DRIVERS-2672 Add OIDC machine workflow spec. #1471

Merged
merged 46 commits into from
Jan 31, 2024
Changes from 36 commits

Commits (46)
fbc3d72
DRIVERS-2616 OIDC-SASL Follow-Up
blink1073 Sep 4, 2023
f01c678
finish refactor
blink1073 Sep 5, 2023
62130cf
syntax
blink1073 Sep 5, 2023
d09ae6c
Update source/auth/auth.rst
blink1073 Sep 5, 2023
67c9794
Update source/auth/auth.rst
blink1073 Sep 5, 2023
b7f750c
address review
blink1073 Sep 5, 2023
a333353
Update source/auth/auth.rst
blink1073 Sep 20, 2023
aa1ada7
address review
blink1073 Sep 20, 2023
93d9b27
add qa
blink1073 Sep 20, 2023
46afc8d
DRIVERS-2672 Add OIDC machine workflow spec.
matthewdale Oct 22, 2023
2c0e07a
Separate OIDC machine and human auth flow specs.
matthewdale Nov 3, 2023
becadd5
Apply suggestions from code review
matthewdale Nov 3, 2023
5b0665e
Remove references to GCP OIDC provider flows, fix heading formatting,…
matthewdale Nov 6, 2023
88de5b9
Update OIDC token callback signature and make the OIDC conversation m…
matthewdale Nov 9, 2023
e9972de
DRIVERS-2672 Update unified test format to support OIDC tests.
matthewdale Oct 16, 2023
17fd8a5
Add spec test for OIDC auth with built-in providers.
matthewdale Nov 9, 2023
cf5455e
Fix quotes in ALLOWED_HOSTS
matthewdale Nov 9, 2023
b349eb2
Clarify timeout documentation and callback API. Respond to PR feedback.
matthewdale Nov 14, 2023
1fb61b6
Update spec tests to use the expected database name.
matthewdale Nov 16, 2023
be7f515
Add OIDC spec and prose tests. Refine OIDC spec.
matthewdale Nov 18, 2023
48f9fd4
Clarify caching section and add examples.
matthewdale Nov 28, 2023
f841d13
Align caching, authentication, and reauthentication logic. Complete m…
matthewdale Nov 29, 2023
9523a84
Specify cache algorithms for auth and reauth. Reorganize caching info.
matthewdale Nov 30, 2023
98eec93
Wrap up spec and prose tests.
matthewdale Dec 7, 2023
f8c3b4b
Fix indentation spaces.
matthewdale Dec 7, 2023
1ec045c
Remove the undocumented 'callback' param from auth spec tests and com…
matthewdale Jan 4, 2024
82a20d4
Apply suggestions from code review
matthewdale Jan 4, 2024
9ff52c0
Fix RST formatting.
matthewdale Jan 4, 2024
4e1a5f5
Fix Sphinx lint errors.
matthewdale Jan 4, 2024
7f79ecd
Fix OIDC prose tests and update spec auth description in handshake spec.
matthewdale Jan 4, 2024
697bed6
Rewrite the OIDC spec to make human auth an extension to machine auth.
matthewdale Jan 17, 2024
cd1470d
Combine OIDC and reauthentication spec tests. Add OIDC prose tests.
matthewdale Jan 18, 2024
9ef2650
Merge branch 'master' into drivers2672-oidc-machine
matthewdale Jan 18, 2024
bb09469
Fix master merge.
matthewdale Jan 18, 2024
f2135be
Complete OIDC prose tests. PR feedback.
matthewdale Jan 20, 2024
9b6bd5f
Add type test for authMechanism runOnRequirement.
matthewdale Jan 22, 2024
11357db
Update source/auth/auth.rst
matthewdale Jan 24, 2024
357cad9
Allow drivers to use either a unified or separate callback API. Addit…
matthewdale Jan 24, 2024
09554a6
Update callback naming. Fix auth connection string tests.
matthewdale Jan 25, 2024
37102c5
Simplify speculative auth. Clarify cache behaviors. PR feedback.
matthewdale Jan 26, 2024
03a0f8b
Fix prose and spec tests. Add to prose test local testing guide.
matthewdale Jan 30, 2024
95395e2
Clarify config of retryReads in prose tests. Remove checking for extr…
matthewdale Jan 31, 2024
f41bb37
Bump unified test format to 1.19
matthewdale Jan 31, 2024
6b07e16
Merge branch 'master' into drivers2672-oidc-machine
matthewdale Jan 31, 2024
353fa83
Correct Unified Test Format spec current schema version.
matthewdale Jan 31, 2024
4203a6d
Include all changes from unified test spec 1.18 in 1.19.
matthewdale Jan 31, 2024
837 changes: 597 additions & 240 deletions source/auth/auth.rst

Large diffs are not rendered by default.

16 changes: 12 additions & 4 deletions source/auth/tests/README.rst
Expand Up @@ -2,17 +2,25 @@
Auth Tests
==========

The YAML and JSON files in this directory tree are platform-independent tests
that drivers can use to prove their conformance to the Auth Spec at least with
respect to connection string URI input.
Introduction
============

This document describes the format of the driver spec tests included in the
JSON and YAML files included in the ``legacy`` sub-directory. Tests in the
``unified`` directory are written using the `Unified Test Format
<../../unified-test-format/unified-test-format.rst>`_.

The YAML and JSON files in the ``legacy`` directory tree are
platform-independent tests that drivers can use to prove their conformance to
the Auth Spec at least with respect to connection string URI input.

Drivers should do additional unit testing if there are alternate ways of
configuring credentials on a client.

Driver must also conduct the prose tests in the Auth Spec test plan section.

Format
------
======

Each YAML file contains an object with a single ``tests`` key. This key is an
array of test case objects, each of which have the following keys:
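Review bot: "Driver must also conduct the prose tests in the Auth Spec test plan section." has a number-agreement error; it should read "Drivers must also conduct the prose tests in the Auth Spec test plan section." to match the preceding sentence ("Drivers should do additional unit testing ..."). A second, structural point in the same hunk: changing the "Format" underline from `------` to `======` makes "Introduction" and "Format" peers of "Auth Tests" rather than subsections of it, so the file no longer has a single document title in reStructuredText; if that is not intended, keep "Auth Tests" with `======` and use `------` for "Introduction" and "Format".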
95 changes: 15 additions & 80 deletions source/auth/tests/legacy/connection-string.json

Some generated files are not rendered by default.

84 changes: 16 additions & 68 deletions source/auth/tests/legacy/connection-string.yml
Expand Up @@ -350,59 +350,30 @@ tests:
mechanism: MONGODB-AWS
mechanism_properties:
AWS_SESSION_TOKEN: token!@#$%^&*()_+
- description: should recognise the mechanism and request callback (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
callback:
- oidcRequest
- description: should recognise the mechanism with aws provider (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
valid: true
credential:
username:
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
REQUEST_TOKEN_CALLBACK: true
- description: should recognise the mechanism when auth source is explicitly specified
and with request callback (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external
callback:
- oidcRequest
PROVIDER_NAME: aws
- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws
valid: true
credential:
username:
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
REQUEST_TOKEN_CALLBACK: true
- description: should recognise the mechanism with request and refresh callback (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
PROVIDER_NAME: aws
- description: should ignore username and password if specified for aws provider (MONGODB-OIDC)
uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
Member comment:

PROVIDER_NAME and callbacks are mutually exclusive. Callback parameter probably has to be removed from this test.

Contributor Author reply:

You're correct. The callback legacy test case parameter was never documented and is not supported by most drivers, so I intended to remove it from all test cases here, but accidentally left that one in. I've updated that test case to assert that providing a password causes a validation error, which matches the spec.

callback:
- oidcRequest
- oidcRefresh
valid: true
credential:
username:
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
REQUEST_TOKEN_CALLBACK: true
REFRESH_TOKEN_CALLBACK: true
- description: should recognise the mechanism and username with request callback (MONGODB-OIDC)
uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC
callback:
- oidcRequest
valid: true
credential:
username: principalName
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
REQUEST_TOKEN_CALLBACK: true
- description: should recognise the mechanism with aws device (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
valid: true
credential:
username:
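Review bot: the case "should ignore username and password if specified for aws provider (MONGODB-OIDC)" with uri `mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws` contradicts the author's reply in the thread, which says providing a password should cause a validation error; the description and the expected `valid` / `credential` values need to agree with the spec before this merges. If the spec rejects a password with the aws provider, this should be a `valid: false` case with an empty `credential:` like the other rejection cases, not a `valid: true` case that silently drops `user:pass` and asserts empty `username:` / `password:`. The same hunk still carries `callback:` entries (`- oidcRequest`, `- oidcRefresh`) on the MONGODB-OIDC cases; per the thread those are undocumented and were meant to be removed from every case, so please confirm none survive in the new version of the file.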
Expand All @@ -411,46 +382,23 @@ tests:
mechanism: MONGODB-OIDC
mechanism_properties:
PROVIDER_NAME: aws
- description: should recognise the mechanism when auth source is explicitly specified
and with aws device (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws
valid: true
credential:
username:
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
PROVIDER_NAME: aws
- description: should throw an exception if username and password are specified (MONGODB-OIDC)
uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC
callback:
- oidcRequest
- description: should throw an exception if username is specified for aws (MONGODB-OIDC)
uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws
valid: false
credential:
- description: should throw an exception if username and deviceName are specified
(MONGODB-OIDC)
uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:gcp
- description: should throw an exception if specified provider is not supported (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid
valid: false
credential:
- description: should throw an exception if specified deviceName is not supported
(MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:unexisted
- description: should throw an exception custom callback is chosen but no callback is provided (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:custom
Member comment:

I suppose "custom" is not an allowed value for PROVIDER_NAME. As far as I remember there is only "aws" allowed so far.

Contributor Author reply:

You're right, that test is vestigial from an earlier version of the spec. I've removed this test case because it's no longer relevant.

valid: false
credential:
- description: should throw an exception if neither deviceName nor callbacks specified
(MONGODB-OIDC)
- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
valid: false
credential:
- description: should throw an exception when only refresh callback is specified (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
callback:
- oidcRefresh
valid: false
credential:
- description: should throw an exception when unsupported auth property is specified
(MONGODB-OIDC)
- description: should throw an exception when unsupported auth property is specified (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=UnsupportedProperty:unexisted
valid: false
credential:
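Review bot: in "should throw an exception if username is specified for aws (MONGODB-OIDC)" the uri `mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws` puts `PROVIDER_NAME:aws` as a bare query option instead of inside `authMechanismProperties=`, so a driver can fail the case on a malformed option string and the test passes without ever exercising the "username with aws provider" rule it is named for. Use `mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws`, matching the other aws cases in this file, so that `valid: false` is produced by the credential validation and not by URI parsing.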