PYTHON-3716 OIDC-SASL Follow-Up

.evergreen/config.yml

@@ -79,6 +79,17 @@ functions:
               export PATH="$MONGODB_BINARIES:$PATH"
               export PROJECT="${project}"
               export PIP_QUIET=1
+           ENSURE_TOOLCHAIN_PYTHON_BINARY: |
+              # Make sure PYTHON_BINARY is set to a suitable toolchain python.
+              if [ -z "$PYTHON_BINARY" ]; then
+                  if [ "$(uname -s)" = "Darwin" ]; then
+                      export PYTHON_BINARY=/Library/Frameworks/Python.Framework/Versions/3.9/bin/python3
+                  elif [ "Windows_NT" = "$OS" ]; then # Magic variable in cygwin
+                      export PYTHON_BINARY=/cygdrive/c/python/Python39/python
+                  else
+                      export PYTHON_BINARY=/opt/python/3.9/bin/python3
+                  fi
+              fi
            EOT
 
     # Load the expansion file to make an evergreen variable with the current unique version
@@ -655,7 +666,7 @@ functions:
               .evergreen/run-mongodb-aws-test.sh
           fi
 
-  "bootstrap oidc":
+  "run oidc auth test with aws credentials":
     - command: ec2.assume_role
       params:
         role_arn: ${aws_test_secrets_role}
@@ -664,58 +675,11 @@ functions:
       params:
         working_dir: "src"
         shell: bash
+        include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
         script: |
           ${PREPARE_SHELL}
-          if [ "${skip_EC2_auth_test}" = "true" ]; then
-             echo "This platform does not support the oidc auth test, skipping..."
-             exit 0
-          fi
-
-          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
-          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
-          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
-          export OIDC_TOKEN_DIR=/tmp/tokens
-
-          . ./activate-authoidcvenv.sh
-          python oidc_write_orchestration.py
-          python oidc_get_tokens.py
-
-  "run oidc auth test with aws credentials":
-    - command: shell.exec
-      type: test
-      params:
-        working_dir: "src"
-        shell: bash
-        script: |
-          ${PREPARE_SHELL}
-          if [ "${skip_EC2_auth_test}" = "true" ]; then
-             echo "This platform does not support the oidc auth test, skipping..."
-             exit 0
-          fi
-          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-          mongosh setup_oidc.js
-    - command: shell.exec
-      type: test
-      params:
-        working_dir: "src"
-        silent: true
-        script: |
-          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
-          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
-            export OIDC_TOKEN_DIR=/tmp/tokens
-          EOF
-    - command: shell.exec
-      type: test
-      params:
-        working_dir: "src"
-        script: |
-          ${PREPARE_SHELL}
-          if [ "${skip_web_identity_auth_test}" = "true" ]; then
-             echo "This platform does not support the oidc auth test, skipping..."
-             exit 0
-          fi
-          PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-oidc-test.sh
+          ${ENSURE_TOOLCHAIN_PYTHON_BINARY}
+          bash .evergreen/run-mongodb-oidc-test.sh
 
   "run aws auth test with aws credentials as environment variables":
     - command: shell.exec
@@ -2133,16 +2097,7 @@ tasks:
 
     - name: "oidc-auth-test-latest"
       commands:
-        - func: "bootstrap oidc"
-        - func: "bootstrap mongo-orchestration"
-          vars:
-            AUTH: "auth"
-            ORCHESTRATION_FILE: "auth-oidc.json"
-            TOPOLOGY: "replica_set"
-            VERSION: "latest"
         - func: "run oidc auth test with aws credentials"
-          vars:
-            AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/tokens/test1
 
     - name: load-balancer-test
       commands:
@@ -3192,9 +3147,8 @@ buildvariants:
 
 - matrix_name: "oidc-auth-test"
   matrix_spec:
-    platform: [ rhel8 ]
-    python-version: ["3.9"]
-  display_name: "MONGODB-OIDC Auth ${platform} ${python-version}"
+    platform: [ rhel8, macos-1100, windows-64-vsMulti-small ]
+  display_name: "MONGODB-OIDC Auth ${platform}"
   tasks:
     - name: "oidc-auth-test-latest"
 

.evergreen/run-mongodb-oidc-test.sh

@@ -1,56 +1,48 @@
 #!/bin/bash
 
-set -o xtrace
+set -o xtrace   # Trace outputs.
 set -o errexit  # Exit the script with error if any of the commands fail
 
-############################################
-#            Main Program                  #
-############################################
-
-# Supported/used environment variables:
-#  MONGODB_URI    Set the URI, including an optional username/password to use
-#                 to connect to the server via MONGODB-OIDC authentication
-#                 mechanism.
-#  PYTHON_BINARY  The Python version to use.
-
 echo "Running MONGODB-OIDC authentication tests"
-# ensure no secrets are printed in log files
-set +x
-
-# load the script
-shopt -s expand_aliases # needed for `urlencode` alias
-[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
-
-MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
-MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
-MONGODB_URI_MULTIPLE="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
 
-if [ -z "${OIDC_TOKEN_DIR}" ]; then
-    echo "Must specify OIDC_TOKEN_DIR"
+# Make sure DRIVERS_TOOLS is set.
+if [ -z "$DRIVERS_TOOLS" ]; then
+    echo "Must specify DRIVERS_TOOLS"
     exit 1
 fi
 
-export MONGODB_URI_SINGLE="$MONGODB_URI_SINGLE"
-export MONGODB_URI_MULTIPLE="$MONGODB_URI_MULTIPLE"
-export MONGODB_URI="$MONGODB_URI"
-
-echo $MONGODB_URI_SINGLE
-echo $MONGODB_URI_MULTIPLE
-echo $MONGODB_URI
+# Get the drivers secrets.  Use an existing secrets file first.
+if [ ! -f "./secrets-export.sh" ]; then
+    bash .evergreen/tox.sh -m aws-secrets -- drivers/oidc
+fi
+source ./secrets-export.sh
 
-if [ "$ASSERT_NO_URI_CREDS" = "true" ]; then
-    if echo "$MONGODB_URI" | grep -q "@"; then
-        echo "MONGODB_URI unexpectedly contains user credentials!";
-        exit 1
-    fi
+# # If the file did not have our creds, get them from the vault.
+if [ -z "$OIDC_ATLAS_URI_SINGLE" ]; then
+    bash .evergreen/tox.sh -m aws-secrets -- drivers/oidc
+    source ./secrets-export.sh
 fi
 
-if [ -z "$PYTHON_BINARY" ]; then
-    echo "Cannot test without specifying PYTHON_BINARY"
-    exit 1
+# Make the OIDC tokens.
+set -x
+pushd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+. ./oidc_get_tokens.sh
+popd
+
+# Set up variables and run the test.
+if [ -n "$LOCAL_OIDC_SERVER" ]; then
+    export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+    export MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+    export MONGODB_URI_MULTI="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
+else
+    set +x   # turn off xtrace for this portion
+    export MONGODB_URI="$OIDC_ATLAS_URI_SINGLE"
+    export MONGODB_URI_SINGLE="$OIDC_ATLAS_URI_SINGLE/?authMechanism=MONGODB-OIDC"
+    export MONGODB_URI_MULTI="$OIDC_ATLAS_URI_MULTI/?authMechanism=MONGODB-OIDC"
+    set -x
 fi
 
 export TEST_AUTH_OIDC=1
+export COVERAGE=1
 export AUTH="auth"
-export SET_XTRACE_ON=1
 bash ./.evergreen/tox.sh -m test-eg

.evergreen/run-tests.sh

@@ -49,6 +49,9 @@ if [ "$AUTH" != "noauth" ]; then
     elif [ ! -z "$TEST_SERVERLESS" ]; then
         export DB_USER=$SERVERLESS_ATLAS_USER
         export DB_PASSWORD=$SERVERLESS_ATLAS_PASSWORD
+    elif [ ! -z "$TEST_AUTH_OIDC" ]; then
+        export DB_USER=$OIDC_ALTAS_USER
+        export DB_PASSWORD=$OIDC_ATLAS_PASSWORD
     else
         export DB_USER="bob"
         export DB_PASSWORD="pwd123"
@@ -109,7 +112,7 @@ fi
 if [ -n "$TEST_ENCRYPTION" ] || [ -n "$TEST_FLE_AZURE_AUTO" ] || [ -n "$TEST_FLE_GCP_AUTO" ]; then
 
     # Work around for root certifi not being installed.
-    # TODO: Remove after PYTHON-3827
+    # TODO: Remove after PYTHON-3952 is deployed.
     if [ "$(uname -s)" = "Darwin" ]; then
         python -m pip install certifi
         CERT_PATH=$(python -c "import certifi; print(certifi.where())")
@@ -224,6 +227,17 @@ fi
 
 if [ -n "$TEST_AUTH_OIDC" ]; then
     python -m pip install ".[aws]"
+
+    # Work around for root certifi not being installed.
+    # TODO: Remove after PYTHON-3952 is deployed.
+    if [ "$(uname -s)" = "Darwin" ]; then
+        python -m pip install certifi
+        CERT_PATH=$(python -c "import certifi; print(certifi.where())")
+        export SSL_CERT_FILE=${CERT_PATH}
+        export REQUESTS_CA_BUNDLE=${CERT_PATH}
+        export AWS_CA_BUNDLE=${CERT_PATH}
+    fi
+
     TEST_ARGS="test/auth_oidc/test_auth_oidc.py"
 fi
 
@@ -255,6 +269,9 @@ fi
 # Show the installed packages
 PIP_QUIET=0 python -m pip list
 
+python -c "import urllib.request;urllib.request.urlopen('https://www.google.com')"
+exit 0
+
 if [ -z "$GREEN_FRAMEWORK" ]; then
     if [ -z "$C_EXTENSIONS" ] && [ "$PYTHON_IMPL" = "CPython" ]; then
         python setup.py build_ext -i

pymongo/auth.py

@@ -155,7 +155,6 @@ def _build_credentials_tuple(
     elif mech == "MONGODB-OIDC":
         properties = extra.get("authmechanismproperties", {})
         request_token_callback = properties.get("request_token_callback")
-        refresh_token_callback = properties.get("refresh_token_callback", None)
         provider_name = properties.get("PROVIDER_NAME", "")
         default_allowed = [
             "*.mongodb.net",
@@ -172,11 +171,10 @@ def _build_credentials_tuple(
             )
         oidc_props = _OIDCProperties(
             request_token_callback=request_token_callback,
-            refresh_token_callback=refresh_token_callback,
             provider_name=provider_name,
             allowed_hosts=allowed_hosts,
         )
-        return MongoCredential(mech, "$external", user, passwd, oidc_props, None)
+        return MongoCredential(mech, "$external", user, passwd, oidc_props, _Cache())
 
     elif mech == "PLAIN":
         source_database = source or database or "$external"