(),
+ tlsOptions: {
+ aws: {
+ tlsCAFile: process.env.CSFLE_TLS_CA_FILE,
+ tlsCertificateKeyFile: process.env.CSFLE_TLS_CLIENT_CERT_FILE
+ }
+ }
+ });
+ });
+
+ afterEach(async function () {
+ await client.close();
+ });
+
+ it('should fail with an expired certificate', metadata, async function () {
+ const masterKey = { ...masterKeyBase, endpoint: '127.0.0.1:9000' };
+
+ const error = await clientEncryption.createDataKey('aws', { masterKey }).then(
+ () => null,
+ error => error
+ );
+
+ expect(error.cause.message, error.stack).to.include('certificate has expired');
+ });
+
+ it('should fail with an invalid hostname', metadata, async function () {
+ const masterKey = { ...masterKeyBase, endpoint: '127.0.0.1:9001' };
+
+ const error = await clientEncryption.createDataKey('aws', { masterKey }).then(
+ () => null,
+ error => error
+ );
+
+ expect(error.cause.message, error.stack).to.include('does not match certificate');
+ });
+});
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.test.js b/test/integration/client-side-encryption/client_side_encryption.prose.test.js
index ce04942be64..9009bc94aff 100644
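Review bot: The two assertions on `error.cause.message` (the `'certificate has expired'` and `'does not match certificate'` lines) pin the test to error-message wording owned by OpenSSL and Node rather than by the driver, so a wording change would fail the test without any change in verification behaviour. If `cause` is the underlying Node TLS error it also carries a stable `code`, so `expect(error.cause).to.have.property('code', 'CERT_HAS_EXPIRED');` for the port-9000 case and `expect(error.cause).to.have.property('code', 'ERR_TLS_CERT_ALTNAME_INVALID');` for the port-9001 case would prove the handshake was rejected for the expected reason; the substring checks can stay as a secondary assertion. The same substring checks are the context lines of the later hunks at -47 and -58 in patch 2.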
--- a/test/integration/client-side-encryption/client_side_encryption.prose.test.js
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.test.js
@@ -1351,11 +1351,6 @@ describe('Client Side Encryption Prose Tests', metadata, function () {
 });
 });
 
- // TODO(NODE-3151): Implement kms prose tests
- describe('KMS TLS Tests', () => {
- it.skip('TBD', () => {}).skipReason = 'TODO(NODE-3151): Implement "KMS TLS Tests"';
- });
-
 /**
 * - Create client encryption no tls
 * - Create client encryption with tls
From 3c258fe56db8eccdd3e3e1e4d6dd53e5c88827e5 Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Wed, 26 Mar 2025 10:47:00 -0400
Subject: [PATCH 2/3] test: ensure proper error properties in tests
---
 ...sfle-kms-providers.js => csfle-kms-providers.ts} | 13 +++++--------
 .../client_side_encryption.prose.10.kms_tls.test.ts | 8 +++++++-
 2 files changed, 12 insertions(+), 9 deletions(-)
 rename test/{csfle-kms-providers.js => csfle-kms-providers.ts} (79%)
diff --git a/test/csfle-kms-providers.js b/test/csfle-kms-providers.ts
similarity index 79%
rename from test/csfle-kms-providers.js
rename to test/csfle-kms-providers.ts
index 97b8855a570..dc1d3502bbc 100644
--- a/test/csfle-kms-providers.js
+++ b/test/csfle-kms-providers.ts
@@ -1,4 +1,4 @@
-'use strict';
+import { type KMSProviders } from './mongodb';
 
 const csfleKMSProviders = {
 aws: {
@@ -22,7 +22,7 @@ const csfleKMSProviders = {
 }
 };
 
-function getCSFLEKMSProviders() {
+export function getCSFLEKMSProviders(): KMSProviders {
 return JSON.parse(JSON.stringify(csfleKMSProviders));
 }
 
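Review bot: `export function getCSFLEKMSProviders(): KMSProviders` declares a return type the compiler never checks, because `JSON.parse` returns `any`, which is assignable to anything; a field that does not match `KMSProviders` in `csfleKMSProviders` would compile and only surface at runtime. Typing the source object instead, `const csfleKMSProviders: KMSProviders = {` in the -1,4 hunk, gets the literal checked where it is declared while keeping the JSON round-trip, though if the entries read `process.env` directly it may surface `string | undefined` mismatches that the annotation currently hides. The round-trip also drops every property whose value is `undefined`, so the returned object can have fewer keys than the annotation promises; a one-line comment such as `// JSON round-trip deep-copies and drops undefined-valued (unset env) fields` would make that explicit. The object literal's fields lie outside the visible hunks.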
@@ -37,10 +37,7 @@ const keys = [
 ];
 
 const isInEnvironment = key => typeof process.env[key] === 'string' && process.env[key].length > 0;
-const missingKeys = keys.filter(key => !isInEnvironment(key)).join(',');
-module.exports = {
- getCSFLEKMSProviders,
- kmsCredentialsPresent: missingKeys === '',
- missingKeys
-};
+export const missingKeys = keys.filter(key => !isInEnvironment(key)).join(',');
+
+export const kmsCredentialsPresent = missingKeys === '';
 
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
index c2d97d62013..c17688bc1c0 100644
--- a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
@@ -5,6 +5,8 @@ import { ClientEncryption, type MongoClient } from '../../mongodb';
 
 const metadata: MongoDBMetadataUI = {
 requires: {
+ os: '!win32',
+ topology: '!load-balanced',
 mongodb: '>=4.2.0'
 }
 };
@@ -25,7 +27,7 @@ describe('10. KMS TLS Tests', function () {
 
 clientEncryption = new ClientEncryption(client, {
 keyVaultNamespace,
- kmsProviders: getCSFLEKMSProviders(),
+ kmsProviders: { aws: getCSFLEKMSProviders().aws },
 tlsOptions: {
 aws: {
 tlsCAFile: process.env.CSFLE_TLS_CA_FILE,
@@ -47,6 +49,8 @@ describe('10. KMS TLS Tests', function () {
 error => error
 );
 
+ expect(error).to.exist;
+ expect(error, error.stack).to.have.property('cause').that.is.instanceOf(Error);
 expect(error.cause.message, error.stack).to.include('certificate has expired');
 });
 
@@ -58,6 +62,8 @@ describe('10. KMS TLS Tests', function () {
 error => error
 );
 
+ expect(error).to.exist;
+ expect(error, error.stack).to.have.property('cause').that.is.instanceOf(Error);
 expect(error.cause.message, error.stack).to.include('does not match certificate');
 });
 });
From 26a9afaff8084ba1f39d846afc33fb3cbb008263 Mon Sep 17 00:00:00 2001
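Review bot: Now that the file is compiled as TypeScript, the context line `const isInEnvironment = key => typeof process.env[key] === 'string' && process.env[key].length > 0;` in the -37 hunk has an untyped `key` parameter, an implicit `any` under `noImplicitAny`, and `process.env[key].length` reads a `string | undefined` index whose `typeof` guard on a non-literal key is not carried over by narrowing. An equivalent typed one-liner, `const isInEnvironment = (key: string): boolean => (process.env[key] ?? '').length > 0;`, resolves both (environment values are always strings or undefined, so the `??` form matches the original check). Whether the test tsconfig currently tolerates the implicit any is not visible from the patch.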
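Review bot: `expect(error).to.exist` in the -47 hunk accepts any truthy value and, when `createDataKey` unexpectedly resolves, fails with the bare message "expected null to exist", which says nothing about the TLS expectation being tested. Asserting `expect(error, 'createDataKey should have been rejected during the TLS handshake').to.be.instanceOf(Error);` states the intent and also guarantees that the `error.stack` passed as the message on the following line is a string rather than an arbitrary property. The same applies to the -58 hunk; the enclosing `it` callbacks start outside both hunks.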
From: Neal Beeken
Date: Wed, 26 Mar 2025 12:26:33 -0400
Subject: [PATCH 3/3] test: update metadata to require client-side encryption for KMS TLS tests
---
 .../client_side_encryption.prose.10.kms_tls.test.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
index c17688bc1c0..393468e1e97 100644
--- a/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
+++ b/test/integration/client-side-encryption/client_side_encryption.prose.10.kms_tls.test.ts
@@ -5,8 +5,7 @@ import { ClientEncryption, type MongoClient } from '../../mongodb';
 
 const metadata: MongoDBMetadataUI = {
 requires: {
- os: '!win32',
- topology: '!load-balanced',
+ clientSideEncryption: true,
 mongodb: '>=4.2.0'
 }
 };
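Review bot: `clientSideEncryption: true` presumably gates on the encryption library and KMS credentials being available, but these two tests additionally depend on the mock KMS TLS listeners at `127.0.0.1:9000` and `127.0.0.1:9001` and on `CSFLE_TLS_CA_FILE` / `CSFLE_TLS_CLIENT_CERT_FILE`, none of which this metadata checks; with the variables unset, `tlsCAFile` and `tlsCertificateKeyFile` become `undefined` and the tests will likely fail with an unrelated connection or verification error instead of being skipped. A precondition in `beforeEach`, such as `expect(process.env.CSFLE_TLS_CA_FILE, 'CSFLE_TLS_CA_FILE is required by the KMS TLS tests').to.be.a('string');` with a matching line for the client certificate file, makes the failure self-explanatory. The `beforeEach` and the enclosing `describe` are outside this hunk.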