ALLOWED_HOSTS validation, 1 minute machine timeout (#1380) (#1417)

JAVA-5350 # Conflicts: # driver-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
mongodb · Jun 11, 2024 · 0d30c64 · 0d30c64
1 parent 90a7e17
commit 0d30c64
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 10 deletions.
diff --git a/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java b/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
@@ -85,7 +85,8 @@ public final class OidcAuthenticator extends SaslAuthenticator {
     private static final List<String> ALLOWS_USERNAME = Arrays.asList(
             AZURE_ENVIRONMENT);
 
-    private static final Duration CALLBACK_TIMEOUT = Duration.ofMinutes(5);
+    private static final Duration CALLBACK_TIMEOUT = Duration.ofMinutes(1);
+    private static final Duration HUMAN_CALLBACK_TIMEOUT = Duration.ofMinutes(5);
 
     public static final String OIDC_TOKEN_FILE = "OIDC_TOKEN_FILE";
 
@@ -112,6 +113,10 @@ public OidcAuthenticator(final MongoCredentialWithCache credential,
         }
     }
 
+    private Duration getCallbackTimeout() {
+        return isHumanCallback() ? HUMAN_CALLBACK_TIMEOUT : CALLBACK_TIMEOUT;
+    }
+
     @Override
     public String getMechanismName() {
         return MONGODB_OIDC.getMechanismName();
@@ -306,7 +311,7 @@ private byte[] evaluate(final byte[] challenge) {
                 // Invoke Callback using cached Refresh Token
                 fallbackState = FallbackState.PHASE_2_REFRESH_CALLBACK_TOKEN;
                 OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                        CALLBACK_TIMEOUT, cachedIdpInfo, cachedRefreshToken, userName));
+                        getCallbackTimeout(), cachedIdpInfo, cachedRefreshToken, userName));
                 jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(cachedIdpInfo, result);
             } else {
                 // cache is empty
@@ -315,7 +320,7 @@ private byte[] evaluate(final byte[] challenge) {
                     // no principal request
                     fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                     OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                            CALLBACK_TIMEOUT, userName));
+                            getCallbackTimeout(), userName));
                     jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(null, result);
                     if (result.getRefreshToken() != null) {
                         throw new MongoConfigurationException(
@@ -345,7 +350,7 @@ private byte[] evaluate(final byte[] challenge) {
                         // there is no cached refresh token
                         fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                         OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                                CALLBACK_TIMEOUT, idpInfo, null, userName));
+                                getCallbackTimeout(), idpInfo, null, userName));
                         jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(idpInfo, result);
                     }
                 }
@@ -606,6 +611,11 @@ public static void validateBeforeUse(final MongoCredential credential) {
             Object environmentName = credential.getMechanismProperty(ENVIRONMENT_KEY, null);
             Object machineCallback = credential.getMechanismProperty(OIDC_CALLBACK_KEY, null);
             Object humanCallback = credential.getMechanismProperty(OIDC_HUMAN_CALLBACK_KEY, null);
+            boolean allowedHostsIsSet = credential.getMechanismProperty(ALLOWED_HOSTS_KEY, null) != null;
+            if (humanCallback == null && allowedHostsIsSet) {
+                throw new IllegalArgumentException(ALLOWED_HOSTS_KEY + " must be specified only when "
+                        + OIDC_HUMAN_CALLBACK_KEY + " is specified");
+            }
             if (environmentName == null) {
                 // callback
                 if (machineCallback == null && humanCallback == null) {

diff --git a/driver-core/src/test/resources/unified-test-format/auth/mongodb-oidc-no-retry.json b/driver-core/src/test/resources/unified-test-format/auth/mongodb-oidc-no-retry.json
@@ -5,7 +5,8 @@
     {
       "minServerVersion": "7.0",
       "auth": true,
-      "authMechanism": "MONGODB-OIDC"
+      "authMechanism": "MONGODB-OIDC",
+      "serverless": "forbid"
     }
   ],
   "createEntities": [

diff --git a/...ync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java b/...ync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
@@ -96,15 +96,15 @@ private void assumeTestEnvironment() {
     }
 
     protected static String getOidcUri() {
-        return getenv("MONGODB_URI_SINGLE");
+        return assertNotNull(getenv("MONGODB_URI_SINGLE"));
     }
 
     private static String getOidcUriMulti() {
-        return getenv("MONGODB_URI_MULTI");
+        return assertNotNull(getenv("MONGODB_URI_MULTI"));
     }
 
     private static String getOidcEnv() {
-        return getenv("OIDC_ENV");
+        return assertNotNull(getenv("OIDC_ENV"));
     }
 
     private static void assumeAzure() {
@@ -179,13 +179,13 @@ public void test1p2CallbackCalledOnceForMultipleConnections() {
 
     @Test
     public void test2p1ValidCallbackInputs() {
-        Duration expectedSeconds = Duration.ofMinutes(5);
+        Duration expectedTimeoutDuration = Duration.ofMinutes(1);
 
         TestCallback callback1 = createCallback();
         // #. Verify that the request callback was called with the appropriate
         //    inputs, including the timeout parameter if possible.
         OidcCallback callback2 = (context) -> {
-            assertEquals(expectedSeconds, context.getTimeout());
+            assertEquals(expectedTimeoutDuration, context.getTimeout());
             return callback1.onRequest(context);
         };
         MongoClientSettings clientSettings = createSettings(callback2);