Skip to content

feat(NODE-6141): allow custom aws sdk config #4373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
baileympearson merged 25 commits into from
Mar 14, 2025
Merged

feat(NODE-6141): allow custom aws sdk config #4373

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
b974867
feat(NODE-6161): allow custom aws sdk config
durran Jan 17, 2025
36fe795
feat: add auto encryption option
durran Jan 31, 2025
2d76be7
feat: use credential providers
durran Feb 20, 2025
73584b2
test: add config tests
durran Feb 24, 2025
35303e8
test: add config tests
durran Feb 24, 2025
45115cd
test: prose tests
durran Feb 27, 2025
b7bb2bb
fix: typo
durran Feb 27, 2025
42a2b75
fix: change insert
durran Feb 27, 2025
9c5d773
fix: master key
durran Feb 27, 2025
e0912f0
test: setup fle
durran Feb 27, 2025
0be1f1f
test: setup fle first
durran Feb 27, 2025
9b2c563
const doc = await cursor.next();
durran Feb 27, 2025
33b8489
test: run with fle tests
durran Mar 3, 2025
e563fdb
test: cleanup
durran Mar 3, 2025
af40051
fix: test
durran Mar 3, 2025
b4ef702
fix: test
durran Mar 3, 2025
4ec025e
test: fix provider
durran Mar 3, 2025
e3e2681
test: add auto encryption test
durran Mar 9, 2025
074e400
test: count provider calls
durran Mar 9, 2025
2fb76c8
test: check provider count
durran Mar 11, 2025
2a284a9
chore: comments
durran Mar 11, 2025
b52fe67
fix: tests
durran Mar 11, 2025
39cd313
fix: pass auth mech props to get providers
durran Mar 12, 2025
3c8a5db
test: update names
durran Mar 12, 2025
4f73b77
chore: add comments
durran Mar 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat: use credential providers
  • Loading branch information
@durran
durran committed Mar 13, 2025
commit 2d76be7908b840620967472b18d9ad20668946d5
13 changes: 6 additions & 7 deletions src/client-side-encryption/auto_encrypter.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import {
import * as net from 'net';

import { deserialize, type Document, serialize } from '../bson';
import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
import { kDecorateResult } from '../constants';
import { getMongoDBClientEncryption } from '../deps';
Expand All @@ -18,7 +17,7 @@ import { autoSelectSocketOptions } from './client_encryption';
import * as cryptoCallbacks from './crypto_callbacks';
import { MongoCryptInvalidArgumentError } from './errors';
import { MongocryptdManager } from './mongocryptd_manager';
import { type KMSProviders, refreshKMSCredentials } from './providers';
import { type CredentialProviders, type KMSProviders, refreshKMSCredentials } from './providers';
import { type CSFLEKMSTlsOptions, StateMachine } from './state_machine';

/** @public */
Expand All @@ -31,6 +30,8 @@ export interface AutoEncryptionOptions {
keyVaultNamespace?: string;
/** Configuration options that are used by specific KMS providers during key generation, encryption, and decryption. */
kmsProviders?: KMSProviders;
/** Configuration options for custom credential providers. */
credentialProviders?: CredentialProviders;
/**
* A map of namespaces to a local JSON schema for encryption
*
Expand Down Expand Up @@ -105,8 +106,6 @@ export interface AutoEncryptionOptions {
proxyOptions?: ProxyOptions;
/** The TLS options to use connecting to the KMS provider */
tlsOptions?: CSFLEKMSTlsOptions;
/** Optional custom credential provider to use for KMS requests. */
awsCredentialProvider?: AWSCredentialProvider;
}

/**
Expand Down Expand Up @@ -156,7 +155,7 @@ export class AutoEncrypter {
_kmsProviders: KMSProviders;
_bypassMongocryptdAndCryptShared: boolean;
_contextCounter: number;
_awsCredentialProvider?: AWSCredentialProvider;
_credentialProviders?: CredentialProviders;

_mongocryptdManager?: MongocryptdManager;
_mongocryptdClient?: MongoClient;
Expand Down Expand Up @@ -241,7 +240,7 @@ export class AutoEncrypter {
this._proxyOptions = options.proxyOptions || {};
this._tlsOptions = options.tlsOptions || {};
this._kmsProviders = options.kmsProviders || {};
this._awsCredentialProvider = options.awsCredentialProvider;
this._credentialProviders = options.credentialProviders;

const mongoCryptOptions: MongoCryptOptions = {
enableMultipleCollinfo: true,
Expand Down Expand Up @@ -444,7 +443,7 @@ export class AutoEncrypter {
* the original ones.
*/
async askForKMSCredentials(): Promise<KMSProviders> {
return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
}

/**
Expand Down
14 changes: 9 additions & 5 deletions src/client-side-encryption/client_encryption.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ import {
type UUID
} from '../bson';
import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
import { type ProxyOptions } from '../cmap/connection';
import { type Collection } from '../collection';
import { type FindCursor } from '../cursor/find_cursor';
Expand All @@ -35,6 +34,7 @@ import {
} from './errors';
import {
type ClientEncryptionDataKeyProvider,
type CredentialProviders,
type KMSProviders,
refreshKMSCredentials
} from './providers/index';
Expand Down Expand Up @@ -83,7 +83,7 @@ export class ClientEncryption {
_mongoCrypt: MongoCrypt;

/** @internal */
_awsCredentialProvider?: AWSCredentialProvider;
_credentialProviders?: CredentialProviders;

/** @internal */
static getMongoCrypt(): MongoCryptConstructor {
Expand Down Expand Up @@ -129,8 +129,7 @@ export class ClientEncryption {
this._kmsProviders = options.kmsProviders || {};
const { timeoutMS } = resolveTimeoutOptions(client, options);
this._timeoutMS = timeoutMS;
this._awsCredentialProvider =
client.options.credentials?.mechanismProperties.AWS_CREDENTIAL_PROVIDER;
this._credentialProviders = options.credentialProviders;

if (options.keyVaultNamespace == null) {
throw new MongoCryptInvalidArgumentError('Missing required option `keyVaultNamespace`');
Expand Down Expand Up @@ -718,7 +717,7 @@ export class ClientEncryption {
* the original ones.
*/
async askForKMSCredentials(): Promise<KMSProviders> {
return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
}

static get libmongocryptVersion() {
Expand Down Expand Up @@ -864,6 +863,11 @@ export interface ClientEncryptionOptions {
*/
kmsProviders?: KMSProviders;

/**
* Options for user provided custom credential providers.
*/
credentialProviders?: CredentialProviders;

/**
* Options for specifying a Socks5 proxy to use for connecting to the KMS.
*/
Expand Down
13 changes: 11 additions & 2 deletions src/client-side-encryption/providers/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,15 @@ export type GCPKMSProviderConfiguration =
accessToken: string;
};

/**
* @public
* Configuration options for custom credential providers for KMS requests.
*/
export interface CredentialProviders {
/* A custom AWS credential provider */
aws?: AWSCredentialProvider;
}

/**
* @public
* Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
Expand Down Expand Up @@ -179,12 +188,12 @@ export function isEmptyCredentials(
*/
export async function refreshKMSCredentials(
kmsProviders: KMSProviders,
awsProvider?: AWSCredentialProvider
credentialProviders?: CredentialProviders
): Promise<KMSProviders> {
let finalKMSProviders = kmsProviders;

if (isEmptyCredentials('aws', kmsProviders)) {
finalKMSProviders = await loadAWSCredentials(finalKMSProviders, awsProvider);
finalKMSProviders = await loadAWSCredentials(finalKMSProviders, credentialProviders?.aws);
}

if (isEmptyCredentials('gcp', kmsProviders)) {
Expand Down
1 change: 1 addition & 0 deletions src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,7 @@ export type {
AWSKMSProviderConfiguration,
AzureKMSProviderConfiguration,
ClientEncryptionDataKeyProvider,
CredentialProviders,
GCPKMSProviderConfiguration,
KMIPKMSProviderConfiguration,
KMSProviders,
Expand Down
2 changes: 1 addition & 1 deletion test/integration/auth/mongodb_aws.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -475,7 +475,7 @@ describe('AWS KMS Credential Fetching', function () {
it('KMS credentials are successfully fetched.', async function () {
const { aws } = await refreshKMSCredentials(
{ aws: {} },
credentialProvider.fromNodeProviderChain()
{ aws: credentialProvider.fromNodeProviderChain() }
);

expect(aws).to.have.property('accessKeyId');
Expand Down