PYTHON-3716 OIDC-SASL Follow-Up #1365

Merged
merged 39 commits into from
Sep 28, 2023
Merged
37e55b0
DRIVERS-2415 Simplifications
blink1073 Aug 28, 2023
c52e10a
wip clean up oidc
blink1073 Aug 28, 2023
1b87e6a
lint
blink1073 Aug 30, 2023
69346bc
fix EG config
blink1073 Aug 30, 2023
2971708
Merge branch 'master' of github.com:mongodb/mongo-python-driver into …
blink1073 Aug 30, 2023
8426412
fix handling of assume role
blink1073 Aug 30, 2023
6cb708a
move cache to mongocredential
blink1073 Sep 2, 2023
2ea10a2
finish refactor
blink1073 Sep 4, 2023
4a2b10a
clean up tests
blink1073 Sep 4, 2023
b40fab8
finish refactor
blink1073 Sep 5, 2023
b5aae77
lint and test on multiple platforms
blink1073 Sep 5, 2023
f1aa532
clean up python binary handling
blink1073 Sep 5, 2023
89bf558
add helper function
blink1073 Sep 5, 2023
bd7953d
debug
blink1073 Sep 5, 2023
7cf158f
try that
blink1073 Sep 5, 2023
1c39d65
fix binaries
blink1073 Sep 5, 2023
4b1eb82
try updating certifi
blink1073 Sep 5, 2023
50186ff
fix for windows
blink1073 Sep 5, 2023
5828512
use wip branch
blink1073 Sep 5, 2023
3ddd737
debug
blink1073 Sep 5, 2023
9ae811e
try to create token dir
blink1073 Sep 5, 2023
96bf593
use regular branch
blink1073 Sep 5, 2023
7109a47
try again
blink1073 Sep 5, 2023
47e3dea
try again
blink1073 Sep 5, 2023
9ad53d2
debug
blink1073 Sep 5, 2023
6dde30e
try again
blink1073 Sep 5, 2023
0e2de59
try with bash
blink1073 Sep 5, 2023
7226e0e
try this
blink1073 Sep 5, 2023
bffa4a8
try with a bash script
blink1073 Sep 5, 2023
501ae19
cleanup
blink1073 Sep 6, 2023
4bfa368
fix handling of token dir
blink1073 Sep 6, 2023
7a15bd0
debug on macos
blink1073 Sep 6, 2023
f2bbacf
more debug
blink1073 Sep 6, 2023
41a7a7d
add certificate workaround
blink1073 Sep 6, 2023
c746b6d
switch to main channel
blink1073 Sep 6, 2023
b8fdaa3
remove todo
blink1073 Sep 8, 2023
3c614b0
Merge branch 'master' of github.com:mongodb/mongo-python-driver into …
blink1073 Sep 16, 2023
2a6d315
address review
blink1073 Sep 20, 2023
237b273
add missing default
blink1073 Sep 20, 2023
80 changes: 17 additions & 63 deletions .evergreen/config.yml
Expand Up @@ -79,6 +79,17 @@ functions:
export PATH="$MONGODB_BINARIES:$PATH"
export PROJECT="${project}"
export PIP_QUIET=1
ENSURE_TOOLCHAIN_PYTHON_BINARY: |
# Make sure PYTHON_BINARY is set to a suitable toolchain python.
if [ -z "$PYTHON_BINARY" ]; then
if [ "$(uname -s)" = "Darwin" ]; then
export PYTHON_BINARY=/Library/Frameworks/Python.Framework/Versions/3.9/bin/python3
elif [ "Windows_NT" = "$OS" ]; then # Magic variable in cygwin
export PYTHON_BINARY=/cygdrive/c/python/Python39/python
else
export PYTHON_BINARY=/opt/python/3.9/bin/python3
fi
fi
EOT

# Load the expansion file to make an evergreen variable with the current unique version
Expand Down Expand Up @@ -655,7 +666,7 @@ functions:
.evergreen/run-mongodb-aws-test.sh
fi

"bootstrap oidc":
"run oidc auth test with aws credentials":
- command: ec2.assume_role
params:
role_arn: ${aws_test_secrets_role}
Expand All @@ -664,58 +675,11 @@ functions:
params:
working_dir: "src"
shell: bash
include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
script: |
${PREPARE_SHELL}
if [ "${skip_EC2_auth_test}" = "true" ]; then
echo "This platform does not support the oidc auth test, skipping..."
exit 0
fi

cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
export OIDC_TOKEN_DIR=/tmp/tokens

. ./activate-authoidcvenv.sh
python oidc_write_orchestration.py
python oidc_get_tokens.py

"run oidc auth test with aws credentials":
- command: shell.exec
type: test
params:
working_dir: "src"
shell: bash
script: |
${PREPARE_SHELL}
if [ "${skip_EC2_auth_test}" = "true" ]; then
echo "This platform does not support the oidc auth test, skipping..."
exit 0
fi
cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
mongosh setup_oidc.js
- command: shell.exec
type: test
params:
working_dir: "src"
silent: true
script: |
# DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
export OIDC_TOKEN_DIR=/tmp/tokens
EOF
- command: shell.exec
type: test
params:
working_dir: "src"
script: |
${PREPARE_SHELL}
if [ "${skip_web_identity_auth_test}" = "true" ]; then
echo "This platform does not support the oidc auth test, skipping..."
exit 0
fi
PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-oidc-test.sh
${ENSURE_TOOLCHAIN_PYTHON_BINARY}
bash .evergreen/run-mongodb-oidc-test.sh

"run aws auth test with aws credentials as environment variables":
- command: shell.exec
Expand Down Expand Up @@ -2133,16 +2097,7 @@ tasks:

- name: "oidc-auth-test-latest"
commands:
- func: "bootstrap oidc"
- func: "bootstrap mongo-orchestration"
vars:
AUTH: "auth"
ORCHESTRATION_FILE: "auth-oidc.json"
TOPOLOGY: "replica_set"
VERSION: "latest"
- func: "run oidc auth test with aws credentials"
vars:
AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/tokens/test1

- name: load-balancer-test
commands:
Expand Down Expand Up @@ -3192,9 +3147,8 @@ buildvariants:

- matrix_name: "oidc-auth-test"
matrix_spec:
platform: [ rhel8 ]
python-version: ["3.9"]
display_name: "MONGODB-OIDC Auth ${platform} ${python-version}"
platform: [ rhel8, macos-1100, windows-64-vsMulti-small ]
display_name: "MONGODB-OIDC Auth ${platform}"
tasks:
- name: "oidc-auth-test-latest"

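Review bot: The rebuilt `run oidc auth test with aws credentials` step injects the assumed-role credentials through `include_expansions_in_env` and then runs under `${PREPARE_SHELL}`, which the comment deleted from the old side says turns on xtrace, and the `silent: true` step that used to fence credential handling is gone; the only thing keeping `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` out of the Evergreen log is that no traced command in this script happens to expand them. I would make that contract explicit right above `${ENSURE_TOOLCHAIN_PYTHON_BINARY}`: `# AWS_* creds are inherited from ec2.assume_role; never expand them here, PREPARE_SHELL enables xtrace.` Separately, `ENSURE_TOOLCHAIN_PYTHON_BINARY` picks a hard-coded 3.9 path per platform but never checks it exists, so a missing toolchain surfaces later as an unrelated failure; `[ -x "$PYTHON_BINARY" ] || { echo "PYTHON_BINARY $PYTHON_BINARY not found"; exit 1; }` after the outer `fi` would fail fast.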
70 changes: 31 additions & 39 deletions .evergreen/run-mongodb-oidc-test.sh
@@ -1,56 +1,48 @@
#!/bin/bash

set -o xtrace
set +x # Disable debug trace
set -o errexit # Exit the script with error if any of the commands fail

############################################
# Main Program #
############################################

# Supported/used environment variables:
# MONGODB_URI Set the URI, including an optional username/password to use
# to connect to the server via MONGODB-OIDC authentication
# mechanism.
# PYTHON_BINARY The Python version to use.

echo "Running MONGODB-OIDC authentication tests"
# ensure no secrets are printed in log files
set +x

# load the script
shopt -s expand_aliases # needed for `urlencode` alias
[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"

MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
MONGODB_URI_MULTIPLE="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"

if [ -z "${OIDC_TOKEN_DIR}" ]; then
echo "Must specify OIDC_TOKEN_DIR"
# Make sure DRIVERS_TOOLS is set.
if [ -z "$DRIVERS_TOOLS" ]; then
echo "Must specify DRIVERS_TOOLS"
exit 1
fi

export MONGODB_URI_SINGLE="$MONGODB_URI_SINGLE"
export MONGODB_URI_MULTIPLE="$MONGODB_URI_MULTIPLE"
export MONGODB_URI="$MONGODB_URI"

echo $MONGODB_URI_SINGLE
echo $MONGODB_URI_MULTIPLE
echo $MONGODB_URI
# Get the drivers secrets. Use an existing secrets file first.
if [ ! -f "./secrets-export.sh" ]; then
bash .evergreen/tox.sh -m aws-secrets -- drivers/oidc
fi
source ./secrets-export.sh
Contributor


Shouldn't this source be under a set +x for safety?

Member Author


Done


if [ "$ASSERT_NO_URI_CREDS" = "true" ]; then
if echo "$MONGODB_URI" | grep -q "@"; then
echo "MONGODB_URI unexpectedly contains user credentials!";
exit 1
fi
# # If the file did not have our creds, get them from the vault.
if [ -z "$OIDC_ATLAS_URI_SINGLE" ]; then
bash .evergreen/tox.sh -m aws-secrets -- drivers/oidc
source ./secrets-export.sh
fi

if [ -z "$PYTHON_BINARY" ]; then
echo "Cannot test without specifying PYTHON_BINARY"
exit 1
# Make the OIDC tokens.
set -x
pushd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
. ./oidc_get_tokens.sh
popd

# Set up variables and run the test.
if [ -n "$LOCAL_OIDC_SERVER" ]; then
export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
export MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
export MONGODB_URI_MULTI="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
else
set +x # turn off xtrace for this portion
export MONGODB_URI="$OIDC_ATLAS_URI_SINGLE"
export MONGODB_URI_SINGLE="$OIDC_ATLAS_URI_SINGLE/?authMechanism=MONGODB-OIDC"
export MONGODB_URI_MULTI="$OIDC_ATLAS_URI_MULTI/?authMechanism=MONGODB-OIDC"
set -x
fi

export TEST_AUTH_OIDC=1
export COVERAGE=1
export AUTH="auth"
export SET_XTRACE_ON=1
bash ./.evergreen/tox.sh -m test-eg
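Review bot: `set -x` is switched back on immediately before `pushd ${DRIVERS_TOOLS}/.evergreen/auth_oidc` and `. ./oidc_get_tokens.sh`, so every command inside that sourced token-minting script is traced into the Evergreen log; if it expands the `AWS_*` credentials inherited from `ec2.assume_role` or the OIDC tokens it writes (I cannot see that script from here), they leak exactly the way the `secrets-export.sh` source would have before the `set +x` at the top. Keeping the whole secrets-handling region dark is a one-line move: run `pushd "${DRIVERS_TOOLS}/.evergreen/auth_oidc"`, `. ./oidc_get_tokens.sh`, `popd` first and only then `set -x`. Quoting `${DRIVERS_TOOLS}` in the `pushd` also avoids word-splitting on an unusual path, and the `# #` on the vault-fallback comment looks like a stray doubled marker. The dropped `ASSERT_NO_URI_CREDS` guard means nothing now asserts that the Atlas URI carries no embedded password; worth a comment if that is intentional.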
16 changes: 15 additions & 1 deletion .evergreen/run-tests.sh
Expand Up @@ -49,6 +49,9 @@ if [ "$AUTH" != "noauth" ]; then
elif [ ! -z "$TEST_SERVERLESS" ]; then
export DB_USER=$SERVERLESS_ATLAS_USER
export DB_PASSWORD=$SERVERLESS_ATLAS_PASSWORD
elif [ ! -z "$TEST_AUTH_OIDC" ]; then
export DB_USER=$OIDC_ALTAS_USER
export DB_PASSWORD=$OIDC_ATLAS_PASSWORD
else
export DB_USER="bob"
export DB_PASSWORD="pwd123"
Expand Down Expand Up @@ -109,7 +112,7 @@ fi
if [ -n "$TEST_ENCRYPTION" ] || [ -n "$TEST_FLE_AZURE_AUTO" ] || [ -n "$TEST_FLE_GCP_AUTO" ]; then

# Work around for root certifi not being installed.
# TODO: Remove after PYTHON-3827
# TODO: Remove after PYTHON-3952 is deployed.
if [ "$(uname -s)" = "Darwin" ]; then
python -m pip install certifi
CERT_PATH=$(python -c "import certifi; print(certifi.where())")
Expand Down Expand Up @@ -224,6 +227,17 @@ fi

if [ -n "$TEST_AUTH_OIDC" ]; then
python -m pip install ".[aws]"

# Work around for root certifi not being installed.
# TODO: Remove after PYTHON-3952 is deployed.
if [ "$(uname -s)" = "Darwin" ]; then
python -m pip install certifi
CERT_PATH=$(python -c "import certifi; print(certifi.where())")
export SSL_CERT_FILE=${CERT_PATH}
export REQUESTS_CA_BUNDLE=${CERT_PATH}
export AWS_CA_BUNDLE=${CERT_PATH}
fi

TEST_ARGS="test/auth_oidc/test_auth_oidc.py"
fi

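Review bot: The new `TEST_AUTH_OIDC` branch reads `$OIDC_ALTAS_USER` for `DB_USER` but `$OIDC_ATLAS_PASSWORD` for `DB_PASSWORD`; unless the secrets export really spells the user variable with "ALTAS" (which I cannot verify from here) `DB_USER` ends up empty and the test runs with a blank username, so this should be `export DB_USER=$OIDC_ATLAS_USER`. The enclosing `if [ "$AUTH" != "noauth" ]` block starts outside this hunk. The macOS certifi workaround is now copied verbatim from the encryption branch above into the OIDC branch, each with its own `TODO: Remove after PYTHON-3952 is deployed.` marker; hoisting the five lines into a small function called from both places would keep the two removals in sync.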
5 changes: 2 additions & 3 deletions pymongo/auth.py
Expand Up @@ -155,11 +155,11 @@ def _build_credentials_tuple(
elif mech == "MONGODB-OIDC":
properties = extra.get("authmechanismproperties", {})
request_token_callback = properties.get("request_token_callback")
refresh_token_callback = properties.get("refresh_token_callback", None)
provider_name = properties.get("PROVIDER_NAME", "")
default_allowed = [
"*.mongodb.net",
"*.mongodb-dev.net",
"*.mongodb-qa.net",
"*.mongodbgov.net",
"localhost",
"127.0.0.1",
Expand All @@ -172,11 +172,10 @@ def _build_credentials_tuple(
)
oidc_props = _OIDCProperties(
request_token_callback=request_token_callback,
refresh_token_callback=refresh_token_callback,
provider_name=provider_name,
allowed_hosts=allowed_hosts,
)
return MongoCredential(mech, "$external", user, passwd, oidc_props, None)
return MongoCredential(mech, "$external", user, passwd, oidc_props, _Cache())

elif mech == "PLAIN":
source_database = source or database or "$external"
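Review bot: `refresh_token_callback` is no longer read from `authmechanismproperties`, but nothing in this hunk rejects it, so an application that still supplies one has it silently ignored and may believe token refresh is wired up when it is not. I would fail loudly next to the `request_token_callback` lookup, `if "refresh_token_callback" in properties:` followed by raising whatever error this module already uses for invalid mechanism properties with a message like `"refresh_token_callback is no longer supported"`; the validation lines hidden between the two hunks may already do this, in which case disregard. `_build_credentials_tuple` begins before this hunk. The `return` now passes a fresh `_Cache()` where `None` was passed before, so every credential tuple owns its own cache instance; a one-line comment on that `return` stating what the cache holds and that it is per-credential would help the next reader.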