feat(NODE-5191): add allowed hosts option

Author: durran

src/cmap/auth/mongo_credentials.ts

@@ -5,6 +5,7 @@ import {
   MongoInvalidArgumentError,
   MongoMissingCredentialsError
 } from '../../error';
+import { isString } from '../../utils';
 import { GSSAPICanonicalizationValue } from './gssapi';
 import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers';
@@ -30,6 +31,18 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
+const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
+
+/** @internal */
+export const DEFAULT_ALLOWED_HOSTS = [
+  '*.mongodb.net',
+  '*.mongodb-dev.net',
+  '*.mongodbgov.net',
+  'localhost',
+  '127.0.0.1',
+  '::1'
+];
+
 /** @public */
 export interface AuthMechanismProperties extends Document {
   SERVICE_HOST?: string;
@@ -103,6 +116,10 @@ export class MongoCredentials {
       }
     }
 
+    if (this.mechanism === AuthMechanism.MONGODB_OIDC && !this.mechanismProperties.ALLOWED_HOSTS) {
+      this.mechanismProperties.ALLOWED_HOSTS = DEFAULT_ALLOWED_HOSTS;
+    }
+
     Object.freeze(this.mechanismProperties);
     Object.freeze(this);
   }
@@ -183,6 +200,18 @@ export class MongoCredentials {
           `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
+
+      if (this.mechanismProperties.ALLOWED_HOSTS) {
+        const hosts = this.mechanismProperties.ALLOWED_HOSTS;
+        if (!Array.isArray(hosts)) {
+          throw new MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR);
+        }
+        for (const host of hosts) {
+          if (!isString(host)) {
+            throw new MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR);
+          }
+        }
+      }
     }
 
     if (AUTH_MECHS_AUTH_SRC_EXTERNAL.has(this.mechanism)) {

src/connection_string.ts

@@ -310,6 +310,17 @@ export function parseOptions(
     );
   }
 
+  const uriMechanismProperties = urlOptions.get('authMechanismProperties');
+  if (uriMechanismProperties) {
+    for (const property of uriMechanismProperties) {
+      if (property.includes('ALLOWED_HOSTS:')) {
+        throw new MongoParseError(
+          'Auth mechanism property ALLOWED_HOSTS is not allowed in the connection string.'
+        );
+      }
+    }
+  }
+
   if (objectOptions.has('loadBalanced')) {
     throw new MongoParseError('loadBalanced is only a valid option in the URI');
   }

src/utils.ts

@@ -31,6 +31,8 @@ import type { Topology } from './sdam/topology';
 import type { ClientSession } from './sessions';
 import { WriteConcern } from './write_concern';
 
+const OBJECT_STRING = '[object String]';
+
 /**
  * MongoDB Driver style callback
  * @public
@@ -59,6 +61,15 @@ export const ByteUtils = {
   }
 };
 
+/**
+ * Use this to test if an object is a string. This is because
+ * typeof new String('test') is 'object' and not 'string'.
+ * @internal
+ */
+export function isString(value: any): boolean {
+  return Object.prototype.toString.call(value) === OBJECT_STRING;
+}
+
 /**
  * Throws if collectionName is not a valid mongodb collection namespace.
  * @internal

test/unit/connection_string.test.ts

@@ -5,6 +5,7 @@ import * as sinon from 'sinon';
 import {
   AUTH_MECHS_AUTH_SRC_EXTERNAL,
   AuthMechanism,
+  DEFAULT_ALLOWED_HOSTS,
   FEATURE_FLAGS,
   MongoAPIError,
   MongoClient,
@@ -210,6 +211,72 @@ describe('Connection String', function () {
     expect(options.readConcern.level).to.equal('local');
   });
 
+  context('when auth mechanism is MONGODB-OIDC', function () {
+    context('when ALLOWED_HOSTS is in the URI', function () {
+      it('raises an error', function () {
+        expect(() => {
+          parseOptions(
+            'mongodb://localhost/?authMechanismProperties=PROVIDER_NAME:aws,ALLOWED_HOSTS:[localhost]&authMechanism=MONGODB-OIDC'
+          );
+        }).to.throw(
+          MongoParseError,
+          'Auth mechanism property ALLOWED_HOSTS is not allowed in the connection string.'
+        );
+      });
+    });
+
+    context('when ALLOWED_HOSTS is in the options', function () {
+      context('when it is an array of strings', function () {
+        const hosts = ['*.example.com'];
+
+        it('sets the allowed hosts property', function () {
+          const options = parseOptions(
+            'mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws',
+            {
+              authMechanismProperties: {
+                ALLOWED_HOSTS: hosts
+              }
+            }
+          );
+          expect(options.credentials.mechanismProperties).to.deep.equal({
+            PROVIDER_NAME: 'aws',
+            ALLOWED_HOSTS: hosts
+          });
+        });
+      });
+
+      context('when it is not an array of strings', function () {
+        it('raises an error', function () {
+          expect(() => {
+            parseOptions(
+              'mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws',
+              {
+                authMechanismProperties: {
+                  ALLOWED_HOSTS: [1, 2, 3]
+                }
+              }
+            );
+          }).to.throw(
+            MongoInvalidArgumentError,
+            'Auth mechanism property ALLOWED_HOSTS must be an array of strings.'
+          );
+        });
+      });
+    });
+
+    context('when ALLOWED_HOSTS is not in the options', function () {
+      it('sets the default value', function () {
+        const options = parseOptions(
+          'mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws'
+        );
+        expect(options.credentials.mechanismProperties).to.deep.equal({
+          PROVIDER_NAME: 'aws',
+          ALLOWED_HOSTS: DEFAULT_ALLOWED_HOSTS
+        });
+      });
+    });
+  });
+
   it('should parse `authMechanismProperties`', function () {
     const options = parseOptions(
       'mongodb://user%40EXAMPLE.COM:secret@localhost/?authMechanismProperties=SERVICE_NAME:other,SERVICE_REALM:blah,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authMechanism=GSSAPI'