chore: comments

durran · durran · commit 307b3f86ae75 · 2025-09-18T15:42:13.000+02:00
diff --git a/src/cmap/auth/aws_temporary_credentials.ts b/src/cmap/auth/aws_temporary_credentials.ts
@@ -19,47 +19,33 @@ export interface AWSTempCredentials {
 /** @public **/
 export type AWSCredentialProvider = () => Promise<AWSCredentials>;
 
-/**
- * @internal
- *
- * Fetches temporary AWS credentials.
- */
-export abstract class AWSTemporaryCredentialProvider {
-  abstract getCredentials(): Promise<AWSTempCredentials>;
-  private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
-  static get awsSDK() {
-    AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
-    return AWSTemporaryCredentialProvider._awsSDK;
-  }
-
-  static get isAWSSDKInstalled(): boolean {
-    return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
-  }
-}
-
 /** @internal */
-export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
+export class AWSSDKCredentialProvider {
+  private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
   private _provider?: AWSCredentialProvider;
 
   /**
    * Create the SDK credentials provider.
    * @param credentialsProvider - The credentials provider.
    */
   constructor(credentialsProvider?: AWSCredentialProvider) {
-    super();
-
     if (credentialsProvider) {
       this._provider = credentialsProvider;
     }
   }
 
+  static get awsSDK() {
+    AWSSDKCredentialProvider._awsSDK ??= getAwsCredentialProvider();
+    return AWSSDKCredentialProvider._awsSDK;
+  }
+
   /**
    * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
    * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
    */
   private get provider(): () => Promise<AWSCredentials> {
-    if ('kModuleError' in AWSTemporaryCredentialProvider.awsSDK) {
-      throw AWSTemporaryCredentialProvider.awsSDK.kModuleError;
+    if ('kModuleError' in AWSSDKCredentialProvider.awsSDK) {
+      throw AWSSDKCredentialProvider.awsSDK.kModuleError;
     }
     if (this._provider) {
       return this._provider;
@@ -107,15 +93,15 @@ export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
 
     this._provider =
       awsRegionSettingsExist && useRegionalSts
-        ? AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain({
+        ? AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain({
             clientConfig: { region: AWS_REGION }
           })
-        : AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain();
+        : AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain();
 
     return this._provider;
   }
 
-  override async getCredentials(): Promise<AWSTempCredentials> {
+  async getCredentials(): Promise<AWSTempCredentials> {
     /*
      * Creates a credential provider that will attempt to find credentials from the
      * following sources (listed in order of precedence):
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
@@ -11,8 +11,7 @@ import { type AuthContext, AuthProvider } from './auth_provider';
 import {
   type AWSCredentialProvider,
   AWSSDKCredentialProvider,
-  type AWSTempCredentials,
-  type AWSTemporaryCredentialProvider
+  type AWSTempCredentials
 } from './aws_temporary_credentials';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
@@ -33,13 +32,10 @@ interface AWSSaslContinuePayload {
 }
 
 export class MongoDBAWS extends AuthProvider {
-  private credentialFetcher: AWSTemporaryCredentialProvider;
-  private credentialProvider?: AWSCredentialProvider;
+  private credentialFetcher: AWSSDKCredentialProvider;
 
   constructor(credentialProvider?: AWSCredentialProvider) {
     super();
-
-    this.credentialProvider = credentialProvider;
     this.credentialFetcher = new AWSSDKCredentialProvider(credentialProvider);
   }
 
@@ -159,7 +155,7 @@ export class MongoDBAWS extends AuthProvider {
 
 async function makeTempCredentials(
   credentials: MongoCredentials,
-  awsCredentialFetcher: AWSTemporaryCredentialProvider
+  awsCredentialFetcher: AWSSDKCredentialProvider
 ): Promise<MongoCredentials> {
   function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
     // The AWS session token (creds.Token) may or may not be set.
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
@@ -8,7 +8,7 @@ import * as sinon from 'sinon';
 // eslint-disable-next-line @typescript-eslint/no-restricted-imports
 import { refreshKMSCredentials } from '../../../src/client-side-encryption/providers';
 import {
-  AWSTemporaryCredentialProvider,
+  AWSSDKCredentialProvider,
   type CommandOptions,
   Connection,
   type Document,
@@ -41,7 +41,7 @@ describe('MONGODB-AWS', function () {
 
   context('when the AWS SDK is not present', function () {
     beforeEach(function () {
-      AWSTemporaryCredentialProvider.awsSDK['kModuleError'] = new MongoMissingDependencyError(
+      AWSSDKCredentialProvider.awsSDK['kModuleError'] = new MongoMissingDependencyError(
         'Missing dependency @aws-sdk/credential-providers',
         {
           cause: new Error(),
@@ -51,7 +51,7 @@ describe('MONGODB-AWS', function () {
     });
 
     afterEach(function () {
-      delete AWSTemporaryCredentialProvider.awsSDK['kModuleError'];
+      delete AWSSDKCredentialProvider.awsSDK['kModuleError'];
     });
 
     describe('when attempting AWS auth', function () {
@@ -176,7 +176,7 @@ describe('MONGODB-AWS', function () {
       });
 
       it('authenticates with a user provided credentials provider', async function () {
-        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        const credentialProvider = AWSSDKCredentialProvider.awsSDK;
         const provider = async () => {
           providerCount++;
           return await credentialProvider.fromNodeProviderChain().apply();
@@ -389,7 +389,7 @@ describe('MONGODB-AWS', function () {
             return this.skip();
           }
 
-          credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+          credentialProvider = AWSSDKCredentialProvider.awsSDK;
 
           storedEnv = process.env;
           if (test.env.AWS_STS_REGIONAL_ENDPOINTS === undefined) {
@@ -461,46 +461,78 @@ describe('MONGODB-AWS', function () {
   });
 
   describe('AWS KMS Credential Fetching', function () {
-    context('when a credential provider is not provided', function () {
-      it('KMS credentials are successfully fetched.', async function () {
-        const { aws } = await refreshKMSCredentials({ aws: {} });
+    context('when the AWS SDK is not installed', function () {
+      beforeEach(function () {
+        AWSSDKCredentialProvider.awsSDK['kModuleError'] = new MongoMissingDependencyError(
+          'Missing dependency @aws-sdk/credential-providers',
+          {
+            cause: new Error(),
+            dependencyName: '@aws-sdk/credential-providers'
+          }
+        );
+      });
 
-        expect(aws).to.have.property('accessKeyId');
-        expect(aws).to.have.property('secretAccessKey');
+      afterEach(function () {
+        delete AWSSDKCredentialProvider.awsSDK['kModuleError'];
+      });
+
+      it('fetching AWS KMS credentials throws an error', async function () {
+        const result = await refreshKMSCredentials({ aws: {} }).catch(e => e);
+
+        // TODO(NODE-7046): Remove branch when removing support for AWS credentials in URI.
+        // The drivers tools scripts put the credentials in the URI currently for some environments,
+        // this will need to change when doing the DRIVERS-3131 work.
+        if (!client.options.credentials.username) {
+          expect(result).to.be.instanceof(MongoAWSError);
+          expect(result.message).to.match(/credential-providers/);
+        } else {
+          expect(result).to.equal(0);
+        }
       });
     });
 
-    context('when a credential provider is provided', function () {
-      let credentialProvider;
-      let providerCount = 0;
+    context('when the AWS SDK is installed', function () {
+      context('when a credential provider is not provided', function () {
+        it('KMS credentials are successfully fetched.', async function () {
+          const { aws } = await refreshKMSCredentials({ aws: {} });
 
-      beforeEach(function () {
-        const provider = AWSTemporaryCredentialProvider.awsSDK;
-        credentialProvider = async () => {
-          providerCount++;
-          return await provider.fromNodeProviderChain().apply();
-        };
+          expect(aws).to.have.property('accessKeyId');
+          expect(aws).to.have.property('secretAccessKey');
+        });
       });
 
-      it('KMS credentials are successfully fetched.', async function () {
-        const { aws } = await refreshKMSCredentials({ aws: {} }, { aws: credentialProvider });
+      context('when a credential provider is provided', function () {
+        let credentialProvider;
+        let providerCount = 0;
 
-        expect(aws).to.have.property('accessKeyId');
-        expect(aws).to.have.property('secretAccessKey');
-        expect(providerCount).to.be.greaterThan(0);
+        beforeEach(function () {
+          const provider = AWSSDKCredentialProvider.awsSDK;
+          credentialProvider = async () => {
+            providerCount++;
+            return await provider.fromNodeProviderChain().apply();
+          };
+        });
+
+        it('KMS credentials are successfully fetched.', async function () {
+          const { aws } = await refreshKMSCredentials({ aws: {} }, { aws: credentialProvider });
+
+          expect(aws).to.have.property('accessKeyId');
+          expect(aws).to.have.property('secretAccessKey');
+          expect(providerCount).to.be.greaterThan(0);
+        });
       });
-    });
 
-    it('does not return any extra keys for the `aws` credential provider', async function () {
-      const { aws } = await refreshKMSCredentials({ aws: {} });
+      it('does not return any extra keys for the `aws` credential provider', async function () {
+        const { aws } = await refreshKMSCredentials({ aws: {} });
 
-      const keys = new Set(Object.keys(aws ?? {}));
-      const allowedKeys = ['accessKeyId', 'secretAccessKey', 'sessionToken'];
+        const keys = new Set(Object.keys(aws ?? {}));
+        const allowedKeys = ['accessKeyId', 'secretAccessKey', 'sessionToken'];
 
-      expect(
-        Array.from(setDifference(keys, allowedKeys)),
-        'received an unexpected key in the response refreshing KMS credentials'
-      ).to.deep.equal([]);
+        expect(
+          Array.from(setDifference(keys, allowedKeys)),
+          'received an unexpected key in the response refreshing KMS credentials'
+        ).to.deep.equal([]);
+      });
     });
   });
 });
