From b63dfbe1e40be437aa462e1ec96fc6836f25df62 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 15 Feb 2023 11:36:42 -0600
Subject: [PATCH] PYTHON-3533 Permit tlsDisableOCSPEndpointCheck in KMS TLS options (#1155)

---
 .evergreen/run-tests.sh | 3 ++-
 pymongo/uri_parser.py   | 1 -
 test/test_encryption.py | 28 ++++++++++++++++++++++------
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
index d495e2671..3a15163b6 100755
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@@ -151,7 +151,8 @@ fi
 if [ -n "$TEST_ENCRYPTION" ]; then
     # Need aws dependency for On-Demand KMS Credentials.
-    python -m pip install '.[aws]'
+    # Need OSCP dependency to verify OCSP TSL args.
+    python -m pip install '.[aws,ocsp]'
     # Get access to the AWS temporary credentials:
     # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
diff --git a/pymongo/uri_parser.py b/pymongo/uri_parser.py
index f59af2e74..398dfbff0 100644
--- a/pymongo/uri_parser.py
+++ b/pymongo/uri_parser.py
@@ -605,7 +605,6 @@ def _parse_kms_tls_options(kms_tls_options):
             "tlsInsecure",
             "tlsAllowInvalidCertificates",
             "tlsAllowInvalidHostnames",
-            "tlsDisableOCSPEndpointCheck",
             "tlsDisableCertificateRevocationCheck",
         ]:
             if n in opts:
diff --git a/test/test_encryption.py b/test/test_encryption.py
index dcfb63916..1b9a0d823 100644
--- a/test/test_encryption.py
+++ b/test/test_encryption.py
@@ -155,7 +155,6 @@ class TestAutoEncryptionOpts(PyMongoTestCase):
             {"kmip": {"tls": True, "tlsInsecure": True}},
             {"kmip": {"tls": True, "tlsAllowInvalidCertificates": True}},
             {"kmip": {"tls": True, "tlsAllowInvalidHostnames": True}},
-            {"kmip": {"tls": True, "tlsDisableOCSPEndpointCheck": True}},
         ]:
             with self.assertRaisesRegex(ConfigurationError, "Insecure TLS options prohibited"):
                 opts = AutoEncryptionOpts({}, "k.d", kms_tls_options=tls_opts)
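Review bot: The added comment misspells both acronyms; `# Need OSCP dependency to verify OCSP TSL args.` should read `# Need OCSP dependency to verify OCSP TLS args.`. It is also worth recording that installing the `ocsp` extra does more than add a dependency: the widened error-message regexes elsewhere in this patch suggest the encryption tests then run against a different TLS backend than the stdlib `ssl` one, which is inferred from those regex changes rather than visible here. A second line such as `# Installing [ocsp] appears to change the TLS backend the tests exercise; keep error regexes in test_encryption.py in sync.` would warn the next maintainer that the two CI configurations are not equivalent.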
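Review bot: The prohibited-option list now accepts `tlsDisableOCSPEndpointCheck` while still rejecting `tlsDisableCertificateRevocationCheck`, and nothing in the code explains the asymmetry, so a future reader is likely to either re-add the first or drop the second. A comment above the list would anchor the decision, e.g. `# tlsDisableOCSPEndpointCheck is allowed: it only skips contacting the OCSP responder and does not turn off certificate or revocation verification. The remaining options weaken authentication of the KMS and stay prohibited.` — the OCSP behaviour itself is implemented elsewhere, so confirm that wording against the TLS helper. `_parse_kms_tls_options` starts before this hunk, so its docstring is the other natural place to state which options are accepted.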
@@ -2014,7 +2013,9 @@ class TestKmsTLSProse(EncryptionIntegrationTest):
         # Some examples:
         # certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)"
         # hostname '127.0.0.1' doesn't match 'wronghost.com'
-        with self.assertRaisesRegex(EncryptionError, "IP address mismatch|wronghost"):
+        with self.assertRaisesRegex(
+            EncryptionError, "IP address mismatch|wronghost|IPAddressMismatch"
+        ):
             self.client_encrypted.create_data_key("aws", master_key=key)
@@ -2067,7 +2068,7 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
         # [SSL: TLSV13_ALERT_CERTIFICATE_REQUIRED] tlsv13 alert certificate required (_ssl.c:2623)
         self.cert_error = (
             "certificate required|SSL handshake failed|"
-            "KMS connection closed|Connection reset by peer"
+            "KMS connection closed|Connection reset by peer|ECONNRESET"
         )
         # On Python 3.10+ this error might be:
         # EOF occurred in violation of protocol (_ssl.c:2384)
@@ -2099,7 +2100,9 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
         # certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)"
         # hostname '127.0.0.1' doesn't match 'wronghost.com'
         key["endpoint"] = "127.0.0.1:8001"
-        with self.assertRaisesRegex(EncryptionError, "IP address mismatch|wronghost"):
+        with self.assertRaisesRegex(
+            EncryptionError, "IP address mismatch|wronghost|IPAddressMismatch"
+        ):
             self.client_encryption_invalid_hostname.create_data_key("aws", key)
 
     def test_02_azure(self):
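Review bot: The new `IPAddressMismatch` alternative in the regex is not covered by the example messages in the comments directly above it, which still list only the stdlib `ssl` wordings, so a reader cannot tell which backend produces it or whether it is still a hostname-verification failure. Add a third example line, e.g. `# IPAddressMismatch: hostname verification failure wording from the alternative TLS backend (presumably pyOpenSSL via the ocsp extra — confirm)`. The same three-way regex is duplicated in the aws, azure and gcp tests in this patch; a module-level constant such as `INVALID_HOSTNAME_ERROR = "IP address mismatch|wronghost|IPAddressMismatch"` would keep them from drifting. The enclosing test method begins before this hunk.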
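Review bot: Appending `ECONNRESET` to `self.cert_error` makes the client-certificate tests accept any reset connection, not only one caused by the server demanding a certificate, so a mock KMS that is down or misconfigured would now satisfy `assertRaisesRegex` and the "certificate required" check could pass vacuously. If a bare reset is genuinely the only signal the alternative TLS backend surfaces here, document that next to the other example messages, e.g. `# With the alternative TLS backend the certificate-required alert may surface only as ECONNRESET.`, hedged since that is inferred rather than shown. Where the harness controls the mock KMS, asserting the server-side reason as well would restore the test's strength. The `setUp` method continues outside this hunk.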
@@ -2114,7 +2117,9 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
         with self.assertRaisesRegex(EncryptionError, "expired|certificate verify failed"):
             self.client_encryption_expired.create_data_key("azure", key)
         # Invalid cert hostname error.
-        with self.assertRaisesRegex(EncryptionError, "IP address mismatch|wronghost"):
+        with self.assertRaisesRegex(
+            EncryptionError, "IP address mismatch|wronghost|IPAddressMismatch"
+        ):
             self.client_encryption_invalid_hostname.create_data_key("azure", key)
 
     def test_03_gcp(self):
@@ -2129,7 +2134,9 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
         with self.assertRaisesRegex(EncryptionError, "expired|certificate verify failed"):
             self.client_encryption_expired.create_data_key("gcp", key)
         # Invalid cert hostname error.
-        with self.assertRaisesRegex(EncryptionError, "IP address mismatch|wronghost"):
+        with self.assertRaisesRegex(
+            EncryptionError, "IP address mismatch|wronghost|IPAddressMismatch"
+        ):
             self.client_encryption_invalid_hostname.create_data_key("gcp", key)
 
     def test_04_kmip(self):
@@ -2146,6 +2153,15 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
         ):
             self.client_encryption_invalid_hostname.create_data_key("kmip")
 
+    def test_05_tlsDisableOCSPEndpointCheck_is_permitted(self):
+        providers = {"aws": {"accessKeyId": "foo", "secretAccessKey": "bar"}}
+        options = {"aws": {"tlsDisableOCSPEndpointCheck": True}}
+        encryption = ClientEncryption(
+            providers, "keyvault.datakeys", self.client, OPTS, kms_tls_options=options
+        )
+        self.assertFalse(encryption._io_callbacks.opts._kms_ssl_contexts["aws"].check_ocsp_endpoint)
+        encryption.close()
+
 
 # https://github.com/mongodb/specifications/blob/50e26fe/source/client-side-encryption/tests/README.rst#unique-index-on-keyaltnames
 class TestUniqueIndexOnKeyAltNamesProse(EncryptionIntegrationTest):
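Review bot: `test_05_tlsDisableOCSPEndpointCheck_is_permitted` only asserts that `check_ocsp_endpoint` is False after passing the option, which would also hold if the attribute simply defaulted to False, so the test does not prove the option is wired through to the KMS SSL context. Asserting the complement in the same test (explicit `False` yields `True`) pins the behaviour, assuming the parser accepts an explicit False and maps it that way — confirm. Separately, `encryption.close()` is skipped whenever the assertion fails; `self.addCleanup(encryption.close)` right after construction closes it on both paths. The test also reads the private `_io_callbacks.opts._kms_ssl_contexts` path, which deserves a one-line comment so a refactor knows what will break; `TestKmsTLSOptions` begins before this hunk.

```python
    def test_05_tlsDisableOCSPEndpointCheck_is_permitted(self):
        providers = {"aws": {"accessKeyId": "foo", "secretAccessKey": "bar"}}
        # Check both values so the test cannot pass on a False default alone.
        # NOTE: reads private state (_io_callbacks/_kms_ssl_contexts); update if that changes.
        for disabled in (False, True):
            options = {"aws": {"tlsDisableOCSPEndpointCheck": disabled}}
            encryption = ClientEncryption(
                providers, "keyvault.datakeys", self.client, OPTS, kms_tls_options=options
            )
            self.addCleanup(encryption.close)
            ctx = encryption._io_callbacks.opts._kms_ssl_contexts["aws"]
            self.assertEqual(ctx.check_ocsp_endpoint, not disabled)
```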