added unit tests for the signing logic, added comments about how to compare the output with the old aws4 library

Author: PavelSafronov

etc/aws-test.sh

@@ -15,3 +15,10 @@ npm run check:test -- --grep "AwsSigV4"
 unset MONGODB_URI
 echo "AWS_SESSION_TOKEN is set to '${AWS_SESSION_TOKEN-NOT SET}'"
 npm run check:test -- --grep "AwsSigV4"
+
+# Test with missing credentials
+unset MONGODB_URI
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+npm run check:test -- --grep "AwsSigV4"

src/aws4.ts

@@ -1,5 +1,39 @@
 import * as crypto from 'node:crypto';
 
+export type Options = {
+  path: '/';
+  body: string;
+  host: string;
+  method: 'POST';
+  headers: {
+    'Content-Type': 'application/x-www-form-urlencoded';
+    'Content-Length': number;
+    'X-MongoDB-Server-Nonce': string;
+    'X-MongoDB-GS2-CB-Flag': 'n';
+  };
+  service: string;
+  region: string;
+  date?: Date;
+};
+
+export type AwsSessionCredentials = {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken: string;
+};
+
+export type AwsLongtermCredentials = {
+  accessKeyId: string;
+  secretAccessKey: string;
+};
+
+export type SignedHeaders = {
+  headers: {
+    Authorization: string;
+    'X-Amz-Date': string;
+  };
+};
+
 export interface AWS4 {
   /**
    * Created these inline types to better assert future usage of this API
@@ -8,37 +42,9 @@ export interface AWS4 {
    */
   sign(
     this: void,
-    options: {
-      path: '/';
-      body: string;
-      host: string;
-      method: 'POST';
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded';
-        'Content-Length': number;
-        'X-MongoDB-Server-Nonce': string;
-        'X-MongoDB-GS2-CB-Flag': 'n';
-      };
-      service: string;
-      region: string;
-    },
-    credentials:
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-        }
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-        }
-      | undefined
-  ): {
-    headers: {
-      Authorization: string;
-      'X-Amz-Date': string;
-    };
-  };
+    options: Options,
+    credentials: AwsSessionCredentials | AwsLongtermCredentials | undefined
+  ): SignedHeaders;
 }
 
 const getHash = (str: string): string => {
@@ -66,43 +72,15 @@ const convertHeaderValue = (value: string | number) => {
 
 export function aws4Sign(
   this: void,
-  options: {
-    path: '/';
-    body: string;
-    host: string;
-    method: 'POST';
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded';
-      'Content-Length': number;
-      'X-MongoDB-Server-Nonce': string;
-      'X-MongoDB-GS2-CB-Flag': 'n';
-    };
-    service: string;
-    region: string;
-  },
-  credentials:
-    | {
-        accessKeyId: string;
-        secretAccessKey: string;
-        sessionToken: string;
-      }
-    | {
-        accessKeyId: string;
-        secretAccessKey: string;
-      }
-    | undefined
-): {
-  headers: {
-    Authorization: string;
-    'X-Amz-Date': string;
-  };
-} {
+  options: Options,
+  credentials: AwsSessionCredentials | AwsLongtermCredentials | undefined
+): SignedHeaders {
   const method = options.method;
   const canonicalUri = options.path;
   const canonicalQuerystring = '';
   const creds = credentials || getEnvCredentials();
 
-  const date = new Date();
+  const date = options.date || new Date();
   const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
   const requestDate = requestDateTime.substring(0, 8);
 

src/cmap/auth/mongodb_aws.ts

@@ -109,7 +109,7 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = aws4Sign(
+    const signed = aws4Sign(
       {
         method: 'POST',
         host,
@@ -128,8 +128,8 @@ export class MongoDBAWS extends AuthProvider {
     );
 
     const payload: AWSSaslContinuePayload = {
-      a: options.headers.Authorization,
-      d: options.headers['X-Amz-Date']
+      a: signed.headers.Authorization,
+      d: signed.headers['X-Amz-Date']
     };
 
     if (sessionToken) {

test/integration/auth/aws.test.ts test/integration/auth/aws4.test.tstest/integration/auth/aws.test.ts renamed to test/integration/auth/aws4.test.ts

@@ -30,7 +30,7 @@ describe('AwsSigV4', function () {
       'X-MongoDB-Server-Nonce': 'fakenonce',
       'X-MongoDB-GS2-CB-Flag': 'n'
     };
-    const options = aws4Sign(
+    const signed = aws4Sign(
       {
         method: 'POST',
         host,
@@ -43,8 +43,8 @@ describe('AwsSigV4', function () {
       credentials
     );
 
-    const authorization = options.headers.Authorization;
-    const xAmzDate = options.headers['X-Amz-Date'];
+    const authorization = signed.headers.Authorization;
+    const xAmzDate = signed.headers['X-Amz-Date'];
 
     const fetchHeaders = new Headers();
     for (const [key, value] of Object.entries(headers)) {
@@ -68,6 +68,23 @@ describe('AwsSigV4', function () {
     );
   };
 
+  describe('AWS4 signs requests with missing AWS env vars', function () {
+    before(function () {
+      if (
+        process.env.AWS_ACCESS_KEY_ID ||
+        process.env.AWS_SECRET_ACCESS_KEY ||
+        process.env.AWS_SESSION_TOKEN
+      ) {
+        this.skipReason = 'Skipping missing credentials test because AWS credentials are set';
+        this.skip();
+      }
+    });
+
+    it('AWS4 signs requests with missing aws env vars', async () => {
+      await testSigning(undefined);
+    });
+  });
+
   describe('AWS4 signs requests with AWS permanent env vars', function () {
     before(function () {
       if (process.env.AWS_SESSION_TOKEN) {
@@ -94,12 +111,12 @@ describe('AwsSigV4', function () {
     });
 
     it('AWS4 signs requests with AWS session env vars', async () => {
-      const awsCredentials = {
+      const awsSesssionCredentials = {
         accessKeyId: process.env.AWS_ACCESS_KEY_ID,
         secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
         sessionToken: process.env.AWS_SESSION_TOKEN
       };
-      await testSigning(awsCredentials);
+      await testSigning(awsSesssionCredentials);
     });
   });
 });

test/unit/aws4.test.ts

@@ -0,0 +1,93 @@
+import { expect } from 'chai';
+
+import { aws4Sign, type Options } from '../../src/aws4';
+
+describe('Verify AWS4 signature generation', () => {
+  const date = new Date('2025-12-15T12:34:56Z');
+  const awsCredentials = {
+    accessKeyId: 'AKIDEXAMPLE',
+    secretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
+  };
+  const awsSessionCredentials = {
+    accessKeyId: 'AKIDEXAMPLE',
+    secretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYexamplekey',
+    sessionToken: 'AQoDYXdzEJ'
+  };
+  const host = 'sts.amazonaws.com';
+  const body = 'Action=GetCallerIdentity&Version=2011-06-15';
+  const request: Options = {
+    method: 'POST',
+    host,
+    path: '/',
+    region: 'us-east-1',
+    service: 'sts',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      'Content-Length': body.length,
+      'X-MongoDB-Server-Nonce': 'fakenonce',
+      'X-MongoDB-GS2-CB-Flag': 'n'
+    },
+    body,
+    date
+  };
+
+  it('should generate correct credentials for missing credentials', () => {
+    const signed = aws4Sign(request, undefined);
+
+    expect(signed.headers['X-Amz-Date']).to.exist;
+    expect(signed.headers['X-Amz-Date']).to.equal('20251215T123456Z');
+    expect(signed.headers['Authorization']).to.exist;
+    expect(signed.headers['Authorization']).to.equal(
+      'AWS4-HMAC-SHA256 Credential=undefined/20251215/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce, Signature=8854aaaeec4bf1f820435b60e216b610e92fa53cbfca71b269f2c334e02c1c45'
+    );
+
+    // Uncomment the following lines if you want to compare with the old aws4 library.
+    // Remember to import aws4 at the top of the file, like this: import * as aws4sign from 'aws4';
+
+    // const oldSigned = aws4sign.sign(request, undefined);
+    // expect(oldSigned.headers['X-Amz-Date']).to.exist;
+    // expect(oldSigned.headers['X-Amz-Date']).to.equal(signed.headers['X-Amz-Date']);
+    // expect(oldSigned.headers['Authorization']).to.exist;
+    // expect(oldSigned.headers['Authorization']).to.equal(signed.headers['Authorization']);
+  });
+
+  it('should generate correct credentials for permanent credentials', () => {
+    const signed = aws4Sign(request, awsCredentials);
+
+    expect(signed.headers['X-Amz-Date']).to.exist;
+    expect(signed.headers['X-Amz-Date']).to.equal('20251215T123456Z');
+    expect(signed.headers['Authorization']).to.exist;
+    expect(signed.headers['Authorization']).to.equal(
+      'AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20251215/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce, Signature=48a66f9fc76829002a7a7ac5b92e4089395d9b88ea7d417ab146949b90eeab08'
+    );
+
+    // Uncomment the following lines if you want to compare with the old aws4 library.
+    // Remember to import aws4 at the top of the file, like this: import * as aws4sign from 'aws4';
+
+    // const oldSigned = aws4sign.sign(request, awsCredentials);
+    // expect(oldSigned.headers['X-Amz-Date']).to.exist;
+    // expect(oldSigned.headers['X-Amz-Date']).to.equal(signed.headers['X-Amz-Date']);
+    // expect(oldSigned.headers['Authorization']).to.exist;
+    // expect(oldSigned.headers['Authorization']).to.equal(signed.headers['Authorization']);
+  });
+
+  it('should generate correct credentials for session credentials', () => {
+    const signed = aws4Sign(request, awsSessionCredentials);
+
+    expect(signed.headers['X-Amz-Date']).to.exist;
+    expect(signed.headers['X-Amz-Date']).to.equal('20251215T123456Z');
+    expect(signed.headers['Authorization']).to.exist;
+    expect(signed.headers['Authorization']).to.equal(
+      'AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20251215/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce, Signature=bbcb06e2feb8651dced329789743ba283f92ef1302d34a7398cb1d35808a1a66'
+    );
+
+    // Uncomment the following lines if you want to compare with the old aws4 library.
+    // Remember to import aws4 at the top of the file, like this: import * as aws4sign from 'aws4';
+
+    // const oldSigned = aws4sign.sign(request, awsSessionCredentials);
+    // expect(oldSigned.headers['X-Amz-Date']).to.exist;
+    // expect(oldSigned.headers['X-Amz-Date']).to.equal(signed.headers['X-Amz-Date']);
+    // expect(oldSigned.headers['Authorization']).to.exist;
+    // expect(oldSigned.headers['Authorization']).to.equal(signed.headers['Authorization']);
+  });
+});