mongodb 6.19.0-dev.20250918.sha.7c485ef7 → 6.20.0-dev.20250919.sha.b7c67507
- package/lib/cmap/auth/aws_temporary_credentials.js +10 -58
- package/lib/cmap/auth/aws_temporary_credentials.js.map +1 -1
- package/lib/cmap/auth/mongodb_aws.js +1 -4
- package/lib/cmap/auth/mongodb_aws.js.map +1 -1
- package/package.json +1 -1
- package/src/cmap/auth/aws_temporary_credentials.ts +12 -70
- package/src/cmap/auth/mongodb_aws.ts +4 -11
|
@@ -1,46 +1,30 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.
|
|
3
|
+
exports.AWSSDKCredentialProvider = void 0;
|
|
4
4
|
const deps_1 = require("../../deps");
|
|
5
5
|
const error_1 = require("../../error");
|
|
6
|
-
const utils_1 = require("../../utils");
|
|
7
|
-
const AWS_RELATIVE_URI = 'http://169.254.170.2';
|
|
8
|
-
const AWS_EC2_URI = 'http://169.254.169.254';
|
|
9
|
-
const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
|
|
10
|
-
/**
|
|
11
|
-
* @internal
|
|
12
|
-
*
|
|
13
|
-
* Fetches temporary AWS credentials.
|
|
14
|
-
*/
|
|
15
|
-
class AWSTemporaryCredentialProvider {
|
|
16
|
-
static get awsSDK() {
|
|
17
|
-
AWSTemporaryCredentialProvider._awsSDK ??= (0, deps_1.getAwsCredentialProvider)();
|
|
18
|
-
return AWSTemporaryCredentialProvider._awsSDK;
|
|
19
|
-
}
|
|
20
|
-
static get isAWSSDKInstalled() {
|
|
21
|
-
return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
|
|
22
|
-
}
|
|
23
|
-
}
|
|
24
|
-
exports.AWSTemporaryCredentialProvider = AWSTemporaryCredentialProvider;
|
|
25
6
|
/** @internal */
|
|
26
|
-
class AWSSDKCredentialProvider
|
|
7
|
+
class AWSSDKCredentialProvider {
|
|
27
8
|
/**
|
|
28
9
|
* Create the SDK credentials provider.
|
|
29
10
|
* @param credentialsProvider - The credentials provider.
|
|
30
11
|
*/
|
|
31
12
|
constructor(credentialsProvider) {
|
|
32
|
-
super();
|
|
33
13
|
if (credentialsProvider) {
|
|
34
14
|
this._provider = credentialsProvider;
|
|
35
15
|
}
|
|
36
16
|
}
|
|
17
|
+
static get awsSDK() {
|
|
18
|
+
AWSSDKCredentialProvider._awsSDK ??= (0, deps_1.getAwsCredentialProvider)();
|
|
19
|
+
return AWSSDKCredentialProvider._awsSDK;
|
|
20
|
+
}
|
|
37
21
|
/**
|
|
38
22
|
* The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
|
|
39
23
|
* To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
|
|
40
24
|
*/
|
|
41
25
|
get provider() {
|
|
42
|
-
if ('kModuleError' in
|
|
43
|
-
throw
|
|
26
|
+
if ('kModuleError' in AWSSDKCredentialProvider.awsSDK) {
|
|
27
|
+
throw AWSSDKCredentialProvider.awsSDK.kModuleError;
|
|
44
28
|
}
|
|
45
29
|
if (this._provider) {
|
|
46
30
|
return this._provider;
|
|
@@ -83,10 +67,10 @@ class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
|
83
67
|
(AWS_STS_REGIONAL_ENDPOINTS === 'legacy' && !LEGACY_REGIONS.has(AWS_REGION));
|
|
84
68
|
this._provider =
|
|
85
69
|
awsRegionSettingsExist && useRegionalSts
|
|
86
|
-
?
|
|
70
|
+
? AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain({
|
|
87
71
|
clientConfig: { region: AWS_REGION }
|
|
88
72
|
})
|
|
89
|
-
:
|
|
73
|
+
: AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain();
|
|
90
74
|
return this._provider;
|
|
91
75
|
}
|
|
92
76
|
async getCredentials() {
|
|
@@ -115,36 +99,4 @@ class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
|
115
99
|
}
|
|
116
100
|
}
|
|
117
101
|
exports.AWSSDKCredentialProvider = AWSSDKCredentialProvider;
|
|
118
|
-
/**
|
|
119
|
-
* @internal
|
|
120
|
-
* Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
|
|
121
|
-
* section of the Auth spec.
|
|
122
|
-
*/
|
|
123
|
-
class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
124
|
-
async getCredentials() {
|
|
125
|
-
// If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
|
|
126
|
-
// is set then drivers MUST assume that it was set by an AWS ECS agent
|
|
127
|
-
if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
|
|
128
|
-
return await (0, utils_1.request)(`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`);
|
|
129
|
-
}
|
|
130
|
-
// Otherwise assume we are on an EC2 instance
|
|
131
|
-
// get a token
|
|
132
|
-
const token = await (0, utils_1.request)(`${AWS_EC2_URI}/latest/api/token`, {
|
|
133
|
-
method: 'PUT',
|
|
134
|
-
json: false,
|
|
135
|
-
headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
|
|
136
|
-
});
|
|
137
|
-
// get role name
|
|
138
|
-
const roleName = await (0, utils_1.request)(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
|
|
139
|
-
json: false,
|
|
140
|
-
headers: { 'X-aws-ec2-metadata-token': token }
|
|
141
|
-
});
|
|
142
|
-
// get temp credentials
|
|
143
|
-
const creds = await (0, utils_1.request)(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
|
|
144
|
-
headers: { 'X-aws-ec2-metadata-token': token }
|
|
145
|
-
});
|
|
146
|
-
return creds;
|
|
147
|
-
}
|
|
148
|
-
}
|
|
149
|
-
exports.LegacyAWSTemporaryCredentialProvider = LegacyAWSTemporaryCredentialProvider;
|
|
150
102
|
//# sourceMappingURL=aws_temporary_credentials.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws_temporary_credentials.js","sourceRoot":"","sources":["../../../src/cmap/auth/aws_temporary_credentials.ts"],"names":[],"mappings":";;;AAAA,qCAA2E;AAC3E,uCAA4C;
|
|
1
|
+
{"version":3,"file":"aws_temporary_credentials.js","sourceRoot":"","sources":["../../../src/cmap/auth/aws_temporary_credentials.ts"],"names":[],"mappings":";;;AAAA,qCAA2E;AAC3E,uCAA4C;AAoB5C,gBAAgB;AAChB,MAAa,wBAAwB;IAInC;;;OAGG;IACH,YAAY,mBAA2C;QACrD,IAAI,mBAAmB,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,GAAG,mBAAmB,CAAC;QACvC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,MAAM;QACf,wBAAwB,CAAC,OAAO,KAAK,IAAA,+BAAwB,GAAE,CAAC;QAChE,OAAO,wBAAwB,CAAC,OAAO,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,IAAY,QAAQ;QAClB,IAAI,cAAc,IAAI,wBAAwB,CAAC,MAAM,EAAE,CAAC;YACtD,MAAM,wBAAwB,CAAC,MAAM,CAAC,YAAY,CAAC;QACrD,CAAC;QACD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QACD,IAAI,EAAE,0BAA0B,GAAG,EAAE,EAAE,UAAU,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;QACvE,0BAA0B,GAAG,0BAA0B,CAAC,WAAW,EAAE,CAAC;QACtE,UAAU,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;QAEtC,6IAA6I;QAC7I,MAAM,sBAAsB,GAC1B,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,0BAA0B,CAAC,MAAM,KAAK,CAAC,CAAC;QAErE;;;WAGG;QACH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;YAC7B,gBAAgB;YAChB,YAAY;YACZ,gBAAgB;YAChB,gBAAgB;YAChB,YAAY;YACZ,cAAc;YACd,cAAc;YACd,YAAY;YACZ,WAAW;YACX,WAAW;YACX,WAAW;YACX,WAAW;YACX,WAAW;YACX,WAAW;YACX,WAAW;YACX,WAAW;SACZ,CAAC,CAAC;QACH;;;;;;WAMG;QACH,MAAM,cAAc,GAClB,0BAA0B,KAAK,UAAU;YACzC,CAAC,0BAA0B,KAAK,QAAQ,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/E,IAAI,CAAC,SAAS;YACZ,sBAAsB,IAAI,cAAc;gBACtC,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,qBAAqB,CAAC;oBACpD,YAAY,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;iBACrC,CAAC;gBACJ,CAAC,CAAC,wBAAwB,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAAC;QAE9D,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,cAAc;QAClB;;;;;;;;;WASG;QACH,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,eAAe,EAAE,KAAK,CAAC,eAAe;gBACtC,KAAK,EAAE,KAAK,CAAC,YAAY;gBACzB,UAAU,EAAE,KAAK,CAAC,UAAU;aAC7B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,qBAAa,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;CACF;AAxGD,4DAwGC"}
|
|
@@ -20,10 +20,7 @@ const bsonOptions = {
|
|
|
20
20
|
class MongoDBAWS extends auth_provider_1.AuthProvider {
|
|
21
21
|
constructor(credentialProvider) {
|
|
22
22
|
super();
|
|
23
|
-
this.
|
|
24
|
-
this.credentialFetcher = aws_temporary_credentials_1.AWSTemporaryCredentialProvider.isAWSSDKInstalled
|
|
25
|
-
? new aws_temporary_credentials_1.AWSSDKCredentialProvider(credentialProvider)
|
|
26
|
-
: new aws_temporary_credentials_1.LegacyAWSTemporaryCredentialProvider();
|
|
23
|
+
this.credentialFetcher = new aws_temporary_credentials_1.AWSSDKCredentialProvider(credentialProvider);
|
|
27
24
|
}
|
|
28
25
|
async auth(authContext) {
|
|
29
26
|
const { connection } = authContext;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mongodb_aws.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongodb_aws.ts"],"names":[],"mappings":";;;AACA,mCAAmC;AACnC,qCAAkC;AAClC,uCAIqB;AACrB,uCAAyE;AACzE,mDAAiE;AACjE,
|
|
1
|
+
{"version":3,"file":"mongodb_aws.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongodb_aws.ts"],"names":[],"mappings":";;;AACA,mCAAmC;AACnC,qCAAkC;AAClC,uCAIqB;AACrB,uCAAyE;AACzE,mDAAiE;AACjE,2EAIqC;AACrC,2DAAuD;AACvD,2CAA4C;AAE5C,MAAM,OAAO,GAAG,GAAG,CAAC;AACpB,MAAM,WAAW,GAAyB;IACxC,WAAW,EAAE,KAAK;IAClB,YAAY,EAAE,IAAI;IAClB,aAAa,EAAE,IAAI;IACnB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE,KAAK;CAClB,CAAC;AAQF,MAAa,UAAW,SAAQ,4BAAY;IAG1C,YAAY,kBAA0C;QACpD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,iBAAiB,GAAG,IAAI,oDAAwB,CAAC,kBAAkB,CAAC,CAAC;IAC5E,CAAC;IAEQ,KAAK,CAAC,IAAI,CAAC,WAAwB;QAC1C,MAAM,EAAE,UAAU,EAAE,GAAG,WAAW,CAAC;QACnC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;YAC7B,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,cAAc,IAAI,WAAI,EAAE,CAAC;YAC3B,MAAM,WAAI,CAAC,cAAc,CAAC,CAAC;QAC7B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,GAAG,WAAI,CAAC;QAEtB,IAAI,IAAA,sBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,+BAAuB,CAC/B,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YACtC,WAAW,CAAC,WAAW,GAAG,MAAM,mBAAmB,CACjD,WAAW,CAAC,WAAW,EACvB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAEpC,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,CAAC;QACzC,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC;QAC7C,gGAAgG;QAChG,MAAM,YAAY,GAAG,WAAW,CAAC,mBAAmB,CAAC,iBAAiB,CAAC;QAEvE,kGAAkG;QAClG,MAAM,cAAc,GAClB,WAAW,IAAI,eAAe,IAAI,YAAY;YAC5C,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE,YAAY,EAAE;YAChD,CAAC,CAAC,WAAW,IAAI,eAAe;gBAC9B,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE;gBAClC,CAAC,CAAC,SAAS,CAAC;QAElB,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAW,EAAC,EAAE,CAAC,CAAC;QAEpC,4EAA4E;QAC5E,sDAAsD;QACtD,MAAM,SAAS,GAAG;YAChB,SAAS,EAAE,CAAC;YACZ,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,WAAW,CAAC;SAC/D,CAAC;QAEF,MAAM,iBAAiB,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAE3F,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAGpF,CAAC;QACF,MA
AM,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC;QAC9B,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5C,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC9B,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+BAA+B,WAAW,CAAC,MAAM,eAAe,CAAC,CAAC;QAChG,CAAC;QAED,IAAI,CAAC,iBAAS,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;YACxE,0FAA0F;YAC1F,2FAA2F;YAE3F,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+CAA+C,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACtE,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,qCAAqC,IAAI,GAAG,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,IAAI,GAAG,6CAA6C,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAClB;YACE,MAAM,EAAE,MAAM;YACd,IAAI;YACJ,MAAM,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC;YACtC,OAAO,EAAE,KAAK;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,gBAAgB,EAAE,IAAI,CAAC,MAAM;gBAC7B,wBAAwB,EAAE,iBAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACzD,uBAAuB,EAAE,GAAG;aAC7B;YACD,IAAI,EAAE,GAAG;YACT,IAAI;SACL,EACD,cAAc,CACf,CAAC;QAEF,MAAM,OAAO,GAA2B;YACtC,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa;YAChC,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;SACjC,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,GAAG,YAAY,CAAC;QAC3B,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,iBAAiB,CAAC,cAAc;YAChD,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC;SAC9C,CAAC;QAEF,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACtE,CAAC;CACF;AAxHD,gCAwHC;AAED,KAAK,UAAU,mBAAmB,CAChC,WAA6B,EAC7B,oBAA8C;IAE9C,SAAS,+BAA+B,CAAC,KAAyB;QAChE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;YACjD,MAAM,IAAI,oCAA4B,CAAC,oDAAoD,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO,IAAI,oCAAgB,CAAC;YAC1B,QAAQ,EAAE,KAAK,CAAC,WAAW;YAC3B,QAAQ,EAAE,KAAK,CAAC,eAAe;YAC/B,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,SAAS,EAAE,yBAAa,CAAC,WAAW;YACpC,mBAAmB,EAAE;gBACnB,iBAAiB,EAAE,KAAK,CAAC,KAAK;aAC/B;SACF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,oBAAoB,GAAG,MAAM,oBAAoB,CAAC,cAAc,EAAE,CAAC;IAEzE,OAAO,+BAA+B,CAAC,oBAAoB,CAAC,CAAC;AAC/D,CAA
C;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,10 +1,5 @@
|
|
|
1
1
|
import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
|
|
2
2
|
import { MongoAWSError } from '../../error';
|
|
3
|
-
import { request } from '../../utils';
|
|
4
|
-
|
|
5
|
-
const AWS_RELATIVE_URI = 'http://169.254.170.2';
|
|
6
|
-
const AWS_EC2_URI = 'http://169.254.169.254';
|
|
7
|
-
const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
|
|
8
3
|
|
|
9
4
|
/**
|
|
10
5
|
* @internal
|
|
@@ -24,26 +19,9 @@ export interface AWSTempCredentials {
|
|
|
24
19
|
/** @public **/
|
|
25
20
|
export type AWSCredentialProvider = () => Promise<AWSCredentials>;
|
|
26
21
|
|
|
27
|
-
/**
|
|
28
|
-
* @internal
|
|
29
|
-
*
|
|
30
|
-
* Fetches temporary AWS credentials.
|
|
31
|
-
*/
|
|
32
|
-
export abstract class AWSTemporaryCredentialProvider {
|
|
33
|
-
abstract getCredentials(): Promise<AWSTempCredentials>;
|
|
34
|
-
private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
|
|
35
|
-
protected static get awsSDK() {
|
|
36
|
-
AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
|
|
37
|
-
return AWSTemporaryCredentialProvider._awsSDK;
|
|
38
|
-
}
|
|
39
|
-
|
|
40
|
-
static get isAWSSDKInstalled(): boolean {
|
|
41
|
-
return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
|
|
42
|
-
}
|
|
43
|
-
}
|
|
44
|
-
|
|
45
22
|
/** @internal */
|
|
46
|
-
export class AWSSDKCredentialProvider
|
|
23
|
+
export class AWSSDKCredentialProvider {
|
|
24
|
+
private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
|
|
47
25
|
private _provider?: AWSCredentialProvider;
|
|
48
26
|
|
|
49
27
|
/**
|
|
@@ -51,20 +29,23 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
|
51
29
|
* @param credentialsProvider - The credentials provider.
|
|
52
30
|
*/
|
|
53
31
|
constructor(credentialsProvider?: AWSCredentialProvider) {
|
|
54
|
-
super();
|
|
55
|
-
|
|
56
32
|
if (credentialsProvider) {
|
|
57
33
|
this._provider = credentialsProvider;
|
|
58
34
|
}
|
|
59
35
|
}
|
|
60
36
|
|
|
37
|
+
static get awsSDK() {
|
|
38
|
+
AWSSDKCredentialProvider._awsSDK ??= getAwsCredentialProvider();
|
|
39
|
+
return AWSSDKCredentialProvider._awsSDK;
|
|
40
|
+
}
|
|
41
|
+
|
|
61
42
|
/**
|
|
62
43
|
* The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
|
|
63
44
|
* To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
|
|
64
45
|
*/
|
|
65
46
|
private get provider(): () => Promise<AWSCredentials> {
|
|
66
|
-
if ('kModuleError' in
|
|
67
|
-
throw
|
|
47
|
+
if ('kModuleError' in AWSSDKCredentialProvider.awsSDK) {
|
|
48
|
+
throw AWSSDKCredentialProvider.awsSDK.kModuleError;
|
|
68
49
|
}
|
|
69
50
|
if (this._provider) {
|
|
70
51
|
return this._provider;
|
|
@@ -112,15 +93,15 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
|
112
93
|
|
|
113
94
|
this._provider =
|
|
114
95
|
awsRegionSettingsExist && useRegionalSts
|
|
115
|
-
?
|
|
96
|
+
? AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain({
|
|
116
97
|
clientConfig: { region: AWS_REGION }
|
|
117
98
|
})
|
|
118
|
-
:
|
|
99
|
+
: AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain();
|
|
119
100
|
|
|
120
101
|
return this._provider;
|
|
121
102
|
}
|
|
122
103
|
|
|
123
|
-
|
|
104
|
+
async getCredentials(): Promise<AWSTempCredentials> {
|
|
124
105
|
/*
|
|
125
106
|
* Creates a credential provider that will attempt to find credentials from the
|
|
126
107
|
* following sources (listed in order of precedence):
|
|
@@ -144,42 +125,3 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
|
144
125
|
}
|
|
145
126
|
}
|
|
146
127
|
}
|
|
147
|
-
|
|
148
|
-
/**
|
|
149
|
-
* @internal
|
|
150
|
-
* Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
|
|
151
|
-
* section of the Auth spec.
|
|
152
|
-
*/
|
|
153
|
-
export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
|
|
154
|
-
override async getCredentials(): Promise<AWSTempCredentials> {
|
|
155
|
-
// If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
|
|
156
|
-
// is set then drivers MUST assume that it was set by an AWS ECS agent
|
|
157
|
-
if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
|
|
158
|
-
return await request(
|
|
159
|
-
`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`
|
|
160
|
-
);
|
|
161
|
-
}
|
|
162
|
-
|
|
163
|
-
// Otherwise assume we are on an EC2 instance
|
|
164
|
-
|
|
165
|
-
// get a token
|
|
166
|
-
const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
|
|
167
|
-
method: 'PUT',
|
|
168
|
-
json: false,
|
|
169
|
-
headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
|
|
170
|
-
});
|
|
171
|
-
|
|
172
|
-
// get role name
|
|
173
|
-
const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
|
|
174
|
-
json: false,
|
|
175
|
-
headers: { 'X-aws-ec2-metadata-token': token }
|
|
176
|
-
});
|
|
177
|
-
|
|
178
|
-
// get temp credentials
|
|
179
|
-
const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
|
|
180
|
-
headers: { 'X-aws-ec2-metadata-token': token }
|
|
181
|
-
});
|
|
182
|
-
|
|
183
|
-
return creds;
|
|
184
|
-
}
|
|
185
|
-
}
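Review bot: In the `provider` getter, the `'kModuleError' in AWSSDKCredentialProvider.awsSDK` check still runs before `if (this._provider) return this._provider;`, so a caller who passes their own `credentialsProvider` to the constructor gets the module error thrown whenever the AWS SDK module is absent, even though that path never calls `fromNodeProviderChain`. With the legacy fetcher removed there is no SDK-free route left, so if caller-supplied providers are meant to work on their own, return `this._provider` first and only then test for `kModuleError`. Separately, `awsSDK` lost the `protected` modifier it had on the removed base class; nothing in the visible hunks reads it from outside this class, so `private static get awsSDK()` would keep the surface as narrow as before. The getter's body continues between this hunk and the next, and the compiled `package/lib/cmap/auth/aws_temporary_credentials.js` section shows the same order.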
|
|
@@ -11,9 +11,7 @@ import { type AuthContext, AuthProvider } from './auth_provider';
|
|
|
11
11
|
import {
|
|
12
12
|
type AWSCredentialProvider,
|
|
13
13
|
AWSSDKCredentialProvider,
|
|
14
|
-
type AWSTempCredentials
|
|
15
|
-
AWSTemporaryCredentialProvider,
|
|
16
|
-
LegacyAWSTemporaryCredentialProvider
|
|
14
|
+
type AWSTempCredentials
|
|
17
15
|
} from './aws_temporary_credentials';
|
|
18
16
|
import { MongoCredentials } from './mongo_credentials';
|
|
19
17
|
import { AuthMechanism } from './providers';
|
|
@@ -34,16 +32,11 @@ interface AWSSaslContinuePayload {
|
|
|
34
32
|
}
|
|
35
33
|
|
|
36
34
|
export class MongoDBAWS extends AuthProvider {
|
|
37
|
-
private credentialFetcher:
|
|
38
|
-
private credentialProvider?: AWSCredentialProvider;
|
|
35
|
+
private credentialFetcher: AWSSDKCredentialProvider;
|
|
39
36
|
|
|
40
37
|
constructor(credentialProvider?: AWSCredentialProvider) {
|
|
41
38
|
super();
|
|
42
|
-
|
|
43
|
-
this.credentialProvider = credentialProvider;
|
|
44
|
-
this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
|
|
45
|
-
? new AWSSDKCredentialProvider(credentialProvider)
|
|
46
|
-
: new LegacyAWSTemporaryCredentialProvider();
|
|
39
|
+
this.credentialFetcher = new AWSSDKCredentialProvider(credentialProvider);
|
|
47
40
|
}
|
|
48
41
|
|
|
49
42
|
override async auth(authContext: AuthContext): Promise<void> {
|
|
@@ -162,7 +155,7 @@ export class MongoDBAWS extends AuthProvider {
|
|
|
162
155
|
|
|
163
156
|
async function makeTempCredentials(
|
|
164
157
|
credentials: MongoCredentials,
|
|
165
|
-
awsCredentialFetcher:
|
|
158
|
+
awsCredentialFetcher: AWSSDKCredentialProvider
|
|
166
159
|
): Promise<MongoCredentials> {
|
|
167
160
|
function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
|
|
168
161
|
// The AWS session token (creds.Token) may or may not be set.
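Review bot: `credentialFetcher` is now always an `AWSSDKCredentialProvider`, but nothing on the field or the constructor says that this auth provider now depends on the AWS SDK module being loadable. Constructing `MongoDBAWS` succeeds either way, and judging by the `provider` getter in aws_temporary_credentials.ts the module error is only thrown on the first credential fetch, which presumably happens in `auth` / `makeTempCredentials`, whose bodies lie outside these hunks. I would add a comment on the field such as `/** SDK-backed only: the first credential fetch throws the AWS SDK module-load error when that module is not installed; there is no metadata-endpoint fallback. */`. Deployments that relied on the removed fallback should expect credentials to be resolved through the SDK's `fromNodeProviderChain` rather than by a direct metadata-service request.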
|