Apply authmechanism renaming and add azure environment.

Author: Oleksandr Poliakov

src/MongoDB.Driver.Core/Core/Authentication/Oidc/AzureOidcCallback.cs

@@ -0,0 +1,89 @@
+/* Copyright 2010-present MongoDB Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+using System;
+using System.IO;
+using System.Net;
+using System.Threading;
+using System.Threading.Tasks;
+using MongoDB.Bson.IO;
+using MongoDB.Bson.Serialization;
+using MongoDB.Bson.Serialization.Serializers;
+
+namespace MongoDB.Driver.Core.Authentication.Oidc
+{
+    internal sealed class AzureOidcCallback : IOidcCallback
+    {
+        private readonly string _tokenResource;
+
+        public AzureOidcCallback(string tokenResource)
+        {
+            _tokenResource = tokenResource;
+        }
+
+        public OidcAccessToken GetOidcAccessToken(OidcCallbackParameters parameters, CancellationToken cancellationToken)
+        {
+            var request = CreateMetadataRequest(parameters);
+            using (cancellationToken.Register(() => request.Abort(), useSynchronizationContext: false))
+            {
+                var response = request.GetResponse();
+                return ParseMetadataResponse((HttpWebResponse)response);
+            }
+        }
+
+        public async Task<OidcAccessToken> GetOidcAccessTokenAsync(OidcCallbackParameters parameters, CancellationToken cancellationToken)
+        {
+            var request = CreateMetadataRequest(parameters);
+            using (cancellationToken.Register(() => request.Abort(), useSynchronizationContext: false))
+            {
+                var response = await request.GetResponseAsync().ConfigureAwait(false);
+                return ParseMetadataResponse((HttpWebResponse)response);
+            }
+        }
+
+        private HttpWebRequest CreateMetadataRequest(OidcCallbackParameters parameters)
+        {
+            var metadataUrl = $"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={_tokenResource}";
+            if (!string.IsNullOrEmpty(parameters.UserName))
+            {
+                metadataUrl += $"&client_id={parameters.UserName}";
+            }
+
+            var request = WebRequest.CreateHttp(new Uri(metadataUrl));
+            request.Headers["Metadata"] = "true";
+            request.Accept = "application/json";
+            request.Method = "GET";
+
+            return request;
+        }
+
+        private OidcAccessToken ParseMetadataResponse(HttpWebResponse response)
+        {
+            if (response.StatusCode != HttpStatusCode.OK)
+            {
+                throw new InvalidOperationException($"Response status code does not indicate success {response.StatusCode}:{response.StatusDescription}");
+            }
+
+            using var responseReader = new StreamReader(response.GetResponseStream());
+            using var jsonReader = new JsonReader(responseReader);
+
+            var context = BsonDeserializationContext.CreateRoot(jsonReader);
+            var document = BsonDocumentSerializer.Instance.Deserialize(context);
+
+            var accessToken = document.GetValue("access_token");
+            return new OidcAccessToken(accessToken.AsString, null);
+        }
+    }
+}

src/MongoDB.Driver.Core/Core/Authentication/Oidc/IOidcCallback.cs

@@ -28,15 +28,22 @@ public sealed class OidcCallbackParameters
         /// Initializes a new instance of the <see cref="OidcCallbackParameters" /> class.
         /// </summary>
         /// <param name="version">Callback API version number.</param>
-        public OidcCallbackParameters(int version)
+        /// <param name="userName">User name.</param>
+        public OidcCallbackParameters(int version, string userName)
         {
             Version = version;
+            UserName = userName;
         }
 
         /// <summary>
         /// Callback API version number.
         /// </summary>
         public int Version { get; }
+
+        /// <summary>
+        /// User name.
+        /// </summary>
+        public string UserName { get; }
     }
 
     /// <summary>

src/MongoDB.Driver.Core/Core/Authentication/Oidc/MongoOidcAuthenticator.cs

@@ -27,9 +27,7 @@ namespace MongoDB.Driver.Core.Authentication.Oidc
     internal sealed class MongoOidcAuthenticator : SaslAuthenticator
     {
         #region static
-        public const string CallbackMechanismPropertyName = "OIDC_CALLBACK";
         public const string MechanismName = "MONGODB-OIDC";
-        public const string ProviderMechanismPropertyName = "PROVIDER_NAME";
 
         public static MongoOidcAuthenticator CreateAuthenticator(
             string source,
@@ -43,30 +41,27 @@ public static MongoOidcAuthenticator CreateAuthenticator(
                 properties,
                 endPoints,
                 serverApi,
-                OidcCallbackAdapterCachingFactory.Instance,
-                OidcKnownCallbackProviders.Instance);
+                OidcCallbackAdapterCachingFactory.Instance);
 
         public static MongoOidcAuthenticator CreateAuthenticator(
             string source,
             string principalName,
             IEnumerable<KeyValuePair<string, object>> properties,
             IReadOnlyList<EndPoint> endPoints,
             ServerApi serverApi,
-            IOidcCallbackAdapterFactory callbackAdapterFactory,
-            IOidcKnownCallbackProviders oidcKnownCallbackProviders)
+            IOidcCallbackAdapterFactory callbackAdapterFactory)
         {
             Ensure.IsNotNull(endPoints, nameof(endPoints));
             Ensure.IsNotNull(callbackAdapterFactory, nameof(callbackAdapterFactory));
-            Ensure.IsNotNull(oidcKnownCallbackProviders, nameof(oidcKnownCallbackProviders));
 
             if (source != "$external")
             {
                 throw new ArgumentException("MONGODB-OIDC authentication must use the $external authentication source.", nameof(source));
             }
 
-            var configuration = new OidcConfiguration(endPoints, principalName, properties, oidcKnownCallbackProviders);
+            var configuration = new OidcConfiguration(endPoints, principalName, properties);
             var callbackAdapter = callbackAdapterFactory.Get(configuration);
-            var mechanism = new OidcSaslMechanism(callbackAdapter);
+            var mechanism = new OidcSaslMechanism(callbackAdapter, principalName);
             return new MongoOidcAuthenticator(mechanism, serverApi, configuration);
         }
         #endregion

src/MongoDB.Driver.Core/Core/Authentication/Oidc/OidcCallbackAdapterFactory.cs

@@ -13,6 +13,7 @@
 * limitations under the License.
 */
 
+using System;
 using System.Collections.Concurrent;
 using MongoDB.Driver.Core.Misc;
 
@@ -25,20 +26,39 @@ internal interface IOidcCallbackAdapterFactory
 
     internal class OidcCallbackAdapterCachingFactory : IOidcCallbackAdapterFactory
     {
-        public static readonly OidcCallbackAdapterCachingFactory Instance = new(SystemClock.Instance);
+        public static readonly OidcCallbackAdapterCachingFactory Instance = new(SystemClock.Instance, EnvironmentVariableProvider.Instance);
 
         private readonly IClock _clock;
+        private readonly IEnvironmentVariableProvider _environmentVariableProvider;
         private readonly ConcurrentDictionary<OidcConfiguration, IOidcCallbackAdapter> _cache = new();
 
-        public OidcCallbackAdapterCachingFactory(IClock clock)
+        public OidcCallbackAdapterCachingFactory(IClock clock, IEnvironmentVariableProvider environmentVariableProvider)
         {
             _clock = clock;
+            _environmentVariableProvider = environmentVariableProvider;
         }
 
         public IOidcCallbackAdapter Get(OidcConfiguration configuration)
-            => _cache.GetOrAdd(configuration, config => new OidcCallbackAdapter(config.Callback, _clock));
+            => _cache.GetOrAdd(configuration, CreateCallbackAdapter);
 
         internal void Reset()
             => _cache.Clear();
+
+        private IOidcCallbackAdapter CreateCallbackAdapter(OidcConfiguration configuration)
+        {
+            var callback = configuration.Callback;
+
+            if (!string.IsNullOrEmpty(configuration.Environment))
+            {
+                callback = configuration.Environment switch
+                {
+                    "test" => FileOidcCallback.CreateFromEnvironmentVariable("OIDC_TOKEN_FILE ", _environmentVariableProvider),
+                    "azure" => new AzureOidcCallback(configuration.TokenResource),
+                    _ => throw new NotSupportedException($"Non supported {OidcConfiguration.EnvironmentMechanismPropertyName} value: {configuration.Environment}")
+                };
+            }
+
+            return new OidcCallbackAdapter(callback, _clock);
+        }
     }
 }

src/MongoDB.Driver.Core/Core/Authentication/Oidc/OidcConfiguration.cs

@@ -24,13 +24,17 @@ namespace MongoDB.Driver.Core.Authentication.Oidc
 {
     internal sealed class OidcConfiguration
     {
+        public const string CallbackMechanismPropertyName = "OIDC_CALLBACK";
+        public const string EnvironmentMechanismPropertyName = "ENVIRONMENT";
+        public const string TokenResourceMechanismPropertyName = "TOKEN_RESOURCE";
+
+        private static readonly ISet<string> __supportedEnvironments = new HashSet<string> { "test", "azure" };
         private readonly int _hashCode;
 
         public OidcConfiguration(
             IEnumerable<EndPoint> endPoints,
             string principalName,
-            IEnumerable<KeyValuePair<string, object>> authMechanismProperties,
-            IOidcKnownCallbackProviders oidcKnownCallbackProviders)
+            IEnumerable<KeyValuePair<string, object>> authMechanismProperties)
         {
             EndPoints = Ensure.IsNotNullOrEmpty(endPoints, nameof(endPoints));
             Ensure.IsNotNull(authMechanismProperties, nameof(authMechanismProperties));
@@ -42,15 +46,14 @@ public OidcConfiguration(
                 {
                     switch (authorizationProperty.Key)
                     {
-                        case MongoOidcAuthenticator.CallbackMechanismPropertyName:
-                            {
-                                Callback = GetProperty<IOidcCallback>(authorizationProperty);
-                            }
+                        case CallbackMechanismPropertyName:
+                            Callback = GetProperty<IOidcCallback>(authorizationProperty);
+                            break;
+                        case EnvironmentMechanismPropertyName:
+                            Environment = GetProperty<string>(authorizationProperty);
                             break;
-                        case MongoOidcAuthenticator.ProviderMechanismPropertyName:
-                            {
-                                ProviderName = GetProperty<string>(authorizationProperty);
-                            }
+                        case TokenResourceMechanismPropertyName:
+                            TokenResource = GetProperty<string>(authorizationProperty);
                             break;
                         default:
                             throw new ArgumentException(
@@ -63,17 +66,6 @@ public OidcConfiguration(
             ValidateOptions();
             _hashCode = CalculateHashCode();
 
-            if (ProviderName != null)
-            {
-                Callback = ProviderName switch
-                {
-                    "aws" => oidcKnownCallbackProviders.Aws,
-                    _ => throw new ArgumentException(
-                        $"Not supported value of {MongoOidcAuthenticator.ProviderMechanismPropertyName} mechanism property: {ProviderName}.",
-                        MongoOidcAuthenticator.ProviderMechanismPropertyName)
-                };
-            }
-
             static T GetProperty<T>(KeyValuePair<string, object> property)
             {
                 if (property.Value is T result)
@@ -85,10 +77,11 @@ static T GetProperty<T>(KeyValuePair<string, object> property)
             }
         }
 
+        public IOidcCallback Callback { get; }
         public IEnumerable<EndPoint> EndPoints { get; }
+        public string Environment { get; }
         public string PrincipalName { get; }
-        public string ProviderName { get; }
-        public IOidcCallback Callback { get; }
+        public string TokenResource { get; }
 
         public override int GetHashCode() => _hashCode;
 
@@ -98,29 +91,52 @@ public override bool Equals(object obj)
             if (object.ReferenceEquals(this, obj)) { return true; }
             return
                 obj is OidcConfiguration other &&
-                ProviderName == other.ProviderName &&
+                Environment == other.Environment &&
                 PrincipalName == other.PrincipalName &&
                 object.Equals(Callback, other.Callback) &&
+                TokenResource == other.TokenResource &&
                 EndPoints.SequenceEqual(other.EndPoints, EndPointHelper.EndPointEqualityComparer);
         }
 
         private int CalculateHashCode()
             => new Hasher()
-                .Hash(ProviderName)
+                .Hash(Environment)
                 .Hash(PrincipalName)
                 .HashElements(EndPoints)
+                .Hash(TokenResource)
                 .GetHashCode();
 
         private void ValidateOptions()
         {
-            if (ProviderName == null && Callback == null)
+            if (Environment == null && Callback == null)
+            {
+                throw new ArgumentException($"{EnvironmentMechanismPropertyName} or {CallbackMechanismPropertyName} must be configured.");
+            }
+
+            if (Environment != null && Callback != null)
+            {
+                throw new ArgumentException($"{CallbackMechanismPropertyName} is mutually exclusive with {EnvironmentMechanismPropertyName}.");
+            }
+
+            if (Environment != null && !__supportedEnvironments.Contains(Environment))
+            {
+                throw new ArgumentException(
+                    $"Not supported value of {EnvironmentMechanismPropertyName} mechanism property: {Environment}.",
+                    EnvironmentMechanismPropertyName);
+            }
+
+            if (!string.IsNullOrEmpty(TokenResource) && Environment != "azure")
             {
-                throw new ArgumentException($"{MongoOidcAuthenticator.ProviderMechanismPropertyName} or {MongoOidcAuthenticator.CallbackMechanismPropertyName} must be configured.");
+                throw new ArgumentException(
+                    $"{TokenResourceMechanismPropertyName} mechanism property supported only by azure environment.",
+                    TokenResourceMechanismPropertyName);
             }
 
-            if (ProviderName != null && Callback != null)
+            if (Environment == "azure" && string.IsNullOrEmpty(TokenResource))
             {
-                throw new ArgumentException($"{MongoOidcAuthenticator.CallbackMechanismPropertyName} is mutually exclusive with {MongoOidcAuthenticator.ProviderMechanismPropertyName}.");
+                throw new ArgumentException(
+                    $"{TokenResourceMechanismPropertyName} mechanism property is required by azure environment.",
+                    TokenResourceMechanismPropertyName);
             }
         }
     }