diff --git a/source/auth/auth.md b/source/auth/auth.md index 7731d22ae3..a91c159471 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -53,7 +53,7 @@ Drivers SHOULD contain a type called `MongoCredential`. It SHOULD contain some o - username (string) - Applies to all mechanisms. - - Optional for MONGODB-X509 and MONGODB-AWS. + - Optional for MONGODB-X509, MONGODB-AWS, and MONGODB-OIDC. - source (string) @@ -1222,8 +1222,7 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall the same `MongoClient`, the driver MUST raise an error. - TOKEN_RESOURCE\ - The URI of the target resource. This property is currently only used and required by the Azure - built-in OIDC provider integration. If `TOKEN_RESOURCE` is provided and `ENVIRONMENT` is not one of + The URI of the target resource. If `TOKEN_RESOURCE` is provided and `ENVIRONMENT` is not one of `["azure", "gcp"]` or `TOKEN_RESOURCE` is not provided and `ENVIRONMENT` is one of `["azure", "gcp"]`, the driver MUST raise an error. 
@@ -1265,9 +1264,9 @@ purposes, and is not meant to be documented as a user-facing feature. If enabled, drivers MUST generate a token using a script in the `auth_oidc` [folder](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/master/.evergreen/auth_oidc#readme) in Drivers -Evergreen Tools. The must then set the `OIDC_TOKEN_FILE` environment variable to the path to that file. At runtime, the -driver MUST use the `OIDC_TOKEN_FILE` environment variable and read the OIDC access token from that path. The driver -MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload. +Evergreen Tools. The driver MUST then set the `OIDC_TOKEN_FILE` environment variable to the path to that file. At +runtime, the driver MUST use the `OIDC_TOKEN_FILE` environment variable and read the OIDC access token from that path. +The driver MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload. Drivers MAY implement the "test" integration so that it conforms to the function signature of the [OIDC Callback](#oidc-callback) to prevent having to re-implement the "test" integration logic in the OIDC prose tests. 
@@ -1426,10 +1425,10 @@ The driver MUST pass the following information to the callback: The callback MUST be able to return the following information: - `accessToken`: An OIDC access token string. The driver MUST NOT attempt to validate `accessToken` directly. -- `expiresIn`: An optional expiry duration for the access token. Drivers MUST interpret the value 0 as an infinite - duration and error if a negative value is returned. Drivers SHOULD use the most idiomatic type for representing a - duration in the driver's language. Note that the access token expiry value is currently not used in - [Credential Caching](#credential-caching), but is intended to support future caching optimizations. +- `expiresIn`: An optional expiry duration for the access token. Drivers with optional parameters MAY interpret a + missing value as infinite. Drivers MUST error if a negative value is returned. Drivers SHOULD use the most idiomatic + type for representing a duration in the driver's language. Note that the access token expiry value is currently not + used in [Credential Caching](#credential-caching), but is intended to support future caching optimizations. The signature and naming of the callback API is up to the driver's discretion. Drivers MUST ensure that additional optional input parameters and return values can be added to the callback signature in the future without breaking @@ -1483,7 +1482,7 @@ An example human callback API might look like: ```typescript interface IdpInfo { issuer: string; - clientId: string; + clientId: Optional; requestScopes: Optional>; } @@ -1544,6 +1543,7 @@ An example OIDC one-step SASL conversation with access token string "abcd1234" l { saslStart: 1, mechanism: "MONGODB-OIDC", + db: "$external" // payload is a BSON generic binary field containing a JwtStepRequest BSON // document: {"jwt": "abcd1234"} payload: BinData(0, "FwAAAAJqd3QACQAAAGFiY2QxMjM0AAA=") 
@@ -1618,6 +1618,7 @@ An example OIDC two-step SASL conversation with username "myidp" and access toke { saslStart: 1, mechanism: "MONGODB-OIDC", + db: "$external", // payload is a BSON generic binary field containing a PrincipalStepRequest // BSON document: {"n": "myidp"} payload: BinData(0, "EgAAAAJuAAYAAABteWlkcAAA") @@ -1712,9 +1713,10 @@ Use the following algorithm to authenticate a new connection: - Check if the the *Client Cache* has an access token. - If it does, cache the access token in the *Connection Cache* and perform a `One-Step` SASL conversation using the - access token in the *Client Cache*. If the server returns an error, invalidate that access token, sleep 100ms then - continue. -- Call the configured built-in provider integration or the OIDC callback to retrieve a new access token. + access token in the *Client Cache*. If the server returns a Authentication error (18), invalidate that access token. + Raise any other errors to the user. On success, exit the algorithm. +- Call the configured built-in provider integration or the OIDC callback to retrieve a new access token. Wait until it + has been at least 100ms since the last callback invocation, to avoid overloading the callback. - Cache the new access token in the *Client Cache* and *Connection Cache*. - Perform a `One-Step` SASL conversation using the new access token. Raise any errors to the user. 
@@ -1725,18 +1727,19 @@ def auth(connection): access_token, is_cache = get_access_token() # If there is a cached access token, try to authenticate with it. If - # authentication fails, it's possible the cached access token is expired. In - # that case, invalidate the access token, fetch a new access token, and try + # authentication fails with an Authentication error (18), + # invalidate the access token, fetch a new access token, and try # to authenticate again. + # If the server fails for any other reason, do not clear the cache. if is_cache: try: connection.oidc_cache.access_token = access_token sasl_start(connection, payload={"jwt": access_token}) return - except ServerError: - invalidate(access_token) - sleep(0.1) - access_token, _ = get_access_token() + except ServerError as e: + if e.code == 18: + invalidate(access_token) + access_token, _ = get_access_token() connection.oidc_cache.access_token = access_token sasl_start(connection, payload={"jwt": access_token}) 
@@ -1747,14 +1750,15 @@ authenticate a new connection when a [OIDC Human Callback](#oidc-human-callback) - Check if the *Client Cache* has an access token. - If it does, cache the access token in the *Connection Cache* and perform a [One-Step](#one-step) SASL conversation - using the access token. If the server returns an error, invalidate the access token token from the *Client Cache*, - clear the *Connection Cache*, and continue. + using the access token. If the server returns an Authentication error (18), invalidate the access token token from + the *Client Cache*, clear the *Connection Cache*, and restart the authentication flow. Raise any other errors to the + user. On success, exit the algorithm. - Check if the *Client Cache* has a refresh token. - If it does, call the [OIDC Human Callback](#oidc-human-callback) with the cached refresh token and `IdpInfo` to get a new access token. Cache the new access token in the *Client Cache* and *Connection Cache*. Perform a - [One-Step](#one-step) SASL conversation using the new access token. If the - [OIDC Human Callback](#oidc-human-callback) or the server return an error, invalidate the access token from the - *Client Cache*, clear the *Connection Cache*, and continue. + [One-Step](#one-step) SASL conversation using the new access token. If the the server returns an Authentication + error (18), clear the refresh token, invalidate the access token from the *Client Cache*, clear the *Connection + Cache*, and restart the authentication flow. Raise any other errors to the user. On success, exit the algorithm. - Start a new [Two-Step](#two-step) SASL conversation. - Run a `PrincipalStepRequest` to get the `IdpInfo`. - Call the [OIDC Human Callback](#oidc-human-callback) with the new `IdpInfo` to get a new access token and optional 
@@ -1776,7 +1780,7 @@ Use the following algorithm to perform speculative authentication: - If it does, cache the access token in the *Connection Cache* and send a `JwtStepRequest` with the cached access token in the speculative authentication SASL payload. If the response is missing a speculative authentication document or the speculative authentication document indicates authentication was not successful, clear the the - *Connection Cache* and continue. + *Connection Cache* and proceed to the next step. - Authenticate with the standard authentication handshake. Example code for speculative authentication using the `auth` function described above: @@ -2053,6 +2057,8 @@ to EC2 instance metadata in ECS, for security reasons, Amazon states it's best p ## Changelog +- 2024-04-22: Updated OIDC authentication flow and prose tests. + - 2024-04-22: Clarify that driver should not validate `saslSupportedMechs` content. - 2024-04-03: Added GCP built-in OIDC provider integration. diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 3c7a6b1d14..e4a03a0d9c 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -482,7 +482,7 @@ } }, { - "description": "should recognise the mechanism with test integration (MONGODB-OIDC)", + "description": "should recognise the mechanism with test environment (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test", "valid": true, "credential": { @@ -609,4 +609,4 @@ "credential": null } ] -} +} \ No newline at end of file diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index dcb90b2744..cf10cbf8db 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml 
@@ -374,7 +374,7 @@ tests: uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test valid: false credential: -- description: should throw an exception if username is specified for aws (MONGODB-OIDC) +- description: should throw an exception if username is specified for test (MONGODB-OIDC) uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test valid: false credential: diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index 899f943067..28588c89c4 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -10,17 +10,22 @@ ______________________________________________________________________ ## Unified Spec Tests -Drivers MUST run the unified spec tests in all supported OIDC environments. +Drivers MUST run the unified spec tests in all supported OIDC environments. Drivers MUST set the placeholder +authMechanism properties (`ENVIRONMENT` and `TOKEN_RESOURCE`, if applicable). These will typically be read from +environment variables set by the test runner, e,g. `AZUREOIDC_RESOURCE`. ______________________________________________________________________ -## Prose Tests +## Machine Authentication Flow Prose Tests + +Drivers MUST run the machine prose tests when `OIDC_TOKEN_DIR` is set. Drivers can either set the `ENVIRONMENT:test` +auth mechanism property, or use a custom callback that also reads the file. + +Drivers can also choose to run the machine prose tests on GCP or Azure VMs. Drivers MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be configured with `retryReads=false`. -Drivers MUST run the prose tests in all supported OIDC environments. - > [!NOTE] > For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point > callback to prevent interaction between test cases. 
@@ -29,9 +34,6 @@ After setting up your OIDC [environment](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md), source the `secrets-export.sh` file and use the associated env variables in your tests. -An OIDC configured client MUST set the appropriate `ENVIRONMENT` auth mechanism property and include a callback that -gets the appropriate token for the given environment. - ### Callback Authentication **1.1 Callback is called during authentication** @@ -92,8 +94,36 @@ gets the appropriate token for the given environment. - Assert that the callback was called 1 time. - Close the client. +**3.3 Unexpected error code does not clear the cache** + +- Create a `MongoClient` with a human callback that returns a valid token. +- Set a fail point for `saslStart` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "saslStart" + ], + errorCode: 20 // IllegalOperation + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the human callback has been called once. +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called once. +- Close the client. + ### (4) Reauthentication +\*\*4.1 Reauthentication Succeeds + - Create an OIDC configured client. - Set a fail point for `find` commands of the form: 
@@ -116,6 +146,56 @@ gets the appropriate token for the given environment. - Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication). - Close the client. +\*\*4.2 Read Commands Fail If Reauthentication Fails + +- Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. +- Perform a `find` operation that succeeds. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the callback was called 2 times. +- Close the client. + +\*\*4.3 Write Commands Fail If Reauthentication Fails + +- Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. +- Perform an `insert` operation that succeeds. +- Set a fail point for `insert` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "insert" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the callback was called 2 times. +- Close the client. + ## (5) Azure Tests Drivers MUST only run the Azure tests when testing on an Azure VM. See instructions in 
@@ -141,7 +221,7 @@ ______________________________________________________________________ Drivers that support the [Human Authentication Flow](../auth.md#human-authentication-flow) MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be configured with `retryReads=false`. -The human workflow tests MUST only be run when in `ENVIRONMENT:test`. +The human workflow tests MUST only be run when `OIDC_TOKEN_DIR` is set. > [!NOTE] > For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point @@ -200,6 +280,25 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr - Assert that a `find` operation fails with a client-side error. - Close the client. +**1.7 Allowed Hosts in Connection String Ignored** + +- Create an OIDC configured client with the connection string: + `mongodb+srv://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=ALLOWED_HOSTS:%5B%22example.com%22%5D` + and a Human Callback. +- Assert that the creation of the client raises a configuration error. + +**1.8 Machine IdP with Human Callback** + +This test MUST only be run when `OIDC_IS_LOCAL` is set. This indicates that the server is local and not using Atlas. In +this case, `MONGODB_URI_SINGLE` will be configured with a human user `test_user1`, and a machine user `test_machine`. +This test uses the machine user with a human callback, ensuring that the missing `clientId` in the +`PrincipalStepRequest` response is handled by the driver. + +- Create an OIDC configured client with `MONGODB_URI_SINGLE` and a username of `test_machine` that uses the + `test_machine` token. +- Perform a find operation that succeeds. +- Close the client. + ### (2) OIDC Human Callback Validation **2.1 Valid Callback Inputs** 
@@ -209,13 +308,38 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr including the timeout parameter if possible. - Close the client. -**2.3 Human Callback Returns Missing Data** +**2.2 Human Callback Returns Missing Data** - Create an OIDC configured client with a human callback that returns data not conforming to the `OIDCCredential` with missing fields. - Perform a `find` operation that fails. - Close the client. +**2.3 Refresh Token Is Passed To The Callback** + +- Create a `MongoClient` with a human callback that checks for the presence of a refresh token. +- Perform a find operation that succeeds. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 + } +} +``` + +- Perform a `find` operation that succeeds. +- Assert that the callback has been called twice. +- Assert that the refresh token was provided to the callback once. + ### (3) Speculative Authentication **3.1 Uses speculative authentication if there is a cached token** @@ -244,12 +368,14 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr ```javascript { configureFailPoint: "failCommand", - mode: "alwaysOn", + mode: { + times: 1 + }, data: { failCommands: [ "saslStart" ], - errorCode: 20 + errorCode: 18 } } ``` @@ -265,12 +391,14 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr ```javascript { configureFailPoint: "failCommand", - mode: "alwaysOn", + mode: { + times: 1 + }, data: { failCommands: [ "saslStart" ], - errorCode: 20 // IllegalOperation + errorCode: 18 } } ``` 
@@ -341,7 +469,7 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr **4.3 Succeeds after refresh fails** -- Create an OIDC configured client. +- Create an OIDC configured client with a callback that returns the `test_user1` access token and a bad refresh token. - Perform a `find` operation that succeeds. - Assert that the human callback has been called once. - Force a reauthenication using a fail point of the form: @@ -350,11 +478,11 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr { configureFailPoint: "failCommand", mode: { - times: 2 + times: 1 }, data: { failCommands: [ - "find", "saslStart" + "find", ], errorCode: 391 // ReauthenticationRequired } @@ -362,12 +490,13 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr ``` - Perform a `find` operation that succeeds. -- Assert that the human callback has been called 3 times. +- Assert that the human callback has been called 2 times. - Close the client. **4.4 Fails** -- Create an OIDC configured client. +- Create an OIDC configured client that returns invalid refresh tokens and returns invalid access tokens after the first + access. - Perform a find operation that succeeds (to force a speculative auth). - Assert that the human callback has been called once. - Force a reauthenication using a failCommand of the form: @@ -376,11 +505,11 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr { configureFailPoint: "failCommand", mode: { - times: 3 + times: 1 }, data: { failCommands: [ - "find", "saslStart" + "find", ], errorCode: 391 // ReauthenticationRequired } @@ -388,5 +517,5 @@ Drivers MUST be able to authenticate using OIDC callback(s) when there is one pr ``` - Perform a find operation that fails. -- Assert that the human callback has been called twice. +- Assert that the human callback has been called three times. - Close the client. 
diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.json b/source/auth/tests/unified/mongodb-oidc-no-retry.json index 83d73e4e50..9dbe198270 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.json +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.json @@ -52,9 +52,7 @@ { "collectionName": "collName", "databaseName": "test", - "documents": [ - - ] + "documents": [] } ], "tests": [ @@ -65,12 +63,9 @@ "name": "find", "object": "collection0", "arguments": { - "filter": { - } + "filter": {} }, - "expectResult": [ - - ] + "expectResult": [] } ], "expectEvents": [ @@ -81,8 +76,7 @@ "commandStartedEvent": { "command": { "find": "collName", - "filter": { - } + "filter": {} } } }, @@ -161,12 +155,9 @@ "name": "find", "object": "collection0", "arguments": { - "filter": { - } + "filter": {} }, - "expectResult": [ - - ] + "expectResult": [] } ], "expectEvents": [ @@ -177,8 +168,7 @@ "commandStartedEvent": { "command": { "find": "collName", - "filter": { - } + "filter": {} } } }, @@ -191,8 +181,7 @@ "commandStartedEvent": { "command": { "find": "collName", - "filter": { - } + "filter": {} } } }, @@ -324,12 +313,14 @@ "client": "failPointClient", "failPoint": { "configureFailPoint": "failCommand", - "mode": "alwaysOn", + "mode": { + "times": 1 + }, "data": { "failCommands": [ "saslStart" ], - "errorCode": 20 + "errorCode": 18 } } } 
@@ -392,52 +383,6 @@ { "description": "Handshake without cached token should not use speculative authentication", "operations": [ - { - "name": "failPoint", - "object": "testRunner", - "arguments": { - "client": "failPointClient", - "failPoint": { - "configureFailPoint": "failCommand", - "mode": "alwaysOn", - "data": { - "failCommands": [ - "saslStart" - ], - "errorCode": 20 - } - } - } - }, - { - "name": "insertOne", - "object": "collection0", - "arguments": { - "document": { - "_id": 1, - "x": 1 - } - }, - "expectError": { - "errorCode": 20 - } - } - ] - }, - { - "description": "Read commands should fail if reauthentication fails", - "operations": [ - { - "name": "find", - "object": "collection0", - "arguments": { - "filter": { - } - }, - "expectResult": [ - - ] - }, { "name": "failPoint", "object": "testRunner", @@ -446,69 +391,17 @@ "failPoint": { "configureFailPoint": "failCommand", "mode": { - "times": 2 + "times": 1 }, "data": { "failCommands": [ - "find", "saslStart" ], - "errorCode": 391 + "errorCode": 18 } } } }, - { - "name": "find", - "object": "collection0", - "arguments": { - "filter": { - } - }, - "expectError": { - "errorCode": 391 - } - } - ], - "expectEvents": [ - { - "client": "client0", - "events": [ - { - "commandStartedEvent": { - "command": { - "find": "collName", - "filter": { - } - } - } - }, - { - "commandSucceededEvent": { - "commandName": "find" - } - }, - { - "commandStartedEvent": { - "command": { - "find": "collName", - "filter": { - } - } - } - }, - { - "commandFailedEvent": { - "commandName": "find" - } - } - ] - } - ] - }, - { - "description": "Write commands should fail if reauthentication fails", - "operations": [ { "name": "insertOne", "object": "collection0", 
@@ -517,84 +410,11 @@ "_id": 1, "x": 1 } - } - }, - { - "name": "failPoint", - "object": "testRunner", - "arguments": { - "client": "failPointClient", - "failPoint": { - "configureFailPoint": "failCommand", - "mode": { - "times": 2 - }, - "data": { - "failCommands": [ - "insert", - "saslStart" - ], - "errorCode": 391 - } - } - } - }, - { - "name": "insertOne", - "object": "collection0", - "arguments": { - "document": { - "_id": 2, - "x": 2 - } }, "expectError": { - "errorCode": 391 + "errorCode": 18 } } - ], - "expectEvents": [ - { - "client": "client0", - "events": [ - { - "commandStartedEvent": { - "command": { - "insert": "collName", - "documents": [ - { - "_id": 1, - "x": 1 - } - ] - } - } - }, - { - "commandSucceededEvent": { - "commandName": "insert" - } - }, - { - "commandStartedEvent": { - "command": { - "insert": "collName", - "documents": [ - { - "_id": 2, - "x": 2 - } - ] - } - } - }, - { - "commandFailedEvent": { - "commandName": "insert" - } - } - ] - } ] } ] diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml index 8108acb501..426fd72466 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml @@ -173,11 +173,12 @@ tests: client: failPointClient failPoint: configureFailPoint: failCommand - mode: "alwaysOn" + mode: + times: 1 data: failCommands: - saslStart - errorCode: 20 # IllegalOperation + errorCode: 18 - name: insertOne object: collection0 arguments: @@ -211,11 +212,12 @@ tests: client: failPointClient failPoint: configureFailPoint: failCommand - mode: "alwaysOn" + mode: + times: 1 data: failCommands: - saslStart - errorCode: 20 # IllegalOperation + errorCode: 18 - name: insertOne object: collection0 arguments: 
@@ -223,91 +225,4 @@ tests: _id: 1 x: 1 expectError: - errorCode: 20 # IllegalOperation -- description: Read commands should fail if reauthentication fails - operations: - - name: find - object: collection0 - arguments: - filter: {} - expectResult: [] - - name: failPoint - object: testRunner - arguments: - client: failPointClient - failPoint: - configureFailPoint: failCommand - mode: - times: 2 - data: - failCommands: - - find - - saslStart - errorCode: 391 # ReauthenticationRequired - - name: find - object: collection0 - arguments: - filter: {} - expectError: { errorCode: 391 } - expectEvents: - - client: client0 - events: - - commandStartedEvent: - command: - find: collName - filter: {} - - commandSucceededEvent: - commandName: find - - commandStartedEvent: - command: - find: collName - filter: {} - - commandFailedEvent: - commandName: find -- description: Write commands should fail if reauthentication fails - operations: - - name: insertOne - object: collection0 - arguments: - document: - _id: 1 - x: 1 - - name: failPoint - object: testRunner - arguments: - client: failPointClient - failPoint: - configureFailPoint: failCommand - mode: - times: 2 - data: - failCommands: - - insert - - saslStart - errorCode: 391 # ReauthenticationRequired - - name: insertOne - object: collection0 - arguments: - document: - _id: 2 - x: 2 - expectError: { errorCode: 391 } - expectEvents: - - client: client0 - events: - - commandStartedEvent: - command: - insert: collName - documents: - - _id: 1 - x: 1 - - commandSucceededEvent: - commandName: insert - - commandStartedEvent: - command: - insert: collName - documents: - - _id: 2 - x: 2 - - commandFailedEvent: - commandName: insert + errorCode: 18 \ No newline at end of file
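Review bot: In `source/auth/auth.md` hunk `@@ -53,7`, stating that `username` is "Optional for ... MONGODB-OIDC" conflicts with the connection-string tests in this same patch, which mark `mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test` and the "username is specified for test (MONGODB-OIDC)" case as `valid: false`. Whether a username is permitted evidently depends on the `ENVIRONMENT` (or callback) in use, so suggest either qualifying this bullet ("Optional for MONGODB-OIDC; see the per-environment rules in the MONGODB-OIDC section") or cross-referencing the section that states when it is rejected.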
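Review bot: In `source/auth/auth.md` hunk `@@ -1426,10`, removing "Drivers MUST interpret the value 0 as an infinite duration" leaves a returned `expiresIn` of 0 undefined; the replacement sentence only covers a *missing* value ("Drivers with optional parameters MAY interpret a missing value as infinite"). A driver could now read 0 as "already expired" or as "never expires", and implementations that followed the old text do not know whether they must change. Suggest stating explicitly how 0 is to be treated (infinite, expired, or an error like negative values).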
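Review bot: In `source/auth/auth.md` hunk `@@ -1483,7`, making `clientId` optional in the `IdpInfo` example changes the human-flow contract, but no hunk in this patch adds normative text saying what the driver must do when the `PrincipalStepRequest` response omits `clientId`; only the new prose test 1.8 ("Machine IdP with Human Callback") asserts that "the missing `clientId` ... is handled by the driver". Suggest a sentence next to the `IdpInfo` definition (e.g. that the callback is invoked with `clientId` unset and the driver MUST NOT fail on its absence) so that the behaviour test 1.8 checks is actually specified.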
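Review bot: In `source/auth/auth.md` hunk `@@ -1544,6`, the added `db: "$external"` in the one-step `saslStart` example is missing the trailing comma before the `payload` field, so the example object is no longer valid as written; the two-step example in hunk `@@ -1618,6` correctly has `db: "$external",`. Suggest `+ db: "$external",` here for consistency.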
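Review bot: In `source/auth/auth.md` hunk `@@ -1712,9`, grammar in the added text: "If the server returns a Authentication error (18)" should read "an Authentication error (18)". Since this patch makes code 18 the one code with special handling, consider naming it (AuthenticationFailed) the first time it appears so readers do not have to look the number up.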
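Review bot: In `source/auth/auth.md` hunk `@@ -1725,18`, the rewritten `except ServerError as e:` branch swallows every non-18 error: when `e.code != 18` nothing is raised and execution falls through to `sasl_start(connection, payload={"jwt": access_token})` with the same cached token, so the error is silently retried once, whereas the bullets in the previous hunk say "Raise any other errors to the user". Suggest adding `else: raise` (or `if e.code != 18: raise`) before the fall-through. Also, the previous hunk introduces "Wait until it has been at least 100ms since the last callback invocation", but this pseudocode deletes `sleep(0.1)` and adds nothing in its place, so the prose and the pseudocode now disagree on pacing.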
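Review bot: In `source/auth/auth.md` hunk `@@ -1747,14`, two typos in the added lines: "invalidate the access token token from the *Client Cache*" (doubled "token") and "If the the server returns an Authentication error (18)". More substantively, the refresh-token bullet previously covered a failure of the [OIDC Human Callback](#oidc-human-callback) itself ("If the OIDC Human Callback or the server return an error") and now covers only server error 18; the text should say whether a callback error when invoked with the cached refresh token is raised to the user or clears the refresh token and falls through to the two-step conversation, since that case is otherwise unspecified.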
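Review bot: In `source/auth/auth.md` hunk `@@ -2053,6`, the new entry "2024-04-22: Updated OIDC authentication flow and prose tests" shares its date with the existing 2024-04-22 entry and does not say what changed. Readers scanning the changelog for behaviour changes will miss that only server error 18 now invalidates cached tokens, that other server errors are raised to the user, that a 100ms minimum spacing between callback invocations was added, and that the `expiresIn` 0-means-infinite rule was dropped. Suggest listing those in the entry.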
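Review bot: In `source/auth/tests/legacy/connection-string.json` hunk `@@ -609,4`, the only change is stripping the file's final newline (`\ No newline at end of file`), and the same happens at the end of `source/auth/tests/unified/mongodb-oidc-no-retry.yml`. That is churn rather than content and will reappear as a diff in the next unrelated edit; suggest keeping the trailing newline in both files (or regenerating the JSON with the generator that emits one).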
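Review bot: In `source/auth/tests/legacy/connection-string.yml` hunk `@@ -374,7`, the description is corrected from "aws" to "test", but the URI below it, `mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&ENVIRONMENT:test`, never sets `authMechanismProperties=` (compare the preceding test's `&authMechanismProperties=ENVIRONMENT:test`), so `ENVIRONMENT:test` is a bare malformed option and a driver may reject the URI for that reason rather than for the username, making the test pass for the wrong reason. Suggest `&authMechanismProperties=ENVIRONMENT:test`. Also, this rename appears only in the `.yml` while the "test integration" to "test environment" rename in hunk `@@ -482,7` appears only in the `.json`; please confirm the JSON is regenerated from the YAML so both files carry both changes.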
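Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -10,17`, typo in the added unified-test text: "e,g." should be "e.g.". Also, the machine prose tests are now gated on `OIDC_TOKEN_DIR`, whereas the spec's "test" environment (auth.md hunk `@@ -1265,9`) reads the token from `OIDC_TOKEN_FILE`; if both variables are exported by the `auth_oidc` scripts, say so here, otherwise a driver that reads only one of them will skip or fail these tests.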
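Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -92,8`, test 3.3 ("Unexpected error code does not clear the cache") is placed in the Machine Authentication Flow section but its steps say "Create a `MongoClient` with a human callback"; the other machine tests use a machine (OIDC) callback, so either the wording or the section is wrong. The new heading `\*\*4.1 Reauthentication Succeeds` also uses escaped asterisks and has no closing `**`, so it renders as literal `**` text; the file's convention is `**4.3 Succeeds after refresh fails**`. Suggest `**4.1 Reauthentication Succeeds**`.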
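Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -116,6`, test 4.3 ("Write Commands Fail If Reauthentication Fails") configures the fail point for `insert` commands but then says "Perform a `find` operation that fails"; a `find` would not hit the fail point and the "callback was called 2 times" assertion would not hold, so the operation should be an `insert`. The headings `\*\*4.2 ...` and `\*\*4.3 ...` have the same escaped-asterisk, missing-close problem as 4.1. Also, these two tests replace the unified tests "Read commands should fail if reauthentication fails" and "Write commands should fail if reauthentication fails" removed later in this patch but drop the `expectEvents` checks (commandStarted/Succeeded/Failed) those had; consider carrying the command-failed assertion over so coverage does not shrink.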
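Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -200,6`, test 1.7 uses `mongodb+srv://example.com/...` and asserts that client creation raises a configuration error for `ALLOWED_HOSTS` in the connection string; a driver that resolves SRV records eagerly could fail on DNS for `example.com` first, producing a different error and a false pass. Suggest stating that the error must be the `ALLOWED_HOSTS` configuration error specifically, or using a plain `mongodb://` URI if SRV is not the point of the test.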
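Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -209,13`, the fail point in new test 2.3 has `errorCode: 391` without the `// ReauthenticationRequired` comment that every other `391` fail point in this file carries; add it for consistency.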
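Review bot: In `source/auth/tests/mongodb-oidc.md` hunk `@@ -362,12`, "Create an OIDC configured client that returns invalid refresh tokens and returns invalid access tokens after the first access" reads as if the client returns tokens, and "after the first access" is ambiguous. It is the human callback that returns them; suggest "whose human callback returns an invalid refresh token on every call and an invalid access token on every call after the first", mirroring the phrasing of 4.2/4.3 in the machine section. The pre-existing "reauthenication" typo in the context line could be fixed while here.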
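Review bot: In `source/auth/tests/unified/mongodb-oidc-no-retry.yml` hunks `@@ -173,11` and `@@ -211,11`, `errorCode: 18` loses the explanatory comment the previous `errorCode: 20 # IllegalOperation` had; since this patch makes code 18 the one code with special handling, add `# AuthenticationFailed` (the server's name for code 18) in both places so readers do not need to look it up.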