feat(NODE-5035): enable OIDC authentication (#3577)

Author: durran

.evergreen/config.in.yml

@@ -106,11 +106,6 @@ functions:
  shell: bash
  script: |
  ${PREPARE_SHELL}
-
- # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
- rm -rf "${DRIVERS_TOOLS}"
- git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
-
  cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
 
  # This is a bit confusing but the ec2.assume_role command before
@@ -121,9 +116,9 @@ functions:
  export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
  export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
  export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
- export AWS_TOKEN_DIR=/tmp/tokens
+ export OIDC_TOKEN_DIR=/tmp/tokens
 
- . ./activate_venv.sh
+ . ./activate-authoidcvenv.sh
  python oidc_write_orchestration.py
  python oidc_get_tokens.py
 
@@ -147,6 +142,7 @@ functions:
  script: |
  ${PREPARE_SHELL}
 
+ OIDC_TOKEN_DIR="/tmp/tokens" \
  AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
  PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
  bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh

.evergreen/config.yml

@@ -79,11 +79,6 @@ functions:
  shell: bash
  script: |
  ${PREPARE_SHELL}
-
- # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
- rm -rf "${DRIVERS_TOOLS}"
- git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
-
  cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
 
  # This is a bit confusing but the ec2.assume_role command before
@@ -94,9 +89,9 @@ functions:
  export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
  export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
  export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
- export AWS_TOKEN_DIR=/tmp/tokens
+ export OIDC_TOKEN_DIR=/tmp/tokens
 
- . ./activate_venv.sh
+ . ./activate-authoidcvenv.sh
  python oidc_write_orchestration.py
  python oidc_get_tokens.py
  setup oidc roles:
@@ -118,6 +113,7 @@ functions:
  script: |
  ${PREPARE_SHELL}
 
+ OIDC_TOKEN_DIR="/tmp/tokens" \
  AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
  PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
  bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
@@ -1478,6 +1474,22 @@ tasks:
  commands:
  - func: install dependencies
  - func: run ldap tests
+ - name: test-auth-oidc
+ tags:
+ - latest
+ - replica_set
+ - oidc
+ commands:
+ - func: install dependencies
+ - func: bootstrap oidc
+ - func: bootstrap mongo-orchestration
+ vars:
+ VERSION: latest
+ TOPOLOGY: replica_set
+ AUTH: auth
+ ORCHESTRATION_FILE: auth-oidc.json
+ - func: setup oidc roles
+ - func: run oidc tests aws
  - name: test-socks5
  tags: []
  commands:
@@ -3137,6 +3149,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3186,6 +3199,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3233,6 +3247,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3279,6 +3294,7 @@ buildvariants:
  - test-6.0-load-balanced
  - test-latest-load-balanced
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5-csfle
  - test-socks5-tls
  - test-tls-support-latest

.evergreen/generate_evergreen_tasks.js

@@ -100,27 +100,6 @@ BASE_TASKS.push({
  ]
 });
 
-// TODO(NODE-5035): Bring back when implementing.
-// {
-// name: 'test-auth-oidc',
-// tags: ['latest', 'replica_set', 'oidc'],
-// commands: [
-// { func: 'install dependencies' },
-// { func: 'bootstrap oidc' },
-// {
-// func: 'bootstrap mongo-orchestration',
-// vars: {
-// VERSION: 'latest',
-// TOPOLOGY: 'replica_set',
-// AUTH: 'auth',
-// ORCHESTRATION_FILE: 'auth-oidc.json'
-// }
-// },
-// { func: 'setup oidc roles' },
-// { func: 'run oidc tests aws' }
-// ]
-// }
-
 // manually added tasks
 TASKS.push(
  ...[
@@ -204,6 +183,25 @@ TASKS.push(
  tags: ['auth', 'ldap'],
  commands: [{ func: 'install dependencies' }, { func: 'run ldap tests' }]
  },
+ {
+ name: 'test-auth-oidc',
+ tags: ['latest', 'replica_set', 'oidc'],
+ commands: [
+ { func: 'install dependencies' },
+ { func: 'bootstrap oidc' },
+ {
+ func: 'bootstrap mongo-orchestration',
+ vars: {
+ VERSION: 'latest',
+ TOPOLOGY: 'replica_set',
+ AUTH: 'auth',
+ ORCHESTRATION_FILE: 'auth-oidc.json'
+ }
+ },
+ { func: 'setup oidc roles' },
+ { func: 'run oidc tests aws' }
+ ]
+ },
  {
  name: 'test-socks5',
  tags: [],

.evergreen/setup-oidc-roles.sh

@@ -3,6 +3,6 @@ set -o errexit # Exit the script with error if any of the commands fail
 set -o xtrace # Write all commands first to stderr
 
 cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-. ./activate_venv.sh
+. ./activate-authoidcvenv.sh
 
 ${DRIVERS_TOOLS}/mongodb/bin/mongosh setup_oidc.js

package.json

@@ -128,7 +128,7 @@
  "check:atlas": "mocha --config test/manual/mocharc.json test/manual/atlas_connectivity.test.js",
  "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing",
  "check:aws": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts",
- "check:oidc": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.test.ts",
+ "check:oidc": "mocha --config test/manual/mocharc.json test/manual/mongodb_oidc.prose.test.ts",
  "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
  "check:kerberos": "mocha --config test/manual/mocharc.json test/manual/kerberos.test.js",
  "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.js",

src/cmap/auth/mongo_credentials.ts

@@ -30,25 +30,16 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {
  return AuthMechanism.MONGODB_CR;
 }
 
-/**
- * TODO: NODE-5035: Make OIDC properties public.
- *
- * @public
- * */
+/** @public */
 export interface AuthMechanismProperties extends Document {
  SERVICE_HOST?: string;
  SERVICE_NAME?: string;
  SERVICE_REALM?: string;
  CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
  AWS_SESSION_TOKEN?: string;
- /** @internal Name for the OIDC device workflow */
- DEVICE_NAME?: 'aws' | 'azure' | 'gcp';
- /** @internal Similar to a username, is require by OIDC when more than one IDP is configured. */
- PRINCIPAL_NAME?: string;
- /** @internal User provided callback to get OIDC auth credentials */
  REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
- /** @internal User provided callback to refresh OIDC auth credentials */
  REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
+ PROVIDER_NAME?: 'aws';
 }
 
 /** @public */
@@ -155,21 +146,18 @@ export class MongoCredentials {
  }
 
  if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
- if (this.username) {
+ if (this.username && this.mechanismProperties.PROVIDER_NAME) {
  throw new MongoInvalidArgumentError(
- `Username not permitted for mechanism '${this.mechanism}'. Use PRINCIPAL_NAME instead.`
+ `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
  );
  }
 
- if (this.mechanismProperties.PRINCIPAL_NAME && this.mechanismProperties.DEVICE_NAME) {
- throw new MongoInvalidArgumentError(
- `PRINCIPAL_NAME and DEVICE_NAME may not be used together for mechanism '${this.mechanism}'.`
- );
- }
-
- if (this.mechanismProperties.DEVICE_NAME && this.mechanismProperties.DEVICE_NAME !== 'aws') {
+ if (
+ this.mechanismProperties.PROVIDER_NAME &&
+ this.mechanismProperties.PROVIDER_NAME !== 'aws'
+ ) {
  throw new MongoInvalidArgumentError(
- `Currently only a DEVICE_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
+ `Currently only a PROVIDER_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
  );
  }
 
@@ -183,11 +171,11 @@ export class MongoCredentials {
  }
 
  if (
- !this.mechanismProperties.DEVICE_NAME &&
+ !this.mechanismProperties.PROVIDER_NAME &&
  !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
  ) {
  throw new MongoInvalidArgumentError(
- `Either a DEVICE_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+ `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
  );
  }
  }