mongodb 6.6.2 → 6.7.0

package/lib/cmap/auth/mongodb_oidc/token_entry_cache.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"token_entry_cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/token_entry_cache.ts"],"names":[],"mappings":";;;AACA,mCAAoD;AAEpD,+DAA+D;AAC/D,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAElC,gBAAgB;AAChB,MAAa,UAAW,SAAQ,0BAAkB;IAIhD;;OAEG;IACH,YAAY,WAA8B,EAAE,UAAyB,EAAE,UAAkB;QACvF,KAAK,CAAC,UAAU,CAAC,CAAC;QAClB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAZD,gCAYC;AAED;;;GAGG;AACH,MAAa,eAAgB,SAAQ,aAAiB;IACpD;;OAEG;IACH,QAAQ,CACN,OAAe,EACf,QAAgB,EAChB,YAAoB,EACpB,WAA8B,EAC9B,UAAyB;QAEzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAC1B,WAAW,EACX,UAAU,EACV,WAAW,CAAC,gBAAgB,IAAI,uBAAuB,CACxD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;QACxE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QACjE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QAC9D,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE;YACvC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE;gBACpB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;aAC1B;SACF;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QAC9D,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;CACF;AAnDD,0CAmDC"}

package/src/client-side-encryption/providers/utils.ts

@@ -1,37 +0,0 @@
-import * as http from 'http';
-import { clearTimeout, setTimeout } from 'timers';
-
-import { MongoCryptKMSRequestNetworkTimeoutError } from '../errors';
-
-/**
- * @internal
- */
-export function get(
-  url: URL | string,
-  options: http.RequestOptions = {}
-): Promise<{ body: string; status: number | undefined }> {
-  return new Promise((resolve, reject) => {
-    /* eslint-disable prefer-const */
-    let timeoutId: NodeJS.Timeout;
-    const request = http
-      .get(url, options, response => {
-        response.setEncoding('utf8');
-        let body = '';
-        response.on('data', chunk => (body += chunk));
-        response.on('end', () => {
-          clearTimeout(timeoutId);
-          resolve({ status: response.statusCode, body });
-        });
-      })
-      .on('error', error => {
-        clearTimeout(timeoutId);
-        reject(error);
-      })
-      .end();
-    timeoutId = setTimeout(() => {
-      request.destroy(
-        new MongoCryptKMSRequestNetworkTimeoutError(`request timed out after 10 seconds`)
-      );
-    }, 10000);
-  });
-}

package/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts

@@ -1,29 +0,0 @@
-import * as fs from 'fs';
-
-import { MongoAWSError } from '../../../error';
-import { ServiceWorkflow } from './service_workflow';
-
-/** Error for when the token is missing in the environment. */
-const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.';
-
-/**
- * Device workflow implementation for AWS.
- *
- * @internal
- */
-export class AwsServiceWorkflow extends ServiceWorkflow {
-  constructor() {
-    super();
-  }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(): Promise<string> {
-    const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
-    if (!tokenFile) {
-      throw new MongoAWSError(TOKEN_MISSING_ERROR);
-    }
-    return await fs.promises.readFile(tokenFile, 'utf8');
-  }
-}

package/src/cmap/auth/mongodb_oidc/azure_service_workflow.ts

@@ -1,86 +0,0 @@
-import { MongoAzureError } from '../../../error';
-import { request } from '../../../utils';
-import type { MongoCredentials } from '../mongo_credentials';
-import { AzureTokenCache } from './azure_token_cache';
-import { ServiceWorkflow } from './service_workflow';
-
-/** Base URL for getting Azure tokens. */
-const AZURE_BASE_URL =
-  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01';
-
-/** Azure request headers. */
-const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
-
-/** Invalid endpoint result error. */
-const ENDPOINT_RESULT_ERROR =
-  'Azure endpoint did not return a value with only access_token and expires_in properties';
-
-/** Error for when the token audience is missing in the environment. */
-const TOKEN_AUDIENCE_MISSING_ERROR =
-  'TOKEN_AUDIENCE must be set in the auth mechanism properties when PROVIDER_NAME is azure.';
-
-/**
- * The Azure access token format.
- * @internal
- */
-export interface AzureAccessToken {
-  access_token: string;
-  expires_in: number;
-}
-
-/**
- * Device workflow implementation for Azure.
- *
- * @internal
- */
-export class AzureServiceWorkflow extends ServiceWorkflow {
-  cache = new AzureTokenCache();
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(credentials?: MongoCredentials): Promise<string> {
-    const tokenAudience = credentials?.mechanismProperties.TOKEN_AUDIENCE;
-    if (!tokenAudience) {
-      throw new MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR);
-    }
-    let token;
-    const entry = this.cache.getEntry(tokenAudience);
-    if (entry?.isValid()) {
-      token = entry.token;
-    } else {
-      this.cache.deleteEntry(tokenAudience);
-      const response = await getAzureTokenData(tokenAudience);
-      if (!isEndpointResultValid(response)) {
-        throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
-      }
-      this.cache.addEntry(tokenAudience, response);
-      token = response.access_token;
-    }
-    return token;
-  }
-}
-
-/**
- * Hit the Azure endpoint to get the token data.
- */
-async function getAzureTokenData(tokenAudience: string): Promise<AzureAccessToken> {
-  const url = `${AZURE_BASE_URL}&resource=${tokenAudience}`;
-  const data = await request(url, {
-    json: true,
-    headers: AZURE_HEADERS
-  });
-  return data as AzureAccessToken;
-}
-
-/**
- * Determines if a result returned from the endpoint is valid.
- * This means the result is not nullish, contains the access_token required field
- * and the expires_in required field.
- */
-function isEndpointResultValid(
-  token: unknown
-): token is { access_token: unknown; expires_in: unknown } {
-  if (token == null || typeof token !== 'object') return false;
-  return 'access_token' in token && 'expires_in' in token;
-}

package/src/cmap/auth/mongodb_oidc/azure_token_cache.ts

@@ -1,51 +0,0 @@
-import type { AzureAccessToken } from './azure_service_workflow';
-import { Cache, ExpiringCacheEntry } from './cache';
-
-/** @internal */
-export class AzureTokenEntry extends ExpiringCacheEntry {
-  token: string;
-
-  /**
-   * Instantiate the entry.
-   */
-  constructor(token: string, expiration: number) {
-    super(expiration);
-    this.token = token;
-  }
-}
-
-/**
- * A cache of access tokens from Azure.
- * @internal
- */
-export class AzureTokenCache extends Cache<AzureTokenEntry> {
-  /**
-   * Add an entry to the cache.
-   */
-  addEntry(tokenAudience: string, token: AzureAccessToken): AzureTokenEntry {
-    const entry = new AzureTokenEntry(token.access_token, token.expires_in);
-    this.entries.set(tokenAudience, entry);
-    return entry;
-  }
-
-  /**
-   * Create a cache key.
-   */
-  cacheKey(tokenAudience: string): string {
-    return tokenAudience;
-  }
-
-  /**
-   * Delete an entry from the cache.
-   */
-  deleteEntry(tokenAudience: string): void {
-    this.entries.delete(tokenAudience);
-  }
-
-  /**
-   * Get an Azure token entry from the cache.
-   */
-  getEntry(tokenAudience: string): AzureTokenEntry | undefined {
-    return this.entries.get(tokenAudience);
-  }
-}

package/src/cmap/auth/mongodb_oidc/cache.ts

@@ -1,63 +0,0 @@
-/* 5 minutes in milliseconds */
-const EXPIRATION_BUFFER_MS = 300000;
-
-/**
- * An entry in a cache that can expire in a certain amount of time.
- */
-export abstract class ExpiringCacheEntry {
-  expiration: number;
-
-  /**
-   * Create a new expiring token entry.
-   */
-  constructor(expiration: number) {
-    this.expiration = this.expirationTime(expiration);
-  }
-  /**
-   * The entry is still valid if the expiration is more than
-   * 5 minutes from the expiration time.
-   */
-  isValid() {
-    return this.expiration - Date.now() > EXPIRATION_BUFFER_MS;
-  }
-
-  /**
-   * Get an expiration time in milliseconds past epoch.
-   */
-  private expirationTime(expiresInSeconds: number): number {
-    return Date.now() + expiresInSeconds * 1000;
-  }
-}
-
-/**
- * Base class for OIDC caches.
- */
-export abstract class Cache<T> {
-  entries: Map<string, T>;
-
-  /**
-   * Create a new cache.
-   */
-  constructor() {
-    this.entries = new Map<string, T>();
-  }
-
-  /**
-   * Clear the cache.
-   */
-  clear() {
-    this.entries.clear();
-  }
-
-  /**
-   * Implement the cache key for the token.
-   */
-  abstract cacheKey(address: string, username: string, callbackHash: string): string;
-
-  /**
-   * Create a cache key from the address and username.
-   */
-  hashedCacheKey(address: string, username: string, callbackHash: string): string {
-    return JSON.stringify([address, username, callbackHash]);
-  }
-}

package/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts

@@ -1,115 +0,0 @@
-import { MongoInvalidArgumentError } from '../../../error';
-import type { Connection } from '../../connection';
-import type { MongoCredentials } from '../mongo_credentials';
-import type {
-  IdPServerInfo,
-  IdPServerResponse,
-  OIDCCallbackContext,
-  OIDCRefreshFunction,
-  OIDCRequestFunction
-} from '../mongodb_oidc';
-import { Cache } from './cache';
-
-/** Error message for when request callback is missing. */
-const REQUEST_CALLBACK_REQUIRED_ERROR =
-  'Auth mechanism property REQUEST_TOKEN_CALLBACK is required.';
-/* Counter for function "hashes".*/
-let FN_HASH_COUNTER = 0;
-/* No function present function */
-const NO_FUNCTION: OIDCRequestFunction = async () => ({ accessToken: 'test' });
-/* The map of function hashes */
-const FN_HASHES = new WeakMap<OIDCRequestFunction | OIDCRefreshFunction, number>();
-/* Put the no function hash in the map. */
-FN_HASHES.set(NO_FUNCTION, FN_HASH_COUNTER);
-
-/**
- * An entry of callbacks in the cache.
- */
-interface CallbacksEntry {
-  requestCallback: OIDCRequestFunction;
-  refreshCallback?: OIDCRefreshFunction;
-  callbackHash: string;
-}
-
-/**
- * A cache of request and refresh callbacks per server/user.
- */
-export class CallbackLockCache extends Cache<CallbacksEntry> {
-  /**
-   * Get the callbacks for the connection and credentials. If an entry does not
-   * exist a new one will get set.
-   */
-  getEntry(connection: Connection, credentials: MongoCredentials): CallbacksEntry {
-    const requestCallback = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
-    const refreshCallback = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
-    if (!requestCallback) {
-      throw new MongoInvalidArgumentError(REQUEST_CALLBACK_REQUIRED_ERROR);
-    }
-    const callbackHash = hashFunctions(requestCallback, refreshCallback);
-    const key = this.cacheKey(connection.address, credentials.username, callbackHash);
-    const entry = this.entries.get(key);
-    if (entry) {
-      return entry;
-    }
-    return this.addEntry(key, callbackHash, requestCallback, refreshCallback);
-  }
-
-  /**
-   * Set locked callbacks on for connection and credentials.
-   */
-  private addEntry(
-    key: string,
-    callbackHash: string,
-    requestCallback: OIDCRequestFunction,
-    refreshCallback?: OIDCRefreshFunction
-  ): CallbacksEntry {
-    const entry = {
-      requestCallback: withLock(requestCallback),
-      refreshCallback: refreshCallback ? withLock(refreshCallback) : undefined,
-      callbackHash: callbackHash
-    };
-    this.entries.set(key, entry);
-    return entry;
-  }
-
-  /**
-   * Create a cache key from the address and username.
-   */
-  cacheKey(address: string, username: string, callbackHash: string): string {
-    return this.hashedCacheKey(address, username, callbackHash);
-  }
-}
-
-/**
- * Ensure the callback is only executed one at a time.
- */
-function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) {
-  let lock: Promise<any> = Promise.resolve();
-  return async (info: IdPServerInfo, context: OIDCCallbackContext): Promise<IdPServerResponse> => {
-    await lock;
-    // eslint-disable-next-line github/no-then
-    lock = lock.then(() => callback(info, context));
-    return await lock;
-  };
-}
-
-/**
- * Get the hash string for the request and refresh functions.
- */
-function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string {
-  let requestHash = FN_HASHES.get(requestFn);
-  let refreshHash = FN_HASHES.get(refreshFn ?? NO_FUNCTION);
-  if (requestHash == null) {
-    // Create a new one for the function and put it in the map.
-    FN_HASH_COUNTER++;
-    requestHash = FN_HASH_COUNTER;
-    FN_HASHES.set(requestFn, FN_HASH_COUNTER);
-  }
-  if (refreshHash == null && refreshFn) {
-    // Create a new one for the function and put it in the map.
-    FN_HASH_COUNTER++;
-    refreshHash = FN_HASH_COUNTER;
-    FN_HASHES.set(refreshFn, FN_HASH_COUNTER);
-  }
-  return `${requestHash}-${refreshHash}`;
-}

package/src/cmap/auth/mongodb_oidc/service_workflow.ts

@@ -1,49 +0,0 @@
-import { BSON, type Document } from 'bson';
-
-import { ns } from '../../../utils';
-import type { Connection } from '../../connection';
-import type { MongoCredentials } from '../mongo_credentials';
-import type { Workflow } from '../mongodb_oidc';
-import { AuthMechanism } from '../providers';
-
-/**
- * Common behaviour for OIDC device workflows.
- * @internal
- */
-export abstract class ServiceWorkflow implements Workflow {
-  /**
-   * Execute the workflow. Looks for AWS_WEB_IDENTITY_TOKEN_FILE in the environment
-   * and then attempts to read the token from that path.
-   */
-  async execute(connection: Connection, credentials: MongoCredentials): Promise<Document> {
-    const token = await this.getToken(credentials);
-    const command = commandDocument(token);
-    return await connection.command(ns(credentials.source), command, undefined);
-  }
-
-  /**
-   * Get the document to add for speculative authentication.
-   */
-  async speculativeAuth(credentials: MongoCredentials): Promise<Document> {
-    const token = await this.getToken(credentials);
-    const document = commandDocument(token);
-    document.db = credentials.source;
-    return { speculativeAuthenticate: document };
-  }
-
-  /**
-   * Get the token from the environment or endpoint.
-   */
-  abstract getToken(credentials: MongoCredentials): Promise<string>;
-}
-
-/**
- * Create the saslStart command document.
- */
-export function commandDocument(token: string): Document {
-  return {
-    saslStart: 1,
-    mechanism: AuthMechanism.MONGODB_OIDC,
-    payload: BSON.serialize({ jwt: token })
-  };
-}

package/src/cmap/auth/mongodb_oidc/token_entry_cache.ts

@@ -1,77 +0,0 @@
-import type { IdPServerInfo, IdPServerResponse } from '../mongodb_oidc';
-import { Cache, ExpiringCacheEntry } from './cache';
-
-/* Default expiration is now for when no expiration provided */
-const DEFAULT_EXPIRATION_SECS = 0;
-
-/** @internal */
-export class TokenEntry extends ExpiringCacheEntry {
-  tokenResult: IdPServerResponse;
-  serverInfo: IdPServerInfo;
-
-  /**
-   * Instantiate the entry.
-   */
-  constructor(tokenResult: IdPServerResponse, serverInfo: IdPServerInfo, expiration: number) {
-    super(expiration);
-    this.tokenResult = tokenResult;
-    this.serverInfo = serverInfo;
-  }
-}
-
-/**
- * Cache of OIDC token entries.
- * @internal
- */
-export class TokenEntryCache extends Cache<TokenEntry> {
-  /**
-   * Set an entry in the token cache.
-   */
-  addEntry(
-    address: string,
-    username: string,
-    callbackHash: string,
-    tokenResult: IdPServerResponse,
-    serverInfo: IdPServerInfo
-  ): TokenEntry {
-    const entry = new TokenEntry(
-      tokenResult,
-      serverInfo,
-      tokenResult.expiresInSeconds ?? DEFAULT_EXPIRATION_SECS
-    );
-    this.entries.set(this.cacheKey(address, username, callbackHash), entry);
-    return entry;
-  }
-
-  /**
-   * Delete an entry from the cache.
-   */
-  deleteEntry(address: string, username: string, callbackHash: string): void {
-    this.entries.delete(this.cacheKey(address, username, callbackHash));
-  }
-
-  /**
-   * Get an entry from the cache.
-   */
-  getEntry(address: string, username: string, callbackHash: string): TokenEntry | undefined {
-    return this.entries.get(this.cacheKey(address, username, callbackHash));
-  }
-
-  /**
-   * Delete all expired entries from the cache.
-   */
-  deleteExpiredEntries(): void {
-    for (const [key, entry] of this.entries) {
-      if (!entry.isValid()) {
-        this.entries.delete(key);
-      }
-    }
-  }
-
-  /**
-   * Create a cache key from the address and username.
-   */
-  cacheKey(address: string, username: string, callbackHash: string): string {
-    return this.hashedCacheKey(address, username, callbackHash);
-  }
-}