test: 2 last prose tests

Author: durran

src/cmap/auth/mongodb_aws.ts

@@ -63,8 +63,7 @@ export class MongoDBAWS extends AuthProvider {
       );
     }
 
-    // If a custom credential provider is present we will use that first.
-    if (this.credentialProvider || !authContext.credentials.username) {
+    if (!authContext.credentials.username) {
       authContext.credentials = await makeTempCredentials(
         authContext.credentials,
         this.credentialFetcher

test/integration/auth/mongodb_aws.test.ts

@@ -137,42 +137,24 @@ describe('MONGODB-AWS', function () {
     });
   });
 
-  context('when user supplies a credentials provider', function () {
+  context('1. Custom Credential Provider Authenticates', function () {
     let providerCount = 0;
     let provider;
 
-    before(function () {
-      if (client?.options.credentials.username) {
-        const credentials = client?.options.credentials;
-        // There are 2 variants in our tests that remove the environment variables
-        // and put the credentials in the URI. In those cases we need a custom
-        // provider that returns the correct variables by extracting them out.
-        const awsCredentials: AWSCredentials = {
-          accessKeyId: credentials.username,
-          secretAccessKey: credentials.password
-        };
-        if (credentials.mechanismProperties.AWS_SESSION_TOKEN) {
-          awsCredentials.sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
-        }
-        provider = async () => {
-          providerCount++;
-          return awsCredentials;
-        };
-      } else {
-        // @ts-expect-error We intentionally access a protected variable.
-        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
-        provider = async () => {
-          providerCount++;
-          return await credentialProvider.fromNodeProviderChain().apply();
-        };
-      }
-    });
-
     beforeEach(function () {
       if (!awsSdkPresent) {
         this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
         return this.skip();
       }
+      if (client?.options.credentials.username) {
+        this.skipReason = 'only relevant when no credentials are in the URI';
+        return this.skip();
+      }
+      const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+      provider = async () => {
+        providerCount++;
+        return await credentialProvider.fromNodeProviderChain().apply();
+      };
     });
 
     it('authenticates with a user provided credentials provider', async function () {
@@ -194,6 +176,90 @@ describe('MONGODB-AWS', function () {
     });
   });
 
+  context('2. Custom Credential Provider Authentication Precedence', function () {
+    context('Case 1: Credentials in URI Take Precedence', function () {
+      let providerCount = 0;
+      let provider;
+
+      beforeEach(function () {
+        if (!awsSdkPresent) {
+          this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
+          return this.skip();
+        }
+        console.log(client?.options);
+        if (!client?.options.credentials.username) {
+          this.skipReason = 'Test only runs when credentials are present in the URI';
+          return this.skip();
+        }
+        // @ts-expect-error We intentionally access a protected variable.
+        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        provider = async () => {
+          providerCount++;
+          return await credentialProvider.fromNodeProviderChain().apply();
+        };
+      });
+
+      it('authenticates with a user provided credentials provider', async function () {
+        console.log(process.env);
+        client = this.configuration.newClient(process.env.MONGODB_URI, {
+          authMechanismProperties: {
+            AWS_CREDENTIAL_PROVIDER: provider
+          }
+        });
+
+        const result = await client
+          .db('aws')
+          .collection('aws_test')
+          .estimatedDocumentCount()
+          .catch(error => error);
+
+        expect(result).to.not.be.instanceOf(MongoServerError);
+        expect(result).to.be.a('number');
+        expect(providerCount).to.equal(0);
+      });
+    });
+
+    context('Case 2: Custom Provider Takes Precedence Over Environment Variables', function () {
+      let providerCount = 0;
+      let provider;
+
+      beforeEach(function () {
+        if (!awsSdkPresent) {
+          this.skipReason = 'only relevant to AssumeRoleWithWebIdentity with SDK installed';
+          return this.skip();
+        }
+        if (client?.options.credentials.username || !process.env.AWS_ACCESS_KEY_ID) {
+          this.skipReason = 'Test only runs when credentials are present in the environment';
+          return this.skip();
+        }
+        // @ts-expect-error We intentionally access a protected variable.
+        const credentialProvider = AWSTemporaryCredentialProvider.awsSDK;
+        provider = async () => {
+          providerCount++;
+          return await credentialProvider.fromNodeProviderChain().apply();
+        };
+      });
+
+      it('authenticates with a user provided credentials provider', async function () {
+        client = this.configuration.newClient(process.env.MONGODB_URI, {
+          authMechanismProperties: {
+            AWS_CREDENTIAL_PROVIDER: provider
+          }
+        });
+
+        const result = await client
+          .db('aws')
+          .collection('aws_test')
+          .estimatedDocumentCount()
+          .catch(error => error);
+
+        expect(result).to.not.be.instanceOf(MongoServerError);
+        expect(result).to.be.a('number');
+        expect(providerCount).to.be.greaterThan(0);
+      });
+    });
+  });
+
   it('should allow empty string in authMechanismProperties.AWS_SESSION_TOKEN to override AWS_SESSION_TOKEN environment variable', function () {
     client = this.configuration.newClient(this.configuration.url(), {
       authMechanismProperties: { AWS_SESSION_TOKEN: '' }