From 5902b4c13a977c659af94b1fbcbcfbe5e7ca4db4 Mon Sep 17 00:00:00 2001 From: Neal Beeken Date: Fri, 27 Aug 2021 12:09:39 -0400 Subject: [PATCH] fix(NODE-3487): check for nullish aws mechanism property (#2957) --- lib/core/auth/mongo_credentials.js | 5 ++++- lib/core/auth/mongodb_aws.js | 31 +++++++++++++++-------------- test/functional/mongodb_aws.test.js | 9 +++++++++ 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/lib/core/auth/mongo_credentials.js b/lib/core/auth/mongo_credentials.js index 090969e540..82f02518fb 100644 --- a/lib/core/auth/mongo_credentials.js +++ b/lib/core/auth/mongo_credentials.js @@ -58,7 +58,10 @@ class MongoCredentials { this.password = process.env.AWS_SECRET_ACCESS_KEY; } - if (!this.mechanismProperties.AWS_SESSION_TOKEN && process.env.AWS_SESSION_TOKEN) { + if ( + this.mechanismProperties.AWS_SESSION_TOKEN == null && + process.env.AWS_SESSION_TOKEN != null + ) { this.mechanismProperties.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN; } } diff --git a/lib/core/auth/mongodb_aws.js b/lib/core/auth/mongodb_aws.js index 492b573e61..6fcf3f31f1 100644 --- a/lib/core/auth/mongodb_aws.js +++ b/lib/core/auth/mongodb_aws.js @@ -51,12 +51,21 @@ class MongoDBAWS extends AuthProvider { return; } - const username = credentials.username; - const password = credentials.password; const db = credentials.source; - const token = credentials.mechanismProperties.AWS_SESSION_TOKEN; const bson = this.bson; + const accessKeyId = credentials.username; + const secretAccessKey = credentials.password; + const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN; + + // If all three defined, include sessionToken, else include username and pass, else no credentials + const awsCredentials = + accessKeyId && secretAccessKey && sessionToken + ? { accessKeyId, secretAccessKey, sessionToken } + : accessKeyId && secretAccessKey + ? { accessKeyId, secretAccessKey } + : undefined; + crypto.randomBytes(32, (err, nonce) => { if (err) { callback(err); @@ -109,18 +118,14 @@ class MongoDBAWS extends AuthProvider { path: '/', body }, - { - accessKeyId: username, - secretAccessKey: password, - token - } + awsCredentials ); const authorization = options.headers.Authorization; const date = options.headers['X-Amz-Date']; const payload = { a: authorization, d: date }; - if (token) { - payload.t = token; + if (sessionToken) { + payload.t = sessionToken; } const saslContinue = { @@ -164,6 +169,7 @@ function makeTempCredentials(credentials, callback) { if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) { request( `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`, + undefined, (err, res) => { if (err) return callback(err); done(res); @@ -215,11 +221,6 @@ function deriveRegion(host) { } function request(uri, options, callback) { - if (typeof options === 'function') { - callback = options; - options = {}; - } - options = Object.assign( { method: 'GET', diff --git a/test/functional/mongodb_aws.test.js b/test/functional/mongodb_aws.test.js index ce0b025a86..09336dbf5b 100644 --- a/test/functional/mongodb_aws.test.js +++ b/test/functional/mongodb_aws.test.js @@ -40,4 +40,13 @@ describe('MONGODB-AWS', function() { }); }); }); + + it('should allow empty string in authMechanismProperties.AWS_SESSION_TOKEN to override AWS_SESSION_TOKEN environment variable', function() { + const client = this.configuration.newClient(this.configuration.url(), { + authMechanismProperties: { AWS_SESSION_TOKEN: '' } + }); + expect(client) + .to.have.nested.property('options.credentials.mechanismProperties.AWS_SESSION_TOKEN') + .that.equals(''); + }); });