last code changes and integration tests passing

baileympearson · baileympearson · commit 3ba6c54ab528 · 2024-03-21T14:14:22.000-06:00
diff --git a/src/cmap/auth/aws_temporary_credentials.ts b/src/cmap/auth/aws_temporary_credentials.ts
@@ -6,16 +6,26 @@ const AWS_RELATIVE_URI = 'http://169.254.170.2';
 const AWS_EC2_URI = 'http://169.254.169.254';
 const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 
-/** @internal */
+/**
+ * @internal
+ * This interface matches the final result of fetching temporary credentials manually, outlined
+ * in the spec [here](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#ec2-endpoint).
+ *
+ * When we use the AWS SDK, we map the response from the SDK to conform to this interface.
+ */
 export interface AWSTempCredentials {
   AccessKeyId?: string;
   SecretAccessKey?: string;
-  SessionToken?: string;
+  Token?: string;
   RoleArn?: string;
   Expiration?: Date;
 }
 
-/** @internal */
+/**
+ * @internal
+ *
+ * Fetches temporary AWS credentials.
+ */
 export abstract class AWSTemporaryCredentialProvider {
   abstract getCredentials(): Promise<AWSTempCredentials>;
   private static _credentialProvider: ReturnType<typeof getAwsCredentialProvider>;
@@ -32,6 +42,10 @@ export abstract class AWSTemporaryCredentialProvider {
 /** @internal */
 export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
   private _provider?: () => Promise<AWSCredentials>;
+  /**
+   * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
+   * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
+   */
   private get provider(): () => Promise<AWSCredentials> {
     if ('kModuleError' in AWSTemporaryCredentialProvider.credentialProvider) {
       throw AWSTemporaryCredentialProvider.credentialProvider.kModuleError;
@@ -106,7 +120,7 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
       return {
         AccessKeyId: creds.accessKeyId,
         SecretAccessKey: creds.secretAccessKey,
-        SessionToken: creds.sessionToken,
+        Token: creds.sessionToken,
         Expiration: creds.expiration
       };
     } catch (error) {
@@ -115,7 +129,11 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
   }
 }
 
-/** @internal */
+/**
+ * @internal
+ * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
+ * section of the Auth spec.
+ */
 export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
   override async getCredentials(): Promise<AWSTempCredentials> {
     // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
@@ -172,7 +172,7 @@ async function makeTempCredentials(
       source: credentials.source,
       mechanism: AuthMechanism.MONGODB_AWS,
       mechanismProperties: {
-        AWS_SESSION_TOKEN: creds.SessionToken
+        AWS_SESSION_TOKEN: creds.Token
       }
     });
   }
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
@@ -6,6 +6,7 @@ import { performance } from 'perf_hooks';
 import * as sinon from 'sinon';
 
 import {
+  AWSTemporaryCredentialProvider,
   MongoAWSError,
   type MongoClient,
   MongoDBAWS,
@@ -268,7 +269,8 @@ describe('MONGODB-AWS', function () {
 
           numberOfFromNodeProviderChainCalls = 0;
 
-          MongoDBAWS.credentialProvider = {
+          // @ts-expect-error We intentionally access a protected variable.
+          AWSTemporaryCredentialProvider._credentialProvider = {
             fromNodeProviderChain(...args) {
               calledArguments = args;
               numberOfFromNodeProviderChainCalls += 1;
@@ -289,7 +291,8 @@ describe('MONGODB-AWS', function () {
           if (typeof storedEnv.AWS_STS_REGIONAL_ENDPOINTS === 'string') {
             process.env.AWS_REGION = storedEnv.AWS_REGION;
           }
-          MongoDBAWS.credentialProvider = credentialProvider;
+          // @ts-expect-error We intentionally access a protected variable.
+          AWSTemporaryCredentialProvider._credentialProvider = credentialProvider;
           calledArguments = [];
         });
 
diff --git a/test/mongodb.ts b/test/mongodb.ts
@@ -101,6 +101,7 @@ export * from '../src/bulk/ordered';
 export * from '../src/bulk/unordered';
 export * from '../src/change_stream';
 export * from '../src/cmap/auth/auth_provider';
+export * from '../src/cmap/auth/aws_temporary_credentials';
 export * from '../src/cmap/auth/gssapi';
 export * from '../src/cmap/auth/mongo_credentials';
 export * from '../src/cmap/auth/mongocr';

Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ async function makeTempCredentials(`
`172`	`172`	`source: credentials.source,`
`173`	`173`	`mechanism: AuthMechanism.MONGODB_AWS,`
`174`	`174`	`mechanismProperties: {`
`175`		`- AWS_SESSION_TOKEN: creds.SessionToken`
	`175`	`+ AWS_SESSION_TOKEN: creds.Token`
`176`	`176`	`}`
`177`	`177`	`});`
`178`	`178`	`}`