GODRIVER-2410 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS. (#1143)

Author: qingyang-hu

.evergreen/config.yml

@@ -2028,6 +2028,50 @@ tasks:
             EXPECT_ERROR='unable to retrieve GCP credentials' \
               ./testgcpkms
 
+  - name: "testawskms-task"
+    commands:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        shell: "bash"
+        script: |
+          ${PREPARE_SHELL}
+          echo "Building build-awskms-test ... begin"
+          BUILD_TAGS="-tags cse" \
+          PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
+            make build-awskms-test
+          echo "Building build-awskms-test ... end"
+
+          export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}"
+          export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}"
+
+          LD_LIBRARY_PATH=./install/libmongocrypt/lib \
+          MONGODB_URI='${atlas_free_tier_uri}' \
+            ./testawskms
+
+  - name: "testawskms-fail-task"
+    # testawskms-fail-task runs without environment variables.
+    # It is expected to fail to obtain credentials.
+    commands:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        shell: "bash"
+        script: |
+          ${PREPARE_SHELL}
+          echo "Building build-awskms-test ... begin"
+          BUILD_TAGS="-tags cse" \
+          PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
+            make build-awskms-test
+          echo "Building build-awskms-test ... end"
+
+          LD_LIBRARY_PATH=./install/libmongocrypt/lib \
+          MONGODB_URI='${atlas_free_tier_uri}' \
+          EXPECT_ERROR='unable to retrieve AWS credentials' \
+            ./testawskms
+
   - name: "test-fuzz"
     commands:
       - func: bootstrap-mongo-orchestration
@@ -2444,3 +2488,13 @@ buildvariants:
       - name: testgcpkms_task_group
         batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README
       - testgcpkms-fail-task
+
+  - name: testawskms-variant
+    display_name: "AWS KMS"
+    run_on:
+      - debian11-small
+    expansions:
+      GO_DIST: "/opt/golang/go1.18"
+    tasks:
+      - testawskms-task
+      - testawskms-fail-task

Makefile

@@ -174,6 +174,10 @@ evg-test-versioned-api:
 build-gcpkms-test:
 	go build $(BUILD_TAGS) ./cmd/testgcpkms
 
+.PHONY: build-awskms-test
+build-awskms-test:
+	go build $(BUILD_TAGS) ./cmd/testawskms
+
 ### Benchmark specific targets and support. ###
 .PHONY: benchmark
 benchmark:perf

cmd/testawskms/main.go

@@ -0,0 +1,67 @@
+// Copyright (C) MongoDB, Inc. 2022-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+func main() {
+	uri := os.Getenv("MONGODB_URI")
+	// expecterror is an expect error substring. Set to empty string to expect no error.
+	expecterror := os.Getenv("EXPECT_ERROR")
+
+	if uri == "" {
+		fmt.Println("ERROR: Please set required MONGODB_URI environment variable.")
+		fmt.Println("The following environment variables are understood:")
+		fmt.Println("- MONGODB_URI as a MongoDB URI. Example: 'mongodb://localhost:27017'")
+		fmt.Println("- EXPECT_ERROR as an optional expected error substring.")
+		os.Exit(1)
+	}
+
+	cOpts := options.Client().ApplyURI(uri)
+	keyVaultClient, err := mongo.Connect(context.Background(), cOpts)
+	if err != nil {
+		panic(fmt.Sprintf("Connect error: %v", err))
+	}
+	defer keyVaultClient.Disconnect(context.Background())
+
+	kmsProvidersMap := map[string]map[string]interface{}{
+		"aws": {},
+	}
+	ceOpts := options.ClientEncryption().SetKmsProviders(kmsProvidersMap).SetKeyVaultNamespace("keyvault.datakeys")
+	ce, err := mongo.NewClientEncryption(keyVaultClient, ceOpts)
+	if err != nil {
+		panic(fmt.Sprintf("Error in NewClientEncryption: %v", err))
+	}
+	defer ce.Close(context.Background())
+
+	dkOpts := options.DataKey().SetMasterKey(bson.M{
+		"region": "us-east-1",
+		"key":    "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+	})
+	_, err = ce.CreateDataKey(context.Background(), "aws", dkOpts)
+	if expecterror == "" {
+		if err != nil {
+			panic(fmt.Sprintf("Expected success, but got error in CreateDataKey: %v", err))
+		}
+	} else {
+		if err == nil {
+			panic(fmt.Sprintf("Expected error message to contain %q, but got no error", expecterror))
+		}
+		if !strings.Contains(err.Error(), expecterror) {
+			panic(fmt.Sprintf("Expected error message to contain %q, but got %q", expecterror, err.Error()))
+		}
+	}
+}

x/mongo/driver/auth/aws_conv.go

@@ -11,12 +11,9 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
-	"os"
 	"strings"
 	"time"
 
@@ -36,35 +33,23 @@ const (
 )
 
 type awsConversation struct {
-	state      clientState
-	valid      bool
-	nonce      []byte
-	username   string
-	password   string
-	token      string
-	httpClient *http.Client
+	state    clientState
+	valid    bool
+	nonce    []byte
+	provider interface {
+		getCredentials(ctx context.Context) (*awsv4.StaticProvider, error)
+	}
 }
 
 type serverMessage struct {
 	Nonce primitive.Binary `bson:"s"`
 	Host  string           `bson:"h"`
 }
 
-type ecsResponse struct {
-	AccessKeyID     string `json:"AccessKeyId"`
-	SecretAccessKey string `json:"SecretAccessKey"`
-	Token           string `json:"Token"`
-}
-
 const (
 	amzDateFormat       = "20060102T150405Z"
-	awsRelativeURI      = "http://169.254.170.2/"
-	awsEC2URI           = "http://169.254.169.254/"
-	awsEC2RolePath      = "latest/meta-data/iam/security-credentials/"
-	awsEC2TokenPath     = "latest/api/token"
 	defaultRegion       = "us-east-1"
 	maxHostLength       = 255
-	defaultHTTPTimeout  = 10 * time.Second
 	responceNonceLength = 64
 )
 
@@ -128,149 +113,6 @@ func getRegion(host string) (string, error) {
 	return region, nil
 }
 
-func (ac *awsConversation) validateAndMakeCredentials() (*awsv4.StaticProvider, error) {
-	if ac.username != "" && ac.password == "" {
-		return nil, errors.New("ACCESS_KEY_ID is set, but SECRET_ACCESS_KEY is missing")
-	}
-	if ac.username == "" && ac.password != "" {
-		return nil, errors.New("SECRET_ACCESS_KEY is set, but ACCESS_KEY_ID is missing")
-	}
-	if ac.username == "" && ac.password == "" && ac.token != "" {
-		return nil, errors.New("AWS_SESSION_TOKEN is set, but ACCESS_KEY_ID and SECRET_ACCESS_KEY are missing")
-	}
-	if ac.username != "" || ac.password != "" || ac.token != "" {
-		return &awsv4.StaticProvider{Value: awsv4.Value{
-			AccessKeyID:     ac.username,
-			SecretAccessKey: ac.password,
-			SessionToken:    ac.token,
-		}}, nil
-	}
-	return nil, nil
-}
-
-func executeAWSHTTPRequest(httpClient *http.Client, req *http.Request) ([]byte, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), defaultHTTPTimeout)
-	defer cancel()
-	resp, err := httpClient.Do(req.WithContext(ctx))
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return ioutil.ReadAll(resp.Body)
-}
-
-func (ac *awsConversation) getEC2Credentials() (*awsv4.StaticProvider, error) {
-	// get token
-	req, err := http.NewRequest("PUT", awsEC2URI+awsEC2TokenPath, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", "30")
-
-	token, err := executeAWSHTTPRequest(ac.httpClient, req)
-	if err != nil {
-		return nil, err
-	}
-	if len(token) == 0 {
-		return nil, errors.New("unable to retrieve token from EC2 metadata")
-	}
-	tokenStr := string(token)
-
-	// get role name
-	req, err = http.NewRequest("GET", awsEC2URI+awsEC2RolePath, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("X-aws-ec2-metadata-token", tokenStr)
-
-	role, err := executeAWSHTTPRequest(ac.httpClient, req)
-	if err != nil {
-		return nil, err
-	}
-	if len(role) == 0 {
-		return nil, errors.New("unable to retrieve role_name from EC2 metadata")
-	}
-
-	// get credentials
-	pathWithRole := awsEC2URI + awsEC2RolePath + string(role)
-	req, err = http.NewRequest("GET", pathWithRole, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("X-aws-ec2-metadata-token", tokenStr)
-	creds, err := executeAWSHTTPRequest(ac.httpClient, req)
-	if err != nil {
-		return nil, err
-	}
-
-	var es2Resp ecsResponse
-	err = json.Unmarshal(creds, &es2Resp)
-	if err != nil {
-		return nil, err
-	}
-	ac.username = es2Resp.AccessKeyID
-	ac.password = es2Resp.SecretAccessKey
-	ac.token = es2Resp.Token
-
-	return ac.validateAndMakeCredentials()
-}
-
-func (ac *awsConversation) getCredentials() (*awsv4.StaticProvider, error) {
-	// Credentials passed through URI
-	creds, err := ac.validateAndMakeCredentials()
-	if creds != nil || err != nil {
-		return creds, err
-	}
-
-	// Credentials from environment variables
-	ac.username = os.Getenv("AWS_ACCESS_KEY_ID")
-	ac.password = os.Getenv("AWS_SECRET_ACCESS_KEY")
-	ac.token = os.Getenv("AWS_SESSION_TOKEN")
-
-	creds, err = ac.validateAndMakeCredentials()
-	if creds != nil || err != nil {
-		return creds, err
-	}
-
-	// Credentials from ECS metadata
-	relativeEcsURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
-	if len(relativeEcsURI) > 0 {
-		fullURI := awsRelativeURI + relativeEcsURI
-
-		req, err := http.NewRequest("GET", fullURI, nil)
-		if err != nil {
-			return nil, err
-		}
-
-		body, err := executeAWSHTTPRequest(ac.httpClient, req)
-		if err != nil {
-			return nil, err
-		}
-
-		var espResp ecsResponse
-		err = json.Unmarshal(body, &espResp)
-		if err != nil {
-			return nil, err
-		}
-		ac.username = espResp.AccessKeyID
-		ac.password = espResp.SecretAccessKey
-		ac.token = espResp.Token
-
-		creds, err = ac.validateAndMakeCredentials()
-		if creds != nil || err != nil {
-			return creds, err
-		}
-	}
-
-	// Credentials from EC2 metadata
-	creds, err = ac.getEC2Credentials()
-	if creds == nil && err == nil {
-		return nil, errors.New("unable to get credentials")
-	}
-	return creds, err
-}
-
 func (ac *awsConversation) firstMsg() []byte {
 	// Values are cached for use in final message parameters
 	ac.nonce = make([]byte, 32)
@@ -306,7 +148,7 @@ func (ac *awsConversation) finalMsg(s1 []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	creds, err := ac.getCredentials()
+	creds, err := ac.provider.getCredentials(context.Background())
 	if err != nil {
 		return nil, err
 	}
@@ -320,8 +162,8 @@ func (ac *awsConversation) finalMsg(s1 []byte) ([]byte, error) {
 	req.Header.Set("Content-Length", "43")
 	req.Host = sm.Host
 	req.Header.Set("X-Amz-Date", currentTime.Format(amzDateFormat))
-	if len(ac.token) > 0 {
-		req.Header.Set("X-Amz-Security-Token", ac.token)
+	if len(creds.Value.SessionToken) > 0 {
+		req.Header.Set("X-Amz-Security-Token", creds.Value.SessionToken)
 	}
 	req.Header.Set("X-MongoDB-Server-Nonce", base64.StdEncoding.EncodeToString(sm.Nonce.Data))
 	req.Header.Set("X-MongoDB-GS2-CB-Flag", "n")
@@ -339,8 +181,8 @@ func (ac *awsConversation) finalMsg(s1 []byte) ([]byte, error) {
 	idx, msg := bsoncore.AppendDocumentStart(nil)
 	msg = bsoncore.AppendStringElement(msg, "a", req.Header.Get("Authorization"))
 	msg = bsoncore.AppendStringElement(msg, "d", req.Header.Get("X-Amz-Date"))
-	if len(ac.token) > 0 {
-		msg = bsoncore.AppendStringElement(msg, "t", ac.token)
+	if len(creds.Value.SessionToken) > 0 {
+		msg = bsoncore.AppendStringElement(msg, "t", creds.Value.SessionToken)
 	}
 	msg, _ = bsoncore.AppendDocumentEnd(msg, idx)