chore: comments

Author: durran

src/client-side-encryption/auto_encrypter.ts

@@ -247,12 +247,9 @@ export class AutoEncrypter {
     this._kmsProviders = options.kmsProviders || {};
     this._credentialProviders = options.credentialProviders;
 
-    if (
-      options.credentialProviders?.aws &&
-      !isEmptyCredentials('aws', options.kmsProviders || {})
-    ) {
+    if (options.credentialProviders?.aws && !isEmptyCredentials('aws', this._kmsProviders)) {
       throw new MongoCryptInvalidArgumentError(
-        'Cannot provide both a custom credential provider and credentials. Please specify one or the other.'
+        'Can only provide a custom AWS credential provider when the state machine is configured for automatic AWS credential fetching'
       );
     }
 

src/client-side-encryption/client_encryption.ts

@@ -132,12 +132,9 @@ export class ClientEncryption {
     this._timeoutMS = timeoutMS;
     this._credentialProviders = options.credentialProviders;
 
-    if (
-      options.credentialProviders?.aws &&
-      !isEmptyCredentials('aws', options.kmsProviders || {})
-    ) {
+    if (options.credentialProviders?.aws && !isEmptyCredentials('aws', this._kmsProviders)) {
       throw new MongoCryptInvalidArgumentError(
-        'Cannot provide both a custom credential provider and credentials. Please specify one or the other.'
+        'Can only provide a custom AWS credential provider when the state machine is configured for automatic AWS credential fetching'
       );
     }
 

test/integration/auth/mongodb_aws.test.ts

@@ -468,7 +468,7 @@ describe('AWS KMS Credential Fetching', function () {
       this.currentTest?.skipReason && this.skip();
     });
 
-    context('when a credential provider is not providered', function () {
+    context('when a credential provider is not provided', function () {
       it('KMS credentials are successfully fetched.', async function () {
         const { aws } = await refreshKMSCredentials({ aws: {} });
 
@@ -479,20 +479,23 @@ describe('AWS KMS Credential Fetching', function () {
 
     context('when a credential provider is provided', function () {
       let credentialProvider;
+      let providerCount = 0;
 
       beforeEach(function () {
         // @ts-expect-error We intentionally access a protected variable.
-        credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        const provider = AWSTemporaryCredentialProvider.awsSDK;
+        credentialProvider = async () => {
+          providerCount++;
+          return await provider.fromNodeProviderChain().apply();
+        };
       });
 
       it('KMS credentials are successfully fetched.', async function () {
-        const { aws } = await refreshKMSCredentials(
-          { aws: {} },
-          { aws: credentialProvider.fromNodeProviderChain() }
-        );
+        const { aws } = await refreshKMSCredentials({ aws: {} }, { aws: credentialProvider });
 
         expect(aws).to.have.property('accessKeyId');
         expect(aws).to.have.property('secretAccessKey');
+        expect(providerCount).to.be.greaterThan(0);
       });
     });
 

test/integration/client-side-encryption/client_side_encryption.prose.26.custom_aws_credential_providers.test.ts

@@ -18,7 +18,7 @@ const masterKey = {
   key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0'
 };
 
-describe('25. Custom AWS Credential Providers', metadata, () => {
+describe('26. Custom AWS Credential Providers', metadata, () => {
   let keyVaultClient;
   let credentialProvider;
 

test/integration/client-side-encryption/driver.test.ts

@@ -50,67 +50,6 @@ describe('Client Side Encryption Functional', function () {
   const keyVaultCollName = 'datakeys';
   const keyVaultNamespace = `${keyVaultDbName}.${keyVaultCollName}`;
 
-  describe('ClientEncryption', metadata, function () {
-    describe('#constructor', function () {
-      context('when a custom credential provider and credentials are provided', function () {
-        let client;
-
-        before(function () {
-          client = this.configuration.newClient({});
-        });
-
-        it('throws an error', function () {
-          expect(() => {
-            new ClientEncryption(client, {
-              keyVaultNamespace: 'test.keyvault',
-              kmsProviders: {
-                aws: { secretAccessKey: 'test', accessKeyId: 'test' }
-              },
-              credentialProviders: {
-                aws: async () => {
-                  return {
-                    sessionToken: 'test',
-                    secretAccessKey: 'test',
-                    accessKeyId: 'test'
-                  };
-                }
-              }
-            });
-          }).to.throw(/custom credential provider and credentials/);
-        });
-      });
-    });
-  });
-
-  describe('AutoEncrypter', metadata, function () {
-    context('when a custom credential provider and credentials are provided', function () {
-      it('throws an error', function () {
-        expect(() => {
-          this.configuration.newClient(
-            {},
-            {
-              autoEncryption: {
-                keyVaultNamespace: 'test.keyvault',
-                kmsProviders: {
-                  aws: { secretAccessKey: 'test', accessKeyId: 'test' }
-                },
-                credentialProviders: {
-                  aws: async () => {
-                    return {
-                      sessionToken: 'test',
-                      secretAccessKey: 'test',
-                      accessKeyId: 'test'
-                    };
-                  }
-                }
-              }
-            }
-          );
-        }).to.throw(/custom credential provider and credentials/);
-      });
-    });
-  });
-
   describe('Collection', metadata, function () {
     describe('#bulkWrite()', metadata, function () {
       context('when encryption errors', function () {