update test case

Author: qingyang-hu

internal/credproviders/aws_provider.go

@@ -10,26 +10,15 @@ import (
 	"context"
 
 	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+	"go.mongodb.org/mongo-driver/v2/x/mongo/driver"
 )
 
 const awsProviderName = "AwsProvider"
 
-// AwsCredentialsProvider is a function that retrieves AWS credentials.
-type AwsCredentialsProvider func(context.Context) (AwsCredentials, error)
-
-// AwsCredentials represents AWS credentials with an expiration callback.
-type AwsCredentials struct {
-	AccessKeyID        string
-	SecretAccessKey    string
-	SessionToken       string
-	ExpirationCallback func() bool
-}
-
 // AwsProvider retrieves credentials from the given AWS credentials provider.
 type AwsProvider struct {
-	credentials *AwsCredentials
-
-	Provider AwsCredentialsProvider
+	credentials *driver.Credentials
+	Provider    func(context.Context) (driver.Credentials, error)
 }
 
 // Retrieve retrieves the keys from the given AWS credentials provider.

internal/integration/client_side_encryption_prose_test.go

@@ -28,7 +28,6 @@ import (
 	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.mongodb.org/mongo-driver/v2/event"
 	"go.mongodb.org/mongo-driver/v2/internal/assert"
-	"go.mongodb.org/mongo-driver/v2/internal/credproviders"
 	"go.mongodb.org/mongo-driver/v2/internal/handshake"
 	"go.mongodb.org/mongo-driver/v2/internal/integration/mtest"
 	"go.mongodb.org/mongo-driver/v2/internal/integtest"
@@ -3146,144 +3145,125 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			})
 		}
 	})
+}
 
-	mt.RunOpts("26. custom AWS credentials", qeRunOpts22, func(mt *mtest.T) {
-		mt.Run("Case 1: ClientEncryption with credentialProviders and incorrect kmsProviders", func(mt *mtest.T) {
-			opts := options.Client().ApplyURI(mtest.ClusterURI())
-			integtest.AddTestServerAPIVersion(opts)
-			keyVaultClient, err := mongo.Connect(opts)
-			assert.NoErrorf(mt, err, "error on Connect: %v", err)
+func TestCustomAwsCredentialsProse(t *testing.T) {
+	mt := mtest.New(t, mtest.NewOptions().CreateClient(false))
 
-			ceo := options.ClientEncryption().
-				SetKeyVaultNamespace("keyvault.datakeys").
-				SetKmsProviders(map[string]map[string]any{
-					"aws": {
-						"accessKeyId":     awsAccessKeyID,
-						"secretAccessKey": awsSecretAccessKey,
-					},
-				}).
-				SetCredentialProviders(map[string]options.CredentialsProvider{
-					"aws": func(ctx context.Context) (options.Credentials, error) {
-						var cred options.Credentials
-						provider := credproviders.NewEnvProvider()
-						c, err := provider.Retrieve(ctx)
-						if err != nil {
-							return cred, err
-						}
-						cred.AccessKeyID = c.AccessKeyID
-						cred.SecretAccessKey = c.SecretAccessKey
-						cred.SessionToken = c.SessionToken
-						cred.ExpirationCallback = provider.IsExpired
-						return cred, nil
-					},
-				})
-			clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
-			assert.NoErrorf(mt, err, "error on NewClientEncryption: %v", err)
+	mt.Run("Case 1: ClientEncryption with credentialProviders and incorrect kmsProviders", func(mt *mtest.T) {
+		opts := options.Client().ApplyURI(mtest.ClusterURI())
+		integtest.AddTestServerAPIVersion(opts)
+		keyVaultClient, err := mongo.Connect(opts)
+		assert.NoErrorf(mt, err, "error on Connect: %v", err)
 
-			dkOpts := options.DataKey()
-			_, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
-			assert.Error(mt, err, "expected an error")
-		})
-		mt.Run("Case 2: ClientEncryption with credentialProviders works", func(mt *mtest.T) {
-			opts := options.Client().ApplyURI(mtest.ClusterURI())
-			integtest.AddTestServerAPIVersion(opts)
-			keyVaultClient, err := mongo.Connect(opts)
-			assert.NoErrorf(mt, err, "error on Connect: %v", err)
+		ceo := options.ClientEncryption().
+			SetKeyVaultNamespace("keyvault.datakeys").
+			SetKmsProviders(map[string]map[string]any{
+				"aws": {
+					"accessKeyId":     awsAccessKeyID,
+					"secretAccessKey": awsSecretAccessKey,
+				},
+			}).
+			SetCredentialProviders(map[string]options.CredentialsProvider{
+				"aws": func(ctx context.Context) (options.Credentials, error) {
+					return options.Credentials{}, nil
+				},
+			})
+		_, err = mongo.NewClientEncryption(keyVaultClient, ceo)
+		assert.ErrorContains(mt, err, "can only provide a custom AWS credential provider",
+			"unexpected error: %v", err)
+	})
 
-			var calledCount int
-			ceo := options.ClientEncryption().
-				SetKeyVaultNamespace("keyvault.datakeys").
-				SetKmsProviders(map[string]map[string]any{
-					"aws": map[string]any{},
-				}).
-				SetCredentialProviders(map[string]options.CredentialsProvider{
-					"aws": func(_ context.Context) (options.Credentials, error) {
-						calledCount++
-						return options.Credentials{
-							AccessKeyID:        awsAccessKeyID,
-							SecretAccessKey:    awsSecretAccessKey,
-							ExpirationCallback: func() bool { return false },
-						}, nil
-					},
-				})
-			clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
-			assert.NoErrorf(mt, err, "error on NewClientEncryption: %v", err)
+	mt.Run("Case 2: ClientEncryption with credentialProviders works", func(mt *mtest.T) {
+		opts := options.Client().ApplyURI(mtest.ClusterURI())
+		integtest.AddTestServerAPIVersion(opts)
+		keyVaultClient, err := mongo.Connect(opts)
+		assert.NoErrorf(mt, err, "error on Connect: %v", err)
 
-			dkOpts := options.DataKey()
-			_, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
-			assert.NoErrorf(mt, err, "unexpected error %v", err)
-			assert.Equal(mt, 1, calledCount, "expected credential provider to be called once")
-		})
+		var calledCount int
+		ceo := options.ClientEncryption().
+			SetKeyVaultNamespace("keyvault.datakeys").
+			SetKmsProviders(map[string]map[string]any{
+				"aws": map[string]any{},
+			}).
+			SetCredentialProviders(map[string]options.CredentialsProvider{
+				"aws": func(_ context.Context) (options.Credentials, error) {
+					calledCount++
+					return options.Credentials{
+						AccessKeyID:        awsAccessKeyID,
+						SecretAccessKey:    awsSecretAccessKey,
+						ExpirationCallback: func() bool { return false },
+					}, nil
+				},
+			})
+		clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
+		assert.NoErrorf(mt, err, "error on NewClientEncryption: %v", err)
 
-		mt.Run("Case 3: AutoEncryptionOpts with credentialProviders and incorrect kmsProviders", func(mt *mtest.T) {
-			aeo := options.AutoEncryption().
-				SetKeyVaultNamespace("keyvault.datakeys").
-				SetKmsProviders(map[string]map[string]any{
-					"aws": {
-						"accessKeyId":     awsAccessKeyID,
-						"secretAccessKey": awsSecretAccessKey,
-					},
-				}).
-				SetCredentialProviders(map[string]options.CredentialsProvider{
-					"aws": func(ctx context.Context) (options.Credentials, error) {
-						var cred options.Credentials
-						provider := credproviders.NewEnvProvider()
-						c, err := provider.Retrieve(ctx)
-						if err != nil {
-							return cred, err
-						}
-						cred.AccessKeyID = c.AccessKeyID
-						cred.SecretAccessKey = c.SecretAccessKey
-						cred.SessionToken = c.SessionToken
-						cred.ExpirationCallback = provider.IsExpired
-						return cred, nil
-					},
-				})
-			co := options.Client().SetAutoEncryptionOptions(aeo).ApplyURI(mtest.ClusterURI())
-			integtest.AddTestServerAPIVersion(co)
-			_, err := mongo.Connect(co)
-			assert.Error(mt, err, "expected an error")
+		dkOpts := options.DataKey().SetMasterKey(bson.D{
+			{"region", "us-east-1"},
+			{"key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"},
 		})
+		_, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
+		assert.NoErrorf(mt, err, "unexpected error %v", err)
+		assert.Equal(mt, 1, calledCount, "expected credential provider to be called once")
+	})
 
-		mt.Run("Case 4: ClientEncryption with credentialProviders and valid environment variables", func(mt *mtest.T) {
-			mt.Setenv("AWS_ACCESS_KEY_ID", os.Getenv("FLE_AWS_SECRET_ACCESS_KEY"))
-			mt.Setenv("AWS_SECRET_ACCESS_KEY", os.Getenv("FLE_AWS_ACCESS_KEY_ID"))
+	mt.Run("Case 3: AutoEncryptionOpts with credentialProviders and incorrect kmsProviders", func(mt *mtest.T) {
+		aeo := options.AutoEncryption().
+			SetKeyVaultNamespace("keyvault.datakeys").
+			SetKmsProviders(map[string]map[string]any{
+				"aws": {
+					"accessKeyId":     awsAccessKeyID,
+					"secretAccessKey": awsSecretAccessKey,
+				},
+			}).
+			SetCredentialProviders(map[string]options.CredentialsProvider{
+				"aws": func(ctx context.Context) (options.Credentials, error) {
+					return options.Credentials{}, nil
+				},
+			})
+		co := options.Client().SetAutoEncryptionOptions(aeo).ApplyURI(mtest.ClusterURI())
+		integtest.AddTestServerAPIVersion(co)
+		_, err := mongo.Connect(co)
+		assert.ErrorContainsf(mt, err, "can only provide a custom AWS credential provider",
+			"unexpected error: %v", err)
+	})
 
-			opts := options.Client().ApplyURI(mtest.ClusterURI())
-			integtest.AddTestServerAPIVersion(opts)
-			keyVaultClient, err := mongo.Connect(opts)
-			assert.NoErrorf(mt, err, "error on Connect: %v", err)
+	mt.Run("Case 4: ClientEncryption with credentialProviders and valid environment variables", func(mt *mtest.T) {
+		mt.Setenv("AWS_ACCESS_KEY_ID", os.Getenv("FLE_AWS_SECRET_ACCESS_KEY"))
+		mt.Setenv("AWS_SECRET_ACCESS_KEY", os.Getenv("FLE_AWS_ACCESS_KEY_ID"))
 
-			ceo := options.ClientEncryption().
-				SetKeyVaultNamespace("keyvault.datakeys").
-				SetKmsProviders(map[string]map[string]any{
-					"aws": {
-						"accessKeyId":     awsAccessKeyID,
-						"secretAccessKey": awsSecretAccessKey,
-					},
-				}).
-				SetCredentialProviders(map[string]options.CredentialsProvider{
-					"aws": func(ctx context.Context) (options.Credentials, error) {
-						var cred options.Credentials
-						provider := credproviders.NewEnvProvider()
-						c, err := provider.Retrieve(ctx)
-						if err != nil {
-							return cred, err
-						}
-						cred.AccessKeyID = c.AccessKeyID
-						cred.SecretAccessKey = c.SecretAccessKey
-						cred.SessionToken = c.SessionToken
-						cred.ExpirationCallback = provider.IsExpired
-						return cred, nil
-					},
-				})
-			clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
-			assert.NoErrorf(mt, err, "error on NewClientEncryption: %v", err)
+		opts := options.Client().ApplyURI(mtest.ClusterURI())
+		integtest.AddTestServerAPIVersion(opts)
+		keyVaultClient, err := mongo.Connect(opts)
+		assert.NoErrorf(mt, err, "error on Connect: %v", err)
 
-			dkOpts := options.DataKey()
-			_, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
-			assert.NoErrorf(mt, err, "unexpected error %v", err)
+		var calledCount int
+		ceo := options.ClientEncryption().
+			SetKeyVaultNamespace("keyvault.datakeys").
+			SetKmsProviders(map[string]map[string]any{
+				"aws": map[string]any{},
+			}).
+			SetCredentialProviders(map[string]options.CredentialsProvider{
+				"aws": func(ctx context.Context) (options.Credentials, error) {
+					calledCount++
+					return options.Credentials{
+						AccessKeyID:        awsAccessKeyID,
+						SecretAccessKey:    awsSecretAccessKey,
+						ExpirationCallback: func() bool { return false },
+					}, nil
+				},
+			})
+		clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
+		assert.NoErrorf(mt, err, "error on NewClientEncryption: %v", err)
+
+		dkOpts := options.DataKey().SetMasterKey(bson.D{
+			{"region", "us-east-1"},
+			{"key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"},
 		})
+		_, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
+		assert.NoErrorf(mt, err, "unexpected error %v", err)
+		assert.Equal(mt, 1, calledCount, "expected credential provider to be called once")
 	})
 }
 

internal/test/aws/aws_test.go

@@ -38,37 +38,3 @@ func TestAWS(t *testing.T) {
 		t.Logf("FindOne error: %v", err)
 	}
 }
-
-func TestAWSCustomCredentialProviders(t *testing.T) {
-	uri := os.Getenv("MONGODB_URI")
-	if uri == "" {
-		t.Skip("Skipping test: MONGODB_URI environment variable is not set")
-	}
-
-	var calledCount int
-	awsCredential := options.Credential{
-		AuthMechanism: "MONGODB-AWS",
-		AwsCredentialsProvider: func(_ context.Context) (options.Credentials, error) {
-			calledCount++
-			return options.Credentials{
-				AccessKeyID:        os.Getenv("AWS_ACCESS_KEY_ID"),
-				SecretAccessKey:    os.Getenv("AWS_SECRET_ACCESS_KEY"),
-				ExpirationCallback: func() bool { return false },
-			}, nil
-		},
-	}
-	client, err := mongo.Connect(options.Client().ApplyURI(uri).SetAuth(awsCredential))
-
-	defer func() {
-		err = client.Disconnect(context.Background())
-		require.NoError(t, err)
-	}()
-
-	coll := client.Database("aws").Collection("test")
-
-	err = coll.FindOne(context.Background(), bson.D{{Key: "x", Value: 1}}).Err()
-	if err != nil && !errors.Is(err, mongo.ErrNoDocuments) {
-		t.Logf("FindOne error: %v", err)
-	}
-	require.Equalf(t, 1, calledCount, "expected custom AWS credential provider to be called once")
-}

mongo/client.go

@@ -601,8 +601,8 @@ func (c *Client) newMongoCrypt(opts *options.AutoEncryptionOptions) (*mongocrypt
 	for k, fn := range opts.CredentialProviders {
 		if k == "aws" && fn != nil {
 			providers[k] = &credproviders.AwsProvider{
-				Provider: func(ctx context.Context) (credproviders.AwsCredentials, error) {
-					var creds credproviders.AwsCredentials
+				Provider: func(ctx context.Context) (driver.Credentials, error) {
+					var creds driver.Credentials
 					c, err := fn(ctx)
 					if err != nil {
 						return creds, err

mongo/client_encryption.go

@@ -59,8 +59,8 @@ func NewClientEncryption(keyVaultClient *Client, opts ...options.Lister[options.
 	for k, fn := range cea.CredentialProviders {
 		if k == "aws" && fn != nil {
 			providers[k] = &credproviders.AwsProvider{
-				Provider: func(ctx context.Context) (credproviders.AwsCredentials, error) {
-					var creds credproviders.AwsCredentials
+				Provider: func(ctx context.Context) (driver.Credentials, error) {
+					var creds driver.Credentials
 					c, err := fn(ctx)
 					if err != nil {
 						return creds, err

mongo/client_examples_test.go

@@ -267,10 +267,11 @@ func ExampleConnect_aWS() {
 	// The order in which the driver searches for credentials is:
 	//
 	// 1. Credentials passed through the URI
-	// 2. Environment variables
-	// 3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is
+	// 2. Custom AWS credential provider
+	// 3. Environment variables
+	// 4. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is
 	//    set
-	// 4. EC2 endpoint
+	// 5. EC2 endpoint
 	//
 	// The following examples set the appropriate credentials via the
 	// ClientOptions.SetAuth method. All of these credentials can be specified
@@ -352,6 +353,28 @@ func ExampleConnect_aWS() {
 		panic(err)
 	}
 	_ = ecClient
+
+	// Custom AWS credential provider
+
+	// Applications can authenticate using a custom AWS credential provider as
+	// well.
+	credential := options.Credential{
+		AuthMechanism: "MONGODB-AWS",
+		AwsCredentialsProvider: func(_ context.Context) (options.Credentials, error) {
+			return options.Credentials{
+				AccessKeyID:        accessKeyID,
+				SecretAccessKey:    secretAccessKey,
+				SessionToken:       sessionToken,
+				ExpirationCallback: func() bool { return false },
+			}, nil
+		},
+	}
+	awsClient, err := mongo.Connect(
+		options.Client().SetAuth(credential))
+	if err != nil {
+		panic(err)
+	}
+	_ = awsClient
 }
 
 func ExampleConnect_stableAPI() {