feat(NODE-5076): add support for Azure KMS credential auto refresh (#583)

Co-authored-by: Neal Beeken <[email protected]>

Author: baileympearson

index.d.ts

@@ -62,6 +62,16 @@ export class MongoCryptCreateDataKeyError extends MongoCryptError {
   cause: Error;
 }
 
+/**
+ * An error indicating that mongodb-client-encryption failed to auto-refresh Azure KMS credentials.
+ */
+export class MongoCryptAzureKMSRequestError extends MongoCryptError {
+  /* The body of the IMDS request that produced the error, if present. */
+  body?: Document ;
+}
+
+export class MongoCryptKMSRequestNetworkTimeoutError extends MongoCryptError {}
+
 /**
  * A set of options for specifying a Socks5 proxy.
  */
@@ -179,7 +189,8 @@ export interface KMSProviders {
          * If present, an access token to authenticate with Azure.
          */
         accessToken: string;
-      };
+      }
+    | Record<string, never>;
 
   /**
    * Configuration options for using 'gcp' as your KMS provider

lib/autoEncrypter.js

@@ -9,7 +9,7 @@ module.exports = function (modules) {
   const MongoClient = modules.mongodb.MongoClient;
   const MongoError = modules.mongodb.MongoError;
   const BSON = modules.mongodb.BSON;
-  const { loadCredentials } = require('./credentialsProvider');
+  const { loadCredentials } = require('./providers/index');
   const cryptoCallbacks = require('./cryptoCallbacks');
 
   /**

lib/clientEncryption.js

@@ -13,7 +13,7 @@ module.exports = function (modules) {
     MongoCryptCreateEncryptedCollectionError,
     MongoCryptCreateDataKeyError
   } = require('./errors');
-  const { loadCredentials } = require('./credentialsProvider');
+  const { loadCredentials } = require('./providers/index');
   const cryptoCallbacks = require('./cryptoCallbacks');
   const { promisify } = require('util');
 

lib/credentialsProvider.js

@@ -49,8 +49,27 @@ class MongoCryptCreateEncryptedCollectionError extends MongoCryptError {
   }
 }
 
+/**
+ * @class
+ * An error indicating that mongodb-client-encryption failed to auto-refresh Azure KMS credentials.
+ */
+class MongoCryptAzureKMSRequestError extends MongoCryptError {
+  /**
+   * @param {string} message
+   * @param {object | undefined} body
+   */
+  constructor(message, body) {
+    super(message);
+    this.body = body;
+  }
+}
+
+class MongoCryptKMSRequestNetworkTimeoutError extends MongoCryptError {}
+
 module.exports = {
   MongoCryptError,
+  MongoCryptKMSRequestNetworkTimeoutError,
+  MongoCryptAzureKMSRequestError,
   MongoCryptCreateDataKeyError,
   MongoCryptCreateEncryptedCollectionError
 };

lib/errors.js

@@ -12,30 +12,46 @@ function loadDefaultModule() {
 const {
   MongoCryptError,
   MongoCryptCreateEncryptedCollectionError,
-  MongoCryptCreateDataKeyError
+  MongoCryptCreateDataKeyError,
+  MongoCryptAzureKMSRequestError,
+  MongoCryptKMSRequestNetworkTimeoutError
 } = require('./errors');
 
+const { fetchAzureKMSToken } = require('./providers/index');
+
 function extension(mongodb) {
   const modules = { mongodb };
 
   modules.stateMachine = require('./stateMachine')(modules);
   modules.autoEncrypter = require('./autoEncrypter')(modules);
   modules.clientEncryption = require('./clientEncryption')(modules);
 
-  return {
+  const exports = {
     AutoEncrypter: modules.autoEncrypter.AutoEncrypter,
     ClientEncryption: modules.clientEncryption.ClientEncryption,
     MongoCryptError,
     MongoCryptCreateEncryptedCollectionError,
-    MongoCryptCreateDataKeyError
+    MongoCryptCreateDataKeyError,
+    MongoCryptAzureKMSRequestError,
+    MongoCryptKMSRequestNetworkTimeoutError
   };
+
+  Object.defineProperty(exports, '___azureKMSProseTestExports', {
+    enumerable: false,
+    configurable: false,
+    value: fetchAzureKMSToken
+  });
+
+  return exports;
 }
 
 module.exports = {
   extension,
   MongoCryptError,
   MongoCryptCreateEncryptedCollectionError,
   MongoCryptCreateDataKeyError,
+  MongoCryptAzureKMSRequestError,
+  MongoCryptKMSRequestNetworkTimeoutError,
   get AutoEncrypter() {
     const m = loadDefaultModule();
     delete module.exports.AutoEncrypter;
@@ -49,3 +65,9 @@ module.exports = {
     return m.ClientEncryption;
   }
 };
+
+Object.defineProperty(module.exports, '___azureKMSProseTestExports', {
+  enumerable: false,
+  configurable: false,
+  value: fetchAzureKMSToken
+});

lib/index.js

@@ -0,0 +1,26 @@
+'use strict';
+
+let awsCredentialProviders = null;
+/** @ignore */
+async function loadAWSCredentials(kmsProviders) {
+  if (awsCredentialProviders == null) {
+    try {
+      // Ensure you always wrap an optional require in the try block NODE-3199
+      awsCredentialProviders = require('@aws-sdk/credential-providers');
+      // eslint-disable-next-line no-empty
+    } catch {}
+  }
+
+  if (awsCredentialProviders != null) {
+    const { fromNodeProviderChain } = awsCredentialProviders;
+    const provider = fromNodeProviderChain();
+    // The state machine is the only place calling this so it will
+    // catch if there is a rejection here.
+    const aws = await provider();
+    return { ...kmsProviders, aws };
+  }
+
+  return kmsProviders;
+}
+
+module.exports = { loadAWSCredentials };