mongodb · katcharov · Apr 29, 2024 · Apr 19, 2024 · Apr 22, 2024 · Apr 23, 2024
diff --git a/.evergreen/.evg.yml b/.evergreen/.evg.yml
@@ -12,9 +12,8 @@ stepback: true
 # Actual testing tasks are marked with `type: test`
 command_type: system
 
-# Protect ourself against rogue test case, or curl gone wild, that runs forever
-# 12 minutes is the longest we'll ever run
-exec_timeout_secs: 3600 # 12 minutes is the longest we'll ever run
+# Protect ourselves against rogue test case, or curl gone wild, that runs forever
+exec_timeout_secs: 3600
 
 # What to do when evergreen hits the timeout (`post:` tasks are run automatically)
 timeout:
@@ -968,6 +967,58 @@ tasks:
  - func: "run load-balancer"
  - func: "run load-balancer tests"
 
+ - name: "oidc-auth-test-latest"
+ commands:
+ - command: subprocess.exec
+ type: test
+ params:
+ working_dir: "src"
+ binary: bash
+ include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+ args:
+ - .evergreen/run-mongodb-oidc-test.sh
+
+ - name: "oidc-auth-test-azure-latest"
+ commands:
+ - command: shell.exec
+ params:
+ shell: bash
+ env:
+ JAVA_HOME: ${JAVA_HOME}
+ script: |-
+ set -o errexit
+ ${PREPARE_SHELL}
+ cd src
+ git add .
+ git commit -m "add files"
+ # uncompressed tar used to allow appending .git folder
+ export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-java-driver.tar
+ git archive -o $AZUREOIDC_DRIVERS_TAR_FILE HEAD
+ tar -rf $AZUREOIDC_DRIVERS_TAR_FILE .git
+ export AZUREOIDC_TEST_CMD="OIDC_ENV=azure ./.evergreen/run-mongodb-oidc-test.sh"
+ bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
+
+ - name: "oidc-auth-test-gcp-latest"
+ commands:
+ - command: shell.exec
+ params:
+ shell: bash
+ script: |-
+ set -o errexit
+ ${PREPARE_SHELL}
+ cd src
+ git add .
+ git commit -m "add files"
+ # uncompressed tar used to allow appending .git folder
+ export GCPOIDC_DRIVERS_TAR_FILE=/tmp/mongo-java-driver.tar
+ git archive -o $GCPOIDC_DRIVERS_TAR_FILE HEAD
+ tar -rf $GCPOIDC_DRIVERS_TAR_FILE .git
+ # Define the command to run on the VM.
+ # Ensure that we source the environment file created for us, set up any other variables we need,
+ # and then run our test suite on the vm.
+ export GCPOIDC_TEST_CMD="OIDC_ENV=gcp ./.evergreen/run-mongodb-oidc-test.sh"
+ bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh
+
  - name: serverless-test
  commands:
  - func: "run serverless"
@@ -2065,6 +2116,78 @@ task_groups:
  tasks:
  - test-aws-lambda-deployed
 
+ - name: testoidc_task_group
+ setup_group:
+ - func: fetch source
+ - func: prepare resources
+ - func: fix absolute paths
+ - command: ec2.assume_role
+ params:
+ role_arn: ${aws_test_secrets_role}
+ - command: subprocess.exec
+ params:
+ binary: bash
+ include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+ teardown_task:
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/teardown.sh
+ setup_group_can_fail_task: true
+ setup_group_timeout_secs: 1800
+ tasks:
+ - oidc-auth-test-latest
+
+ - name: testazureoidc_task_group
+ setup_group:
+ - func: fetch source
+ - func: prepare resources
+ - func: fix absolute paths
+ - command: subprocess.exec
+ params:
+ binary: bash
+ env:
+ AZUREOIDC_VMNAME_PREFIX: "JAVA_DRIVER"
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+ teardown_task:
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/delete-vm.sh
+ setup_group_can_fail_task: true
+ setup_group_timeout_secs: 1800
+ tasks:
+ - oidc-auth-test-azure-latest
+
+ - name: testgcpoidc_task_group
+ setup_group:
+ - func: fetch source
+ - func: prepare resources
+ - func: fix absolute paths
+ - command: subprocess.exec
+ params:
+ binary: bash
+ env:
+ GCPOIDC_VMNAME_PREFIX: "JAVA_DRIVER"
+ GCPKMS_MACHINETYPE: "e2-medium" # comparable elapsed time to Azure; default was starved, caused timeouts
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/setup.sh
+ teardown_task:
+ - command: subprocess.exec
+ params:
+ binary: bash
+ args:
+ - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/teardown.sh
+ setup_group_can_fail_task: true
+ setup_group_timeout_secs: 1800
+ tasks:
+ - oidc-auth-test-gcp-latest
+
 buildvariants:
 
 # Test packaging and other release related routines
@@ -2216,6 +2339,27 @@ buildvariants:
  tasks:
  - name: "test_atlas_task_group_search_indexes"
 
+- name: "oidc-auth-test"
+ display_name: "OIDC Auth"
+ run_on: ubuntu2204-small
+ tasks:
+ - name: testoidc_task_group
+ batchtime: 20160 # 14 days
+
+- name: testazureoidc-variant
+ display_name: "OIDC Auth Azure"
+ run_on: ubuntu2204-small
+ tasks:
+ - name: testazureoidc_task_group
+ batchtime: 20160 # 14 days
+
+- name: testgcpoidc-variant
+ display_name: "OIDC Auth GCP"
+ run_on: ubuntu2204-small
+ tasks:
+ - name: testgcpoidc_task_group
+ batchtime: 20160 # 14 days
+
 - matrix_name: "aws-auth-test"
  matrix_spec: { ssl: "nossl", jdk: ["jdk8", "jdk17", "jdk21"], version: ["4.4", "5.0", "6.0", "7.0", "latest"], os: "ubuntu",
  aws-credential-provider: "*" }

diff --git a/.evergreen/run-mongodb-oidc-test.sh b/.evergreen/run-mongodb-oidc-test.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set +x # Disable debug trace
+set -eu
+
+echo "Running MONGODB-OIDC authentication tests"
+
+OIDC_ENV=${OIDC_ENV:-"test"}
+
+echo "OIDC_ENV $OIDC_ENV"
+
+if [ $OIDC_ENV == "test" ]; then
+ if [ -z "$DRIVERS_TOOLS" ]; then
+ echo "Must specify DRIVERS_TOOLS"
+ exit 1
+ fi
+ source ${DRIVERS_TOOLS}/.evergreen/auth_oidc/secrets-export.sh
+ # java will not need to be installed, but we need to config
+ RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE:-$0}")"
+ source "${RELATIVE_DIR_PATH}/javaConfig.bash"
+elif [ $OIDC_ENV == "azure" ]; then
+ source ./env.sh
+elif [ $OIDC_ENV == "gcp" ]; then
+ source ./secrets-export.sh
+else
+ echo "Unrecognized OIDC_ENV $OIDC_ENV"
+ exit 1
+fi
+
+
+if ! which java ; then
+ echo "Installing java..."
+ sudo apt install openjdk-17-jdk -y
+ echo "Installed java."
+fi
+
+which java
+export OIDC_TESTS_ENABLED=true
+export OIDC_ENV="$OIDC_ENV" # read by tests
+
+# use admin credentials for tests
+TO_REPLACE="mongodb://"
+REPLACEMENT="mongodb://$OIDC_ADMIN_USER:$OIDC_ADMIN_PWD@"
+ADMIN_URI=${MONGODB_URI/$TO_REPLACE/$REPLACEMENT}
+
+./gradlew -Dorg.mongodb.test.uri="$ADMIN_URI" \
+ --stacktrace --debug --info --no-build-cache driver-core:cleanTest \
+ driver-sync:test --tests OidcAuthenticationProseTests --tests UnifiedAuthTest \
+ driver-reactive-streams:test --tests OidcAuthenticationAsyncProseTests \
diff --git a/driver-core/src/main/com/mongodb/ConnectionString.java b/driver-core/src/main/com/mongodb/ConnectionString.java
@@ -916,7 +916,7 @@ private MongoCredential createCredentials(final Map<String, List<String>> option
 
  if (credential != null && authMechanismProperties != null) {
  for (String part : authMechanismProperties.split(",")) {
- String[] mechanismPropertyKeyValue = part.split(":");
+ String[] mechanismPropertyKeyValue = part.split(":", 2);
  if (mechanismPropertyKeyValue.length != 2) {
  throw new IllegalArgumentException(format("The connection string contains invalid authentication properties. "
  + "'%s' is not a key value pair", part));