From 6a4dd70a6d2fc399bf9cad59091e1fe7a9a3168a Mon Sep 17 00:00:00 2001
From: Alena Khineika
Date: Thu, 29 Feb 2024 16:24:06 +0100
Subject: [PATCH 1/3] fix(NODE-5945): backport to 5.x optional AWS session token
---
 src/cmap/auth/mongodb_aws.ts | 6 ++++-
 test/integration/auth/mongodb_aws.test.ts | 29 +++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
index 0e430dd1ac3..78dcceb02cd 100644
--- a/src/cmap/auth/mongodb_aws.ts
+++ b/src/cmap/auth/mongodb_aws.ts
@@ -116,6 +116,7 @@ export class MongoDBAWS extends AuthProvider {
 const accessKeyId = credentials.username;
 const secretAccessKey = credentials.password;
+ // Allow the user to specify an AWS session token for authentication with temporary credentials.
 const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
 // If all three defined, include sessionToken, else include username and pass, else no credentials
@@ -129,6 +130,8 @@ export class MongoDBAWS extends AuthProvider {
 const db = credentials.source;
 const nonce = await randomBytes(32);
+ // All messages between MongoDB clients and servers are sent as BSON objects
+ // in the payload field of saslStart and saslContinue.
 const saslStart = {
 saslStart: 1,
 mechanism: 'MONGODB-AWS',
@@ -212,7 +215,8 @@ async function makeTempCredentials(
 provider?: () => Promise
 ): Promise {
 function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
- if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) {
+ // The AWS session token (creds.Token) may or may not be set.
+ if (!creds.AccessKeyId || !creds.SecretAccessKey) {
 throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials');
 }
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
index 19813249394..568679282be 100644
--- a/test/integration/auth/mongodb_aws.test.ts
+++ b/test/integration/auth/mongodb_aws.test.ts
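Review bot: The relaxed guard in makeMongoCredentialsFromAWSTemp now lets a credential set without creds.Token through, but the added comment only says the token "may or may not be set", not when that is expected or what it leads to, so a reader of the error path will still assume a token is required. A comment such as `// creds.Token (the AWS session token) is optional: only AccessKeyId and SecretAccessKey are required here; presumably credential sources that return a long-lived key pair supply no token, and the result is then built without AWS_SESSION_TOKEN.` would record the contract; the part of makeTempCredentials that consumes creds.Token is outside the hunk, so where an undefined token is dropped should be confirmed there. Note also that the old truthiness check rejected `Token: ''`, whereas the new check passes it on, so the "if all three defined" selection referenced by the context comment in the first hunk presumably needs to treat an empty-string token as absent — worth a check, since a blank session token sent alongside a key pair would simply fail authentication at the server with a less specific error.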
@@ -81,6 +81,35 @@ describe('MONGODB-AWS', function () {
 expect(provider).to.be.instanceOf(MongoDBAWS);
 });
+ describe('with missing aws token', () => {
+ let awsSessionToken;
+
+ beforeEach(function () {
+ awsSessionToken = process.env.AWS_SESSION_TOKEN;
+ delete process.env.AWS_SESSION_TOKEN;
+ });
+
+ afterEach(async () => {
+ process.env.AWS_SESSION_TOKEN = awsSessionToken;
+ });
+
+ it('should not throw an exception when aws token is missing', async function () {
+ client = this.configuration.newClient(process.env.MONGODB_URI);
+
+ const result = await client
+ .db('aws')
+ .collection('aws_test')
+ .estimatedDocumentCount()
+ .catch(error => error);
+
+ // We check only for the MongoMissingCredentialsError
+ // and do check for the MongoServerError as the error or numeric result
+ // that can be returned depending on different types of environments
+ // getting credentials from different sources.
+ expect(result).to.not.be.instanceOf(MongoMissingCredentialsError);
+ });
+ });
+
 describe('EC2 with missing credentials', () => {
 let client;
From a02e4f34521c2a665de8001c715ee5a1934ce0aa Mon Sep 17 00:00:00 2001
From: Alena Khineika
Date: Thu, 29 Feb 2024 16:39:38 +0100
Subject: [PATCH 2/3] test: import error
---
 test/integration/auth/mongodb_aws.test.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
index 568679282be..7564871b404 100644
--- a/test/integration/auth/mongodb_aws.test.ts
+++ b/test/integration/auth/mongodb_aws.test.ts
@@ -5,7 +5,13 @@ import * as http from 'http';
 import { performance } from 'perf_hooks';
 import * as sinon from 'sinon';
-import { MongoAWSError, type MongoClient, MongoDBAWS, MongoServerError } from '../../mongodb';
+import {
+ MongoAWSError,
+ type MongoClient,
+ MongoDBAWS,
+ MongoMissingCredentialsError,
+ MongoServerError
+} from '../../mongodb';
 function awsSdk() {
 try {
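Review bot: The explanatory comment in the new test says "and do check for the MongoServerError", which contradicts the assertion under it (only MongoMissingCredentialsError is excluded; any other error or a numeric count is accepted); presumably "do not check" is meant, e.g. `// and do not check for MongoServerError or a numeric result, since either`. The test also assigns `client` without a declaration inside this describe block and never closes it, so it relies on an outer `let client` and an outer afterEach that closes it, both outside the hunk — worth confirming, since an unclosed client leaks a connection pool across the remaining tests. Finally, because the assertion accepts any non-MongoMissingCredentialsError outcome, a MongoAWSError from a broken credential provider would pass silently; if the intent is only to prove the driver no longer demands a token, asserting that an Error result is a MongoServerError (already imported in this file) would keep the test from masking provider failures.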
From f97eb7b0ba31535e686094e4c293fe46c068d87f Mon Sep 17 00:00:00 2001
From: Neal Beeken
Date: Mon, 4 Mar 2024 11:20:22 -0500
Subject: [PATCH 3/3] test: fix env var restoration
---
 test/integration/auth/mongodb_aws.test.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
index 7564871b404..49abc9afdec 100644
--- a/test/integration/auth/mongodb_aws.test.ts
+++ b/test/integration/auth/mongodb_aws.test.ts
@@ -88,15 +88,17 @@ describe('MONGODB-AWS', function () {
 });
 describe('with missing aws token', () => {
- let awsSessionToken;
+ let awsSessionToken: string | undefined;
- beforeEach(function () {
+ beforeEach(() => {
 awsSessionToken = process.env.AWS_SESSION_TOKEN;
 delete process.env.AWS_SESSION_TOKEN;
 });
- afterEach(async () => {
- process.env.AWS_SESSION_TOKEN = awsSessionToken;
+ afterEach(() => {
+ if (awsSessionToken != null) {
+ process.env.AWS_SESSION_TOKEN = awsSessionToken;
+ }
 });
 it('should not throw an exception when aws token is missing', async function () {