feat(NODE-7047)!: use custom credential provider first after URI #4656
Conversation
durran
force-pushed
the
NODE-7047
branch
2 times, most recently
from
1a59a5a to
6e98b5d
Compare
dariakp
changed the title
durran
force-pushed
the
NODE-7047
branch
3 times, most recently
from
7281459 to
8271c1f
Compare
durran
changed the title
baileympearson
added
the
Primary Review
| let provider; | ||
|
|
||
| beforeEach(function () { | ||
| console.log(client?.options); |
There was a problem hiding this comment.
stray debugging console log here and in L222?
| expect(providerCount).to.be.greaterThan(0); | ||
| beforeEach(function () { | ||
| if (client?.options.credentials.username || !process.env.AWS_ACCESS_KEY_ID) { | ||
| this.skipReason = 'Test only runs when credentials are present in the environment'; |
There was a problem hiding this comment.
"... and not the URI"? Is that what client?.options.credentials.username is testing for? If so, should there be a similar check in the case above to make sure that process.env.AWS_ACCESS_KEY_ID is not set?
There was a problem hiding this comment.
"... and not the URI"? Is that what client?.options.credentials.username is testing for?
Yup
If so, should there be a similar check in the case above to make sure that process.env.AWS_ACCESS_KEY_ID is not set?
No - URI takes precedence over everything, so it should run both when there are no credentials in the environment and when there are credentials in the environment.
|
|
||
| expect(client).to.have.nested.property('s.authProviders'); | ||
| const provider = client.s.authProviders.getOrCreateProvider('MONGODB-AWS'); | ||
| const provider = client.s.authProviders.getOrCreateProvider('MONGODB-AWS', {}); |
There was a problem hiding this comment.
what prompted this change?
| this.mechanism = options.mechanism || AuthMechanism.MONGODB_DEFAULT; | ||
| this.mechanismProperties = options.mechanismProperties || {}; | ||
|
|
||
| if (this.mechanism.match(/MONGODB-AWS/i)) { |
There was a problem hiding this comment.
Does this work because we outsource the env credential reading to the sdk as of NODE-6988 and previously we were overriding the natural order by explicitly reading in the env vars?
There was a problem hiding this comment.
Yes, reading credentials from the environment in addition to using the SDK has always been a bug (https://jira.mongodb.org/browse/NODE-6987)
| AWS_CREDENTIAL_PROVIDER: provider | ||
| } | ||
| context('2. Custom Credential Provider Authentication Precedence', function () { | ||
| context('Case 1: Credentials in URI Take Precedence', function () { |
There was a problem hiding this comment.
For all the prose tests, we usually copy the language of the prose test in the comments, so that it's easier to tell how the test implementation maps to the prose and and also to identify cases of divergence between the spec prose and the implementation (if either the prose or the implementation are updated in the future).
| }); | ||
|
|
||
| it('authenticates with a user provided credentials provider', async function () { | ||
| console.log(process.env); |
There was a problem hiding this comment.
| console.log(process.env); |
Description
Updates AWS auth to use a custom credential provider first after URI/MongoClient credentials if present.
Summary of Changes
What is the motivation for this change?
NODE-7047
Release Highlight
Custom AWS Credential Provider Takes Highest Precedence
When providing a custom AWS credential provider via the auth mechanism property
AWS_CREDENTIAL_PROVIDER, it will now take the highest precedence over any other AWS auth mechanism.Double check the following
npm run check:lint)type(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript