module Mongo::Crypt::KMS::Validations

This module contains helper methods for validating KMS parameters.

@api private

Public Class Methods

validate_tls_options(options)

Validate KMS TLS options.

@param [ Hash | nil ] options TLS options to connect to KMS providers. Keys of the hash should be KMS provider names; values should be hashes of TLS connection options. The options are equivalent to TLS connection options of Mongo::Client.

@return [ Hash ] Provided TLS options if valid.

@raise [ ArgumentError ] If required options are missing or incorrectly formatted.
# File lib/mongo/crypt/kms.rb, line 86
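def validate_tls_options(options)
  # A nil argument is treated as "no per-provider TLS options".
  opts = options || {}
  opts.each do |provider, provider_opts|
    # TLS must not be disabled for a provider under either option name.
    # The check reads the per-provider hash, because the outer hash is
    # keyed by provider name.
    if provider_opts[:ssl] == false || provider_opts[:tls] == false
      raise ArgumentError.new(
        "Incorrect TLS options for #{provider}: TLS is required"
      )
    end
    # Certificate and hostname verification must not be turned off.
    %i(
      ssl_verify_certificate
      ssl_verify_hostname
    ).each do |opt|
      if provider_opts[opt] == false
        raise ArgumentError.new(
          "Incorrect TLS options for #{provider}: " +
          'Insecure TLS options prohibited, ' +
          "#{opt} cannot be set to false for KMS"
        )
      end
    end
  end
  opts
end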
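
An added example, not the driver's own code: a pre-flight audit that applies the same rules as validate_tls_options but collects every violation instead of raising on the first. It goes beyond the method above by also flagging provider entries that are not hashes and by treating string keys like symbol keys; the function name, constants and sample configuration are assumptions made for illustration.

```ruby
# Added example: audit a KMS TLS options hash and return all findings.
# audit_kms_tls_options, TLS_SWITCHES, VERIFY_SWITCHES and SAMPLE_OPTIONS
# are hypothetical names, not part of the Mongo Ruby driver.

# Options that must never be explicitly false for a KMS connection.
TLS_SWITCHES    = %i[ssl tls].freeze
VERIFY_SWITCHES = %i[ssl_verify_certificate ssl_verify_hostname].freeze

def audit_kms_tls_options(options)
  findings = []
  (options || {}).each do |provider, provider_opts|
    # A provider entry that is not a Hash cannot be checked at all.
    unless provider_opts.is_a?(Hash)
      findings << "#{provider}: TLS options must be a Hash, " \
                  "got #{provider_opts.class}"
      next
    end
    # Assumption: treat 'ssl' and :ssl alike so a string-keyed entry
    # (for example, loaded from YAML or JSON) is audited the same way.
    normalized = provider_opts.each_with_object({}) do |(k, v), h|
      h[k.to_s.to_sym] = v
    end
    TLS_SWITCHES.each do |opt|
      if normalized[opt] == false
        findings << "#{provider}: TLS is required (#{opt} is false)"
      end
    end
    VERIFY_SWITCHES.each do |opt|
      if normalized[opt] == false
        findings << "#{provider}: #{opt} cannot be set to false for KMS"
      end
    end
  end
  findings
end

# Constructed sample configuration; file paths are placeholders.
SAMPLE_OPTIONS = {
  aws:   { ssl_ca_cert: '/path/to/ca.pem' },
  kmip:  { ssl_verify_hostname: false, ssl_cert: '/path/to/client.pem' },
  azure: { 'tls' => false },
  gcp:   nil
}.freeze

# Report every finding on stderr; an empty list means the hash passes.
audit_kms_tls_options(SAMPLE_OPTIONS).each { |finding| warn finding }
```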

Public Instance Methods

validate_param(key, opts, format_hint, required: true)

Validate if a KMS parameter is valid.

@param [ Symbol ] key The parameter name.
@param [ Hash ] opts Hash should contain the parameter under the key.
@param [ Boolean ] required Whether the parameter is required or not. Non-required parameters can be nil.

@return [ String | nil ] String parameter value or nil if a non-required parameter is missing.

@raise [ ArgumentError ] If required options are missing or incorrectly formatted.
# File lib/mongo/crypt/kms.rb, line 42
def validate_param(key, opts, format_hint, required: true)
  # Hash#fetch raises KeyError when the key is absent; handled below.
  value = opts.fetch(key)
  # An explicit nil is accepted only for non-required parameters.
  return nil if value.nil? && !required
  if value.nil?
    raise ArgumentError.new(
      "The #{key} option must be a String with at least one character; " \
      "currently have nil"
    )
  end
  unless value.is_a?(String)
    raise ArgumentError.new(
      "The #{key} option must be a String with at least one character; " \
      "currently have #{value}"
    )
  end
  if value.empty?
    raise ArgumentError.new(
      "The #{key} option must be a String with at least one character; " \
      "it is currently an empty string"
    )
  end
  value
rescue KeyError
  # The key is missing entirely. Note that the message below interpolates
  # the whole opts hash, so callers that log it should keep in mind that
  # KMS provider options can hold credentials.
  if required
    raise ArgumentError.new(
      "The specified KMS provider options are invalid: #{opts}. " +
      format_hint
    )
  else
    nil
  end
end

Private Instance Methods

validate_tls_options(options)

Validate KMS TLS options.
