feat(NODE-7047): use custom credential provider first

durran · durran · commit 8271c1f9b859 · 2025-09-19T13:54:18.000+02:00
diff --git a/test/integration/auth/mongodb_aws.test.ts b/test/integration/auth/mongodb_aws.test.ts
@@ -8,6 +8,7 @@ import * as sinon from 'sinon';
 // eslint-disable-next-line @typescript-eslint/no-restricted-imports
 import { refreshKMSCredentials } from '../../../src/client-side-encryption/providers';
 import {
+  type AWSCredentials,
   AWSTemporaryCredentialProvider,
   type CommandOptions,
   Connection,
@@ -136,29 +137,27 @@ describe('MONGODB-AWS', function () {
     });
   });
 
-  context('when user supplies a credentials provider', function () {
+  context('1. Custom Credential Provider Authenticates', function () {
     let providerCount = 0;
+    let provider;
 
     beforeEach(function () {
       if (!awsSdkPresent) {
         this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
         return this.skip();
       }
-      // If we have a username the credentials have been set from the URI, options, or environment
-      // variables per the auth spec stated order.
-      if (client.options.credentials.username) {
-        this.skipReason = 'Credentials in the URI on env variables will not use custom provider.';
+      if (client?.options.credentials.username) {
+        this.skipReason = 'only relevant when no credentials are in the URI';
         return this.skip();
       }
-    });
-
-    it('authenticates with a user provided credentials provider', async function () {
-      // @ts-expect-error We intentionally access a protected variable.
       const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
-      const provider = async () => {
+      provider = async () => {
         providerCount++;
         return await credentialProvider.fromNodeProviderChain().apply();
       };
+    });
+
+    it('authenticates with a user provided credentials provider', async function () {
       client = this.configuration.newClient(process.env.MONGODB_URI, {
         authMechanismProperties: {
           AWS_CREDENTIAL_PROVIDER: provider
@@ -177,6 +176,90 @@ describe('MONGODB-AWS', function () {
     });
   });
 
+  context('2. Custom Credential Provider Authentication Precedence', function () {
+    context('Case 1: Credentials in URI Take Precedence', function () {
+      let providerCount = 0;
+      let provider;
+
+      beforeEach(function () {
+        if (!awsSdkPresent) {
+          this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
+          return this.skip();
+        }
+        console.log(client?.options);
+        if (!client?.options.credentials.username) {
+          this.skipReason = 'Test only runs when credentials are present in the URI';
+          return this.skip();
+        }
+        // @ts-expect-error We intentionally access a protected variable.
+        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        provider = async () => {
+          providerCount++;
+          return await credentialProvider.fromNodeProviderChain().apply();
+        };
+      });
+
+      it('authenticates with a user provided credentials provider', async function () {
+        console.log(process.env);
+        client = this.configuration.newClient(process.env.MONGODB_URI, {
+          authMechanismProperties: {
+            AWS_CREDENTIAL_PROVIDER: provider
+          }
+        });
+
+        const result = await client
+          .db('aws')
+          .collection('aws_test')
+          .estimatedDocumentCount()
+          .catch(error => error);
+
+        expect(result).to.not.be.instanceOf(MongoServerError);
+        expect(result).to.be.a('number');
+        expect(providerCount).to.equal(0);
+      });
+    });
+
+    context('Case 2: Custom Provider Takes Precedence Over Environment Variables', function () {
+      let providerCount = 0;
+      let provider;
+
+      beforeEach(function () {
+        if (!awsSdkPresent) {
+          this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
+          return this.skip();
+        }
+        if (client?.options.credentials.username || !process.env.AWS_ACCESS_KEY_ID) {
+          this.skipReason = 'Test only runs when credentials are present in the environment';
+          return this.skip();
+        }
+        // @ts-expect-error We intentionally access a protected variable.
+        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        provider = async () => {
+          providerCount++;
+          return await credentialProvider.fromNodeProviderChain().apply();
+        };
+      });
+
+      it('authenticates with a user provided credentials provider', async function () {
+        client = this.configuration.newClient(process.env.MONGODB_URI, {
+          authMechanismProperties: {
+            AWS_CREDENTIAL_PROVIDER: provider
+          }
+        });
+
+        const result = await client
+          .db('aws')
+          .collection('aws_test')
+          .estimatedDocumentCount()
+          .catch(error => error);
+
+        expect(result).to.not.be.instanceOf(MongoServerError);
+        expect(result).to.be.a('number');
+        expect(providerCount).to.be.greaterThan(0);
+      });
+    });
+  });
+
   it('should allow empty string in authMechanismProperties.AWS_SESSION_TOKEN to override AWS_SESSION_TOKEN environment variable', function () {
     client = this.configuration.newClient(this.configuration.url(), {
       authMechanismProperties: { AWS_SESSION_TOKEN: '' }
diff --git a/test/integration/client-side-encryption/client_side_encryption.prose.26.custom_aws_credential_providers.test.ts b/test/integration/client-side-encryption/client_side_encryption.prose.26.custom_aws_credential_providers.test.ts
@@ -108,4 +108,49 @@ describe('26. Custom AWS Credential Providers', metadata, () => {
       });
     }
   );
+
+  context(
+    'ClientEncryption with credentialProviders and valid environment variables',
+    metadata,
+    function () {
+      let clientEncryption;
+      let providerCount = 0;
+      let previousAccessKey;
+      let previousSecretKey;
+
+      beforeEach(function () {
+        previousAccessKey = process.env.AWS_ACCESS_KEY_ID;
+        previousSecretKey = process.env.AWS_SECRET_ACCESS_KEY;
+        process.env.AWS_ACCESS_KEY_ID = process.env.FLE_AWS_KEY;
+        process.env.AWS_SECRET_ACCESS_KEY = process.env.FLE_AWS_SECRET;
+
+        const options = {
+          keyVaultNamespace: 'keyvault.datakeys',
+          kmsProviders: { aws: {} },
+          credentialProviders: {
+            aws: async () => {
+              providerCount++;
+              return {
+                accessKeyId: process.env.FLE_AWS_KEY,
+                secretAccessKey: process.env.FLE_AWS_SECRET
+              };
+            }
+          },
+          extraOptions: getEncryptExtraOptions()
+        };
+        clientEncryption = new ClientEncryption(keyVaultClient, options);
+      });
+
+      afterEach(function () {
+        process.env.AWS_ACCESS_KEY_ID = previousAccessKey;
+        process.env.AWS_SECRET_ACCESS_KEY = previousSecretKey;
+      });
+
+      it('is successful', metadata, async function () {
+        const dk = await clientEncryption.createDataKey('aws', { masterKey });
+        expect(dk).to.be.instanceOf(Binary);
+        expect(providerCount).to.be.greaterThan(0);
+      });
+    }
+  );
 });
