PYTHON-3467 OIDC: Automatic token acquisition for Azure Identity Provider

.evergreen/config.yml

@@ -1010,6 +1010,32 @@ task_groups:
     tasks:
     - testazurekms-task
 
+  - name: testazureoidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: prepare resources
+      - func: fix absolute paths
+      - func: make files executable
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_VMNAME_PREFIX="PYTHON_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
+
   - name: test_aws_lambda_task_group
     setup_group:
       - func: fetch source
@@ -1978,6 +2004,22 @@ tasks:
         - func: "run load-balancer"
         - func: "run tests"
 
+    - name: "oidc-auth-test-azure-latest"
+      commands:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            cd src
+            git add .
+            git commit -m "add files"
+            export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-python-driver.tgz
+            git archive -o $AZUREOIDC_DRIVERS_TAR_FILE HEAD
+            export AZUREOIDC_TEST_CMD="source ./env.sh && export OIDC_PROVIDER_NAME=azure && ./.evergreen/run-mongodb-oidc-test.sh"
+            bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
+
     - name: "test-fips-standalone"
       tags: ["fips"]
       commands:
@@ -3036,6 +3078,13 @@ buildvariants:
   tasks:
     - name: "oidc-auth-test-latest"
 
+- name: testazureoidc-variant
+  display_name: "Azure OIDC"
+  run_on: ubuntu2004-small
+  tasks:
+    - name: testazureoidc_task_group
+      batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README
+
 - matrix_name: "aws-auth-test"
   matrix_spec:
     platform: [ubuntu-20.04]

.evergreen/run-mongodb-oidc-test.sh

@@ -5,44 +5,69 @@ set -o errexit  # Exit the script with error if any of the commands fail
 
 echo "Running MONGODB-OIDC authentication tests"
 
-# Make sure DRIVERS_TOOLS is set.
-if [ -z "$DRIVERS_TOOLS" ]; then
-    echo "Must specify DRIVERS_TOOLS"
-    exit 1
-fi
+OIDC_PROVIDER_NAME=${OIDC_PROVIDER_NAME:-"aws"}
 
-# Get the drivers secrets.  Use an existing secrets file first.
-if [ ! -f "./secrets-export.sh" ]; then
-    bash ${DRIVERS_TOOLS}/.evergreen/auth_aws/setup_secrets.sh drivers/oidc
-fi
-source ./secrets-export.sh
+if [ $OIDC_PROVIDER_NAME == "aws" ]; then
+    # Make sure DRIVERS_TOOLS is set.
+    if [ -z "$DRIVERS_TOOLS" ]; then
+        echo "Must specify DRIVERS_TOOLS"
+        exit 1
+    fi
 
-# # If the file did not have our creds, get them from the vault.
-if [ -z "$OIDC_ATLAS_URI_SINGLE" ]; then
-    bash ${DRIVERS_TOOLS}/.evergreen/auth_aws/setup_secrets.sh drivers/oidc
+    # Get the drivers secrets.  Use an existing secrets file first.
+    if [ ! -f "./secrets-export.sh" ]; then
+        bash ${DRIVERS_TOOLS}/.evergreen/auth_aws/setup_secrets.sh drivers/oidc
+    fi
     source ./secrets-export.sh
-fi
 
-# Make the OIDC tokens.
-set -x
-pushd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-. ./oidc_get_tokens.sh
-popd
+    # # If the file did not have our creds, get them from the vault.
+    if [ -z "$OIDC_ATLAS_URI_SINGLE" ]; then
+        bash ${DRIVERS_TOOLS}/.evergreen/auth_aws/setup_secrets.sh drivers/oidc
+        source ./secrets-export.sh
+    fi
 
-# Set up variables and run the test.
-if [ -n "$LOCAL_OIDC_SERVER" ]; then
-    export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
-    export MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
-    export MONGODB_URI_MULTI="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
-else
+    # Make the OIDC tokens.
+    set -x
+    pushd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+    . ./oidc_get_tokens.sh
+    popd
+
+    # Set up variables and run the test.
+    if [ -n "$LOCAL_OIDC_SERVER" ]; then
+        export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+        export MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+        export MONGODB_URI_MULTI="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
+    else
+        set +x   # turn off xtrace for this portion
+        export MONGODB_URI="$OIDC_ATLAS_URI_SINGLE"
+        export MONGODB_URI_SINGLE="$OIDC_ATLAS_URI_SINGLE/?authMechanism=MONGODB-OIDC"
+        export MONGODB_URI_MULTI="$OIDC_ATLAS_URI_MULTI/?authMechanism=MONGODB-OIDC"
+        set -x
+    fi
+    export AWS_WEB_IDENTITY_TOKEN_FILE="$OIDC_TOKEN_DIR/test_user1"
+    export OIDC_ADMIN_USER=$OIDC_ALTAS_USER
+    export OIDC_ADMIN_PWD=$OIDC_ATLAS_PASSWORD
+
+elif [ $OIDC_PROVIDER_NAME == "azure" ]; then
+    if [ -z "${AZUREOIDC_AUDIENCE}" ]; then
+        echo "Must specify an AZUREOIDC_AUDIENCE"
+        exit 1
+    fi
     set +x   # turn off xtrace for this portion
-    export MONGODB_URI="$OIDC_ATLAS_URI_SINGLE"
-    export MONGODB_URI_SINGLE="$OIDC_ATLAS_URI_SINGLE/?authMechanism=MONGODB-OIDC"
-    export MONGODB_URI_MULTI="$OIDC_ATLAS_URI_MULTI/?authMechanism=MONGODB-OIDC"
+    export OIDC_ADMIN_USER=$AZUREOIDC_USERNAME
+    export OIDC_ADMIN_PWD=pwd123
     set -x
+    export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+    MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+    MONGODB_URI_SINGLE="${MONGODB_URI_SINGLE}&authMechanismProperties=PROVIDER_NAME:azure"
+    export MONGODB_URI_SINGLE="${MONGODB_URI_SINGLE},TOKEN_AUDIENCE:${AZUREOIDC_AUDIENCE}"
+    export MONGODB_URI_MULTI=$MONGODB_URI_SINGLE
+else
+    echo "Unrecognized OIDC_PROVIDER_NAME $OIDC_PROVIDER_NAME"
+    exit 1
 fi
 
 export TEST_AUTH_OIDC=1
 export COVERAGE=1
 export AUTH="auth"
-bash ./.evergreen/tox.sh -m test-eg
+bash ./.evergreen/tox.sh -m test-eg -- "${@:1}"

.evergreen/run-tests.sh

@@ -30,7 +30,7 @@ set -o xtrace
 
 AUTH=${AUTH:-noauth}
 SSL=${SSL:-nossl}
-TEST_ARGS="$1"
+TEST_ARGS="${*:1}"
 PYTHON=$(which python)
 export PIP_QUIET=1  # Quiet by default
 
@@ -50,8 +50,9 @@ if [ "$AUTH" != "noauth" ]; then
         export DB_USER=$SERVERLESS_ATLAS_USER
         export DB_PASSWORD=$SERVERLESS_ATLAS_PASSWORD
     elif [ ! -z "$TEST_AUTH_OIDC" ]; then
-        export DB_USER=$OIDC_ALTAS_USER
-        export DB_PASSWORD=$OIDC_ATLAS_PASSWORD
+        export DB_USER=$OIDC_ADMIN_USER
+        export DB_PASSWORD=$OIDC_ADMIN_PWD
+        export DB_IP="$MONGODB_URI"
     else
         export DB_USER="bob"
         export DB_PASSWORD="pwd123"
@@ -205,7 +206,6 @@ fi
 
 if [ -n "$TEST_AUTH_OIDC" ]; then
     python -m pip install ".[aws]"
-
     TEST_ARGS="test/auth_oidc/test_auth_oidc.py"
 fi
 

pymongo/_azure_helpers.py

@@ -0,0 +1,56 @@
+# Copyright 2023-present MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Azure helpers."""
+from __future__ import annotations
+
+import json
+from typing import Any, Optional
+from urllib.request import Request, urlopen
+
+
+def _get_azure_response(
+    resource: str, object_id: Optional[str] = None, timeout: float = 5
+) -> dict[str, Any]:
+    url = "http://169.254.169.254/metadata/identity/oauth2/token"
+    url += "?api-version=2018-02-01"
+    url += f"&resource={resource}"
+    if object_id:
+        url += f"&object_id={object_id}"
+    headers = {"Metadata": "true", "Accept": "application/json"}
+    request = Request(url, headers=headers)  # noqa: S310
+    print("fetching url", url)  # noqa: T201
+    try:
+        with urlopen(request, timeout=timeout) as response:  # noqa: S310
+            status = response.status
+            body = response.read().decode("utf8")
+    except Exception as e:
+        msg = "Failed to acquire IMDS access token: %s" % e
+        raise ValueError(msg) from None
+
+    if status != 200:
+        msg = "Failed to acquire IMDS access token."
+        raise ValueError(msg)
+    try:
+        data = json.loads(body)
+    except Exception:
+        raise ValueError("Azure IMDS response must be in JSON format.") from None
+
+    for key in ["access_token", "expires_in"]:
+        if not data.get(key):
+            msg = "Azure IMDS response must contain %s, but was %s."
+            msg = msg % (key, body)
+            raise ValueError(msg)
+
+    return data

pymongo/auth.py

@@ -37,7 +37,13 @@
 
 from bson.binary import Binary
 from pymongo.auth_aws import _authenticate_aws
-from pymongo.auth_oidc import _authenticate_oidc, _get_authenticator, _OIDCProperties
+from pymongo.auth_oidc import (
+    _authenticate_oidc,
+    _get_authenticator,
+    _OIDCAWSCallback,
+    _OIDCAzureCallback,
+    _OIDCProperties,
+)
 from pymongo.errors import ConfigurationError, OperationFailure
 from pymongo.saslprep import saslprep
 
@@ -162,8 +168,10 @@ def _build_credentials_tuple(
         return MongoCredential(mech, "$external", user, passwd, aws_props, None)
     elif mech == "MONGODB-OIDC":
         properties = extra.get("authmechanismproperties", {})
-        request_token_callback = properties.get("request_token_callback")
-        provider_name = properties.get("PROVIDER_NAME", "")
+        callback = properties.get("OIDC_CALLBACK")
+        human_callback = properties.get("OIDC_HUMAN_CALLBACK")
+        provider_name = properties.get("PROVIDER_NAME")
+        token_audience = properties.get("TOKEN_AUDIENCE", "")
         default_allowed = [
             "*.mongodb.net",
             "*.mongodb-dev.net",
@@ -173,13 +181,40 @@ def _build_credentials_tuple(
             "127.0.0.1",
             "::1",
         ]
-        allowed_hosts = properties.get("allowed_hosts", default_allowed)
-        if not request_token_callback and provider_name != "aws":
-            raise ConfigurationError(
-                "authentication with MONGODB-OIDC requires providing an request_token_callback or a provider_name of 'aws'"
-            )
+        allowed_hosts = properties.get("ALLOWED_HOSTS", default_allowed)
+        msg = "authentication with MONGODB-OIDC requires providing either a callback or a provider_name"
+        if passwd is not None:
+            msg = "password is not supported by MONGODB-OIDC"
+            raise ConfigurationError(msg)
+        if callback or human_callback:
+            if provider_name is not None:
+                raise ConfigurationError(msg)
+            if callback and human_callback:
+                msg = "cannot set both OIDC_CALLBACK and OIDC_HUMAN_CALLBACK"
+                raise ConfigurationError(msg)
+        elif provider_name is not None:
+            if provider_name == "aws":
+                if user is not None:
+                    msg = "AWS provider for MONGODB-OIDC does not support username"
+                    raise ConfigurationError(msg)
+                callback = _OIDCAWSCallback()
+            elif provider_name == "azure":
+                passwd = None
+                if not token_audience:
+                    raise ConfigurationError(
+                        "Azure provider for MONGODB-OIDC requires a TOKEN_AUDIENCE auth mechanism property"
+                    )
+                callback = _OIDCAzureCallback(token_audience, user)
+            else:
+                raise ConfigurationError(
+                    f"unrecognized provider_name for MONGODB-OIDC: {provider_name}"
+                )
+        else:
+            raise ConfigurationError(msg)
+
         oidc_props = _OIDCProperties(
-            request_token_callback=request_token_callback,
+            callback=callback,
+            human_callback=human_callback,
             provider_name=provider_name,
             allowed_hosts=allowed_hosts,
         )
@@ -522,6 +557,7 @@ def _authenticate_default(credentials: MongoCredential, conn: Connection) -> Non
     "MONGODB-CR": _authenticate_mongo_cr,
     "MONGODB-X509": _authenticate_x509,
     "MONGODB-AWS": _authenticate_aws,
+    "MONGODB-OIDC": _authenticate_oidc,  # type:ignore[dict-item]
     "PLAIN": _authenticate_plain,
     "SCRAM-SHA-1": functools.partial(_authenticate_scram, mechanism="SCRAM-SHA-1"),
     "SCRAM-SHA-256": functools.partial(_authenticate_scram, mechanism="SCRAM-SHA-256"),
@@ -582,7 +618,7 @@ def speculate_command(self) -> MutableMapping[str, Any]:
 class _OIDCContext(_AuthContext):
     def speculate_command(self) -> Optional[MutableMapping[str, Any]]:
         authenticator = _get_authenticator(self.credentials, self.address)
-        cmd = authenticator.auth_start_cmd(False)
+        cmd = authenticator.get_spec_auth_cmd()
         if cmd is None:
             return None
         cmd["db"] = self.credentials.source