test: prose tests

Author: durran

.evergreen/config.in.yml

@@ -548,6 +548,21 @@ functions:
         args:
           - .evergreen/prepare-mongodb-aws-ecs-auth.sh
 
+  "run aws custom credential providers test":
+    - command: subprocess.exec
+      type: test
+      params:
+        include_expansions_in_env:
+          - MONGODB_URI
+          - DRIVERS_TOOLS
+          - MONGODB_AWS_SDK
+        env:
+          AWS_CREDENTIAL_TYPE: env-creds
+        working_dir: "src"
+        binary: bash
+        args:
+          - .evergreen/run-aws-custom-credential-providers-test.sh
+
   "run custom csfle tests":
     - command: subprocess.exec
       type: test

.evergreen/config.yml

@@ -485,6 +485,20 @@ functions:
         binary: bash
         args:
           - .evergreen/prepare-mongodb-aws-ecs-auth.sh
+  run aws custom credential providers test:
+    - command: subprocess.exec
+      type: test
+      params:
+        include_expansions_in_env:
+          - MONGODB_URI
+          - DRIVERS_TOOLS
+          - MONGODB_AWS_SDK
+        env:
+          AWS_CREDENTIAL_TYPE: env-creds
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/run-aws-custom-credential-providers-test.sh
   run custom csfle tests:
     - command: subprocess.exec
       type: test
@@ -1797,6 +1811,21 @@ tasks:
       - func: bootstrap mongo-orchestration
       - func: assume secrets manager rule
       - func: run aws auth test AssumeRoleWithWebIdentity with AWS_ROLE_SESSION_NAME set
+  - name: aws-latest-auth-test-run-aws-custom-credential-providers-test
+    commands:
+      - command: expansions.update
+        type: setup
+        params:
+          updates:
+            - {key: VERSION, value: latest}
+            - {key: AUTH, value: auth}
+            - {key: ORCHESTRATION_FILE, value: auth-aws.json}
+            - {key: TOPOLOGY, value: server}
+            - {key: MONGODB_AWS_SDK, value: 'true'}
+      - func: install dependencies
+      - func: bootstrap mongo-orchestration
+      - func: assume secrets manager rule
+      - func: run aws custom credential providers test
   - name: aws-latest-auth-test-run-aws-auth-test-with-regular-aws-credentials-no-peer-dependencies
     commands:
       - command: expansions.update
@@ -3688,6 +3717,7 @@ buildvariants:
       - aws-latest-auth-test-run-aws-ECS-auth-test
       - aws-latest-auth-test-run-aws-auth-test-AssumeRoleWithWebIdentity-with-AWS_ROLE_SESSION_NAME-unset
       - aws-latest-auth-test-run-aws-auth-test-AssumeRoleWithWebIdentity-with-AWS_ROLE_SESSION_NAME-set
+      - aws-latest-auth-test-run-aws-custom-credential-providers-test
       - aws-latest-auth-test-run-aws-auth-test-with-regular-aws-credentials-no-peer-dependencies
       - aws-latest-auth-test-run-aws-auth-test-with-assume-role-credentials-no-peer-dependencies
       - aws-latest-auth-test-run-aws-auth-test-with-aws-credentials-as-environment-variables-no-peer-dependencies

.evergreen/generate_evergreen_tasks.js

@@ -351,6 +351,10 @@ for (const VERSION of AWS_AUTH_VERSIONS) {
     {
       func: 'run aws auth test AssumeRoleWithWebIdentity with AWS_ROLE_SESSION_NAME set',
       onlySdk: true
+    },
+    {
+      func: 'run aws custom credential providers test',
+      onlySdk: true
     }
   ];
 

.evergreen/run-aws-custom-credential-providers-test.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# set -o xtrace   # Write all commands first to stderr
+set -o errexit # Exit the script with error if any of the commands fail
+
+MONGODB_URI=${MONGODB_URI:-}
+
+source .evergreen/setup-mongodb-aws-auth-tests.sh
+
+# load node.js environment
+source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
+
+export TEST_CSFLE=true
+
+npx mocha --config test/mocha_mongodb.js test/integration/client-side-encryption/client_side_encryption.prose.25.custon_aws_credential_providers.test.ts

src/deps.ts

@@ -85,7 +85,7 @@ export function getZstdLibrary(): ZStandardLib | { kModuleError: MongoMissingDep
 export interface AWSCredentials {
   accessKeyId: string;
   secretAccessKey: string;
-  sessionToken: string;
+  sessionToken?: string;
   expiration?: Date;
 }
 

test/integration/client-side-encryption/client_side_encryption.prose.25.custom_aws_credential_providers.test.ts

@@ -0,0 +1,111 @@
+import { expect } from 'chai';
+
+/* eslint-disable @typescript-eslint/no-restricted-imports */
+import { ClientEncryption } from '../../../src/client-side-encryption/client_encryption';
+import { AWSTemporaryCredentialProvider, Binary } from '../../mongodb';
+
+const metadata: MongoDBMetadataUI = {
+  requires: {
+    clientSideEncryption: true
+  }
+} as const;
+
+const masterKey = {
+  region: 'us-east-1',
+  key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
+  endpoint: '127.0.0.1:9002'
+};
+
+const isMongoDBAWSAuthEnvironment = (process.env.MONGODB_URI ?? '').includes('MONGODB-AWS');
+
+describe('25. Custom AWS Credential Providers', metadata, () => {
+  let keyVaultClient;
+  let credentialProvider;
+
+  beforeEach(async function () {
+    this.currentTest.skipReason = !isMongoDBAWSAuthEnvironment
+      ? 'Test must run in an AWS auth testing environment'
+      : !AWSTemporaryCredentialProvider.isAWSSDKInstalled
+        ? 'This test must run in an environment where the AWS SDK is installed.'
+        : undefined;
+    this.currentTest?.skipReason && this.skip();
+
+    keyVaultClient = this.configuration.newClient(process.env.MONGODB_UR);
+    // @ts-expect-error We intentionally access a protected variable.
+    credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+  });
+
+  afterEach(async () => {
+    await keyVaultClient?.close();
+  });
+
+  context(
+    'Case 1: Explicit encryption with credentials and custom credential provider',
+    function () {
+      it('throws an error', function () {
+        expect(() => {
+          new ClientEncryption(keyVaultClient, {
+            keyVaultNamespace: 'keyvault.datakeys',
+            kmsProviders: {
+              aws: {
+                accessKeyId: process.env.FLE_AWS_KEY,
+                secretAccessKey: process.env.FLE_AWS_SECRET
+              }
+            },
+            credentialProviders: { aws: credentialProvider.fromNodeProviderChain() }
+          });
+        }).to.throw();
+      });
+    }
+  );
+
+  context('Case 2: Explicit encryption with custom credential provider', function () {
+    let clientEncryption;
+
+    beforeEach(function () {
+      clientEncryption = new ClientEncryption(keyVaultClient, {
+        keyVaultNamespace: 'keyvault.datakeys',
+        kmsProviders: { aws: {} },
+        credentialProviders: { aws: credentialProvider.fromNodeProviderChain() }
+      });
+    });
+
+    it('is successful', async function () {
+      const dk = await clientEncryption.createDataKey('aws', masterKey);
+      expect(dk).to.be.instanceOf(Binary);
+    });
+  });
+
+  context('Case 3: Automatic encryption with different custom providers', function () {
+    let client;
+
+    beforeEach(function () {
+      client = this.configuration.newClient(process.env.MONGODB_URI, {
+        authMechanismProperties: {
+          AWS_CREDENTIAL_PROVIDER: credentialProvider.fromNodeProviderChain()
+        },
+        autoEncryption: {
+          keyVaultNamespace: 'keyvault.datakeys',
+          kmsProviders: { aws: {} },
+          credentialProviders: {
+            aws: async () => {
+              return {
+                accessKeyId: process.env.FLE_AWS_KEY,
+                secretAccessKey: process.env.FLE_AWS_SECRET
+              };
+            }
+          }
+        }
+      });
+    });
+
+    afterEach(async function () {
+      await client?.close();
+    });
+
+    it('is successful', async function () {
+      const result = await client.db('test').collection('test').insertOne({ n: 1 });
+      expect(result.ok).to.equal(1);
+    });
+  });
+});