mongodb 6.5.0 → 6.6.0

package/src/cmap/auth/mongodb_aws.ts

@@ -1,45 +1,23 @@
-import * as process from 'process';
-
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4, type AWSCredentials, getAwsCredentialProvider } from '../../deps';
+import { aws4 } from '../../deps';
 import {
-  MongoAWSError,
   MongoCompatibilityError,
   MongoMissingCredentialsError,
   MongoRuntimeError
 } from '../../error';
-import { ByteUtils, maxWireVersion, ns, randomBytes, request } from '../../utils';
+import { ByteUtils, maxWireVersion, ns, randomBytes } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
+import {
+  AWSSDKCredentialProvider,
+  type AWSTempCredentials,
+  AWSTemporaryCredentialProvider,
+  LegacyAWSTemporaryCredentialProvider
+} from './aws_temporary_credentials';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
 
-/**
- * The following regions use the global AWS STS endpoint, sts.amazonaws.com, by default
- * https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
- */
-const LEGACY_REGIONS = new Set([
-  'ap-northeast-1',
-  'ap-south-1',
-  'ap-southeast-1',
-  'ap-southeast-2',
-  'aws-global',
-  'ca-central-1',
-  'eu-central-1',
-  'eu-north-1',
-  'eu-west-1',
-  'eu-west-2',
-  'eu-west-3',
-  'sa-east-1',
-  'us-east-1',
-  'us-east-2',
-  'us-west-1',
-  'us-west-2'
-]);
 const ASCII_N = 110;
-const AWS_RELATIVE_URI = 'http://169.254.170.2';
-const AWS_EC2_URI = 'http://169.254.169.254';
-const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 const bsonOptions: BSONSerializeOptions = {
   useBigInt64: false,
   promoteLongs: true,
@@ -55,40 +33,13 @@ interface AWSSaslContinuePayload {
 }
 
 export class MongoDBAWS extends AuthProvider {
-  static credentialProvider: ReturnType<typeof getAwsCredentialProvider>;
-  provider?: () => Promise<AWSCredentials>;
-
+  private credentialFetcher: AWSTemporaryCredentialProvider;
   constructor() {
     super();
-    MongoDBAWS.credentialProvider ??= getAwsCredentialProvider();
-
-    let { AWS_STS_REGIONAL_ENDPOINTS = '', AWS_REGION = '' } = process.env;
-    AWS_STS_REGIONAL_ENDPOINTS = AWS_STS_REGIONAL_ENDPOINTS.toLowerCase();
-    AWS_REGION = AWS_REGION.toLowerCase();
-
-    /** The option setting should work only for users who have explicit settings in their environment, the driver should not encode "defaults" */
-    const awsRegionSettingsExist =
-      AWS_REGION.length !== 0 && AWS_STS_REGIONAL_ENDPOINTS.length !== 0;
-
-    /**
-     * If AWS_STS_REGIONAL_ENDPOINTS is set to regional, users are opting into the new behavior of respecting the region settings
-     *
-     * If AWS_STS_REGIONAL_ENDPOINTS is set to legacy, then "old" regions need to keep using the global setting.
-     * Technically the SDK gets this wrong, it reaches out to 'sts.us-east-1.amazonaws.com' when it should be 'sts.amazonaws.com'.
-     * That is not our bug to fix here. We leave that up to the SDK.
-     */
-    const useRegionalSts =
-      AWS_STS_REGIONAL_ENDPOINTS === 'regional' ||
-      (AWS_STS_REGIONAL_ENDPOINTS === 'legacy' && !LEGACY_REGIONS.has(AWS_REGION));
 
-    if ('fromNodeProviderChain' in MongoDBAWS.credentialProvider) {
-      this.provider =
-        awsRegionSettingsExist && useRegionalSts
-          ? MongoDBAWS.credentialProvider.fromNodeProviderChain({
-              clientConfig: { region: AWS_REGION }
-            })
-          : MongoDBAWS.credentialProvider.fromNodeProviderChain();
-    }
+    this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
+      ? new AWSSDKCredentialProvider()
+      : new LegacyAWSTemporaryCredentialProvider();
   }
 
   override async auth(authContext: AuthContext): Promise<void> {
@@ -109,7 +60,10 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     if (!authContext.credentials.username) {
-      authContext.credentials = await makeTempCredentials(authContext.credentials, this.provider);
+      authContext.credentials = await makeTempCredentials(
+        authContext.credentials,
+        this.credentialFetcher
+      );
     }
 
     const { credentials } = authContext;
@@ -202,17 +156,9 @@ export class MongoDBAWS extends AuthProvider {
   }
 }
 
-interface AWSTempCredentials {
-  AccessKeyId?: string;
-  SecretAccessKey?: string;
-  Token?: string;
-  RoleArn?: string;
-  Expiration?: Date;
-}
-
 async function makeTempCredentials(
   credentials: MongoCredentials,
-  provider?: () => Promise<AWSCredentials>
+  awsCredentialFetcher: AWSTemporaryCredentialProvider
 ): Promise<MongoCredentials> {
   function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
     // The AWS session token (creds.Token) may or may not be set.
@@ -230,62 +176,9 @@ async function makeTempCredentials(
       }
     });
   }
+  const temporaryCredentials = await awsCredentialFetcher.getCredentials();
 
-  // Check if the AWS credential provider from the SDK is present. If not,
-  // use the old method.
-  if (provider && !('kModuleError' in MongoDBAWS.credentialProvider)) {
-    /*
-     * Creates a credential provider that will attempt to find credentials from the
-     * following sources (listed in order of precedence):
-     *
-     * - Environment variables exposed via process.env
-     * - SSO credentials from token cache
-     * - Web identity token credentials
-     * - Shared credentials and config ini files
-     * - The EC2/ECS Instance Metadata Service
-     */
-    try {
-      const creds = await provider();
-      return makeMongoCredentialsFromAWSTemp({
-        AccessKeyId: creds.accessKeyId,
-        SecretAccessKey: creds.secretAccessKey,
-        Token: creds.sessionToken,
-        Expiration: creds.expiration
-      });
-    } catch (error) {
-      throw new MongoAWSError(error.message);
-    }
-  } else {
-    // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-    // is set then drivers MUST assume that it was set by an AWS ECS agent
-    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
-      return makeMongoCredentialsFromAWSTemp(
-        await request(`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`)
-      );
-    }
-
-    // Otherwise assume we are on an EC2 instance
-
-    // get a token
-    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
-      method: 'PUT',
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
-    });
-
-    // get role name
-    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
-      json: false,
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    // get temp credentials
-    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
-      headers: { 'X-aws-ec2-metadata-token': token }
-    });
-
-    return makeMongoCredentialsFromAWSTemp(creds);
-  }
+  return makeMongoCredentialsFromAWSTemp(temporaryCredentials);
 }
 
 function deriveRegion(host: string) {

package/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts

@@ -24,6 +24,6 @@ export class AwsServiceWorkflow extends ServiceWorkflow {
     if (!tokenFile) {
       throw new MongoAWSError(TOKEN_MISSING_ERROR);
     }
-    return fs.promises.readFile(tokenFile, 'utf8');
+    return await fs.promises.readFile(tokenFile, 'utf8');
   }
 }

package/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts

@@ -87,8 +87,9 @@ function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) {
   let lock: Promise<any> = Promise.resolve();
   return async (info: IdPServerInfo, context: OIDCCallbackContext): Promise<IdPServerResponse> => {
     await lock;
+    // eslint-disable-next-line github/no-then
     lock = lock.then(() => callback(info, context));
-    return lock;
+    return await lock;
   };
 }
 

package/src/cmap/auth/mongodb_oidc/service_workflow.ts

@@ -18,7 +18,7 @@ export abstract class ServiceWorkflow implements Workflow {
   async execute(connection: Connection, credentials: MongoCredentials): Promise<Document> {
     const token = await this.getToken(credentials);
     const command = commandDocument(token);
-    return connection.command(ns(credentials.source), command, undefined);
+    return await connection.command(ns(credentials.source), command, undefined);
   }
 
   /**

package/src/cmap/auth/scram.ts

@@ -51,13 +51,13 @@ class ScramSHA extends AuthProvider {
   override async auth(authContext: AuthContext) {
     const { reauthenticating, response } = authContext;
     if (response?.speculativeAuthenticate && !reauthenticating) {
-      return continueScramConversation(
+      return await continueScramConversation(
         this.cryptoMethod,
         response.speculativeAuthenticate,
         authContext
       );
     }
-    return executeScram(this.cryptoMethod, authContext);
+    return await executeScram(this.cryptoMethod, authContext);
   }
 }
 

package/src/cmap/commands.ts

@@ -37,7 +37,6 @@ export type WriteProtocolMessageType = OpQueryRequest | OpMsgRequest;
 export interface OpQueryOptions extends CommandOptions {
   socketTimeoutMS?: number;
   session?: ClientSession;
-  documentsReturnedIn?: string;
   numberToSkip?: number;
   numberToReturn?: number;
   returnFieldSelector?: Document;
@@ -53,9 +52,6 @@ export interface OpQueryOptions extends CommandOptions {
   exhaustAllowed?: boolean;
 }
 
-/**************************************************************
- * QUERY
- **************************************************************/
 /** @internal */
 export class OpQueryRequest {
   ns: string;
@@ -284,16 +280,11 @@ export interface MessageHeader {
 }
 
 /** @internal */
-export interface OpResponseOptions extends BSONSerializeOptions {
-  documentsReturnedIn?: string | null;
-}
-
-/** @internal */
-export class OpQueryResponse {
+export class OpReply {
   parsed: boolean;
   raw: Buffer;
   data: Buffer;
-  opts: OpResponseOptions;
+  opts: BSONSerializeOptions;
   length: number;
   requestId: number;
   responseTo: number;
@@ -303,7 +294,6 @@ export class OpQueryResponse {
   cursorId?: Long;
   startingFrom?: number;
   numberReturned?: number;
-  documents: (Document | Buffer)[] = new Array(0);
   cursorNotFound?: boolean;
   queryFailure?: boolean;
   shardConfigStale?: boolean;
@@ -313,7 +303,8 @@ export class OpQueryResponse {
   promoteValues: boolean;
   promoteBuffers: boolean;
   bsonRegExp?: boolean;
-  index?: number;
+  index = 0;
+  sections: Uint8Array[] = [];
 
   /** moreToCome is an OP_MSG only concept */
   moreToCome = false;
@@ -322,7 +313,7 @@ export class OpQueryResponse {
     message: Buffer,
     msgHeader: MessageHeader,
     msgBody: Buffer,
-    opts?: OpResponseOptions
+    opts?: BSONSerializeOptions
   ) {
     this.parsed = false;
     this.raw = message;
@@ -356,29 +347,9 @@ export class OpQueryResponse {
     return this.parsed;
   }
 
-  parse(options: OpResponseOptions): void {
+  parse(): Uint8Array {
     // Don't parse again if not needed
-    if (this.parsed) return;
-    options = options ?? {};
-
-    // Allow the return of raw documents instead of parsing
-    const raw = options.raw || false;
-    const documentsReturnedIn = options.documentsReturnedIn || null;
-    const useBigInt64 = options.useBigInt64 ?? this.opts.useBigInt64;
-    const promoteLongs = options.promoteLongs ?? this.opts.promoteLongs;
-    const promoteValues = options.promoteValues ?? this.opts.promoteValues;
-    const promoteBuffers = options.promoteBuffers ?? this.opts.promoteBuffers;
-    const bsonRegExp = options.bsonRegExp ?? this.opts.bsonRegExp;
-    let bsonSize;
-
-    // Set up the options
-    const _options: BSONSerializeOptions = {
-      useBigInt64,
-      promoteLongs,
-      promoteValues,
-      promoteBuffers,
-      bsonRegExp
-    };
+    if (this.parsed) return this.sections[0];
 
     // Position within OP_REPLY at which documents start
     // (See https://www.mongodb.com/docs/manual/reference/mongodb-wire-protocol/#wire-op-reply)
@@ -390,8 +361,11 @@ export class OpQueryResponse {
     this.startingFrom = this.data.readInt32LE(12);
     this.numberReturned = this.data.readInt32LE(16);
 
-    // Preallocate document array
-    this.documents = new Array(this.numberReturned);
+    if (this.numberReturned < 0 || this.numberReturned > 2 ** 32 - 1) {
+      throw new RangeError(
+        `OP_REPLY numberReturned is an invalid array length ${this.numberReturned}`
+      );
+    }
 
     this.cursorNotFound = (this.responseFlags & CURSOR_NOT_FOUND) !== 0;
     this.queryFailure = (this.responseFlags & QUERY_FAILURE) !== 0;
@@ -400,67 +374,26 @@ export class OpQueryResponse {
 
     // Parse Body
     for (let i = 0; i < this.numberReturned; i++) {
-      bsonSize =
+      const bsonSize =
         this.data[this.index] |
         (this.data[this.index + 1] << 8) |
         (this.data[this.index + 2] << 16) |
         (this.data[this.index + 3] << 24);
 
-      // If we have raw results specified slice the return document
-      if (raw) {
-        this.documents[i] = this.data.slice(this.index, this.index + bsonSize);
-      } else {
-        this.documents[i] = BSON.deserialize(
-          this.data.slice(this.index, this.index + bsonSize),
-          _options
-        );
-      }
+      const section = this.data.subarray(this.index, this.index + bsonSize);
+      this.sections.push(section);
 
       // Adjust the index
       this.index = this.index + bsonSize;
     }
 
-    if (this.documents.length === 1 && documentsReturnedIn != null && raw) {
-      const fieldsAsRaw: Document = {};
-      fieldsAsRaw[documentsReturnedIn] = true;
-      _options.fieldsAsRaw = fieldsAsRaw;
-
-      const doc = BSON.deserialize(this.documents[0] as Buffer, _options);
-      this.documents = [doc];
-    }
-
     // Set parsed
     this.parsed = true;
+
+    return this.sections[0];
   }
 }
 
-// Implementation of OP_MSG spec:
-// https://github.com/mongodb/specifications/blob/master/source/message/OP_MSG.rst
-//
-// struct Section {
-//   uint8 payloadType;
-//   union payload {
-//       document  document; // payloadType == 0
-//       struct sequence { // payloadType == 1
-//           int32      size;
-//           cstring    identifier;
-//           document*  documents;
-//       };
-//   };
-// };
-
-// struct OP_MSG {
-//   struct MsgHeader {
-//       int32  messageLength;
-//       int32  requestID;
-//       int32  responseTo;
-//       int32  opCode = 2013;
-//   };
-//   uint32      flagBits;
-//   Section+    sections;
-//   [uint32     checksum;]
-// };
-
 // Msg Flags
 const OPTS_CHECKSUM_PRESENT = 1;
 const OPTS_MORE_TO_COME = 2;
@@ -587,7 +520,7 @@ export class OpMsgResponse {
   parsed: boolean;
   raw: Buffer;
   data: Buffer;
-  opts: OpResponseOptions;
+  opts: BSONSerializeOptions;
   length: number;
   requestId: number;
   responseTo: number;
@@ -603,14 +536,14 @@ export class OpMsgResponse {
   promoteValues: boolean;
   promoteBuffers: boolean;
   bsonRegExp: boolean;
-  documents: (Document | Buffer)[];
-  index?: number;
+  index = 0;
+  sections: Uint8Array[] = [];
 
   constructor(
     message: Buffer,
     msgHeader: MessageHeader,
     msgBody: Buffer,
-    opts?: OpResponseOptions
+    opts?: BSONSerializeOptions
   ) {
     this.parsed = false;
     this.raw = message;
@@ -642,47 +575,26 @@ export class OpMsgResponse {
     this.promoteBuffers =
       typeof this.opts.promoteBuffers === 'boolean' ? this.opts.promoteBuffers : false;
     this.bsonRegExp = typeof this.opts.bsonRegExp === 'boolean' ? this.opts.bsonRegExp : false;
-
-    this.documents = [];
   }
 
   isParsed(): boolean {
     return this.parsed;
   }
 
-  parse(options: OpResponseOptions): void {
+  parse(): Uint8Array {
     // Don't parse again if not needed
-    if (this.parsed) return;
-    options = options ?? {};
+    if (this.parsed) return this.sections[0];
 
     this.index = 4;
-    // Allow the return of raw documents instead of parsing
-    const raw = options.raw || false;
-    const documentsReturnedIn = options.documentsReturnedIn || null;
-    const useBigInt64 = options.useBigInt64 ?? this.opts.useBigInt64;
-    const promoteLongs = options.promoteLongs ?? this.opts.promoteLongs;
-    const promoteValues = options.promoteValues ?? this.opts.promoteValues;
-    const promoteBuffers = options.promoteBuffers ?? this.opts.promoteBuffers;
-    const bsonRegExp = options.bsonRegExp ?? this.opts.bsonRegExp;
-    const validation = this.parseBsonSerializationOptions(options);
-
-    // Set up the options
-    const bsonOptions: BSONSerializeOptions = {
-      useBigInt64,
-      promoteLongs,
-      promoteValues,
-      promoteBuffers,
-      bsonRegExp,
-      validation
-      // Due to the strictness of the BSON libraries validation option we need this cast
-    } as BSONSerializeOptions & { validation: { utf8: { writeErrors: boolean } } };
 
     while (this.index < this.data.length) {
       const payloadType = this.data.readUInt8(this.index++);
       if (payloadType === 0) {
         const bsonSize = this.data.readUInt32LE(this.index);
-        const bin = this.data.slice(this.index, this.index + bsonSize);
-        this.documents.push(raw ? bin : BSON.deserialize(bin, bsonOptions));
+        const bin = this.data.subarray(this.index, this.index + bsonSize);
+
+        this.sections.push(bin);
+
         this.index += bsonSize;
       } else if (payloadType === 1) {
         // It was decided that no driver makes use of payload type 1
@@ -692,25 +604,9 @@ export class OpMsgResponse {
       }
     }
 
-    if (this.documents.length === 1 && documentsReturnedIn != null && raw) {
-      const fieldsAsRaw: Document = {};
-      fieldsAsRaw[documentsReturnedIn] = true;
-      bsonOptions.fieldsAsRaw = fieldsAsRaw;
-      const doc = BSON.deserialize(this.documents[0] as Buffer, bsonOptions);
-      this.documents = [doc];
-    }
-
     this.parsed = true;
-  }
-
-  parseBsonSerializationOptions({ enableUtf8Validation }: BSONSerializeOptions): {
-    utf8: { writeErrors: false } | false;
-  } {
-    if (enableUtf8Validation === false) {
-      return { utf8: false };
-    }
 
-    return { utf8: { writeErrors: false } };
+    return this.sections[0];
   }
 }
 

package/src/cmap/connect.ts

@@ -103,7 +103,7 @@ export async function performInitialHandshake(
   const handshakeDoc = await prepareHandshakeDocument(authContext);
 
   // @ts-expect-error: TODO(NODE-5141): The options need to be filtered properly, Connection options differ from Command options
-  const handshakeOptions: CommandOptions = { ...options };
+  const handshakeOptions: CommandOptions = { ...options, raw: false };
   if (typeof options.connectTimeoutMS === 'number') {
     // The handshake technically is a monitoring check, so its socket timeout should be connectTimeoutMS
     handshakeOptions.socketTimeoutMS = options.connectTimeoutMS;
@@ -226,13 +226,13 @@ export async function prepareHandshakeDocument(
           `No AuthProvider for ${AuthMechanism.MONGODB_SCRAM_SHA256} defined.`
         );
       }
-      return provider.prepare(handshakeDoc, authContext);
+      return await provider.prepare(handshakeDoc, authContext);
     }
     const provider = authContext.options.authProviders.getOrCreateProvider(credentials.mechanism);
     if (!provider) {
       throw new MongoInvalidArgumentError(`No AuthProvider for ${credentials.mechanism} defined.`);
     }
-    return provider.prepare(handshakeDoc, authContext);
+    return await provider.prepare(handshakeDoc, authContext);
   }
   return handshakeDoc;
 }
@@ -325,7 +325,7 @@ export async function makeSocket(options: MakeConnectionOptions): Promise<Stream
 
   if (options.proxyHost != null) {
     // Currently, only Socks5 is supported.
-    return makeSocks5Connection({
+    return await makeSocks5Connection({
       ...options,
       connectTimeoutMS // Should always be present for Socks5
     });