address review
blink1073 committed Apr 3, 2024
1 parent 9953782 commit 1036c8d
Showing 1 changed file with 21 additions and 21 deletions.
42 changes: 21 additions & 21 deletions source/auth/tests/mongodb-oidc.md
Expand Up @@ -29,8 +29,8 @@ After setting up your OIDC
[environment](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md),
source the `secrets-export.sh` file and use the associated env variables in your tests.

An OIDC configured client MUST set the appropriate `ENVIRONMENT` auth mechanism property and include a callback that gets the
appropriate token for the given environment.
An OIDC configured client MUST set the appropriate `ENVIRONMENT` auth mechanism property and include a callback that
gets the appropriate token for the given environment.

### Callback Authentication

Expand Down Expand Up @@ -72,7 +72,7 @@ appropriate token for the given environment.

**2.4 Invalid Client Configuration with Callback**

- Create a `MongoClient` configured with an OIDC callback and auth mechanism property `ENVIRONMENT:test`.
- Create an OIDC configured client with an OIDC callback and auth mechanism property `ENVIRONMENT:test`.
- Assert it returns a client configuration error.

### (3) Authentication Failure
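
Review bot: In test 2.4 the new wording conflicts with the definition given earlier in this file, where an OIDC configured client already "MUST set the appropriate `ENVIRONMENT` auth mechanism property and include a callback". Read literally, 2.4 now says that creating exactly such a client returns a client configuration error. Since this case is about an invalid combination, either keep `MongoClient` in this step or state what is being added on top of the baseline, for example "Create a `MongoClient` with both an OIDC callback and `ENVIRONMENT:test`", so implementers know which combination must be rejected.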
Expand Down Expand Up @@ -124,13 +124,13 @@ for test setup.

# 5.1 Azure With No Username

- Create a `MongoClient` configured with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and no username.
- Create an OIDC configured client with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and no username.
- Perform a `find` operation that succeeds.
- Close the client.

# 5.2 Azure with Bad Usernam

- Create a `MongoClient` configured with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and a username of `"bad"`.
- Create an OIDC configured client with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and a username of `"bad"`.
- Perform a `find` operation that fails.
- Close the client.

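
Review bot: The 5.2 heading reads "Azure with Bad Usernam", which is missing the final "e", and both 5.1 and 5.2 use a `#` heading while the other test titles in this file are bold (`**2.4 ...**`). Since the bullets under both headings are being edited anyway, fix the spelling and bring the two titles in line with the bold style. The capitalisation also differs between "Azure With No Username" and "Azure with Bad ...".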
Expand Down Expand Up @@ -161,38 +161,38 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**1.1 Single Principal Implicit Username**

- Create default client
- Create an OIDC configured client.
- Perform a `find` operation that succeeds.
- Close the client.

**1.2 Single Principal Explicit Username**

- Create a client with `MONGODB_URI_SINGLE` and a username of `test_user1@${OIDC_DOMAIN}`.
- Create an OIDC configured client with `MONGODB_URI_SINGLE` and a username of `test_user1@${OIDC_DOMAIN}`.
- Perform a `find` operation that succeeds.
- Close the client.

**1.3 Multiple Principal User 1**

- Create a client with `MONGODB_URI_MULTI` and username of `test_user1@${OIDC_DOMAIN}`.
- Create an OIDC configured client with `MONGODB_URI_MULTI` and username of `test_user1@${OIDC_DOMAIN}`.
- Perform a `find` operation that succeeds.
- Close the client.

**1.4 Multiple Principal User 2**

- Create a client with `MONGODB_URI_MULTI` and username of `test_user2@${OIDC_DOMAIN}`. that reads the `test_user2`
token file.
- Create an OIDC configured client with `MONGODB_URI_MULTI` and username of `test_user2@${OIDC_DOMAIN}`. that reads the
`test_user2` token file.
- Perform a `find` operation that succeeds.
- Close the client.

**1.5 Multiple Principal No User**

- Create a client with `MONGODB_URI_MULTI` and no username.
- Create an OIDC configured client with `MONGODB_URI_MULTI` and no username.
- Assert that a `find` operation fails.
- Close the client.

**1.6 Allowed Hosts Blocked**

- Create a client with an `ALLOWED_HOSTS` that is an empty list.
- Create an OIDC configured client with an `ALLOWED_HOSTS` that is an empty list.
- Assert that a `find` operation fails with a client-side error.
- Close the client.
- Create a client that uses the URL `mongodb://localhost/?authMechanism=MONGODB-OIDC&ignored=example.com`, a human
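
Review bot: In 1.4 the rewritten step keeps the broken sentence from the old text: "`test_user2@${OIDC_DOMAIN}`. that reads the `test_user2` token file." has a stray period and a dangling clause with no subject. Say what reads the token file, for example "and a callback that reads the `test_user2` token file", or drop the clause if the OIDC configured client already implies it. The last bullet of 1.6 still says "Create a client that uses the URL ..."; if that step is intentionally not an OIDC configured client, a short remark to that effect would help.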
Expand All @@ -204,23 +204,23 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**2.1 Valid Callback Inputs**

- Create a `MongoClient` with a human callback that validates its inputs and returns a valid access token.
- Create an OIDC configured client with a human callback that validates its inputs and returns a valid access token.
- Perform a `find` operation that succeeds. Verify that the human callback was called with the appropriate inputs,
including the timeout parameter if possible.
- Close the client.

**2.3 Human Callback Returns Missing Data**

- Create a `MongoClient` with a human callback that returns data not conforming to the `OIDCCredential` with missing
fields.
- Create an OIDC configured client with a human callback that returns data not conforming to the `OIDCCredential` with
missing fields.
- Perform a `find` operation that fails.
- Close the client.

### (3) Speculative Authentication

**3.1 Uses speculative authentication if there is a cached token**

- Create a `MongoClient` with a human callback that returns a valid token.
- Create an OIDC configured client with a human callback that returns a valid token.
- Set a fail point for `find` commands of the form:

```javascript
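
Review bot: In 2.3 the step "returns data not conforming to the `OIDCCredential` with missing fields" is ambiguous about whether the fields are missing from the returned data or from the type. Suggest "returns an `OIDCCredential` with required fields missing". The numbering in this section also goes from 2.1 straight to 2.3; either renumber or note that 2.2 was removed on purpose.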
Expand Down Expand Up @@ -259,7 +259,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**3.2 Does not use speculative authentication if there is no cached token**

- Create a `MongoClient` with a human callback that returns a valid token.
- Create an OIDC configured client with a human callback that returns a valid token.
- Set a fail point for `saslStart` commands of the form:

```javascript
Expand All @@ -282,7 +282,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**4.1 Succeeds**

- Create a default OIDC client and add an event listener. The following assumes that the driver does not emit
- Create an OIDC configured client and add an event listener. The following assumes that the driver does not emit
`saslStart` or `saslContinue` events. If the driver does emit those events, ignore/filter them for the purposes of
this test.
- Perform a `find` operation that succeeds.
Expand Down Expand Up @@ -315,7 +315,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**4.2 Succeeds no refresh**

- Create a default OIDC client with a human callback that does not return a refresh token.
- Create an OIDC configured client with a human callback that does not return a refresh token.
- Perform a `find` operation that succeeds.
- Assert that the human callback has been called once.
- Force a reauthenication using a fail point of the form:
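
Review bot: The context step "Force a reauthenication using a fail point of the form:" in 4.2 misspells "reauthentication", and the same spelling appears in the matching steps of 4.3 and 4.4. This commit already touches each of these tests, so it is a good place to correct all three.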
Expand All @@ -341,7 +341,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**4.3 Succeeds after refresh fails**

- Create a default OIDC client.
- Create an OIDC configured client.
- Perform a `find` operation that succeeds.
- Assert that the human callback has been called once.
- Force a reauthenication using a fail point of the form:
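
Review bot: In 4.3 the first step now reads only "Create an OIDC configured client.", but the third step asserts that the human callback has been called once, and the test title depends on a refresh being attempted. Unlike 4.2, which spells out "with a human callback that does not return a refresh token", this step leaves the callback and its refresh-token behaviour implicit. State it explicitly, for example "with a human callback that returns a refresh token", if that is the intent.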
Expand All @@ -367,7 +367,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr

**4.4 Fails**

- Create a default OIDC client.
- Create an OIDC configured client.
- Perform a find operation that succeeds (to force a speculative auth).
- Assert that the human callback has been called once.
- Force a reauthenication using a failCommand of the form:
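
Review bot: In 4.4 the steps are worded inconsistently with 4.2 and 4.3: "Perform a find operation" leaves `find` unformatted, and the last step says "failCommand" where the sibling tests say "fail point". As in 4.3, the create step does not mention the human callback that the third step asserts on. Aligning the wording across 4.2 to 4.4 would make it clearer that only the fail point differs between them.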