mongodb 6.6.2-dev.20240529.sha.d3031a5 → 6.7.0-dev.20240530.sha.f56938f

package/src/client-side-encryption/providers/azure.ts

@@ -1,9 +1,12 @@
 import { type Document } from '../../bson';
-import { MongoCryptAzureKMSRequestError, MongoCryptKMSRequestNetworkTimeoutError } from '../errors';
+import { MongoNetworkTimeoutError } from '../../error';
+import { get } from '../../utils';
+import { MongoCryptAzureKMSRequestError } from '../errors';
 import { type KMSProviders } from './index';
-import { get } from './utils';
 
 const MINIMUM_TOKEN_REFRESH_IN_MILLISECONDS = 6000;
+/** Base URL for getting Azure tokens. */
+export const AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?';
 
 /**
  * The access token that libmongocrypt expects for Azure kms.
@@ -113,6 +116,19 @@ export interface AzureKMSRequestOptions {
   url?: URL | string;
 }
 
+/**
+ * @internal
+ * Get the Azure endpoint URL.
+ */
+export function addAzureParams(url: URL, resource: string, username?: string): URL {
+  url.searchParams.append('api-version', '2018-02-01');
+  url.searchParams.append('resource', resource);
+  if (username) {
+    url.searchParams.append('client_id', username);
+  }
+  return url;
+}
+
 /**
  * @internal
  *
@@ -123,13 +139,8 @@ export function prepareRequest(options: AzureKMSRequestOptions): {
   headers: Document;
   url: URL;
 } {
-  const url = new URL(
-    options.url?.toString() ?? 'http://169.254.169.254/metadata/identity/oauth2/token'
-  );
-
-  url.searchParams.append('api-version', '2018-02-01');
-  url.searchParams.append('resource', 'https://vault.azure.net');
-
+  const url = new URL(options.url?.toString() ?? AZURE_BASE_URL);
+  addAzureParams(url, 'https://vault.azure.net');
   const headers = { ...options.headers, 'Content-Type': 'application/json', Metadata: true };
   return { headers, url };
 }
@@ -152,7 +163,7 @@ export async function fetchAzureKMSToken(
     const response = await get(url, { headers });
     return await parseResponse(response);
   } catch (error) {
-    if (error instanceof MongoCryptKMSRequestNetworkTimeoutError) {
+    if (error instanceof MongoNetworkTimeoutError) {
       throw new MongoCryptAzureKMSRequestError(`[Azure KMS] ${error.message}`);
     }
     throw error;

package/src/cmap/auth/mongo_credentials.ts

@@ -3,12 +3,11 @@
 import type { Document } from '../../bson';
 import {
   MongoAPIError,
-  MongoAzureError,
   MongoInvalidArgumentError,
   MongoMissingCredentialsError
 } from '../../error';
 import { GSSAPICanonicalizationValue } from './gssapi';
-import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc';
+import type { OIDCCallbackFunction } from './mongodb_oidc';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers';
 
 // https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst
@@ -32,12 +31,17 @@ function getDefaultAuthMechanism(hello: Document | null): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
-const ALLOWED_PROVIDER_NAMES: AuthMechanismProperties['PROVIDER_NAME'][] = ['aws', 'azure'];
+const ALLOWED_ENVIRONMENT_NAMES: AuthMechanismProperties['ENVIRONMENT'][] = [
+  'test',
+  'azure',
+  'gcp'
+];
 const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
 
 /** @internal */
 export const DEFAULT_ALLOWED_HOSTS = [
   '*.mongodb.net',
+  '*.mongodb-qa.net',
   '*.mongodb-dev.net',
   '*.mongodbgov.net',
   'localhost',
@@ -46,8 +50,8 @@ export const DEFAULT_ALLOWED_HOSTS = [
 ];
 
 /** Error for when the token audience is missing in the environment. */
-const TOKEN_AUDIENCE_MISSING_ERROR =
-  'TOKEN_AUDIENCE must be set in the auth mechanism properties when PROVIDER_NAME is azure.';
+const TOKEN_RESOURCE_MISSING_ERROR =
+  'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure or gcp.';
 
 /** @public */
 export interface AuthMechanismProperties extends Document {
@@ -56,16 +60,16 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
   AWS_SESSION_TOKEN?: string;
-  /** @experimental */
-  REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
-  /** @experimental */
-  REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
-  /** @experimental */
-  PROVIDER_NAME?: 'aws' | 'azure';
-  /** @experimental */
+  /** A user provided OIDC machine callback function. */
+  OIDC_CALLBACK?: OIDCCallbackFunction;
+  /** A user provided OIDC human interacted callback function. */
+  OIDC_HUMAN_CALLBACK?: OIDCCallbackFunction;
+  /** The OIDC environment. Note that 'test' is for internal use only. */
+  ENVIRONMENT?: 'test' | 'azure' | 'gcp';
+  /** Allowed hosts that OIDC auth can connect to. */
   ALLOWED_HOSTS?: string[];
-  /** @experimental */
-  TOKEN_AUDIENCE?: string;
+  /** The resource token for OIDC auth in Azure and GCP. */
+  TOKEN_RESOURCE?: string;
 }
 
 /** @public */
@@ -179,45 +183,48 @@ export class MongoCredentials {
     }
 
     if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
-      if (this.username && this.mechanismProperties.PROVIDER_NAME) {
+      if (
+        this.username &&
+        this.mechanismProperties.ENVIRONMENT &&
+        this.mechanismProperties.ENVIRONMENT !== 'azure'
+      ) {
         throw new MongoInvalidArgumentError(
-          `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
+          `username and ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' may not be used together for mechanism '${this.mechanism}'.`
         );
       }
 
-      if (
-        this.mechanismProperties.PROVIDER_NAME === 'azure' &&
-        !this.mechanismProperties.TOKEN_AUDIENCE
-      ) {
-        throw new MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR);
+      if (this.username && this.password) {
+        throw new MongoInvalidArgumentError(
+          `No password is allowed in ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' for '${this.mechanism}'.`
+        );
       }
 
       if (
-        this.mechanismProperties.PROVIDER_NAME &&
-        !ALLOWED_PROVIDER_NAMES.includes(this.mechanismProperties.PROVIDER_NAME)
+        (this.mechanismProperties.ENVIRONMENT === 'azure' ||
+          this.mechanismProperties.ENVIRONMENT === 'gcp') &&
+        !this.mechanismProperties.TOKEN_RESOURCE
       ) {
-        throw new MongoInvalidArgumentError(
-          `Currently only a PROVIDER_NAME in ${ALLOWED_PROVIDER_NAMES.join(
-            ','
-          )} is supported for mechanism '${this.mechanism}'.`
-        );
+        throw new MongoInvalidArgumentError(TOKEN_RESOURCE_MISSING_ERROR);
       }
 
       if (
-        this.mechanismProperties.REFRESH_TOKEN_CALLBACK &&
-        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+        this.mechanismProperties.ENVIRONMENT &&
+        !ALLOWED_ENVIRONMENT_NAMES.includes(this.mechanismProperties.ENVIRONMENT)
       ) {
         throw new MongoInvalidArgumentError(
-          `A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'`
+          `Currently only a ENVIRONMENT in ${ALLOWED_ENVIRONMENT_NAMES.join(
+            ','
+          )} is supported for mechanism '${this.mechanism}'.`
         );
       }
 
       if (
-        !this.mechanismProperties.PROVIDER_NAME &&
-        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+        !this.mechanismProperties.ENVIRONMENT &&
+        !this.mechanismProperties.OIDC_CALLBACK &&
+        !this.mechanismProperties.OIDC_HUMAN_CALLBACK
       ) {
         throw new MongoInvalidArgumentError(
-          `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+          `Either a ENVIRONMENT, OIDC_CALLBACK, or OIDC_HUMAN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
 

package/src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts

@@ -0,0 +1,82 @@
+import { MONGODB_ERROR_CODES, MongoError, MongoOIDCError } from '../../../error';
+import { Timeout, TimeoutError } from '../../../timeout';
+import { type Connection } from '../../connection';
+import { type MongoCredentials } from '../mongo_credentials';
+import {
+  OIDC_VERSION,
+  type OIDCCallbackFunction,
+  type OIDCCallbackParams,
+  type OIDCResponse
+} from '../mongodb_oidc';
+import { AUTOMATED_TIMEOUT_MS, CallbackWorkflow } from './callback_workflow';
+import { type TokenCache } from './token_cache';
+
+/**
+ * Class implementing behaviour for the non human callback workflow.
+ * @internal
+ */
+export class AutomatedCallbackWorkflow extends CallbackWorkflow {
+  /**
+   * Instantiate the human callback workflow.
+   */
+  constructor(cache: TokenCache, callback: OIDCCallbackFunction) {
+    super(cache, callback);
+  }
+
+  /**
+   * Execute the OIDC callback workflow.
+   */
+  async execute(connection: Connection, credentials: MongoCredentials): Promise<void> {
+    // If there is a cached access token, try to authenticate with it. If
+    // authentication fails with an Authentication error (18),
+    // invalidate the access token, fetch a new access token, and try
+    // to authenticate again.
+    // If the server fails for any other reason, do not clear the cache.
+    if (this.cache.hasAccessToken) {
+      const token = this.cache.getAccessToken();
+      try {
+        return await this.finishAuthentication(connection, credentials, token);
+      } catch (error) {
+        if (
+          error instanceof MongoError &&
+          error.code === MONGODB_ERROR_CODES.AuthenticationFailed
+        ) {
+          this.cache.removeAccessToken();
+          return await this.execute(connection, credentials);
+        } else {
+          throw error;
+        }
+      }
+    }
+    const response = await this.fetchAccessToken(credentials);
+    this.cache.put(response);
+    connection.accessToken = response.accessToken;
+    await this.finishAuthentication(connection, credentials, response.accessToken);
+  }
+
+  /**
+   * Fetches the access token using the callback.
+   */
+  protected async fetchAccessToken(credentials: MongoCredentials): Promise<OIDCResponse> {
+    const controller = new AbortController();
+    const params: OIDCCallbackParams = {
+      timeoutContext: controller.signal,
+      version: OIDC_VERSION
+    };
+    if (credentials.username) {
+      params.username = credentials.username;
+    }
+    const timeout = Timeout.expires(AUTOMATED_TIMEOUT_MS);
+    try {
+      return await Promise.race([this.executeAndValidateCallback(params), timeout]);
+    } catch (error) {
+      if (TimeoutError.is(error)) {
+        controller.abort();
+        throw new MongoOIDCError(`OIDC callback timed out after ${AUTOMATED_TIMEOUT_MS}ms.`);
+      }
+      throw error;
+    } finally {
+      timeout.clear();
+    }
+  }
+}

package/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts

@@ -0,0 +1,85 @@
+import { addAzureParams, AZURE_BASE_URL } from '../../../client-side-encryption/providers/azure';
+import { MongoAzureError } from '../../../error';
+import { get } from '../../../utils';
+import type { MongoCredentials } from '../mongo_credentials';
+import { type AccessToken, MachineWorkflow } from './machine_workflow';
+import { type TokenCache } from './token_cache';
+
+/** Azure request headers. */
+const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
+
+/** Invalid endpoint result error. */
+const ENDPOINT_RESULT_ERROR =
+  'Azure endpoint did not return a value with only access_token and expires_in properties';
+
+/** Error for when the token audience is missing in the environment. */
+const TOKEN_RESOURCE_MISSING_ERROR =
+  'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
+
+/**
+ * Device workflow implementation for Azure.
+ *
+ * @internal
+ */
+export class AzureMachineWorkflow extends MachineWorkflow {
+  /**
+   * Instantiate the machine workflow.
+   */
+  constructor(cache: TokenCache) {
+    super(cache);
+  }
+
+  /**
+   * Get the token from the environment.
+   */
+  async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
+    const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
+    const username = credentials?.username;
+    if (!tokenAudience) {
+      throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
+    }
+    const response = await getAzureTokenData(tokenAudience, username);
+    if (!isEndpointResultValid(response)) {
+      throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
+    }
+    return response;
+  }
+}
+
+/**
+ * Hit the Azure endpoint to get the token data.
+ */
+async function getAzureTokenData(tokenAudience: string, username?: string): Promise<AccessToken> {
+  const url = new URL(AZURE_BASE_URL);
+  addAzureParams(url, tokenAudience, username);
+  const response = await get(url, {
+    headers: AZURE_HEADERS
+  });
+  if (response.status !== 200) {
+    throw new MongoAzureError(
+      `Status code ${response.status} returned from the Azure endpoint. Response body: ${response.body}`
+    );
+  }
+  const result = JSON.parse(response.body);
+  return {
+    access_token: result.access_token,
+    expires_in: Number(result.expires_in)
+  };
+}
+
+/**
+ * Determines if a result returned from the endpoint is valid.
+ * This means the result is not nullish, contains the access_token required field
+ * and the expires_in required field.
+ */
+function isEndpointResultValid(
+  token: unknown
+): token is { access_token: unknown; expires_in: unknown } {
+  if (token == null || typeof token !== 'object') return false;
+  return (
+    'access_token' in token &&
+    typeof token.access_token === 'string' &&
+    'expires_in' in token &&
+    typeof token.expires_in === 'number'
+  );
+}