oxygen-cli 1.40.2-beta.1 → 1.41.0

package/transpiled/mongodb/lib/cmap/auth/mongodb_aws.js

@@ -1,181 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.MongoDBAWS = void 0;
-
-const BSON = require("../../bson");
-
-const deps_1 = require("../../deps");
-
-const error_1 = require("../../error");
-
-const utils_1 = require("../../utils");
-
-const auth_provider_1 = require("./auth_provider");
-
-const aws_temporary_credentials_1 = require("./aws_temporary_credentials");
-
-const mongo_credentials_1 = require("./mongo_credentials");
-
-const providers_1 = require("./providers");
-
-const ASCII_N = 110;
-const bsonOptions = {
-  useBigInt64: false,
-  promoteLongs: true,
-  promoteValues: true,
-  promoteBuffers: false,
-  bsonRegExp: false
-};
-
-class MongoDBAWS extends auth_provider_1.AuthProvider {
-  constructor(credentialProvider) {
-    super();
-    this.credentialProvider = credentialProvider;
-    this.credentialFetcher = aws_temporary_credentials_1.AWSTemporaryCredentialProvider.isAWSSDKInstalled ? new aws_temporary_credentials_1.AWSSDKCredentialProvider(credentialProvider) : new aws_temporary_credentials_1.LegacyAWSTemporaryCredentialProvider();
-  }
-
-  async auth(authContext) {
-    const {
-      connection
-    } = authContext;
-
-    if (!authContext.credentials) {
-      throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
-    }
-
-    if ('kModuleError' in deps_1.aws4) {
-      throw deps_1.aws4['kModuleError'];
-    }
-
-    const {
-      sign
-    } = deps_1.aws4;
-
-    if ((0, utils_1.maxWireVersion)(connection) < 9) {
-      throw new error_1.MongoCompatibilityError('MONGODB-AWS authentication requires MongoDB version 4.4 or later');
-    }
-
-    if (!authContext.credentials.username) {
-      authContext.credentials = await makeTempCredentials(authContext.credentials, this.credentialFetcher);
-    }
-
-    const {
-      credentials
-    } = authContext;
-    const accessKeyId = credentials.username;
-    const secretAccessKey = credentials.password; // Allow the user to specify an AWS session token for authentication with temporary credentials.
-
-    const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN; // If all three defined, include sessionToken, else include username and pass, else no credentials
-
-    const awsCredentials = accessKeyId && secretAccessKey && sessionToken ? {
-      accessKeyId,
-      secretAccessKey,
-      sessionToken
-    } : accessKeyId && secretAccessKey ? {
-      accessKeyId,
-      secretAccessKey
-    } : undefined;
-    const db = credentials.source;
-    const nonce = await (0, utils_1.randomBytes)(32); // All messages between MongoDB clients and servers are sent as BSON objects
-    // in the payload field of saslStart and saslContinue.
-
-    const saslStart = {
-      saslStart: 1,
-      mechanism: 'MONGODB-AWS',
-      payload: BSON.serialize({
-        r: nonce,
-        p: ASCII_N
-      }, bsonOptions)
-    };
-    const saslStartResponse = await connection.command((0, utils_1.ns)(`${db}.$cmd`), saslStart, undefined);
-    const serverResponse = BSON.deserialize(saslStartResponse.payload.buffer, bsonOptions);
-    const host = serverResponse.h;
-    const serverNonce = serverResponse.s.buffer;
-
-    if (serverNonce.length !== 64) {
-      // TODO(NODE-3483)
-      throw new error_1.MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`);
-    }
-
-    if (!utils_1.ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
-      // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes
-      // https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#conversation-5
-      // TODO(NODE-3483)
-      throw new error_1.MongoRuntimeError('Server nonce does not begin with client nonce');
-    }
-
-    if (host.length < 1 || host.length > 255 || host.indexOf('..') !== -1) {
-      // TODO(NODE-3483)
-      throw new error_1.MongoRuntimeError(`Server returned an invalid host: "${host}"`);
-    }
-
-    const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = sign({
-      method: 'POST',
-      host,
-      region: deriveRegion(serverResponse.h),
-      service: 'sts',
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded',
-        'Content-Length': body.length,
-        'X-MongoDB-Server-Nonce': utils_1.ByteUtils.toBase64(serverNonce),
-        'X-MongoDB-GS2-CB-Flag': 'n'
-      },
-      path: '/',
-      body
-    }, awsCredentials);
-    const payload = {
-      a: options.headers.Authorization,
-      d: options.headers['X-Amz-Date']
-    };
-
-    if (sessionToken) {
-      payload.t = sessionToken;
-    }
-
-    const saslContinue = {
-      saslContinue: 1,
-      conversationId: saslStartResponse.conversationId,
-      payload: BSON.serialize(payload, bsonOptions)
-    };
-    await connection.command((0, utils_1.ns)(`${db}.$cmd`), saslContinue, undefined);
-  }
-
-}
-
-exports.MongoDBAWS = MongoDBAWS;
-
-async function makeTempCredentials(credentials, awsCredentialFetcher) {
-  function makeMongoCredentialsFromAWSTemp(creds) {
-    // The AWS session token (creds.Token) may or may not be set.
-    if (!creds.AccessKeyId || !creds.SecretAccessKey) {
-      throw new error_1.MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials');
-    }
-
-    return new mongo_credentials_1.MongoCredentials({
-      username: creds.AccessKeyId,
-      password: creds.SecretAccessKey,
-      source: credentials.source,
-      mechanism: providers_1.AuthMechanism.MONGODB_AWS,
-      mechanismProperties: {
-        AWS_SESSION_TOKEN: creds.Token
-      }
-    });
-  }
-
-  const temporaryCredentials = await awsCredentialFetcher.getCredentials();
-  return makeMongoCredentialsFromAWSTemp(temporaryCredentials);
-}
-
-function deriveRegion(host) {
-  const parts = host.split('.');
-
-  if (parts.length === 1 || parts[1] === 'amazonaws') {
-    return 'us-east-1';
-  }
-
-  return parts[1];
-}

package/transpiled/mongodb/lib/cmap/auth/mongodb_oidc/automated_callback_workflow.js

@@ -1,101 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.AutomatedCallbackWorkflow = void 0;
-
-const error_1 = require("../../../error");
-
-const timeout_1 = require("../../../timeout");
-
-const mongodb_oidc_1 = require("../mongodb_oidc");
-
-const callback_workflow_1 = require("./callback_workflow");
-/**
- * Class implementing behaviour for the non human callback workflow.
- * @internal
- */
-
-
-class AutomatedCallbackWorkflow extends callback_workflow_1.CallbackWorkflow {
-  /**
-   * Instantiate the human callback workflow.
-   */
-  constructor(cache, callback) {
-    super(cache, callback);
-  }
-  /**
-   * Execute the OIDC callback workflow.
-   */
-
-
-  async execute(connection, credentials) {
-    // If there is a cached access token, try to authenticate with it. If
-    // authentication fails with an Authentication error (18),
-    // invalidate the access token, fetch a new access token, and try
-    // to authenticate again.
-    // If the server fails for any other reason, do not clear the cache.
-    if (this.cache.hasAccessToken) {
-      const token = this.cache.getAccessToken();
-
-      if (!connection.accessToken) {
-        connection.accessToken = token;
-      }
-
-      try {
-        return await this.finishAuthentication(connection, credentials, token);
-      } catch (error) {
-        if (error instanceof error_1.MongoError && error.code === error_1.MONGODB_ERROR_CODES.AuthenticationFailed) {
-          this.cache.removeAccessToken();
-          return await this.execute(connection, credentials);
-        } else {
-          throw error;
-        }
-      }
-    }
-
-    const response = await this.fetchAccessToken(credentials);
-    this.cache.put(response);
-    connection.accessToken = response.accessToken;
-    await this.finishAuthentication(connection, credentials, response.accessToken);
-  }
-  /**
-   * Fetches the access token using the callback.
-   */
-
-
-  async fetchAccessToken(credentials) {
-    const controller = new AbortController();
-    const params = {
-      timeoutContext: controller.signal,
-      version: mongodb_oidc_1.OIDC_VERSION
-    };
-
-    if (credentials.username) {
-      params.username = credentials.username;
-    }
-
-    if (credentials.mechanismProperties.TOKEN_RESOURCE) {
-      params.tokenAudience = credentials.mechanismProperties.TOKEN_RESOURCE;
-    }
-
-    const timeout = timeout_1.Timeout.expires(callback_workflow_1.AUTOMATED_TIMEOUT_MS);
-
-    try {
-      return await Promise.race([this.executeAndValidateCallback(params), timeout]);
-    } catch (error) {
-      if (timeout_1.TimeoutError.is(error)) {
-        controller.abort();
-        throw new error_1.MongoOIDCError(`OIDC callback timed out after ${callback_workflow_1.AUTOMATED_TIMEOUT_MS}ms.`);
-      }
-
-      throw error;
-    } finally {
-      timeout.clear();
-    }
-  }
-
-}
-
-exports.AutomatedCallbackWorkflow = AutomatedCallbackWorkflow;

package/transpiled/mongodb/lib/cmap/auth/mongodb_oidc/azure_machine_workflow.js

@@ -1,81 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.callback = void 0;
-
-const azure_1 = require("../../../client-side-encryption/providers/azure");
-
-const error_1 = require("../../../error");
-
-const utils_1 = require("../../../utils");
-/** Azure request headers. */
-
-
-const AZURE_HEADERS = Object.freeze({
-  Metadata: 'true',
-  Accept: 'application/json'
-});
-/** Invalid endpoint result error. */
-
-const ENDPOINT_RESULT_ERROR = 'Azure endpoint did not return a value with only access_token and expires_in properties';
-/** Error for when the token audience is missing in the environment. */
-
-const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
-/**
- * The callback function to be used in the automated callback workflow.
- * @param params - The OIDC callback parameters.
- * @returns The OIDC response.
- */
-
-const callback = async params => {
-  const tokenAudience = params.tokenAudience;
-  const username = params.username;
-
-  if (!tokenAudience) {
-    throw new error_1.MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
-  }
-
-  const response = await getAzureTokenData(tokenAudience, username);
-
-  if (!isEndpointResultValid(response)) {
-    throw new error_1.MongoAzureError(ENDPOINT_RESULT_ERROR);
-  }
-
-  return response;
-};
-
-exports.callback = callback;
-/**
- * Hit the Azure endpoint to get the token data.
- */
-
-async function getAzureTokenData(tokenAudience, username) {
-  const url = new URL(azure_1.AZURE_BASE_URL);
-  (0, azure_1.addAzureParams)(url, tokenAudience, username);
-  const response = await (0, utils_1.get)(url, {
-    headers: AZURE_HEADERS
-  });
-
-  if (response.status !== 200) {
-    throw new error_1.MongoAzureError(`Status code ${response.status} returned from the Azure endpoint. Response body: ${response.body}`);
-  }
-
-  const result = JSON.parse(response.body);
-  return {
-    accessToken: result.access_token,
-    expiresInSeconds: Number(result.expires_in)
-  };
-}
-/**
- * Determines if a result returned from the endpoint is valid.
- * This means the result is not nullish, contains the access_token required field
- * and the expires_in required field.
- */
-
-
-function isEndpointResultValid(token) {
-  if (token == null || typeof token !== 'object') return false;
-  return 'accessToken' in token && typeof token.accessToken === 'string' && 'expiresInSeconds' in token && typeof token.expiresInSeconds === 'number';
-}

package/transpiled/mongodb/lib/cmap/auth/mongodb_oidc/callback_workflow.js

@@ -1,174 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.CallbackWorkflow = exports.AUTOMATED_TIMEOUT_MS = exports.HUMAN_TIMEOUT_MS = void 0;
-
-const promises_1 = require("timers/promises");
-
-const error_1 = require("../../../error");
-
-const utils_1 = require("../../../utils");
-
-const command_builders_1 = require("./command_builders");
-/** 5 minutes in milliseconds */
-
-
-exports.HUMAN_TIMEOUT_MS = 300000;
-/** 1 minute in milliseconds */
-
-exports.AUTOMATED_TIMEOUT_MS = 60000;
-/** Properties allowed on results of callbacks. */
-
-const RESULT_PROPERTIES = ['accessToken', 'expiresInSeconds', 'refreshToken'];
-/** Error message when the callback result is invalid. */
-
-const CALLBACK_RESULT_ERROR = 'User provided OIDC callbacks must return a valid object with an accessToken.';
-/** The time to throttle callback calls. */
-
-const THROTTLE_MS = 100;
-/**
- * OIDC implementation of a callback based workflow.
- * @internal
- */
-
-class CallbackWorkflow {
-  /**
-   * Instantiate the callback workflow.
-   */
-  constructor(cache, callback) {
-    this.cache = cache;
-    this.callback = this.withLock(callback);
-    this.lastExecutionTime = Date.now() - THROTTLE_MS;
-  }
-  /**
-   * Get the document to add for speculative authentication. This also needs
-   * to add a db field from the credentials source.
-   */
-
-
-  async speculativeAuth(connection, credentials) {
-    // Check if the Client Cache has an access token.
-    // If it does, cache the access token in the Connection Cache and send a JwtStepRequest
-    // with the cached access token in the speculative authentication SASL payload.
-    if (this.cache.hasAccessToken) {
-      const accessToken = this.cache.getAccessToken();
-      connection.accessToken = accessToken;
-      const document = (0, command_builders_1.finishCommandDocument)(accessToken);
-      document.db = credentials.source;
-      return {
-        speculativeAuthenticate: document
-      };
-    }
-
-    return {};
-  }
-  /**
-   * Reauthenticate the callback workflow. For this we invalidated the access token
-   * in the cache and run the authentication steps again. No initial handshake needs
-   * to be sent.
-   */
-
-
-  async reauthenticate(connection, credentials) {
-    if (this.cache.hasAccessToken) {
-      // Reauthentication implies the token has expired.
-      if (connection.accessToken === this.cache.getAccessToken()) {
-        // If connection's access token is the same as the cache's, remove
-        // the token from the cache and connection.
-        this.cache.removeAccessToken();
-        delete connection.accessToken;
-      } else {
-        // If the connection's access token is different from the cache's, set
-        // the cache's token on the connection and do not remove from the
-        // cache.
-        connection.accessToken = this.cache.getAccessToken();
-      }
-    }
-
-    await this.execute(connection, credentials);
-  }
-  /**
-   * Starts the callback authentication process. If there is a speculative
-   * authentication document from the initial handshake, then we will use that
-   * value to get the issuer, otherwise we will send the saslStart command.
-   */
-
-
-  async startAuthentication(connection, credentials, response) {
-    let result;
-
-    if (response?.speculativeAuthenticate) {
-      result = response.speculativeAuthenticate;
-    } else {
-      result = await connection.command((0, utils_1.ns)(credentials.source), (0, command_builders_1.startCommandDocument)(credentials), undefined);
-    }
-
-    return result;
-  }
-  /**
-   * Finishes the callback authentication process.
-   */
-
-
-  async finishAuthentication(connection, credentials, token, conversationId) {
-    await connection.command((0, utils_1.ns)(credentials.source), (0, command_builders_1.finishCommandDocument)(token, conversationId), undefined);
-  }
-  /**
-   * Executes the callback and validates the output.
-   */
-
-
-  async executeAndValidateCallback(params) {
-    const result = await this.callback(params); // Validate that the result returned by the callback is acceptable. If it is not
-    // we must clear the token result from the cache.
-
-    if (isCallbackResultInvalid(result)) {
-      throw new error_1.MongoMissingCredentialsError(CALLBACK_RESULT_ERROR);
-    }
-
-    return result;
-  }
-  /**
-   * Ensure the callback is only executed one at a time and throttles the calls
-   * to every 100ms.
-   */
-
-
-  withLock(callback) {
-    let lock = Promise.resolve();
-    return async params => {
-      // We do this to ensure that we would never return the result of the
-      // previous lock, only the current callback's value would get returned.
-      await lock;
-      lock = lock.catch(() => null).then(async () => {
-        const difference = Date.now() - this.lastExecutionTime;
-
-        if (difference <= THROTTLE_MS) {
-          await (0, promises_1.setTimeout)(THROTTLE_MS - difference, {
-            signal: params.timeoutContext
-          });
-        }
-
-        this.lastExecutionTime = Date.now();
-        return await callback(params);
-      });
-      return await lock;
-    };
-  }
-
-}
-
-exports.CallbackWorkflow = CallbackWorkflow;
-/**
- * Determines if a result returned from a request or refresh callback
- * function is invalid. This means the result is nullish, doesn't contain
- * the accessToken required field, and does not contain extra fields.
- */
-
-function isCallbackResultInvalid(tokenResult) {
-  if (tokenResult == null || typeof tokenResult !== 'object') return true;
-  if (!('accessToken' in tokenResult)) return true;
-  return !Object.getOwnPropertyNames(tokenResult).every(prop => RESULT_PROPERTIES.includes(prop));
-}

package/transpiled/mongodb/lib/cmap/auth/mongodb_oidc/command_builders.js

@@ -1,59 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.finishCommandDocument = finishCommandDocument;
-exports.startCommandDocument = startCommandDocument;
-
-const bson_1 = require("../../../bson");
-
-const providers_1 = require("../providers");
-/**
- * Generate the finishing command document for authentication. Will be a
- * saslStart or saslContinue depending on the presence of a conversation id.
- */
-
-
-function finishCommandDocument(token, conversationId) {
-  if (conversationId != null) {
-    return {
-      saslContinue: 1,
-      conversationId: conversationId,
-      payload: new bson_1.Binary(bson_1.BSON.serialize({
-        jwt: token
-      }))
-    };
-  } // saslContinue requires a conversationId in the command to be valid so in this
-  // case the server allows "step two" to actually be a saslStart with the token
-  // as the jwt since the use of the cached value has no correlating conversating
-  // on the particular connection.
-
-
-  return {
-    saslStart: 1,
-    mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
-    payload: new bson_1.Binary(bson_1.BSON.serialize({
-      jwt: token
-    }))
-  };
-}
-/**
- * Generate the saslStart command document.
- */
-
-
-function startCommandDocument(credentials) {
-  const payload = {};
-
-  if (credentials.username) {
-    payload.n = credentials.username;
-  }
-
-  return {
-    saslStart: 1,
-    autoAuthorize: 1,
-    mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
-    payload: new bson_1.Binary(bson_1.BSON.serialize(payload))
-  };
-}

package/transpiled/mongodb/lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js

@@ -1,58 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.callback = void 0;
-
-const error_1 = require("../../../error");
-
-const utils_1 = require("../../../utils");
-/** GCP base URL. */
-
-
-const GCP_BASE_URL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity';
-/** GCP request headers. */
-
-const GCP_HEADERS = Object.freeze({
-  'Metadata-Flavor': 'Google'
-});
-/** Error for when the token audience is missing in the environment. */
-
-const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is gcp.';
-/**
- * The callback function to be used in the automated callback workflow.
- * @param params - The OIDC callback parameters.
- * @returns The OIDC response.
- */
-
-const callback = async params => {
-  const tokenAudience = params.tokenAudience;
-
-  if (!tokenAudience) {
-    throw new error_1.MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
-  }
-
-  return await getGcpTokenData(tokenAudience);
-};
-
-exports.callback = callback;
-/**
- * Hit the GCP endpoint to get the token data.
- */
-
-async function getGcpTokenData(tokenAudience) {
-  const url = new URL(GCP_BASE_URL);
-  url.searchParams.append('audience', tokenAudience);
-  const response = await (0, utils_1.get)(url, {
-    headers: GCP_HEADERS
-  });
-
-  if (response.status !== 200) {
-    throw new error_1.MongoGCPError(`Status code ${response.status} returned from the GCP endpoint. Response body: ${response.body}`);
-  }
-
-  return {
-    accessToken: response.body
-  };
-}