mongodb 5.0.1 → 5.2.0

package/src/cmap/auth/mongo_credentials.ts

@@ -1,7 +1,12 @@
 // Resolves the default auth mechanism according to
 import type { Document } from '../../bson';
-import { MongoAPIError, MongoMissingCredentialsError } from '../../error';
+import {
+  MongoAPIError,
+  MongoInvalidArgumentError,
+  MongoMissingCredentialsError
+} from '../../error';
 import { GSSAPICanonicalizationValue } from './gssapi';
+import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers';
 
 // https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst
@@ -32,6 +37,12 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
   AWS_SESSION_TOKEN?: string;
+  /** @experimental */
+  REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
+  /** @experimental */
+  REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
+  /** @experimental */
+  PROVIDER_NAME?: 'aws';
 }
 
 /** @public */
@@ -137,6 +148,41 @@ export class MongoCredentials {
       throw new MongoMissingCredentialsError(`Username required for mechanism '${this.mechanism}'`);
     }
 
+    if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
+      if (this.username && this.mechanismProperties.PROVIDER_NAME) {
+        throw new MongoInvalidArgumentError(
+          `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
+        );
+      }
+
+      if (
+        this.mechanismProperties.PROVIDER_NAME &&
+        this.mechanismProperties.PROVIDER_NAME !== 'aws'
+      ) {
+        throw new MongoInvalidArgumentError(
+          `Currently only a PROVIDER_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
+        );
+      }
+
+      if (
+        this.mechanismProperties.REFRESH_TOKEN_CALLBACK &&
+        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+      ) {
+        throw new MongoInvalidArgumentError(
+          `A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'`
+        );
+      }
+
+      if (
+        !this.mechanismProperties.PROVIDER_NAME &&
+        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+      ) {
+        throw new MongoInvalidArgumentError(
+          `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+        );
+      }
+    }
+
     if (AUTH_MECHS_AUTH_SRC_EXTERNAL.has(this.mechanism)) {
       if (this.source != null && this.source !== '$external') {
         // TODO(NODE-3485): Replace this with a MongoAuthValidationError

package/src/cmap/auth/mongocr.ts

@@ -1,47 +1,42 @@
 import * as crypto from 'crypto';
 
 import { MongoMissingCredentialsError } from '../../error';
-import { Callback, ns } from '../../utils';
+import { ns } from '../../utils';
 import { AuthContext, AuthProvider } from './auth_provider';
 
 export class MongoCR extends AuthProvider {
-  override auth(authContext: AuthContext, callback: Callback): void {
+  override async auth(authContext: AuthContext): Promise<void> {
     const { connection, credentials } = authContext;
     if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
-    const username = credentials.username;
-    const password = credentials.password;
-    const source = credentials.source;
-    connection.command(ns(`${source}.$cmd`), { getnonce: 1 }, undefined, (err, r) => {
-      let nonce = null;
-      let key = null;
-
-      // Get nonce
-      if (err == null) {
-        nonce = r.nonce;
-
-        // Use node md5 generator
-        let md5 = crypto.createHash('md5');
-
-        // Generate keys used for authentication
-        md5.update(`${username}:mongo:${password}`, 'utf8');
-        const hash_password = md5.digest('hex');
-
-        // Final key
-        md5 = crypto.createHash('md5');
-        md5.update(nonce + username + hash_password, 'utf8');
-        key = md5.digest('hex');
-      }
-
-      const authenticateCommand = {
-        authenticate: 1,
-        user: username,
-        nonce,
-        key
-      };
-
-      connection.command(ns(`${source}.$cmd`), authenticateCommand, undefined, callback);
-    });
+
+    const { username, password, source } = credentials;
+
+    const { nonce } = await connection.commandAsync(
+      ns(`${source}.$cmd`),
+      { getnonce: 1 },
+      undefined
+    );
+
+    const hashPassword = crypto
+      .createHash('md5')
+      .update(`${username}:mongo:${password}`, 'utf8')
+      .digest('hex');
+
+    // Final key
+    const key = crypto
+      .createHash('md5')
+      .update(`${nonce}${username}${hashPassword}`, 'utf8')
+      .digest('hex');
+
+    const authenticateCommand = {
+      authenticate: 1,
+      user: username,
+      nonce,
+      key
+    };
+
+    await connection.commandAsync(ns(`${source}.$cmd`), authenticateCommand, undefined);
   }
 }

package/src/cmap/auth/mongodb_aws.ts

@@ -1,6 +1,7 @@
 import * as crypto from 'crypto';
 import * as http from 'http';
 import * as url from 'url';
+import { promisify } from 'util';
 
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
@@ -11,7 +12,7 @@ import {
   MongoMissingCredentialsError,
   MongoRuntimeError
 } from '../../error';
-import { ByteUtils, Callback, maxWireVersion, ns } from '../../utils';
+import { ByteUtils, maxWireVersion, ns } from '../../utils';
 import { AuthContext, AuthProvider } from './auth_provider';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
@@ -21,6 +22,7 @@ const AWS_RELATIVE_URI = 'http://169.254.170.2';
 const AWS_EC2_URI = 'http://169.254.169.254';
 const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 const bsonOptions: BSONSerializeOptions = {
+  useBigInt64: false,
   promoteLongs: true,
   promoteValues: true,
   promoteBuffers: false,
@@ -34,37 +36,36 @@ interface AWSSaslContinuePayload {
 }
 
 export class MongoDBAWS extends AuthProvider {
-  override auth(authContext: AuthContext, callback: Callback): void {
-    const { connection, credentials } = authContext;
-    if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+  randomBytesAsync: (size: number) => Promise<Buffer>;
+
+  constructor() {
+    super();
+    this.randomBytesAsync = promisify(crypto.randomBytes);
+  }
+
+  override async auth(authContext: AuthContext): Promise<void> {
+    const { connection } = authContext;
+    if (!authContext.credentials) {
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
 
     if ('kModuleError' in aws4) {
-      return callback(aws4['kModuleError']);
+      throw aws4['kModuleError'];
     }
     const { sign } = aws4;
 
     if (maxWireVersion(connection) < 9) {
-      callback(
-        new MongoCompatibilityError(
-          'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
-        )
+      throw new MongoCompatibilityError(
+        'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
       );
-      return;
     }
 
-    if (!credentials.username) {
-      makeTempCredentials(credentials, (err, tempCredentials) => {
-        if (err || !tempCredentials) return callback(err);
-
-        authContext.credentials = tempCredentials;
-        this.auth(authContext, callback);
-      });
-
-      return;
+    if (!authContext.credentials.username) {
+      authContext.credentials = await makeTempCredentials(authContext.credentials);
     }
 
+    const { credentials } = authContext;
+
     const accessKeyId = credentials.username;
     const secretAccessKey = credentials.password;
     const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
@@ -78,87 +79,75 @@ export class MongoDBAWS extends AuthProvider {
         : undefined;
 
     const db = credentials.source;
-    crypto.randomBytes(32, (err, nonce) => {
-      if (err) {
-        callback(err);
-        return;
-      }
+    const nonce = await this.randomBytesAsync(32);
+
+    const saslStart = {
+      saslStart: 1,
+      mechanism: 'MONGODB-AWS',
+      payload: BSON.serialize({ r: nonce, p: ASCII_N }, bsonOptions)
+    };
+
+    const saslStartResponse = await connection.commandAsync(ns(`${db}.$cmd`), saslStart, undefined);
+
+    const serverResponse = BSON.deserialize(saslStartResponse.payload.buffer, bsonOptions) as {
+      s: Binary;
+      h: string;
+    };
+    const host = serverResponse.h;
+    const serverNonce = serverResponse.s.buffer;
+    if (serverNonce.length !== 64) {
+      // TODO(NODE-3483)
+      throw new MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`);
+    }
 
-      const saslStart = {
-        saslStart: 1,
-        mechanism: 'MONGODB-AWS',
-        payload: BSON.serialize({ r: nonce, p: ASCII_N }, bsonOptions)
-      };
-
-      connection.command(ns(`${db}.$cmd`), saslStart, undefined, (err, res) => {
-        if (err) return callback(err);
-
-        const serverResponse = BSON.deserialize(res.payload.buffer, bsonOptions) as {
-          s: Binary;
-          h: string;
-        };
-        const host = serverResponse.h;
-        const serverNonce = serverResponse.s.buffer;
-        if (serverNonce.length !== 64) {
-          callback(
-            // TODO(NODE-3483)
-            new MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`)
-          );
+    if (!ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
+      // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes
+      // https://github.com/mongodb/specifications/blob/875446db44aade414011731840831f38a6c668df/source/auth/auth.rst#id11
 
-          return;
-        }
+      // TODO(NODE-3483)
+      throw new MongoRuntimeError('Server nonce does not begin with client nonce');
+    }
 
-        if (!ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
-          // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes
-          // https://github.com/mongodb/specifications/blob/875446db44aade414011731840831f38a6c668df/source/auth/auth.rst#id11
+    if (host.length < 1 || host.length > 255 || host.indexOf('..') !== -1) {
+      // TODO(NODE-3483)
+      throw new MongoRuntimeError(`Server returned an invalid host: "${host}"`);
+    }
 
-          // TODO(NODE-3483)
-          callback(new MongoRuntimeError('Server nonce does not begin with client nonce'));
-          return;
-        }
+    const body = 'Action=GetCallerIdentity&Version=2011-06-15';
+    const options = sign(
+      {
+        method: 'POST',
+        host,
+        region: deriveRegion(serverResponse.h),
+        service: 'sts',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Length': body.length,
+          'X-MongoDB-Server-Nonce': ByteUtils.toBase64(serverNonce),
+          'X-MongoDB-GS2-CB-Flag': 'n'
+        },
+        path: '/',
+        body
+      },
+      awsCredentials
+    );
 
-        if (host.length < 1 || host.length > 255 || host.indexOf('..') !== -1) {
-          // TODO(NODE-3483)
-          callback(new MongoRuntimeError(`Server returned an invalid host: "${host}"`));
-          return;
-        }
+    const payload: AWSSaslContinuePayload = {
+      a: options.headers.Authorization,
+      d: options.headers['X-Amz-Date']
+    };
 
-        const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-        const options = sign(
-          {
-            method: 'POST',
-            host,
-            region: deriveRegion(serverResponse.h),
-            service: 'sts',
-            headers: {
-              'Content-Type': 'application/x-www-form-urlencoded',
-              'Content-Length': body.length,
-              'X-MongoDB-Server-Nonce': ByteUtils.toBase64(serverNonce),
-              'X-MongoDB-GS2-CB-Flag': 'n'
-            },
-            path: '/',
-            body
-          },
-          awsCredentials
-        );
-
-        const payload: AWSSaslContinuePayload = {
-          a: options.headers.Authorization,
-          d: options.headers['X-Amz-Date']
-        };
-        if (sessionToken) {
-          payload.t = sessionToken;
-        }
+    if (sessionToken) {
+      payload.t = sessionToken;
+    }
 
-        const saslContinue = {
-          saslContinue: 1,
-          conversationId: 1,
-          payload: BSON.serialize(payload, bsonOptions)
-        };
+    const saslContinue = {
+      saslContinue: 1,
+      conversationId: 1,
+      payload: BSON.serialize(payload, bsonOptions)
+    };
 
-        connection.command(ns(`${db}.$cmd`), saslContinue, undefined, callback);
-      });
-    });
+    await connection.commandAsync(ns(`${db}.$cmd`), saslContinue, undefined);
   }
 }
 
@@ -178,27 +167,21 @@ export interface AWSCredentials {
   expiration?: Date;
 }
 
-function makeTempCredentials(credentials: MongoCredentials, callback: Callback<MongoCredentials>) {
-  function done(creds: AWSTempCredentials) {
+async function makeTempCredentials(credentials: MongoCredentials): Promise<MongoCredentials> {
+  function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
     if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) {
-      callback(
-        new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials')
-      );
-      return;
+      throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials');
     }
 
-    callback(
-      undefined,
-      new MongoCredentials({
-        username: creds.AccessKeyId,
-        password: creds.SecretAccessKey,
-        source: credentials.source,
-        mechanism: AuthMechanism.MONGODB_AWS,
-        mechanismProperties: {
-          AWS_SESSION_TOKEN: creds.Token
-        }
-      })
-    );
+    return new MongoCredentials({
+      username: creds.AccessKeyId,
+      password: creds.SecretAccessKey,
+      source: credentials.source,
+      mechanism: AuthMechanism.MONGODB_AWS,
+      mechanismProperties: {
+        AWS_SESSION_TOKEN: creds.Token
+      }
+    });
   }
 
   const credentialProvider = getAwsCredentialProvider();
@@ -209,47 +192,32 @@ function makeTempCredentials(credentials: MongoCredentials, callback: Callback<M
     // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
     // is set then drivers MUST assume that it was set by an AWS ECS agent
     if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
-      request(
-        `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`,
-        undefined,
-        (err, res) => {
-          if (err) return callback(err);
-          done(res);
-        }
+      return makeMongoCredentialsFromAWSTemp(
+        await request(`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`)
       );
-
-      return;
     }
 
     // Otherwise assume we are on an EC2 instance
 
     // get a token
-    request(
-      `${AWS_EC2_URI}/latest/api/token`,
-      { method: 'PUT', json: false, headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 } },
-      (err, token) => {
-        if (err) return callback(err);
-
-        // get role name
-        request(
-          `${AWS_EC2_URI}/${AWS_EC2_PATH}`,
-          { json: false, headers: { 'X-aws-ec2-metadata-token': token } },
-          (err, roleName) => {
-            if (err) return callback(err);
-
-            // get temp credentials
-            request(
-              `${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`,
-              { headers: { 'X-aws-ec2-metadata-token': token } },
-              (err, creds) => {
-                if (err) return callback(err);
-                done(creds);
-              }
-            );
-          }
-        );
-      }
-    );
+    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
+      method: 'PUT',
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
+    });
+
+    // get role name
+    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    // get temp credentials
+    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    return makeMongoCredentialsFromAWSTemp(creds);
   } else {
     /*
      * Creates a credential provider that will attempt to find credentials from the
@@ -263,18 +231,17 @@ function makeTempCredentials(credentials: MongoCredentials, callback: Callback<M
      */
     const { fromNodeProviderChain } = credentialProvider;
     const provider = fromNodeProviderChain();
-    provider()
-      .then((creds: AWSCredentials) => {
-        done({
-          AccessKeyId: creds.accessKeyId,
-          SecretAccessKey: creds.secretAccessKey,
-          Token: creds.sessionToken,
-          Expiration: creds.expiration
-        });
-      })
-      .catch((error: Error) => {
-        callback(new MongoAWSError(error.message));
+    try {
+      const creds = await provider();
+      return makeMongoCredentialsFromAWSTemp({
+        AccessKeyId: creds.accessKeyId,
+        SecretAccessKey: creds.secretAccessKey,
+        Token: creds.sessionToken,
+        Expiration: creds.expiration
       });
+    } catch (error) {
+      throw new MongoAWSError(error.message);
+    }
   }
 }
 
@@ -294,42 +261,53 @@ interface RequestOptions {
   headers?: http.OutgoingHttpHeaders;
 }
 
-function request(uri: string, _options: RequestOptions | undefined, callback: Callback) {
-  const options = Object.assign(
-    {
+async function request(uri: string): Promise<Record<string, any>>;
+async function request(
+  uri: string,
+  options?: { json?: true } & RequestOptions
+): Promise<Record<string, any>>;
+async function request(uri: string, options?: { json: false } & RequestOptions): Promise<string>;
+async function request(
+  uri: string,
+  options: RequestOptions = {}
+): Promise<string | Record<string, any>> {
+  return new Promise<string | Record<string, any>>((resolve, reject) => {
+    const requestOptions = {
       method: 'GET',
       timeout: 10000,
-      json: true
-    },
-    url.parse(uri),
-    _options
-  );
-
-  const req = http.request(options, res => {
-    res.setEncoding('utf8');
-
-    let data = '';
-    res.on('data', d => (data += d));
-    res.on('end', () => {
-      if (options.json === false) {
-        callback(undefined, data);
-        return;
-      }
+      json: true,
+      ...url.parse(uri),
+      ...options
+    };
 
-      try {
-        const parsed = JSON.parse(data);
-        callback(undefined, parsed);
-      } catch (err) {
-        // TODO(NODE-3483)
-        callback(new MongoRuntimeError(`Invalid JSON response: "${data}"`));
-      }
+    const req = http.request(requestOptions, res => {
+      res.setEncoding('utf8');
+
+      let data = '';
+      res.on('data', d => {
+        data += d;
+      });
+
+      res.once('end', () => {
+        if (options.json === false) {
+          resolve(data);
+          return;
+        }
+
+        try {
+          const parsed = JSON.parse(data);
+          resolve(parsed);
+        } catch {
+          // TODO(NODE-3483)
+          reject(new MongoRuntimeError(`Invalid JSON response: "${data}"`));
+        }
+      });
     });
-  });
 
-  req.on('timeout', () => {
-    req.destroy(new MongoAWSError(`AWS request to ${uri} timed out after ${options.timeout} ms`));
+    req.once('timeout', () =>
+      req.destroy(new MongoAWSError(`AWS request to ${uri} timed out after ${options.timeout} ms`))
+    );
+    req.once('error', error => reject(error));
+    req.end();
   });
-
-  req.on('error', err => callback(err));
-  req.end();
 }

package/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts

@@ -0,0 +1,26 @@
+import { readFile } from 'fs/promises';
+
+import { MongoAWSError } from '../../../error';
+import { ServiceWorkflow } from './service_workflow';
+
+/**
+ * Device workflow implementation for AWS.
+ *
+ * @internal
+ */
+export class AwsServiceWorkflow extends ServiceWorkflow {
+  constructor() {
+    super();
+  }
+
+  /**
+   * Get the token from the environment.
+   */
+  async getToken(): Promise<string> {
+    const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
+    if (!tokenFile) {
+      throw new MongoAWSError('AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.');
+    }
+    return readFile(tokenFile, 'utf8');
+  }
+}