OIDC Add remaining environments (azure, gcp), evergreen testing, API naming updates #1371
Conversation
| @@ -916,7 +916,7 @@ private MongoCredential createCredentials(final Map<String, List<String>> option | |||
|
|
|||
| if (credential != null && authMechanismProperties != null) { | |||
| for (String part : authMechanismProperties.split(",")) { | |||
| String[] mechanismPropertyKeyValue = part.split(":"); | |||
| String[] mechanismPropertyKeyValue = part.split(":", 2); | |||
There was a problem hiding this comment.
This ignores the second : (a test passes in a value that decodes to a string that includes :).
katcharov
force-pushed
the
JAVA-oidc-4395
branch
from
b277316
to
581ae2e
Compare
|
Rebased |
| @@ -69,11 +73,20 @@ | |||
| */ | |||
| public final class OidcAuthenticator extends SaslAuthenticator { | |||
|
|
|||
| private static final List<String> SUPPORTED_PROVIDERS = Arrays.asList("aws"); | |||
| private static final String TEST_ENVIRONMENT = "test"; | |||
There was a problem hiding this comment.
This is only used (enabled) in unified tests. The "Entities" class could instead check if this environment is set, and supply the test callback under OIDC_CALLBACK_KEY, which is a mild abuse of mechanism properties, but would avoid the (limited) code needed in the driver to support this.
| @@ -601,7 +601,7 @@ class ConnectionStringSpecification extends Specification { | |||
| new ConnectionString('mongodb://jeff@localhost/?' + | |||
| 'authMechanism=GSSAPI' + | |||
| '&authMechanismProperties=' + | |||
| 'SERVICE_NAME:foo:bar') | |||
| 'SERVICE_NAMEbar') // missing = | |||
There was a problem hiding this comment.
No spec was associated with the Jira ticket where this check was added. OIDC tests include a value with a second : (when decoded). Rather than remove, I replaced with a different invalidity check.
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Show resolved
Hide resolved
| @@ -2216,6 +2339,27 @@ buildvariants: | |||
| tasks: | |||
| - name: "test_atlas_task_group_search_indexes" | |||
|
|
|||
| - name: "oidc-auth-test" | |||
| display_name: "OIDC Auth" | |||
| run_on: ubuntu2204-small | |||
There was a problem hiding this comment.
We explicitly test on Windows and MacOS in PyMongo, but I'd consider that optional.
There was a problem hiding this comment.
All of our tests use linux/ubuntu as the os, so I took those out.
| public static OidcCallback getAzureCallback(final MongoCredential credential) { | ||
| return (context) -> { | ||
| String resource = assertNotNull(credential.getMechanismProperty(TOKEN_RESOURCE_KEY, null)); | ||
| String objectId = credential.getUserName(); |
There was a problem hiding this comment.
This is actually the clientId
There was a problem hiding this comment.
Hmm, my ensuing fetchAzure... call is calling:
public static CredentialInfo fetchAzureCredentialInfo(final String resource, @Nullable final String objectId) {
String endpoint = "http://169.254.169.254:80"
+ "/metadata/identity/oauth2/token?api-version=2018-02-01"
+ "&resource=" + resource
+ (objectId == null ? "" : "&object_id=" + objectId);
This must be incorrect, since the spec says to use:
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=<resource>&client_id=<client_id>
I'll update this, but why do the tests still pass, and was this changed from object_id?
There was a problem hiding this comment.
It was changed from object_id to align with the Azure SDK that uses client_id.
driver-core/src/main/com/mongodb/internal/authentication/GcpCredentialHelper.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/authentication/AzureCredentialHelper.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/authentication/CredentialInfo.java
Show resolved
Hide resolved
driver-sync/src/test/functional/com/mongodb/client/unified/Entities.java
Outdated
Show resolved
Hide resolved
driver-sync/src/test/functional/com/mongodb/client/unified/Entities.java
Outdated
Show resolved
Hide resolved
driver-sync/src/test/functional/com/mongodb/client/unified/Entities.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Valentin Kovalenko <valentin.male.kovalenko@gmail.com>
Co-authored-by: Valentin Kovalenko <valentin.male.kovalenko@gmail.com>
…ntialInfo.java Co-authored-by: Valentin Kovalenko <valentin.male.kovalenko@gmail.com>
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
Outdated
Show resolved
Hide resolved
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
driver-core/src/main/com/mongodb/internal/authentication/AzureCredentialHelper.java
Outdated
Show resolved
Hide resolved
driver-sync/src/test/functional/com/mongodb/client/unified/Entities.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Commits d856d84 and cc1c7ec in this PR take changes from mongodb/specifications#1569, which hasn't been approved and merged. Are we sure this is the way to go? I realize that we are short of time, but taking spec changes that are still work in progress (if this were not the case, they would have been merged) is not the right process, and we may end up having tests that have never been merged to the spec.
I would also expect that if there is time pressure on the driver, the same (even more, actually) should be true for the spec changes, because they have to go before the driver changes.
Maxim, if you have already confirmed this with Jeff, then OK. If not, then could you please confirm? (alternatively, I can do that)
There was a problem hiding this comment.
I agree that we should block merging of at least the OIDC feature PR on the approval and merging of that PR (and I have no issues with blocking this PR since nothing depends on it).
driver-core/src/test/unit/com/mongodb/ConnectionStringUnitTest.java
Outdated
Show resolved
Hide resolved
| // encoded tags will fail parsing with an "invalid read preference tag" | ||
| // error if decoding is skipped. | ||
| String encodedTags = encode("dc:ny,rack:1"); |
...r-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
Outdated
Show resolved
Hide resolved
…n/OidcAuthenticationProseTests.java Co-authored-by: Valentin Kovalenko <valentin.male.kovalenko@gmail.com>
* Implement OIDC SASL mechanism in sync (#1107) JAVA-4980 * Implement OIDC auth for async (#1131) JAVA-4981 * Remove non-machine workflow (#1259) JAVA-5077 * Add Human OIDC Workflow (#1316) JAVA-5328 * OIDC Add remaining environments (azure, gcp), evergreen testing, API naming updates (#1371) JAVA-5353 JAVA-5395 JAVA-4834 JAVA-4932 Co-authored-by: Valentin Kovalenko <valentin.kovalenko@mongodb.com>
JAVA-5353 API naming
JAVA-5395 Atlas testing
JAVA-4834 Azure
JAVA-4932 GCP