introduce KMSCredentialProvider abstraction

baileympearson · baileympearson · commit 187582ee8256 · 2024-03-26T14:57:46.000-06:00
diff --git a/src/client-side-encryption/auto_encrypter.ts b/src/client-side-encryption/auto_encrypter.ts
@@ -13,7 +13,7 @@ import { MongoDBCollectionNamespace } from '../utils';
 import * as cryptoCallbacks from './crypto_callbacks';
 import { MongoCryptInvalidArgumentError } from './errors';
 import { MongocryptdManager } from './mongocryptd_manager';
-import { type KMSProviders, refreshKMSCredentials } from './providers';
+import { KMSCredentialProvider, type KMSProviders } from './providers';
 import { type CSFLEKMSTlsOptions, StateMachine } from './state_machine';
 
 /** @public */
@@ -233,7 +233,6 @@ export class AutoEncrypter {
   _metaDataClient: MongoClient;
   _proxyOptions: ProxyOptions;
   _tlsOptions: CSFLEKMSTlsOptions;
-  _kmsProviders: KMSProviders;
   _bypassMongocryptdAndCryptShared: boolean;
   _contextCounter: number;
 
@@ -252,6 +251,7 @@ export class AutoEncrypter {
    * fields were decrypted.
    */
   [kDecorateResult] = false;
+  _credentialProvider: KMSCredentialProvider;
 
   /** @internal */
   static getMongoCrypt(): MongoCryptConstructor {
@@ -319,7 +319,7 @@ export class AutoEncrypter {
     this._metaDataClient = options.metadataClient || client;
     this._proxyOptions = options.proxyOptions || {};
     this._tlsOptions = options.tlsOptions || {};
-    this._kmsProviders = options.kmsProviders || {};
+    const kmsProviders = options.kmsProviders || {};
 
     const mongoCryptOptions: MongoCryptOptions = {
       cryptoCallbacks
@@ -336,9 +336,9 @@ export class AutoEncrypter {
         : (serialize(options.encryptedFieldsMap) as Buffer);
     }
 
-    mongoCryptOptions.kmsProviders = !Buffer.isBuffer(this._kmsProviders)
-      ? (serialize(this._kmsProviders) as Buffer)
-      : this._kmsProviders;
+    mongoCryptOptions.kmsProviders = !Buffer.isBuffer(kmsProviders)
+      ? (serialize(kmsProviders) as Buffer)
+      : kmsProviders;
 
     if (options.options?.logger) {
       mongoCryptOptions.logger = options.options.logger;
@@ -389,6 +389,8 @@ export class AutoEncrypter {
 
       this._mongocryptdClient = new MongoClient(this._mongocryptdManager.uri, clientOptions);
     }
+
+    this._credentialProvider = new KMSCredentialProvider(kmsProviders);
   }
 
   /**
@@ -502,7 +504,7 @@ export class AutoEncrypter {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return refreshKMSCredentials(this._kmsProviders);
+    return this._credentialProvider.refreshCredentials();
   }
 
   /**
diff --git a/src/client-side-encryption/client_encryption.ts b/src/client-side-encryption/client_encryption.ts
@@ -25,8 +25,8 @@ import {
 } from './errors';
 import {
   type ClientEncryptionDataKeyProvider,
-  type KMSProviders,
-  refreshKMSCredentials
+  KMSCredentialProvider,
+  type KMSProviders
 } from './providers/index';
 import { type CSFLEKMSTlsOptions, StateMachine } from './state_machine';
 
@@ -61,8 +61,7 @@ export class ClientEncryption {
   /** @internal */
   _tlsOptions: CSFLEKMSTlsOptions;
   /** @internal */
-  _kmsProviders: KMSProviders;
-
+  _credentialProvider: KMSCredentialProvider;
   /** @internal */
   _mongoCrypt: MongoCrypt;
 
@@ -107,7 +106,7 @@ export class ClientEncryption {
     this._client = client;
     this._proxyOptions = options.proxyOptions ?? {};
     this._tlsOptions = options.tlsOptions ?? {};
-    this._kmsProviders = options.kmsProviders || {};
+    const kmsProviders = options.kmsProviders || {};
 
     if (options.keyVaultNamespace == null) {
       throw new MongoCryptInvalidArgumentError('Missing required option `keyVaultNamespace`');
@@ -116,15 +115,16 @@ export class ClientEncryption {
     const mongoCryptOptions: MongoCryptOptions = {
       ...options,
       cryptoCallbacks,
-      kmsProviders: !Buffer.isBuffer(this._kmsProviders)
-        ? (serialize(this._kmsProviders) as Buffer)
-        : this._kmsProviders
+      kmsProviders: !Buffer.isBuffer(kmsProviders)
+        ? (serialize(kmsProviders) as Buffer)
+        : kmsProviders
     };
 
     this._keyVaultNamespace = options.keyVaultNamespace;
     this._keyVaultClient = options.keyVaultClient || client;
     const MongoCrypt = ClientEncryption.getMongoCrypt();
     this._mongoCrypt = new MongoCrypt(mongoCryptOptions);
+    this._credentialProvider = new KMSCredentialProvider(kmsProviders);
   }
 
   /**
@@ -654,7 +654,7 @@ export class ClientEncryption {
    * the original ones.
    */
   async askForKMSCredentials(): Promise<KMSProviders> {
-    return refreshKMSCredentials(this._kmsProviders);
+    return this._credentialProvider.refreshCredentials();
   }
 
   static get libmongocryptVersion() {
diff --git a/src/client-side-encryption/providers/index.ts b/src/client-side-encryption/providers/index.ts
@@ -144,25 +144,30 @@ export function isEmptyCredentials(
 }
 
 /**
- * Load cloud provider credentials for the user provided KMS providers.
- * Credentials will only attempt to get loaded if they do not exist
- * and no existing credentials will get overwritten.
- *
  * @internal
  */
-export async function refreshKMSCredentials(kmsProviders: KMSProviders): Promise<KMSProviders> {
-  let finalKMSProviders = kmsProviders;
+export class KMSCredentialProvider {
+  constructor(private readonly kmsProviders: KMSProviders) {}
 
-  if (isEmptyCredentials('aws', kmsProviders)) {
-    finalKMSProviders = await loadAWSCredentials(finalKMSProviders);
-  }
+  /**
+   * Load cloud provider credentials for the user provided KMS providers.
+   * Credentials will only attempt to get loaded if they do not exist
+   * and no existing credentials will get overwritten.
+   */
+  async refreshCredentials() {
+    let finalKMSProviders = this.kmsProviders;
 
-  if (isEmptyCredentials('gcp', kmsProviders)) {
-    finalKMSProviders = await loadGCPCredentials(finalKMSProviders);
-  }
+    if (isEmptyCredentials('aws', this.kmsProviders)) {
+      finalKMSProviders = await loadAWSCredentials(finalKMSProviders);
+    }
+
+    if (isEmptyCredentials('gcp', this.kmsProviders)) {
+      finalKMSProviders = await loadGCPCredentials(finalKMSProviders);
+    }
 
-  if (isEmptyCredentials('azure', kmsProviders)) {
-    finalKMSProviders = await loadAzureCredentials(finalKMSProviders);
+    if (isEmptyCredentials('azure', this.kmsProviders)) {
+      finalKMSProviders = await loadAzureCredentials(finalKMSProviders);
+    }
+    return finalKMSProviders;
   }
-  return finalKMSProviders;
 }
