fix: share aws credential fetching logic with aws KMS and only return expected fields

Author: baileympearson

src/client-side-encryption/providers/aws.ts

@@ -1,20 +1,28 @@
 import { getAwsCredentialProvider } from '../../deps';
 import { type KMSProviders } from '.';
+import { AWSSDKCredentialProvider } from '../../cmap/auth/aws_temporary_credentials';
 
 /**
  * @internal
  */
 export async function loadAWSCredentials(kmsProviders: KMSProviders): Promise<KMSProviders> {
-  const credentialProvider = getAwsCredentialProvider();
+  const credentialProvider = new AWSSDKCredentialProvider();
 
-  if ('kModuleError' in credentialProvider) {
-    return kmsProviders;
-  }
+  // We shouldn't ever receive a response from the AWS SDK that doesn't have a `SecretAccessKey`
+  // or `AccessKeyId`.  However, TS says these fields are optional.  We provide empty strings
+  // and let libmongocrypt error if we're unable to fetch the required keys.
+  const {
+    SecretAccessKey = '',
+    AccessKeyId = '',
+    Token
+  } = await credentialProvider.getCredentials();
+  const aws: NonNullable<KMSProviders['aws']> = {
+    secretAccessKey: SecretAccessKey,
+    accessKeyId: AccessKeyId
+  };
+  // the AWS session token is only required for temporary credentials so only attach it to the
+  // result if it's present in the response from the aws sdk
+  Token != null && (aws.sessionToken = Token);
 
-  const { fromNodeProviderChain } = credentialProvider;
-  const provider = fromNodeProviderChain();
-  // The state machine is the only place calling this so it will
-  // catch if there is a rejection here.
-  const aws = await provider();
   return { ...kmsProviders, aws };
 }

test/integration/auth/mongodb_aws.test.ts

@@ -5,30 +5,26 @@ import * as http from 'http';
 import { performance } from 'perf_hooks';
 import * as sinon from 'sinon';
 
+// eslint-disable-next-line @typescript-eslint/no-restricted-imports
+import { KMSCredentialProvider, refreshKMSCredentials } from '../../../src/client-side-encryption/providers';
 import {
   AWSTemporaryCredentialProvider,
   MongoAWSError,
   type MongoClient,
   MongoDBAWS,
   MongoMissingCredentialsError,
-  MongoServerError
+  MongoServerError,
+  setDifference
 } from '../../mongodb';
 
-function awsSdk() {
-  try {
-    return require('@aws-sdk/credential-providers');
-  } catch {
-    return null;
-  }
-}
+const isMongoDBAWSAuthEnvironment = (process.env.MONGODB_URI ?? '').includes('MONGODB_AWS');
 
 describe('MONGODB-AWS', function () {
   let awsSdkPresent;
   let client: MongoClient;
 
   beforeEach(function () {
-    const MONGODB_URI = process.env.MONGODB_URI;
-    if (!MONGODB_URI || MONGODB_URI.indexOf('MONGODB-AWS') === -1) {
+    if (!isMongoDBAWSAuthEnvironment) {
       this.currentTest.skipReason = 'requires MONGODB_URI to contain MONGODB-AWS auth mechanism';
       return this.skip();
     }
@@ -39,7 +35,7 @@ describe('MONGODB-AWS', function () {
       `Always inform the AWS tests if they run with or without the SDK (MONGODB_AWS_SDK=${MONGODB_AWS_SDK})`
     ).to.include(MONGODB_AWS_SDK);
 
-    awsSdkPresent = !!awsSdk();
+    awsSdkPresent = AWSTemporaryCredentialProvider.isAWSSDKInstalled;
     expect(
       awsSdkPresent,
       MONGODB_AWS_SDK === 'true'
@@ -244,8 +240,10 @@ describe('MONGODB-AWS', function () {
 
         const envCheck = () => {
           const { AWS_WEB_IDENTITY_TOKEN_FILE = '' } = process.env;
-          credentialProvider = awsSdk();
-          return AWS_WEB_IDENTITY_TOKEN_FILE.length === 0 || credentialProvider == null;
+          return (
+            AWS_WEB_IDENTITY_TOKEN_FILE.length === 0 ||
+            !AWSTemporaryCredentialProvider.isAWSSDKInstalled
+          );
         };
 
         beforeEach(function () {
@@ -255,6 +253,9 @@ describe('MONGODB-AWS', function () {
             return this.skip();
           }
 
+          // @ts-expect-error We intentionally access a protected variable.
+          credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+
           storedEnv = process.env;
           if (test.env.AWS_STS_REGIONAL_ENDPOINTS === undefined) {
             delete process.env.AWS_STS_REGIONAL_ENDPOINTS;
@@ -324,3 +325,49 @@ describe('MONGODB-AWS', function () {
     }
   });
 });
+
+describe('AWS KMS Credential Fetching', function () {
+  context('when the AWS SDK is not installed', function () {
+    beforeEach(function () {
+      this.currentTest.skipReason = !isMongoDBAWSAuthEnvironment
+        ? 'Test must run in an AWS auth testing environment'
+        : AWSTemporaryCredentialProvider.isAWSSDKInstalled
+        ? 'This test must run in an environment where the AWS SDK is not installed.'
+        : undefined;
+      this.currentTest?.skipReason && this.skip();
+    });
+    it('fetching AWS KMS credentials throws an error', async function () {
+      const error = await new KMSCredentialProvider({ aws: {} }).refreshCredentials().catch(e => e);
+      expect(error).to.be.instanceOf(MongoAWSError);
+    });
+  });
+
+  context('when the AWS SDK is installed', function () {
+    beforeEach(function () {
+      this.currentTest.skipReason = !isMongoDBAWSAuthEnvironment
+        ? 'Test must run in an AWS auth testing environment'
+        : AWSTemporaryCredentialProvider.isAWSSDKInstalled
+        ? 'This test must run in an environment where the AWS SDK is installed.'
+        : undefined;
+      this.currentTest?.skipReason && this.skip();
+    });
+    it('KMS credentials are successfully fetched.', async function () {
+      const { aws } = await refreshKMSCredentials({ aws: {} });
+
+      expect(aws).to.have.property('accessKeyId');
+      expect(aws).to.have.property('secretAccessKey');
+    });
+
+    it('does not return any extra keys for the `aws` credential provider', async function () {
+      const { aws } = await refreshKMSCredentials({ aws: {} });
+
+      const keys = new Set(Object.keys(aws ?? {}));
+      const allowedKeys = ['accessKeyId', 'secretAccessKey', 'sessionToken'];
+
+      expect(
+        setDifference(keys, allowedKeys),
+        'received an unexpected key in the response refreshing KMS credentials'
+      ).to.deep.equal([]);
+    });
+  });
+});

test/unit/client-side-encryption/providers/credentialsProvider.test.ts

@@ -21,6 +21,8 @@ import {
 // eslint-disable-next-line @typescript-eslint/no-restricted-imports
 import * as utils from '../../../../src/client-side-encryption/providers/utils';
 import * as requirements from '../requirements.helper';
+import { AWSSDKCredentialProvider } from '../../../../src/cmap/auth/aws_temporary_credentials';
+import { MongoAWSError } from '../../../../src/error';
 
 const originalAccessKeyId = process.env.AWS_ACCESS_KEY_ID;
 const originalSecretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
@@ -170,9 +172,32 @@ describe('#refreshKMSCredentials', function () {
         }
       });
 
-      it('does not refresh credentials', async function () {
-        const providers = await refreshKMSCredentials(kmsProviders);
-        expect(providers).to.deep.equal(kmsProviders);
+      it('throws a MongoAWSError', async function () {
+        const error = await refreshKMSCredentials(kmsProviders).catch(e => e);
+        const expectedErrorMessage = 'Optional module `@aws-sdk/credential-providers` not found';
+        expect(error).to.be.instanceOf(MongoAWSError).to.match(new RegExp(expectedErrorMessage, 'i'));
+      });
+    });
+
+    context('when the AWS SDK returns unknown fields', function () {
+      beforeEach(() => {
+        sinon.stub(AWSSDKCredentialProvider.prototype, 'getCredentials').resolves({
+          Token: 'example',
+          SecretAccessKey: 'example',
+          AccessKeyId: 'example',
+          Expiration: new Date()
+        });
+      });
+      afterEach(() => sinon.restore());
+      it('only returns fields libmongocrypt expects', async function () {
+        const credentials = await refreshKMSCredentials({ aws: {} });
+        expect(credentials).to.deep.equal({
+          aws: {
+            accessKeyId: accessKey,
+            secretAccessKey: secretKey,
+            sessionToken: sessionToken
+          }
+        });
       });
     });
   });