sigv4 implementation

Author: PavelSafronov

.evergreen/run-mongodb-aws-ecs-test.sh

@@ -13,6 +13,3 @@ source ./.evergreen/prepare-shell.sh # should not run git clone
 
 # load node.js
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
-
-# run the tests
-npm install aws4

.evergreen/setup-mongodb-aws-auth-tests.sh

@@ -22,7 +22,5 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
 
 cd $BEFORE
 
-npm install --no-save aws4
-
 # revert to show test output
 set -x

src/aws4.ts

@@ -0,0 +1,207 @@
+import * as crypto from 'node:crypto';
+import * as queryString from 'node:querystring';
+
+export interface AWS4 {
+  /**
+   * Created these inline types to better assert future usage of this API
+   * @param options - options for request
+   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
+   */
+  sign(
+    this: void,
+    options: {
+      path: '/';
+      body: string;
+      host: string;
+      method: 'POST';
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded';
+        'Content-Length': number;
+        'X-MongoDB-Server-Nonce': string;
+        'X-MongoDB-GS2-CB-Flag': 'n';
+      };
+      service: string;
+      region: string;
+    },
+    credentials:
+      | {
+          accessKeyId: string;
+          secretAccessKey: string;
+          sessionToken: string;
+        }
+      | {
+          accessKeyId: string;
+          secretAccessKey: string;
+        }
+      | undefined
+  ): {
+    headers: {
+      Authorization: string;
+      'X-Amz-Date': string;
+    };
+  };
+}
+
+export function aws4Sign(
+  this: void,
+  options: {
+    path: '/';
+    body: string;
+    host: string;
+    method: 'POST';
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded';
+      'Content-Length': number;
+      'X-MongoDB-Server-Nonce': string;
+      'X-MongoDB-GS2-CB-Flag': 'n';
+    };
+    service: string;
+    region: string;
+  },
+  credentials:
+    | {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken: string;
+      }
+    | {
+        accessKeyId: string;
+        secretAccessKey: string;
+      }
+    | undefined
+): {
+  headers: {
+    Authorization: string;
+    'X-Amz-Date': string;
+  };
+} {
+  let path: string;
+  let query: queryString.ParsedUrlQuery | undefined;
+
+  const encode = (str: string) => {
+    const encoded = encodeURIComponent(str);
+    const replaced = encoded.replace(/[!'()*]/g, function (c) {
+      return '%' + c.charCodeAt(0).toString(16).toUpperCase();
+    });
+    return replaced;
+  };
+
+  const queryIndex = options.path.indexOf('?');
+  if (queryIndex < 0) {
+    path = options.path;
+    query = undefined;
+  } else {
+    path = options.path.slice(0, queryIndex);
+    query = queryString.parse(options.path.slice(queryIndex + 1));
+  }
+
+  let canonicalQuerystring = '';
+  if (query) {
+    const isS3 = options.service === 's3';
+    const useFirstArrayValue = isS3;
+    // const decodeSlashesInPath = isS3;
+    // const decodePath = isS3;
+    // const normalizePath = !isS3;
+    const queryStrings: string[] = [];
+    const sortedQueryKeys = Object.keys(query).sort();
+    for (const key of sortedQueryKeys) {
+      if (!key) {
+        continue;
+      }
+
+      const encodedKey = encode(key);
+      let value: string | string[] | undefined = query[key];
+      if (Array.isArray(value)) {
+        let values: string[] = value;
+        if (useFirstArrayValue) {
+          values = [value[0]];
+        }
+
+        for (const item of values) {
+          const encodedValue = encode(item);
+          queryStrings.push(`${encodedKey}=${encodedValue}`);
+        }
+      } else {
+        value = value ?? '';
+        const encodedValue = encode(value);
+        queryStrings.push(`${encodedKey}=${encodedValue}`);
+      }
+    }
+    canonicalQuerystring = queryStrings.join('&');
+  }
+
+  const convertHeaderValue = (value: string | number) => {
+    return value.toString().trim().replace(/\s+/g, ' ');
+  };
+  const headers: string[] = [
+    `content-length:${convertHeaderValue(options.headers['Content-Length'])}\n`,
+    `content-type:${convertHeaderValue(options.headers['Content-Type'])}\n`,
+    `x-mongodb-gs2-cb-flag:${convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag'])}\n`,
+    `x-mongodb-server-nonce:${convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])}\n`
+  ];
+  const canonicalHeaders = headers.sort().join('\n');
+
+  const signedHeaders = 'content-length;content-type;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce';
+
+  const getHash = (str: string): string => {
+    return crypto.createHash('sha256').update(str, 'utf8').digest('hex');
+  };
+  const getHmac = (key: string, str: string): string => {
+    return crypto.createHmac('sha256', key).update(str, 'utf8').digest('hex');
+  };
+  const hashedPayload = getHash(options.body || '');
+
+  const canonicalUri = path;
+  const canonicalRequest = [
+    options.method,
+    canonicalUri,
+    canonicalQuerystring,
+    canonicalHeaders,
+    signedHeaders,
+    hashedPayload
+  ].join('\n');
+
+  const canonicRequestHash = getHash(canonicalRequest);
+  const requestDateTime = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '');
+  const requestDate = requestDateTime.substring(0, 8);
+  const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
+
+  const stringToSign = [
+    'AWS4-HMAC-SHA256',
+    requestDateTime,
+    credentialScope,
+    canonicRequestHash
+  ].join('\n');
+
+  const getEnvCredentials = () => {
+    const env = process.env;
+    return {
+      accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,
+      secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,
+      sessionToken: env.AWS_SESSION_TOKEN
+    };
+  };
+  const creds = credentials || getEnvCredentials();
+  const dateKey = getHmac('AWS4' + creds.secretAccessKey, requestDate);
+  const dateRegionKey = getHmac(dateKey, options.region);
+  const dateRegionServiceKey = getHmac(dateRegionKey, options.service);
+  const signingKey = getHmac(dateRegionServiceKey, 'aws4_request');
+  const signature = getHmac(signingKey, stringToSign);
+
+  const authorizationHeader = [
+    'AWS4-HMAC-SHA256 Credential=' + creds.accessKeyId + '/' + credentialScope,
+    'SignedHeaders=' + signedHeaders,
+    'Signature=' + signature
+  ].join(', ');
+
+  return {
+    headers: {
+      Authorization: authorizationHeader,
+      'X-Amz-Date': requestDateTime
+    }
+  };
+}
+
+// export const aws4: AWS4 = {
+//   sign: aws4Sign
+// };

src/cmap/auth/mongodb_aws.ts

@@ -1,6 +1,6 @@
+import { aws4Sign } from '../../aws4';
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4 } from '../../deps';
 import {
   MongoCompatibilityError,
   MongoMissingCredentialsError,
@@ -45,11 +45,6 @@ export class MongoDBAWS extends AuthProvider {
       throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
 
-    if ('kModuleError' in aws4) {
-      throw aws4['kModuleError'];
-    }
-    const { sign } = aws4;
-
     if (maxWireVersion(connection) < 9) {
       throw new MongoCompatibilityError(
         'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
@@ -114,7 +109,7 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = sign(
+    const options = aws4Sign(
       {
         method: 'POST',
         host,

src/deps.ts

@@ -203,66 +203,6 @@ export function getSocks(): SocksLib | { kModuleError: MongoMissingDependencyErr
   }
 }
 
-interface AWS4 {
-  /**
-   * Created these inline types to better assert future usage of this API
-   * @param options - options for request
-   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
-   */
-  sign(
-    this: void,
-    options: {
-      path: '/';
-      body: string;
-      host: string;
-      method: 'POST';
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded';
-        'Content-Length': number;
-        'X-MongoDB-Server-Nonce': string;
-        'X-MongoDB-GS2-CB-Flag': 'n';
-      };
-      service: string;
-      region: string;
-    },
-    credentials:
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-        }
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-        }
-      | undefined
-  ): {
-    headers: {
-      Authorization: string;
-      'X-Amz-Date': string;
-    };
-  };
-}
-
-export const aws4: AWS4 | { kModuleError: MongoMissingDependencyError } = loadAws4();
-
-function loadAws4() {
-  let aws4: AWS4 | { kModuleError: MongoMissingDependencyError };
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    aws4 = require('aws4');
-  } catch (error) {
-    aws4 = makeErrorModule(
-      new MongoMissingDependencyError(
-        'Optional module `aws4` not found. Please install it to enable AWS authentication',
-        { cause: error, dependencyName: 'aws4' }
-      )
-    );
-  }
-
-  return aws4;
-}
-
 /** A utility function to get the instance of mongodb-client-encryption, if it exists. */
 export function getMongoDBClientEncryption():
   | typeof import('mongodb-client-encryption')

test/unit/assorted/optional_require.test.ts

@@ -4,7 +4,6 @@ import { resolve } from 'path';
 
 import { AuthContext } from '../../../src/cmap/auth/auth_provider';
 import { GSSAPI } from '../../../src/cmap/auth/gssapi';
-import { MongoDBAWS } from '../../../src/cmap/auth/mongodb_aws';
 import { compress } from '../../../src/cmap/wire_protocol/compression';
 import { MongoMissingDependencyError } from '../../../src/error';
 import { HostAddress } from '../../../src/utils';
@@ -51,20 +50,4 @@ describe('optionalRequire', function () {
       expect(error).to.be.instanceOf(MongoMissingDependencyError);
     });
   });
-
-  describe('aws4', function () {
-    it('should error if not installed', async function () {
-      const moduleName = 'aws4';
-      if (moduleExistsSync(moduleName)) {
-        return this.skip();
-      }
-      const mdbAWS = new MongoDBAWS();
-
-      const error = await mdbAWS
-        .auth(new AuthContext({ hello: { maxWireVersion: 9 } }, true, null))
-        .catch(error => error);
-
-      expect(error).to.be.instanceOf(MongoMissingDependencyError);
-    });
-  });
 });