mongodb · mdbmes · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024
@@ -46,3 +46,4 @@ include:
   - filename: .evergreen/generated_configs/task_groups.yml
   - filename: .evergreen/generated_configs/tasks.yml
   - filename: .evergreen/generated_configs/variants.yml
+  - filename: .evergreen/example-config.yml
@@ -0,0 +1,60 @@
+# The following task can be run with the `evergreen` CLI as follows:
+#   evergreen patch --project=mongo-c-driver \
+#     --description="Run example-task" \
+#     --yes --finalize \
+#      -v example-variant -t example-task
+
+tasks:
+  - name: example-task
+    run_on: ubuntu2204-small
+    commands:
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |-
+          echo "Hello from example-task!"
+  - name: test-asan-sasl-openssl-ubuntu2204-clang-compile
+    run_on: ubuntu2204-large
+    commands:
+      - func: fetch-source
+      - func: sasl-cyrus-openssl-compile
+      - func: upload-build
+  - name: run-tests-task
+    run_on: ubuntu2204-small
+    depends_on: [{ name: test-asan-sasl-openssl-ubuntu2204-clang-compile }]
+    commands:
+      - func: fetch-build
+        vars:
+          BUILD_NAME: test-asan-sasl-openssl-ubuntu2204-clang-compile
+      - command: expansions.update
+        params:
+          updates:
+            - { key: CC, value: clang }
+            - { key: AUTH, value: auth }
+            - { key: OIDC, value: oidc }
+            - { key: MONGODB_VERSION, value: "latest" }
+            - { key: TOPOLOGY, value: replica_set }
+      - func: run-tests
+task_groups:
+  - name: testoidc_task_group
+    setup_group:
+      - func: fetch-det
+      - func: "assume ec2 role" # Get necessary AWS credentials
+      - command: subprocess.exec
+        params:
+          binary: bash
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          args:
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/setup.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - example-task
+      - test-asan-sasl-openssl-ubuntu2204-clang-compile
+      - run-tests-task
+
+buildvariants:
+  - name: example-variant
+    display_name: Example Variant
+    tasks:
+    - name: testoidc_task_group
@@ -728,6 +728,125 @@ functions:
         local_file: mongoc/mongoc-man-pages.html
         permissions: public-read
         remote_file: ${project}/man-pages/libmongoc/${CURRENT_VERSION}/index.html
+  "assume ec2 role":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+  "fetch source":
+    # Executes clone and applies the submitted patch, if any
+    - command: git.get_project
+      params:
+        directory: "src"
+    # Applies the submitted patch, if any
+    # Deprecated. Should be removed. But still needed for certain agents (ZAP)
+    - command: git.apply_patch
+    # Make an evergreen expansion file with dynamic values
+    - command: shell.exec
+      params:
+        working_dir: "src"
+        script: |
+           set +x
+           # Get the current unique version of this checkout
+           if [ "${is_patch}" = "true" ]; then
+              CURRENT_VERSION=$(git describe)-patch-${version_id}
+           else
+              CURRENT_VERSION=latest
+           fi
+
+           export DRIVERS_TOOLS="$(dirname $(pwd))/drivers-tools"
+           export PROJECT_DIRECTORY="$(pwd)"
+
+           # Python has cygwin path problems on Windows. Detect prospective mongo-orchestration home directory
+           if [ "Windows_NT" = "$OS" ]; then # Magic variable in cygwin
+              export DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS)
+              export PROJECT_DIRECTORY=$(cygpath -m $PROJECT_DIRECTORY)
+           fi
+
+           export MONGO_ORCHESTRATION_HOME="$DRIVERS_TOOLS/.evergreen/orchestration"
+           export MONGODB_BINARIES="$DRIVERS_TOOLS/mongodb/bin"
+           export UPLOAD_BUCKET="${project}"
+
+           cat <<EOT > expansion.yml
+           CURRENT_VERSION: "$CURRENT_VERSION"
+           DRIVERS_TOOLS: "$DRIVERS_TOOLS"
+           MONGO_ORCHESTRATION_HOME: "$MONGO_ORCHESTRATION_HOME"
+           MONGODB_BINARIES: "$MONGODB_BINARIES"
+           UPLOAD_BUCKET: "$UPLOAD_BUCKET"
+           PROJECT_DIRECTORY: "$PROJECT_DIRECTORY"
+           PREPARE_SHELL: |
+              set -o errexit
+              export SKIP_LEGACY_SHELL=1
+              export DRIVERS_TOOLS="$DRIVERS_TOOLS"
+              export MONGO_ORCHESTRATION_HOME="$MONGO_ORCHESTRATION_HOME"
+              export MONGODB_BINARIES="$MONGODB_BINARIES"
+              export UPLOAD_BUCKET="$UPLOAD_BUCKET"
+              export PROJECT_DIRECTORY="$PROJECT_DIRECTORY"
+
+              export TMPDIR="$MONGO_ORCHESTRATION_HOME/db"
+              export PATH="$MONGODB_BINARIES:$PATH"
+              export PROJECT="${project}"
+              export PIP_QUIET=1
+           EOT
+
+    # Load the expansion file to make an evergreen variable with the current unique version
+    - command: expansions.update
+      params:
+        file: src/expansion.yml
+  bootstrap-oidc:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "mongoc"
+        shell: bash
+        script: |
+          set -x
+          echo "RUNNING BOOTSTRAP OIDC"
+          if [[ ! -d drivers-evergreen-tools ]]; then
+              git clone --depth=1 [email protected]:mongodb-labs/drivers-evergreen-tools.git
+          fi
+          ${PREPARE_SHELL}
+          if [ "${skip_EC2_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+          cd drivers-evergreen-tools/.evergreen/auth_oidc
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export OIDC_TOKEN_DIR=/tmp/tokens
+
+          # Z Series fails with the following error messages:
+          # error: can't find Rust compiler
+          # ModuleNotFoundError: No module named 'jwkest'
+          # We will skip this test on Z Series.
+          if [[ `uname -m` == "s390x" ]]; then
+              echo "OIDC Setup scripts do not work on Z Series, skipping."
+              exit 0
+          fi
+
+          . ./activate-authoidcvenv.sh
+
+          # The OIDC scripts require at least Python version 3.6 in order to function.
+          if python -c "import sys; sys.exit(0 if sys.version_info >= (3, 6) else 1)"; then
+              echo "Python version is 3.6 or greater, will run OIDC setup scripts"
+          else
+              echo "Python version is less than 3.6, cannot use OIDC setup scripts"
+              exit 0
+          fi
+
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export TOPOLOGY=replica_set
+          export ORCHESTRATION_FILE=auth-oidc.json
+          echo "RUNNING OIDC SETUP"
+          ./setup.sh
+
+          #python oidc_write_orchestration.py
+          #python oidc_get_tokens.py
   upload-mo-artifacts:
     - command: subprocess.exec
       params:

@@ -22,6 +22,7 @@ check_var_opt SINGLE_MONGOS_LB_URI
 check_var_opt SKIP_CRYPT_SHARED_LIB
 check_var_opt SSL "nossl"
 check_var_opt URI
+check_var_opt OIDC
 
 declare script_dir
 script_dir="$(to_absolute "$(dirname "${BASH_SOURCE[0]}")")"
@@ -241,6 +242,11 @@ if [[ "${LOADBALANCED}" != "noloadbalanced" ]]; then
   test_args+=("-l" "/command_monitoring/unified/*")
 fi
 
+if [[ "${OIDC}" == "oidc" ]]; then
+  test_args+=("-l" "/unified/mongodb-oidc-no-retry")
+  echo "TESTING OIDC"
+fi
+
 if [[ ! "${test_args[*]}" =~ "-l" ]]; then
   # /http tests are only run if the set of tests to execute were not limited.
   echo "Waiting for simple HTTP server to start..."

@@ -557,6 +557,7 @@ set (MONGOC_SOURCES
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-aws.c
+   ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-oidc.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-sasl.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-collection.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-compression.c
@@ -1199,6 +1200,7 @@ if (ENABLE_TESTS)
    mongoc_add_test (test-azurekms ${PROJECT_SOURCE_DIR}/tests/test-azurekms.c)
    mongoc_add_test (test-gcpkms ${PROJECT_SOURCE_DIR}/tests/test-gcpkms.c)
    mongoc_add_test (test-awsauth ${PROJECT_SOURCE_DIR}/tests/test-awsauth.c)
+   mongoc_add_test (test-oidcauth ${PROJECT_SOURCE_DIR}/tests/test-oidcauth.c)
 
    # "make test" doesn't compile tests, so we create "make check" which compiles
    # and runs tests: https://gitlab.kitware.com/cmake/cmake/issues/8774

@@ -0,0 +1,33 @@
+:man_page: mongoc_oidc_callback_copy
+
+mongoc_oidc_callback_copy()
+===========================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+  mongoc_oidc_callback_t *
+  mongoc_oidc_callback_copy (const mongoc_oidc_callback_t *callback)
+
+Create a new :symbol:`mongoc_oidc_callback_t` object with the same callback function and user data pointer as an existing :symbol:`mongoc_oidc_callback_t`.
+
+.. warning::
+
+    The lifetime of the object pointed to by ``user_data`` is managed the user, not by :symbol:`mongoc_oidc_callback_t`!
+
+Parameters
+----------
+
+* ``callback``: a :symbol:`mongoc_oidc_callback_t` to copy. Must not be ``NULL``.
+
+Returns
+-------
+
+A new :symbol:`mongoc_oidc_callback_t` that must be freed with :symbol:`mongoc_oidc_callback_destroy()`.
+
+.. seealso::
+
+  - :symbol:`mongoc_oidc_callback_t`
+  - :symbol:`mongoc_oidc_callback_new`
@@ -25,6 +25,7 @@ The callback may be used to integrate with OIDC providers that are not supported
 
     mongoc_oidc_callback_new
     mongoc_oidc_callback_new_with_user_data
+    mongoc_oidc_callback_copy
     mongoc_oidc_callback_destroy
     mongoc_oidc_callback_get_fn
     mongoc_oidc_callback_get_user_data

@@ -121,6 +121,23 @@ mongoc_client_pool_new (const mongoc_uri_t *uri)
    return pool;
 }
 
+void
+mongoc_client_pool_set_oidc_callback (mongoc_client_pool_t *pool, const mongoc_oidc_callback_t *callback)
+{
+   BSON_ASSERT_PARAM (pool);
+   BSON_ASSERT_PARAM (callback);
+
+   mongoc_oidc_callback_destroy (pool->topology->oidc_callback);
+   pool->topology->oidc_callback = mongoc_oidc_callback_copy (callback);
+}
+
+const mongoc_oidc_callback_t *
+mongoc_client_pool_get_oidc_callback (const mongoc_client_pool_t *pool)
+{
+   BSON_ASSERT_PARAM (pool);
+
+   return pool->topology->oidc_callback;
+}
 
 mongoc_client_pool_t *
 mongoc_client_pool_new_with_error (const mongoc_uri_t *uri, bson_error_t *error)

@@ -41,6 +41,12 @@ typedef struct _mongoc_client_pool_t mongoc_client_pool_t;
 MONGOC_EXPORT (mongoc_client_pool_t *)
 mongoc_client_pool_new (const mongoc_uri_t *uri) BSON_GNUC_WARN_UNUSED_RESULT;
 
+MONGOC_EXPORT (void)
+mongoc_client_pool_set_oidc_callback (mongoc_client_pool_t *pool, const mongoc_oidc_callback_t *callback);
+
+MONGOC_EXPORT (const mongoc_oidc_callback_t *)
+mongoc_client_pool_get_oidc_callback (const mongoc_client_pool_t *pool);
+
 MONGOC_EXPORT (mongoc_client_pool_t *)
 mongoc_client_pool_new_with_error (const mongoc_uri_t *uri, bson_error_t *error) BSON_GNUC_WARN_UNUSED_RESULT;
 

@@ -1083,6 +1083,38 @@ mongoc_client_new_from_uri_with_error (const mongoc_uri_t *uri, bson_error_t *er
    RETURN (client);
 }
 
+/*
+ * Spec:
+ * Drivers MUST have a way to invalidate a specific access token from the
+ * Client Cache. Invalidation MUST only clear the cached access token if it is
+ * the same as the invalid access token.
+ *
+ * https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#credential-caching
+ */
+void
+mongoc_client_oidc_credential_invalidate (mongoc_client_t *client, const char *access_token)
+{
+   BSON_ASSERT_PARAM (client);
+   BSON_ASSERT_PARAM (access_token);
+
+   mongoc_topology_t *topology = client->topology;
+   BSON_ASSERT (topology);
+
+   bson_mutex_lock (&topology->oidc_mtx);
+
+   if (!topology->oidc_credential) {
+      goto done;
+   }
+
+   if (!strcmp (access_token, mongoc_oidc_credential_get_access_token (topology->oidc_credential))) {
+      mongoc_oidc_credential_destroy (topology->oidc_credential);
+      topology->oidc_credential = NULL;
+   }
+
+done:
+   bson_mutex_unlock (&topology->oidc_mtx);
+}
+
 
 /* precondition: topology is valid */
 mongoc_client_t *
@@ -2653,6 +2685,30 @@ mongoc_client_set_server_api (mongoc_client_t *client, const mongoc_server_api_t
    return true;
 }
 
+void
+mongoc_client_set_oidc_callback (mongoc_client_t *client, const mongoc_oidc_callback_t *callback)
+{
+   BSON_ASSERT_PARAM (client);
+   BSON_ASSERT_PARAM (callback);
+
+   if (!client->topology->single_threaded) {
+      MONGOC_ERROR ("mongoc_client_set_oidc_callback must only be used for single threaded clients. "
+                    "For client pools, use mongoc_client_pool_set_oidc_callback instead.");
+      return;
+   }
+
+   mongoc_oidc_callback_destroy (client->topology->oidc_callback);
+   client->topology->oidc_callback = mongoc_oidc_callback_copy (callback);
+}
+
+const mongoc_oidc_callback_t *
+mongoc_client_get_oidc_callback (const mongoc_client_t *client)
+{
+   BSON_ASSERT_PARAM (client);
+
+   return client->topology->oidc_callback;
+}
+
 mongoc_server_description_t *
 mongoc_client_get_handshake_description (mongoc_client_t *client, uint32_t server_id, bson_t *opts, bson_error_t *error)
 {