flow like the river

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/aws_service_workflow.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsServiceWorkflow = void 0;
+const fs = require("fs");
+const error_1 = require("../../../error");
+const service_workflow_1 = require("./service_workflow");
+/** Error for when the token is missing in the environment. */
+const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.';
+/**
+ * Device workflow implementation for AWS.
+ *
+ * @internal
+ */
+class AwsServiceWorkflow extends service_workflow_1.ServiceWorkflow {
+    constructor() {
+        super();
+    }
+    /**
+     * Get the token from the environment.
+     */
+    async getToken() {
+        const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
+        if (!tokenFile) {
+            throw new error_1.MongoAWSError(TOKEN_MISSING_ERROR);
+        }
+        return fs.promises.readFile(tokenFile, 'utf8');
+    }
+}
+exports.AwsServiceWorkflow = AwsServiceWorkflow;
+//# sourceMappingURL=aws_service_workflow.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/aws_service_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws_service_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/aws_service_workflow.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AAEzB,0CAA+C;AAC/C,yDAAqD;AAErD,8DAA8D;AAC9D,MAAM,mBAAmB,GAAG,6DAA6D,CAAC;AAE1F;;;;GAIG;AACH,MAAa,kBAAmB,SAAQ,kCAAe;IACrD;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;QAC1D,IAAI,CAAC,SAAS,EAAE;YACd,MAAM,IAAI,qBAAa,CAAC,mBAAmB,CAAC,CAAC;SAC9C;QACD,OAAO,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACjD,CAAC;CACF;AAfD,gDAeC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/azure_service_workflow.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureServiceWorkflow = void 0;
+const error_1 = require("../../../error");
+const utils_1 = require("../../../utils");
+const azure_token_cache_1 = require("./azure_token_cache");
+const service_workflow_1 = require("./service_workflow");
+/** Base URL for getting Azure tokens. */
+const AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01';
+/** Azure request headers. */
+const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
+/** Invalid endpoint result error. */
+const ENDPOINT_RESULT_ERROR = 'Azure endpoint did not return a value with only access_token and expires_in properties';
+/** Error for when the token audience is missing in the environment. */
+const TOKEN_AUDIENCE_MISSING_ERROR = 'TOKEN_AUDIENCE must be set in the auth mechanism properties when PROVIDER_NAME is azure.';
+/**
+ * Device workflow implementation for Azure.
+ *
+ * @internal
+ */
+class AzureServiceWorkflow extends service_workflow_1.ServiceWorkflow {
+    constructor() {
+        super(...arguments);
+        this.cache = new azure_token_cache_1.AzureTokenCache();
+    }
+    /**
+     * Get the token from the environment.
+     */
+    async getToken(credentials) {
+        const tokenAudience = credentials?.mechanismProperties.TOKEN_AUDIENCE;
+        if (!tokenAudience) {
+            throw new error_1.MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR);
+        }
+        let token;
+        const entry = this.cache.getEntry(tokenAudience);
+        if (entry?.isValid()) {
+            token = entry.token;
+        }
+        else {
+            this.cache.deleteEntry(tokenAudience);
+            const response = await getAzureTokenData(tokenAudience);
+            if (!isEndpointResultValid(response)) {
+                throw new error_1.MongoAzureError(ENDPOINT_RESULT_ERROR);
+            }
+            this.cache.addEntry(tokenAudience, response);
+            token = response.access_token;
+        }
+        return token;
+    }
+}
+exports.AzureServiceWorkflow = AzureServiceWorkflow;
+/**
+ * Hit the Azure endpoint to get the token data.
+ */
+async function getAzureTokenData(tokenAudience) {
+    const url = `${AZURE_BASE_URL}&resource=${tokenAudience}`;
+    const data = await (0, utils_1.request)(url, {
+        json: true,
+        headers: AZURE_HEADERS
+    });
+    return data;
+}
+/**
+ * Determines if a result returned from the endpoint is valid.
+ * This means the result is not nullish, contains the access_token required field
+ * and the expires_in required field.
+ */
+function isEndpointResultValid(token) {
+    if (token == null || typeof token !== 'object')
+        return false;
+    return 'access_token' in token && 'expires_in' in token;
+}
+//# sourceMappingURL=azure_service_workflow.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/azure_service_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure_service_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/azure_service_workflow.ts"],"names":[],"mappings":";;;AAAA,0CAAiD;AACjD,0CAAyC;AAEzC,2DAAsD;AACtD,yDAAqD;AAErD,yCAAyC;AACzC,MAAM,cAAc,GAClB,8EAA8E,CAAC;AAEjF,6BAA6B;AAC7B,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAEtF,qCAAqC;AACrC,MAAM,qBAAqB,GACzB,wFAAwF,CAAC;AAE3F,uEAAuE;AACvE,MAAM,4BAA4B,GAChC,0FAA0F,CAAC;AAW7F;;;;GAIG;AACH,MAAa,oBAAqB,SAAQ,kCAAe;IAAzD;;QACE,UAAK,GAAG,IAAI,mCAAe,EAAE,CAAC;IAyBhC,CAAC;IAvBC;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,WAA8B;QAC3C,MAAM,aAAa,GAAG,WAAW,EAAE,mBAAmB,CAAC,cAAc,CAAC;QACtE,IAAI,CAAC,aAAa,EAAE;YAClB,MAAM,IAAI,uBAAe,CAAC,4BAA4B,CAAC,CAAC;SACzD;QACD,IAAI,KAAK,CAAC;QACV,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QACjD,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE;YACpB,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;SACrB;aAAM;YACL,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,aAAa,CAAC,CAAC;YACxD,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE;gBACpC,MAAM,IAAI,uBAAe,CAAC,qBAAqB,CAAC,CAAC;aAClD;YACD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;YAC7C,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC;SAC/B;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AA1BD,oDA0BC;AAED;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAAC,aAAqB;IACpD,MAAM,GAAG,GAAG,GAAG,cAAc,aAAa,aAAa,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,MAAM,IAAA,eAAO,EAAC,GAAG,EAAE;QAC9B,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,aAAa;KACvB,CAAC,CAAC;IACH,OAAO,IAAwB,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,KAAK,IAAI,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC7D,OAAO,cAAc,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1D,CAAC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/azure_token_cache.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureTokenCache = exports.AzureTokenEntry = void 0;
+const cache_1 = require("./cache");
+/** @internal */
+class AzureTokenEntry extends cache_1.ExpiringCacheEntry {
+    /**
+     * Instantiate the entry.
+     */
+    constructor(token, expiration) {
+        super(expiration);
+        this.token = token;
+    }
+}
+exports.AzureTokenEntry = AzureTokenEntry;
+/**
+ * A cache of access tokens from Azure.
+ * @internal
+ */
+class AzureTokenCache extends cache_1.Cache {
+    /**
+     * Add an entry to the cache.
+     */
+    addEntry(tokenAudience, token) {
+        const entry = new AzureTokenEntry(token.access_token, token.expires_in);
+        this.entries.set(tokenAudience, entry);
+        return entry;
+    }
+    /**
+     * Create a cache key.
+     */
+    cacheKey(tokenAudience) {
+        return tokenAudience;
+    }
+    /**
+     * Delete an entry from the cache.
+     */
+    deleteEntry(tokenAudience) {
+        this.entries.delete(tokenAudience);
+    }
+    /**
+     * Get an Azure token entry from the cache.
+     */
+    getEntry(tokenAudience) {
+        return this.entries.get(tokenAudience);
+    }
+}
+exports.AzureTokenCache = AzureTokenCache;
+//# sourceMappingURL=azure_token_cache.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/azure_token_cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure_token_cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/azure_token_cache.ts"],"names":[],"mappings":";;;AACA,mCAAoD;AAEpD,gBAAgB;AAChB,MAAa,eAAgB,SAAQ,0BAAkB;IAGrD;;OAEG;IACH,YAAY,KAAa,EAAE,UAAkB;QAC3C,KAAK,CAAC,UAAU,CAAC,CAAC;QAClB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;CACF;AAVD,0CAUC;AAED;;;GAGG;AACH,MAAa,eAAgB,SAAQ,aAAsB;IACzD;;OAEG;IACH,QAAQ,CAAC,aAAqB,EAAE,KAAuB;QACrD,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,aAAqB;QAC5B,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,aAAqB;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,aAAqB;QAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IACzC,CAAC;CACF;AA9BD,0CA8BC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/cache.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Cache = exports.ExpiringCacheEntry = void 0;
+/* 5 minutes in milliseconds */
+const EXPIRATION_BUFFER_MS = 300000;
+/**
+ * An entry in a cache that can expire in a certain amount of time.
+ */
+class ExpiringCacheEntry {
+    /**
+     * Create a new expiring token entry.
+     */
+    constructor(expiration) {
+        this.expiration = this.expirationTime(expiration);
+    }
+    /**
+     * The entry is still valid if the expiration is more than
+     * 5 minutes from the expiration time.
+     */
+    isValid() {
+        return this.expiration - Date.now() > EXPIRATION_BUFFER_MS;
+    }
+    /**
+     * Get an expiration time in milliseconds past epoch.
+     */
+    expirationTime(expiresInSeconds) {
+        return Date.now() + expiresInSeconds * 1000;
+    }
+}
+exports.ExpiringCacheEntry = ExpiringCacheEntry;
+/**
+ * Base class for OIDC caches.
+ */
+class Cache {
+    /**
+     * Create a new cache.
+     */
+    constructor() {
+        this.entries = new Map();
+    }
+    /**
+     * Clear the cache.
+     */
+    clear() {
+        this.entries.clear();
+    }
+    /**
+     * Create a cache key from the address and username.
+     */
+    hashedCacheKey(address, username, callbackHash) {
+        return JSON.stringify([address, username, callbackHash]);
+    }
+}
+exports.Cache = Cache;
+//# sourceMappingURL=cache.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/cache.ts"],"names":[],"mappings":";;;AAAA,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,MAAM,CAAC;AAEpC;;GAEG;AACH,MAAsB,kBAAkB;IAGtC;;OAEG;IACH,YAAY,UAAkB;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACpD,CAAC;IACD;;;OAGG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,oBAAoB,CAAC;IAC7D,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,gBAAwB;QAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,GAAG,IAAI,CAAC;IAC9C,CAAC;CACF;AAvBD,gDAuBC;AAED;;GAEG;AACH,MAAsB,KAAK;IAGzB;;OAEG;IACH;QACE,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAa,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAOD;;OAEG;IACH,cAAc,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QACpE,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAC3D,CAAC;CACF;AA5BD,sBA4BC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/callback_lock_cache.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CallbackLockCache = void 0;
+const error_1 = require("../../../error");
+const cache_1 = require("./cache");
+/** Error message for when request callback is missing. */
+const REQUEST_CALLBACK_REQUIRED_ERROR = 'Auth mechanism property REQUEST_TOKEN_CALLBACK is required.';
+/* Counter for function "hashes".*/
+let FN_HASH_COUNTER = 0;
+/* No function present function */
+const NO_FUNCTION = async () => ({ accessToken: 'test' });
+/* The map of function hashes */
+const FN_HASHES = new WeakMap();
+/* Put the no function hash in the map. */
+FN_HASHES.set(NO_FUNCTION, FN_HASH_COUNTER);
+/**
+ * A cache of request and refresh callbacks per server/user.
+ */
+class CallbackLockCache extends cache_1.Cache {
+    /**
+     * Get the callbacks for the connection and credentials. If an entry does not
+     * exist a new one will get set.
+     */
+    getEntry(connection, credentials) {
+        const requestCallback = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
+        const refreshCallback = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
+        if (!requestCallback) {
+            throw new error_1.MongoInvalidArgumentError(REQUEST_CALLBACK_REQUIRED_ERROR);
+        }
+        const callbackHash = hashFunctions(requestCallback, refreshCallback);
+        const key = this.cacheKey(connection.address, credentials.username, callbackHash);
+        const entry = this.entries.get(key);
+        if (entry) {
+            return entry;
+        }
+        return this.addEntry(key, callbackHash, requestCallback, refreshCallback);
+    }
+    /**
+     * Set locked callbacks on for connection and credentials.
+     */
+    addEntry(key, callbackHash, requestCallback, refreshCallback) {
+        const entry = {
+            requestCallback: withLock(requestCallback),
+            refreshCallback: refreshCallback ? withLock(refreshCallback) : undefined,
+            callbackHash: callbackHash
+        };
+        this.entries.set(key, entry);
+        return entry;
+    }
+    /**
+     * Create a cache key from the address and username.
+     */
+    cacheKey(address, username, callbackHash) {
+        return this.hashedCacheKey(address, username, callbackHash);
+    }
+}
+exports.CallbackLockCache = CallbackLockCache;
+/**
+ * Ensure the callback is only executed one at a time.
+ */
+function withLock(callback) {
+    let lock = Promise.resolve();
+    return async (info, context) => {
+        await lock;
+        lock = lock.then(() => callback(info, context));
+        return lock;
+    };
+}
+/**
+ * Get the hash string for the request and refresh functions.
+ */
+function hashFunctions(requestFn, refreshFn) {
+    let requestHash = FN_HASHES.get(requestFn);
+    let refreshHash = FN_HASHES.get(refreshFn ?? NO_FUNCTION);
+    if (requestHash == null) {
+        // Create a new one for the function and put it in the map.
+        FN_HASH_COUNTER++;
+        requestHash = FN_HASH_COUNTER;
+        FN_HASHES.set(requestFn, FN_HASH_COUNTER);
+    }
+    if (refreshHash == null && refreshFn) {
+        // Create a new one for the function and put it in the map.
+        FN_HASH_COUNTER++;
+        refreshHash = FN_HASH_COUNTER;
+        FN_HASHES.set(refreshFn, FN_HASH_COUNTER);
+    }
+    return `${requestHash}-${refreshHash}`;
+}
+//# sourceMappingURL=callback_lock_cache.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/callback_lock_cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback_lock_cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/callback_lock_cache.ts"],"names":[],"mappings":";;;AAAA,0CAA2D;AAU3D,mCAAgC;AAEhC,0DAA0D;AAC1D,MAAM,+BAA+B,GACnC,6DAA6D,CAAC;AAChE,mCAAmC;AACnC,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,kCAAkC;AAClC,MAAM,WAAW,GAAwB,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;AAC/E,gCAAgC;AAChC,MAAM,SAAS,GAAG,IAAI,OAAO,EAAqD,CAAC;AACnF,0CAA0C;AAC1C,SAAS,CAAC,GAAG,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;AAW5C;;GAEG;AACH,MAAa,iBAAkB,SAAQ,aAAqB;IAC1D;;;OAGG;IACH,QAAQ,CAAC,UAAsB,EAAE,WAA6B;QAC5D,MAAM,eAAe,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QAC/E,MAAM,eAAe,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QAC/E,IAAI,CAAC,eAAe,EAAE;YACpB,MAAM,IAAI,iCAAyB,CAAC,+BAA+B,CAAC,CAAC;SACtE;QACD,MAAM,YAAY,GAAG,aAAa,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAClF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,EAAE;YACT,OAAO,KAAK,CAAC;SACd;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACK,QAAQ,CACd,GAAW,EACX,YAAoB,EACpB,eAAoC,EACpC,eAAqC;QAErC,MAAM,KAAK,GAAG;YACZ,eAAe,EAAE,QAAQ,CAAC,eAAe,CAAC;YAC1C,eAAe,EAAE,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS;YACxE,YAAY,EAAE,YAAY;SAC3B,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QAC9D,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;CACF;AA5CD,8CA4CC;AAED;;GAEG;AACH,SAAS,QAAQ,CAAC,QAAmD;IACnE,IAAI,IAAI,GAAiB,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3C,OAAO,KAAK,EAAE,IAAmB,EAAE,OAA4B,EAA8B,EAAE;QAC7F,MAAM,IAAI,CAAC;QACX,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,SAA8B,EAAE,SAA+B;IACpF,IAAI,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC;IAC1D,IAAI,WAAW,IAAI,IAAI,EAAE;QACvB,2DAA2D;QAC3D,eAAe,EAAE,CAAC;QAClB,WAAW,GAAG,eAAe,CAAC;QAC9B,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;KAC3C;IACD,IAAI,WAAW,IAAI,IAAI,IAAI,SAAS,EAAE;QACpC,2DAA2D;QAC3D,eAAe,EAAE,CAAC;QAClB,WAAW,GAAG,eAAe,CAAC;QAC9B,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;KAC3C;IACD,OAAO,GAAG,WAAW,IAAI,WAAW,EAAE,CAAC;AACzC,CAAC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/callback_workflow.js

@@ -0,0 +1,204 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CallbackWorkflow = void 0;
+const bson_1 = require("bson");
+const error_1 = require("../../../error");
+const utils_1 = require("../../../utils");
+const providers_1 = require("../providers");
+const callback_lock_cache_1 = require("./callback_lock_cache");
+const token_entry_cache_1 = require("./token_entry_cache");
+/** The current version of OIDC implementation. */
+const OIDC_VERSION = 0;
+/** 5 minutes in seconds */
+const TIMEOUT_S = 300;
+/** Properties allowed on results of callbacks. */
+const RESULT_PROPERTIES = ['accessToken', 'expiresInSeconds', 'refreshToken'];
+/** Error message when the callback result is invalid. */
+const CALLBACK_RESULT_ERROR = 'User provided OIDC callbacks must return a valid object with an accessToken.';
+/**
+ * OIDC implementation of a callback based workflow.
+ * @internal
+ */
+class CallbackWorkflow {
+    /**
+     * Instantiate the workflow
+     */
+    constructor() {
+        this.cache = new token_entry_cache_1.TokenEntryCache();
+        this.callbackCache = new callback_lock_cache_1.CallbackLockCache();
+    }
+    /**
+     * Get the document to add for speculative authentication. This also needs
+     * to add a db field from the credentials source.
+     */
+    async speculativeAuth(credentials) {
+        const document = startCommandDocument(credentials);
+        document.db = credentials.source;
+        return { speculativeAuthenticate: document };
+    }
+    /**
+     * Execute the OIDC callback workflow.
+     */
+    async execute(connection, credentials, reauthenticating, response) {
+        // Get the callbacks with locks from the callback lock cache.
+        const { requestCallback, refreshCallback, callbackHash } = this.callbackCache.getEntry(connection, credentials);
+        // Look for an existing entry in the cache.
+        const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
+        let result;
+        if (entry) {
+            // Reauthentication cannot use a token from the cache since the server has
+            // stated it is invalid by the request for reauthentication.
+            if (entry.isValid() && !reauthenticating) {
+                // Presence of a valid cache entry means we can skip to the finishing step.
+                result = await this.finishAuthentication(connection, credentials, entry.tokenResult, response?.speculativeAuthenticate?.conversationId);
+            }
+            else {
+                // Presence of an expired cache entry means we must fetch a new one and
+                // then execute the final step.
+                const tokenResult = await this.fetchAccessToken(connection, credentials, entry.serverInfo, reauthenticating, callbackHash, requestCallback, refreshCallback);
+                try {
+                    result = await this.finishAuthentication(connection, credentials, tokenResult, reauthenticating ? undefined : response?.speculativeAuthenticate?.conversationId);
+                }
+                catch (error) {
+                    // If we are reauthenticating and this errors with reauthentication
+                    // required, we need to do the entire process over again and clear
+                    // the cache entry.
+                    if (reauthenticating &&
+                        error instanceof error_1.MongoError &&
+                        error.code === error_1.MONGODB_ERROR_CODES.Reauthenticate) {
+                        this.cache.deleteEntry(connection.address, credentials.username, callbackHash);
+                        result = await this.execute(connection, credentials, reauthenticating);
+                    }
+                    else {
+                        throw error;
+                    }
+                }
+            }
+        }
+        else {
+            // No entry in the cache requires us to do all authentication steps
+            // from start to finish, including getting a fresh token for the cache.
+            const startDocument = await this.startAuthentication(connection, credentials, reauthenticating, response);
+            const conversationId = startDocument.conversationId;
+            const serverResult = bson_1.BSON.deserialize(startDocument.payload.buffer);
+            const tokenResult = await this.fetchAccessToken(connection, credentials, serverResult, reauthenticating, callbackHash, requestCallback, refreshCallback);
+            result = await this.finishAuthentication(connection, credentials, tokenResult, conversationId);
+        }
+        return result;
+    }
+    /**
+     * Starts the callback authentication process. If there is a speculative
+     * authentication document from the initial handshake, then we will use that
+     * value to get the issuer, otherwise we will send the saslStart command.
+     */
+    async startAuthentication(connection, credentials, reauthenticating, response) {
+        let result;
+        if (!reauthenticating && response?.speculativeAuthenticate) {
+            result = response.speculativeAuthenticate;
+        }
+        else {
+            result = await connection.commandAsync((0, utils_1.ns)(credentials.source), startCommandDocument(credentials), undefined);
+        }
+        return result;
+    }
+    /**
+     * Finishes the callback authentication process.
+     */
+    async finishAuthentication(connection, credentials, tokenResult, conversationId) {
+        const result = await connection.commandAsync((0, utils_1.ns)(credentials.source), finishCommandDocument(tokenResult.accessToken, conversationId), undefined);
+        return result;
+    }
+    /**
+     * Fetches an access token using either the request or refresh callbacks and
+     * puts it in the cache.
+     */
+    async fetchAccessToken(connection, credentials, serverInfo, reauthenticating, callbackHash, requestCallback, refreshCallback) {
+        // Get the token from the cache.
+        const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
+        let result;
+        const context = { timeoutSeconds: TIMEOUT_S, version: OIDC_VERSION };
+        // Check if there's a token in the cache.
+        if (entry) {
+            // If the cache entry is valid, return the token result.
+            if (entry.isValid() && !reauthenticating) {
+                return entry.tokenResult;
+            }
+            // If the cache entry is not valid, remove it from the cache and first attempt
+            // to use the refresh callback to get a new token. If no refresh callback
+            // exists, then fallback to the request callback.
+            if (refreshCallback) {
+                context.refreshToken = entry.tokenResult.refreshToken;
+                result = await refreshCallback(serverInfo, context);
+            }
+            else {
+                result = await requestCallback(serverInfo, context);
+            }
+        }
+        else {
+            // With no token in the cache we use the request callback.
+            result = await requestCallback(serverInfo, context);
+        }
+        // Validate that the result returned by the callback is acceptable. If it is not
+        // we must clear the token result from the cache.
+        if (isCallbackResultInvalid(result)) {
+            this.cache.deleteEntry(connection.address, credentials.username, callbackHash);
+            throw new error_1.MongoMissingCredentialsError(CALLBACK_RESULT_ERROR);
+        }
+        // Cleanup the cache.
+        this.cache.deleteExpiredEntries();
+        // Put the new entry into the cache.
+        this.cache.addEntry(connection.address, credentials.username || '', callbackHash, result, serverInfo);
+        return result;
+    }
+}
+exports.CallbackWorkflow = CallbackWorkflow;
+/**
+ * Generate the finishing command document for authentication. Will be a
+ * saslStart or saslContinue depending on the presence of a conversation id.
+ */
+function finishCommandDocument(token, conversationId) {
+    if (conversationId != null && typeof conversationId === 'number') {
+        return {
+            saslContinue: 1,
+            conversationId: conversationId,
+            payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
+        };
+    }
+    // saslContinue requires a conversationId in the command to be valid so in this
+    // case the server allows "step two" to actually be a saslStart with the token
+    // as the jwt since the use of the cached value has no correlating conversating
+    // on the particular connection.
+    return {
+        saslStart: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
+    };
+}
+/**
+ * Determines if a result returned from a request or refresh callback
+ * function is invalid. This means the result is nullish, doesn't contain
+ * the accessToken required field, and does not contain extra fields.
+ */
+function isCallbackResultInvalid(tokenResult) {
+    if (tokenResult == null || typeof tokenResult !== 'object')
+        return true;
+    if (!('accessToken' in tokenResult))
+        return true;
+    return !Object.getOwnPropertyNames(tokenResult).every(prop => RESULT_PROPERTIES.includes(prop));
+}
+/**
+ * Generate the saslStart command document.
+ */
+function startCommandDocument(credentials) {
+    const payload = {};
+    if (credentials.username) {
+        payload.n = credentials.username;
+    }
+    return {
+        saslStart: 1,
+        autoAuthorize: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: new bson_1.Binary(bson_1.BSON.serialize(payload))
+    };
+}
+//# sourceMappingURL=callback_workflow.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/service_workflow.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commandDocument = exports.ServiceWorkflow = void 0;
+const bson_1 = require("bson");
+const utils_1 = require("../../../utils");
+const providers_1 = require("../providers");
+/**
+ * Common behaviour for OIDC device workflows.
+ * @internal
+ */
+class ServiceWorkflow {
+    /**
+     * Execute the workflow. Looks for AWS_WEB_IDENTITY_TOKEN_FILE in the environment
+     * and then attempts to read the token from that path.
+     */
+    async execute(connection, credentials) {
+        const token = await this.getToken(credentials);
+        const command = commandDocument(token);
+        return connection.commandAsync((0, utils_1.ns)(credentials.source), command, undefined);
+    }
+    /**
+     * Get the document to add for speculative authentication.
+     */
+    async speculativeAuth(credentials) {
+        const token = await this.getToken(credentials);
+        const document = commandDocument(token);
+        document.db = credentials.source;
+        return { speculativeAuthenticate: document };
+    }
+}
+exports.ServiceWorkflow = ServiceWorkflow;
+/**
+ * Create the saslStart command document.
+ */
+function commandDocument(token) {
+    return {
+        saslStart: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: bson_1.BSON.serialize({ jwt: token })
+    };
+}
+exports.commandDocument = commandDocument;
+//# sourceMappingURL=service_workflow.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/service_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/service_workflow.ts"],"names":[],"mappings":";;;AAAA,+BAA2C;AAE3C,0CAAoC;AAIpC,4CAA6C;AAE7C;;;GAGG;AACH,MAAsB,eAAe;IACnC;;;OAGG;IACH,KAAK,CAAC,OAAO,CAAC,UAAsB,EAAE,WAA6B;QACjE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,YAAY,CAAC,IAAA,UAAE,EAAC,WAAW,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,WAA6B;QACjD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACxC,QAAQ,CAAC,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;QACjC,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,CAAC;IAC/C,CAAC;CAMF;AAzBD,0CAyBC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAa;IAC3C,OAAO;QACL,SAAS,EAAE,CAAC;QACZ,SAAS,EAAE,yBAAa,CAAC,YAAY;QACrC,OAAO,EAAE,WAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC;AAND,0CAMC"}

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/token_entry_cache.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenEntryCache = exports.TokenEntry = void 0;
+const cache_1 = require("./cache");
+/* Default expiration is now for when no expiration provided */
+const DEFAULT_EXPIRATION_SECS = 0;
+/** @internal */
+class TokenEntry extends cache_1.ExpiringCacheEntry {
+    /**
+     * Instantiate the entry.
+     */
+    constructor(tokenResult, serverInfo, expiration) {
+        super(expiration);
+        this.tokenResult = tokenResult;
+        this.serverInfo = serverInfo;
+    }
+}
+exports.TokenEntry = TokenEntry;
+/**
+ * Cache of OIDC token entries.
+ * @internal
+ */
+class TokenEntryCache extends cache_1.Cache {
+    /**
+     * Set an entry in the token cache.
+     */
+    addEntry(address, username, callbackHash, tokenResult, serverInfo) {
+        const entry = new TokenEntry(tokenResult, serverInfo, tokenResult.expiresInSeconds ?? DEFAULT_EXPIRATION_SECS);
+        this.entries.set(this.cacheKey(address, username, callbackHash), entry);
+        return entry;
+    }
+    /**
+     * Delete an entry from the cache.
+     */
+    deleteEntry(address, username, callbackHash) {
+        this.entries.delete(this.cacheKey(address, username, callbackHash));
+    }
+    /**
+     * Get an entry from the cache.
+     */
+    getEntry(address, username, callbackHash) {
+        return this.entries.get(this.cacheKey(address, username, callbackHash));
+    }
+    /**
+     * Delete all expired entries from the cache.
+     */
+    deleteExpiredEntries() {
+        for (const [key, entry] of this.entries) {
+            if (!entry.isValid()) {
+                this.entries.delete(key);
+            }
+        }
+    }
+    /**
+     * Create a cache key from the address and username.
+     */
+    cacheKey(address, username, callbackHash) {
+        return this.hashedCacheKey(address, username, callbackHash);
+    }
+}
+exports.TokenEntryCache = TokenEntryCache;
+//# sourceMappingURL=token_entry_cache.js.map

VISUALIZACION/node_modules/mongodb/lib/cmap/auth/mongodb_oidc/token_entry_cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_entry_cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/token_entry_cache.ts"],"names":[],"mappings":";;;AACA,mCAAoD;AAEpD,+DAA+D;AAC/D,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAElC,gBAAgB;AAChB,MAAa,UAAW,SAAQ,0BAAkB;IAIhD;;OAEG;IACH,YAAY,WAA8B,EAAE,UAAyB,EAAE,UAAkB;QACvF,KAAK,CAAC,UAAU,CAAC,CAAC;QAClB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAZD,gCAYC;AAED;;;GAGG;AACH,MAAa,eAAgB,SAAQ,aAAiB;IACpD;;OAEG;IACH,QAAQ,CACN,OAAe,EACf,QAAgB,EAChB,YAAoB,EACpB,WAA8B,EAC9B,UAAyB;QAEzB,MAAM,KAAK,GAAG,IAAI,UAAU,CAC1B,WAAW,EACX,UAAU,EACV,WAAW,CAAC,gBAAgB,IAAI,uBAAuB,CACxD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;QACxE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QACjE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QAC9D,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE;YACvC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE;gBACpB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;aAC1B;SACF;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,OAAe,EAAE,QAAgB,EAAE,YAAoB;QAC9D,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;CACF;AAnDD,0CAmDC"}