Skip to content

Commit 5469458

Browse files
durrandurran
committed
feat: use credential providers
1 parent 2c361a4 commit 5469458

File tree

5 files changed

+28
-15
lines changed

5 files changed

+28
-15
lines changed

src/client-side-encryption/auto_encrypter.ts

Lines changed: 6 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,6 @@ import {
66
import * as net from 'net';
77

88
import { deserialize, type Document, serialize } from '../bson';
9-
import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
109
import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
1110
import { kDecorateResult } from '../constants';
1211
import { getMongoDBClientEncryption } from '../deps';
@@ -18,7 +17,7 @@ import { autoSelectSocketOptions } from './client_encryption';
1817
import * as cryptoCallbacks from './crypto_callbacks';
1918
import { MongoCryptInvalidArgumentError } from './errors';
2019
import { MongocryptdManager } from './mongocryptd_manager';
21-
import { type KMSProviders, refreshKMSCredentials } from './providers';
20+
import { type CredentialProviders, type KMSProviders, refreshKMSCredentials } from './providers';
2221
import { type CSFLEKMSTlsOptions, StateMachine } from './state_machine';
2322

2423
/** @public */
@@ -31,6 +30,8 @@ export interface AutoEncryptionOptions {
3130
keyVaultNamespace?: string;
3231
/** Configuration options that are used by specific KMS providers during key generation, encryption, and decryption. */
3332
kmsProviders?: KMSProviders;
33+
/** Configuration options for custom credential providers. */
34+
credentialProviders?: CredentialProviders;
3435
/**
3536
* A map of namespaces to a local JSON schema for encryption
3637
*
@@ -105,8 +106,6 @@ export interface AutoEncryptionOptions {
105106
proxyOptions?: ProxyOptions;
106107
/** The TLS options to use connecting to the KMS provider */
107108
tlsOptions?: CSFLEKMSTlsOptions;
108-
/** Optional custom credential provider to use for KMS requests. */
109-
awsCredentialProvider?: AWSCredentialProvider;
110109
}
111110

112111
/**
@@ -156,7 +155,7 @@ export class AutoEncrypter {
156155
_kmsProviders: KMSProviders;
157156
_bypassMongocryptdAndCryptShared: boolean;
158157
_contextCounter: number;
159-
_awsCredentialProvider?: AWSCredentialProvider;
158+
_credentialProviders?: CredentialProviders;
160159

161160
_mongocryptdManager?: MongocryptdManager;
162161
_mongocryptdClient?: MongoClient;
@@ -241,7 +240,7 @@ export class AutoEncrypter {
241240
this._proxyOptions = options.proxyOptions || {};
242241
this._tlsOptions = options.tlsOptions || {};
243242
this._kmsProviders = options.kmsProviders || {};
244-
this._awsCredentialProvider = options.awsCredentialProvider;
243+
this._credentialProviders = options.credentialProviders;
245244

246245
const mongoCryptOptions: MongoCryptOptions = {
247246
cryptoCallbacks
@@ -443,7 +442,7 @@ export class AutoEncrypter {
443442
* the original ones.
444443
*/
445444
async askForKMSCredentials(): Promise<KMSProviders> {
446-
return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
445+
return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
447446
}
448447

449448
/**

src/client-side-encryption/client_encryption.ts

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,6 @@ import {
1515
type UUID
1616
} from '../bson';
1717
import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
18-
import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
1918
import { type ProxyOptions } from '../cmap/connection';
2019
import { type Collection } from '../collection';
2120
import { type FindCursor } from '../cursor/find_cursor';
@@ -35,6 +34,7 @@ import {
3534
} from './errors';
3635
import {
3736
type ClientEncryptionDataKeyProvider,
37+
type CredentialProviders,
3838
type KMSProviders,
3939
refreshKMSCredentials
4040
} from './providers/index';
@@ -83,7 +83,7 @@ export class ClientEncryption {
8383
_mongoCrypt: MongoCrypt;
8484

8585
/** @internal */
86-
_awsCredentialProvider?: AWSCredentialProvider;
86+
_credentialProviders?: CredentialProviders;
8787

8888
/** @internal */
8989
static getMongoCrypt(): MongoCryptConstructor {
@@ -129,8 +129,7 @@ export class ClientEncryption {
129129
this._kmsProviders = options.kmsProviders || {};
130130
const { timeoutMS } = resolveTimeoutOptions(client, options);
131131
this._timeoutMS = timeoutMS;
132-
this._awsCredentialProvider =
133-
client.options.credentials?.mechanismProperties.AWS_CREDENTIAL_PROVIDER;
132+
this._credentialProviders = options.credentialProviders;
134133

135134
if (options.keyVaultNamespace == null) {
136135
throw new MongoCryptInvalidArgumentError('Missing required option `keyVaultNamespace`');
@@ -718,7 +717,7 @@ export class ClientEncryption {
718717
* the original ones.
719718
*/
720719
async askForKMSCredentials(): Promise<KMSProviders> {
721-
return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
720+
return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
722721
}
723722

724723
static get libmongocryptVersion() {
@@ -864,6 +863,11 @@ export interface ClientEncryptionOptions {
864863
*/
865864
kmsProviders?: KMSProviders;
866865

866+
/**
867+
* Options for user provided custom credential providers.
868+
*/
869+
credentialProviders?: CredentialProviders;
870+
867871
/**
868872
* Options for specifying a Socks5 proxy to use for connecting to the KMS.
869873
*/

src/client-side-encryption/providers/index.ts

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -113,6 +113,15 @@ export type GCPKMSProviderConfiguration =
113113
accessToken: string;
114114
};
115115

116+
/**
117+
* @public
118+
* Configuration options for custom credential providers for KMS requests.
119+
*/
120+
export interface CredentialProviders {
121+
/* A custom AWS credential provider */
122+
aws?: AWSCredentialProvider;
123+
}
124+
116125
/**
117126
* @public
118127
* Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
@@ -179,12 +188,12 @@ export function isEmptyCredentials(
179188
*/
180189
export async function refreshKMSCredentials(
181190
kmsProviders: KMSProviders,
182-
awsProvider?: AWSCredentialProvider
191+
credentialProviders?: CredentialProviders
183192
): Promise<KMSProviders> {
184193
let finalKMSProviders = kmsProviders;
185194

186195
if (isEmptyCredentials('aws', kmsProviders)) {
187-
finalKMSProviders = await loadAWSCredentials(finalKMSProviders, awsProvider);
196+
finalKMSProviders = await loadAWSCredentials(finalKMSProviders, credentialProviders?.aws);
188197
}
189198

190199
if (isEmptyCredentials('gcp', kmsProviders)) {

src/index.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -256,6 +256,7 @@ export type {
256256
AWSKMSProviderConfiguration,
257257
AzureKMSProviderConfiguration,
258258
ClientEncryptionDataKeyProvider,
259+
CredentialProviders,
259260
GCPKMSProviderConfiguration,
260261
KMIPKMSProviderConfiguration,
261262
KMSProviders,

test/integration/auth/mongodb_aws.test.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -475,7 +475,7 @@ describe('AWS KMS Credential Fetching', function () {
475475
it('KMS credentials are successfully fetched.', async function () {
476476
const { aws } = await refreshKMSCredentials(
477477
{ aws: {} },
478-
credentialProvider.fromNodeProviderChain()
478+
{ aws: credentialProvider.fromNodeProviderChain() }
479479
);
480480

481481
expect(aws).to.have.property('accessKeyId');

0 commit comments

Comments
 (0)