feat: use credential providers

Author: durran

src/client-side-encryption/auto_encrypter.ts

@@ -6,7 +6,6 @@ import {
 import * as net from 'net';
 
 import { deserialize, type Document, serialize } from '../bson';
-import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
 import { type CommandOptions, type ProxyOptions } from '../cmap/connection';
 import { kDecorateResult } from '../constants';
 import { getMongoDBClientEncryption } from '../deps';
@@ -18,7 +17,7 @@ import { autoSelectSocketOptions } from './client_encryption';
 import * as cryptoCallbacks from './crypto_callbacks';
 import { MongoCryptInvalidArgumentError } from './errors';
 import { MongocryptdManager } from './mongocryptd_manager';
-import { type KMSProviders, refreshKMSCredentials } from './providers';
+import { type CredentialProviders, type KMSProviders, refreshKMSCredentials } from './providers';
 import { type CSFLEKMSTlsOptions, StateMachine } from './state_machine';
 
 /** @public */
@@ -31,6 +30,8 @@ export interface AutoEncryptionOptions {
   keyVaultNamespace?: string;
   /** Configuration options that are used by specific KMS providers during key generation, encryption, and decryption. */
   kmsProviders?: KMSProviders;
+  /** Configuration options for custom credential providers. */
+  credentialProviders?: CredentialProviders;
   /**
    * A map of namespaces to a local JSON schema for encryption
    *
@@ -105,8 +106,6 @@ export interface AutoEncryptionOptions {
   proxyOptions?: ProxyOptions;
   /** The TLS options to use connecting to the KMS provider */
   tlsOptions?: CSFLEKMSTlsOptions;
-  /** Optional custom credential provider to use for KMS requests. */
-  awsCredentialProvider?: AWSCredentialProvider;
 }
 
 /**
@@ -156,7 +155,7 @@ export class AutoEncrypter {
   _kmsProviders: KMSProviders;
   _bypassMongocryptdAndCryptShared: boolean;
   _contextCounter: number;
-  _awsCredentialProvider?: AWSCredentialProvider;
+  _credentialProviders?: CredentialProviders;
 
   _mongocryptdManager?: MongocryptdManager;
   _mongocryptdClient?: MongoClient;
@@ -241,7 +240,7 @@ export class AutoEncrypter {
     this._proxyOptions = options.proxyOptions || {};
     this._tlsOptions = options.tlsOptions || {};
     this._kmsProviders = options.kmsProviders || {};
-    this._awsCredentialProvider = options.awsCredentialProvider;
+    this._credentialProviders = options.credentialProviders;
 
     const mongoCryptOptions: MongoCryptOptions = {
       cryptoCallbacks
@@ -443,7 +442,7 @@ export class AutoEncrypter {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
+    return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
   }
 
   /**

src/client-side-encryption/client_encryption.ts

@@ -15,7 +15,6 @@ import {
   type UUID
 } from '../bson';
 import { type AnyBulkWriteOperation, type BulkWriteResult } from '../bulk/common';
-import { type AWSCredentialProvider } from '../cmap/auth/aws_temporary_credentials';
 import { type ProxyOptions } from '../cmap/connection';
 import { type Collection } from '../collection';
 import { type FindCursor } from '../cursor/find_cursor';
@@ -35,6 +34,7 @@ import {
 } from './errors';
 import {
   type ClientEncryptionDataKeyProvider,
+  type CredentialProviders,
   type KMSProviders,
   refreshKMSCredentials
 } from './providers/index';
@@ -83,7 +83,7 @@ export class ClientEncryption {
   _mongoCrypt: MongoCrypt;
 
   /** @internal */
-  _awsCredentialProvider?: AWSCredentialProvider;
+  _credentialProviders?: CredentialProviders;
 
   /** @internal */
   static getMongoCrypt(): MongoCryptConstructor {
@@ -129,8 +129,7 @@ export class ClientEncryption {
     this._kmsProviders = options.kmsProviders || {};
     const { timeoutMS } = resolveTimeoutOptions(client, options);
     this._timeoutMS = timeoutMS;
-    this._awsCredentialProvider =
-      client.options.credentials?.mechanismProperties.AWS_CREDENTIAL_PROVIDER;
+    this._credentialProviders = options.credentialProviders;
 
     if (options.keyVaultNamespace == null) {
       throw new MongoCryptInvalidArgumentError('Missing required option `keyVaultNamespace`');
@@ -718,7 +717,7 @@ export class ClientEncryption {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return await refreshKMSCredentials(this._kmsProviders, this._awsCredentialProvider);
+    return await refreshKMSCredentials(this._kmsProviders, this._credentialProviders);
   }
 
   static get libmongocryptVersion() {
@@ -864,6 +863,11 @@ export interface ClientEncryptionOptions {
    */
   kmsProviders?: KMSProviders;
 
+  /**
+   * Options for user provided custom credential providers.
+   */
+  credentialProviders?: CredentialProviders;
+
   /**
    * Options for specifying a Socks5 proxy to use for connecting to the KMS.
    */

src/client-side-encryption/providers/index.ts

@@ -113,6 +113,15 @@ export type GCPKMSProviderConfiguration =
       accessToken: string;
     };
 
+/**
+ * @public
+ * Configuration options for custom credential providers for KMS requests.
+ */
+export interface CredentialProviders {
+  /* A custom AWS credential provider */
+  aws?: AWSCredentialProvider;
+}
+
 /**
  * @public
  * Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
@@ -179,12 +188,12 @@ export function isEmptyCredentials(
  */
 export async function refreshKMSCredentials(
   kmsProviders: KMSProviders,
-  awsProvider?: AWSCredentialProvider
+  credentialProviders?: CredentialProviders
 ): Promise<KMSProviders> {
   let finalKMSProviders = kmsProviders;
 
   if (isEmptyCredentials('aws', kmsProviders)) {
-    finalKMSProviders = await loadAWSCredentials(finalKMSProviders, awsProvider);
+    finalKMSProviders = await loadAWSCredentials(finalKMSProviders, credentialProviders?.aws);
   }
 
   if (isEmptyCredentials('gcp', kmsProviders)) {

src/index.ts

@@ -256,6 +256,7 @@ export type {
   AWSKMSProviderConfiguration,
   AzureKMSProviderConfiguration,
   ClientEncryptionDataKeyProvider,
+  CredentialProviders,
   GCPKMSProviderConfiguration,
   KMIPKMSProviderConfiguration,
   KMSProviders,

test/integration/auth/mongodb_aws.test.ts

@@ -475,7 +475,7 @@ describe('AWS KMS Credential Fetching', function () {
       it('KMS credentials are successfully fetched.', async function () {
         const { aws } = await refreshKMSCredentials(
           { aws: {} },
-          credentialProvider.fromNodeProviderChain()
+          { aws: credentialProvider.fromNodeProviderChain() }
         );
 
         expect(aws).to.have.property('accessKeyId');