From 0f2d93cfb5c08c94c348011da73538dcba7f7817 Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 14:04:36 +0100 Subject: [PATCH 1/7] fix(NODE-5944): make AWS token optional --- test/integration/auth/mongodb_aws.test.ts | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts index 635880c04a8..631e6c655fe 100644 --- a/test/integration/auth/mongodb_aws.test.ts +++ b/test/integration/auth/mongodb_aws.test.ts @@ -67,6 +67,20 @@ describe('MONGODB-AWS', function () { .that.equals(''); }); + it('should not throw an exception when aws token is missing', async function () { + client = this.configuration.newClient(process.env.MONGODB_URI, { + authMechanismProperties: { AWS_SESSION_TOKEN: '' } + }); + const result = await client + .db('aws') + .collection('aws_test') + .estimatedDocumentCount() + .catch(error => error); + + expect(result).to.not.be.instanceOf(MongoServerError); + expect(result).to.be.a('number'); + }); + it('should store a MongoDBAWS provider instance per client', async function () { client = this.configuration.newClient(process.env.MONGODB_URI); From 67f1fcbd22a09d7f7d9177c0e684de8b2fdc26a9 Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 14:29:07 +0100 Subject: [PATCH 2/7] fix: remove check for creds.Token --- src/cmap/auth/mongodb_aws.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts index dae97056b2c..5b0c283c1b3 100644 --- a/src/cmap/auth/mongodb_aws.ts +++ b/src/cmap/auth/mongodb_aws.ts 
@@ -212,7 +212,7 @@ async function makeTempCredentials( provider?: () => Promise ): Promise { function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) { - if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) { + if (!creds.AccessKeyId || !creds.SecretAccessKey) { throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials'); } From aa04944007781bdc20d0fc332b08ae035f6e5221 Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 14:54:09 +0100 Subject: [PATCH 3/7] test: try to delete env --- src/cmap/auth/mongodb_aws.ts | 2 +- test/integration/auth/mongodb_aws.test.ts | 40 +++++++++++++++-------- 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts index 5b0c283c1b3..dae97056b2c 100644 --- a/src/cmap/auth/mongodb_aws.ts +++ b/src/cmap/auth/mongodb_aws.ts @@ -212,7 +212,7 @@ async function makeTempCredentials( provider?: () => Promise ): Promise { function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) { - if (!creds.AccessKeyId || !creds.SecretAccessKey) { + if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) { throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials'); } diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts index 631e6c655fe..b0c3428fa8b 100644 --- a/test/integration/auth/mongodb_aws.test.ts +++ b/test/integration/auth/mongodb_aws.test.ts 
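Review bot: Nothing in the PATCH 2/7 hunk at `@@ -212,7 +212,7 @@` (or its repeat in PATCH 5/7) shows how the rest of `makeMongoCredentialsFromAWSTemp` handles an undefined or empty `creds.Token` once the guard stops rejecting it. The function body continues outside the hunk; if it copies the token into `mechanismProperties.AWS_SESSION_TOKEN` unconditionally, confirm that the request-signing step leaves the session-token header out rather than sending an empty value. A unit test that stubs the `provider` parameter of `makeTempCredentials` to return credentials without `Token` would pin this behaviour without depending on which credential source the CI environment happens to use.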
@@ -67,20 +67,6 @@ describe('MONGODB-AWS', function () { .that.equals(''); }); - it('should not throw an exception when aws token is missing', async function () { - client = this.configuration.newClient(process.env.MONGODB_URI, { - authMechanismProperties: { AWS_SESSION_TOKEN: '' } - }); - const result = await client - .db('aws') - .collection('aws_test') - .estimatedDocumentCount() - .catch(error => error); - - expect(result).to.not.be.instanceOf(MongoServerError); - expect(result).to.be.a('number'); - }); - it('should store a MongoDBAWS provider instance per client', async function () { client = this.configuration.newClient(process.env.MONGODB_URI); @@ -95,6 +81,32 @@ describe('MONGODB-AWS', function () { expect(provider).to.be.instanceOf(MongoDBAWS); }); + describe('with missing aws token', () => { + let awsSessionToken; + + beforeEach(function () { + awsSessionToken = process.env.AWS_SESSION_TOKEN; + delete process.env.AWS_SESSION_TOKEN; + }); + + afterEach(async () => { + process.env.AWS_SESSION_TOKEN = awsSessionToken; + }); + + it('should not throw an exception when aws token is missing', async function () { + client = this.configuration.newClient(process.env.MONGODB_URI); + + const result = await client + .db('aws') + .collection('aws_test') + .estimatedDocumentCount() + .catch(error => error); + + expect(result).to.not.be.instanceOf(MongoServerError); + expect(result).to.be.a('number'); + }); + }); + describe('EC2 with missing credentials', () => { let client; From fdfb26f0a16ec1cb74e1417b5f2362b04791c978 Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 15:47:19 +0100 Subject: [PATCH 4/7] test: try for AssumeRoleWithWebIdentity --- test/integration/auth/mongodb_aws.test.ts | 50 +++++++++++------------ 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts index b0c3428fa8b..97acfdd178b 100644 --- a/test/integration/auth/mongodb_aws.test.ts 
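Review bot: The `afterEach` in the added `describe('with missing aws token')` block (PATCH 3/7, hunk `@@ -95,6 +81,32 @@`; the same block reappears in PATCH 4/7 and PATCH 5/7) restores the variable with `process.env.AWS_SESSION_TOKEN = awsSessionToken;`, and when the variable was unset before the test Node stores the string `'undefined'` instead of leaving it unset. Every later test in the same process would then see a bogus session token in the environment. Restore conditionally instead: `if (awsSessionToken === undefined) delete process.env.AWS_SESSION_TOKEN; else process.env.AWS_SESSION_TOKEN = awsSessionToken;`. Separately, deleting only the environment variable probably leaves the token in place on runs where credentials come from a non-environment source, so the test may not reach the missing-token path there.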
+++ b/test/integration/auth/mongodb_aws.test.ts @@ -81,32 +81,6 @@ describe('MONGODB-AWS', function () { expect(provider).to.be.instanceOf(MongoDBAWS); }); - describe('with missing aws token', () => { - let awsSessionToken; - - beforeEach(function () { - awsSessionToken = process.env.AWS_SESSION_TOKEN; - delete process.env.AWS_SESSION_TOKEN; - }); - - afterEach(async () => { - process.env.AWS_SESSION_TOKEN = awsSessionToken; - }); - - it('should not throw an exception when aws token is missing', async function () { - client = this.configuration.newClient(process.env.MONGODB_URI); - - const result = await client - .db('aws') - .collection('aws_test') - .estimatedDocumentCount() - .catch(error => error); - - expect(result).to.not.be.instanceOf(MongoServerError); - expect(result).to.be.a('number'); - }); - }); - describe('EC2 with missing credentials', () => { let client; @@ -306,6 +280,30 @@ describe('MONGODB-AWS', function () { expect(numberOfFromNodeProviderChainCalls).to.be.eql(1); }); + + context('with missing aws token', () => { + let awsSessionToken; + + beforeEach(function () { + awsSessionToken = process.env.AWS_SESSION_TOKEN; + delete process.env.AWS_SESSION_TOKEN; + }); + + afterEach(async () => { + process.env.AWS_SESSION_TOKEN = awsSessionToken; + }); + + it('should not throw an exception when aws token is missing', async function () { + const result = await client + .db('aws') + .collection('aws_test') + .estimatedDocumentCount() + .catch(error => error); + + expect(result).to.not.be.instanceOf(MongoServerError); + expect(result).to.be.a('number'); + }); + }); }); } }); From 7be2d4cf3a436e1bb05407e16a92c647b18fc84d Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 16:35:24 +0100 Subject: [PATCH 5/7] test: revert --- src/cmap/auth/mongodb_aws.ts | 2 +- test/integration/auth/mongodb_aws.test.ts | 58 +++++++++++++---------- 2 files changed, 34 insertions(+), 26 deletions(-) 
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts index dae97056b2c..5b0c283c1b3 100644 --- a/src/cmap/auth/mongodb_aws.ts +++ b/src/cmap/auth/mongodb_aws.ts @@ -212,7 +212,7 @@ async function makeTempCredentials( provider?: () => Promise ): Promise { function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) { - if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) { + if (!creds.AccessKeyId || !creds.SecretAccessKey) { throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials'); } diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts index 97acfdd178b..18ccc52316c 100644 --- a/test/integration/auth/mongodb_aws.test.ts +++ b/test/integration/auth/mongodb_aws.test.ts @@ -5,7 +5,13 @@ import * as http from 'http'; import { performance } from 'perf_hooks'; import * as sinon from 'sinon'; -import { MongoAWSError, type MongoClient, MongoDBAWS, MongoServerError } from '../../mongodb'; +import { + MongoAWSError, + type MongoClient, + MongoDBAWS, + MongoMissingCredentialsError, + MongoServerError +} from '../../mongodb'; function awsSdk() { try { 
@@ -81,6 +87,32 @@ describe('MONGODB-AWS', function () { expect(provider).to.be.instanceOf(MongoDBAWS); }); + describe('with missing aws token', () => { + let awsSessionToken; + + beforeEach(function () { + awsSessionToken = process.env.AWS_SESSION_TOKEN; + delete process.env.AWS_SESSION_TOKEN; + }); + + afterEach(async () => { + process.env.AWS_SESSION_TOKEN = awsSessionToken; + }); + + it('should not throw an exception when aws token is missing', async function () { + client = this.configuration.newClient(process.env.MONGODB_URI); + + const result = await client + .db('aws') + .collection('aws_test') + .estimatedDocumentCount() + .catch(error => error); + + expect(result).to.not.be.instanceOf(MongoMissingCredentialsError); + expect(result).to.be.a('number'); + }); + }); + describe('EC2 with missing credentials', () => { let client; @@ -280,30 +312,6 @@ describe('MONGODB-AWS', function () { expect(numberOfFromNodeProviderChainCalls).to.be.eql(1); }); - - context('with missing aws token', () => { - let awsSessionToken; - - beforeEach(function () { - awsSessionToken = process.env.AWS_SESSION_TOKEN; - delete process.env.AWS_SESSION_TOKEN; - }); - - afterEach(async () => { - process.env.AWS_SESSION_TOKEN = awsSessionToken; - }); - - it('should not throw an exception when aws token is missing', async function () { - const result = await client - .db('aws') - .collection('aws_test') - .estimatedDocumentCount() - .catch(error => error); - - expect(result).to.not.be.instanceOf(MongoServerError); - expect(result).to.be.a('number'); - }); - }); }); } }); From 13e223c520ecc056a1aa4fad8dc2c491de706670 Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 17:27:04 +0100 Subject: [PATCH 6/7] test: check only for MongoMissingCredentialsError --- test/integration/auth/mongodb_aws.test.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts index 18ccc52316c..cc9e17881fc 100644 --- a/test/integration/auth/mongodb_aws.test.ts +++ b/test/integration/auth/mongodb_aws.test.ts @@ -108,8 +108,11 @@ describe('MONGODB-AWS', function () { .estimatedDocumentCount() .catch(error => error); + // We check only for the MongoMissingCredentialsError + // and do check for the MongoServerError as the error or numeric result + // that can be returned depending on different types of environments + // getting credentials from different sources. expect(result).to.not.be.instanceOf(MongoMissingCredentialsError); - expect(result).to.be.a('number'); }); }); From e7dc44e358c5abe065d6362d2c48fd04be3d2cde Mon Sep 17 00:00:00 2001 From: Alena Khineika Date: Mon, 26 Feb 2024 20:26:01 +0100 Subject: [PATCH 7/7] docs: add comments --- src/cmap/auth/mongodb_aws.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts index 5b0c283c1b3..213d2b0547e 100644 --- a/src/cmap/auth/mongodb_aws.ts +++ b/src/cmap/auth/mongodb_aws.ts @@ -116,6 +116,7 @@ export class MongoDBAWS extends AuthProvider { const accessKeyId = credentials.username; const secretAccessKey = credentials.password; + // Allow the user to specify an AWS session token for authentication with temporary credentials. const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN; // If all three defined, include sessionToken, else include username and pass, else no credentials @@ -129,6 +130,8 @@ export class MongoDBAWS extends AuthProvider { const db = credentials.source; const nonce = await randomBytes(32); + // All messages between MongoDB clients and servers are sent as BSON objects + // in the payload field of saslStart and saslContinue. const saslStart = { saslStart: 1, mechanism: 'MONGODB-AWS', 
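Review bot: With `expect(result).to.be.a('number')` removed in the PATCH 6/7 hunk, the test passes for any rejection that is not a `MongoMissingCredentialsError`, including a `MongoAWSError` or a network failure, because `.catch(error => error)` folds every rejection into `result`. If a document count and a server-side auth rejection are the only acceptable outcomes, assert that explicitly, for example `expect(result).to.satisfy((r: unknown) => typeof r === 'number' || r instanceof MongoServerError);`. The added comment also reads "and do check for the MongoServerError", which looks like it was meant to say "do not check".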
@@ -212,6 +215,7 @@ async function makeTempCredentials( provider?: () => Promise ): Promise { function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) { + // The AWS session token (creds.Token) may or may not be set. if (!creds.AccessKeyId || !creds.SecretAccessKey) { throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials'); }