Add remaining tests, refactor, increase GCP test machine

Author: katcharov

.evergreen/.evg.yml

@@ -2134,6 +2134,7 @@ task_groups:
           binary: bash
           env:
             GCPOIDC_VMNAME_PREFIX: "JAVA_DRIVER"
+            GCPKMS_MACHINETYPE: "e2-medium" # comparable elapsed time to Azure; default was starved, caused timeouts
           args:
             - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/setup.sh
     teardown_task:

driver-core/src/main/com/mongodb/internal/authentication/GcpCredentialHelper.java

@@ -33,31 +33,32 @@
  */
 public final class GcpCredentialHelper {
 
-    public static CredentialInfo fetchGcpCredentialInfo(final String resource) {
-        String endpoint = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?" + resource;
-        return new CredentialInfo(
-                getBsonDocument(endpoint).getValue(),
-                Duration.ZERO);
-    }
-
     public static BsonDocument obtainFromEnvironment() {
         String endpoint = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token";
-        return new BsonDocument("accessToken", getBsonDocument(endpoint));
-    }
 
-    private static BsonString getBsonDocument(final String endpoint) {
         Map<String, String> header = new HashMap<>();
         header.put("Metadata-Flavor", "Google");
-        header.put("Accept", "application/json");
         String response = getHttpContents("GET", endpoint, header);
         BsonDocument responseDocument = BsonDocument.parse(response);
         if (responseDocument.containsKey("access_token")) {
-            return responseDocument.get("access_token").asString();
+            return new BsonDocument("accessToken", responseDocument.get("access_token"));
         } else {
-            throw new MongoClientException("access_token is missing from GCE metadata response.  Full response is ''" + response);
+            throw new MongoClientException("access_token is missing from GCE metadata response.  Full response is ''"
+                    + response);
         }
     }
 
+    public static CredentialInfo fetchGcpCredentialInfo(final String resource) {
+        String endpoint = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience="
+                + resource;
+        Map<String, String> header = new HashMap<>();
+        header.put("Metadata-Flavor", "Google");;
+        String response = getHttpContents("GET", endpoint, header);
+        return new CredentialInfo(
+                    new BsonString(response).getValue(),
+                    Duration.ZERO);
+    }
+
     private GcpCredentialHelper() {
     }
 }

driver-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java

@@ -33,6 +33,7 @@
 import org.bson.BsonDocument;
 import org.bson.BsonInt32;
 import org.bson.BsonString;
+import org.bson.Document;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -71,7 +72,6 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 import static util.ThreadTestHelpers.executeAll;
 
@@ -201,7 +201,7 @@ public void test2p2RequestCallbackReturnsNull() {
         //noinspection ConstantConditions
         OidcCallback callback = (context) -> null;
         MongoClientSettings clientSettings = this.createSettings(callback);
-        performFind(clientSettings, MongoConfigurationException.class,
+        assertFindFails(clientSettings, MongoConfigurationException.class,
                 "Result of callback must not be null");
     }
 
@@ -216,12 +216,9 @@ public void test2p3CallbackReturnsMissingData() {
         // we ensure that the error is propagated
         MongoClientSettings clientSettings = createSettings(callback);
         try (MongoClient mongoClient = createMongoClient(clientSettings)) {
-            try {
-                performFind(mongoClient);
-                fail();
-            } catch (Exception e) {
-                assertCause(IllegalArgumentException.class, "accessToken can not be null", e);
-            }
+            assertCause(IllegalArgumentException.class,
+                    "accessToken can not be null",
+                    () -> performFind(mongoClient));
         }
     }
 
@@ -230,13 +227,9 @@ public void test2p4InvalidClientConfigurationWithCallback() {
         String uri = getOidcUri() + "&authMechanismProperties=ENVIRONMENT:" + getOidcEnv();
         MongoClientSettings settings = createSettings(
                 uri, createCallback(), null, OIDC_CALLBACK_KEY);
-        try {
-            performFind(settings);
-            fail();
-        } catch (Exception e) {
-            assertCause(IllegalArgumentException.class,
-                    "OIDC_CALLBACK must not be specified when ENVIRONMENT is specified", e);
-        }
+        assertCause(IllegalArgumentException.class,
+                "OIDC_CALLBACK must not be specified when ENVIRONMENT is specified",
+                () -> performFind(settings));
     }
 
     @Test
@@ -282,13 +275,9 @@ public void test3p2AuthFailsWithoutCachedToken() {
                 (x) -> new OidcCallbackResult("invalid_token", Duration.ZERO);
         MongoClientSettings clientSettings = createSettings(callback);
         try (MongoClient mongoClient = createMongoClient(clientSettings)) {
-            try {
-                performFind(mongoClient);
-                fail();
-            } catch (Exception e) {
-                assertCause(MongoCommandException.class,
-                        "Command failed with error 18 (AuthenticationFailed):", e);
-            }
+            assertCause(MongoCommandException.class,
+                    "Command failed with error 18 (AuthenticationFailed):",
+                    () -> performFind(mongoClient));
         }
     }
 
@@ -321,8 +310,6 @@ public void test3p3UnexpectedErrorDoesNotClearCache() {
         }
     }
 
-    // TODO-OIDC reinstate 2 broken(?) tests in mongodb-oidc-no-retry.json
-
     @Test
     public void test4p1Reauthentication() {
         TestCallback callback = createCallback();
@@ -335,6 +322,59 @@ public void test4p1Reauthentication() {
         assertEquals(2, callback.invocations.get());
     }
 
+    @Test
+    public void test4p2ReadCommandsFailIfReauthenticationFails() {
+        // Create a `MongoClient` whose OIDC callback returns one good token
+        // and then bad tokens after the first call.
+        TestCallback wrappedCallback = createCallback();
+        OidcCallback callback = (context) -> {
+            OidcCallbackResult result1 = wrappedCallback.callback(context);
+            return new OidcCallbackResult(
+                    wrappedCallback.getInvocations() > 1 ? "bad" : result1.getAccessToken(),
+                    Duration.ZERO,
+                    null);
+        };
+        MongoClientSettings clientSettings = createSettings(callback);
+        try (MongoClient mongoClient = createMongoClient(clientSettings)) {
+            performFind(mongoClient);
+            failCommand(391, 1, "find");
+            assertCause(MongoCommandException.class,
+                    "Command failed with error 18",
+                    () -> performFind(mongoClient));
+        }
+        assertEquals(2, wrappedCallback.invocations.get());
+    }
+
+    @Test
+    public void test4p3WriteCommandsFailIfReauthenticationFails() {
+        // Create a `MongoClient` whose OIDC callback returns one good token
+        // and then bad tokens after the first call.
+        TestCallback wrappedCallback = createCallback();
+        OidcCallback callback = (context) -> {
+            OidcCallbackResult result1 = wrappedCallback.callback(context);
+            return new OidcCallbackResult(
+                    wrappedCallback.getInvocations() > 1 ? "bad" : result1.getAccessToken(),
+                    Duration.ZERO,
+                    null);
+        };
+        MongoClientSettings clientSettings = createSettings(callback);
+        try (MongoClient mongoClient = createMongoClient(clientSettings)) {
+            performInsert(mongoClient);
+            failCommand(391, 1, "insert");
+            assertCause(MongoCommandException.class,
+                    "Command failed with error 18",
+                    () -> performInsert(mongoClient));
+        }
+        assertEquals(2, wrappedCallback.invocations.get());
+    }
+
+    private static void performInsert(final MongoClient mongoClient) {
+        mongoClient
+                .getDatabase("test")
+                .getCollection("test")
+                .insertOne(Document.parse("{ x: 1 }"));
+    }
+
     @Test
     public void test5p1Azure() {
         assumeTrue(getOidcEnv().equals("azure"));
@@ -410,7 +450,7 @@ public void testh1p5MultiplePrincipalNoUser() {
         // Create an OIDC configured client with `MONGODB_URI_MULTI` and no username.
         MongoClientSettings clientSettings = createSettingsMulti(null, createHumanCallback());
         // Assert that a `find` operation fails.
-        performFind(clientSettings, MongoCommandException.class, "Authentication failed");
+        assertFindFails(clientSettings, MongoCommandException.class, "Authentication failed");
     }
 
     @Test
@@ -420,15 +460,15 @@ public void testh1p6AllowedHostsBlocked() {
         //- Assert that a ``find`` operation fails with a client-side error.
         MongoClientSettings clientSettings1 = createSettings(getOidcUri(),
                 createHumanCallback(), null, OIDC_HUMAN_CALLBACK_KEY, Collections.emptyList());
-        performFind(clientSettings1, MongoSecurityException.class, "not permitted by ALLOWED_HOSTS");
+        assertFindFails(clientSettings1, MongoSecurityException.class, "not permitted by ALLOWED_HOSTS");
 
         //- Create a client that uses the URL
         //  ``mongodb://localhost/?authMechanism=MONGODB-OIDC&ignored=example.com``, a
         //  human callback, and an ``ALLOWED_HOSTS`` that contains ``["example.com"]``.
         //- Assert that a ``find`` operation fails with a client-side error.
         MongoClientSettings clientSettings2 = createSettings(getOidcUri() + "&ignored=example.com",
                 createHumanCallback(), null, OIDC_HUMAN_CALLBACK_KEY, Arrays.asList("example.com"));
-        performFind(clientSettings2, MongoSecurityException.class, "not permitted by ALLOWED_HOSTS");
+        assertFindFails(clientSettings2, MongoSecurityException.class, "not permitted by ALLOWED_HOSTS");
     }
 
     // Not a prose test
@@ -485,14 +525,14 @@ public void testh2p2HumanCallbackReturnsMissingData() {
         assumeTestEnvironment();
         //noinspection ConstantConditions
         OidcCallback callbackNull = (context) -> null;
-        performFind(createHumanSettings(callbackNull, null),
+        assertFindFails(createHumanSettings(callbackNull, null),
                 MongoConfigurationException.class,
                 "Result of callback must not be null");
 
         //noinspection ConstantConditions
         OidcCallback callback =
                 (context) -> new OidcCallbackResult(null, Duration.ZERO);
-        performFind(createHumanSettings(callback, null),
+        assertFindFails(createHumanSettings(callback, null),
                 IllegalArgumentException.class,
                 "accessToken can not be null");
     }
@@ -503,7 +543,7 @@ public void testRefreshTokenAbsent() {
         // additionally, check validation for refresh in machine workflow:
         OidcCallback callbackMachineRefresh =
                 (context) -> new OidcCallbackResult("access", Duration.ZERO, "exists");
-        performFind(createSettings(callbackMachineRefresh),
+        assertFindFails(createSettings(callbackMachineRefresh),
                 MongoConfigurationException.class,
                 "Refresh token must only be provided in human workflow");
     }
@@ -549,7 +589,7 @@ public void testh3p2NoSpecAuthIfNoCachedToken() {
         failCommand(18, 1, "saslStart");
         TestListener listener = new TestListener();
         TestCommandListener commandListener = new TestCommandListener(listener);
-        performFind(createHumanSettings(createHumanCallback(), commandListener),
+        assertFindFails(createHumanSettings(createHumanCallback(), commandListener),
                 MongoCommandException.class,
                 "Command failed with error 18");
         assertEquals(Arrays.asList(
@@ -833,7 +873,7 @@ private void performFind(final MongoClientSettings settings) {
         }
     }
 
-    private <T extends Throwable> void performFind(
+    private <T extends Throwable> void assertFindFails(
             final MongoClientSettings settings,
             final Class<T> expectedExceptionOrCause,
             final String expectedMessage) {
@@ -852,21 +892,15 @@ private void performFind(final MongoClient mongoClient) {
 
     private static <T extends Throwable> void assertCause(
             final Class<T> expectedCause, final String expectedMessageFragment, final Executable e) {
-        Throwable actualException = assertThrows(Throwable.class, e);
-        assertCause(expectedCause, expectedMessageFragment, actualException);
-    }
-
-    private static <T extends Throwable> void assertCause(
-            final Class<T> expectedCause, final String expectedMessageFragment, final Throwable actualException) {
-        Throwable cause = actualException;
+        Throwable cause = assertThrows(Throwable.class, e);
         while (cause.getCause() != null) {
             cause = cause.getCause();
         }
         if (!expectedCause.isInstance(cause)) {
-            throw new AssertionFailedError("Unexpected cause: " + actualException.getClass(), actualException);
+            throw new AssertionFailedError("Unexpected cause: " + assertThrows(Throwable.class, e).getClass(), assertThrows(Throwable.class, e));
         }
         if (!cause.getMessage().contains(expectedMessageFragment)) {
-            throw new AssertionFailedError("Unexpected message", actualException);
+            throw new AssertionFailedError("Unexpected message", assertThrows(Throwable.class, e));
         }
     }