test: update configs

Author: durran

.evergreen/config.in.yml

@@ -1209,6 +1209,20 @@ tasks:
           args:
             - src/.evergreen/run-azure-kms-tests.sh
 
+  - name: "oidc-auth-test-azure-latest"
+    commands:
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |-
+          set -o errexit
+          ${PREPARE_SHELL}
+          cd src
+          export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/node-mongodb-native.tgz
+          tar czf $AZUREOIDC_DRIVERS_TAR_FILE .
+          export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/run-oidc-tests.sh"
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
+
 
 task_groups:
   - name: serverless_task_group
@@ -1313,6 +1327,37 @@ task_groups:
     tasks:
       - test-azurekms-task
 
+  - name: testazureoidc_task_group
+    setup_group:
+    - func: fetch source
+    # - func: prepare resources
+    # - func: fix absolute paths
+    # - func: make files executable
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |-
+          set -o errexit
+          ${PREPARE_SHELL}
+          export AZUREOIDC_CLIENTID="${testazureoidc_clientid}"
+          export AZUREOIDC_TENANTID="${testazureoic_tenantid}"
+          export AZUREOIDC_SECRET="${testazureoidc_secret}"
+          export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault}
+          export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS"
+          export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
+          $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_group:
+    - command: shell.exec
+      params:
+        shell: bash
+        script: |-
+          ${PREPARE_SHELL}
+          $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+    - oidc-auth-test-azure-latest
+
 pre:
   - func: "fetch source"
   - func: "windows fix"

.evergreen/config.yml

@@ -1136,6 +1136,19 @@ tasks:
             EXPECTED_AZUREKMS_OUTCOME: failure
           args:
             - src/.evergreen/run-azure-kms-tests.sh
+  - name: oidc-auth-test-azure-latest
+    commands:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            cd src
+            export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/node-mongodb-native.tgz
+            tar czf $AZUREOIDC_DRIVERS_TAR_FILE .
+            export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/run-oidc-tests.sh"
+            bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
   - name: test-latest-server
     tags:
       - latest
@@ -3191,6 +3204,33 @@ task_groups:
             - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh
     tasks:
       - test-azurekms-task
+  - name: testazureoidc_task_group
+    setup_group:
+      - func: fetch source
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_CLIENTID="${testazureoidc_clientid}"
+            export AZUREOIDC_TENANTID="${testazureoic_tenantid}"
+            export AZUREOIDC_SECRET="${testazureoidc_secret}"
+            export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault}
+            export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS"
+            export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_group:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
 pre:
   - func: fetch source
   - func: windows fix
@@ -3756,6 +3796,12 @@ buildvariants:
     tasks:
       - test_azurekms_task_group
       - test-azurekms-fail-task
+  - name: ubuntu20-test-azure-oidc
+    display_name: Azure OIDC
+    run_on: ubuntu2004-small
+    batchtime: 20160
+    tasks:
+      - testazureoidc_task_group
   - name: rhel8-no-auth-tests
     display_name: No Auth Tests
     run_on: rhel80-large

.evergreen/generate_evergreen_tasks.js

@@ -681,6 +681,14 @@ BUILD_VARIANTS.push({
   tasks: ['test_azurekms_task_group', 'test-azurekms-fail-task']
 });
 
+BUILD_VARIANTS.push({
+  name: 'ubuntu20-test-azure-oidc',
+  display_name: 'Azure OIDC',
+  run_on: 'ubuntu2004-small',
+  batchtime: 20160,
+  tasks: ['testazureoidc_task_group']
+});
+
 BUILD_VARIANTS.push({
   name: 'rhel8-no-auth-tests',
   display_name: 'No Auth Tests',

src/cmap/auth/mongodb_oidc/azure_service_workflow.ts

@@ -1,4 +1,4 @@
-import { MongoAWSError } from '../../../error';
+import { MongoAWSError, MongoMissingCredentialsError } from '../../../error';
 import { request } from '../../../utils';
 import { AzureTokenCache } from './azure_token_cache';
 import { ServiceWorkflow } from './service_workflow';
@@ -13,6 +13,13 @@ const AZURE_BASE_URL =
 /** Azure request headers. */
 const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
 
+/** Properties allowed on results of the endpoint. */
+const RESULT_PROPERTIES = ['access_token', 'expires_in'];
+
+/** Invalid endpoint result error. */
+const ENDPOINT_RESULT_ERROR =
+  'Azure endpoint did not return a value with only access_token and expires_in properties';
+
 /**
  * The Azure access token format.
  * @internal
@@ -46,7 +53,6 @@ export class AzureServiceWorkflow extends ServiceWorkflow {
     if (!tokenAudience) {
       throw new MongoAWSError(TOKEN_AUDIENCE_MISSING_ERROR);
     }
-    // TODO: Look for the token in the cache. They expire after 5 minutes.
     let token;
     const entry = this.cache.getEntry(tokenAudience);
     if (entry?.isValid()) {
@@ -58,7 +64,10 @@ export class AzureServiceWorkflow extends ServiceWorkflow {
       token = azureEntry.token;
     }
 
-    // TODO: Validate access_token and expires_in are present.
+    if (isEndpointResultInvalid(token)) {
+      this.cache.deleteEntry(tokenAudience);
+      throw new MongoMissingCredentialsError(ENDPOINT_RESULT_ERROR);
+    }
     return token;
   }
 }
@@ -74,3 +83,14 @@ async function getAzureTokenData(tokenAudience: string): Promise<AzureAccessToke
   });
   return data as AzureAccessToken;
 }
+
+/**
+ * Determines if a result returned from the endpoint is invalid.
+ * This means the result is nullish, doesn't contain the access_token required field,
+ * the expires_in required field, and does not contain extra fields.
+ */
+function isEndpointResultInvalid(token: unknown): boolean {
+  if (token == null || typeof token !== 'object') return true;
+  if (!('access_token' in token) || !('expires_in' in token)) return true;
+  return !Object.getOwnPropertyNames(token).every(prop => RESULT_PROPERTIES.includes(prop));
+}

src/cmap/auth/mongodb_oidc/azure_token_cache.ts

@@ -29,7 +29,7 @@ export class AzureTokenCache extends AbstractCache<AzureTokenEntry> {
   }
 
   /**
-   * Create a cache key from the address and username.
+   * Create a cache key.
    */
   cacheKey(tokenAudience: string): string {
     return tokenAudience;

test/mongodb.ts

@@ -107,6 +107,8 @@ export * from '../src/cmap/auth/mongocr';
 export * from '../src/cmap/auth/mongodb_aws';
 export * from '../src/cmap/auth/mongodb_oidc';
 export * from '../src/cmap/auth/mongodb_oidc/aws_service_workflow';
+export * from '../src/cmap/auth/mongodb_oidc/azure_service_workflow';
+export * from '../src/cmap/auth/mongodb_oidc/azure_token_cache';
 export * from '../src/cmap/auth/mongodb_oidc/callback_lock_cache';
 export * from '../src/cmap/auth/mongodb_oidc/callback_workflow';
 export * from '../src/cmap/auth/mongodb_oidc/service_workflow';

test/unit/cmap/auth/mongodb_oidc/azure_token_cache.test.ts

@@ -0,0 +1,77 @@
+import { expect } from 'chai';
+
+import { AzureTokenCache } from '../../../../mongodb';
+
+describe('AzureTokenCache', function () {
+  const tokenResultWithExpiration = Object.freeze({
+    access_token: 'test',
+    expires_in: 100
+  });
+
+  describe('#addEntry', function () {
+    context('when expiresInSeconds is provided', function () {
+      const cache = new AzureTokenCache();
+      let entry;
+
+      before(function () {
+        cache.addEntry('audience', tokenResultWithExpiration);
+        entry = cache.getEntry('audience');
+      });
+
+      it('adds the token result', function () {
+        expect(entry.tokenResult).to.deep.equal(tokenResultWithExpiration);
+      });
+
+      it('creates an expiration', function () {
+        expect(entry.expiration).to.be.within(Date.now(), Date.now() + 100 * 1000);
+      });
+    });
+  });
+
+  describe('#clear', function () {
+    const cache = new AzureTokenCache();
+
+    before(function () {
+      cache.addEntry('audience', tokenResultWithExpiration);
+      cache.clear();
+    });
+
+    it('clears the cache', function () {
+      expect(cache.entries.size).to.equal(0);
+    });
+  });
+
+  describe('#deleteEntry', function () {
+    const cache = new AzureTokenCache();
+
+    before(function () {
+      cache.addEntry('audience', tokenResultWithExpiration);
+      cache.deleteEntry('audience');
+    });
+
+    it('deletes the entry', function () {
+      expect(cache.getEntry('audience')).to.not.exist;
+    });
+  });
+
+  describe('#getEntry', function () {
+    const cache = new AzureTokenCache();
+
+    before(function () {
+      cache.addEntry('audience1', tokenResultWithExpiration);
+      cache.addEntry('audience2', tokenResultWithExpiration);
+    });
+
+    context('when there is a matching entry', function () {
+      it('returns the entry', function () {
+        expect(cache.getEntry('audience1')).to.equal(tokenResultWithExpiration);
+      });
+    });
+
+    context('when there is no matching entry', function () {
+      it('returns undefined', function () {
+        expect(cache.getEntry('audience')).to.equal(undefined);
+      });
+    });
+  });
+});