Commit

node_modules/mongodb/lib/client-side-encryption/providers/aws.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadAWSCredentials = loadAWSCredentials;
+const aws_temporary_credentials_1 = require("../../cmap/auth/aws_temporary_credentials");
+/**
+ * @internal
+ */
+async function loadAWSCredentials(kmsProviders, provider) {
+    const credentialProvider = new aws_temporary_credentials_1.AWSSDKCredentialProvider(provider);
+    // We shouldn't ever receive a response from the AWS SDK that doesn't have a `SecretAccessKey`
+    // or `AccessKeyId`.  However, TS says these fields are optional.  We provide empty strings
+    // and let libmongocrypt error if we're unable to fetch the required keys.
+    const { SecretAccessKey = '', AccessKeyId = '', Token } = await credentialProvider.getCredentials();
+    const aws = {
+        secretAccessKey: SecretAccessKey,
+        accessKeyId: AccessKeyId
+    };
+    // the AWS session token is only required for temporary credentials so only attach it to the
+    // result if it's present in the response from the aws sdk
+    Token != null && (aws.sessionToken = Token);
+    return { ...kmsProviders, aws };
+}
+//# sourceMappingURL=aws.js.map

node_modules/mongodb/lib/client-side-encryption/providers/aws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/aws.ts"],"names":[],"mappings":";;AASA,gDAuBC;AAhCD,yFAGmD;AAGnD;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,YAA0B,EAC1B,QAAgC;IAEhC,MAAM,kBAAkB,GAAG,IAAI,oDAAwB,CAAC,QAAQ,CAAC,CAAC;IAElE,8FAA8F;IAC9F,2FAA2F;IAC3F,0EAA0E;IAC1E,MAAM,EACJ,eAAe,GAAG,EAAE,EACpB,WAAW,GAAG,EAAE,EAChB,KAAK,EACN,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,CAAC;IAC9C,MAAM,GAAG,GAAqC;QAC5C,eAAe,EAAE,eAAe;QAChC,WAAW,EAAE,WAAW;KACzB,CAAC;IACF,4FAA4F;IAC5F,0DAA0D;IAC1D,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC,CAAC;IAE5C,OAAO,EAAE,GAAG,YAAY,EAAE,GAAG,EAAE,CAAC;AAClC,CAAC"}

node_modules/mongodb/lib/client-side-encryption/providers/azure.js

@@ -0,0 +1,132 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenCache = exports.AzureCredentialCache = exports.AZURE_BASE_URL = void 0;
+exports.addAzureParams = addAzureParams;
+exports.prepareRequest = prepareRequest;
+exports.fetchAzureKMSToken = fetchAzureKMSToken;
+exports.loadAzureCredentials = loadAzureCredentials;
+const error_1 = require("../../error");
+const utils_1 = require("../../utils");
+const errors_1 = require("../errors");
+const MINIMUM_TOKEN_REFRESH_IN_MILLISECONDS = 6000;
+/** Base URL for getting Azure tokens. */
+exports.AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?';
+/**
+ * @internal
+ */
+class AzureCredentialCache {
+    constructor() {
+        this.cachedToken = null;
+    }
+    async getToken() {
+        if (this.cachedToken == null || this.needsRefresh(this.cachedToken)) {
+            this.cachedToken = await this._getToken();
+        }
+        return { accessToken: this.cachedToken.accessToken };
+    }
+    needsRefresh(token) {
+        const timeUntilExpirationMS = token.expiresOnTimestamp - Date.now();
+        return timeUntilExpirationMS <= MINIMUM_TOKEN_REFRESH_IN_MILLISECONDS;
+    }
+    /**
+     * exposed for testing
+     */
+    resetCache() {
+        this.cachedToken = null;
+    }
+    /**
+     * exposed for testing
+     */
+    _getToken() {
+        return fetchAzureKMSToken();
+    }
+}
+exports.AzureCredentialCache = AzureCredentialCache;
+/** @internal */
+exports.tokenCache = new AzureCredentialCache();
+/** @internal */
+async function parseResponse(response) {
+    const { status, body: rawBody } = response;
+    const body = (() => {
+        try {
+            return JSON.parse(rawBody);
+        }
+        catch {
+            throw new errors_1.MongoCryptAzureKMSRequestError('Malformed JSON body in GET request.');
+        }
+    })();
+    if (status !== 200) {
+        throw new errors_1.MongoCryptAzureKMSRequestError('Unable to complete request.', body);
+    }
+    if (!body.access_token) {
+        throw new errors_1.MongoCryptAzureKMSRequestError('Malformed response body - missing field `access_token`.');
+    }
+    if (!body.expires_in) {
+        throw new errors_1.MongoCryptAzureKMSRequestError('Malformed response body - missing field `expires_in`.');
+    }
+    const expiresInMS = Number(body.expires_in) * 1000;
+    if (Number.isNaN(expiresInMS)) {
+        throw new errors_1.MongoCryptAzureKMSRequestError('Malformed response body - unable to parse int from `expires_in` field.');
+    }
+    return {
+        accessToken: body.access_token,
+        expiresOnTimestamp: Date.now() + expiresInMS
+    };
+}
+/**
+ * @internal
+ * Get the Azure endpoint URL.
+ */
+function addAzureParams(url, resource, username) {
+    url.searchParams.append('api-version', '2018-02-01');
+    url.searchParams.append('resource', resource);
+    if (username) {
+        url.searchParams.append('client_id', username);
+    }
+    return url;
+}
+/**
+ * @internal
+ *
+ * parses any options provided by prose tests to `fetchAzureKMSToken` and merges them with
+ * the default values for headers and the request url.
+ */
+function prepareRequest(options) {
+    const url = new URL(options.url?.toString() ?? exports.AZURE_BASE_URL);
+    addAzureParams(url, 'https://vault.azure.net');
+    const headers = { ...options.headers, 'Content-Type': 'application/json', Metadata: true };
+    return { headers, url };
+}
+/**
+ * @internal
+ *
+ * `AzureKMSRequestOptions` allows prose tests to modify the http request sent to the idms
+ * servers.  This is required to simulate different server conditions.  No options are expected to
+ * be set outside of tests.
+ *
+ * exposed for CSFLE
+ * [prose test 18](https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#azure-imds-credentials)
+ */
+async function fetchAzureKMSToken(options = {}) {
+    const { headers, url } = prepareRequest(options);
+    try {
+        const response = await (0, utils_1.get)(url, { headers });
+        return await parseResponse(response);
+    }
+    catch (error) {
+        if (error instanceof error_1.MongoNetworkTimeoutError) {
+            throw new errors_1.MongoCryptAzureKMSRequestError(`[Azure KMS] ${error.message}`);
+        }
+        throw error;
+    }
+}
+/**
+ * @internal
+ *
+ * @throws Will reject with a `MongoCryptError` if the http request fails or the http response is malformed.
+ */
+async function loadAzureCredentials(kmsProviders) {
+    const azure = await exports.tokenCache.getToken();
+    return { ...kmsProviders, azure };
+}
+//# sourceMappingURL=azure.js.map

node_modules/mongodb/lib/client-side-encryption/providers/azure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/azure.ts"],"names":[],"mappings":";;;AA0HA,wCAOC;AAQD,wCAQC;AAYD,gDAaC;AAOD,oDAGC;AAnLD,uCAAuD;AACvD,uCAAkC;AAClC,sCAA2D;AAG3D,MAAM,qCAAqC,GAAG,IAAI,CAAC;AACnD,yCAAyC;AAC5B,QAAA,cAAc,GAAG,wDAAwD,CAAC;AAkBvF;;GAEG;AACH,MAAa,oBAAoB;IAAjC;QACE,gBAAW,GAAgC,IAAI,CAAC;IA4BlD,CAAC;IA1BC,KAAK,CAAC,QAAQ;QACZ,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACpE,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC5C,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACvD,CAAC;IAED,YAAY,CAAC,KAA2B;QACtC,MAAM,qBAAqB,GAAG,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACpE,OAAO,qBAAqB,IAAI,qCAAqC,CAAC;IACxE,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;CACF;AA7BD,oDA6BC;AAED,gBAAgB;AACH,QAAA,UAAU,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAErD,gBAAgB;AAChB,KAAK,UAAU,aAAa,CAAC,QAG5B;IACC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;IAE3C,MAAM,IAAI,GAAmD,CAAC,GAAG,EAAE;QACjE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,uCAA8B,CAAC,qCAAqC,CAAC,CAAC;QAClF,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,MAAM,IAAI,uCAA8B,CAAC,6BAA6B,EAAE,IAAI,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACvB,MAAM,IAAI,uCAA8B,CACtC,yDAAyD,CAC1D,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,MAAM,IAAI,uCAA8B,CACtC,uDAAuD,CACxD,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;IACnD,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,uCAA8B,CACtC,wEAAwE,CACzE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,kBAAkB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;KAC7C,CAAC;AACJ,CAAC;AAaD;;;GAGG;AACH,SAAgB,cAAc,CAAC,GAAQ,EAAE,QAAgB,EAAE,QAAiB;IAC1E,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACrD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC9C,IAAI,QAAQ,EAAE,CAAC;QACb,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,OAA+B;IAI5D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,sBAAc,CAAC,CAAC;IAC/D,cAAc,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3F,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,kBAAkB,CACtC,UAAkC,EAAE;IAEpC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7C,OAAO,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,gCAAwB,EAAE,CAAC;YAC9C,MAAM,IAAI,uCAA8B,CAAC,eAAe,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,oBAAoB,CAAC,YAA0B;IACnE,MAAM,KAAK,GAAG,MAAM,kBAAU,CAAC,QAAQ,EAAE,CAAC;IAC1C,OAAO,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC"}

node_modules/mongodb/lib/client-side-encryption/providers/gcp.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadGCPCredentials = loadGCPCredentials;
+const deps_1 = require("../../deps");
+/** @internal */
+async function loadGCPCredentials(kmsProviders) {
+    const gcpMetadata = (0, deps_1.getGcpMetadata)();
+    if ('kModuleError' in gcpMetadata) {
+        return kmsProviders;
+    }
+    const { access_token: accessToken } = await gcpMetadata.instance({
+        property: 'service-accounts/default/token'
+    });
+    return { ...kmsProviders, gcp: { accessToken } };
+}
+//# sourceMappingURL=gcp.js.map

node_modules/mongodb/lib/client-side-encryption/providers/gcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/gcp.ts"],"names":[],"mappings":";;AAIA,gDAWC;AAfD,qCAA4C;AAG5C,gBAAgB;AACT,KAAK,UAAU,kBAAkB,CAAC,YAA0B;IACjE,MAAM,WAAW,GAAG,IAAA,qBAAc,GAAE,CAAC;IAErC,IAAI,cAAc,IAAI,WAAW,EAAE,CAAC;QAClC,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,GAAG,MAAM,WAAW,CAAC,QAAQ,CAA2B;QACzF,QAAQ,EAAE,gCAAgC;KAC3C,CAAC,CAAC;IACH,OAAO,EAAE,GAAG,YAAY,EAAE,GAAG,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;AACnD,CAAC"}

node_modules/mongodb/lib/client-side-encryption/providers/index.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isEmptyCredentials = isEmptyCredentials;
+exports.refreshKMSCredentials = refreshKMSCredentials;
+const aws_1 = require("./aws");
+const azure_1 = require("./azure");
+const gcp_1 = require("./gcp");
+/**
+ * Auto credential fetching should only occur when the provider is defined on the kmsProviders map
+ * and the settings are an empty object.
+ *
+ * This is distinct from a nullish provider key.
+ *
+ * @internal - exposed for testing purposes only
+ */
+function isEmptyCredentials(providerName, kmsProviders) {
+    const provider = kmsProviders[providerName];
+    if (provider == null) {
+        return false;
+    }
+    return typeof provider === 'object' && Object.keys(provider).length === 0;
+}
+/**
+ * Load cloud provider credentials for the user provided KMS providers.
+ * Credentials will only attempt to get loaded if they do not exist
+ * and no existing credentials will get overwritten.
+ *
+ * @internal
+ */
+async function refreshKMSCredentials(kmsProviders, credentialProviders) {
+    let finalKMSProviders = kmsProviders;
+    if (isEmptyCredentials('aws', kmsProviders)) {
+        finalKMSProviders = await (0, aws_1.loadAWSCredentials)(finalKMSProviders, credentialProviders?.aws);
+    }
+    if (isEmptyCredentials('gcp', kmsProviders)) {
+        finalKMSProviders = await (0, gcp_1.loadGCPCredentials)(finalKMSProviders);
+    }
+    if (isEmptyCredentials('azure', kmsProviders)) {
+        finalKMSProviders = await (0, azure_1.loadAzureCredentials)(finalKMSProviders);
+    }
+    return finalKMSProviders;
+}
+//# sourceMappingURL=index.js.map

node_modules/mongodb/lib/client-side-encryption/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/index.ts"],"names":[],"mappings":";;AA0KA,gDASC;AASD,sDAkBC;AA5MD,+BAA2C;AAC3C,mCAA+C;AAC/C,+BAA2C;AA8J3C;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAChC,YAA6C,EAC7C,YAA0B;IAE1B,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAC5C,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,qBAAqB,CACzC,YAA0B,EAC1B,mBAAyC;IAEzC,IAAI,iBAAiB,GAAG,YAAY,CAAC;IAErC,IAAI,kBAAkB,CAAC,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;QAC5C,iBAAiB,GAAG,MAAM,IAAA,wBAAkB,EAAC,iBAAiB,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,IAAI,kBAAkB,CAAC,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;QAC5C,iBAAiB,GAAG,MAAM,IAAA,wBAAkB,EAAC,iBAAiB,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,CAAC;QAC9C,iBAAiB,GAAG,MAAM,IAAA,4BAAoB,EAAC,iBAAiB,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,iBAAiB,CAAC;AAC3B,CAAC"}