mongodb 5.1.0 → 5.2.0

package/src/cmap/auth/scram.ts

@@ -1,15 +1,14 @@
 import * as crypto from 'crypto';
+import { promisify } from 'util';
 
 import { Binary, Document } from '../../bson';
 import { saslprep } from '../../deps';
 import {
-  AnyError,
   MongoInvalidArgumentError,
   MongoMissingCredentialsError,
-  MongoRuntimeError,
-  MongoServerError
+  MongoRuntimeError
 } from '../../error';
-import { Callback, emitWarning, ns } from '../../utils';
+import { emitWarning, ns } from '../../utils';
 import type { HandshakeDocument } from '../connect';
 import { AuthContext, AuthProvider } from './auth_provider';
 import type { MongoCredentials } from './mongo_credentials';
@@ -19,53 +18,51 @@ type CryptoMethod = 'sha1' | 'sha256';
 
 class ScramSHA extends AuthProvider {
   cryptoMethod: CryptoMethod;
+  randomBytesAsync: (size: number) => Promise<Buffer>;
   constructor(cryptoMethod: CryptoMethod) {
     super();
     this.cryptoMethod = cryptoMethod || 'sha1';
+    this.randomBytesAsync = promisify(crypto.randomBytes);
   }
 
-  override prepare(handshakeDoc: HandshakeDocument, authContext: AuthContext, callback: Callback) {
+  override async prepare(
+    handshakeDoc: HandshakeDocument,
+    authContext: AuthContext
+  ): Promise<HandshakeDocument> {
     const cryptoMethod = this.cryptoMethod;
     const credentials = authContext.credentials;
     if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
     if (cryptoMethod === 'sha256' && saslprep == null) {
       emitWarning('Warning: no saslprep library specified. Passwords will not be sanitized');
     }
 
-    crypto.randomBytes(24, (err, nonce) => {
-      if (err) {
-        return callback(err);
-      }
-
-      // store the nonce for later use
-      Object.assign(authContext, { nonce });
+    const nonce = await this.randomBytesAsync(24);
+    // store the nonce for later use
+    authContext.nonce = nonce;
 
-      const request = Object.assign({}, handshakeDoc, {
-        speculativeAuthenticate: Object.assign(makeFirstMessage(cryptoMethod, credentials, nonce), {
-          db: credentials.source
-        })
-      });
+    const request = {
+      ...handshakeDoc,
+      speculativeAuthenticate: {
+        ...makeFirstMessage(cryptoMethod, credentials, nonce),
+        db: credentials.source
+      }
+    };
 
-      callback(undefined, request);
-    });
+    return request;
   }
 
-  override auth(authContext: AuthContext, callback: Callback) {
-    const response = authContext.response;
-    if (response && response.speculativeAuthenticate) {
-      continueScramConversation(
+  override async auth(authContext: AuthContext) {
+    const { reauthenticating, response } = authContext;
+    if (response?.speculativeAuthenticate && !reauthenticating) {
+      return continueScramConversation(
         this.cryptoMethod,
         response.speculativeAuthenticate,
-        authContext,
-        callback
+        authContext
       );
-
-      return;
     }
-
-    executeScram(this.cryptoMethod, authContext, callback);
+    return executeScram(this.cryptoMethod, authContext);
   }
 }
 
@@ -106,43 +103,34 @@ function makeFirstMessage(
   };
 }
 
-function executeScram(cryptoMethod: CryptoMethod, authContext: AuthContext, callback: Callback) {
+async function executeScram(cryptoMethod: CryptoMethod, authContext: AuthContext): Promise<void> {
   const { connection, credentials } = authContext;
   if (!credentials) {
-    return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+    throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
   }
   if (!authContext.nonce) {
-    return callback(
-      new MongoInvalidArgumentError('AuthContext must contain a valid nonce property')
-    );
+    throw new MongoInvalidArgumentError('AuthContext must contain a valid nonce property');
   }
   const nonce = authContext.nonce;
   const db = credentials.source;
 
   const saslStartCmd = makeFirstMessage(cryptoMethod, credentials, nonce);
-  connection.command(ns(`${db}.$cmd`), saslStartCmd, undefined, (_err, result) => {
-    const err = resolveError(_err, result);
-    if (err) {
-      return callback(err);
-    }
-
-    continueScramConversation(cryptoMethod, result, authContext, callback);
-  });
+  const response = await connection.commandAsync(ns(`${db}.$cmd`), saslStartCmd, undefined);
+  await continueScramConversation(cryptoMethod, response, authContext);
 }
 
-function continueScramConversation(
+async function continueScramConversation(
   cryptoMethod: CryptoMethod,
   response: Document,
-  authContext: AuthContext,
-  callback: Callback
-) {
+  authContext: AuthContext
+): Promise<void> {
   const connection = authContext.connection;
   const credentials = authContext.credentials;
   if (!credentials) {
-    return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+    throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
   }
   if (!authContext.nonce) {
-    return callback(new MongoInvalidArgumentError('Unable to continue SCRAM without valid nonce'));
+    throw new MongoInvalidArgumentError('Unable to continue SCRAM without valid nonce');
   }
   const nonce = authContext.nonce;
 
@@ -154,11 +142,7 @@ function continueScramConversation(
   if (cryptoMethod === 'sha256') {
     processedPassword = 'kModuleError' in saslprep ? password : saslprep(password);
   } else {
-    try {
-      processedPassword = passwordDigest(username, password);
-    } catch (e) {
-      return callback(e);
-    }
+    processedPassword = passwordDigest(username, password);
   }
 
   const payload = Buffer.isBuffer(response.payload)
@@ -168,20 +152,15 @@ function continueScramConversation(
 
   const iterations = parseInt(dict.i, 10);
   if (iterations && iterations < 4096) {
-    callback(
-      // TODO(NODE-3483)
-      new MongoRuntimeError(`Server returned an invalid iteration count ${iterations}`),
-      false
-    );
-    return;
+    // TODO(NODE-3483)
+    throw new MongoRuntimeError(`Server returned an invalid iteration count ${iterations}`);
   }
 
   const salt = dict.s;
   const rnonce = dict.r;
   if (rnonce.startsWith('nonce')) {
     // TODO(NODE-3483)
-    callback(new MongoRuntimeError(`Server returned an invalid nonce: ${rnonce}`), false);
-    return;
+    throw new MongoRuntimeError(`Server returned an invalid nonce: ${rnonce}`);
   }
 
   // Set up start of proof
@@ -211,30 +190,25 @@ function continueScramConversation(
     payload: new Binary(Buffer.from(clientFinal))
   };
 
-  connection.command(ns(`${db}.$cmd`), saslContinueCmd, undefined, (_err, r) => {
-    const err = resolveError(_err, r);
-    if (err) {
-      return callback(err);
-    }
+  const r = await connection.commandAsync(ns(`${db}.$cmd`), saslContinueCmd, undefined);
+  const parsedResponse = parsePayload(r.payload.value());
 
-    const parsedResponse = parsePayload(r.payload.value());
-    if (!compareDigest(Buffer.from(parsedResponse.v, 'base64'), serverSignature)) {
-      callback(new MongoRuntimeError('Server returned an invalid signature'));
-      return;
-    }
+  if (!compareDigest(Buffer.from(parsedResponse.v, 'base64'), serverSignature)) {
+    throw new MongoRuntimeError('Server returned an invalid signature');
+  }
 
-    if (!r || r.done !== false) {
-      return callback(err, r);
-    }
+  if (r.done !== false) {
+    // If the server sends r.done === true we can save one RTT
+    return;
+  }
 
-    const retrySaslContinueCmd = {
-      saslContinue: 1,
-      conversationId: r.conversationId,
-      payload: Buffer.alloc(0)
-    };
+  const retrySaslContinueCmd = {
+    saslContinue: 1,
+    conversationId: r.conversationId,
+    payload: Buffer.alloc(0)
+  };
 
-    connection.command(ns(`${db}.$cmd`), retrySaslContinueCmd, undefined, callback);
-  });
+  await connection.commandAsync(ns(`${db}.$cmd`), retrySaslContinueCmd, undefined);
 }
 
 function parsePayload(payload: string) {
@@ -363,14 +337,6 @@ function compareDigest(lhs: Buffer, rhs: Uint8Array) {
   return result === 0;
 }
 
-function resolveError(err?: AnyError, result?: Document) {
-  if (err) return err;
-  if (result) {
-    if (result.$err || result.errmsg) return new MongoServerError(result);
-  }
-  return;
-}
-
 export class ScramSHA1 extends ScramSHA {
   constructor() {
     super('sha1');

package/src/cmap/auth/x509.ts

@@ -1,44 +1,38 @@
 import type { Document } from '../../bson';
 import { MongoMissingCredentialsError } from '../../error';
-import { Callback, ns } from '../../utils';
+import { ns } from '../../utils';
 import type { HandshakeDocument } from '../connect';
 import { AuthContext, AuthProvider } from './auth_provider';
 import type { MongoCredentials } from './mongo_credentials';
 
 export class X509 extends AuthProvider {
-  override prepare(
+  override async prepare(
     handshakeDoc: HandshakeDocument,
-    authContext: AuthContext,
-    callback: Callback
-  ): void {
+    authContext: AuthContext
+  ): Promise<HandshakeDocument> {
     const { credentials } = authContext;
     if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
-    Object.assign(handshakeDoc, {
-      speculativeAuthenticate: x509AuthenticateCommand(credentials)
-    });
-
-    callback(undefined, handshakeDoc);
+    return { ...handshakeDoc, speculativeAuthenticate: x509AuthenticateCommand(credentials) };
   }
 
-  override auth(authContext: AuthContext, callback: Callback): void {
+  override async auth(authContext: AuthContext) {
     const connection = authContext.connection;
     const credentials = authContext.credentials;
     if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
     const response = authContext.response;
 
-    if (response && response.speculativeAuthenticate) {
-      return callback();
+    if (response?.speculativeAuthenticate) {
+      return;
     }
 
-    connection.command(
+    await connection.commandAsync(
       ns('$external.$cmd'),
       x509AuthenticateCommand(credentials),
-      undefined,
-      callback
+      undefined
     );
   }
 }

package/src/cmap/command_monitoring_events.ts

@@ -149,8 +149,11 @@ export class CommandFailedEvent {
   }
 }
 
-/** Commands that we want to redact because of the sensitive nature of their contents */
-const SENSITIVE_COMMANDS = new Set([
+/**
+ * Commands that we want to redact because of the sensitive nature of their contents
+ * @internal
+ */
+export const SENSITIVE_COMMANDS = new Set([
   'authenticate',
   'saslStart',
   'saslContinue',

package/src/cmap/commands.ts

@@ -374,7 +374,7 @@ export class Response {
     };
 
     // Position within OP_REPLY at which documents start
-    // (See https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/#wire-op-reply)
+    // (See https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/#wire-op-reply)
     this.index = 20;
 
     // Read the message body

package/src/cmap/connect.ts

@@ -15,19 +15,19 @@ import {
   MongoNetworkError,
   MongoNetworkTimeoutError,
   MongoRuntimeError,
-  MongoServerError,
   needsRetryableWriteLabel
 } from '../error';
-import { Callback, ClientMetadata, HostAddress, makeClientMetadata, ns } from '../utils';
+import { Callback, ClientMetadata, HostAddress, ns } from '../utils';
 import { AuthContext, AuthProvider } from './auth/auth_provider';
 import { GSSAPI } from './auth/gssapi';
 import { MongoCR } from './auth/mongocr';
 import { MongoDBAWS } from './auth/mongodb_aws';
+import { MongoDBOIDC } from './auth/mongodb_oidc';
 import { Plain } from './auth/plain';
 import { AuthMechanism } from './auth/providers';
 import { ScramSHA1, ScramSHA256 } from './auth/scram';
 import { X509 } from './auth/x509';
-import { Connection, ConnectionOptions, CryptoConnection } from './connection';
+import { CommandOptions, Connection, ConnectionOptions, CryptoConnection } from './connection';
 import {
   MAX_SUPPORTED_SERVER_VERSION,
   MAX_SUPPORTED_WIRE_VERSION,
@@ -35,10 +35,12 @@ import {
   MIN_SUPPORTED_WIRE_VERSION
 } from './wire_protocol/constants';
 
-const AUTH_PROVIDERS = new Map<AuthMechanism | string, AuthProvider>([
+/** @internal */
+export const AUTH_PROVIDERS = new Map<AuthMechanism | string, AuthProvider>([
   [AuthMechanism.MONGODB_AWS, new MongoDBAWS()],
   [AuthMechanism.MONGODB_CR, new MongoCR()],
   [AuthMechanism.MONGODB_GSSAPI, new GSSAPI()],
+  [AuthMechanism.MONGODB_OIDC, new MongoDBOIDC()],
   [AuthMechanism.MONGODB_PLAIN, new Plain()],
   [AuthMechanism.MONGODB_SCRAM_SHA1, new ScramSHA1()],
   [AuthMechanism.MONGODB_SCRAM_SHA256, new ScramSHA256()],
@@ -58,7 +60,16 @@ export function connect(options: ConnectionOptions, callback: Callback<Connectio
     if (options.autoEncrypter) {
       ConnectionType = CryptoConnection;
     }
-    performInitialHandshake(new ConnectionType(socket, options), options, callback);
+
+    const connection = new ConnectionType(socket, options);
+
+    performInitialHandshake(connection, options).then(
+      () => callback(undefined, connection),
+      error => {
+        connection.destroy({ force: false });
+        callback(error);
+      }
+    );
   });
 }
 
@@ -89,119 +100,89 @@ function checkSupportedServer(hello: Document, options: ConnectionOptions) {
   return new MongoCompatibilityError(message);
 }
 
-function performInitialHandshake(
+async function performInitialHandshake(
   conn: Connection,
-  options: ConnectionOptions,
-  _callback: Callback
-) {
-  const callback: Callback<Document> = function (err, ret) {
-    if (err && conn) {
-      conn.destroy({ force: false });
-    }
-    _callback(err, ret);
-  };
-
+  options: ConnectionOptions
+): Promise<void> {
   const credentials = options.credentials;
+
   if (credentials) {
     if (
       !(credentials.mechanism === AuthMechanism.MONGODB_DEFAULT) &&
       !AUTH_PROVIDERS.get(credentials.mechanism)
     ) {
-      callback(
-        new MongoInvalidArgumentError(`AuthMechanism '${credentials.mechanism}' not supported`)
-      );
-      return;
+      throw new MongoInvalidArgumentError(`AuthMechanism '${credentials.mechanism}' not supported`);
     }
   }
 
   const authContext = new AuthContext(conn, credentials, options);
-  prepareHandshakeDocument(authContext, (err, handshakeDoc) => {
-    if (err || !handshakeDoc) {
-      return callback(err);
-    }
+  conn.authContext = authContext;
 
-    const handshakeOptions: Document = Object.assign({}, options);
-    if (typeof options.connectTimeoutMS === 'number') {
-      // The handshake technically is a monitoring check, so its socket timeout should be connectTimeoutMS
-      handshakeOptions.socketTimeoutMS = options.connectTimeoutMS;
-    }
+  const handshakeDoc = await prepareHandshakeDocument(authContext);
 
-    const start = new Date().getTime();
-    conn.command(ns('admin.$cmd'), handshakeDoc, handshakeOptions, (err, response) => {
-      if (err) {
-        callback(err);
-        return;
-      }
+  // @ts-expect-error: TODO(NODE-5141): The options need to be filtered properly, Connection options differ from Command options
+  const handshakeOptions: CommandOptions = { ...options };
+  if (typeof options.connectTimeoutMS === 'number') {
+    // The handshake technically is a monitoring check, so its socket timeout should be connectTimeoutMS
+    handshakeOptions.socketTimeoutMS = options.connectTimeoutMS;
+  }
 
-      if (response?.ok === 0) {
-        callback(new MongoServerError(response));
-        return;
-      }
+  const start = new Date().getTime();
+  const response = await conn.commandAsync(ns('admin.$cmd'), handshakeDoc, handshakeOptions);
 
-      if (!('isWritablePrimary' in response)) {
-        // Provide hello-style response document.
-        response.isWritablePrimary = response[LEGACY_HELLO_COMMAND];
-      }
+  if (!('isWritablePrimary' in response)) {
+    // Provide hello-style response document.
+    response.isWritablePrimary = response[LEGACY_HELLO_COMMAND];
+  }
 
-      if (response.helloOk) {
-        conn.helloOk = true;
-      }
+  if (response.helloOk) {
+    conn.helloOk = true;
+  }
 
-      const supportedServerErr = checkSupportedServer(response, options);
-      if (supportedServerErr) {
-        callback(supportedServerErr);
-        return;
-      }
+  const supportedServerErr = checkSupportedServer(response, options);
+  if (supportedServerErr) {
+    throw supportedServerErr;
+  }
 
-      if (options.loadBalanced) {
-        if (!response.serviceId) {
-          return callback(
-            new MongoCompatibilityError(
-              'Driver attempted to initialize in load balancing mode, ' +
-                'but the server does not support this mode.'
-            )
-          );
-        }
-      }
+  if (options.loadBalanced) {
+    if (!response.serviceId) {
+      throw new MongoCompatibilityError(
+        'Driver attempted to initialize in load balancing mode, ' +
+          'but the server does not support this mode.'
+      );
+    }
+  }
 
-      // NOTE: This is metadata attached to the connection while porting away from
-      //       handshake being done in the `Server` class. Likely, it should be
-      //       relocated, or at very least restructured.
-      conn.hello = response;
-      conn.lastHelloMS = new Date().getTime() - start;
-
-      if (!response.arbiterOnly && credentials) {
-        // store the response on auth context
-        authContext.response = response;
-
-        const resolvedCredentials = credentials.resolveAuthMechanism(response);
-        const provider = AUTH_PROVIDERS.get(resolvedCredentials.mechanism);
-        if (!provider) {
-          return callback(
-            new MongoInvalidArgumentError(
-              `No AuthProvider for ${resolvedCredentials.mechanism} defined.`
-            )
-          );
+  // NOTE: This is metadata attached to the connection while porting away from
+  //       handshake being done in the `Server` class. Likely, it should be
+  //       relocated, or at very least restructured.
+  conn.hello = response;
+  conn.lastHelloMS = new Date().getTime() - start;
+
+  if (!response.arbiterOnly && credentials) {
+    // store the response on auth context
+    authContext.response = response;
+
+    const resolvedCredentials = credentials.resolveAuthMechanism(response);
+    const provider = AUTH_PROVIDERS.get(resolvedCredentials.mechanism);
+    if (!provider) {
+      throw new MongoInvalidArgumentError(
+        `No AuthProvider for ${resolvedCredentials.mechanism} defined.`
+      );
+    }
+
+    try {
+      await provider.auth(authContext);
+    } catch (error) {
+      if (error instanceof MongoError) {
+        error.addErrorLabel(MongoErrorLabel.HandshakeError);
+        if (needsRetryableWriteLabel(error, response.maxWireVersion)) {
+          error.addErrorLabel(MongoErrorLabel.RetryableWriteError);
         }
-        provider.auth(authContext, err => {
-          if (err) {
-            if (err instanceof MongoError) {
-              err.addErrorLabel(MongoErrorLabel.HandshakeError);
-              if (needsRetryableWriteLabel(err, response.maxWireVersion)) {
-                err.addErrorLabel(MongoErrorLabel.RetryableWriteError);
-              }
-            }
-            return callback(err);
-          }
-          callback(undefined, conn);
-        });
-
-        return;
       }
-
-      callback(undefined, conn);
-    });
-  });
+      throw error;
+    }
+  }
 }
 
 export interface HandshakeDocument extends Document {
@@ -222,10 +203,9 @@ export interface HandshakeDocument extends Document {
  *
  * This function is only exposed for testing purposes.
  */
-export function prepareHandshakeDocument(
-  authContext: AuthContext,
-  callback: Callback<HandshakeDocument>
-) {
+export async function prepareHandshakeDocument(
+  authContext: AuthContext
+): Promise<HandshakeDocument> {
   const options = authContext.options;
   const compressors = options.compressors ? options.compressors : [];
   const { serverApi } = authContext.connection;
@@ -233,7 +213,7 @@ export function prepareHandshakeDocument(
   const handshakeDoc: HandshakeDocument = {
     [serverApi?.version ? 'hello' : LEGACY_HELLO_COMMAND]: 1,
     helloOk: true,
-    client: options.metadata || makeClientMetadata(options),
+    client: options.metadata,
     compression: compressors
   };
 
@@ -249,23 +229,19 @@ export function prepareHandshakeDocument(
       const provider = AUTH_PROVIDERS.get(AuthMechanism.MONGODB_SCRAM_SHA256);
       if (!provider) {
         // This auth mechanism is always present.
-        return callback(
-          new MongoInvalidArgumentError(
-            `No AuthProvider for ${AuthMechanism.MONGODB_SCRAM_SHA256} defined.`
-          )
+        throw new MongoInvalidArgumentError(
+          `No AuthProvider for ${AuthMechanism.MONGODB_SCRAM_SHA256} defined.`
         );
       }
-      return provider.prepare(handshakeDoc, authContext, callback);
+      return provider.prepare(handshakeDoc, authContext);
     }
     const provider = AUTH_PROVIDERS.get(credentials.mechanism);
     if (!provider) {
-      return callback(
-        new MongoInvalidArgumentError(`No AuthProvider for ${credentials.mechanism} defined.`)
-      );
+      throw new MongoInvalidArgumentError(`No AuthProvider for ${credentials.mechanism} defined.`);
     }
-    return provider.prepare(handshakeDoc, authContext, callback);
+    return provider.prepare(handshakeDoc, authContext);
   }
-  callback(undefined, handshakeDoc);
+  return handshakeDoc;
 }
 
 /** @public */
@@ -347,7 +323,7 @@ function parseSslOptions(options: MakeConnectionOptions): TLSConnectionOpts {
 }
 
 const SOCKET_ERROR_EVENT_LIST = ['error', 'close', 'timeout', 'parseError'] as const;
-type ErrorHandlerEventName = typeof SOCKET_ERROR_EVENT_LIST[number] | 'cancel';
+type ErrorHandlerEventName = (typeof SOCKET_ERROR_EVENT_LIST)[number] | 'cancel';
 const SOCKET_ERROR_EVENTS = new Set(SOCKET_ERROR_EVENT_LIST);
 
 function makeConnection(options: MakeConnectionOptions, _callback: Callback<Stream>) {
@@ -428,7 +404,7 @@ function makeConnection(options: MakeConnectionOptions, _callback: Callback<Stre
       }
     }
 
-    socket.setTimeout(socketTimeoutMS);
+    socket.setTimeout(0);
     callback(undefined, socket);
   }