feat(NODE-5191): OIDC Auth Updates #3637
@@ -1,16 +1,31 @@ | |||
import { Binary, BSON, type Document } from 'bson'; |
Note to reviewers. This file is probably better off reviewing as a whole instead of looking at the diff. The entire class is pretty much refactored to separate the request/refresh function logic when dealing with the token cache and the actual saslStart/saslContinue commands sent to the server. It made more sense to separate them than to have them intertwined - I think the result is easier to understand.
Locking looks good! 🚀
@@ -73,19 +81,10 @@ export class MongoDBOIDC extends AuthProvider { | |||
* Authenticate using OIDC | |||
*/ | |||
override async auth(authContext: AuthContext): Promise<void> { | |||
const { connection, credentials, response, reauthenticating } = authContext; | |||
|
|||
if (response?.speculativeAuthenticate) { |
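Review bot: `reauthenticating` is destructured from the context alongside `response` in this hunk, but the `response?.speculativeAuthenticate` branch that follows is the only visible consumer of the speculative response; since the author's note says speculative auth now lives in the workflows, confirm that this branch is either removed or hands the speculative response to the workflow, so that a speculative result is not dropped on the reauthentication path.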
Speculative auth is implemented in the workflows.
/** | ||
* A cache of request and refresh callbacks per server/user. | ||
*/ | ||
export class CallbackLockCache { |
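Review bot: the class doc comment ("A cache of request and refresh callbacks per server/user") should also state the lifetime of entries. The author's note says the callbacks have no expiration, so this map grows by one entry per distinct server/user/callback combination for the life of the client and is never evicted; document that explicitly, or tie entry removal to the corresponding token-cache entry, so the unbounded growth is a deliberate choice rather than a surprise.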
This cache is now responsible for the hashing of the request and refresh functions, which is also then used by the TokenEntryCache. It also is responsible for wrapping the callbacks in a lock and storing them by the same cache key as the token results in the other cache. Main reasoning for not storing these in the other cache and creating a new one is that the callback functions have no expiration.
/** | ||
* Ensure the callback is only executed one at a time. | ||
*/ | ||
function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) { |
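Review bot: for a lock built by chaining onto the previous promise, two failure modes need to be visible in this function's doc comment or its body: a rejected callback must not poison the chain for every later caller (the retained tail promise needs its own `.catch`, while the caller still sees the rejection), and a callback that never settles blocks all subsequent callers on that key indefinitely, so consider whether the request/refresh timeout is enforced inside the lock or by the caller.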
This ensures a request or refresh function cannot be entered simultaneously by different code paths, by chaining on to the end of each previous promise. Inspired by those clever dev tools folks: https://github.com/mongodb-js/oidc-plugin/blob/ca6bb4fdddabfd651ea2d544b2f9bdcf2095fe71/src/util.ts#L62-L80
/** | ||
* Get the hash string for the request and refresh functions. | ||
*/ | ||
function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string { |
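Review bot: the doc comment ("Get the hash string for the request and refresh functions") should say what is actually hashed, because that determines the cache semantics. If the hash is over the functions' source text, two distinct closures with identical source but different captured state (for example, different credentials held in closure scope) collide and then share one lock and one token entry; if that is acceptable, state it here, otherwise key on function identity as well.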
This is the same as before, just moved to this cache impl from the other.
@@ -3,6 +3,9 @@ import { readFile } from 'fs/promises'; | |||
import { MongoAWSError } from '../../../error'; | |||
import { ServiceWorkflow } from './service_workflow'; | |||
|
|||
/** Error for when the token is missing in the environment. */ | |||
const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.'; |
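Review bot: the doc comment on `TOKEN_MISSING_ERROR` calls it an "Error for when the token is missing in the environment", but the constant is a message string, not an error; reword it to "Error message ...". Also, this file imports `readFile` and `MongoAWSError`, so the case where `AWS_WEB_IDENTITY_TOKEN_FILE` is set but the file cannot be read or is empty should not reuse this message, which would send an operator looking at the environment variable instead of the file.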
This and other string constants are just a simple refactoring of any non-interpolated string into a constant.
Just username and sleep outstanding comments.
Patch on latest commit without all the other clutter: https://spruce.mongodb.com/version/6452c353a4cf47cc42d9b7f5/tasks?sorts=STATUS%3AASC%3BBASE_STATUS%3ADESC
Description
Updates OIDC implementation to the latest changes in mongodb/specifications#1381
What is changing?
- ALLOWED_HOSTS validation for connections using callback workflows.
- OIDCMechanismServerStep1 becomes IdPServerInfo, removing endpoint fields.
- OIDCRequestTokenResult becomes IdPServerResponse.
- OIDCCallbackContext created to pass to the request and refresh callbacks.
- CallbackWorkflow is refactored to split behaviour around server commands and callbacks.
- CallbackLockCache implements the locking of callbacks and function hashing.
- TokenResultCache is simplified and is passed function hashes.
Is there new documentation needed for these changes?
None, this is still considered public preview, not stable.
What is the motivation for this change?
NODE-5191/DRIVERS-2415
mongodb/specifications#1381
Double check the following
- npm run check:lint script
- type(NODE-xxxx)[!]: description
- feat(NODE-1234)!: rewriting everything in coffeescript