feat(NODE-7046): remove AWS uri/options support

.evergreen/setup-mongodb-aws-auth-tests.sh

@@ -18,7 +18,7 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
 # Create a python virtual environment.
 . ./activate-authawsvenv.sh
 # Source the environment variables. Configure the environment and the server.
-. aws_setup.sh $AWS_CREDENTIAL_TYPE
+. aws_setup.sh --nouri $AWS_CREDENTIAL_TYPE
 
 cd $BEFORE
 

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "drivers-evergreen-tools"]
 	path = drivers-evergreen-tools
-	url = https://github.com/mongodb-labs/drivers-evergreen-tools.git
+	url = https://github.com/mongodb-labs/drivers-evergreen-tools.git

src/cmap/auth/mongo_credentials.ts

@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+  /** @internal */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;

src/cmap/auth/mongodb_aws.ts

@@ -56,12 +56,10 @@ export class MongoDBAWS extends AuthProvider {
       );
     }
 
-    if (!authContext.credentials.username) {
-      authContext.credentials = await makeTempCredentials(
-        authContext.credentials,
-        this.credentialFetcher
-      );
-    }
+    authContext.credentials = await makeTempCredentials(
+      authContext.credentials,
+      this.credentialFetcher
+    );
 
     const { credentials } = authContext;
 

src/connection_string.ts

@@ -423,6 +423,20 @@ export function parseOptions(
       );
     }
 
+    if (isAws) {
+      const { username, password } = mongoOptions.credentials;
+      if (username || password) {
+        throw new MongoAPIError(
+          'username and password cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
+        );
+      }
+      if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) {
+        throw new MongoAPIError(
+          'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be read via the AWS SDK'
+        );
+      }
+    }
+
     mongoOptions.credentials.validate();
 
     // Check if the only auth related option provided was authSource, if so we can remove credentials

test/integration/node-specific/examples/aws_handler.js

@@ -6,10 +6,6 @@ const { MongoClient } = require('mongodb');
 // options. Note that MongoClient now auto-connects so no need to store the connect()
 // promise anywhere and reference it.
 const client = new MongoClient(process.env.MONGODB_URI, {
-  auth: {
-    username: process.env.AWS_ACCESS_KEY_ID,
-    password: process.env.AWS_SECRET_ACCESS_KEY
-  },
   authSource: '$external',
   authMechanism: 'MONGODB-AWS'
 });

test/spec/auth/legacy/connection-string.json

@@ -440,6 +440,21 @@
         }
       }
     },
+    {
+      "description": "should throw an exception if username provided (MONGODB-AWS)",
+      "uri": "mongodb://user@localhost.com/?authMechanism=MONGODB-AWS",
+      "valid": false
+    },
+    {
+      "description": "should throw an exception if username and password provided (MONGODB-AWS)",
+      "uri": "mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS",
+      "valid": false
+    },
+    {
+      "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)",
+      "uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token",
+      "valid": false
+    },
     {
       "description": "should recognise the mechanism with test environment (MONGODB-OIDC)",
       "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",

test/spec/auth/legacy/connection-string.yml

@@ -320,6 +320,15 @@ tests:
     mechanism: MONGODB-AWS
     mechanism_properties:
       AWS_SESSION_TOKEN: token!@#$%^&*()_+
+- description: should throw an exception if username provided (MONGODB-AWS)
+  uri: mongodb://user@localhost.com/?authMechanism=MONGODB-AWS
+  valid: false
+- description: should throw an exception if username and password provided (MONGODB-AWS)
+  uri: mongodb://user:pass@localhost.com/?authMechanism=MONGODB-AWS
+  valid: false
+- description: should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS)
+  uri: mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token
+  valid: false
 - description: should recognise the mechanism with test environment (MONGODB-OIDC)
   uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test
   valid: true
@@ -468,4 +477,4 @@ tests:
     (MONGODB-OIDC)
   uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
   valid: false
-  credential: null
+  credential: null

test/unit/assorted/auth.spec.test.ts

@@ -1,13 +1,22 @@
 import { loadSpecTests } from '../../spec';
 import { executeUriValidationTest } from '../../tools/uri_spec_runner';
 
+const SKIP = [
+  'should use username and password if specified (MONGODB-AWS)',
+  'should use username, password and session token if specified (MONGODB-AWS)'
+];
+
 describe('Auth option spec tests (legacy)', function () {
   const suites = loadSpecTests('auth', 'legacy');
 
   for (const suite of suites) {
     describe(suite.name, function () {
       for (const test of suite.tests) {
         it(`${test.description}`, function () {
+          if (SKIP.includes(test.description)) {
+            this.test.skipReason = `NODE-7228: ${test.description}`;
+            this.test.skip();
+          }
           executeUriValidationTest(test);
         });
       }