fix(NODE-3487): check for nullish aws mechanism property (#2957)
nbbeeken authored Aug 27, 2021
1 parent 54f5c2d commit 5902b4c
Showing 3 changed files with 29 additions and 16 deletions.
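--- a/lib/core/auth/mongo_credentials.js
+++ b/lib/core/auth/mongo_credentials.js
@@ -58,7 +58,10 @@ class MongoCredentials {
 this.password = process.env.AWS_SECRET_ACCESS_KEY;
 }
 
-if (!this.mechanismProperties.AWS_SESSION_TOKEN && process.env.AWS_SESSION_TOKEN) {
+if (
+this.mechanismProperties.AWS_SESSION_TOKEN == null &&
+process.env.AWS_SESSION_TOKEN != null
+) {
 this.mechanismProperties.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN;
 }
 }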
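Review bot: The rewritten condition now treats an empty string as an explicit value, but nothing at the `if (` says so, and a later cleanup could turn it back into a truthiness test and silently re-enable the environment fallback. A comment above the condition would pin the intent: `// '' is a deliberate opt-out; only null/undefined falls back to process.env.AWS_SESSION_TOKEN`. Separately, the token fallback is not visibly tied to whether the access key and secret also came from the environment (the enclosing block starts above the hunk), so an explicitly supplied key pair could end up combined with an ambient session token from a different credential set; it is worth confirming that this is intended.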
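--- a/lib/core/auth/mongodb_aws.js
+++ b/lib/core/auth/mongodb_aws.js
@@ -51,12 +51,21 @@ class MongoDBAWS extends AuthProvider {
 return;
 }
 
-const username = credentials.username;
-const password = credentials.password;
 const db = credentials.source;
-const token = credentials.mechanismProperties.AWS_SESSION_TOKEN;
 const bson = this.bson;
 
+const accessKeyId = credentials.username;
+const secretAccessKey = credentials.password;
+const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
+
+// If all three defined, include sessionToken, else include username and pass, else no credentials
+const awsCredentials =
+accessKeyId && secretAccessKey && sessionToken
+? { accessKeyId, secretAccessKey, sessionToken }
+: accessKeyId && secretAccessKey
+? { accessKeyId, secretAccessKey }
+: undefined;
+
 crypto.randomBytes(32, (err, nonce) => {
 if (err) {
 callback(err);
@@ -109,18 +118,14 @@ class MongoDBAWS extends AuthProvider {
 path: '/',
 body
 },
-{
-accessKeyId: username,
-secretAccessKey: password,
-token
-}
+awsCredentials
 );
 
 const authorization = options.headers.Authorization;
 const date = options.headers['X-Amz-Date'];
 const payload = { a: authorization, d: date };
-if (token) {
-payload.t = token;
+if (sessionToken) {
+payload.t = sessionToken;
 }
 
 const saslContinue = {
@@ -164,6 +169,7 @@ function makeTempCredentials(credentials, callback) {
 if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
 request(
 `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`,
+undefined,
 (err, res) => {
 if (err) return callback(err);
 done(res);
@@ -215,11 +221,6 @@ function deriveRegion(host) {
 }
 
 function request(uri, options, callback) {
-if (typeof options === 'function') {
-callback = options;
-options = {};
-}
-
 options = Object.assign(
 {
 method: 'GET',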
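Review bot: `payload.t` is still gated on `sessionToken` alone, while the signing call now receives `awsCredentials`, which drops the token whenever `accessKeyId` or `secretAccessKey` is falsy. With a partial credential set the handshake would send a session token that was not part of the signed credentials, and the signer (its name is above the second hunk) is handed `undefined`; if that signer falls back to ambient credentials, the request is signed with keys the caller did not supply. Gating the payload on what was actually signed keeps the two in step: `if (awsCredentials && awsCredentials.sessionToken) { payload.t = awsCredentials.sessionToken; }`. Rejecting a half-supplied key pair through `callback` before `crypto.randomBytes` would be stricter still.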
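--- a/test/functional/mongodb_aws.test.js
+++ b/test/functional/mongodb_aws.test.js
@@ -40,4 +40,13 @@ describe('MONGODB-AWS', function() {
 });
 });
 });
+
+it('should allow empty string in authMechanismProperties.AWS_SESSION_TOKEN to override AWS_SESSION_TOKEN environment variable', function() {
+const client = this.configuration.newClient(this.configuration.url(), {
+authMechanismProperties: { AWS_SESSION_TOKEN: '' }
+});
+expect(client)
+.to.have.nested.property('options.credentials.mechanismProperties.AWS_SESSION_TOKEN')
+.that.equals('');
+});
 });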
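Review bot: The new test never sets `process.env.AWS_SESSION_TOKEN`, so it only exercises the override when that variable happens to be present where the suite runs; with the variable unset, the assertion also holds against the old truthiness check. Assigning a constructed value such as `process.env.AWS_SESSION_TOKEN = 'constructed-token';` before `newClient`, and restoring the previous value in an `afterEach` or `finally`, would make the regression deterministic. Whether an enclosing hook already sets the variable is not visible in this hunk.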
