From 0b518ec5d6499d5126edfb23a29935341d022f07 Mon Sep 17 00:00:00 2001 From: Isabel Atkinson Date: Tue, 25 Feb 2025 15:57:19 -0700 Subject: [PATCH 1/2] RUST-1954 Disallow commas in authMechanismProperties values --- src/client/auth.rs | 4 + src/client/options.rs | 66 +-- src/client/options/test.rs | 3 - src/test/spec/auth.rs | 6 +- src/test/spec/json/auth/README.md | 47 ++ src/test/spec/json/auth/README.rst | 53 -- .../auth/{ => legacy}/connection-string.json | 2 +- .../auth/{ => legacy}/connection-string.yml | 2 +- src/test/spec/json/auth/mongodb-aws.md | 169 ++++++ src/test/spec/json/auth/mongodb-aws.rst | 94 --- src/test/spec/json/auth/mongodb-oidc.md | 557 ++++++++++++++++++ .../auth/unified/mongodb-oidc-no-retry.json | 422 +++++++++++++ .../auth/unified/mongodb-oidc-no-retry.yml | 229 +++++++ .../json/connection-string/valid-options.json | 5 +- .../json/connection-string/valid-options.yml | 7 +- .../connection-string/valid-warnings.json | 8 +- .../json/connection-string/valid-warnings.yml | 5 +- 17 files changed, 1468 insertions(+), 211 deletions(-) create mode 100644 src/test/spec/json/auth/README.md delete mode 100644 src/test/spec/json/auth/README.rst rename src/test/spec/json/auth/{ => legacy}/connection-string.json (99%) rename src/test/spec/json/auth/{ => legacy}/connection-string.yml (99%) create mode 100644 src/test/spec/json/auth/mongodb-aws.md delete mode 100644 src/test/spec/json/auth/mongodb-aws.rst create mode 100644 src/test/spec/json/auth/mongodb-oidc.md create mode 100644 src/test/spec/json/auth/unified/mongodb-oidc-no-retry.json create mode 100644 src/test/spec/json/auth/unified/mongodb-oidc-no-retry.yml diff --git a/src/client/auth.rs b/src/client/auth.rs index 31f203a34..6acff3926 100644 --- a/src/client/auth.rs +++ b/src/client/auth.rs @@ -401,6 +401,10 @@ pub struct Credential { pub mechanism: Option, /// Additional properties for the given mechanism. + /// + /// If any value in the properties contains a comma, this field must be set directly on + /// [`ClientOptions`](crate::options::ClientOptions) and cannot be parsed from a connection + /// string. pub mechanism_properties: Option, /// The token callback for OIDC authentication. diff --git a/src/client/options.rs b/src/client/options.rs index d4526a62c..bac3a0c67 100644 --- a/src/client/options.rs +++ b/src/client/options.rs @@ -1345,17 +1345,6 @@ fn split_once_right<'a>(s: &'a str, delimiter: &str) -> (Option<&'a str>, &'a st } } -/// Splits a string into a section before a given index and a section exclusively after the index. -/// Empty portions are returned as `None`. -fn exclusive_split_at(s: &str, i: usize) -> (Option<&str>, Option<&str>) { - let (l, r) = s.split_at(i); - - let lout = if !l.is_empty() { Some(l) } else { None }; - let rout = if r.len() > 1 { Some(&r[1..]) } else { None }; - - (lout, rout) -} - fn percent_decode(s: &str, err_message: &str) -> Result { match percent_encoding::percent_decode_str(s).decode_utf8() { Ok(result) => Ok(result.to_string()), @@ -1817,47 +1806,26 @@ impl ConnectionString { } "authsource" => parts.auth_source = Some(value.to_string()), "authmechanismproperties" => { - let mut doc = Document::new(); - let err_func = || { - ErrorKind::InvalidArgument { - message: "improperly formatted authMechanismProperties".to_string(), - } - .into() - }; + let mut properties = Document::new(); - for kvp in value.split(',') { - match kvp.find(':') { - Some(index) => { - let (k, v) = exclusive_split_at(kvp, index); - let key = k.ok_or_else(err_func)?; - match key { - "ALLOWED_HOSTS" => { - return Err(Error::invalid_argument( - "ALLOWED_HOSTS must only be specified through client \ - options", - )); - } - "OIDC_CALLBACK" => { - return Err(Error::invalid_argument( - "OIDC_CALLBACK must only be specified through client \ - options", - )); - } - "OIDC_HUMAN_CALLBACK" => { - return Err(Error::invalid_argument( - "OIDC_HUMAN_CALLBACK must only be specified through \ - client options", - )); - } - _ => {} - } - let value = v.ok_or_else(err_func)?; - doc.insert(key, value); - } - None => return Err(err_func()), + for property in value.split(",") { + let Some((k, v)) = property.split_once(":") else { + return Err(Error::invalid_argument(format!( + "each entry in authMechanismProperties must be a colon-separated \ + key-value pair, got {}", + property + ))); }; + if k == "ALLOWED_HOSTS" || k == "OIDC_CALLBACK" || k == "OIDC_HUMAN_CALLBACK" { + return Err(Error::invalid_argument(format!( + "{} must only be specified through client options", + k + ))); + } + properties.insert(k, v); } - parts.auth_mechanism_properties = Some(doc); + + parts.auth_mechanism_properties = Some(properties); } #[cfg(any( feature = "zstd-compression", diff --git a/src/client/options/test.rs b/src/client/options/test.rs index 833f71c40..3df1a9613 100644 --- a/src/client/options/test.rs +++ b/src/client/options/test.rs @@ -22,9 +22,6 @@ static SKIPPED_TESTS: Lazy> = Lazy::new(|| { "maxPoolSize=0 does not error", #[cfg(not(feature = "cert-key-password"))] "Valid tlsCertificateKeyFilePassword is parsed correctly", - // TODO RUST-1954: unskip these tests - "Colon in a key value pair", - "Comma in a key value pair causes a warning", ]; // TODO RUST-1896: unskip this test when openssl-tls is enabled diff --git a/src/test/spec/auth.rs b/src/test/spec/auth.rs index 35a0f8dff..a6a94ec71 100644 --- a/src/test/spec/auth.rs +++ b/src/test/spec/auth.rs @@ -106,6 +106,8 @@ async fn run_auth_test(test_file: TestFile) { } #[tokio::test] -async fn run() { - run_spec_test(&["auth"], run_auth_test).await; +async fn run_legacy() { + run_spec_test(&["auth", "legacy"], run_auth_test).await; } + +// TODO RUST-1665: run unified tests diff --git a/src/test/spec/json/auth/README.md b/src/test/spec/json/auth/README.md new file mode 100644 index 000000000..c4b3eec74 --- /dev/null +++ b/src/test/spec/json/auth/README.md @@ -0,0 +1,47 @@ +# Auth Tests + +## Introduction + +This document describes the format of the driver spec tests included in the JSON and YAML files included in the `legacy` +sub-directory. Tests in the `unified` directory are written using the +[Unified Test Format](../../unified-test-format/unified-test-format.md). + +The YAML and JSON files in the `legacy` directory tree are platform-independent tests that drivers can use to prove +their conformance to the Auth Spec at least with respect to connection string URI input. + +Drivers should do additional unit testing if there are alternate ways of configuring credentials on a client. + +Driver must also conduct the prose tests in the Auth Spec test plan section. + +## Format + +Each YAML file contains an object with a single `tests` key. This key is an array of test case objects, each of which +have the following keys: + +- `description`: A string describing the test. +- `uri`: A string containing the URI to be parsed. +- `valid:` A boolean indicating if the URI should be considered valid. +- `credential`: If null, the credential must not be considered configured for the the purpose of deciding if the driver + should authenticate to the topology. If non-null, it is an object containing one or more of the following properties + of a credential: + - `username`: A string containing the username. For auth mechanisms that do not utilize a password, this may be the + entire `userinfo` token from the connection string. + - `password`: A string containing the password. + - `source`: A string containing the authentication database. + - `mechanism`: A string containing the authentication mechanism. A null value for this key is used to indicate that a + mechanism wasn't specified and that mechanism negotiation is required. Test harnesses should modify the mechanism + test as needed to assert this condition. + - `mechanism_properties`: A document containing mechanism-specific properties. It specifies a subset of properties + that must match. If a key exists in the test data, it must exist with the corresponding value in the credential. + Other values may exist in the credential without failing the test. + +If any key is missing, no assertion about that key is necessary. Except as specified explicitly above, if a key is +present, but the test value is null, the observed value for that key must be uninitialized (whatever that means for a +given driver and data type). + +## Implementation notes + +Testing whether a URI is valid or not should simply be a matter of checking whether URI parsing (or MongoClient +construction) raises an error or exception. + +If a credential is configured, its properties must be compared to the `credential` field. diff --git a/src/test/spec/json/auth/README.rst b/src/test/spec/json/auth/README.rst deleted file mode 100644 index 3bf86f4fb..000000000 --- a/src/test/spec/json/auth/README.rst +++ /dev/null @@ -1,53 +0,0 @@ -========== -Auth Tests -========== - -The YAML and JSON files in this directory tree are platform-independent tests -that drivers can use to prove their conformance to the Auth Spec at least with -respect to connection string URI input. - -Drivers should do additional unit testing if there are alternate ways of -configuring credentials on a client. - -Driver must also conduct the prose tests in the Auth Spec test plan section. - -Format ------- - -Each YAML file contains an object with a single ``tests`` key. This key is an -array of test case objects, each of which have the following keys: - -- ``description``: A string describing the test. -- ``uri``: A string containing the URI to be parsed. -- ``valid:`` A boolean indicating if the URI should be considered valid. -- ``credential``: If null, the credential must not be considered configured for the - the purpose of deciding if the driver should authenticate to the topology. If non-null, - it is an object containing one or more of the following properties of a credential: - - - ``username``: A string containing the username. For auth mechanisms - that do not utilize a password, this may be the entire ``userinfo`` token - from the connection string. - - ``password``: A string containing the password. - - ``source``: A string containing the authentication database. - - ``mechanism``: A string containing the authentication mechanism. A null value for - this key is used to indicate that a mechanism wasn't specified and that mechanism - negotiation is required. Test harnesses should modify the mechanism test as needed - to assert this condition. - - ``mechanism_properties``: A document containing mechanism-specific properties. It - specifies a subset of properties that must match. If a key exists in the test data, - it must exist with the corresponding value in the credential. Other values may - exist in the credential without failing the test. - -If any key is missing, no assertion about that key is necessary. Except as -specified explicitly above, if a key is present, but the test value is null, -the observed value for that key must be uninitialized (whatever that means for -a given driver and data type). - -Implementation notes -==================== - -Testing whether a URI is valid or not should simply be a matter of checking -whether URI parsing (or MongoClient construction) raises an error or exception. - -If a credential is configured, its properties must be compared to the -``credential`` field. diff --git a/src/test/spec/json/auth/connection-string.json b/src/test/spec/json/auth/legacy/connection-string.json similarity index 99% rename from src/test/spec/json/auth/connection-string.json rename to src/test/spec/json/auth/legacy/connection-string.json index 29920de65..3a099c813 100644 --- a/src/test/spec/json/auth/connection-string.json +++ b/src/test/spec/json/auth/legacy/connection-string.json @@ -648,4 +648,4 @@ "credential": null } ] -} \ No newline at end of file +} diff --git a/src/test/spec/json/auth/connection-string.yml b/src/test/spec/json/auth/legacy/connection-string.yml similarity index 99% rename from src/test/spec/json/auth/connection-string.yml rename to src/test/spec/json/auth/legacy/connection-string.yml index 6b82ef422..1f5d47004 100644 --- a/src/test/spec/json/auth/connection-string.yml +++ b/src/test/spec/json/auth/legacy/connection-string.yml @@ -468,4 +468,4 @@ tests: (MONGODB-OIDC) uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s valid: false - credential: null \ No newline at end of file + credential: null diff --git a/src/test/spec/json/auth/mongodb-aws.md b/src/test/spec/json/auth/mongodb-aws.md new file mode 100644 index 000000000..6e166d285 --- /dev/null +++ b/src/test/spec/json/auth/mongodb-aws.md @@ -0,0 +1,169 @@ +# MongoDB AWS + +Drivers MUST test the following scenarios: + +1. `Regular Credentials`: Auth via an `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` pair +2. `EC2 Credentials`: Auth from an EC2 instance via temporary credentials assigned to the machine +3. `ECS Credentials`: Auth from an ECS instance via temporary credentials assigned to the task +4. `Assume Role`: Auth via temporary credentials obtained from an STS AssumeRole request +5. `Assume Role with Web Identity`: Auth via temporary credentials obtained from an STS AssumeRoleWithWebIdentity + request +6. `AWS Lambda`: Auth via environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`. +7. Caching of AWS credentials fetched by the driver. + +For brevity, this section gives the values ``, `` and `` in place of a valid access +key ID, secret access key and session token (also known as a security token). Note that if these values are passed into +the URI they MUST be URL encoded. Sample values are below. + +```text +AccessKeyId=AKIAI44QH8DHBEXAMPLE +SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY +Token=AQoDYXdzEJr... +``` + +## Regular credentials + +Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and +password, respectively, in the MongoDB URI. An example of a valid URI would be: + +```text +mongodb://:@localhost/?authMechanism=MONGODB-AWS +``` + +## EC2 Credentials + +Drivers MUST be able to authenticate from an EC2 instance via temporary credentials assigned to the machine. A sample +URI on an EC2 machine would be: + +```text +mongodb://localhost/?authMechanism=MONGODB-AWS +``` + +> [!NOTE] +> No username, password or session token is passed into the URI. Drivers MUST query the EC2 instance endpoint to obtain +> these credentials. + +## ECS instance + +Drivers MUST be able to authenticate from an ECS container via temporary credentials. A sample URI in an ECS container +would be: + +```text +mongodb://localhost/?authMechanism=MONGODB-AWS +``` + +> [!NOTE] +> No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain +> these credentials. + +## AssumeRole + +Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary +credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI +would be: + +```text +mongodb://:@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN: +``` + +## Assume Role with Web Identity + +Drivers MUST be able to authentiate using a valid OIDC token and associated role ARN taken from environment variables, +respectively: + +```text +AWS_WEB_IDENTITY_TOKEN_FILE +AWS_ROLE_ARN +AWS_ROLE_SESSION_NAME (optional) +``` + +A sample URI in for a web identity test would be: + +```text +mongodb://localhost/?authMechanism=MONGODB-AWS +``` + +Drivers MUST test with and without AWS_ROLE_SESSION_NAME set. + +> [!NOTE] +> No username, password or session token is passed into the URI. + +Drivers MUST check the environment variables listed above and make an +[AssumeRoleWithWebIdentity request](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) +to obtain credentials. + +## AWS Lambda + +Drivers MUST be able to authenticate via an access key ID, secret access key and optional session token taken from the +environment variables, respectively: + +```text +AWS_ACCESS_KEY_ID +AWS_SECRET_ACCESS_KEY +AWS_SESSION_TOKEN +``` + +Sample URIs both with and without optional session tokens set are shown below. Drivers MUST test both cases. + +```bash +# without a session token +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" + +URI="mongodb://localhost/?authMechanism=MONGODB-AWS" +``` + +```bash +# with a session token +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +export AWS_SESSION_TOKEN="" + +URI="mongodb://localhost/?authMechanism=MONGODB-AWS" +``` + +> [!NOTE] +> No username, password or session token is passed into the URI. Drivers MUST check the environment variables listed +> above for these values. If the session token is set Drivers MUST use it. + +## Cached Credentials + +Drivers MUST ensure that they are testing the ability to cache credentials. Drivers will need to be able to query and +override the cached credentials to verify usage. To determine whether to run the cache tests, the driver can check for +the absence of the AWS_ACCESS_KEY_ID environment variable and of credentials in the URI. + +1. Clear the cache. +2. Create a new client. +3. Ensure that a `find` operation adds credentials to the cache. +4. Override the cached credentials with an "Expiration" that is within one minute of the current UTC time. +5. Create a new client. +6. Ensure that a `find` operation updates the credentials in the cache. +7. Poison the cache with an invalid access key id. +8. Create a new client. +9. Ensure that a `find` operation results in an error. +10. Ensure that the cache has been cleared. +11. Ensure that a subsequent `find` operation succeeds. +12. Ensure that the cache has been set. + +If the drivers's language supports dynamically setting environment variables, add the following tests. Note that if +integration tests are run in parallel for the driver, then these tests must be run as unit tests interacting with the +auth provider directly instead of using a client. + +1. Clear the cache. +2. Create a new client. +3. Ensure that a `find` operation adds credentials to the cache. +4. Set the AWS environment variables based on the cached credentials. +5. Clear the cache. +6. Create a new client. +7. Ensure that a `find` operation succeeds and does not add credentials to the cache. +8. Set the AWS environment variables to invalid values. +9. Create a new client. +10. Ensure that a `find` operation results in an error. +11. Clear the AWS environment variables. +12. Clear the cache. +13. Create a new client. +14. Ensure that a `find` operation adds credentials to the cache. +15. Set the AWS environment variables to invalid values. +16. Create a new client. +17. Ensure that a `find` operation succeeds. +18. Clear the AWS environment variables. diff --git a/src/test/spec/json/auth/mongodb-aws.rst b/src/test/spec/json/auth/mongodb-aws.rst deleted file mode 100644 index 1a256b560..000000000 --- a/src/test/spec/json/auth/mongodb-aws.rst +++ /dev/null @@ -1,94 +0,0 @@ -=========== -MongoDB AWS -=========== - -There are 5 scenarios drivers MUST test: - -#. ``Regular Credentials``: Auth via an ``ACCESS_KEY_ID`` and ``SECRET_ACCESS_KEY`` pair -#. ``EC2 Credentials``: Auth from an EC2 instance via temporary credentials assigned to the machine -#. ``ECS Credentials``: Auth from an ECS instance via temporary credentials assigned to the task -#. ``Assume Role``: Auth via temporary credentials obtained from an STS AssumeRole request -#. ``AWS Lambda``: Auth via environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and ``AWS_SESSION_TOKEN``. - -For brevity, this section gives the values ````, ```` and ```` in place of a valid access key ID, secret access key and session token (also known as a security token). Note that if these values are passed into the URI they MUST be URL encoded. Sample values are below. - -.. code-block:: - - AccessKeyId=AKIAI44QH8DHBEXAMPLE - SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - Token=AQoDYXdzEJr... -| -.. sectnum:: - -Regular credentials -====================== - -Drivers MUST be able to authenticate by providing a valid access key id and secret access key pair as the username and password, respectively, in the MongoDB URI. An example of a valid URI would be: - -.. code-block:: - - mongodb://:@localhost/?authMechanism=MONGODB-AWS -| -EC2 Credentials -=============== - -Drivers MUST be able to authenticate from an EC2 instance via temporary credentials assigned to the machine. A sample URI on an EC2 machine would be: - -.. code-block:: - - mongodb://localhost/?authMechanism=MONGODB-AWS -| -.. note:: No username, password or session token is passed into the URI. Drivers MUST query the EC2 instance endpoint to obtain these credentials. - -ECS instance -============ - -Drivers MUST be able to authenticate from an ECS container via temporary credentials. A sample URI in an ECS container would be: - -.. code-block:: - - mongodb://localhost/?authMechanism=MONGODB-AWS -| -.. note:: No username, password or session token is passed into the URI. Drivers MUST query the ECS container endpoint to obtain these credentials. - -AssumeRole -========== - -Drivers MUST be able to authenticate using temporary credentials returned from an assume role request. These temporary credentials consist of an access key ID, a secret access key, and a security token passed into the URI. A sample URI would be: - -.. code-block:: - - mongodb://:@localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN: -| -AWS Lambda -========== - -Drivers MUST be able to authenticate via an access key ID, secret access key and optional session token taken from the environment variables, respectively: - -.. code-block:: - - AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY - AWS_SESSION_TOKEN -| - -Sample URIs both with and without optional session tokens set are shown below. Drivers MUST test both cases. - -.. code-block:: bash - - # without a session token - export AWS_ACCESS_KEY_ID="" - export AWS_SECRET_ACCESS_KEY="" - - URI="mongodb://localhost/?authMechanism=MONGODB-AWS" -| -.. code-block:: bash - - # with a session token - export AWS_ACCESS_KEY_ID="" - export AWS_SECRET_ACCESS_KEY="" - export AWS_SESSION_TOKEN="" - - URI="mongodb://localhost/?authMechanism=MONGODB-AWS" -| -.. note:: No username, password or session token is passed into the URI. Drivers MUST check the environment variables listed above for these values. If the session token is set Drivers MUST use it. diff --git a/src/test/spec/json/auth/mongodb-oidc.md b/src/test/spec/json/auth/mongodb-oidc.md new file mode 100644 index 000000000..e95f45e68 --- /dev/null +++ b/src/test/spec/json/auth/mongodb-oidc.md @@ -0,0 +1,557 @@ +# MongoDB OIDC + +## Local Testing + +See the detailed instructions in +[drivers-evergreen-tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md) +for how to set up your environment for OIDC testing. + +______________________________________________________________________ + +## Unified Spec Tests + +Drivers MUST run the unified spec tests in all supported OIDC environments. Drivers MUST set the placeholder +authMechanism properties (`ENVIRONMENT` and `TOKEN_RESOURCE`, if applicable). These will typically be read from +environment variables set by the test runner, e,g. `AZUREOIDC_RESOURCE`. + +______________________________________________________________________ + +## Machine Authentication Flow Prose Tests + +Drivers MUST run the machine prose tests when `OIDC_TOKEN_DIR` is set. Drivers can either set the `ENVIRONMENT:test` +auth mechanism property, or use a custom callback that also reads the file. + +Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters. + +Drivers MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be +configured with `retryReads=false`. + +> [!NOTE] +> For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point +> callback to prevent interaction between test cases. + +After setting up your OIDC +[environment](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md), +source the `secrets-export.sh` file and use the associated env variables in your tests. + +### Callback Authentication + +**1.1 Callback is called during authentication** + +- Create an OIDC configured client. +- Perform a `find` operation that succeeds. +- Assert that the callback was called 1 time. +- Close the client. + +**1.2 Callback is called once for multiple connections** + +- Create an OIDC configured client. +- Start 10 threads and run 100 `find` operations in each thread that all succeed. +- Assert that the callback was called 1 time. +- Close the client. + +### (2) OIDC Callback Validation + +**2.1 Valid Callback Inputs** + +- Create an OIDC configured client with an OIDC callback that validates its inputs and returns a valid access token. +- Perform a `find` operation that succeeds. +- Assert that the OIDC callback was called with the appropriate inputs, including the timeout parameter if possible. +- Close the client. + +**2.2 OIDC Callback Returns Null** + +- Create an OIDC configured client with an OIDC callback that returns `null`. +- Perform a `find` operation that fails. +- Close the client. + +**2.3 OIDC Callback Returns Missing Data** + +- Create an OIDC configured client with an OIDC callback that returns data not conforming to the `OIDCCredential` with + missing fields. +- Perform a `find` operation that fails. +- Close the client. + +**2.4 Invalid Client Configuration with Callback** + +- Create an OIDC configured client with an OIDC callback and auth mechanism property `ENVIRONMENT:test`. +- Assert it returns a client configuration error upon client creation, or client connect if your driver validates on + connection. + +**2.5 Invalid use of ALLOWED_HOSTS** + +- Create an OIDC configured client with auth mechanism properties `{"ENVIRONMENT": "azure", "ALLOWED_HOSTS": []}`. +- Assert it returns a client configuration error upon client creation, or client connect if your driver validates on + connection. + +### (3) Authentication Failure + +**3.1 Authentication failure with cached tokens fetch a new token and retry auth** + +- Create an OIDC configured client. +- Poison the *Client Cache* with an invalid access token. +- Perform a `find` operation that succeeds. +- Assert that the callback was called 1 time. +- Close the client. + +**3.2 Authentication failures without cached tokens return an error** + +- Create an OIDC configured client with an OIDC callback that always returns invalid access tokens. +- Perform a `find` operation that fails. +- Assert that the callback was called 1 time. +- Close the client. + +**3.3 Unexpected error code does not clear the cache** + +- Create a `MongoClient` with an OIDC callback that returns a valid token. +- Set a fail point for `saslStart` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "saslStart" + ], + errorCode: 20 // IllegalOperation + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the callback has been called once. +- Perform a `find` operation that succeeds. +- Assert that the callback has been called once. +- Close the client. + +### (4) Reauthentication + +#### 4.1 Reauthentication Succeeds + +- Create an OIDC configured client. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that succeeds. +- Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication). +- Close the client. + +#### 4.2 Read Commands Fail If Reauthentication Fails + +- Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. +- Perform a `find` operation that succeeds. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the callback was called 2 times. +- Close the client. + +#### 4.3 Write Commands Fail If Reauthentication Fails + +- Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. +- Perform an `insert` operation that succeeds. +- Set a fail point for `insert` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "insert" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that fails. +- Assert that the callback was called 2 times. +- Close the client. + +#### 4.4 Speculative Authentication should be ignored on Reauthentication + +- Create an OIDC configured client. +- Populate the *Client Cache* with a valid access token to enforce Speculative Authentication. +- Perform an `insert` operation that succeeds. +- Assert that the callback was not called. +- Assert there were no `SaslStart` commands executed. +- Set a fail point for `insert` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "insert" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform an `insert` operation that succeeds. +- Assert that the callback was called once. +- Assert there were `SaslStart` commands executed. +- Close the client. + +## (5) Azure Tests + +Drivers MUST only run the Azure tests when testing on an Azure VM. See instructions in +[Drivers Evergreen Tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/azure/README.md) +for test setup. + +# 5.1 Azure With No Username + +- Create an OIDC configured client with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and no username. +- Perform a `find` operation that succeeds. +- Close the client. + +# 5.2 Azure with Bad Username + +- Create an OIDC configured client with `ENVIRONMENT:azure` and a valid `TOKEN_RESOURCE` and a username of `"bad"`. +- Perform a `find` operation that fails. +- Close the client. + +______________________________________________________________________ + +## Human Authentication Flow Prose Tests + +Drivers that support the [Human Authentication Flow](../auth.md#human-authentication-flow) MUST implement all prose +tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be configured with `retryReads=false`. + +The human workflow tests MUST only be run when `OIDC_TOKEN_DIR` is set. + +> [!NOTE] +> For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point +> after the test to prevent interaction between test cases. + +Drivers MUST be able to authenticate against a server configured with either one or two configured identity providers. + +Unless otherwise specified, use `MONGODB_URI_SINGLE` and the `test_user1` token in the `OIDC_TOKEN_DIR` as the +"access_token", and a dummy "refresh_token" for all tests. + +When using an explicit username for the client, we use the token name and the domain name given by `OIDC_DOMAIN`, e.g. +`test_user1@${OIDC_DOMAIN}`. + +### (1) OIDC Human Callback Authentication + +Drivers MUST be able to authenticate using OIDC callback(s) when there is one principal configured. + +**1.1 Single Principal Implicit Username** + +- Create an OIDC configured client. +- Perform a `find` operation that succeeds. +- Close the client. + +**1.2 Single Principal Explicit Username** + +- Create an OIDC configured client with `MONGODB_URI_SINGLE` and a username of `test_user1@${OIDC_DOMAIN}`. +- Perform a `find` operation that succeeds. +- Close the client. + +**1.3 Multiple Principal User 1** + +- Create an OIDC configured client with `MONGODB_URI_MULTI` and username of `test_user1@${OIDC_DOMAIN}`. +- Perform a `find` operation that succeeds. +- Close the client. + +**1.4 Multiple Principal User 2** + +- Create an OIDC configured client with `MONGODB_URI_MULTI` and username of `test_user2@${OIDC_DOMAIN}`. that reads the + `test_user2` token file. +- Perform a `find` operation that succeeds. +- Close the client. + +**1.5 Multiple Principal No User** + +- Create an OIDC configured client with `MONGODB_URI_MULTI` and no username. +- Assert that a `find` operation fails. +- Close the client. + +**1.6 Allowed Hosts Blocked** + +- Create an OIDC configured client with an `ALLOWED_HOSTS` that is an empty list. +- Assert that a `find` operation fails with a client-side error. +- Close the client. +- Create a client that uses the URL `mongodb://localhost/?authMechanism=MONGODB-OIDC&ignored=example.com`, a human + callback, and an `ALLOWED_HOSTS` that contains `["example.com"]`. +- Assert that a `find` operation fails with a client-side error. +- Close the client. + +**1.7 Allowed Hosts in Connection String Ignored** + +- Create an OIDC configured client with the connection string: + `mongodb+srv://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=ALLOWED_HOSTS:%5B%22example.com%22%5D` + and a Human Callback. +- Assert that the creation of the client raises a configuration error. + +**1.8 Machine IdP with Human Callback** + +This test MUST only be run when `OIDC_IS_LOCAL` is set. This indicates that the server is local and not using Atlas. In +this case, `MONGODB_URI_SINGLE` will be configured with a human user `test_user1`, and a machine user `test_machine`. +This test uses the machine user with a human callback, ensuring that the missing `clientId` in the +`PrincipalStepRequest` response is handled by the driver. + +- Create an OIDC configured client with `MONGODB_URI_SINGLE` and a username of `test_machine` that uses the + `test_machine` token. +- Perform a find operation that succeeds. +- Close the client. + +### (2) OIDC Human Callback Validation + +**2.1 Valid Callback Inputs** + +- Create an OIDC configured client with a human callback that validates its inputs and returns a valid access token. +- Perform a `find` operation that succeeds. Verify that the human callback was called with the appropriate inputs, + including the timeout parameter if possible. +- Close the client. + +**2.2 Human Callback Returns Missing Data** + +- Create an OIDC configured client with a human callback that returns data not conforming to the `OIDCCredential` with + missing fields. +- Perform a `find` operation that fails. +- Close the client. + +**2.3 Refresh Token Is Passed To The Callback** + +- Create a `MongoClient` with a human callback that checks for the presence of a refresh token. +- Perform a find operation that succeeds. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 + } +} +``` + +- Perform a `find` operation that succeeds. +- Assert that the callback has been called twice. +- Assert that the refresh token was provided to the callback once. + +### (3) Speculative Authentication + +**3.1 Uses speculative authentication if there is a cached token** + +- Create an OIDC configured client with a human callback that returns a valid token. +- Set a fail point for `find` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + closeConnection: true + } +} +``` + +- Perform a `find` operation that fails. +- Set a fail point for `saslStart` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "saslStart" + ], + errorCode: 18 + } +} +``` + +- Perform a `find` operation that succeeds. +- Close the client. + +**3.2 Does not use speculative authentication if there is no cached token** + +- Create an OIDC configured client with a human callback that returns a valid token. +- Set a fail point for `saslStart` commands of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "saslStart" + ], + errorCode: 18 + } +} +``` + +- Perform a `find` operation that fails. +- Close the client. + +### (4) Reauthentication + +**4.1 Succeeds** + +- Create an OIDC configured client and add an event listener. The following assumes that the driver does not emit + `saslStart` or `saslContinue` events. If the driver does emit those events, ignore/filter them for the purposes of + this test. +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called once. +- Clear the listener state if possible. +- Force a reauthenication using a fail point of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform another find operation that succeeds. +- Assert that the human callback has been called twice. +- Assert that the ordering of list started events is \[`find`\], , `find`. Note that if the listener stat could not be + cleared then there will and be extra `find` command. +- Assert that the list of command succeeded events is \[`find`\]. +- Assert that a `find` operation failed once during the command execution. +- Close the client. + +**4.2 Succeeds no refresh** + +- Create an OIDC configured client with a human callback that does not return a refresh token. +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called once. +- Force a reauthenication using a fail point of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find" + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called twice. +- Close the client. + +**4.3 Succeeds after refresh fails** + +- Create an OIDC configured client with a callback that returns the `test_user1` access token and a bad refresh token. +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called once. +- Force a reauthenication using a fail point of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find", + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a `find` operation that succeeds. +- Assert that the human callback has been called 2 times. +- Close the client. + +**4.4 Fails** + +- Create an OIDC configured client that returns invalid refresh tokens and returns invalid access tokens after the first + access. +- Perform a find operation that succeeds (to force a speculative auth). +- Assert that the human callback has been called once. +- Force a reauthenication using a failCommand of the form: + +```javascript +{ + configureFailPoint: "failCommand", + mode: { + times: 1 + }, + data: { + failCommands: [ + "find", + ], + errorCode: 391 // ReauthenticationRequired + } +} +``` + +- Perform a find operation that fails. +- Assert that the human callback has been called three times. +- Close the client. diff --git a/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.json b/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.json new file mode 100644 index 000000000..0a8658455 --- /dev/null +++ b/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.json @@ -0,0 +1,422 @@ +{ + "description": "MONGODB-OIDC authentication with retry disabled", + "schemaVersion": "1.19", + "runOnRequirements": [ + { + "minServerVersion": "7.0", + "auth": true, + "authMechanism": "MONGODB-OIDC", + "serverless": "forbid" + } + ], + "createEntities": [ + { + "client": { + "id": "failPointClient", + "useMultipleMongoses": false + } + }, + { + "client": { + "id": "client0", + "uriOptions": { + "authMechanism": "MONGODB-OIDC", + "authMechanismProperties": { + "$$placeholder": 1 + }, + "retryReads": false, + "retryWrites": false + }, + "observeEvents": [ + "commandStartedEvent", + "commandSucceededEvent", + "commandFailedEvent" + ] + } + }, + { + "database": { + "id": "database0", + "client": "client0", + "databaseName": "test" + } + }, + { + "collection": { + "id": "collection0", + "database": "database0", + "collectionName": "collName" + } + } + ], + "initialData": [ + { + "collectionName": "collName", + "databaseName": "test", + "documents": [] + } + ], + "tests": [ + { + "description": "A read operation should succeed", + "operations": [ + { + "name": "find", + "object": "collection0", + "arguments": { + "filter": {} + }, + "expectResult": [] + } + ], + "expectEvents": [ + { + "client": "client0", + "events": [ + { + "commandStartedEvent": { + "command": { + "find": "collName", + "filter": {} + } + } + }, + { + "commandSucceededEvent": { + "commandName": "find" + } + } + ] + } + ] + }, + { + "description": "A write operation should succeed", + "operations": [ + { + "name": "insertOne", + "object": "collection0", + "arguments": { + "document": { + "_id": 1, + "x": 1 + } + } + } + ], + "expectEvents": [ + { + "client": "client0", + "events": [ + { + "commandStartedEvent": { + "command": { + "insert": "collName", + "documents": [ + { + "_id": 1, + "x": 1 + } + ] + } + } + }, + { + "commandSucceededEvent": { + "commandName": "insert" + } + } + ] + } + ] + }, + { + "description": "Read commands should reauthenticate and retry when a ReauthenticationRequired error happens", + "operations": [ + { + "name": "failPoint", + "object": "testRunner", + "arguments": { + "client": "failPointClient", + "failPoint": { + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "failCommands": [ + "find" + ], + "errorCode": 391 + } + } + } + }, + { + "name": "find", + "object": "collection0", + "arguments": { + "filter": {} + }, + "expectResult": [] + } + ], + "expectEvents": [ + { + "client": "client0", + "events": [ + { + "commandStartedEvent": { + "command": { + "find": "collName", + "filter": {} + } + } + }, + { + "commandFailedEvent": { + "commandName": "find" + } + }, + { + "commandStartedEvent": { + "command": { + "find": "collName", + "filter": {} + } + } + }, + { + "commandSucceededEvent": { + "commandName": "find" + } + } + ] + } + ] + }, + { + "description": "Write commands should reauthenticate and retry when a ReauthenticationRequired error happens", + "operations": [ + { + "name": "failPoint", + "object": "testRunner", + "arguments": { + "client": "failPointClient", + "failPoint": { + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "failCommands": [ + "insert" + ], + "errorCode": 391 + } + } + } + }, + { + "name": "insertOne", + "object": "collection0", + "arguments": { + "document": { + "_id": 1, + "x": 1 + } + } + } + ], + "expectEvents": [ + { + "client": "client0", + "events": [ + { + "commandStartedEvent": { + "command": { + "insert": "collName", + "documents": [ + { + "_id": 1, + "x": 1 + } + ] + } + } + }, + { + "commandFailedEvent": { + "commandName": "insert" + } + }, + { + "commandStartedEvent": { + "command": { + "insert": "collName", + "documents": [ + { + "_id": 1, + "x": 1 + } + ] + } + } + }, + { + "commandSucceededEvent": { + "commandName": "insert" + } + } + ] + } + ] + }, + { + "description": "Handshake with cached token should use speculative authentication", + "operations": [ + { + "name": "failPoint", + "object": "testRunner", + "arguments": { + "client": "failPointClient", + "failPoint": { + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "failCommands": [ + "insert" + ], + "closeConnection": true + } + } + } + }, + { + "name": "insertOne", + "object": "collection0", + "arguments": { + "document": { + "_id": 1, + "x": 1 + } + }, + "expectError": { + "isClientError": true + } + }, + { + "name": "failPoint", + "object": "testRunner", + "arguments": { + "client": "failPointClient", + "failPoint": { + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "failCommands": [ + "saslStart" + ], + "errorCode": 18 + } + } + } + }, + { + "name": "insertOne", + "object": "collection0", + "arguments": { + "document": { + "_id": 1, + "x": 1 + } + } + } + ], + "expectEvents": [ + { + "client": "client0", + "events": [ + { + "commandStartedEvent": { + "command": { + "insert": "collName", + "documents": [ + { + "_id": 1, + "x": 1 + } + ] + } + } + }, + { + "commandFailedEvent": { + "commandName": "insert" + } + }, + { + "commandStartedEvent": { + "command": { + "insert": "collName", + "documents": [ + { + "_id": 1, + "x": 1 + } + ] + } + } + }, + { + "commandSucceededEvent": { + "commandName": "insert" + } + } + ] + } + ] + }, + { + "description": "Handshake without cached token should not use speculative authentication", + "operations": [ + { + "name": "failPoint", + "object": "testRunner", + "arguments": { + "client": "failPointClient", + "failPoint": { + "configureFailPoint": "failCommand", + "mode": { + "times": 1 + }, + "data": { + "failCommands": [ + "saslStart" + ], + "errorCode": 18 + } + } + } + }, + { + "name": "insertOne", + "object": "collection0", + "arguments": { + "document": { + "_id": 1, + "x": 1 + } + }, + "expectError": { + "errorCode": 18 + } + } + ] + } + ] +} diff --git a/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.yml b/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.yml new file mode 100644 index 000000000..339f88174 --- /dev/null +++ b/src/test/spec/json/auth/unified/mongodb-oidc-no-retry.yml @@ -0,0 +1,229 @@ +--- +description: "MONGODB-OIDC authentication with retry disabled" +schemaVersion: "1.19" +runOnRequirements: +- minServerVersion: "7.0" + auth: true + authMechanism: "MONGODB-OIDC" + serverless: forbid +createEntities: +- client: + id: &failPointClient failPointClient + useMultipleMongoses: false +- client: + id: client0 + uriOptions: + authMechanism: "MONGODB-OIDC" + # The $$placeholder document should be replaced by auth mechanism + # properties that enable OIDC auth on the target cloud platform. For + # example, when running the test on EC2, replace the $$placeholder + # document with {"ENVIRONMENT": "test"}. + authMechanismProperties: { $$placeholder: 1 } + retryReads: false + retryWrites: false + observeEvents: + - commandStartedEvent + - commandSucceededEvent + - commandFailedEvent +- database: + id: database0 + client: client0 + databaseName: test +- collection: + id: collection0 + database: database0 + collectionName: collName +initialData: +- collectionName: collName + databaseName: test + documents: [] +tests: +- description: A read operation should succeed + operations: + - name: find + object: collection0 + arguments: + filter: {} + expectResult: [] + expectEvents: + - client: client0 + events: + - commandStartedEvent: + command: + find: collName + filter: {} + - commandSucceededEvent: + commandName: find +- description: A write operation should succeed + operations: + - name: insertOne + object: collection0 + arguments: + document: + _id: 1 + x: 1 + expectEvents: + - client: client0 + events: + - commandStartedEvent: + command: + insert: collName + documents: + - _id: 1 + x: 1 + - commandSucceededEvent: + commandName: insert +- description: Read commands should reauthenticate and retry when a ReauthenticationRequired error happens + operations: + - name: failPoint + object: testRunner + arguments: + client: failPointClient + failPoint: + configureFailPoint: failCommand + mode: + times: 1 + data: + failCommands: + - find + errorCode: 391 # ReauthenticationRequired + - name: find + object: collection0 + arguments: + filter: {} + expectResult: [] + expectEvents: + - client: client0 + events: + - commandStartedEvent: + command: + find: collName + filter: {} + - commandFailedEvent: + commandName: find + - commandStartedEvent: + command: + find: collName + filter: {} + - commandSucceededEvent: + commandName: find +- description: Write commands should reauthenticate and retry when a ReauthenticationRequired error happens + operations: + - name: failPoint + object: testRunner + arguments: + client: failPointClient + failPoint: + configureFailPoint: failCommand + mode: + times: 1 + data: + failCommands: + - insert + errorCode: 391 # ReauthenticationRequired + - name: insertOne + object: collection0 + arguments: + document: + _id: 1 + x: 1 + expectEvents: + - client: client0 + events: + - commandStartedEvent: + command: + insert: collName + documents: + - _id: 1 + x: 1 + - commandFailedEvent: + commandName: insert + - commandStartedEvent: + command: + insert: collName + documents: + - _id: 1 + x: 1 + - commandSucceededEvent: + commandName: insert +- description: Handshake with cached token should use speculative authentication + operations: + - name: failPoint + object: testRunner + arguments: + client: failPointClient + failPoint: + configureFailPoint: failCommand + mode: + times: 1 + data: + failCommands: + - insert + closeConnection: true + - name: insertOne + object: collection0 + arguments: + document: + _id: 1 + x: 1 + expectError: + isClientError: true + - name: failPoint + object: testRunner + arguments: + client: failPointClient + failPoint: + configureFailPoint: failCommand + mode: + times: 1 + data: + failCommands: + - saslStart + errorCode: 18 + - name: insertOne + object: collection0 + arguments: + document: + _id: 1 + x: 1 + expectEvents: + - client: client0 + events: + - commandStartedEvent: + command: + insert: collName + documents: + - _id: 1 + x: 1 + - commandFailedEvent: + commandName: insert + - commandStartedEvent: + command: + insert: collName + documents: + - _id: 1 + x: 1 + - commandSucceededEvent: + commandName: insert +- description: Handshake without cached token should not use speculative authentication + operations: + - name: failPoint + object: testRunner + arguments: + client: failPointClient + failPoint: + configureFailPoint: failCommand + mode: + times: 1 + data: + failCommands: + - saslStart + errorCode: 18 + - name: insertOne + object: collection0 + arguments: + document: + _id: 1 + x: 1 + expectError: + errorCode: 18 \ No newline at end of file diff --git a/src/test/spec/json/connection-string/valid-options.json b/src/test/spec/json/connection-string/valid-options.json index 6c86172d0..fce53873a 100644 --- a/src/test/spec/json/connection-string/valid-options.json +++ b/src/test/spec/json/connection-string/valid-options.json @@ -40,7 +40,7 @@ }, { "description": "Colon in a key value pair", - "uri": "mongodb://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://test-cluster", + "uri": "mongodb://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://test-cluster,ENVIRONMENT:azure", "valid": true, "warning": false, "hosts": [ @@ -53,7 +53,8 @@ "auth": null, "options": { "authmechanismProperties": { - "TOKEN_RESOURCE": "mongodb://test-cluster" + "TOKEN_RESOURCE": "mongodb://test-cluster", + "ENVIRONMENT": "azure" } } } diff --git a/src/test/spec/json/connection-string/valid-options.yml b/src/test/spec/json/connection-string/valid-options.yml index 86523c7f3..c5d61f974 100644 --- a/src/test/spec/json/connection-string/valid-options.yml +++ b/src/test/spec/json/connection-string/valid-options.yml @@ -30,15 +30,16 @@ tests: tls: true - description: Colon in a key value pair - uri: mongodb://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://test-cluster + uri: mongodb://example.com/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://test-cluster,ENVIRONMENT:azure valid: true warning: false hosts: - - + - type: hostname host: example.com port: ~ auth: ~ options: authmechanismProperties: - TOKEN_RESOURCE: 'mongodb://test-cluster' \ No newline at end of file + TOKEN_RESOURCE: 'mongodb://test-cluster' + ENVIRONMENT: azure diff --git a/src/test/spec/json/connection-string/valid-warnings.json b/src/test/spec/json/connection-string/valid-warnings.json index daf814a75..2bc48487e 100644 --- a/src/test/spec/json/connection-string/valid-warnings.json +++ b/src/test/spec/json/connection-string/valid-warnings.json @@ -96,7 +96,7 @@ }, { "description": "Comma in a key value pair causes a warning", - "uri": "mongodb://localhost?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://host1%2Chost2", + "uri": "mongodb://localhost?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://host1%2Chost2,ENVIRONMENT:azure", "valid": true, "warning": true, "hosts": [ @@ -108,7 +108,11 @@ ], "auth": null, "options": { - "authMechanism": "MONGODB-OIDC" + "authMechanism": "MONGODB-OIDC", + "authmechanismProperties": { + "TOKEN_RESOURCE": "mongodb://test-cluster", + "ENVIRONMENT": "azure" + } } } ] diff --git a/src/test/spec/json/connection-string/valid-warnings.yml b/src/test/spec/json/connection-string/valid-warnings.yml index 495f1827f..df128c9a1 100644 --- a/src/test/spec/json/connection-string/valid-warnings.yml +++ b/src/test/spec/json/connection-string/valid-warnings.yml @@ -75,7 +75,7 @@ tests: options: ~ - description: Comma in a key value pair causes a warning - uri: mongodb://localhost?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://host1%2Chost2 + uri: mongodb://localhost?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:mongodb://host1%2Chost2,ENVIRONMENT:azure valid: true warning: true hosts: @@ -86,3 +86,6 @@ tests: auth: ~ options: authMechanism: MONGODB-OIDC + authmechanismProperties: + TOKEN_RESOURCE: 'mongodb://test-cluster' + ENVIRONMENT: azure From f641a2dd791f8bf794a559063466a247ca1e603f Mon Sep 17 00:00:00 2001 From: Isabel Atkinson Date: Wed, 26 Feb 2025 09:20:47 -0700 Subject: [PATCH 2/2] resync tests --- src/test/spec/json/connection-string/valid-warnings.json | 6 +----- src/test/spec/json/connection-string/valid-warnings.yml | 3 --- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/src/test/spec/json/connection-string/valid-warnings.json b/src/test/spec/json/connection-string/valid-warnings.json index 2bc48487e..e11757eb0 100644 --- a/src/test/spec/json/connection-string/valid-warnings.json +++ b/src/test/spec/json/connection-string/valid-warnings.json @@ -108,11 +108,7 @@ ], "auth": null, "options": { - "authMechanism": "MONGODB-OIDC", - "authmechanismProperties": { - "TOKEN_RESOURCE": "mongodb://test-cluster", - "ENVIRONMENT": "azure" - } + "authMechanism": "MONGODB-OIDC" } } ] diff --git a/src/test/spec/json/connection-string/valid-warnings.yml b/src/test/spec/json/connection-string/valid-warnings.yml index df128c9a1..3495b5077 100644 --- a/src/test/spec/json/connection-string/valid-warnings.yml +++ b/src/test/spec/json/connection-string/valid-warnings.yml @@ -86,6 +86,3 @@ tests: auth: ~ options: authMechanism: MONGODB-OIDC - authmechanismProperties: - TOKEN_RESOURCE: 'mongodb://test-cluster' - ENVIRONMENT: azure