mongodb 6.5.0 → 6.6.0

package/src/bson.ts

@@ -1,8 +1,10 @@
 import type { DeserializeOptions, SerializeOptions } from 'bson';
+import { BSON } from 'bson';
 
 export {
   Binary,
   BSON,
+  BSONError,
   BSONRegExp,
   BSONSymbol,
   BSONType,
@@ -25,6 +27,18 @@ export {
   UUID
 } from 'bson';
 
+export type BSONElement = BSON.OnDemand['BSONElement'];
+
+export function parseToElementsToArray(bytes: Uint8Array, offset?: number): BSONElement[] {
+  const res = BSON.onDemand.parseToElements(bytes, offset);
+  return Array.isArray(res) ? res : [...res];
+}
+
+export const getInt32LE = BSON.onDemand.NumberUtils.getInt32LE;
+export const getFloat64LE = BSON.onDemand.NumberUtils.getFloat64LE;
+export const getBigInt64LE = BSON.onDemand.NumberUtils.getBigInt64LE;
+export const toUTF8 = BSON.onDemand.ByteUtils.toUTF8;
+
 /**
  * BSON Serialization options.
  * @public

package/src/bulk/common.ts

@@ -12,7 +12,6 @@ import {
 } from '../error';
 import type { Filter, OneOrMore, OptionalId, UpdateFilter, WithoutId } from '../mongo_types';
 import type { CollationOptions, CommandOperationOptions } from '../operations/command';
-import { maybeAddIdToDocuments } from '../operations/common_functions';
 import { DeleteOperation, type DeleteStatement, makeDeleteStatement } from '../operations/delete';
 import { executeOperation } from '../operations/execute_operation';
 import { InsertOperation } from '../operations/insert';
@@ -21,6 +20,7 @@ import { makeUpdateStatement, UpdateOperation, type UpdateStatement } from '../o
 import type { Server } from '../sdam/server';
 import type { Topology } from '../sdam/topology';
 import type { ClientSession } from '../sessions';
+import { maybeAddIdToDocuments } from '../utils';
 import {
   applyRetryableWrites,
   type Callback,
@@ -589,6 +589,7 @@ function executeCommands(
       : null;
 
     if (operation != null) {
+      // eslint-disable-next-line github/no-then
       executeOperation(bulkOperation.s.collection.client, operation).then(
         result => resultHandler(undefined, result),
         error => resultHandler(error)
@@ -1224,7 +1225,7 @@ export abstract class BulkOperationBase {
     const finalOptions = { ...this.s.options, ...options };
     const operation = new BulkWriteShimOperation(this, finalOptions);
 
-    return executeOperation(this.s.collection.client, operation);
+    return await executeOperation(this.s.collection.client, operation);
   }
 
   /**

package/src/change_stream.ts

@@ -19,7 +19,7 @@ import type { AggregateOptions } from './operations/aggregate';
 import type { CollationOptions, OperationParent } from './operations/command';
 import type { ReadPreference } from './read_preference';
 import type { ServerSessionId } from './sessions';
-import { filterOptions, getTopology, type MongoDBNamespace } from './utils';
+import { filterOptions, getTopology, type MongoDBNamespace, squashError } from './utils';
 
 /** @internal */
 const kCursorStream = Symbol('cursorStream');
@@ -379,7 +379,7 @@ export interface ChangeStreamInvalidateDocument extends ChangeStreamDocumentComm
 /**
  * Only present when the `showExpandedEvents` flag is enabled.
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/createIndexes/#mongodb-data-createIndexes
  */
 export interface ChangeStreamCreateIndexDocument
   extends ChangeStreamDocumentCommon,
@@ -392,7 +392,7 @@ export interface ChangeStreamCreateIndexDocument
 /**
  * Only present when the `showExpandedEvents` flag is enabled.
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/dropIndexes/#mongodb-data-dropIndexes
  */
 export interface ChangeStreamDropIndexDocument
   extends ChangeStreamDocumentCommon,
@@ -405,7 +405,7 @@ export interface ChangeStreamDropIndexDocument
 /**
  * Only present when the `showExpandedEvents` flag is enabled.
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/modify/#mongodb-data-modify
  */
 export interface ChangeStreamCollModDocument
   extends ChangeStreamDocumentCommon,
@@ -416,7 +416,7 @@ export interface ChangeStreamCollModDocument
 
 /**
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/create/#mongodb-data-create
  */
 export interface ChangeStreamCreateDocument
   extends ChangeStreamDocumentCommon,
@@ -427,7 +427,7 @@ export interface ChangeStreamCreateDocument
 
 /**
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/shardCollection/#mongodb-data-shardCollection
  */
 export interface ChangeStreamShardCollectionDocument
   extends ChangeStreamDocumentCommon,
@@ -439,7 +439,7 @@ export interface ChangeStreamShardCollectionDocument
 
 /**
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/reshardCollection/#mongodb-data-reshardCollection
  */
 export interface ChangeStreamReshardCollectionDocument
   extends ChangeStreamDocumentCommon,
@@ -451,7 +451,7 @@ export interface ChangeStreamReshardCollectionDocument
 
 /**
  * @public
- * @see https://www.mongodb.com/docs/manual/reference/change-events/
+ * @see https://www.mongodb.com/docs/manual/reference/change-events/refineCollectionShardKey/#mongodb-data-refineCollectionShardKey
  */
 export interface ChangeStreamRefineCollectionShardKeyDocument
   extends ChangeStreamDocumentCommon,
@@ -676,8 +676,8 @@ export class ChangeStream<
         } catch (error) {
           try {
             await this.close();
-          } catch {
-            // We are not concerned with errors from close()
+          } catch (error) {
+            squashError(error);
           }
           throw error;
         }
@@ -703,8 +703,8 @@ export class ChangeStream<
         } catch (error) {
           try {
             await this.close();
-          } catch {
-            // We are not concerned with errors from close()
+          } catch (error) {
+            squashError(error);
           }
           throw error;
         }
@@ -731,8 +731,8 @@ export class ChangeStream<
         } catch (error) {
           try {
             await this.close();
-          } catch {
-            // We are not concerned with errors from close()
+          } catch (error) {
+            squashError(error);
           }
           throw error;
         }
@@ -754,8 +754,8 @@ export class ChangeStream<
     } finally {
       try {
         await this.close();
-      } catch {
-        // we're not concerned with errors from close()
+      } catch (error) {
+        squashError(error);
       }
     }
   }
@@ -867,7 +867,8 @@ export class ChangeStream<
   private _closeEmitterModeWithError(error: AnyError): void {
     this.emit(ChangeStream.ERROR, error);
 
-    this.close().catch(() => null);
+    // eslint-disable-next-line github/no-then
+    this.close().then(undefined, squashError);
   }
 
   /** @internal */
@@ -931,17 +932,21 @@ export class ChangeStream<
 
     if (isResumableError(changeStreamError, this.cursor.maxWireVersion)) {
       this._endStream();
-      this.cursor.close().catch(() => null);
+      // eslint-disable-next-line github/no-then
+      this.cursor.close().then(undefined, squashError);
 
       const topology = getTopology(this.parent);
-      topology.selectServer(
-        this.cursor.readPreference,
-        { operationName: 'reconnect topology in change stream' },
-        serverSelectionError => {
-          if (serverSelectionError) return this._closeEmitterModeWithError(changeStreamError);
-          this.cursor = this._createChangeStreamCursor(this.cursor.resumeOptions);
-        }
-      );
+      topology
+        .selectServer(this.cursor.readPreference, {
+          operationName: 'reconnect topology in change stream'
+        })
+        // eslint-disable-next-line github/no-then
+        .then(
+          () => {
+            this.cursor = this._createChangeStreamCursor(this.cursor.resumeOptions);
+          },
+          () => this._closeEmitterModeWithError(changeStreamError)
+        );
     } else {
       this._closeEmitterModeWithError(changeStreamError);
     }
@@ -957,16 +962,20 @@ export class ChangeStream<
     if (!isResumableError(changeStreamError, this.cursor.maxWireVersion)) {
       try {
         await this.close();
-      } catch {
-        // ignore errors from close
+      } catch (error) {
+        squashError(error);
       }
       throw changeStreamError;
     }
 
-    await this.cursor.close().catch(() => null);
+    try {
+      await this.cursor.close();
+    } catch (error) {
+      squashError(error);
+    }
     const topology = getTopology(this.parent);
     try {
-      await topology.selectServerAsync(this.cursor.readPreference, {
+      await topology.selectServer(this.cursor.readPreference, {
         operationName: 'reconnect topology in change stream'
       });
       this.cursor = this._createChangeStreamCursor(this.cursor.resumeOptions);

package/src/client-side-encryption/auto_encrypter.ts

@@ -467,7 +467,7 @@ export class AutoEncrypter {
       proxyOptions: this._proxyOptions,
       tlsOptions: this._tlsOptions
     });
-    return stateMachine.execute<Document>(this, context);
+    return await stateMachine.execute<Document>(this, context);
   }
 
   /**
@@ -502,7 +502,7 @@ export class AutoEncrypter {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return refreshKMSCredentials(this._kmsProviders);
+    return await refreshKMSCredentials(this._kmsProviders);
   }
 
   /**

package/src/client-side-encryption/client_encryption.ts

@@ -315,7 +315,7 @@ export class ClientEncryption {
       this._keyVaultNamespace
     );
 
-    return this._keyVaultClient
+    return await this._keyVaultClient
       .db(dbName)
       .collection<DataKey>(collectionName)
       .deleteOne({ _id }, { writeConcern: { w: 'majority' } });
@@ -364,7 +364,7 @@ export class ClientEncryption {
       this._keyVaultNamespace
     );
 
-    return this._keyVaultClient
+    return await this._keyVaultClient
       .db(dbName)
       .collection<DataKey>(collectionName)
       .findOne({ _id }, { readConcern: { level: 'majority' } });
@@ -391,7 +391,7 @@ export class ClientEncryption {
       this._keyVaultNamespace
     );
 
-    return this._keyVaultClient
+    return await this._keyVaultClient
       .db(dbName)
       .collection<DataKey>(collectionName)
       .findOne({ keyAltNames: keyAltName }, { readConcern: { level: 'majority' } });
@@ -589,7 +589,7 @@ export class ClientEncryption {
    * ```
    */
   async encrypt(value: unknown, options: ClientEncryptionEncryptOptions): Promise<Binary> {
-    return this._encrypt(value, false, options);
+    return await this._encrypt(value, false, options);
   }
 
   /**
@@ -614,7 +614,7 @@ export class ClientEncryption {
     expression: Document,
     options: ClientEncryptionEncryptOptions
   ): Promise<Binary> {
-    return this._encrypt(expression, true, options);
+    return await this._encrypt(expression, true, options);
   }
 
   /**
@@ -654,7 +654,7 @@ export class ClientEncryption {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return refreshKMSCredentials(this._kmsProviders);
+    return await refreshKMSCredentials(this._kmsProviders);
   }
 
   static get libmongocryptVersion() {

package/src/client-side-encryption/providers/aws.ts

@@ -1,20 +1,27 @@
-import { getAwsCredentialProvider } from '../../deps';
+import { AWSSDKCredentialProvider } from '../../cmap/auth/aws_temporary_credentials';
 import { type KMSProviders } from '.';
 
 /**
  * @internal
  */
 export async function loadAWSCredentials(kmsProviders: KMSProviders): Promise<KMSProviders> {
-  const credentialProvider = getAwsCredentialProvider();
+  const credentialProvider = new AWSSDKCredentialProvider();
 
-  if ('kModuleError' in credentialProvider) {
-    return kmsProviders;
-  }
+  // We shouldn't ever receive a response from the AWS SDK that doesn't have a `SecretAccessKey`
+  // or `AccessKeyId`.  However, TS says these fields are optional.  We provide empty strings
+  // and let libmongocrypt error if we're unable to fetch the required keys.
+  const {
+    SecretAccessKey = '',
+    AccessKeyId = '',
+    Token
+  } = await credentialProvider.getCredentials();
+  const aws: NonNullable<KMSProviders['aws']> = {
+    secretAccessKey: SecretAccessKey,
+    accessKeyId: AccessKeyId
+  };
+  // the AWS session token is only required for temporary credentials so only attach it to the
+  // result if it's present in the response from the aws sdk
+  Token != null && (aws.sessionToken = Token);
 
-  const { fromNodeProviderChain } = credentialProvider;
-  const provider = fromNodeProviderChain();
-  // The state machine is the only place calling this so it will
-  // catch if there is a rejection here.
-  const aws = await provider();
   return { ...kmsProviders, aws };
 }

package/src/client-side-encryption/providers/azure.ts

@@ -148,13 +148,15 @@ export async function fetchAzureKMSToken(
   options: AzureKMSRequestOptions = {}
 ): Promise<AzureTokenCacheEntry> {
   const { headers, url } = prepareRequest(options);
-  const response = await get(url, { headers }).catch(error => {
+  try {
+    const response = await get(url, { headers });
+    return await parseResponse(response);
+  } catch (error) {
     if (error instanceof MongoCryptKMSRequestNetworkTimeoutError) {
       throw new MongoCryptAzureKMSRequestError(`[Azure KMS] ${error.message}`);
     }
     throw error;
-  });
-  return parseResponse(response);
+  }
 }
 
 /**

package/src/cmap/auth/aws_temporary_credentials.ts

@@ -0,0 +1,169 @@
+import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
+import { MongoAWSError } from '../../error';
+import { request } from '../../utils';
+
+const AWS_RELATIVE_URI = 'http://169.254.170.2';
+const AWS_EC2_URI = 'http://169.254.169.254';
+const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
+
+/**
+ * @internal
+ * This interface matches the final result of fetching temporary credentials manually, outlined
+ * in the spec [here](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#ec2-endpoint).
+ *
+ * When we use the AWS SDK, we map the response from the SDK to conform to this interface.
+ */
+export interface AWSTempCredentials {
+  AccessKeyId?: string;
+  SecretAccessKey?: string;
+  Token?: string;
+  RoleArn?: string;
+  Expiration?: Date;
+}
+
+/**
+ * @internal
+ *
+ * Fetches temporary AWS credentials.
+ */
+export abstract class AWSTemporaryCredentialProvider {
+  abstract getCredentials(): Promise<AWSTempCredentials>;
+  private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
+  protected static get awsSDK() {
+    AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
+    return AWSTemporaryCredentialProvider._awsSDK;
+  }
+
+  static get isAWSSDKInstalled(): boolean {
+    return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
+  }
+}
+
+/** @internal */
+export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
+  private _provider?: () => Promise<AWSCredentials>;
+  /**
+   * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
+   * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
+   */
+  private get provider(): () => Promise<AWSCredentials> {
+    if ('kModuleError' in AWSTemporaryCredentialProvider.awsSDK) {
+      throw AWSTemporaryCredentialProvider.awsSDK.kModuleError;
+    }
+    if (this._provider) {
+      return this._provider;
+    }
+    let { AWS_STS_REGIONAL_ENDPOINTS = '', AWS_REGION = '' } = process.env;
+    AWS_STS_REGIONAL_ENDPOINTS = AWS_STS_REGIONAL_ENDPOINTS.toLowerCase();
+    AWS_REGION = AWS_REGION.toLowerCase();
+
+    /** The option setting should work only for users who have explicit settings in their environment, the driver should not encode "defaults" */
+    const awsRegionSettingsExist =
+      AWS_REGION.length !== 0 && AWS_STS_REGIONAL_ENDPOINTS.length !== 0;
+
+    /**
+     * The following regions use the global AWS STS endpoint, sts.amazonaws.com, by default
+     * https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
+     */
+    const LEGACY_REGIONS = new Set([
+      'ap-northeast-1',
+      'ap-south-1',
+      'ap-southeast-1',
+      'ap-southeast-2',
+      'aws-global',
+      'ca-central-1',
+      'eu-central-1',
+      'eu-north-1',
+      'eu-west-1',
+      'eu-west-2',
+      'eu-west-3',
+      'sa-east-1',
+      'us-east-1',
+      'us-east-2',
+      'us-west-1',
+      'us-west-2'
+    ]);
+    /**
+     * If AWS_STS_REGIONAL_ENDPOINTS is set to regional, users are opting into the new behavior of respecting the region settings
+     *
+     * If AWS_STS_REGIONAL_ENDPOINTS is set to legacy, then "old" regions need to keep using the global setting.
+     * Technically the SDK gets this wrong, it reaches out to 'sts.us-east-1.amazonaws.com' when it should be 'sts.amazonaws.com'.
+     * That is not our bug to fix here. We leave that up to the SDK.
+     */
+    const useRegionalSts =
+      AWS_STS_REGIONAL_ENDPOINTS === 'regional' ||
+      (AWS_STS_REGIONAL_ENDPOINTS === 'legacy' && !LEGACY_REGIONS.has(AWS_REGION));
+
+    this._provider =
+      awsRegionSettingsExist && useRegionalSts
+        ? AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain({
+            clientConfig: { region: AWS_REGION }
+          })
+        : AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain();
+
+    return this._provider;
+  }
+
+  override async getCredentials(): Promise<AWSTempCredentials> {
+    /*
+     * Creates a credential provider that will attempt to find credentials from the
+     * following sources (listed in order of precedence):
+     *
+     * - Environment variables exposed via process.env
+     * - SSO credentials from token cache
+     * - Web identity token credentials
+     * - Shared credentials and config ini files
+     * - The EC2/ECS Instance Metadata Service
+     */
+    try {
+      const creds = await this.provider();
+      return {
+        AccessKeyId: creds.accessKeyId,
+        SecretAccessKey: creds.secretAccessKey,
+        Token: creds.sessionToken,
+        Expiration: creds.expiration
+      };
+    } catch (error) {
+      throw new MongoAWSError(error.message, { cause: error });
+    }
+  }
+}
+
+/**
+ * @internal
+ * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
+ * section of the Auth spec.
+ */
+export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
+  override async getCredentials(): Promise<AWSTempCredentials> {
+    // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+    // is set then drivers MUST assume that it was set by an AWS ECS agent
+    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+      return await request(
+        `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`
+      );
+    }
+
+    // Otherwise assume we are on an EC2 instance
+
+    // get a token
+    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
+      method: 'PUT',
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
+    });
+
+    // get role name
+    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    // get temp credentials
+    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    return creds;
+  }
+}

package/src/cmap/auth/gssapi.ts

@@ -29,14 +29,12 @@ type MechanismProperties = {
 async function externalCommand(
   connection: Connection,
   command: ReturnType<typeof saslStart> | ReturnType<typeof saslContinue>
-): Promise<{ payload: string; conversationId: any }> {
-  return connection.command(ns('$external.$cmd'), command, undefined) as Promise<{
-    payload: string;
-    conversationId: any;
-  }>;
+): Promise<{ payload: string; conversationId: number }> {
+  const response = await connection.command(ns('$external.$cmd'), command);
+  return response as { payload: string; conversationId: number };
 }
 
-let krb: typeof Kerberos;
+let krb: Kerberos;
 
 export class GSSAPI extends AuthProvider {
   override async auth(authContext: AuthContext): Promise<void> {
@@ -104,7 +102,7 @@ async function makeKerberosClient(authContext: AuthContext): Promise<KerberosCli
     spn = `${spn}@${mechanismProperties.SERVICE_REALM}`;
   }
 
-  return initializeClient(spn, initOptions);
+  return await initializeClient(spn, initOptions);
 }
 
 function saslStart(payload: string) {
@@ -138,14 +136,14 @@ async function negotiate(
       throw error;
     }
     // Adjust number of retries and call step again
-    return negotiate(client, retries - 1, payload);
+    return await negotiate(client, retries - 1, payload);
   }
 }
 
 async function finalize(client: KerberosClient, user: string, payload: string): Promise<string> {
   // GSS Client Unwrap
   const response = await client.unwrap(payload);
-  return client.wrap(response || '', { user });
+  return await client.wrap(response || '', { user });
 }
 
 export async function performGSSAPICanonicalizeHostName(
@@ -174,12 +172,12 @@ export async function performGSSAPICanonicalizeHostName(
       // This can error as ptr records may not exist for all ips. In this case
       // fallback to a cname lookup as dns.lookup() does not return the
       // cname.
-      return resolveCname(host);
+      return await resolveCname(host);
     }
   } else {
     // The case for forward is just to resolve the cname as dns.lookup()
     // will not return it.
-    return resolveCname(host);
+    return await resolveCname(host);
   }
 }