From f2bd9035a4d78148475f9de68f6d14cabcacd8b5 Mon Sep 17 00:00:00 2001 From: Matt Dale <9760375+matthewdale@users.noreply.github.com> Date: Wed, 6 Mar 2024 17:19:09 -0800 Subject: [PATCH 01/10] DRIVERS-2672 Rename OIDC integration name and values. (cherry picked from commit dde06323313e9bca9105438f2f9de7b5fe6cc1f0) --- source/auth/auth.md | 25 ++++++++++++------- .../auth/tests/legacy/connection-string.json | 18 ++++++------- .../auth/tests/legacy/connection-string.yml | 14 +++++------ source/auth/tests/mongodb-oidc.md | 6 ++--- .../tests/unified/mongodb-oidc-no-retry.yml | 2 +- .../unified-test-format.md | 2 +- 6 files changed, 37 insertions(+), 30 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index ec6c8b0164..d11a6cce78 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1215,9 +1215,9 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall - mechanism_properties - - PROVIDER_NAME\ - Drivers MUST allow the user to specify the name of a built-in OIDC provider integration to use to - obtain credentials. If provided, the value MUST be one of `["aws"]`. If both `PROVIDER_NAME` and an + - OIDC_ENV\ + Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to + use to obtain credentials. If provided, the value MUST be one of `["k8s"]`. If both `OIDC_ENV` and an [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error. 
@@ -1246,20 +1246,27 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall performed after SRV record resolution, if applicable. This property is only required for drivers that support the [Human Authentication Flow](#human-authentication-flow). -#### Built-in Provider Integrations +#### Built-in OIDC Environment Integrations -Drivers MUST support all of the following built-in OIDC providers. +Drivers MUST support all of the following built-in OIDC application environment integrations. -####### AWS +####### Kubernetes -The AWS provider is enabled by setting auth mechanism property `PROVIDER_NAME:aws`. +The Kubernetes integration is enabled by setting auth mechanism property `OIDC_ENV:k8s`. If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload. -Drivers MAY implement the AWS provider so that it conforms to the function signature of the -[OIDC Callback](#oidc-callback) to prevent having to re-implement the AWS provider logic in the OIDC prose tests. +> \[!NOTE\] +> +> The Kubernetes integration currently only supports the AWS-hosted EKS Kubernetes environment. Drivers MUST document +> that the "k8s" integration currently only supports AWS EKS, but will support more Kubernetes environments in the +> future. + +Drivers MAY implement the Kubernetes integration so that it conforms to the function signature of the +[OIDC Callback](#oidc-callback) to prevent having to re-implement the Kubernetes integration logic in the OIDC prose +tests. #### OIDC Callback diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 982edb8b36..e821bf9b03 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json 
@@ -482,8 +482,8 @@ } }, { - "description": "should recognise the mechanism with aws provider (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws", + "description": "should recognise the mechanism with k8s integration (MONGODB-OIDC)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s", "valid": true, "credential": { "username": null, @@ -491,13 +491,13 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "PROVIDER_NAME": "aws" + "OIDC_ENV": "k8s" } } }, { "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:k8s", "valid": true, "credential": { "username": null, 
@@ -505,25 +505,25 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "PROVIDER_NAME": "aws" + "OIDC_ENV": "k8s" } } }, { "description": "should throw an exception if supplied a password (MONGODB-OIDC)", - "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s", "valid": false, "credential": null }, { - "description": "should throw an exception if username is specified for aws (MONGODB-OIDC)", - "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws", + "description": "should throw an exception if username is specified for k8s (MONGODB-OIDC)", + "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s", "valid": false, "credential": null }, { "description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid", "valid": false, "credential": null }, diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index d2658e0309..29049790cc 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml @@ -351,7 +351,7 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should recognise the mechanism with aws provider (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws valid: true credential: username: 
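Review bot: The "username is specified for k8s" case keeps `OIDC_ENV:k8s` as a bare query parameter rather than inside `authMechanismProperties=`, so the environment is never actually configured and the URI is presumably rejected for a different reason than the description claims (a URI with neither environment nor callback is itself invalid per the last case of this file). The rename carried this over from the old `&PROVIDER_NAME:aws` form; the URI should read `mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s`. The same shape of URI recurs in the YAML fixture's @@ -369 hunk in this patch and in the later renames of both files (patches 02 and 04).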
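Review bot: This YAML fixture sets `OIDC_ENV:aws` while the JSON fixture in the same patch and the spec text (`["k8s"]`) use `k8s`, so the two legacy test corpora, which are meant to be equivalent, now disagree and the YAML cases would not pass against a driver that only accepts the spec's value. The URI here and the values in the @@ -359 and @@ -369 hunks should be `OIDC_ENV:k8s` and `OIDC_ENV: k8s`; the `mongodb-oidc-no-retry.yml` comment (`{"OIDC_ENV": "aws"}`) has the same drift. Patch 04 later moves the YAML to `test`, which removes the mismatch only because patch 02 changes the JSON value as well.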
@@ -359,9 +359,9 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - PROVIDER_NAME: aws + OIDC_ENV: aws - description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:aws valid: true credential: username: @@ -369,17 +369,17 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - PROVIDER_NAME: aws + OIDC_ENV: aws - description: should throw an exception if supplied a password (MONGODB-OIDC) - uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws + uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws valid: false credential: - description: should throw an exception if username is specified for aws (MONGODB-OIDC) - uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws + uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:aws valid: false credential: - description: should throw an exception if specified provider is not supported (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid valid: false credential: - description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index e61cdfd464..abde9ca826 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md 
@@ -27,7 +27,7 @@ configured with `retryReads=false`. > \[!NOTE\] > > For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point -> after the test to prevent interaction between test cases. +> aOIDC_ENV to prevent interaction between test cases. Note that typically the preconfigured Atlas Dev clusters are used for testing, in Evergreen and locally. The URIs can be fetched from the `drivers/oidc` Secrets vault, see @@ -36,7 +36,7 @@ Use `OIDC_ATLAS_URI_SINGLE` for the `MONGODB_URI`. If using local servers is pre [Local Testing](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md#local-testing) method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. -### (1) OIDC Callback Authentication +###OIDC_ENVlback Authentication **1.1 Callback is called during authentication** @@ -101,7 +101,7 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. - Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic. - Set a fail point for `find` commands of the form: -```javascript +```javascriptOIDC_ENV { configureFailPoint: "failCommand", mode: { diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml index b500fb7db6..9c875cb280 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml @@ -16,7 +16,7 @@ createEntities: # The $$placeholder document should be replaced by auth mechanism # properties that enable OIDC auth on the target cloud platform. For # example, when running the test on AWS, replace the $$placeholder - # document with {"PROVIDER_NAME": "aws"}. + # document with {"OIDC_ENV": "aws"}. authMechanismProperties: { $$placeholder: 1 } retryReads: false retryWrites: false 
diff --git a/source/unified-test-format/unified-test-format.md b/source/unified-test-format/unified-test-format.md
index c84e23207f..cad69a2c20 100644
--- a/source/unified-test-format/unified-test-format.md
+++ b/source/unified-test-format/unified-test-format.md
@@ -422,7 +422,7 @@ The structure of this object is as follows:
 uriOptions:
 authMechanism: "MONGODB-OIDC"
 authMechanismProperties:
- PROVIDER_NAME: { $$placeholder: 1 }
+ OIDC_ENV: { $$placeholder: 1 }
 ```
From d1b4b0b6f0febfb4c649b7f9d6943646b28b65b7 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Mar 2024 06:40:02 -0600 Subject: [PATCH 02/10] Rename OIDC property PROVIDER_NAME and config values --- source/auth/auth.md | 21 ++++++++----------- .../auth/tests/legacy/connection-string.json | 16 +++++++------- source/auth/tests/mongodb-oidc.md | 12 +++++------ 3 files changed, 23 insertions(+), 26 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index d11a6cce78..dfdbd50ec5 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1217,7 +1217,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall - OIDC_ENV\ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to - use to obtain credentials. If provided, the value MUST be one of `["k8s"]`. If both `OIDC_ENV` and an + use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error. @@ -1246,27 +1246,24 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall performed after SRV record resolution, if applicable. This property is only required for drivers that support the [Human Authentication Flow](#human-authentication-flow). +
+ #### Built-in OIDC Environment Integrations Drivers MUST support all of the following built-in OIDC application environment integrations. -####### Kubernetes +####### Test -The Kubernetes integration is enabled by setting auth mechanism property `OIDC_ENV:k8s`. +The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is not meant to be documented as +a user-facing feature, but used for testing purposes, with the self-generated token created by the script in Drivers +Evergreen Tools. If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload. -> \[!NOTE\] -> -> The Kubernetes integration currently only supports the AWS-hosted EKS Kubernetes environment. Drivers MUST document -> that the "k8s" integration currently only supports AWS EKS, but will support more Kubernetes environments in the -> future. - -Drivers MAY implement the Kubernetes integration so that it conforms to the function signature of the -[OIDC Callback](#oidc-callback) to prevent having to re-implement the Kubernetes integration logic in the OIDC prose -tests. +Drivers MAY implement the "test" integration so that it conforms to the function signature of the +[OIDC Callback](#oidc-callback) to prevent having to re-implement the "tet" integration logic in the OIDC prose tests. #### OIDC Callback diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index e821bf9b03..af1106f5d7 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json 
@@ -482,8 +482,8 @@ } }, { - "description": "should recognise the mechanism with k8s integration (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s", + "description": "should recognise the mechanism with test integration (MONGODB-OIDC)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test", "valid": true, "credential": { "username": null, @@ -491,13 +491,13 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "OIDC_ENV": "k8s" + "OIDC_ENV": "test" } } }, { "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:k8s", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test", "valid": true, "credential": { "username": null, @@ -505,19 +505,19 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "OIDC_ENV": "k8s" + "OIDC_ENV": "test" } } }, { "description": "should throw an exception if supplied a password (MONGODB-OIDC)", - "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test", "valid": false, "credential": null }, { - "description": "should throw an exception if username is specified for k8s (MONGODB-OIDC)", - "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s", + "description": "should throw an exception if username is specified for test (MONGODB-OIDC)", + "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test", "valid": false, "credential": null }, 
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index abde9ca826..654305a0d2 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -40,14 +40,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. **1.1 Callback is called during authentication** -- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. - Perform a `find` operation that succeeds. - Assert that the callback was called 1 time. - Close the client. **1.2 Callback is called once for multiple connections** -- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. - Start 10 threads and run 100 `find` operations in each thread that all succeed. - Assert that the callback was called 1 time. - Close the client. @@ -76,14 +76,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. **2.4 Invalid Client Configuration with Callback** -- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `PROVIDER_NAME:aws`. +- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `OIDC_ENV:test`. - Assert it returns a client configuration error. ### (3) Authentication Failure **3.1 Authentication failure with cached tokens fetch a new token and retry auth** -- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. - Poison the *Client Cache* with an invalid access token. - Perform a `find` operation that succeeds. - Assert that the callback was called 1 time. 
@@ -98,10 +98,10 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. ### (4) Reauthentication -- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. - Set a fail point for `find` commands of the form: -```javascriptOIDC_ENV +```javascript { configureFailPoint: "failCommand", mode: { From 70bbd926ce922c79565a8ba15385cd8e540bf468 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Mar 2024 06:41:26 -0600 Subject: [PATCH 03/10] add changelog --- source/auth/auth.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/auth/auth.md b/source/auth/auth.md index dfdbd50ec5..28d52e7083 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1923,6 +1923,8 @@ to EC2 instance metadata in ECS, for security reasons, Amazon states it's best p ## Changelog +- 2024-03-09: Rename OIDC integration name and values. + - 2024-01-31: Migrated from reStructuredText to Markdown. - 2024-01-17: Added MONGODB-OIDC machine auth flow spec and combine with human\ From 957e30e8ba99c11e3ebf893ea362f7d12af29c86 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Mar 2024 06:42:24 -0600 Subject: [PATCH 04/10] update yml file --- source/auth/tests/legacy/connection-string.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 29049790cc..9bb093941d 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml 
@@ -351,7 +351,7 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should recognise the mechanism with aws provider (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test valid: true credential: username: @@ -359,9 +359,9 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - OIDC_ENV: aws + OIDC_ENV: test - description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:aws + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test valid: true credential: username: @@ -369,13 +369,13 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - OIDC_ENV: aws + OIDC_ENV: test - description: should throw an exception if supplied a password (MONGODB-OIDC) - uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws + uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test valid: false credential: - description: should throw an exception if username is specified for aws (MONGODB-OIDC) - uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:aws + uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test valid: false credential: - description: should throw an exception if specified provider is not supported (MONGODB-OIDC) From 985cb210b6b480307245f7a1c92fd283dcf72d28 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Fri, 8 Mar 2024 07:27:30 -0600 Subject: [PATCH 05/10] cleanup --- source/auth/auth.md | 2 +- source/auth/tests/legacy/connection-string.json | 6 +++--- source/auth/tests/legacy/connection-string.yml | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 28d52e7083..eb40c84657 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1263,7 +1263,7 @@ OIDC access token from that file. The driver MUST use the contents of that file `saslStart` payload. Drivers MAY implement the "test" integration so that it conforms to the function signature of the -[OIDC Callback](#oidc-callback) to prevent having to re-implement the "tet" integration logic in the OIDC prose tests. +[OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests. #### OIDC Callback diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index af1106f5d7..53bd0392cd 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -496,7 +496,7 @@ } }, { - "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)", + "description": "should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test", "valid": true, "credential": { 
@@ -522,13 +522,13 @@ "credential": null }, { - "description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)", + "description": "should throw an exception if specified environment is not supported (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid", "valid": false, "credential": null }, { - "description": "should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)", + "description": "should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC", "valid": false, "credential": null diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 9bb093941d..51dab25860 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml @@ -350,7 +350,7 @@ tests: mechanism: MONGODB-AWS mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ -- description: should recognise the mechanism with aws provider (MONGODB-OIDC) +- description: should recognise the mechanism with test environment (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test valid: true credential: @@ -360,7 +360,7 @@ tests: mechanism: MONGODB-OIDC mechanism_properties: OIDC_ENV: test -- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC) +- description: should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test valid: true credential: 
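Review bot: The renamed description `should recognise the mechanism with test environment (MONGODB-OIDC)` diverges from the JSON fixture, whose counterpart still reads "should recognise the mechanism with test integration (MONGODB-OIDC)" (patch 02's JSON @@ -482 hunk; this patch's JSON @@ -496 hunk does not touch it). The JSON and YAML legacy files are meant to be the same cases in two encodings, so the descriptions should be identical in both. Either change the JSON description to the "test environment" wording or keep "test integration" here; the "with environment" rename in the @@ -360 hunk is matched on the JSON side and is fine.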
@@ -378,11 +378,11 @@ tests: uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test valid: false credential: -- description: should throw an exception if specified provider is not supported (MONGODB-OIDC) +- description: should throw an exception if specified environment is not supported (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid valid: false credential: -- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC) +- description: should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC valid: false credential: From 22720a6cd93b56bc3b702464513b9b2901486f96 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Mar 2024 07:28:55 -0600 Subject: [PATCH 06/10] cleanup --- source/auth/tests/mongodb-oidc.md | 4 ++-- source/auth/tests/unified/mongodb-oidc-no-retry.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index 654305a0d2..1357aa7e38 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -27,7 +27,7 @@ configured with `retryReads=false`. > \[!NOTE\] > > For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point -> aOIDC_ENV to prevent interaction between test cases. +> callback to prevent interaction between test cases. Note that typically the preconfigured Atlas Dev clusters are used for testing, in Evergreen and locally. The URIs can be fetched from the `drivers/oidc` Secrets vault, see 
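Review bot: The repaired note text is still wrong: the removed line in patch 01 shows the original wording was "after the test to prevent interaction between test cases", and "remove the fail point callback" changes the meaning, since the instruction is about when the fail point is removed and there is no fail-point callback. The line should be restored as `> after the test to prevent interaction between test cases.`. The heading repair in the next hunk (@@ -36) has the same problem: `### Callback Authentication` drops the "(1)" number and the "OIDC" qualifier of the original `### (1) OIDC Callback Authentication`, while the sibling headings "(3) Authentication Failure" and "(4) Reauthentication" visible in patch 02 keep their numbers.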
@@ -36,7 +36,7 @@ Use `OIDC_ATLAS_URI_SINGLE` for the `MONGODB_URI`. If using local servers is pre [Local Testing](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md#local-testing) method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. -###OIDC_ENVlback Authentication +### Callback Authentication **1.1 Callback is called during authentication** diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml index 9c875cb280..b4bce30f8b 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml @@ -15,8 +15,8 @@ createEntities: authMechanism: "MONGODB-OIDC" # The $$placeholder document should be replaced by auth mechanism # properties that enable OIDC auth on the target cloud platform. For - # example, when running the test on AWS, replace the $$placeholder - # document with {"OIDC_ENV": "aws"}. + # example, when running the test on EC2, replace the $$placeholder + # document with {"OIDC_ENV": "test"}. authMechanismProperties: { $$placeholder: 1 } retryReads: false retryWrites: false From 81f4bf850a01f269a4bd2aa64fe8993660cda493 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Mar 2024 07:32:41 -0600 Subject: [PATCH 07/10] cleanup --- source/auth/auth.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index eb40c84657..f0c9ae76b8 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md 
@@ -1254,13 +1254,13 @@ Drivers MUST support all of the following built-in OIDC application environment ####### Test -The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is not meant to be documented as -a user-facing feature, but used for testing purposes, with the self-generated token created by the script in Drivers -Evergreen Tools. +The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is meant for driver testing +purposes, and is not meant to be documented as a user-facing feature. -If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the -OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the -`saslStart` payload. +If enabled, drivers MUST generate a token using the script in Drivers-Evergreen-Tools. The must then set the +`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable to the path to that file. At runtime, the driver MUST use the +`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver MUST use +the contents of that file as value in the `jwt` field of the `saslStart` payload. Drivers MAY implement the "test" integration so that it conforms to the function signature of the [OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests. From 5a65c63eb2d64fd8cfc41202b6b32f0107192b16 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 11 Mar 2024 20:57:01 -0500 Subject: [PATCH 08/10] address review --- source/auth/auth.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index f0c9ae76b8..12456977c9 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md 
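Review bot: `The must then set the` has lost its subject, and the preceding sentence assigns token generation to "drivers" with a MUST, although generating the token and exporting the variable is a test-harness setup step rather than something driver code does at runtime. Suggest `If enabled, the test harness MUST generate a token using the script in Drivers-Evergreen-Tools and set the AWS_WEB_IDENTITY_TOKEN_FILE environment variable to the path of that file.` followed by the existing "At runtime, the driver MUST …" sentence. The same "The must" wording is carried into the rewrite of this paragraph in patch 08 (@@ -1254).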
@@ -1215,9 +1215,9 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall - mechanism_properties - - OIDC_ENV\ - Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to - use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an + - ENVIRONMENT\ + Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration + to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error. 
@@ -1254,13 +1254,14 @@ Drivers MUST support all of the following built-in OIDC application environment ####### Test -The test integration is enabled by setting auth mechanism property `OIDC_ENV:test`. It is meant for driver testing +The test integration is enabled by setting auth mechanism property `ENVIRONMENT:test`. It is meant for driver testing purposes, and is not meant to be documented as a user-facing feature. -If enabled, drivers MUST generate a token using the script in Drivers-Evergreen-Tools. The must then set the -`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable to the path to that file. At runtime, the driver MUST use the -`AWS_WEB_IDENTITY_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver MUST use -the contents of that file as value in the `jwt` field of the `saslStart` payload. +If enabled, drivers MUST generate a token using a script in the `auth_oidc` +[folder](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/master/.evergreen/auth_oidc#readme) in Drivers +Evergreen Tools. The must then set the `OIDC_TOKEN_FILE` environment variable to the path to that file. At runtime, the +driver MUST use the `OIDC_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver +MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload. Drivers MAY implement the "test" integration so that it conforms to the function signature of the [OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests. From 08e8705941b84c7837fdbf97f1d946e43553a167 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Mon, 11 Mar 2024 21:30:42 -0500 Subject: [PATCH 09/10] more cleanup --- source/auth/auth.md | 2 +- source/auth/tests/legacy/connection-string.json | 14 +++++++------- source/auth/tests/legacy/connection-string.yml | 14 +++++++------- source/auth/tests/mongodb-oidc.md | 12 ++++++------ .../auth/tests/unified/mongodb-oidc-no-retry.yml | 2 +- source/unified-test-format/unified-test-format.md | 2 +- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 12456977c9..76e298d8ab 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1217,7 +1217,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall - ENVIRONMENT\ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration - to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `OIDC_ENV` and an + to use to obtain credentials. If provided, the value MUST be one of `["test"]`. If both `ENVIRONMENT` and an [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error. diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 53bd0392cd..a5f3c7e085 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -483,7 +483,7 @@ }, { "description": "should recognise the mechanism with test integration (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test", "valid": true, "credential": { "username": null, 
@@ -491,13 +491,13 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "OIDC_ENV": "test" + "ENVIRONMENT": "test" } } }, { "description": "should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=ENVIRONMENT:test", "valid": true, "credential": { "username": null, @@ -505,25 +505,25 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "OIDC_ENV": "test" + "ENVIRONMENT": "test" } } }, { "description": "should throw an exception if supplied a password (MONGODB-OIDC)", - "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test", "valid": false, "credential": null }, { "description": "should throw an exception if username is specified for test (MONGODB-OIDC)", - "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test", + "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test", "valid": false, "credential": null }, { "description": "should throw an exception if specified environment is not supported (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:invalid", "valid": false, "credential": null }, diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index 51dab25860..8c3d46d01a 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml 
@@ -351,7 +351,7 @@ tests: mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ - description: should recognise the mechanism with test environment (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test valid: true credential: username: @@ -359,9 +359,9 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - OIDC_ENV: test + ENVIRONMENT: test - description: should recognise the mechanism when auth source is explicitly specified and with environment (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:test + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=ENVIRONMENT:test valid: true credential: username: 
@@ -369,17 +369,17 @@ tests: source: "$external" mechanism: MONGODB-OIDC mechanism_properties: - OIDC_ENV: test + ENVIRONMENT: test - description: should throw an exception if supplied a password (MONGODB-OIDC) - uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:test + uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test valid: false credential: - description: should throw an exception if username is specified for aws (MONGODB-OIDC) - uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:test + uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test valid: false credential: - description: should throw an exception if specified environment is not supported (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:invalid valid: false credential: - description: should throw an exception if neither environment nor callbacks specified (MONGODB-OIDC) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index 1357aa7e38..9c059c8201 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -14,7 +14,7 @@ For example, if the selected AWS profile ID is "drivers-test", run: aws configure sso export OIDC_TOKEN_DIR=/tmp/tokens AWS_PROFILE="drivers-test" oidc_get_tokens.sh -AWS_WEB_IDENTITY_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command +OIDC_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1" /my/test/command ``` ______________________________________________________________________ 
@@ -40,14 +40,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. **1.1 Callback is called during authentication** -- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic. - Perform a `find` operation that succeeds. - Assert that the callback was called 1 time. - Close the client. **1.2 Callback is called once for multiple connections** -- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic. - Start 10 threads and run 100 `find` operations in each thread that all succeed. - Assert that the callback was called 1 time. - Close the client. @@ -76,14 +76,14 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. **2.4 Invalid Client Configuration with Callback** -- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `OIDC_ENV:test`. +- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `ENVIRONMENT:test`. - Assert it returns a client configuration error. ### (3) Authentication Failure **3.1 Authentication failure with cached tokens fetch a new token and retry auth** -- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic. - Poison the *Client Cache* with an invalid access token. - Perform a `find` operation that succeeds. - Assert that the callback was called 1 time. 
@@ -98,7 +98,7 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`. ### (4) Reauthentication -- Create a `MongoClient` configured with an OIDC callback that implements the `OIDC_ENV:test` logic. +- Create a `MongoClient` configured with an OIDC callback that implements the `ENVIRONMENT:test` logic. - Set a fail point for `find` commands of the form: ```javascript diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml index b4bce30f8b..8108acb501 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml @@ -16,7 +16,7 @@ createEntities: # The $$placeholder document should be replaced by auth mechanism # properties that enable OIDC auth on the target cloud platform. For # example, when running the test on EC2, replace the $$placeholder - # document with {"OIDC_ENV": "test"}. + # document with {"ENVIRONMENT": "test"}. authMechanismProperties: { $$placeholder: 1 } retryReads: false retryWrites: false diff --git a/source/unified-test-format/unified-test-format.md b/source/unified-test-format/unified-test-format.md index cad69a2c20..f3c2c02462 100644 --- a/source/unified-test-format/unified-test-format.md +++ b/source/unified-test-format/unified-test-format.md @@ -422,7 +422,7 @@ The structure of this object is as follows: uriOptions: authMechanism: "MONGODB-OIDC" authMechanismProperties: - OIDC_ENV: { $$placeholder: 1 } + ENVIRONMENT: { $$placeholder: 1 } ```
From 55d5c1e94ab223207c3daf0983c1f5f7c7fc58d0 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 19 Mar 2024 20:06:45 -0500 Subject: [PATCH 10/10] fix header --- source/auth/auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 76e298d8ab..3ba9cc9326 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1252,7 +1252,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall Drivers MUST support all of the following built-in OIDC application environment integrations. -####### Test +**Test** The test integration is enabled by setting auth mechanism property `ENVIRONMENT:test`. It is meant for driver testing purposes, and is not meant to be documented as a user-facing feature.