GODRIVER-3567 Fill in mongoaws skeleton

Author: prestonvasquez

etc/run-mongodb-aws-test.sh

@@ -31,5 +31,5 @@ set -x
 
 # For Go 1.16+, Go builds requires a go.mod file in the current working directory or a parent
 # directory. Spawn a new subshell, "cd" to the project directory, then run "go run".
-(cd ${PROJECT_DIRECTORY} && go run "./internal/cmd/testaws/main.go" | tee test.suite)
-(cd ${PROJECT_DIRECTORY} && go test "./internal/cmd/testmongoaws/main.go" -v | tee test.suite)
+#(cd ${PROJECT_DIRECTORY} && go run "./internal/cmd/testaws/main.go" | tee test.suite)
+(cd ${PROJECT_DIRECTORY} && go test "./internal/test/mongoaws" -v | tee test.suite)

x/mongo/driver/auth/mongoaws/go.mod

@@ -2,9 +2,24 @@ module go.mongodb.org/mongo-driver/v2/x/mongo/driver/auth/mongoaws
 
 go 1.23
 
-require go.mongodb.org/mongo-driver/v2 v2.2.1
+require (
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.14
+	go.mongodb.org/mongo-driver/v2 v2.2.1
+)
 
 require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/golang/snappy v1.0.0 // indirect
 	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect

x/mongo/driver/auth/mongoaws/go.sum

@@ -1,3 +1,29 @@
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=

x/mongo/driver/auth/mongoaws/mongoaws.go

@@ -1,27 +1,59 @@
 package mongoaws
 
 import (
+	"bytes"
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"errors"
+	"fmt"
 	"net/http"
+	"strings"
+	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awsv4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"go.mongodb.org/mongo-driver/v2/bson"
+	"go.mongodb.org/mongo-driver/v2/x/bsonx/bsoncore"
 	"go.mongodb.org/mongo-driver/v2/x/mongo/driver"
 	"go.mongodb.org/mongo-driver/v2/x/mongo/driver/auth"
 )
 
-const sourceExternal = "$external"
+const (
+	sourceExternal      = "$external"
+	responceNonceLength = 64
+	amzDateFormat       = "20060102T150405Z"
+	awsSessionToken     = "AWS_SESSION_TOKEN"
+	defaultRegion       = "us-east-1"
+	maxHostLength       = 255
+)
 
 // Authenticator is an authenticator that uses the AWS SDK rather than the
 // lightweight AWS package used internally by the driver.
-type Authenticator struct{}
+type Authenticator struct {
+	userCred *auth.Cred    // MongoDB TLS credentials with AWS keys
+	awsCfg   aws.Config    // AWS SDK config
+	signer   *awsv4.Signer // SigV4 signer
+}
 
 var _ driver.Authenticator = (*Authenticator)(nil)
 
 // NewAuthenticator creates a new AWS SDK authenticator. It loads the AWS
 // SDK config (honoring AWS_STS_REGIONAL_ENDPOINTS & AWS_REGION) and returns an
 // Authenticator that uses it.
-func NewAuthenticator(*auth.Cred, *http.Client) (driver.Authenticator, error) {
-	return &Authenticator{}, nil
+func NewAuthenticator(cred *auth.Cred, _ *http.Client) (driver.Authenticator, error) {
+	// Load AWS SDK config from environment variables / credentials files.
+	awsCfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion("us-east-1"))
+	if err != nil {
+		return nil, fmt.Errorf("failed to load AWS SDK config: %w", err)
+	}
+
+	return &Authenticator{
+		userCred: cred,
+		awsCfg:   awsCfg,
+		signer:   awsv4.NewSigner(),
+	}, nil
 }
 
 var _ auth.AuthenticatorFactory = NewAuthenticator
@@ -30,7 +62,11 @@ var _ auth.AuthenticatorFactory = NewAuthenticator
 // uses the AWS SDK for singing.
 func (a *Authenticator) Auth(ctx context.Context, cfg *driver.AuthConfig) error {
 	// Build a SASL adapter that uses AWS SDK for signing.
-	adapter := &awsSdkSaslClient{}
+	adapter := &awsSdkSaslClient{
+		userCred: a.userCred,
+		awsCfg:   a.awsCfg,
+		signer:   a.signer,
+	}
 
 	return auth.ConductSaslConversation(ctx, cfg, sourceExternal, adapter)
 }
@@ -40,25 +76,142 @@ func (a *Authenticator) Reauth(context.Context, *driver.AuthConfig) error {
 	return errors.New("AWS reauthentication not supported")
 }
 
+type conversationState uint8
+
+const (
+	conversationStateStart       conversationState = 1 // before sending anything.
+	conversationStateServerFirst conversationState = 2 // after sending client-first, awaiting server reply.
+	conversationStateDone        conversationState = 3 // after sending client-final.
+)
+
 // awsSdkSaslClient is a SASL client that uses the AWS SDK for signing.
-type awsSdkSaslClient struct{}
+type awsSdkSaslClient struct {
+	state    conversationState // handshake state machine
+	nonce    []byte            // client nonce
+	userCred *auth.Cred        // MongoDB TLS credentials with AWS keys
+	awsCfg   aws.Config        // AWS SDK config
+	signer   *awsv4.Signer     // SigV4 signer
+}
 
 var _ auth.SaslClient = (*awsSdkSaslClient)(nil)
 
 // Start will create the client-first SASL message.
 // { p: 110, r: <32-byte nonce>}; per the current Go Driver behavior.
-func (a *awsSdkSaslClient) Start() (string, []byte, error) {
-	return "", nil, nil
+func (client *awsSdkSaslClient) Start() (string, []byte, error) {
+	client.state = conversationStateServerFirst
+	client.nonce = make([]byte, 32)
+	_, _ = rand.Read(client.nonce)
+
+	idx, msg := bsoncore.AppendDocumentStart(nil)
+	msg = bsoncore.AppendInt32Element(msg, "p", 110)
+	msg = bsoncore.AppendBinaryElement(msg, "r", 0x00, client.nonce)
+	msg, _ = bsoncore.AppendDocumentEnd(msg, idx)
+
+	return auth.MongoDBAWS, msg, nil
+}
+
+func getRegion(host string) (string, error) {
+	region := defaultRegion
+
+	if len(host) == 0 {
+		return "", errors.New("invalid STS host: empty")
+	}
+	if len(host) > maxHostLength {
+		return "", errors.New("invalid STS host: too large")
+	}
+	// The implicit region for sts.amazonaws.com is us-east-1
+	if host == "sts.amazonaws.com" {
+		return region, nil
+	}
+	if strings.HasPrefix(host, ".") || strings.HasSuffix(host, ".") || strings.Contains(host, "..") {
+		return "", errors.New("invalid STS host: empty part")
+	}
+
+	// If the host has multiple parts, the second part is the region
+	parts := strings.Split(host, ".")
+	if len(parts) >= 2 {
+		region = parts[1]
+	}
+
+	return region, nil
 }
 
 // Next handles the server's "server-first" message, then builds and returns the
 // "client-final" payload containing the SigV4-signed STS GetCallerIdentity
 // request.
-func (a *awsSdkSaslClient) Next(ctx context.Context, challenge []byte) ([]byte, error) {
+func (client *awsSdkSaslClient) Next(ctx context.Context, challenge []byte) ([]byte, error) {
+	if client.state != conversationStateServerFirst {
+		return nil, fmt.Errorf("invalid state: %v", client.state)
+	}
+	client.state = conversationStateDone
+
+	// Unmarhal the server's BSON: { s: <server nonce>, h: "<sts host>"}
+	var sm struct {
+		Nonce bson.Binary `bson:"s"`
+		Host  string      `bson:"h"`
+	}
+
+	if err := bson.Unmarshal(challenge, &sm); err != nil {
+		return nil, err
+	}
+
+	// Check nonce prefix
+	if sm.Nonce.Subtype != 0x00 {
+		return nil, errors.New("server reply contained unexpected binary subtype")
+	}
+
+	if len(sm.Nonce.Data) != responceNonceLength {
+		return nil, fmt.Errorf("server reply nonce was not %v bytes", responceNonceLength)
+	}
+
+	if !bytes.HasPrefix(sm.Nonce.Data, client.nonce) {
+		return nil, errors.New("server nonce did not extend client nonce")
+	}
+
+	currentTime := time.Now().UTC()
+	body := "Action=GetCallerIdentity&Version=2011-06-15"
+
+	// Create http.Request
+	req, _ := http.NewRequest("POST", "/", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Content-Length", "43")
+	req.Host = sm.Host
+	req.Header.Set("X-Amz-Date", currentTime.Format(amzDateFormat))
+
+	// Include session token if present.
+	if tok := client.userCred.Props[awsSessionToken]; tok != "" {
+		req.Header.Set("X-Amz-Security-Token", tok)
+	}
+
+	req.Header.Set("X-MongoDB-Server-Nonce", base64.StdEncoding.EncodeToString(sm.Nonce.Data))
+	req.Header.Set("X-MongoDB-GS2-CB-Flag", "n")
+
+	// Retrieve AWS creds and sign the request using AWS SDK v4.
+	creds, err := client.awsCfg.Credentials.Retrieve(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve AWS credentials: %w", err)
+	}
+
+	// Create signer with credentials
+	err = client.signer.SignHTTP(ctx, creds, req, body, "sts", sm.Host, currentTime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign request: %w", err)
+	}
+
+	// create message
+	// { a: Authorization, d: X-Amz-Date, t: X-Amz-Security-Token }
+	idx, msg := bsoncore.AppendDocumentStart(nil)
+	msg = bsoncore.AppendStringElement(msg, "a", req.Header.Get("Authorization"))
+	msg = bsoncore.AppendStringElement(msg, "d", req.Header.Get("X-Amz-Date"))
+	if tok := req.Header.Get("X-Amz-Security-Token"); tok != "" {
+		msg = bsoncore.AppendStringElement(msg, "t", tok)
+	}
+	msg, _ = bsoncore.AppendDocumentEnd(msg, idx)
+
 	return nil, nil
 }
 
 // complete signals that the SASL conversation is done.
-func (a *awsSdkSaslClient) Completed() bool {
-	return false
+func (client *awsSdkSaslClient) Completed() bool {
+	return client.state == conversationStateDone
 }