feat(NODE-5035): enable OIDC authentication (#3577)

mongodb · Mar 3, 2023 · 35879f6 · 35879f6
1 parent 9f32721
commit 35879f6
Show file tree

Hide file tree

Showing 23 changed files with 1,847 additions and 659 deletions.
diff --git a/.evergreen/config.in.yml b/.evergreen/config.in.yml
@@ -106,11 +106,6 @@ functions:
         shell: bash
         script: |
           ${PREPARE_SHELL}
-
-          # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
-          rm -rf "${DRIVERS_TOOLS}"
-          git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
-
           cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
 
           # This is a bit confusing but the ec2.assume_role command before
@@ -121,9 +116,9 @@ functions:
           export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
           export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
           export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
-          export AWS_TOKEN_DIR=/tmp/tokens
+          export OIDC_TOKEN_DIR=/tmp/tokens
 
-          . ./activate_venv.sh
+          . ./activate-authoidcvenv.sh
           python oidc_write_orchestration.py
           python oidc_get_tokens.py
 
@@ -147,6 +142,7 @@ functions:
         script: |
           ${PREPARE_SHELL}
 
+          OIDC_TOKEN_DIR="/tmp/tokens" \
           AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
           PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
             bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -79,11 +79,6 @@ functions:
         shell: bash
         script: |
           ${PREPARE_SHELL}
-
-          # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
-          rm -rf "${DRIVERS_TOOLS}"
-          git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
-
           cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
 
           # This is a bit confusing but the ec2.assume_role command before
@@ -94,9 +89,9 @@ functions:
           export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
           export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
           export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
-          export AWS_TOKEN_DIR=/tmp/tokens
+          export OIDC_TOKEN_DIR=/tmp/tokens
 
-          . ./activate_venv.sh
+          . ./activate-authoidcvenv.sh
           python oidc_write_orchestration.py
           python oidc_get_tokens.py
   setup oidc roles:
@@ -118,6 +113,7 @@ functions:
         script: |
           ${PREPARE_SHELL}
 
+          OIDC_TOKEN_DIR="/tmp/tokens" \
           AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
           PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
             bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
@@ -1478,6 +1474,22 @@ tasks:
     commands:
       - func: install dependencies
       - func: run ldap tests
+  - name: test-auth-oidc
+    tags:
+      - latest
+      - replica_set
+      - oidc
+    commands:
+      - func: install dependencies
+      - func: bootstrap oidc
+      - func: bootstrap mongo-orchestration
+        vars:
+          VERSION: latest
+          TOPOLOGY: replica_set
+          AUTH: auth
+          ORCHESTRATION_FILE: auth-oidc.json
+      - func: setup oidc roles
+      - func: run oidc tests aws
   - name: test-socks5
     tags: []
     commands:
@@ -3137,6 +3149,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3186,6 +3199,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3233,6 +3247,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3279,6 +3294,7 @@ buildvariants:
       - test-6.0-load-balanced
       - test-latest-load-balanced
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5-csfle
       - test-socks5-tls
       - test-tls-support-latest

diff --git a/.evergreen/generate_evergreen_tasks.js b/.evergreen/generate_evergreen_tasks.js
@@ -100,27 +100,6 @@ BASE_TASKS.push({
   ]
 });
 
-// TODO(NODE-5035): Bring back when implementing.
-// {
-//   name: 'test-auth-oidc',
-//   tags: ['latest', 'replica_set', 'oidc'],
-//   commands: [
-//     { func: 'install dependencies' },
-//     { func: 'bootstrap oidc' },
-//     {
-//       func: 'bootstrap mongo-orchestration',
-//       vars: {
-//         VERSION: 'latest',
-//         TOPOLOGY: 'replica_set',
-//         AUTH: 'auth',
-//         ORCHESTRATION_FILE: 'auth-oidc.json'
-//       }
-//     },
-//     { func: 'setup oidc roles' },
-//     { func: 'run oidc tests aws' }
-//   ]
-// }
-
 // manually added tasks
 TASKS.push(
   ...[
@@ -204,6 +183,25 @@ TASKS.push(
       tags: ['auth', 'ldap'],
       commands: [{ func: 'install dependencies' }, { func: 'run ldap tests' }]
     },
+    {
+      name: 'test-auth-oidc',
+      tags: ['latest', 'replica_set', 'oidc'],
+      commands: [
+        { func: 'install dependencies' },
+        { func: 'bootstrap oidc' },
+        {
+          func: 'bootstrap mongo-orchestration',
+          vars: {
+            VERSION: 'latest',
+            TOPOLOGY: 'replica_set',
+            AUTH: 'auth',
+            ORCHESTRATION_FILE: 'auth-oidc.json'
+          }
+        },
+        { func: 'setup oidc roles' },
+        { func: 'run oidc tests aws' }
+      ]
+    },
     {
       name: 'test-socks5',
       tags: [],

diff --git a/.evergreen/setup-oidc-roles.sh b/.evergreen/setup-oidc-roles.sh
@@ -3,6 +3,6 @@ set -o errexit  # Exit the script with error if any of the commands fail
 set -o xtrace   # Write all commands first to stderr
 
 cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-. ./activate_venv.sh
+. ./activate-authoidcvenv.sh
 
 ${DRIVERS_TOOLS}/mongodb/bin/mongosh setup_oidc.js
diff --git a/package.json b/package.json
@@ -128,7 +128,7 @@
     "check:atlas": "mocha --config test/manual/mocharc.json test/manual/atlas_connectivity.test.js",
     "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing",
     "check:aws": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts",
-    "check:oidc": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.test.ts",
+    "check:oidc": "mocha --config test/manual/mocharc.json test/manual/mongodb_oidc.prose.test.ts",
     "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
     "check:kerberos": "mocha --config test/manual/mocharc.json test/manual/kerberos.test.js",
     "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.js",

diff --git a/src/cmap/auth/mongo_credentials.ts b/src/cmap/auth/mongo_credentials.ts
@@ -30,25 +30,16 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
-/**
- * TODO: NODE-5035: Make OIDC properties public.
- *
- * @public
- * */
+/** @public */
 export interface AuthMechanismProperties extends Document {
   SERVICE_HOST?: string;
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
   AWS_SESSION_TOKEN?: string;
-  /** @internal Name for the OIDC device workflow */
-  DEVICE_NAME?: 'aws' | 'azure' | 'gcp';
-  /** @internal Similar to a username, is require by OIDC when more than one IDP is configured. */
-  PRINCIPAL_NAME?: string;
-  /** @internal User provided callback to get OIDC auth credentials */
   REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
-  /** @internal User provided callback to refresh OIDC auth credentials */
   REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
+  PROVIDER_NAME?: 'aws';
 }
 
 /** @public */
@@ -155,21 +146,18 @@ export class MongoCredentials {
     }
 
     if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
-      if (this.username) {
+      if (this.username && this.mechanismProperties.PROVIDER_NAME) {
         throw new MongoInvalidArgumentError(
-          `Username not permitted for mechanism '${this.mechanism}'. Use PRINCIPAL_NAME instead.`
+          `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
         );
       }
 
-      if (this.mechanismProperties.PRINCIPAL_NAME && this.mechanismProperties.DEVICE_NAME) {
-        throw new MongoInvalidArgumentError(
-          `PRINCIPAL_NAME and DEVICE_NAME may not be used together for mechanism '${this.mechanism}'.`
-        );
-      }
-
-      if (this.mechanismProperties.DEVICE_NAME && this.mechanismProperties.DEVICE_NAME !== 'aws') {
+      if (
+        this.mechanismProperties.PROVIDER_NAME &&
+        this.mechanismProperties.PROVIDER_NAME !== 'aws'
+      ) {
         throw new MongoInvalidArgumentError(
-          `Currently only a DEVICE_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
+          `Currently only a PROVIDER_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
         );
       }
 
@@ -183,11 +171,11 @@ export class MongoCredentials {
       }
 
       if (
-        !this.mechanismProperties.DEVICE_NAME &&
+        !this.mechanismProperties.PROVIDER_NAME &&
         !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
       ) {
         throw new MongoInvalidArgumentError(
-          `Either a DEVICE_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+          `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
     }