Skip to content

Commit

Permalink
fix(NODE-5944): make AWS session token optional (#4002)
Browse files Browse the repository at this point in the history
Co-authored-by: Durran Jordan <durran@gmail.com>
  • Loading branch information
alenakhineika and durran authored Feb 27, 2024
1 parent 09c9b0b commit f26de76
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 2 deletions.
6 changes: 5 additions & 1 deletion src/cmap/auth/mongodb_aws.ts
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@ export class MongoDBAWS extends AuthProvider {

const accessKeyId = credentials.username;
const secretAccessKey = credentials.password;
// Allow the user to specify an AWS session token for authentication with temporary credentials.
const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;

// If all three defined, include sessionToken, else include username and pass, else no credentials
Expand All @@ -129,6 +130,8 @@ export class MongoDBAWS extends AuthProvider {
const db = credentials.source;
const nonce = await randomBytes(32);

// All messages between MongoDB clients and servers are sent as BSON objects
// in the payload field of saslStart and saslContinue.
const saslStart = {
saslStart: 1,
mechanism: 'MONGODB-AWS',
Expand Down Expand Up @@ -212,7 +215,8 @@ async function makeTempCredentials(
provider?: () => Promise<AWSCredentials>
): Promise<MongoCredentials> {
function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
if (!creds.AccessKeyId || !creds.SecretAccessKey || !creds.Token) {
// The AWS session token (creds.Token) may or may not be set.
if (!creds.AccessKeyId || !creds.SecretAccessKey) {
throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials');
}

Expand Down
37 changes: 36 additions & 1 deletion test/integration/auth/mongodb_aws.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,13 @@ import * as http from 'http';
import { performance } from 'perf_hooks';
import * as sinon from 'sinon';

import { MongoAWSError, type MongoClient, MongoDBAWS, MongoServerError } from '../../mongodb';
import {
MongoAWSError,
type MongoClient,
MongoDBAWS,
MongoMissingCredentialsError,
MongoServerError
} from '../../mongodb';

function awsSdk() {
try {
Expand Down Expand Up @@ -81,6 +87,35 @@ describe('MONGODB-AWS', function () {
expect(provider).to.be.instanceOf(MongoDBAWS);
});

describe('with missing aws token', () => {
let awsSessionToken;

beforeEach(function () {
awsSessionToken = process.env.AWS_SESSION_TOKEN;
delete process.env.AWS_SESSION_TOKEN;
});

afterEach(async () => {
process.env.AWS_SESSION_TOKEN = awsSessionToken;
});

it('should not throw an exception when aws token is missing', async function () {
client = this.configuration.newClient(process.env.MONGODB_URI);

const result = await client
.db('aws')
.collection('aws_test')
.estimatedDocumentCount()
.catch(error => error);

// We check only for the MongoMissingCredentialsError
// and do check for the MongoServerError as the error or numeric result
// that can be returned depending on different types of environments
// getting credentials from different sources.
expect(result).to.not.be.instanceOf(MongoMissingCredentialsError);
});
});

describe('EC2 with missing credentials', () => {
let client;

Expand Down

0 comments on commit f26de76

Please sign in to comment.