chore(ci): label security tests and generate summary report COMPASS-7960

 (#5902)

.github/workflows/authors-and-third-party-notices.yaml

@@ -43,18 +43,23 @@ jobs:
       - name: Update THIRD-PARTY-NOTICES.md
         run: npm run update-third-party-notices
 
+      - name: Update Security Test Summary
+        run: |
+          npm run update-security-test-summary
+
       - name: Create Pull Request
         id: cpr
         uses: peter-evans/create-pull-request@v6
         with:
           commit-message: Update report
           branch: ci/update-3rd-party-notices-and-authors
-          title: 'chore: update AUTHORS and THIRD-PARTY-NOTICES'
+          title: 'chore: update AUTHORS, THIRD-PARTY-NOTICES, Security Test Summary'
           add-paths: |
             THIRD-PARTY-NOTICES.md
             AUTHORS
+            docs/security-test-summary.md
           body: |
-            - Update `AUTHORS` and `THIRD-PARTY-NOTICES`
+            - Update `AUTHORS`, `THIRD-PARTY-NOTICES` and `docs/security-test-summary.md`
 
       - name: Merge PR
         env:

docs/security-test-summary.md

@@ -0,0 +1,117 @@
+# MongoDB Compass Security Testing Summary
+
+This document lists specific instances of security-relevant testing that is being
+performed for MongoDB Compass. All parts of the MongoDB Compass source code
+are subject to integration and unit testing on every change made to the project,
+including the specific instances listed below.
+
+# Security Tests
+
+## Atlas Login Integration Tests
+
+The Atlas Login feature is thoroughly tested, including proper authentication token
+handling and credential revocation upon signout.
+
+<!-- Source File: `packages/atlas-service/src/main.spec.ts` -->
+
+
+## Connection Import / Export Testing
+
+Compass allows users to export and import connections. Our tests verify that
+the application informs the user about what this feature does, and in particular
+that encryption for credentials is correctly applied.
+
+<!-- Source File: `packages/compass-e2e-tests/tests/import-export-connections.test.ts` -->
+
+
+## In-Use Encryption Testing
+
+MongoDB supports a set of features referred to as "In-Use Encryption".
+The most sensitive data handled as part of these features are Key Management System
+credentials -- our tests verify that these are not stored, unless the user explicitly
+requests that behavior.
+
+Additionally, the application provides a layer of protection for users against
+accidental misconfiguration: When updating decrypted data coming from the server,
+we ensure that when writing back into the database, it is always encrypted again,
+and never sent in plaintext.
+
+<!-- Source File: `packages/compass-e2e-tests/tests/in-use-encryption.test.ts` -->
+
+
+## Enhanced Network Isolation Tests
+
+Compass allows users to specify that the application should not perform any
+network calls that are not necessary for interacting with MongoDB clusters,
+partially because users may consider this deployment more more secure, even
+if it comes with a reduced feature set.
+We ensure that no such network calls happen when this setting is enabled.
+
+<!-- Source File: `packages/compass-e2e-tests/tests/no-network-traffic.test.ts` -->
+
+
+## OIDC Authentication End-to-End Tests
+
+In addition to our regular tests for the different authentication mechanisms supported
+by MongoDB, we give special consideration to our OpenID Connect database authentication
+feature, as it involves client applications performing actions based on directions
+received from the database server.
+
+Additionally, we verify that Compass stores credentials in a way that is consistent with
+what the user has previously specified.
+
+<!-- Source File: `packages/compass-e2e-tests/tests/oidc.test.ts` -->
+
+
+## Connection String Credential Protection Tests
+
+Compass provides a user- or administrator-configurable setting that prevents the application
+from displaying credentials to avoid accidental leakage. Our tests verify that features
+which expose connection information honor this setting.
+
+<!-- Source File: `packages/compass-e2e-tests/tests/protect-connection-strings.test.ts` -->
+
+
+##s Automatic Connection Establishment Tests
+
+Since this application accepts remote host connection information on the command line,
+we thoroughly check such arguments to verify that they do not result in surprising
+behavior for users. In particular, our tests verify that the application warns users
+about options that seem unusual or may not result in unexpected or dangerous application
+behavior.
+
+<!-- Source File: `packages/compass/src/main/auto-connect.spec.ts` -->
+
+
+## Connection Form Password Protection
+
+We verify that database credentials are not displayed to users, unless they
+are actively in the process of editing them.
+
+<!-- Source File: `packages/connection-form/src/components/connection-string-input.spec.tsx` -->
+
+
+## Connection Option Validation Rules
+
+We explicitly verify that the application warns users about connection settings
+that may result in security issues, for example potentially insecure TLS or Proxy settings.
+
+<!-- Source File: `packages/connection-form/src/utils/validation.spec.ts` -->
+
+
+## Secure Credential Storage
+
+We ensure that when sensitive information is persisted, in particular database access credentials,
+it is cryptographically protected through an OS keychain encryption integration.
+
+<!-- Source File: `packages/connection-info/src/connection-secrets.spec.ts` -->
+
+
+## SSH Tunnel Support Testing
+
+We ensure that, when the application opens an SSH Tunnel in response to a user
+request to do so, it does so securely. For example, we verify that no other application
+is able to use the same tunnel.
+
+<!-- Source File: `packages/ssh-tunnel/src/index.spec.ts` -->
+

package.json

@@ -45,6 +45,7 @@
     "where": "monorepo-where",
     "create-workspace": "node ./scripts/create-workspace.js",
     "update-evergreen-config": "node .evergreen/template-yml.js",
+    "update-security-test-summary": "ts-node scripts/generate-security-test-summary.ts > docs/security-test-summary.md",
     "version-packages-next": "npx lerna version \"0.0.0-next-$(git rev-parse HEAD)\" --exact --private --no-git-tag-version --force-publish --no-push --yes",
     "publish-packages-next": "npx lerna publish from-package --no-private --dist-tag next --pre-dist-tag next --yes",
     "prepare": "husky install",

packages/atlas-service/src/main.spec.ts

@@ -13,6 +13,12 @@ function getListenerCount(emitter: EventEmitter) {
   }, 0);
 }
 
+/**
+ * @securityTest Atlas Login Integration Tests
+ *
+ * The Atlas Login feature is thoroughly tested, including proper authentication token
+ * handling and credential revocation upon signout.
+ */
 describe('CompassAuthServiceMain', function () {
   const sandbox = Sinon.createSandbox();
 

packages/compass-connection-import-export/src/hooks/use-export.spec.ts

@@ -89,6 +89,7 @@ describe('useExportConnections', function () {
     await fs.rm(tmpdir, { recursive: true });
   });
 
+  // Security-relevant test -- description is in the protect-connection-strings e2e test.
   it('sets removeSecrets if protectConnectionStrings is set', async function () {
     expect(result.current.exportConnections.state.removeSecrets).to.equal(
       false

packages/compass-e2e-tests/tests/import-export-connections.test.ts

@@ -28,6 +28,13 @@ function waitForConnections() {
   return new Promise((resolve) => setTimeout(resolve, 5000));
 }
 
+/**
+ * @securityTest Connection Import / Export Testing
+ *
+ * Compass allows users to export and import connections. Our tests verify that
+ * the application informs the user about what this feature does, and in particular
+ * that encryption for credentials is correctly applied.
+ */
 describe('Connection Import / Export', function () {
   let tmpdir: string;
   let i = 0;

packages/compass-e2e-tests/tests/in-use-encryption.test.ts

@@ -26,6 +26,19 @@ async function refresh(browser: CompassBrowser) {
   await browser.clickVisible(Selectors.SidebarRefreshDatabasesButton);
 }
 
+/**
+ * @securityTest In-Use Encryption Testing
+ *
+ * MongoDB supports a set of features referred to as "In-Use Encryption".
+ * The most sensitive data handled as part of these features are Key Management System
+ * credentials -- our tests verify that these are not stored, unless the user explicitly
+ * requests that behavior.
+ *
+ * Additionally, the application provides a layer of protection for users against
+ * accidental misconfiguration: When updating decrypted data coming from the server,
+ * we ensure that when writing back into the database, it is always encrypted again,
+ * and never sent in plaintext.
+ */
 describe('CSFLE / QE', function () {
   before(function () {
     skipForWeb(this, 'not available in compass-web');

packages/compass-e2e-tests/tests/no-network-traffic.test.ts

@@ -8,6 +8,15 @@ import { promises as fs } from 'fs';
 import path from 'path';
 import os from 'os';
 
+/**
+ * @securityTest Enhanced Network Isolation Tests
+ *
+ * Compass allows users to specify that the application should not perform any
+ * network calls that are not necessary for interacting with MongoDB clusters,
+ * partially because users may consider this deployment more more secure, even
+ * if it comes with a reduced feature set.
+ * We ensure that no such network calls happen when this setting is enabled.
+ */
 describe('networkTraffic: false / Isolated Edition', function () {
   let tmpdir: string;
   let i = 0;

packages/compass-e2e-tests/tests/oidc.test.ts

@@ -45,6 +45,17 @@ function getTestBrowserShellCommand() {
   )}`;
 }
 
+/**
+ * @securityTest OIDC Authentication End-to-End Tests
+ *
+ * In addition to our regular tests for the different authentication mechanisms supported
+ * by MongoDB, we give special consideration to our OpenID Connect database authentication
+ * feature, as it involves client applications performing actions based on directions
+ * received from the database server.
+ *
+ * Additionally, we verify that Compass stores credentials in a way that is consistent with
+ * what the user has previously specified.
+ */
 describe('OIDC integration', function () {
   let compass: Compass;
   let browser: CompassBrowser;

packages/compass-e2e-tests/tests/protect-connection-strings.test.ts

@@ -34,6 +34,13 @@ async function expectCopyConnectionStringToClipboard(
   }
 }
 
+/**
+ * @securityTest Connection String Credential Protection Tests
+ *
+ * Compass provides a user- or administrator-configurable setting that prevents the application
+ * from displaying credentials to avoid accidental leakage. Our tests verify that features
+ * which expose connection information honor this setting.
+ */
 describe('protectConnectionStrings', function () {
   let compass: Compass;
   let browser: CompassBrowser;

packages/compass-export-to-language/src/modules/transpiler.spec.ts

@@ -154,6 +154,7 @@ FindIterable<Document> result = collection.find(filter);`);
     });
 
     for (const protectConnectionStrings of [false, true]) {
+      // Security-relevant test -- description is in the protect-connection-strings e2e test.
       context(
         `when protect connection strings is ${protectConnectionStrings}`,
         function () {

packages/compass/src/main/auto-connect.spec.ts

@@ -20,6 +20,15 @@ const URI_WITH_DISALLOWED_SERVICE_HOST_AUTH_MECHANISM_PROP =
 const URI_WITH_ALLOWED_SERVICE_HOST_AUTH_MECHANISM_PROP =
   'mongodb://localhost:27017/?authMechanism=GSSAPI&authSource=%24external&authMechanismProperties=CANONICALIZE_HOST_NAME%3Aforward';
 
+/**
+ * @securityTest Automatic Connection Establishment Tests
+ *
+ * Since this application accepts remote host connection information on the command line,
+ * we thoroughly check such arguments to verify that they do not result in surprising
+ * behavior for users. In particular, our tests verify that the application warns users
+ * about options that seem unusual or may not result in unexpected or dangerous application
+ * behavior.
+ */
 describe('auto connect management', function () {
   let sandbox: sinon.SinonSandbox;
   let preferences: Parameters<typeof getWindowAutoConnectPreferences>[1];

packages/connection-form/src/components/connection-string-input.spec.tsx

@@ -33,6 +33,12 @@ const renderConnectionStringInput = (
   );
 };
 
+/**
+ * @securityTest Connection Form Password Protection
+ *
+ * We verify that database credentials are not displayed to users, unless they
+ * are actively in the process of editing them.
+ */
 describe('ConnectionStringInput Component', function () {
   let setEnableEditingConnectionStringSpy: sinon.SinonSpy;
   let updateConnectionFormFieldSpy: sinon.SinonSpy;

packages/connection-form/src/utils/validation.spec.ts

@@ -6,6 +6,12 @@ import {
 } from './validation';
 import type { ConnectionInfo } from '@mongodb-js/connection-info';
 
+/**
+ * @securityTest Connection Option Validation Rules
+ *
+ * We explicitly verify that the application warns users about connection settings
+ * that may result in security issues, for example potentially insecure TLS or Proxy settings.
+ */
 describe('validation', function () {
   describe('Form Validation Errors', function () {
     describe('SSH', function () {

packages/connection-info/src/connection-secrets.spec.ts

@@ -5,6 +5,12 @@ import type { ConnectionSecrets } from './connection-secrets';
 import { mergeSecrets, extractSecrets } from './connection-secrets';
 import { UUID } from 'bson';
 
+/**
+ * @securityTest Secure Credential Storage
+ *
+ * We ensure that when sensitive information is persisted, in particular database access credentials,
+ * it is cryptographically protected through an OS keychain encryption integration.
+ */
 describe('connection secrets', function () {
   describe('mergeSecrets', function () {
     it('does not modify the original object', function () {

packages/connection-storage/src/encrypt.spec.ts

@@ -1,6 +1,7 @@
 import { Encrypter, Decrypter } from './encrypt';
 import { expect } from 'chai';
 
+// Security-relevant test -- see import-export-connections e2e test for description.
 describe('Encryption support', function () {
   it('can encrypt and decrypt data', async function () {
     const encrypter = new Encrypter('passphrase');

packages/connection-storage/src/import-export-connection.spec.ts

@@ -31,6 +31,7 @@ const CONNECTIONS: ConnectionInfo[] = [
   },
 ];
 
+// Security-relevant test -- see import-export-connections e2e test for description.
 describe('Connection serialization', function () {
   it('with default options', async function () {
     const serializedConnections = await serializeConnections(CONNECTIONS);

packages/data-service/src/connect-mongo-client.spec.ts

@@ -267,6 +267,7 @@ describe('connectMongoClient', function () {
   });
 });
 
+// Security-relevant test -- see oidc e2e test for description.
 // eslint-disable-next-line mocha/max-top-level-suites
 describe('prepareOIDCOptions', function () {
   it('defaults allowedFlows to "auth-code"', async function () {

packages/data-service/src/csfle-collection-tracker.spec.ts

@@ -6,6 +6,9 @@ import type { Binary } from 'bson';
 import connect from './connect';
 import { mochaTestServer } from '@mongodb-js/compass-test-server';
 
+// Security-relevant test -- see in-use-encryption e2e tests for description.
+// (In particular, the tests here verify that decrypted data is always encrypted
+// when written back into the database)
 describe('CSFLECollectionTracker', function () {
   const DECRYPTED_KEYS = Symbol.for('@@mdb.decryptedKeys');
   const ALGO_DET = 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic';