feat(NODE-5393): Migrate AWS signature v4 logic into driver

.evergreen/run-mongodb-aws-ecs-test.sh

@@ -13,6 +13,3 @@ source ./.evergreen/prepare-shell.sh # should not run git clone
 
 # load node.js
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
-
-# run the tests
-npm install aws4

.evergreen/setup-mongodb-aws-auth-tests.sh

@@ -22,7 +22,5 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
 
 cd $BEFORE
 
-npm install --no-save aws4
-
 # revert to show test output
 set -x

src/aws4.ts

@@ -0,0 +1,184 @@
+import { BSON } from './bson';
+import { type AWSCredentials } from './deps';
+
+export type Options = {
+  path: '/';
+  body: string;
+  host: string;
+  method: 'POST';
+  headers: {
+    'Content-Type': 'application/x-www-form-urlencoded';
+    'Content-Length': number;
+    'X-MongoDB-Server-Nonce': string;
+    'X-MongoDB-GS2-CB-Flag': 'n';
+  };
+  service: string;
+  region: string;
+  date?: Date;
+};
+
+export type SignedHeaders = {
+  headers: {
+    Authorization: string;
+    'X-Amz-Date': string;
+  };
+};
+
+const getHash = async (str: string): Promise<string> => {
+  const data = new Uint8Array(BSON.onDemand.ByteUtils.utf8ByteLength(str));
+  BSON.onDemand.ByteUtils.encodeUTF8Into(data, str, 0);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+  const hashHex = BSON.onDemand.ByteUtils.toHex(new Uint8Array(hashBuffer));
+  return hashHex;
+};
+const getHmacBuffer = async (key: string | Uint8Array, str: string): Promise<Uint8Array> => {
+  let keyData: Uint8Array;
+  if (typeof key === 'string') {
+    keyData = new Uint8Array(BSON.onDemand.ByteUtils.utf8ByteLength(key));
+    BSON.onDemand.ByteUtils.encodeUTF8Into(keyData, key, 0);
+  } else {
+    keyData = key;
+  }
+
+  const importedKey = await crypto.subtle.importKey(
+    'raw',
+    keyData,
+    { name: 'HMAC', hash: { name: 'SHA-256' } },
+    false,
+    ['sign']
+  );
+  const strData = new Uint8Array(BSON.onDemand.ByteUtils.utf8ByteLength(str));
+  BSON.onDemand.ByteUtils.encodeUTF8Into(strData, str, 0);
+  const signature = await crypto.subtle.sign('HMAC', importedKey, strData);
+  const digest = new Uint8Array(signature);
+  return digest;
+};
+const getHmacString = async (key: Uint8Array, str: string): Promise<string> => {
+  const hmacBuffer = await getHmacBuffer(key, str);
+  const hashHex = BSON.onDemand.ByteUtils.toHex(hmacBuffer);
+  return hashHex;
+};
+
+const convertHeaderValue = (value: string | number) => {
+  return value.toString().trim().replace(/\s+/g, ' ');
+};
+
+/**
+ * This method implements AWS Signature 4 logic for a very specific request format.
+ * The signing logic is described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+ */
+export async function aws4Sign(
+  options: Options,
+  credentials: AWSCredentials
+): Promise<SignedHeaders> {
+  /**
+   * From the spec: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+   *
+   * Summary of signing steps
+   * 1. Create a canonical request
+   *    Arrange the contents of your request (host, action, headers, etc.) into a standard canonical format. The canonical request is one of the inputs used to create the string to sign.
+   * 2. Create a hash of the canonical request
+   *    Hash the canonical request using the same algorithm that you used to create the hash of the payload. The hash of the canonical request is a string of lowercase hexadecimal characters.
+   * 3. Create a string to sign
+   *    Create a string to sign with the canonical request and extra information such as the algorithm, request date, credential scope, and the hash of the canonical request.
+   * 4. Derive a signing key
+   *    Use the secret access key to derive the key used to sign the request.
+   * 5. Calculate the signature
+   *    Perform a keyed hash operation on the string to sign using the derived signing key as the hash key.
+   * 6. Add the signature to the request
+   *    Add the calculated signature to an HTTP header or to the query string of the request.
+   */
+
+  // 1: Create a canonical request
+
+  // Date – The date and time used to sign the request. If not provided, use the current date.
+  const date = options.date || new Date();
+  // RequestDateTime – The date and time used in the credential scope. This value is the current UTC time in ISO 8601 format (for example, 20130524T000000Z).
+  const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
+  // RequestDate – The date used in the credential scope. This value is the current UTC date in YYYYMMDD format (for example, 20130524).
+  const requestDate = requestDateTime.substring(0, 8);
+  // Method – The HTTP request method. For us, this is always 'POST'.
+  const method = options.method;
+  // CanonicalUri – The URI-encoded version of the absolute path component URI, starting with the / that follows the domain name and up to the end of the string
+  // For our requests, this is always '/'
+  const canonicalUri = options.path;
+  // CanonicalQueryString – The URI-encoded query string parameters. For our requests, there are no query string parameters, so this is always an empty string.
+  const canonicalQuerystring = '';
+
+  // CanonicalHeaders – A list of request headers with their values. Individual header name and value pairs are separated by the newline character ("\n").
+  // All of our known/expected headers are included here, there are no extra headers.
+  const headers = new Headers({
+    'content-length': convertHeaderValue(options.headers['Content-Length']),
+    'content-type': convertHeaderValue(options.headers['Content-Type']),
+    host: convertHeaderValue(options.host),
+    'x-amz-date': convertHeaderValue(requestDateTime),
+    'x-mongodb-gs2-cb-flag': convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag']),
+    'x-mongodb-server-nonce': convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])
+  });
+  // If session token is provided, include it in the headers
+  if ('sessionToken' in credentials && credentials.sessionToken) {
+    headers.append('x-amz-security-token', convertHeaderValue(credentials.sessionToken));
+  }
+  // Canonical headers are lowercased and sorted.
+  const canonicalHeaders = Array.from(headers.entries())
+    .map(([key, value]) => `${key.toLowerCase()}:${value}`)
+    .sort()
+    .join('\n');
+  const canonicalHeaderNames = Array.from(headers.keys()).map(header => header.toLowerCase());
+  // SignedHeaders – An alphabetically sorted, semicolon-separated list of lowercase request header names.
+  const signedHeaders = canonicalHeaderNames.sort().join(';');
+
+  // HashedPayload – A string created using the payload in the body of the HTTP request as input to a hash function. This string uses lowercase hexadecimal characters.
+  const hashedPayload = await getHash(options.body);
+
+  // CanonicalRequest – A string that includes the above elements, separated by newline characters.
+  const canonicalRequest = [
+    method,
+    canonicalUri,
+    canonicalQuerystring,
+    canonicalHeaders + '\n',
+    signedHeaders,
+    hashedPayload
+  ].join('\n');
+
+  // 2. Create a hash of the canonical request
+  // HashedCanonicalRequest – A string created by using the canonical request as input to a hash function.
+  const hashedCanonicalRequest = await getHash(canonicalRequest);
+
+  // 3. Create a string to sign
+  // Algorithm – The algorithm used to create the hash of the canonical request. For SigV4, use AWS4-HMAC-SHA256.
+  const algorithm = 'AWS4-HMAC-SHA256';
+  // CredentialScope – The credential scope, which restricts the resulting signature to the specified Region and service.
+  // Has the following format: YYYYMMDD/region/service/aws4_request.
+  const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
+  // StringToSign – A string that includes the above elements, separated by newline characters.
+  const stringToSign = [algorithm, requestDateTime, credentialScope, hashedCanonicalRequest].join(
+    '\n'
+  );
+
+  // 4. Derive a signing key
+  // To derive a signing key for SigV4, perform a succession of keyed hash operations (HMAC) on the request date, Region, and service, with your AWS secret access key as the key for the initial hashing operation.
+  const dateKey = await getHmacBuffer('AWS4' + credentials.secretAccessKey, requestDate);
+  const dateRegionKey = await getHmacBuffer(dateKey, options.region);
+  const dateRegionServiceKey = await getHmacBuffer(dateRegionKey, options.service);
+  const signingKey = await getHmacBuffer(dateRegionServiceKey, 'aws4_request');
+
+  // 5. Calculate the signature
+  const signature = await getHmacString(signingKey, stringToSign);
+
+  // 6. Add the signature to the request
+  // Calculate the Authorization header
+  const authorizationHeader = [
+    'AWS4-HMAC-SHA256 Credential=' + credentials.accessKeyId + '/' + credentialScope,
+    'SignedHeaders=' + signedHeaders,
+    'Signature=' + signature
+  ].join(', ');
+
+  // Return the calculated headers
+  return {
+    headers: {
+      Authorization: authorizationHeader,
+      'X-Amz-Date': requestDateTime
+    }
+  };
+}

src/cmap/auth/mongodb_aws.ts

@@ -1,6 +1,6 @@
+import { aws4Sign } from '../../aws4';
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4 } from '../../deps';
 import {
   MongoCompatibilityError,
   MongoMissingCredentialsError,
@@ -45,11 +45,6 @@ export class MongoDBAWS extends AuthProvider {
       throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
 
-    if ('kModuleError' in aws4) {
-      throw aws4['kModuleError'];
-    }
-    const { sign } = aws4;
-
     if (maxWireVersion(connection) < 9) {
       throw new MongoCompatibilityError(
         'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
@@ -68,13 +63,10 @@ export class MongoDBAWS extends AuthProvider {
     // Allow the user to specify an AWS session token for authentication with temporary credentials.
     const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
 
-    // If all three defined, include sessionToken, else include username and pass, else no credentials
-    const awsCredentials =
-      accessKeyId && secretAccessKey && sessionToken
-        ? { accessKeyId, secretAccessKey, sessionToken }
-        : accessKeyId && secretAccessKey
-          ? { accessKeyId, secretAccessKey }
-          : undefined;
+    // If all three defined, include sessionToken, else only include username and pass
+    const awsCredentials = sessionToken
+      ? { accessKeyId, secretAccessKey, sessionToken }
+      : { accessKeyId, secretAccessKey };
 
     const db = credentials.source;
     const nonce = await randomBytes(32);
@@ -114,7 +106,7 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = sign(
+    const signed = await aws4Sign(
       {
         method: 'POST',
         host,
@@ -133,8 +125,8 @@ export class MongoDBAWS extends AuthProvider {
     );
 
     const payload: AWSSaslContinuePayload = {
-      a: options.headers.Authorization,
-      d: options.headers['X-Amz-Date']
+      a: signed.headers.Authorization,
+      d: signed.headers['X-Amz-Date']
     };
 
     if (sessionToken) {

src/deps.ts

@@ -89,7 +89,7 @@ export interface AWSCredentials {
   expiration?: Date;
 }
 
-type CredentialProvider = {
+export type CredentialProvider = {
   fromNodeProviderChain(
     this: void,
     options: { clientConfig: { region: string } }
@@ -203,66 +203,6 @@ export function getSocks(): SocksLib | { kModuleError: MongoMissingDependencyErr
   }
 }
 
-interface AWS4 {
-  /**
-   * Created these inline types to better assert future usage of this API
-   * @param options - options for request
-   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
-   */
-  sign(
-    this: void,
-    options: {
-      path: '/';
-      body: string;
-      host: string;
-      method: 'POST';
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded';
-        'Content-Length': number;
-        'X-MongoDB-Server-Nonce': string;
-        'X-MongoDB-GS2-CB-Flag': 'n';
-      };
-      service: string;
-      region: string;
-    },
-    credentials:
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-        }
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-        }
-      | undefined
-  ): {
-    headers: {
-      Authorization: string;
-      'X-Amz-Date': string;
-    };
-  };
-}
-
-export const aws4: AWS4 | { kModuleError: MongoMissingDependencyError } = loadAws4();
-
-function loadAws4() {
-  let aws4: AWS4 | { kModuleError: MongoMissingDependencyError };
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    aws4 = require('aws4');
-  } catch (error) {
-    aws4 = makeErrorModule(
-      new MongoMissingDependencyError(
-        'Optional module `aws4` not found. Please install it to enable AWS authentication',
-        { cause: error, dependencyName: 'aws4' }
-      )
-    );
-  }
-
-  return aws4;
-}
-
 /** A utility function to get the instance of mongodb-client-encryption, if it exists. */
 export function getMongoDBClientEncryption():
   | typeof import('mongodb-client-encryption')