Add remaining environments (azure, gcp), evergreen testing, API naming updates

Author: katcharov

.evergreen/.evg.yml

@@ -12,9 +12,8 @@ stepback: true
 # Actual testing tasks are marked with `type: test`
 command_type: system
 
-# Protect ourself against rogue test case, or curl gone wild, that runs forever
-# 12 minutes is the longest we'll ever run
-exec_timeout_secs: 3600 # 12 minutes is the longest we'll ever run
+# Protect ourselves against rogue test case, or curl gone wild, that runs forever
+exec_timeout_secs: 7200
 
 # What to do when evergreen hits the timeout (`post:` tasks are run automatically)
 timeout:
@@ -934,6 +933,58 @@ tasks:
         - func: "run load-balancer"
         - func: "run load-balancer tests"
 
+    - name: "oidc-auth-test-latest"
+      commands:
+        - command: subprocess.exec
+          type: test
+          params:
+            working_dir: "src"
+            binary: bash
+            include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+            args:
+              - .evergreen/run-mongodb-oidc-test.sh
+
+    - name: "oidc-auth-test-azure-latest"
+      commands:
+        - command: shell.exec
+          params:
+            shell: bash
+            env:
+              JAVA_HOME: ${JAVA_HOME}
+            script: |-
+              set -o errexit
+              ${PREPARE_SHELL}
+              cd src
+              git add .
+              git commit -m "add files"
+              # uncompressed tar used to allow appending .git folder
+              export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-java-driver.tar
+              git archive -o $AZUREOIDC_DRIVERS_TAR_FILE HEAD
+              tar -rf $AZUREOIDC_DRIVERS_TAR_FILE .git
+              export AZUREOIDC_TEST_CMD="OIDC_ENV=azure ./.evergreen/run-mongodb-oidc-test.sh"
+              bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
+
+    - name: "oidc-auth-test-gcp-latest"
+      commands:
+        - command: shell.exec
+          params:
+            shell: bash
+            script: |-
+              set -o errexit
+              ${PREPARE_SHELL}
+              cd src
+              git add .
+              git commit -m "add files"
+              # uncompressed tar used to allow appending .git folder
+              export GCPOIDC_DRIVERS_TAR_FILE=/tmp/mongo-java-driver.tar
+              git archive -o $GCPOIDC_DRIVERS_TAR_FILE HEAD
+              tar -rf $GCPOIDC_DRIVERS_TAR_FILE .git
+              # Define the command to run on the VM.
+              # Ensure that we source the environment file created for us, set up any other variables we need,
+              # and then run our test suite on the vm.
+              export GCPOIDC_TEST_CMD="OIDC_ENV=gcp ./.evergreen/run-mongodb-oidc-test.sh"
+              bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh
+
     - name: serverless-test
       commands:
         - func: "run serverless"
@@ -2025,6 +2076,77 @@ task_groups:
     tasks:
       - test-aws-lambda-deployed
 
+  - name: testoidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: prepare resources
+      - func: fix absolute paths
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-latest
+
+  - name: testazureoidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: prepare resources
+      - func: fix absolute paths
+      - command: subprocess.exec
+        params:
+          binary: bash
+          env:
+            AZUREOIDC_VMNAME_PREFIX: "JAVA_DRIVER"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
+
+  - name: testgcpoidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: prepare resources
+      - func: fix absolute paths
+      - command: subprocess.exec
+        params:
+          binary: bash
+          env:
+            GCPOIDC_VMNAME_PREFIX: "JAVA_DRIVER"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-gcp-latest
+
 buildvariants:
 
 # Test packaging and other release related routines
@@ -2176,6 +2298,27 @@ buildvariants:
   tasks:
     - name: "test_atlas_task_group_search_indexes"
 
+- name: "oidc-auth-test"
+  display_name: "OIDC Auth"
+  run_on: ubuntu2204-small
+  tasks:
+    - name: testoidc_task_group
+      batchtime: 20160 # 14 days
+
+- name: testazureoidc-variant
+  display_name: "OIDC Auth Azure"
+  run_on: ubuntu2204-small
+  tasks:
+    - name: testazureoidc_task_group
+      batchtime: 20160 # 14 days
+
+- name: testgcpoidc-variant
+  display_name: "OIDC Auth GCP"
+  run_on: ubuntu2204-small
+  tasks:
+    - name: testgcpoidc_task_group
+      batchtime: 20160 # 14 days
+
 - matrix_name: "aws-auth-test"
   matrix_spec: { ssl: "nossl", jdk: ["jdk8", "jdk17", "jdk21"], version: ["4.4", "5.0", "6.0", "7.0", "latest"], os: "ubuntu",
                  aws-credential-provider: "*" }

.evergreen/run-mongodb-oidc-test.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set +x          # Disable debug trace
+set -eu
+
+echo "Running MONGODB-OIDC authentication tests"
+
+OIDC_ENV=${OIDC_ENV:-"test"}
+
+echo "OIDC_ENV $OIDC_ENV"
+
+if [ $OIDC_ENV == "test" ]; then
+    if [ -z "$DRIVERS_TOOLS" ]; then
+        echo "Must specify DRIVERS_TOOLS"
+        exit 1
+    fi
+    source ${DRIVERS_TOOLS}/.evergreen/auth_oidc/secrets-export.sh
+    # java will not need to be installed, but we need to config
+    RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE:-$0}")"
+    source "${RELATIVE_DIR_PATH}/javaConfig.bash"
+elif [ $OIDC_ENV == "azure" ]; then
+    source ./env.sh
+elif [ $OIDC_ENV == "gcp" ]; then
+    source ./secrets-export.sh
+else
+    echo "Unrecognized OIDC_ENV $OIDC_ENV"
+    exit 1
+fi
+
+
+if ! which java ; then
+    echo "Installing java..."
+    sudo apt install openjdk-17-jdk -y
+    echo "Installed java."
+fi
+
+which java
+export OIDC_TESTS_ENABLED=true
+export OIDC_ENV="$OIDC_ENV" # read by tests
+
+# use admin credentials for tests
+TO_REPLACE="mongodb://"
+REPLACEMENT="mongodb://$OIDC_ADMIN_USER:$OIDC_ADMIN_PWD@"
+ADMIN_URI=${MONGODB_URI/$TO_REPLACE/$REPLACEMENT}
+
+./gradlew -Dorg.mongodb.test.uri="$ADMIN_URI" \
+  --stacktrace --debug --info --no-build-cache driver-core:cleanTest \
+  driver-sync:test --tests OidcAuthenticationProseTests --tests UnifiedAuthTest \
+  driver-reactive-streams:test --tests OidcAuthenticationAsyncProseTests \

driver-core/src/main/com/mongodb/ConnectionString.java

@@ -916,7 +916,7 @@ private MongoCredential createCredentials(final Map<String, List<String>> option
 
         if (credential != null && authMechanismProperties != null) {
             for (String part : authMechanismProperties.split(",")) {
-                String[] mechanismPropertyKeyValue = part.split(":");
+                String[] mechanismPropertyKeyValue = part.split(":", 2);
                 if (mechanismPropertyKeyValue.length != 2) {
                     throw new IllegalArgumentException(format("The connection string contains invalid authentication properties. "
                             + "'%s' is not a key value pair", part));

driver-core/src/main/com/mongodb/MongoCredential.java

@@ -37,6 +37,7 @@
 import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_1;
 import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_256;
 import static com.mongodb.assertions.Assertions.notNull;
+import static com.mongodb.internal.connection.OidcAuthenticator.OidcValidator.validateCreateOidcCredential;
 import static com.mongodb.internal.connection.OidcAuthenticator.OidcValidator.validateOidcCredentialConstruction;
 
 /**
@@ -185,7 +186,7 @@ public final class MongoCredential {
     public static final String AWS_CREDENTIAL_PROVIDER_KEY = "AWS_CREDENTIAL_PROVIDER";
 
     /**
-     * The provider name. The value must be a string.
+     * The environment. The value must be a string.
      * <p>
      * If this is provided,
      * {@link MongoCredential#OIDC_CALLBACK_KEY} and
@@ -195,7 +196,7 @@ public final class MongoCredential {
      * @see #createOidcCredential(String)
      * @since 4.10
      */
-    public static final String PROVIDER_NAME_KEY = "PROVIDER_NAME";
+    public static final String ENVIRONMENT_KEY = "ENVIRONMENT";
 
     /**
      * This callback is invoked when the OIDC-based authenticator requests
@@ -204,7 +205,7 @@ public final class MongoCredential {
      * and a {@linkplain OidcCallbackResult#getRefreshToken() refresh token}
      * must not be returned by the callback.
      * <p>
-     * If this is provided, {@link MongoCredential#PROVIDER_NAME_KEY}
+     * If this is provided, {@link MongoCredential#ENVIRONMENT_KEY}
      * and {@link MongoCredential#OIDC_HUMAN_CALLBACK_KEY}
      * must not be provided.
      *
@@ -219,7 +220,7 @@ public final class MongoCredential {
      * from the MongoDB server. The type of the value must be
      * {@link OidcCallback}.
      * <p>
-     * If this is provided, {@link MongoCredential#PROVIDER_NAME_KEY}
+     * If this is provided, {@link MongoCredential#ENVIRONMENT_KEY}
      * and {@link MongoCredential#OIDC_CALLBACK_KEY}
      * must not be provided.
      *
@@ -253,6 +254,13 @@ public final class MongoCredential {
     public static final List<String> DEFAULT_ALLOWED_HOSTS = Collections.unmodifiableList(Arrays.asList(
             "*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", "*.mongodbgov.net", "localhost", "127.0.0.1", "::1"));
 
+    /**
+     * The token resource.
+     *
+     * @since TODO-OIDC update all
+     */
+    public static final String TOKEN_RESOURCE_KEY = "TOKEN_RESOURCE";
+
     /**
      * Creates a MongoCredential instance with an unspecified mechanism.  The client will negotiate the best mechanism based on the
      * version of the server that the client is authenticating to.
@@ -408,7 +416,7 @@ public static MongoCredential createAwsCredential(@Nullable final String userNam
      * @return the credential
      * @since 4.10
      * @see #withMechanismProperty(String, Object)
-     * @see #PROVIDER_NAME_KEY
+     * @see #ENVIRONMENT_KEY
      * @see #OIDC_CALLBACK_KEY
      * @see #OIDC_HUMAN_CALLBACK_KEY
      * @see #ALLOWED_HOSTS_KEY
@@ -463,6 +471,7 @@ public MongoCredential withMechanism(final AuthenticationMechanism mechanism) {
 
         if (mechanism == MONGODB_OIDC) {
             validateOidcCredentialConstruction(source, mechanismProperties);
+            validateCreateOidcCredential(password);
         }
 
         if (userName == null && !Arrays.asList(MONGODB_X509, MONGODB_AWS, MONGODB_OIDC).contains(mechanism)) {
@@ -697,6 +706,7 @@ public interface IdpInfo {
         /**
          * @return Unique client ID for this OIDC client.
          */
+        @Nullable
         String getClientId();
 
         /**