fix issues and add a test, and a simple way to run it

Author: PavelSafronov

etc/aws-test.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+cd $DRIVERS_TOOLS/.evergreen/auth_aws
+
+. ./activate-authawsvenv.sh
+
+# Test with permanent credentials
+. aws_setup.sh env-creds
+unset MONGODB_URI
+echo "AWS_SESSION_TOKEN is set to '${AWS_SESSION_TOKEN-NOT SET}'"
+npm run check:test -- --grep "AwsSigV4"
+
+# Test with session credentials
+. aws_setup.sh session-creds
+unset MONGODB_URI
+echo "AWS_SESSION_TOKEN is set to '${AWS_SESSION_TOKEN-NOT SET}'"
+npm run check:test -- --grep "AwsSigV4"

src/aws4.ts

@@ -1,5 +1,4 @@
 import * as crypto from 'node:crypto';
-import * as queryString from 'node:querystring';
 
 export interface AWS4 {
   /**
@@ -42,6 +41,29 @@ export interface AWS4 {
   };
 }
 
+const getHash = (str: string): string => {
+  return crypto.createHash('sha256').update(str, 'utf8').digest('hex');
+};
+const getHmacArray = (key: string | Uint8Array, str: string): Uint8Array => {
+  return crypto.createHmac('sha256', key).update(str, 'utf8').digest();
+};
+const getHmacString = (key: Uint8Array, str: string): string => {
+  return crypto.createHmac('sha256', key).update(str, 'utf8').digest('hex');
+};
+
+const getEnvCredentials = () => {
+  const env = process.env;
+  return {
+    accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,
+    secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,
+    sessionToken: env.AWS_SESSION_TOKEN
+  };
+};
+
+const convertHeaderValue = (value: string | number) => {
+  return value.toString().trim().replace(/\s+/g, ' ');
+};
+
 export function aws4Sign(
   this: void,
   options: {
@@ -75,118 +97,56 @@ export function aws4Sign(
     'X-Amz-Date': string;
   };
 } {
-  let path: string;
-  let query: queryString.ParsedUrlQuery | undefined;
-
-  const encode = (str: string) => {
-    const encoded = encodeURIComponent(str);
-    const replaced = encoded.replace(/[!'()*]/g, function (c) {
-      return '%' + c.charCodeAt(0).toString(16).toUpperCase();
-    });
-    return replaced;
-  };
-
-  const queryIndex = options.path.indexOf('?');
-  if (queryIndex < 0) {
-    path = options.path;
-    query = undefined;
-  } else {
-    path = options.path.slice(0, queryIndex);
-    query = queryString.parse(options.path.slice(queryIndex + 1));
-  }
-
-  let canonicalQuerystring = '';
-  if (query) {
-    const isS3 = options.service === 's3';
-    const useFirstArrayValue = isS3;
-    // const decodeSlashesInPath = isS3;
-    // const decodePath = isS3;
-    // const normalizePath = !isS3;
-    const queryStrings: string[] = [];
-    const sortedQueryKeys = Object.keys(query).sort();
-    for (const key of sortedQueryKeys) {
-      if (!key) {
-        continue;
-      }
-
-      const encodedKey = encode(key);
-      let value: string | string[] | undefined = query[key];
-      if (Array.isArray(value)) {
-        let values: string[] = value;
-        if (useFirstArrayValue) {
-          values = [value[0]];
-        }
+  const method = options.method;
+  const canonicalUri = options.path;
+  const canonicalQuerystring = '';
+  const creds = credentials || getEnvCredentials();
 
-        for (const item of values) {
-          const encodedValue = encode(item);
-          queryStrings.push(`${encodedKey}=${encodedValue}`);
-        }
-      } else {
-        value = value ?? '';
-        const encodedValue = encode(value);
-        queryStrings.push(`${encodedKey}=${encodedValue}`);
-      }
-    }
-    canonicalQuerystring = queryStrings.join('&');
-  }
+  const date = new Date();
+  const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
+  const requestDate = requestDateTime.substring(0, 8);
 
-  const convertHeaderValue = (value: string | number) => {
-    return value.toString().trim().replace(/\s+/g, ' ');
-  };
   const headers: string[] = [
-    `content-length:${convertHeaderValue(options.headers['Content-Length'])}\n`,
-    `content-type:${convertHeaderValue(options.headers['Content-Type'])}\n`,
-    `x-mongodb-gs2-cb-flag:${convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag'])}\n`,
-    `x-mongodb-server-nonce:${convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])}\n`
+    `content-length:${convertHeaderValue(options.headers['Content-Length'])}`,
+    `content-type:${convertHeaderValue(options.headers['Content-Type'])}`,
+    `host:${convertHeaderValue(options.host)}`,
+    `x-amz-date:${convertHeaderValue(requestDateTime)}`,
+    `x-mongodb-gs2-cb-flag:${convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag'])}`,
+    `x-mongodb-server-nonce:${convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])}`
   ];
+  if ('sessionToken' in creds && creds.sessionToken) {
+    headers.push(`x-amz-security-token:${convertHeaderValue(creds.sessionToken)}`);
+  }
   const canonicalHeaders = headers.sort().join('\n');
+  const canonicalHeaderNames = headers.map(header => header.split(':', 2)[0].toLowerCase());
+  const signedHeaders = canonicalHeaderNames.sort().join(';');
 
-  const signedHeaders = 'content-length;content-type;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce';
-
-  const getHash = (str: string): string => {
-    return crypto.createHash('sha256').update(str, 'utf8').digest('hex');
-  };
-  const getHmac = (key: string, str: string): string => {
-    return crypto.createHmac('sha256', key).update(str, 'utf8').digest('hex');
-  };
   const hashedPayload = getHash(options.body || '');
 
-  const canonicalUri = path;
   const canonicalRequest = [
-    options.method,
+    method,
     canonicalUri,
     canonicalQuerystring,
-    canonicalHeaders,
+    canonicalHeaders + '\n',
     signedHeaders,
     hashedPayload
   ].join('\n');
 
-  const canonicRequestHash = getHash(canonicalRequest);
-  const requestDateTime = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '');
-  const requestDate = requestDateTime.substring(0, 8);
+  const canonicalRequestHash = getHash(canonicalRequest);
   const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
 
   const stringToSign = [
     'AWS4-HMAC-SHA256',
     requestDateTime,
     credentialScope,
-    canonicRequestHash
+    canonicalRequestHash
   ].join('\n');
 
-  const getEnvCredentials = () => {
-    const env = process.env;
-    return {
-      accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,
-      secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,
-      sessionToken: env.AWS_SESSION_TOKEN
-    };
-  };
-  const creds = credentials || getEnvCredentials();
-  const dateKey = getHmac('AWS4' + creds.secretAccessKey, requestDate);
-  const dateRegionKey = getHmac(dateKey, options.region);
-  const dateRegionServiceKey = getHmac(dateRegionKey, options.service);
-  const signingKey = getHmac(dateRegionServiceKey, 'aws4_request');
-  const signature = getHmac(signingKey, stringToSign);
+  const dateKey = getHmacArray('AWS4' + creds.secretAccessKey, requestDate);
+  const dateRegionKey = getHmacArray(dateKey, options.region);
+  const dateRegionServiceKey = getHmacArray(dateRegionKey, options.service);
+  const signingKey = getHmacArray(dateRegionServiceKey, 'aws4_request');
+  const signature = getHmacString(signingKey, stringToSign);
 
   const authorizationHeader = [
     'AWS4-HMAC-SHA256 Credential=' + creds.accessKeyId + '/' + credentialScope,
@@ -201,7 +161,3 @@ export function aws4Sign(
     }
   };
 }
-
-// export const aws4: AWS4 = {
-//   sign: aws4Sign
-// };

test/integration/auth/aws.test.ts

@@ -0,0 +1,105 @@
+import * as process from 'node:process';
+
+import { expect } from 'chai';
+
+import { aws4Sign } from '../../../src/aws4';
+
+// This test verifies that our AWS SigV4 signing works correctly with real AWS credentials.
+// This is done by calculating a signature, then using it to make a real request to the AWS STS service.
+// To run this test, simply run `./etc/aws-test.sh`.
+
+describe('AwsSigV4', function () {
+  beforeEach(function () {
+    if (!process.env.AWS_ACCESS_KEY_ID || !process.env.AWS_SECRET_ACCESS_KEY) {
+      this.skipReason = 'AWS credentials are not present in the environment';
+      this.skip();
+    }
+  });
+
+  const testSigning = async credentials => {
+    const host = 'sts.amazonaws.com';
+    const body = 'Action=GetCallerIdentity&Version=2011-06-15';
+    const headers: {
+      'Content-Type': 'application/x-www-form-urlencoded';
+      'Content-Length': number;
+      'X-MongoDB-Server-Nonce': string;
+      'X-MongoDB-GS2-CB-Flag': 'n';
+    } = {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      'Content-Length': body.length,
+      'X-MongoDB-Server-Nonce': 'fakenonce',
+      'X-MongoDB-GS2-CB-Flag': 'n'
+    };
+    const options = aws4Sign(
+      {
+        method: 'POST',
+        host,
+        path: '/',
+        region: 'us-east-1',
+        service: 'sts',
+        headers: headers,
+        body
+      },
+      credentials
+    );
+
+    const authorization = options.headers.Authorization;
+    const xAmzDate = options.headers['X-Amz-Date'];
+
+    const fetchHeaders = new Headers();
+    for (const [key, value] of Object.entries(headers)) {
+      fetchHeaders.append(key, value.toString());
+    }
+    if (credentials.sessionToken) {
+      fetchHeaders.append('X-Amz-Security-Token', credentials.sessionToken);
+    }
+    fetchHeaders.append('Authorization', authorization);
+    fetchHeaders.append('X-Amz-Date', xAmzDate);
+    const response = await fetch('https://sts.amazonaws.com', {
+      method: 'POST',
+      headers: fetchHeaders,
+      body
+    });
+    expect(response.status).to.equal(200);
+    expect(response.statusText).to.equal('OK');
+    const text = await response.text();
+    expect(text).to.match(
+      /<GetCallerIdentityResponse xmlns="https:\/\/sts.amazonaws.com\/doc\/2011-06-15\/">/
+    );
+  };
+
+  describe('AWS4 signs requests with AWS permanent env vars', function () {
+    before(function () {
+      if (process.env.AWS_SESSION_TOKEN) {
+        this.skipReason = 'Skipping permanent credentials test because session token is set';
+        this.skip();
+      }
+    });
+
+    it('AWS4 signs requests with AWS permanent env vars', async () => {
+      const awsCredentials = {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+      };
+      await testSigning(awsCredentials);
+    });
+  });
+
+  describe('AWS4 signs requests with AWS session env vars', function () {
+    before(function () {
+      if (!process.env.AWS_SESSION_TOKEN) {
+        this.skipReason = 'Skipping session credentials test because session token is not set';
+        this.skip();
+      }
+    });
+
+    it('AWS4 signs requests with AWS session env vars', async () => {
+      const awsCredentials = {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+        sessionToken: process.env.AWS_SESSION_TOKEN
+      };
+      await testSigning(awsCredentials);
+    });
+  });
+});

test/integration/auth/mongodb_aws.test.ts

@@ -38,44 +38,6 @@ describe('MONGODB-AWS', function () {
     await client?.close();
   });
 
-  context('when the AWS SDK is not present', function () {
-    beforeEach(function () {
-      AWSSDKCredentialProvider.awsSDK['kModuleError'] = new MongoMissingDependencyError(
-        'Missing dependency @aws-sdk/credential-providers',
-        {
-          cause: new Error(),
-          dependencyName: '@aws-sdk/credential-providers'
-        }
-      );
-    });
-
-    afterEach(function () {
-      delete AWSSDKCredentialProvider.awsSDK['kModuleError'];
-    });
-
-    describe('when attempting AWS auth', function () {
-      it('throws an error', async function () {
-        client = this.configuration.newClient(process.env.MONGODB_URI); // use the URI built by the test environment
-
-        const result = await client
-          .db('aws')
-          .collection('aws_test')
-          .estimatedDocumentCount()
-          .catch(e => e);
-
-        // TODO(NODE-7046): Remove branch when removing support for AWS credentials in URI.
-        // The drivers tools scripts put the credentials in the URI currently for some environments,
-        // this will need to change when doing the DRIVERS-3131 work.
-        if (!client.options.credentials.username) {
-          expect(result).to.be.instanceof(MongoAWSError);
-          expect(result.message).to.match(/credential-providers/);
-        } else {
-          expect(result).to.equal(0);
-        }
-      });
-    });
-  });
-
   context('when the AWS SDK is present', function () {
     it('should authorize when successfully authenticated', async function () {
       client = this.configuration.newClient(process.env.MONGODB_URI); // use the URI built by the test environment