CSHARP-4168: Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS. (#862)

Author: DmitryLukyanov

evergreen/set-temp-fle-aws-creds.sh

@@ -29,10 +29,11 @@ echo "Triggering temporary CSFLE credentials"
 
 get_creds() {
     $PYTHON - "$@" << 'EOF'
+import sys
 import boto3
 client = boto3.client("sts")
 credentials = client.get_session_token()["Credentials"]
-print (credentials["AccessKeyId"] + " " + credentials["SecretAccessKey"] + " " + credentials["SessionToken"])
+sys.stdout.write(credentials["AccessKeyId"] + " " + credentials["SecretAccessKey"] + " " + credentials["SessionToken"])
 EOF
 }
 

src/MongoDB.Driver.Core/Core/Authentication/MongoAWSAuthenticator.cs

@@ -23,7 +23,6 @@
 using MongoDB.Bson.Serialization;
 using MongoDB.Driver.Core.Connections;
 using MongoDB.Driver.Core.Misc;
-using MongoDB.Shared;
 
 namespace MongoDB.Driver.Core.Authentication
 {
@@ -32,6 +31,73 @@ namespace MongoDB.Driver.Core.Authentication
     /// </summary>
     public class MongoAWSAuthenticator : SaslAuthenticator
     {
+        internal static class ExternalAuthenticator
+        {
+            public static AwsCredentials CreateAwsCredentialsFromExternalSource(string subject = "MONGODB-AWS authentication") =>
+               CreateAwsCredentialsFromExternalSourceAsync(subject).GetAwaiter().GetResult();
+
+            public static async Task<AwsCredentials> CreateAwsCredentialsFromExternalSourceAsync(string subject = "MONGODB-AWS authentication") =>
+                CreateAwsCredentialsFromEnvironmentVariables(subject) ??
+                (await CreateAwsCredentialsFromEcsResponseAsync().ConfigureAwait(false)) ??
+                (await CreateAwsCredentialsFromEc2ResponseAsync().ConfigureAwait(false)) ??
+                throw new InvalidOperationException($"Unable to find credentials for {subject}.");
+
+            // private methods
+            private static AwsCredentials CreateAwsCredentialsFromEnvironmentVariables(string subject)
+            {
+                var accessKeyId = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID");
+                var secretAccessKey = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
+                var sessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN");
+
+                if (accessKeyId == null && secretAccessKey == null && sessionToken == null)
+                {
+                    return null;
+                }
+                if (secretAccessKey != null && accessKeyId == null)
+                {
+                    throw new InvalidOperationException($"When using {subject} if a secret access key is provided via environment variables then an access key ID must be provided also.");
+                }
+                if (accessKeyId != null && secretAccessKey == null)
+                {
+                    throw new InvalidOperationException($"When using {subject} if an access key ID is provided via environment variables then a secret access key must be provided also.");
+                }
+                if (sessionToken != null && (accessKeyId == null || secretAccessKey == null))
+                {
+                    throw new InvalidOperationException($"When using {subject} if a session token is provided via environment variables then an access key ID and a secret access key must be provided also.");
+                }
+
+                return new AwsCredentials(accessKeyId, SecureStringHelper.ToSecureString(secretAccessKey), sessionToken);
+            }
+
+            private static async Task<AwsCredentials> CreateAwsCredentialsFromEcsResponseAsync()
+            {
+                var relativeUri = Environment.GetEnvironmentVariable("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
+                if (relativeUri == null)
+                {
+                    return null;
+                }
+
+                var response = await AwsHttpClientHelper.GetECSResponseAsync(relativeUri).ConfigureAwait(false);
+                return CreateAwsCreadentialsFromAwsResponse(response);
+            }
+
+            private static async Task<AwsCredentials> CreateAwsCredentialsFromEc2ResponseAsync()
+            {
+                var response = await AwsHttpClientHelper.GetEC2ResponseAsync().ConfigureAwait(false);
+                return CreateAwsCreadentialsFromAwsResponse(response);
+            }
+
+            private static AwsCredentials CreateAwsCreadentialsFromAwsResponse(string awsResponse)
+            {
+                var parsedResponse = BsonDocument.Parse(awsResponse);
+                var accessKeyId = parsedResponse.GetValue("AccessKeyId", null)?.AsString;
+                var secretAccessKey = parsedResponse.GetValue("SecretAccessKey", null)?.AsString;
+                var sessionToken = parsedResponse.GetValue("Token", null)?.AsString;
+
+                return new AwsCredentials(accessKeyId, SecureStringHelper.ToSecureString(secretAccessKey), sessionToken);
+            }
+        }
+
         // constants
         private const int ClientNonceLength = 32;
 
@@ -72,14 +138,7 @@ private static MongoAWSMechanism CreateMechanism(
         {
             var awsCredentials =
                 CreateAwsCredentialsFromMongoCredentials(username, password, properties) ??
-                CreateAwsCredentialsFromEnvironmentVariables() ??
-                CreateAwsCredentialsFromEcsResponse() ??
-                CreateAwsCredentialsFromEc2Response();
-
-            if (awsCredentials == null)
-            {
-                throw new InvalidOperationException("Unable to find credentials for MONGODB-AWS authentication.");
-            }
+                ExternalAuthenticator.CreateAwsCredentialsFromExternalSource();
 
             return new MongoAWSMechanism(awsCredentials, randomByteGenerator, clock);
         }
@@ -109,60 +168,6 @@ private static AwsCredentials CreateAwsCredentialsFromMongoCredentials(string us
             return new AwsCredentials(accessKeyId: username, secretAccessKey: password, sessionToken);
         }
 
-        private static AwsCredentials CreateAwsCredentialsFromEnvironmentVariables()
-        {
-            var accessKeyId = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID");
-            var secretAccessKey = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
-            var sessionToken = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN");
-
-            if (accessKeyId == null && secretAccessKey == null && sessionToken == null)
-            {
-                return null;
-            }
-            if (secretAccessKey != null && accessKeyId == null)
-            {
-                throw new InvalidOperationException("When using MONGODB-AWS authentication if a secret access key is provided via environment variables then an access key ID must be provided also.");
-            }
-            if (accessKeyId != null && secretAccessKey == null)
-            {
-                throw new InvalidOperationException("When using MONGODB-AWS authentication if an access key ID is provided via environment variables then a secret access key must be provided also.");
-            }
-            if (sessionToken != null && (accessKeyId == null || secretAccessKey == null))
-            {
-                throw new InvalidOperationException("When using MONGODB-AWS authentication if a session token is provided via environment variables then an access key ID and a secret access key must be provided also.");
-            }
-
-            return new AwsCredentials(accessKeyId, SecureStringHelper.ToSecureString(secretAccessKey), sessionToken);
-        }
-
-        private static AwsCredentials CreateAwsCredentialsFromEcsResponse()
-        {
-            var relativeUri = Environment.GetEnvironmentVariable("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
-            if (relativeUri == null)
-            {
-                return null;
-            }
-
-            var response = AwsHttpClientHelper.GetECSResponseAsync(relativeUri).GetAwaiter().GetResult();
-            var parsedResponse = BsonDocument.Parse(response);
-            var accessKeyId = parsedResponse.GetValue("AccessKeyId", null)?.AsString;
-            var secretAccessKey = parsedResponse.GetValue("SecretAccessKey", null)?.AsString;
-            var sessionToken = parsedResponse.GetValue("Token", null)?.AsString;
-
-            return new AwsCredentials(accessKeyId, SecureStringHelper.ToSecureString(secretAccessKey), sessionToken);
-        }
-
-        private static AwsCredentials CreateAwsCredentialsFromEc2Response()
-        {
-            var response = AwsHttpClientHelper.GetEC2ResponseAsync().GetAwaiter().GetResult();
-            var parsedResponse = BsonDocument.Parse(response);
-            var accessKeyId = parsedResponse.GetValue("AccessKeyId", null)?.AsString;
-            var secretAccessKey = parsedResponse.GetValue("SecretAccessKey", null)?.AsString;
-            var sessionToken = parsedResponse.GetValue("Token", null)?.AsString;
-
-            return new AwsCredentials(accessKeyId, SecureStringHelper.ToSecureString(secretAccessKey), sessionToken);
-        }
-
         private static string ExtractSessionTokenFromMechanismProperties(IEnumerable<KeyValuePair<string, string>> properties)
         {
             if (properties != null)
@@ -272,7 +277,7 @@ public override string DatabaseName
         }
 
         // nested classes
-        private class AwsCredentials
+        internal class AwsCredentials
         {
             private readonly string _accessKeyId;
             private readonly SecureString _secretAccessKey;
@@ -288,6 +293,14 @@ public AwsCredentials(string accessKeyId, SecureString secretAccessKey, string s
             public string AccessKeyId => _accessKeyId;
             public SecureString SecretAccessKey => _secretAccessKey;
             public string SessionToken => _sessionToken;
+
+            public BsonDocument ConvertToKmsCredentials() =>
+                new BsonDocument
+                {
+                    { "accessKeyId", _accessKeyId },
+                    { "secretAccessKey", SecureStringHelper.ToInsecureString(_secretAccessKey) },
+                    { "sessionToken", _sessionToken, _sessionToken != null }
+                };
         }
 
         private static class AwsHttpClientHelper

src/MongoDB.Driver.Core/MongoDB.Driver.Core.csproj

@@ -56,8 +56,8 @@
   <ItemGroup>
     <PackageReference Include="DnsClient" Version="1.6.1" />
     <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="2.6.2" PrivateAssets="All" />
+    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.6.0" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="2.0.0" />
-    <PackageReference Include="MongoDB.Libmongocrypt" Version="1.5.5" />
     <PackageReference Include="SharpCompress" Version="0.30.1" />
     <PackageReference Include="Snappier" Version="1.0.0" />
     <PackageReference Include="ZstdSharp.Port" Version="0.6.2" />

src/MongoDB.Driver/Encryption/AutoEncryptionLibMongoController.cs

@@ -19,7 +19,6 @@
 using System.Threading;
 using System.Threading.Tasks;
 using MongoDB.Bson;
-using MongoDB.Driver.Core.Misc;
 using MongoDB.Driver.Core.Servers;
 using MongoDB.Driver.Core.WireProtocol;
 using MongoDB.Libmongocrypt;
@@ -66,11 +65,7 @@ private AutoEncryptionLibMongoCryptController(
             IMongoClient metadataClient,
             CryptClient cryptClient,
             AutoEncryptionOptions autoEncryptionOptions)
-            : base(
-                  Ensure.IsNotNull(cryptClient, nameof(cryptClient)),
-                  Ensure.IsNotNull(keyVaultClient, nameof(keyVaultClient)),
-                  Ensure.IsNotNull(Ensure.IsNotNull(autoEncryptionOptions, nameof(autoEncryptionOptions)).KeyVaultNamespace, nameof(autoEncryptionOptions.KeyVaultNamespace)),
-                  Ensure.IsNotNull(Ensure.IsNotNull(autoEncryptionOptions, nameof(autoEncryptionOptions)).TlsOptions, nameof(autoEncryptionOptions.TlsOptions)))
+            : base(cryptClient, keyVaultClient, autoEncryptionOptions)
         {
             _internalClient = internalClient; // can be null
             _metadataClient = metadataClient; // can be null

src/MongoDB.Driver/Encryption/AutoEncryptionOptions.cs

@@ -30,7 +30,7 @@ namespace MongoDB.Driver.Encryption
     /// <summary>
     /// Auto encryption options.
     /// </summary>
-    public class AutoEncryptionOptions
+    public class AutoEncryptionOptions : IEncryptionOptions
     {
         // private fields
         private readonly bool _bypassAutoEncryption;

src/MongoDB.Driver/Encryption/ClientEncryptionOptions.cs

@@ -21,7 +21,7 @@ namespace MongoDB.Driver.Encryption
     /// <summary>
     /// Client encryption options.
     /// </summary>
-    public class ClientEncryptionOptions
+    public class ClientEncryptionOptions : IEncryptionOptions
     {
         // private fields
         private readonly IMongoClient _keyVaultClient;

src/MongoDB.Driver/Encryption/ExplicitEncryptionLibMongoCryptController.cs

@@ -19,7 +19,6 @@
 using System.Threading;
 using System.Threading.Tasks;
 using MongoDB.Bson;
-using MongoDB.Bson.IO;
 using MongoDB.Bson.Serialization;
 using MongoDB.Driver.Core.Misc;
 using MongoDB.Libmongocrypt;
@@ -32,11 +31,9 @@ internal sealed class ExplicitEncryptionLibMongoCryptController : LibMongoCryptC
         public ExplicitEncryptionLibMongoCryptController(
             CryptClient cryptClient,
             ClientEncryptionOptions clientEncryptionOptions)
-            : base(
-                  Ensure.IsNotNull(cryptClient, nameof(cryptClient)),
+            : base(cryptClient,
                   Ensure.IsNotNull(Ensure.IsNotNull(clientEncryptionOptions, nameof(clientEncryptionOptions)).KeyVaultClient, nameof(clientEncryptionOptions.KeyVaultClient)),
-                  Ensure.IsNotNull(Ensure.IsNotNull(clientEncryptionOptions, nameof(clientEncryptionOptions)).KeyVaultNamespace, nameof(clientEncryptionOptions.KeyVaultNamespace)),
-                  Ensure.IsNotNull(Ensure.IsNotNull(clientEncryptionOptions, nameof(clientEncryptionOptions)).TlsOptions, nameof(clientEncryptionOptions.TlsOptions)))
+                  clientEncryptionOptions)
         {
         }
 
@@ -547,23 +544,6 @@ private BsonValue RenderFilter(FilterDefinition<BsonDocument> filter)
             return filter.Render(serializer, registry);
         }
 
-        private byte[] ToBsonIfNotNull(BsonValue value)
-        {
-            if (value != null)
-            {
-                var writerSettings = BsonBinaryWriterSettings.Defaults.Clone();
-#pragma warning disable 618
-                if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2)
-                {
-                    writerSettings.GuidRepresentation = GuidRepresentation.Unspecified;
-                }
-#pragma warning restore 618
-                return value.ToBson(writerSettings: writerSettings);
-            }
-
-            return null;
-        }
-
         private Guid UnwrapKeyId(RawBsonDocument wrappedKeyDocument)
         {
             var keyId = wrappedKeyDocument["_id"].AsBsonBinaryData;

src/MongoDB.Driver/Encryption/IEncryptionOptions.cs

@@ -0,0 +1,28 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System.Collections.Generic;
+
+namespace MongoDB.Driver.Encryption
+{
+    internal interface IEncryptionOptions
+    {
+        CollectionNamespace KeyVaultNamespace { get; }
+
+        IReadOnlyDictionary<string, IReadOnlyDictionary<string, object>> KmsProviders { get; }
+
+        IReadOnlyDictionary<string, SslSettings> TlsOptions { get; }
+    }
+}