refactor(NODE-6040): extract aws temporary credential acquisition log…

…ic into a standalone module (#4050)
mongodb · Mar 25, 2024 · 918fe69 · 918fe69
1 parent d94439f
commit 918fe69
Show file tree

Hide file tree

Showing 5 changed files with 194 additions and 130 deletions.
diff --git a/src/cmap/auth/aws_temporary_credentials.ts b/src/cmap/auth/aws_temporary_credentials.ts
@@ -0,0 +1,167 @@
+import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
+import { MongoAWSError } from '../../error';
+import { request } from '../../utils';
+
+const AWS_RELATIVE_URI = 'http://169.254.170.2';
+const AWS_EC2_URI = 'http://169.254.169.254';
+const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
+
+/**
+ * @internal
+ * This interface matches the final result of fetching temporary credentials manually, outlined
+ * in the spec [here](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#ec2-endpoint).
+ *
+ * When we use the AWS SDK, we map the response from the SDK to conform to this interface.
+ */
+export interface AWSTempCredentials {
+ AccessKeyId?: string;
+ SecretAccessKey?: string;
+ Token?: string;
+ RoleArn?: string;
+ Expiration?: Date;
+}
+
+/**
+ * @internal
+ *
+ * Fetches temporary AWS credentials.
+ */
+export abstract class AWSTemporaryCredentialProvider {
+ abstract getCredentials(): Promise<AWSTempCredentials>;
+ private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
+ protected static get awsSDK() {
+ AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
+ return AWSTemporaryCredentialProvider._awsSDK;
+ }
+
+ static get isAWSSDKInstalled(): boolean {
+ return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
+ }
+}
+
+/** @internal */
+export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
+ private _provider?: () => Promise<AWSCredentials>;
+ /**
+ * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
+ * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
+ */
+ private get provider(): () => Promise<AWSCredentials> {
+ if ('kModuleError' in AWSTemporaryCredentialProvider.awsSDK) {
+ throw AWSTemporaryCredentialProvider.awsSDK.kModuleError;
+ }
+ if (this._provider) {
+ return this._provider;
+ }
+ let { AWS_STS_REGIONAL_ENDPOINTS = '', AWS_REGION = '' } = process.env;
+ AWS_STS_REGIONAL_ENDPOINTS = AWS_STS_REGIONAL_ENDPOINTS.toLowerCase();
+ AWS_REGION = AWS_REGION.toLowerCase();
+
+ /** The option setting should work only for users who have explicit settings in their environment, the driver should not encode "defaults" */
+ const awsRegionSettingsExist =
+ AWS_REGION.length !== 0 && AWS_STS_REGIONAL_ENDPOINTS.length !== 0;
+
+ /**
+ * The following regions use the global AWS STS endpoint, sts.amazonaws.com, by default
+ * https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
+ */
+ const LEGACY_REGIONS = new Set([
+ 'ap-northeast-1',
+ 'ap-south-1',
+ 'ap-southeast-1',
+ 'ap-southeast-2',
+ 'aws-global',
+ 'ca-central-1',
+ 'eu-central-1',
+ 'eu-north-1',
+ 'eu-west-1',
+ 'eu-west-2',
+ 'eu-west-3',
+ 'sa-east-1',
+ 'us-east-1',
+ 'us-east-2',
+ 'us-west-1',
+ 'us-west-2'
+ ]);
+ /**
+ * If AWS_STS_REGIONAL_ENDPOINTS is set to regional, users are opting into the new behavior of respecting the region settings
+ *
+ * If AWS_STS_REGIONAL_ENDPOINTS is set to legacy, then "old" regions need to keep using the global setting.
+ * Technically the SDK gets this wrong, it reaches out to 'sts.us-east-1.amazonaws.com' when it should be 'sts.amazonaws.com'.
+ * That is not our bug to fix here. We leave that up to the SDK.
+ */
+ const useRegionalSts =
+ AWS_STS_REGIONAL_ENDPOINTS === 'regional' ||
+ (AWS_STS_REGIONAL_ENDPOINTS === 'legacy' && !LEGACY_REGIONS.has(AWS_REGION));
+
+ this._provider =
+ awsRegionSettingsExist && useRegionalSts
+ ? AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain({
+ clientConfig: { region: AWS_REGION }
+ })
+ : AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain();
+
+ return this._provider;
+ }
+
+ override async getCredentials(): Promise<AWSTempCredentials> {
+ /*
+ * Creates a credential provider that will attempt to find credentials from the
+ * following sources (listed in order of precedence):
+ *
+ * - Environment variables exposed via process.env
+ * - SSO credentials from token cache
+ * - Web identity token credentials
+ * - Shared credentials and config ini files
+ * - The EC2/ECS Instance Metadata Service
+ */
+ try {
+ const creds = await this.provider();
+ return {
+ AccessKeyId: creds.accessKeyId,
+ SecretAccessKey: creds.secretAccessKey,
+ Token: creds.sessionToken,
+ Expiration: creds.expiration
+ };
+ } catch (error) {
+ throw new MongoAWSError(error.message, { cause: error });
+ }
+ }
+}
+
+/**
+ * @internal
+ * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
+ * section of the Auth spec.
+ */
+export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
+ override async getCredentials(): Promise<AWSTempCredentials> {
+ // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+ // is set then drivers MUST assume that it was set by an AWS ECS agent
+ if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+ return request(`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`);
+ }
+
+ // Otherwise assume we are on an EC2 instance
+
+ // get a token
+ const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
+ method: 'PUT',
+ json: false,
+ headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
+ });
+
+ // get role name
+ const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
+ json: false,
+ headers: { 'X-aws-ec2-metadata-token': token }
+ });
+
+ // get temp credentials
+ const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
+ headers: { 'X-aws-ec2-metadata-token': token }
+ });
+
+ return creds;
+ }
+}
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
@@ -1,45 +1,23 @@
-import * as process from 'process';
-
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4, type AWSCredentials, getAwsCredentialProvider } from '../../deps';
+import { aws4 } from '../../deps';
 import {
- MongoAWSError,
  MongoCompatibilityError,
  MongoMissingCredentialsError,
  MongoRuntimeError
 } from '../../error';
-import { ByteUtils, maxWireVersion, ns, randomBytes, request } from '../../utils';
+import { ByteUtils, maxWireVersion, ns, randomBytes } from '../../utils';
 import { type AuthContext, AuthProvider } from './auth_provider';
+import {
+ AWSSDKCredentialProvider,
+ type AWSTempCredentials,
+ AWSTemporaryCredentialProvider,
+ LegacyAWSTemporaryCredentialProvider
+} from './aws_temporary_credentials';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
 
-/**
- * The following regions use the global AWS STS endpoint, sts.amazonaws.com, by default
- * https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
- */
-const LEGACY_REGIONS = new Set([
- 'ap-northeast-1',
- 'ap-south-1',
- 'ap-southeast-1',
- 'ap-southeast-2',
- 'aws-global',
- 'ca-central-1',
- 'eu-central-1',
- 'eu-north-1',
- 'eu-west-1',
- 'eu-west-2',
- 'eu-west-3',
- 'sa-east-1',
- 'us-east-1',
- 'us-east-2',
- 'us-west-1',
- 'us-west-2'
-]);
 const ASCII_N = 110;
-const AWS_RELATIVE_URI = 'http://169.254.170.2';
-const AWS_EC2_URI = 'http://169.254.169.254';
-const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 const bsonOptions: BSONSerializeOptions = {
  useBigInt64: false,
  promoteLongs: true,
@@ -55,40 +33,13 @@ interface AWSSaslContinuePayload {
 }
 
 export class MongoDBAWS extends AuthProvider {
- static credentialProvider: ReturnType<typeof getAwsCredentialProvider>;
- provider?: () => Promise<AWSCredentials>;
-
+ private credentialFetcher: AWSTemporaryCredentialProvider;
  constructor() {
  super();
- MongoDBAWS.credentialProvider ??= getAwsCredentialProvider();
-
- let { AWS_STS_REGIONAL_ENDPOINTS = '', AWS_REGION = '' } = process.env;
- AWS_STS_REGIONAL_ENDPOINTS = AWS_STS_REGIONAL_ENDPOINTS.toLowerCase();
- AWS_REGION = AWS_REGION.toLowerCase();
-
- /** The option setting should work only for users who have explicit settings in their environment, the driver should not encode "defaults" */
- const awsRegionSettingsExist =
- AWS_REGION.length !== 0 && AWS_STS_REGIONAL_ENDPOINTS.length !== 0;
-
- /**
- * If AWS_STS_REGIONAL_ENDPOINTS is set to regional, users are opting into the new behavior of respecting the region settings
- *
- * If AWS_STS_REGIONAL_ENDPOINTS is set to legacy, then "old" regions need to keep using the global setting.
- * Technically the SDK gets this wrong, it reaches out to 'sts.us-east-1.amazonaws.com' when it should be 'sts.amazonaws.com'.
- * That is not our bug to fix here. We leave that up to the SDK.
- */
- const useRegionalSts =
- AWS_STS_REGIONAL_ENDPOINTS === 'regional' ||
- (AWS_STS_REGIONAL_ENDPOINTS === 'legacy' && !LEGACY_REGIONS.has(AWS_REGION));
 
- if ('fromNodeProviderChain' in MongoDBAWS.credentialProvider) {
- this.provider =
- awsRegionSettingsExist && useRegionalSts
- ? MongoDBAWS.credentialProvider.fromNodeProviderChain({
- clientConfig: { region: AWS_REGION }
- })
- : MongoDBAWS.credentialProvider.fromNodeProviderChain();
- }
+ this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
+ ? new AWSSDKCredentialProvider()
+ : new LegacyAWSTemporaryCredentialProvider();
  }
 
  override async auth(authContext: AuthContext): Promise<void> {
@@ -109,7 +60,10 @@ export class MongoDBAWS extends AuthProvider {
  }
 
  if (!authContext.credentials.username) {
- authContext.credentials = await makeTempCredentials(authContext.credentials, this.provider);
+ authContext.credentials = await makeTempCredentials(
+ authContext.credentials,
+ this.credentialFetcher
+ );
  }
 
  const { credentials } = authContext;
@@ -202,17 +156,9 @@ export class MongoDBAWS extends AuthProvider {
  }
 }
 
-interface AWSTempCredentials {
- AccessKeyId?: string;
- SecretAccessKey?: string;
- Token?: string;
- RoleArn?: string;
- Expiration?: Date;
-}
-
 async function makeTempCredentials(
  credentials: MongoCredentials,
- provider?: () => Promise<AWSCredentials>
+ awsCredentialFetcher: AWSTemporaryCredentialProvider
 ): Promise<MongoCredentials> {
  function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
  // The AWS session token (creds.Token) may or may not be set.
@@ -230,62 +176,9 @@ async function makeTempCredentials(
  }
  });
  }
+ const temporaryCredentials = await awsCredentialFetcher.getCredentials();
 
- // Check if the AWS credential provider from the SDK is present. If not,
- // use the old method.
- if (provider && !('kModuleError' in MongoDBAWS.credentialProvider)) {
- /*
- * Creates a credential provider that will attempt to find credentials from the
- * following sources (listed in order of precedence):
- *
- * - Environment variables exposed via process.env
- * - SSO credentials from token cache
- * - Web identity token credentials
- * - Shared credentials and config ini files
- * - The EC2/ECS Instance Metadata Service
- */
- try {
- const creds = await provider();
- return makeMongoCredentialsFromAWSTemp({
- AccessKeyId: creds.accessKeyId,
- SecretAccessKey: creds.secretAccessKey,
- Token: creds.sessionToken,
- Expiration: creds.expiration
- });
- } catch (error) {
- throw new MongoAWSError(error.message);
- }
- } else {
- // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
- // is set then drivers MUST assume that it was set by an AWS ECS agent
- if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
- return makeMongoCredentialsFromAWSTemp(
- await request(`${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`)
- );
- }
-
- // Otherwise assume we are on an EC2 instance
-
- // get a token
- const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
- method: 'PUT',
- json: false,
- headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
- });
-
- // get role name
- const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
- json: false,
- headers: { 'X-aws-ec2-metadata-token': token }
- });
-
- // get temp credentials
- const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
- headers: { 'X-aws-ec2-metadata-token': token }
- });
-
- return makeMongoCredentialsFromAWSTemp(creds);
- }
+ return makeMongoCredentialsFromAWSTemp(temporaryCredentials);
 }
 
 function deriveRegion(host: string) {

diff --git a/src/error.ts b/src/error.ts
@@ -520,8 +520,8 @@ export class MongoAWSError extends MongoRuntimeError {
  *
  * @public
  **/
- constructor(message: string) {
- super(message);
+ constructor(message: string, options?: { cause?: Error }) {
+ super(message, options);
  }
 
  override get name(): string {