update Credentials struct

Author: qingyang-hu

internal/aws/types.go

@@ -12,14 +12,29 @@ package aws
 
 import (
 	"io"
+	"time"
 )
 
 // Credentials represents AWS credentials.
 type Credentials struct {
-	AccessKeyID        string
-	SecretAccessKey    string
-	SessionToken       string
-	ExpirationCallback func() bool
+	AccessKeyID     string
+	SecretAccessKey string
+	SessionToken    string
+	Source          string
+	CanExpire       bool
+	Expires         time.Time
+	AccountID       string
+}
+
+func (v Credentials) Expired() bool {
+	if v.CanExpire {
+		// Calling Round(0) on the current time will truncate the monotonic
+		// reading only. Ensures credential expiry time is always based on
+		// reported wall-clock time.
+		return !v.Expires.After(time.Now().Round(0))
+	}
+
+	return false
 }
 
 // ReadSeekCloser wraps a io.Reader returning a ReaderSeekerCloser. Allows the

internal/credproviders/aws_provider.go

@@ -40,8 +40,8 @@ func (a *AwsProvider) Retrieve(ctx context.Context) (credentials.Value, error) {
 
 // IsExpired returns true if the credentials have not been retrieved.
 func (a *AwsProvider) IsExpired() bool {
-	if a.credentials == nil || a.credentials.ExpirationCallback == nil {
+	if a.credentials == nil {
 		return true
 	}
-	return a.credentials.ExpirationCallback()
+	return a.credentials.Expired()
 }

internal/integration/client_side_encryption_prose_test.go

@@ -3190,9 +3190,8 @@ func TestCustomAwsCredentialsProse(t *testing.T) {
 				"aws": func(_ context.Context) (options.Credentials, error) {
 					calledCount++
 					return options.Credentials{
-						AccessKeyID:        awsAccessKeyID,
-						SecretAccessKey:    awsSecretAccessKey,
-						ExpirationCallback: func() bool { return false },
+						AccessKeyID:     awsAccessKeyID,
+						SecretAccessKey: awsSecretAccessKey,
 					}, nil
 				},
 			})
@@ -3248,9 +3247,8 @@ func TestCustomAwsCredentialsProse(t *testing.T) {
 				"aws": func(ctx context.Context) (options.Credentials, error) {
 					calledCount++
 					return options.Credentials{
-						AccessKeyID:        awsAccessKeyID,
-						SecretAccessKey:    awsSecretAccessKey,
-						ExpirationCallback: func() bool { return false },
+						AccessKeyID:     awsAccessKeyID,
+						SecretAccessKey: awsSecretAccessKey,
 					}, nil
 				},
 			})

mongo/client.go

@@ -603,16 +603,11 @@ func (c *Client) newMongoCrypt(opts *options.AutoEncryptionOptions) (*mongocrypt
 		if k == "aws" && fn != nil {
 			providers[k] = &credproviders.AwsProvider{
 				Provider: func(ctx context.Context) (aws.Credentials, error) {
-					var creds aws.Credentials
 					c, err := fn(ctx)
 					if err != nil {
-						return creds, err
+						return aws.Credentials{}, err
 					}
-					creds.AccessKeyID = c.AccessKeyID
-					creds.SecretAccessKey = c.SecretAccessKey
-					creds.SessionToken = c.SessionToken
-					creds.ExpirationCallback = c.ExpirationCallback
-					return creds, nil
+					return aws.Credentials(c), nil
 				},
 			}
 		}

mongo/client_encryption.go

@@ -61,16 +61,11 @@ func NewClientEncryption(keyVaultClient *Client, opts ...options.Lister[options.
 		if k == "aws" && fn != nil {
 			providers[k] = &credproviders.AwsProvider{
 				Provider: func(ctx context.Context) (aws.Credentials, error) {
-					var creds aws.Credentials
 					c, err := fn(ctx)
 					if err != nil {
-						return creds, err
+						return aws.Credentials{}, err
 					}
-					creds.AccessKeyID = c.AccessKeyID
-					creds.SecretAccessKey = c.SecretAccessKey
-					creds.SessionToken = c.SessionToken
-					creds.ExpirationCallback = c.ExpirationCallback
-					return creds, nil
+					return aws.Credentials(c), nil
 				},
 			}
 		}

mongo/client_examples_test.go

@@ -363,10 +363,9 @@ func ExampleConnect_aWS() {
 		AwsCredentialsProvider: func(_ context.Context) (
 			options.Credentials, error) {
 			return options.Credentials{
-				AccessKeyID:        accessKeyID,
-				SecretAccessKey:    secretAccessKey,
-				SessionToken:       sessionToken,
-				ExpirationCallback: func() bool { return false },
+				AccessKeyID:     accessKeyID,
+				SecretAccessKey: secretAccessKey,
+				SessionToken:    sessionToken,
 			}, nil
 		},
 	}

mongo/options/clientoptions.go

@@ -25,7 +25,6 @@ import (
 	"github.com/youmark/pkcs8"
 	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.mongodb.org/mongo-driver/v2/event"
-	"go.mongodb.org/mongo-driver/v2/internal/aws"
 	"go.mongodb.org/mongo-driver/v2/internal/httputil"
 	"go.mongodb.org/mongo-driver/v2/internal/optionsutil"
 	"go.mongodb.org/mongo-driver/v2/mongo/readconcern"
@@ -117,7 +116,7 @@ type Credential struct {
 	PasswordSet             bool
 	OIDCMachineCallback     OIDCCallback
 	OIDCHumanCallback       OIDCCallback
-	AwsCredentialsProvider  func(context.Context) (Credentials, error)
+	AwsCredentialsProvider  CredentialsProvider
 }
 
 // OIDCCallback is the type for both Human and Machine Callback flows.
@@ -150,7 +149,15 @@ type IDPInfo struct {
 type CredentialsProvider func(context.Context) (Credentials, error)
 
 // Credentials represents AWS credentials.
-type Credentials aws.Credentials
+type Credentials struct {
+	AccessKeyID     string
+	SecretAccessKey string
+	SessionToken    string
+	Source          string
+	CanExpire       bool
+	Expires         time.Time
+	AccountID       string
+}
 
 // BSONOptions are optional BSON marshaling and unmarshaling behaviors.
 type BSONOptions struct {

x/mongo/driver/topology/topology_options.go

@@ -117,12 +117,7 @@ func ConvertCreds(cred *options.Credential) *driver.Cred {
 	if cred.AwsCredentialsProvider != nil {
 		awsCredentialsProvider = func(ctx context.Context) (aws.Credentials, error) {
 			creds, err := cred.AwsCredentialsProvider(ctx)
-			return aws.Credentials{
-				AccessKeyID:        creds.AccessKeyID,
-				SecretAccessKey:    creds.SecretAccessKey,
-				SessionToken:       creds.SessionToken,
-				ExpirationCallback: creds.ExpirationCallback,
-			}, err
+			return aws.Credentials(creds), err
 		}
 	}