Skip to content

Commit

Permalink
Wrap up spec and prose tests.
Browse files Browse the repository at this point in the history
  • Loading branch information
@matthewdale
matthewdale committed Dec 7, 2023
1 parent 8a33d9a commit 419e1ee
Show file tree
Hide file tree
Showing 2 changed files with 100 additions and 39 deletions.
34 changes: 22 additions & 12 deletions source/auth/auth.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1211,15 +1211,15 @@ mechanism
mechanism_properties
PROVIDER_NAME
Drivers MUST allow the user to specify the name of the OIDC service to
use to obtain credentials. MUST be one of ["aws"]. If PROVIDER_NAME is
given and a custom callback is configured (either via , the driver MUST
raise an error.
use to obtain credentials. The value MUST be one of ["aws"]. If both
``PROVIDER_NAME`` and a `custom callback`_ are configured for the same
``MongoClient``, the driver MUST raise an error.

OIDC_TOKEN_CALLBACK
Drivers MAY allow the user to specify a custom OIDC callback using a
mechanism property. Drivers MUST support either the ``MongoClient``
configuration method or the mechanism property, but MUST NOT support
both.
mechanism property. Drivers MUST support specifying a callback either as
a ``MongoClient`` configuration or a mechanism property, but MUST NOT
support both.

Supported Providers
```````````````````
Expand All @@ -1233,6 +1233,12 @@ environment variable ``AWS_WEB_IDENTITY_TOKEN_FILE`` and then read the OIDC
Access Token from that file. The driver MUST use the contents of that file as
value in the ``jwt`` field of the ``saslStart`` payload.

Drivers MAY implement the AWS provider so that it conforms to the function
signature of the `custom callback`_ to prevent having to re-implement the AWS
provider logic in the OIDC prose tests.

.. _`custom callback`:

Custom Callback
_______________
Drivers MUST allow the user to integrate with OIDC providers not supported by
Expand Down Expand Up @@ -1278,7 +1284,7 @@ added to the callback signature in the future. An example might look like:

.. code:: typescript
interface OIDCTokenParams {
interface OIDCCallbackParams {
callbackTimeoutMS: int;
version: int;
}
Expand All @@ -1290,7 +1296,7 @@ added to the callback signature in the future. An example might look like:
.. code:: typescript
function oidcToken(params: OIDCTokenParams): OIDCToken
function oidcCallback(params: OIDCCallbackParams): OIDCToken
Conversation
````````````
Expand All @@ -1308,8 +1314,8 @@ Speculative Authentication
Drivers MUST implement speculative authentication for MONGODB-OIDC during the
``hello`` handshake. If there is a cached access token on the ``MongoClient``,
use it for authentication. Otherwise, call the configured workload callback to
retrieve a new access token for the new connection and send that access token
with the ``saslStart`` SASL command.
retrieve a new access token and send that access token with the speculative
authentication document.

.. _reauthentication:

Expand Down Expand Up @@ -1367,7 +1373,8 @@ authentication:
- Check if the the *Client Cache* has an access token.
- If it does, cache the returned access token in *Connection Cache* and
optimisitically try to authenticate using the access token. If the server
returns ``AuthenticationFailed`` (error code 18), continue.
returns ``AuthenticationFailed`` (error code 18), slep 100ms then
continue.
- Call the access token function for the configured provider or the custom
provider callback.
- Cache the returned access token in the *Client Cache* and *Connection Cache*.
Expand All @@ -1391,6 +1398,7 @@ described above:
sasl_conversation(conn, {"jwt": token})
return
except AuthenticationFailed:
sleep(0.1)
invalid_token = token
token = client_cache(invalid_token)
Expand All @@ -1407,7 +1415,8 @@ the following algorithm to manage the caches during `reauthentication`_:
token in the *Connection Cache*.
- If they are different, cache the returned access token in *Connection
Cache* and optimisitically try to authenticate using the access token. If
the server returns ``AuthenticationFailed`` (error code 18), continue.
the server returns ``AuthenticationFailed`` (error code 18), sleep 100ms
then continue.
- Call the access token function for the configured provider or the custom
provider callback.
- Cache the returned access token in the *Client Cache* and *Connection Cache*.
Expand All @@ -1432,6 +1441,7 @@ above:
sasl_conversation(conn, {"jwt": token})
return
except AuthenticationFailed:
sleep(0.1)
invalid_token = token
token = client_cache(invalid_token)
Expand Down
105 changes: 78 additions & 27 deletions source/auth/tests/mongodb-oidc.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,6 @@
MongoDB OIDC
============

TODO

Local Testing
~~~~~~~~~~~~~

Expand All @@ -25,34 +23,33 @@ For example, if the selected AWS profile ID is "drivers-test", run:
Prose Tests
===========


1. Custom Callback
~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with an ``OIDCCallback`` set to the
built-in AWS provider callback.
- Create a ``MongoClient`` configured with a custom OIDC callback that
implements the AWS provider logic.
- Perform a ``find`` operation that succeeds.
- Close the client.

2. Callback is called during reauthentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with an ``OIDCCallback`` set to the
built-in AWS provider callback.
- Create a ``MongoClient`` configured with a custom OIDC callback that
implements the AWS provider logic.
- Set a fail point for ``find`` commands of the form:

.. code:: javascript
{
"configureFailPoint": "failCommand",
"mode": {
"times": 1
configureFailPoint: "failCommand",
mode: {
times: 1
},
"data": {
"failCommands": [
data: {
failCommands: [
"find"
],
"errorCode": 391
errorCode: 391
}
}
Expand All @@ -61,37 +58,91 @@ Prose Tests
handshake, and again during reauthentication).
- Close the client.

3. Callback is called twice on handshake authentication failure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3. Authentication failures with cached tokens retry with a new token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with ``retryReads=false`` and a custom
OIDC callback that implements the AWS provider logic.
- Set a fail point for ``find`` commands of the form:

.. code:: javascript
- Create a ``MongoClient`` configured with an ``OIDCCallback`` set to the
built-in AWS provider callback.
{
configureFailPoint: "failCommand",
mode: {
times: 1
},
data: {
failCommands: [
"find"
],
closeConnection: true
}
}
- Perform a ``find`` operation that fails. This is to force the ``MongoClient``
to cache an access token.
- Set a fail point for ``saslStart`` commands of the form:

.. code:: javascript
{
"configureFailPoint": "failCommand",
"mode": {
"times": 1
configureFailPoint: "failCommand",
mode: {
times: 2
},
"data": {
"failCommands": [
data: {
failCommands: [
"saslStart"
],
"errorCode": 18
errorCode: 18
}
}
- Perform a ``find`` operation that succeeds.
- Perform a ``find`` operation that fails.
- Verify that the callback was called 2 times during connection handshake (once
to get the initial token, and once to refresh the token after the
authentication failure).
- Close the client.

4. Reauthentication messages are sent.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TODO
4. Reauthentication messages are sent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with a custom OIDC callback that
implements the AWS provider logic.
- Perform a ``find`` operation that succeeds.
- Set fail points for ``find`` and ``saslStart`` of the form:

.. code:: javascript
{
configureFailPoint: "failCommand",
mode: {
times: 1
},
data: {
failCommands: [
"find"
],
errorCode: 391
}
}
{
configureFailPoint: "failCommand",
mode: {
times: 2
},
data: {
failCommands: [
"saslStart"
],
errorCode: 18
}
}
- Perform a ``find`` operation that fails.
- Close the client.

=========================
Human Authentication Flow
Expand Down

0 comments on commit 419e1ee

Please sign in to comment.