From f2bd9035a4d78148475f9de68f6d14cabcacd8b5 Mon Sep 17 00:00:00 2001
From: Matt Dale <9760375+matthewdale@users.noreply.github.com>
Date: Wed, 6 Mar 2024 17:19:09 -0800
Subject: [PATCH 01/10] DRIVERS-2672 Rename OIDC integration name and values.
(cherry picked from commit dde06323313e9bca9105438f2f9de7b5fe6cc1f0)
---
source/auth/auth.md | 25 ++++++++++++-------
.../auth/tests/legacy/connection-string.json | 18 ++++++-------
.../auth/tests/legacy/connection-string.yml | 14 +++++------
source/auth/tests/mongodb-oidc.md | 6 ++---
.../tests/unified/mongodb-oidc-no-retry.yml | 2 +-
.../unified-test-format.md | 2 +-
6 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index ec6c8b0164..d11a6cce78 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1215,9 +1215,9 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
- mechanism_properties
- - PROVIDER_NAME\
- Drivers MUST allow the user to specify the name of a built-in OIDC provider integration to use to
- obtain credentials. If provided, the value MUST be one of `["aws"]`. If both `PROVIDER_NAME` and an
+ - OIDC_ENV\
+ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to
+ use to obtain credentials. If provided, the value MUST be one of `["k8s"]`. If both `OIDC_ENV` and an
[OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same
`MongoClient`, the driver MUST raise an error.
@@ -1246,20 +1246,27 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
performed after SRV record resolution, if applicable. This property is only required for drivers that support the
[Human Authentication Flow](#human-authentication-flow).
-#### Built-in Provider Integrations
+#### Built-in OIDC Environment Integrations
-Drivers MUST support all of the following built-in OIDC providers.
+Drivers MUST support all of the following built-in OIDC application environment integrations.
-####### AWS
+####### Kubernetes
-The AWS provider is enabled by setting auth mechanism property `PROVIDER_NAME:aws`.
+The Kubernetes integration is enabled by setting auth mechanism property `OIDC_ENV:k8s`.
If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the
OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the
`saslStart` payload.
-Drivers MAY implement the AWS provider so that it conforms to the function signature of the
-[OIDC Callback](#oidc-callback) to prevent having to re-implement the AWS provider logic in the OIDC prose tests.
+> \[!NOTE\]
+>
+> The Kubernetes integration currently only supports the AWS-hosted EKS Kubernetes environment. Drivers MUST document
+> that the "k8s" integration currently only supports AWS EKS, but will support more Kubernetes environments in the
+> future.
+
+Drivers MAY implement the Kubernetes integration so that it conforms to the function signature of the
+[OIDC Callback](#oidc-callback) to prevent having to re-implement the Kubernetes integration logic in the OIDC prose
+tests.
#### OIDC Callback
diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json
index 982edb8b36..e821bf9b03 100644
--- a/source/auth/tests/legacy/connection-string.json
+++ b/source/auth/tests/legacy/connection-string.json
@@ -482,8 +482,8 @@
}
},
{
- "description": "should recognise the mechanism with aws provider (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws",
+ "description": "should recognise the mechanism with k8s integration (MONGODB-OIDC)",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
"valid": true,
"credential": {
"username": null,
@@ -491,13 +491,13 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "PROVIDER_NAME": "aws"
+ "OIDC_ENV": "k8s"
}
}
},
{
"description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:k8s",
"valid": true,
"credential": {
"username": null,
@@ -505,25 +505,25 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "PROVIDER_NAME": "aws"
+ "OIDC_ENV": "k8s"
}
}
},
{
"description": "should throw an exception if supplied a password (MONGODB-OIDC)",
- "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws",
+ "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
"valid": false,
"credential": null
},
{
- "description": "should throw an exception if username is specified for aws (MONGODB-OIDC)",
- "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws",
+ "description": "should throw an exception if username is specified for k8s (MONGODB-OIDC)",
+ "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s",
"valid": false,
"credential": null
},
{
"description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid",
"valid": false,
"credential": null
},
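Review bot: The rewritten `principalName@localhost` URI still has no `authMechanismProperties=` in front of `OIDC_ENV:k8s`, so `&OIDC_ENV:k8s` is a bare query key rather than the mechanism property the description says is set. As written the case is rejected because no environment and no callback are configured, which the separate "neither provider nor callbacks specified" case (visible in the YAML counterpart) already covers, so a driver that wrongly accepts a username together with a configured environment would still pass it. The same bare form is carried into the YAML file in this commit and through the value changes in patches 02 and 04. Suggested line: `"uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",`.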
diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml
index d2658e0309..29049790cc 100644
--- a/source/auth/tests/legacy/connection-string.yml
+++ b/source/auth/tests/legacy/connection-string.yml
@@ -351,7 +351,7 @@ tests:
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
- description: should recognise the mechanism with aws provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
valid: true
credential:
username:
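Review bot: The YAML tests are changed to `OIDC_ENV:aws` here and in the next two hunks, while the JSON counterpart in the same commit uses `OIDC_ENV:k8s` and the spec text in this commit only allows `["k8s"]`, so the two test files no longer describe the same cases and the `valid: true` YAML cases expect a value the spec rejects. The JSON and YAML files are meant to be equivalent, and drivers that consume the YAML would disagree with those that consume the JSON. Patch 04 in this series moves both to `test`, but this intermediate state should carry the same value in both files: `uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s` and `OIDC_ENV: k8s`.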
@@ -359,9 +359,9 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- PROVIDER_NAME: aws
+ OIDC_ENV: aws
- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:aws
valid: true
credential:
username:
@@ -369,17 +369,17 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- PROVIDER_NAME: aws
+ OIDC_ENV: aws
- description: should throw an exception if supplied a password (MONGODB-OIDC)
- uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
valid: false
credential:
- description: should throw an exception if username is specified for aws (MONGODB-OIDC)
- uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws
+ uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:aws
valid: false
credential:
- description: should throw an exception if specified provider is not supported (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid
valid: false
credential:
- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
index e61cdfd464..abde9ca826 100644
--- a/source/auth/tests/mongodb-oidc.md
+++ b/source/auth/tests/mongodb-oidc.md
@@ -27,7 +27,7 @@ configured with `retryReads=false`.
> \[!NOTE\]
>
> For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point
-> after the test to prevent interaction between test cases.
+> aOIDC_ENV to prevent interaction between test cases.
Note that typically the preconfigured Atlas Dev clusters are used for testing, in Evergreen and locally. The URIs can be
fetched from the `drivers/oidc` Secrets vault, see
@@ -36,7 +36,7 @@ Use `OIDC_ATLAS_URI_SINGLE` for the `MONGODB_URI`. If using local servers is pre
[Local Testing](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md#local-testing)
method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
-### (1) OIDC Callback Authentication
+###OIDC_ENVlback Authentication
**1.1 Callback is called during authentication**
@@ -101,7 +101,7 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
- Set a fail point for `find` commands of the form:
-```javascript
+```javascriptOIDC_ENV
{
configureFailPoint: "failCommand",
mode: {
diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
index b500fb7db6..9c875cb280 100644
--- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml
+++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
@@ -16,7 +16,7 @@ createEntities:
# The $$placeholder document should be replaced by auth mechanism
# properties that enable OIDC auth on the target cloud platform. For
# example, when running the test on AWS, replace the $$placeholder
- # document with {"PROVIDER_NAME": "aws"}.
+ # document with {"OIDC_ENV": "aws"}.
authMechanismProperties: { $$placeholder: 1 }
retryReads: false
retryWrites: false
diff --git a/source/unified-test-format/unified-test-format.md b/source/unified-test-format/unified-test-format.md
index c84e23207f..cad69a2c20 100644
--- a/source/unified-test-format/unified-test-format.md
+++ b/source/unified-test-format/unified-test-format.md
@@ -422,7 +422,7 @@ The structure of this object is as follows:
uriOptions:
authMechanism: "MONGODB-OIDC"
authMechanismProperties:
- PROVIDER_NAME: { $$placeholder: 1 }
+ OIDC_ENV: { $$placeholder: 1 }
```
From d1b4b0b6f0febfb4c649b7f9d6943646b28b65b7 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 06:40:02 -0600
Subject: [PATCH 02/10] Rename OIDC property PROVIDER_NAME and config values
---
source/auth/auth.md | 21 ++++++++-----------
.../auth/tests/legacy/connection-string.json | 16 +++++++-------
source/auth/tests/mongodb-oidc.md | 12 +++++------
3 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index d11a6cce78..dfdbd50ec5 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1217,7 +1217,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
- OIDC_ENV\
Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to
- use to obtain credentials. If provided, the value MUST be one of `["k8s"]`. If both `OIDC_ENV` and an
+ use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an
[OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same
`MongoClient`, the driver MUST raise an error.
@@ -1246,27 +1246,24 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
performed after SRV record resolution, if applicable. This property is only required for drivers that support the
[Human Authentication Flow](#human-authentication-flow).
+
+
#### Built-in OIDC Environment Integrations
Drivers MUST support all of the following built-in OIDC application environment integrations.
-####### Kubernetes
+####### Test
-The Kubernetes integration is enabled by setting auth mechanism property `OIDC_ENV:k8s`.
+The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is not meant to be documented as
+a user-facing feature, but used for testing purposes, with the self-generated token created by the script in Drivers
+Evergreen Tools.
If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the
OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the
`saslStart` payload.
-> \[!NOTE\]
->
-> The Kubernetes integration currently only supports the AWS-hosted EKS Kubernetes environment. Drivers MUST document
-> that the "k8s" integration currently only supports AWS EKS, but will support more Kubernetes environments in the
-> future.
-
-Drivers MAY implement the Kubernetes integration so that it conforms to the function signature of the
-[OIDC Callback](#oidc-callback) to prevent having to re-implement the Kubernetes integration logic in the OIDC prose
-tests.
+Drivers MAY implement the "test" integration so that it conforms to the function signature of the
+[OIDC Callback](#oidc-callback) to prevent having to re-implement the "tet" integration logic in the OIDC prose tests.
#### OIDC Callback
diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json
index e821bf9b03..af1106f5d7 100644
--- a/source/auth/tests/legacy/connection-string.json
+++ b/source/auth/tests/legacy/connection-string.json
@@ -482,8 +482,8 @@
}
},
{
- "description": "should recognise the mechanism with k8s integration (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
+ "description": "should recognise the mechanism with test integration (MONGODB-OIDC)",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test",
"valid": true,
"credential": {
"username": null,
@@ -491,13 +491,13 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "OIDC_ENV": "k8s"
+ "OIDC_ENV": "test"
}
}
},
{
"description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:k8s",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test",
"valid": true,
"credential": {
"username": null,
@@ -505,19 +505,19 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "OIDC_ENV": "k8s"
+ "OIDC_ENV": "test"
}
}
},
{
"description": "should throw an exception if supplied a password (MONGODB-OIDC)",
- "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
+ "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test",
"valid": false,
"credential": null
},
{
- "description": "should throw an exception if username is specified for k8s (MONGODB-OIDC)",
- "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s",
+ "description": "should throw an exception if username is specified for test (MONGODB-OIDC)",
+ "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test",
"valid": false,
"credential": null
},
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
index abde9ca826..654305a0d2 100644
--- a/source/auth/tests/mongodb-oidc.md
+++ b/source/auth/tests/mongodb-oidc.md
@@ -40,14 +40,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
**1.1 Callback is called during authentication**
-- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
- Perform a `find` operation that succeeds.
- Assert that the callback was called 1 time.
- Close the client.
**1.2 Callback is called once for multiple connections**
-- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
- Start 10 threads and run 100 `find` operations in each thread that all succeed.
- Assert that the callback was called 1 time.
- Close the client.
@@ -76,14 +76,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
**2.4 Invalid Client Configuration with Callback**
-- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `PROVIDER_NAME:aws`.
+- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `OIDC_ENV:test`.
- Assert it returns a client configuration error.
### (3) Authentication Failure
**3.1 Authentication failure with cached tokens fetch a new token and retry auth**
-- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
- Poison the *Client Cache* with an invalid access token.
- Perform a `find` operation that succeeds.
- Assert that the callback was called 1 time.
@@ -98,10 +98,10 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
### (4) Reauthentication
-- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
- Set a fail point for `find` commands of the form:
-```javascriptOIDC_ENV
+```javascript
{
configureFailPoint: "failCommand",
mode: {
From 70bbd926ce922c79565a8ba15385cd8e540bf468 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 06:41:26 -0600
Subject: [PATCH 03/10] add changelog
---
source/auth/auth.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index dfdbd50ec5..28d52e7083 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1923,6 +1923,8 @@ to EC2 instance metadata in ECS, for security reasons, Amazon states it's best p
## Changelog
+- 2024-03-09: Rename OIDC integration name and values.
+
- 2024-01-31: Migrated from reStructuredText to Markdown.
- 2024-01-17: Added MONGODB-OIDC machine auth flow spec and combine with human\
From 957e30e8ba99c11e3ebf893ea362f7d12af29c86 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 06:42:24 -0600
Subject: [PATCH 04/10] update yml file
---
source/auth/tests/legacy/connection-string.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml
index 29049790cc..9bb093941d 100644
--- a/source/auth/tests/legacy/connection-string.yml
+++ b/source/auth/tests/legacy/connection-string.yml
@@ -351,7 +351,7 @@ tests:
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
- description: should recognise the mechanism with aws provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test
valid: true
credential:
username:
@@ -359,9 +359,9 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- OIDC_ENV: aws
+ OIDC_ENV: test
- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test
valid: true
credential:
username:
@@ -369,13 +369,13 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- OIDC_ENV: aws
+ OIDC_ENV: test
- description: should throw an exception if supplied a password (MONGODB-OIDC)
- uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
+ uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test
valid: false
credential:
- description: should throw an exception if username is specified for aws (MONGODB-OIDC)
- uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:aws
+ uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test
valid: false
credential:
- description: should throw an exception if specified provider is not supported (MONGODB-OIDC)
From 985cb210b6b480307245f7a1c92fd283dcf72d28 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 07:27:30 -0600
Subject: [PATCH 05/10] cleanup
---
source/auth/auth.md | 2 +-
source/auth/tests/legacy/connection-string.json | 6 +++---
source/auth/tests/legacy/connection-string.yml | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index 28d52e7083..eb40c84657 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1263,7 +1263,7 @@ OIDC access token from that file. The driver MUST use the contents of that file
`saslStart` payload.
Drivers MAY implement the "test" integration so that it conforms to the function signature of the
-[OIDC Callback](#oidc-callback) to prevent having to re-implement the "tet" integration logic in the OIDC prose tests.
+[OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests.
#### OIDC Callback
diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json
index af1106f5d7..53bd0392cd 100644
--- a/source/auth/tests/legacy/connection-string.json
+++ b/source/auth/tests/legacy/connection-string.json
@@ -496,7 +496,7 @@
}
},
{
- "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)",
+ "description": "should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)",
"uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test",
"valid": true,
"credential": {
@@ -522,13 +522,13 @@
"credential": null
},
{
- "description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)",
+ "description": "should throw an exception if specified environment is not supported (MONGODB-OIDC)",
"uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid",
"valid": false,
"credential": null
},
{
- "description": "should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)",
+ "description": "should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC)",
"uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC",
"valid": false,
"credential": null
diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml
index 9bb093941d..51dab25860 100644
--- a/source/auth/tests/legacy/connection-string.yml
+++ b/source/auth/tests/legacy/connection-string.yml
@@ -350,7 +350,7 @@ tests:
mechanism: MONGODB-AWS
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
-- description: should recognise the mechanism with aws provider (MONGODB-OIDC)
+- description: should recognise the mechanism with test environment (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test
valid: true
credential:
@@ -360,7 +360,7 @@ tests:
mechanism: MONGODB-OIDC
mechanism_properties:
OIDC_ENV: test
-- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)
+- description: should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test
valid: true
credential:
@@ -378,11 +378,11 @@ tests:
uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test
valid: false
credential:
-- description: should throw an exception if specified provider is not supported (MONGODB-OIDC)
+- description: should throw an exception if specified environment is not supported (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid
valid: false
credential:
-- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)
+- description: should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
valid: false
credential:
From 22720a6cd93b56bc3b702464513b9b2901486f96 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 07:28:55 -0600
Subject: [PATCH 06/10] cleanup
---
source/auth/tests/mongodb-oidc.md | 4 ++--
source/auth/tests/unified/mongodb-oidc-no-retry.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
index 654305a0d2..1357aa7e38 100644
--- a/source/auth/tests/mongodb-oidc.md
+++ b/source/auth/tests/mongodb-oidc.md
@@ -27,7 +27,7 @@ configured with `retryReads=false`.
> \[!NOTE\]
>
> For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point
-> aOIDC_ENV to prevent interaction between test cases.
+> callback to prevent interaction between test cases.
Note that typically the preconfigured Atlas Dev clusters are used for testing, in Evergreen and locally. The URIs can be
fetched from the `drivers/oidc` Secrets vault, see
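Review bot: The replacement `callback to prevent interaction between test cases` does not restore the sentence that patch 01 corrupted; before that patch the line read `after the test to prevent interaction between test cases`, and "remove the fail point callback" changes the meaning. The heading repair in the next hunk has the same problem: `### Callback Authentication` drops the `(1)` that the sibling headings `### (3) Authentication Failure` and `### (4) Reauthentication` still carry, and the pre-corruption heading was `### (1) OIDC Callback Authentication`. Suggested lines: `> after the test to prevent interaction between test cases.` and `### (1) OIDC Callback Authentication`.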
@@ -36,7 +36,7 @@ Use `OIDC_ATLAS_URI_SINGLE` for the `MONGODB_URI`. If using local servers is pre
[Local Testing](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md#local-testing)
method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
-###OIDC_ENVlback Authentication
+### Callback Authentication
**1.1 Callback is called during authentication**
diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
index 9c875cb280..b4bce30f8b 100644
--- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml
+++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
@@ -15,8 +15,8 @@ createEntities:
authMechanism: "MONGODB-OIDC"
# The $$placeholder document should be replaced by auth mechanism
# properties that enable OIDC auth on the target cloud platform. For
- # example, when running the test on AWS, replace the $$placeholder
- # document with {"OIDC_ENV": "aws"}.
+ # example, when running the test on EC2, replace the $$placeholder
+ # document with {"OIDC_ENV": "test"}.
authMechanismProperties: { $$placeholder: 1 }
retryReads: false
retryWrites: false
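Review bot: The updated comment ties `{"OIDC_ENV": "test"}` to "running the test on EC2", but nothing in this series makes the test integration EC2-specific: as of patch 02 it is described as reading a self-generated token from a file, and the surrounding comment still speaks of "the target cloud platform". The key is renamed again to `ENVIRONMENT` in patch 08, and patch 09's diffstat lists this file (its hunk is not on this page), so a platform-specific example here is likely to drift. `# example, when running with the test environment, replace the $$placeholder` followed by `# document with {"OIDC_ENV": "test"}.` keeps the example platform-neutral.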
From 81f4bf850a01f269a4bd2aa64fe8993660cda493 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 8 Mar 2024 07:32:41 -0600
Subject: [PATCH 07/10] cleanup
---
source/auth/auth.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index eb40c84657..f0c9ae76b8 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1254,13 +1254,13 @@ Drivers MUST support all of the following built-in OIDC application environment
####### Test
-The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is not meant to be documented as
-a user-facing feature, but used for testing purposes, with the self-generated token created by the script in Drivers
-Evergreen Tools.
+The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is meant for driver testing
+purposes, and is not meant to be documented as a user-facing feature.
-If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the
-OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the
-`saslStart` payload.
+If enabled, drivers MUST generate a token using the script in Drivers-Evergreen-Tools. The must then set the
+`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable to the path to that file. At runtime, the driver MUST use the
+`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver MUST use
+the contents of that file as value in the `jwt` field of the `saslStart` payload.
Drivers MAY implement the "test" integration so that it conforms to the function signature of the
[OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests.
From 5a65c63eb2d64fd8cfc41202b6b32f0107192b16 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 11 Mar 2024 20:57:01 -0500
Subject: [PATCH 08/10] address review
---
source/auth/auth.md | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index f0c9ae76b8..12456977c9 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1215,9 +1215,9 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
- mechanism_properties
- - OIDC_ENV\
- Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to
- use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an
+ - ENVIRONMENT\
+ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration
+ to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an
[OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same
`MongoClient`, the driver MUST raise an error.
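Review bot: The property is renamed to `ENVIRONMENT` in the bullet, but the same sentence still says "If both `OIDC_ENV` and an [OIDC Callback]...", so the paragraph now names two different properties for one option. The connection-string test files and the prose tests in this series still send `OIDC_ENV:test` as of this commit (patch 09's diffstat lists them, but its hunks are not on this page), so a driver implemented from this state would accept a property name the tests do not exercise. Suggested line: `to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `ENVIRONMENT` and an`.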
@@ -1254,13 +1254,14 @@ Drivers MUST support all of the following built-in OIDC application environment
####### Test
-The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is meant for driver testing
+The test integration is enabled by setting auth mechanism property `ENVIRONMENT:test`. It is meant for driver testing
purposes, and is not meant to be documented as a user-facing feature.
-If enabled, drivers MUST generate a token using the script in Drivers-Evergreen-Tools. The must then set the
-`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable to the path to that file. At runtime, the driver MUST use the
-`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver MUST use
-the contents of that file as value in the `jwt` field of the `saslStart` payload.
+If enabled, drivers MUST generate a token using a script in the `auth_oidc`
+[folder](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/master/.evergreen/auth_oidc#readme) in Drivers
+Evergreen Tools. The must then set the `OIDC_TOKEN_FILE` environment variable to the path to that file. At runtime, the
+driver MUST use the `OIDC_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver
+MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload.
Drivers MAY implement the "test" integration so that it conforms to the function signature of the
[OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests.
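Review bot: "The must then set the `OIDC_TOKEN_FILE` environment variable" in the new paragraph is a typo, and the sentence attributes token generation and setting the variable to "drivers" even though those are test-setup steps; only reading the file at runtime is driver behavior. Suggest splitting the actors: "If enabled, the test setup MUST generate a token using a script in the `auth_oidc` folder in Drivers Evergreen Tools and set the `OIDC_TOKEN_FILE` environment variable to the path of that file. At runtime, the driver MUST read the OIDC access token from the path in `OIDC_TOKEN_FILE` and use the contents of that file as the value of the `jwt` field of the `saslStart` payload." Since the file contents go verbatim into the `jwt` field, it would also help implementers to state whether trailing whitespace or a trailing newline in the token file is stripped before use.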
From 08e8705941b84c7837fdbf97f1d946e43553a167 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 11 Mar 2024 21:30:42 -0500
Subject: [PATCH 09/10] more cleanup
---
source/auth/auth.md | 2 +-
source/auth/tests/legacy/connection-string.json | 14 +++++++-------
source/auth/tests/legacy/connection-string.yml | 14 +++++++-------
source/auth/tests/mongodb-oidc.md | 12 ++++++------
.../auth/tests/unified/mongodb-oidc-no-retry.yml | 2 +-
source/unified-test-format/unified-test-format.md | 2 +-
6 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index 12456977c9..76e298d8ab 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1217,7 +1217,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
- ENVIRONMENT\
Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration
- to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an
+ to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `ENVIRONMENT` and an
[OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same
`MongoClient`, the driver MUST raise an error.
diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json
index 53bd0392cd..a5f3c7e085 100644
--- a/source/auth/tests/legacy/connection-string.json
+++ b/source/auth/tests/legacy/connection-string.json
@@ -483,7 +483,7 @@
},
{
"description": "should recognise the mechanism with test integration (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",
"valid": true,
"credential": {
"username": null,
@@ -491,13 +491,13 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "OIDC_ENV": "test"
+ "ENVIRONMENT": "test"
}
}
},
{
"description": "should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=ENVIRONMENT:test",
"valid": true,
"credential": {
"username": null,
@@ -505,25 +505,25 @@
"source": "$external",
"mechanism": "MONGODB-OIDC",
"mechanism_properties": {
- "OIDC_ENV": "test"
+ "ENVIRONMENT": "test"
}
}
},
{
"description": "should throw an exception if supplied a password (MONGODB-OIDC)",
- "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test",
+ "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",
"valid": false,
"credential": null
},
{
"description": "should throw an exception if username is specified for test (MONGODB-OIDC)",
- "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test",
+ "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test",
"valid": false,
"credential": null
},
{
"description": "should throw an exception if specified environment is not supported (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:invalid",
"valid": false,
"credential": null
},
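Review bot: The URI in the "should throw an exception if username is specified for test" case places `ENVIRONMENT:test` as a bare query segment rather than inside `authMechanismProperties=`, so a driver may reject the URI for the malformed option instead of for the username, and the case no longer checks what its description claims. The same form is carried over in connection-string.yml (the `principalName@localhost` URI in that file's last hunk). Suggest `"uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",` and the corresponding line in the YAML twin.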
diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml
index 51dab25860..8c3d46d01a 100644
--- a/source/auth/tests/legacy/connection-string.yml
+++ b/source/auth/tests/legacy/connection-string.yml
@@ -351,7 +351,7 @@ tests:
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
- description: should recognise the mechanism with test environment (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test
valid: true
credential:
username:
@@ -359,9 +359,9 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- OIDC_ENV: test
+ ENVIRONMENT: test
- description: should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=ENVIRONMENT:test
valid: true
credential:
username:
@@ -369,17 +369,17 @@ tests:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
- OIDC_ENV: test
+ ENVIRONMENT: test
- description: should throw an exception if supplied a password (MONGODB-OIDC)
- uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test
+ uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test
valid: false
credential:
- description: should throw an exception if username is specified for aws (MONGODB-OIDC)
- uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test
+ uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test
valid: false
credential:
- description: should throw an exception if specified environment is not supported (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:invalid
valid: false
credential:
- description: should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC)
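Review bot: The description "should throw an exception if username is specified for aws (MONGODB-OIDC)" still says "aws" while the JSON twin and the neighbouring cases say "test"; the two files are meant to be equivalent, so this context line should be updated with the rename: `- description: should throw an exception if username is specified for test (MONGODB-OIDC)`. As a point of style, the bare `credential:` values in this hunk rely on an empty value parsing as null; `credential: null` would make the intent explicit and match the JSON file's `"credential": null`.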
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
index 1357aa7e38..9c059c8201 100644
--- a/source/auth/tests/mongodb-oidc.md
+++ b/source/auth/tests/mongodb-oidc.md
@@ -14,7 +14,7 @@ For example, if the selected AWS profile ID is "drivers-test", run:
aws configure sso
export OIDC_TOKEN_DIR=/tmp/tokens
AWS_PROFILE="drivers-test" oidc_get_tokens.sh
-AWS_WEB_IDENTITY_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command
+OIDC_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command
```
______________________________________________________________________
@@ -40,14 +40,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
**1.1 Callback is called during authentication**
-- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic.
- Perform a `find` operation that succeeds.
- Assert that the callback was called 1 time.
- Close the client.
**1.2 Callback is called once for multiple connections**
-- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic.
- Start 10 threads and run 100 `find` operations in each thread that all succeed.
- Assert that the callback was called 1 time.
- Close the client.
@@ -76,14 +76,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
**2.4 Invalid Client Configuration with Callback**
-- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `OIDC_ENV:test`.
+- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `ENVIRONMENT:test`.
- Assert it returns a client configuration error.
### (3) Authentication Failure
**3.1 Authentication failure with cached tokens fetch a new token and retry auth**
-- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic.
- Poison the *Client Cache* with an invalid access token.
- Perform a `find` operation that succeeds.
- Assert that the callback was called 1 time.
@@ -98,7 +98,7 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
### (4) Reauthentication
-- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic.
+- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic.
- Set a fail point for `find` commands of the form:
```javascript
diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
index b4bce30f8b..8108acb501 100644
--- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml
+++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
@@ -16,7 +16,7 @@ createEntities:
# The $$placeholder document should be replaced by auth mechanism
# properties that enable OIDC auth on the target cloud platform. For
# example, when running the test on EC2, replace the $$placeholder
- # document with {"OIDC_ENV": "test"}.
+ # document with {"ENVIRONMENT": "test"}.
authMechanismProperties: { $$placeholder: 1 }
retryReads: false
retryWrites: false
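Review bot: The updated comment still frames the placeholder as enabling OIDC "on the target cloud platform" with EC2 as the example, but `{"ENVIRONMENT": "test"}` is the test-only integration rather than an EC2 value, so the example no longer matches its framing. The placeholder here also replaces the whole `authMechanismProperties` document, whereas the unified-test-format.md hunk in this same patch shows the placeholder as the value of `ENVIRONMENT`; the two examples should agree on which level is substituted. Suggest rewording the comment to `# properties that enable OIDC auth for the environment under test. For example, when running against the test integration, replace the $$placeholder document with {"ENVIRONMENT": "test"}.`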
diff --git a/source/unified-test-format/unified-test-format.md b/source/unified-test-format/unified-test-format.md
index cad69a2c20..f3c2c02462 100644
--- a/source/unified-test-format/unified-test-format.md
+++ b/source/unified-test-format/unified-test-format.md
@@ -422,7 +422,7 @@ The structure of this object is as follows:
uriOptions:
authMechanism: "MONGODB-OIDC"
authMechanismProperties:
- OIDC_ENV: { $$placeholder: 1 }
+ ENVIRONMENT: { $$placeholder: 1 }
```
From 55d5c1e94ab223207c3daf0983c1f5f7c7fc58d0 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 19 Mar 2024 20:06:45 -0500
Subject: [PATCH 10/10] fix header
---
source/auth/auth.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/auth/auth.md b/source/auth/auth.md
index 76e298d8ab..3ba9cc9326 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1252,7 +1252,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
Drivers MUST support all of the following built-in OIDC application environment integrations.
-####### Test
+**Test**
The test integration is enabled by setting auth mechanism property `ENVIRONMENT:test`. It is meant for driver testing
purposes, and is not meant to be documented as a user-facing feature.