Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(NODE-6051): only provide expected allowed keys to libmongocrypt after fetching aws kms credentials #4057

Merged
merged 9 commits into from
Apr 4, 2024
Merged

fix(NODE-6051): only provide expected allowed keys to libmongocrypt after fetching aws kms credentials #4057

merged 9 commits into from
Apr 4, 2024

Conversation

baileympearson
Copy link
Contributor

@baileympearson baileympearson commented Mar 26, 2024
edited
Loading

Description

What is changing?

  • AWS KMS credentials are now fetched using the same logic as AWS authentication (the AWSSDKTemporaryCredentialProvider).
  • Only expected keys (sessionToken,accessKeyId, secretAccessKey) are returned to libmongocrypt after fetching kms credentials

I also fixed some unit test skipping logic on Node18+, which previously only skipped on Node 18 and 20. Now it skips on Node18+.

This PR includes changes from #4064 to get a greener CI.

Is there new documentation needed for these changes?

Nope.

What is the motivation for this change?

Release Highlight

AWS credentials with expirations no longer throw when using on-demand AWS KMS credentials

In addition to letting users provide KMS credentials manually, client-side encryption supports fetching AWS KMS credentials on-demand using the AWS SDK. However, AWS credential mechanisms that returned access keys with expiration timestamps caused the driver to throw an error.

The driver will no longer throw an error when receiving an expiration token from the AWS SDK.

Double check the following

  • Ran npm run check:lint script
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@baileympearson baileympearson changed the title signing commit object fix(NODE-6051): cache AWS credential provider during KMS refresh and only provide allowed keys to libmongocrypt Mar 26, 2024
@baileympearson baileympearson changed the title fix(NODE-6051): cache AWS credential provider during KMS refresh and only provide allowed keys to libmongocrypt fix(NODE-6051): only provide expected allowed keys to libmongocrypt after fetching aws kms credentials Mar 29, 2024
@baileympearson baileympearson marked this pull request as ready for review April 2, 2024 14:06
@W-A-James W-A-James self-assigned this Apr 2, 2024
@W-A-James W-A-James added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label Apr 2, 2024
@W-A-James W-A-James self-requested a review April 2, 2024 19:05
W-A-James
W-A-James requested changes Apr 2, 2024
View reviewed changes
Copy link
Contributor

@W-A-James W-A-James left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM apart from skip reason change and update to highlight

test/unit/connection_string.spec.test.ts Outdated Show resolved Hide resolved
@baileympearson @W-A-James
Update test/unit/connection_string.spec.test.ts
db52e06 
Co-authored-by: Warren James <warren.james.dev@gmail.com>
@W-A-James W-A-James added Team Review Needs review from team and removed Primary Review In Review with primary reviewer, not yet ready for team's eyes labels Apr 3, 2024
aditi-khare-mongoDB
aditi-khare-mongoDB approved these changes Apr 3, 2024
View reviewed changes
Copy link
Contributor

@aditi-khare-mongoDB aditi-khare-mongoDB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@W-A-James W-A-James merged commit c604e74 into mongodb:main Apr 4, 2024
18 of 26 checks passed
@github-actions github-actions bot mentioned this pull request Apr 3, 2024
Merged
@lryanle lryanle mentioned this pull request Sep 3, 2024
Open
@lydmoon lydmoon mentioned this pull request Sep 3, 2024
Open
@mkusztal mkusztal mentioned this pull request Sep 3, 2024
Open
@NotZarifGithub NotZarifGithub mentioned this pull request Sep 4, 2024
Open
@arenault-pass arenault-pass mentioned this pull request Sep 6, 2024
Closed
This was referenced Sep 6, 2024
Merged
Merged
This was referenced Sep 7, 2024
Closed
Closed
@snyk-io snyk-io bot mentioned this pull request Sep 16, 2024
Open
@sunil-lakshman sunil-lakshman mentioned this pull request Sep 18, 2024
Closed
This was referenced Sep 24, 2024
Closed
Closed
Closed
Closed
@akanchhaS akanchhaS mentioned this pull request Sep 27, 2024
Open
@MohammadGhajari MohammadGhajari mentioned this pull request Sep 27, 2024
Open
@snyk-io snyk-io bot mentioned this pull request Sep 28, 2024
Open
@issam-seghir issam-seghir mentioned this pull request Sep 28, 2024
Open
@arenault-pass arenault-pass mentioned this pull request Sep 28, 2024
Closed
@lydmoon lydmoon mentioned this pull request Sep 28, 2024
Open
@lryanle lryanle mentioned this pull request Sep 28, 2024
Open
@NotZarifGithub NotZarifGithub mentioned this pull request Sep 28, 2024
Open
@aretexit aretexit mentioned this pull request Sep 28, 2024
Open
@sunil-lakshman sunil-lakshman mentioned this pull request Sep 28, 2024
Closed
@WontonSam WontonSam mentioned this pull request Sep 29, 2024
Open
@mkusztal mkusztal mentioned this pull request Sep 29, 2024
Open
This was referenced Oct 1, 2024
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aditi-khare-mongoDB aditi-khare-mongoDB aditi-khare-mongoDB approved these changes

@W-A-James W-A-James W-A-James approved these changes

Assignees

@W-A-James W-A-James

Labels
Team Review Needs review from team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@baileympearson @W-A-James @aditi-khare-mongoDB