From 4b8ca02f83e99389dc9e4a3203e66ea31794b766 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Tue, 7 Nov 2023 13:43:22 -0500 Subject: [PATCH] feat(NODE-5464): OIDC machine workflow --- .evergreen/config.in.yml | 71 +- .evergreen/config.yml | 103 ++- .evergreen/generate_evergreen_tasks.js | 42 +- .evergreen/run-oidc-auth-tests.sh | 38 + .evergreen/run-oidc-tests-azure.sh | 3 +- .evergreen/run-oidc-tests.sh | 22 +- package.json | 1 + src/cmap/auth/auth_provider.ts | 31 +- src/cmap/auth/mongo_credentials.ts | 31 +- src/cmap/auth/mongodb_oidc.ts | 55 +- ...ce_workflow.ts => aws_machine_workflow.ts} | 4 +- ..._workflow.ts => azure_machine_workflow.ts} | 24 +- .../auth/mongodb_oidc/azure_token_cache.ts | 2 +- .../auth/mongodb_oidc/callback_lock_cache.ts | 114 --- .../auth/mongodb_oidc/callback_workflow.ts | 260 ++---- .../auth/mongodb_oidc/command_builders.ts | 43 + ...ervice_workflow.ts => machine_workflow.ts} | 34 +- .../auth/mongodb_oidc/token_entry_cache.ts | 77 -- src/cmap/auth/token_cache.ts | 26 + src/cmap/connect.ts | 51 +- src/cmap/connection.ts | 3 + src/cmap/connection_pool.ts | 14 +- src/index.ts | 9 +- src/mongo_client.ts | 3 + src/sdam/topology.ts | 4 + .../auth/mongodb_oidc_azure.prose.test.ts | 13 +- test/manual/mongodb_oidc.prose.test.ts | 812 +++++------------- test/mongodb.ts | 8 +- test/spec/auth/legacy/connection-string.json | 91 +- test/spec/auth/legacy/connection-string.yml | 84 +- ...h_retry.json => oidc-auth-with-retry.json} | 65 +- ...ith_retry.yml => oidc-auth-with-retry.yml} | 38 +- ...etry.json => oidc-auth-without-retry.json} | 76 +- ..._retry.yml => oidc-auth-without-retry.yml} | 46 +- test/tools/runner/config.ts | 5 + .../runner/filters/mongodb_version_filter.js | 1 + test/tools/runner/hooks/configuration.js | 7 - test/tools/unified-spec-runner/runner.ts | 7 + test/tools/unified-spec-runner/schema.ts | 1 + .../unified-spec-runner/unified-utils.ts | 18 +- test/tools/uri_spec_runner.ts | 11 +- .../mongodb_oidc/aws_service_workflow.test.ts | 4 +- .../mongodb_oidc/callback_lock_cache.test.ts | 145 ---- .../mongodb_oidc/token_entry_cache.test.ts | 144 ---- 44 files changed, 885 insertions(+), 1756 deletions(-) create mode 100755 .evergreen/run-oidc-auth-tests.sh rename src/cmap/auth/mongodb_oidc/{aws_service_workflow.ts => aws_machine_workflow.ts} (84%) rename src/cmap/auth/mongodb_oidc/{azure_service_workflow.ts => azure_machine_workflow.ts} (76%) delete mode 100644 src/cmap/auth/mongodb_oidc/callback_lock_cache.ts create mode 100644 src/cmap/auth/mongodb_oidc/command_builders.ts rename src/cmap/auth/mongodb_oidc/{service_workflow.ts => machine_workflow.ts} (56%) delete mode 100644 src/cmap/auth/mongodb_oidc/token_entry_cache.ts create mode 100644 src/cmap/auth/token_cache.ts rename test/spec/auth/unified/{reauthenticate_with_retry.json => oidc-auth-with-retry.json} (72%) rename test/spec/auth/unified/{reauthenticate_with_retry.yml => oidc-auth-with-retry.yml} (71%) rename test/spec/auth/unified/{reauthenticate_without_retry.json => oidc-auth-without-retry.json} (69%) rename test/spec/auth/unified/{reauthenticate_without_retry.yml => oidc-auth-without-retry.yml} (68%) delete mode 100644 test/unit/cmap/auth/mongodb_oidc/callback_lock_cache.test.ts delete mode 100644 test/unit/cmap/auth/mongodb_oidc/token_entry_cache.test.ts diff --git a/.evergreen/config.in.yml b/.evergreen/config.in.yml index 6ac4ff68f5d..027b8afccda 100644 --- a/.evergreen/config.in.yml +++ b/.evergreen/config.in.yml @@ -171,10 +171,29 @@ functions: ${PREPARE_SHELL} OIDC_TOKEN_DIR="/tmp/tokens" \ + PROVIDER_NAME="aws" \ AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \ + OIDC_ATLAS_URI_SINGLE="${OIDC_ATLAS_URI_SINGLE}" \ + OIDC_ATLAS_URI_MULTI="${OIDC_ATLAS_URI_MULTI}" \ PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \ bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh + "run oidc auth tests aws": + - command: shell.exec + type: test + params: + working_dir: "src" + timeout_secs: 300 + shell: bash + script: | + ${PREPARE_SHELL} + + OIDC_TOKEN_DIR="/tmp/tokens" \ + PROVIDER_NAME="aws" \ + AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \ + PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \ + bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-auth-tests.sh + "run tests": - command: shell.exec type: test @@ -1271,8 +1290,28 @@ tasks: env: DRIVERS_TOOLS: ${DRIVERS_TOOLS} PROJECT_DIRECTORY: ${PROJECT_DIRECTORY} - AZUREOIDC_CLIENTID: ${testazureoidc_clientid} PROVIDER_NAME: azure + SCRIPT: run-oidc-tests.sh + args: + - .evergreen/run-oidc-tests-azure.sh + + - name: "oidc-auth-test-azure-latest-auth" + commands: + - command: expansions.update + type: setup + params: + updates: + - { key: NPM_VERSION, value: "9" } + - func: "install dependencies" + - command: subprocess.exec + params: + working_dir: src + binary: bash + env: + DRIVERS_TOOLS: ${DRIVERS_TOOLS} + PROJECT_DIRECTORY: ${PROJECT_DIRECTORY} + PROVIDER_NAME: azure + SCRIPT: run-oidc-auth-tests.sh args: - .evergreen/run-oidc-tests-azure.sh @@ -1427,14 +1466,9 @@ task_groups: script: |- set -o errexit ${PREPARE_SHELL} - export AZUREOIDC_CLIENTID="${testazureoidc_clientid}" - export AZUREOIDC_TENANTID="${testazureoic_tenantid}" - export AZUREOIDC_SECRET="${testazureoidc_secret}" - export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault} - export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS" export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER" $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh - teardown_group: + teardown_task: - command: shell.exec params: shell: bash @@ -1446,6 +1480,29 @@ task_groups: tasks: - oidc-auth-test-azure-latest + - name: testazureoidcauth_task_group + setup_group: + - func: fetch source + - command: shell.exec + params: + shell: bash + script: |- + set -o errexit + ${PREPARE_SHELL} + export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER" + $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh + teardown_task: + - command: shell.exec + params: + shell: bash + script: |- + ${PREPARE_SHELL} + $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh + setup_group_can_fail_task: true + setup_group_timeout_secs: 1800 + tasks: + - oidc-auth-test-azure-latest-auth + - name: test_atlas_task_group setup_group: - func: fetch source diff --git a/.evergreen/config.yml b/.evergreen/config.yml index c1056a6f0b4..408a9f41b02 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -142,9 +142,27 @@ functions: ${PREPARE_SHELL} OIDC_TOKEN_DIR="/tmp/tokens" \ + PROVIDER_NAME="aws" \ AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \ + OIDC_ATLAS_URI_SINGLE="${OIDC_ATLAS_URI_SINGLE}" \ + OIDC_ATLAS_URI_MULTI="${OIDC_ATLAS_URI_MULTI}" \ PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \ bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh + run oidc auth tests aws: + - command: shell.exec + type: test + params: + working_dir: src + timeout_secs: 300 + shell: bash + script: | + ${PREPARE_SHELL} + + OIDC_TOKEN_DIR="/tmp/tokens" \ + PROVIDER_NAME="aws" \ + AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \ + PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \ + bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-auth-tests.sh run tests: - command: shell.exec type: test @@ -1222,8 +1240,27 @@ tasks: env: DRIVERS_TOOLS: ${DRIVERS_TOOLS} PROJECT_DIRECTORY: ${PROJECT_DIRECTORY} - AZUREOIDC_CLIENTID: ${testazureoidc_clientid} PROVIDER_NAME: azure + SCRIPT: run-oidc-tests.sh + args: + - .evergreen/run-oidc-tests-azure.sh + - name: oidc-auth-test-azure-latest-auth + commands: + - command: expansions.update + type: setup + params: + updates: + - {key: NPM_VERSION, value: '9'} + - func: install dependencies + - command: subprocess.exec + params: + working_dir: src + binary: bash + env: + DRIVERS_TOOLS: ${DRIVERS_TOOLS} + PROJECT_DIRECTORY: ${PROJECT_DIRECTORY} + PROVIDER_NAME: azure + SCRIPT: run-oidc-auth-tests.sh args: - .evergreen/run-oidc-tests-azure.sh - name: test-aws-lambda-deployed @@ -1837,6 +1874,25 @@ tasks: - func: bootstrap mongo-orchestration - func: setup oidc roles - func: run oidc tests aws + - name: test-auth-oidc-aws + tags: + - latest + - replica_set + - oidc + commands: + - command: expansions.update + type: setup + params: + updates: + - {key: VERSION, value: latest} + - {key: TOPOLOGY, value: replica_set} + - {key: AUTH, value: auth} + - {key: ORCHESTRATION_FILE, value: auth-oidc.json} + - func: install dependencies + - func: bootstrap oidc + - func: bootstrap mongo-orchestration + - func: setup oidc roles + - func: run oidc auth tests aws - name: test-socks5 tags: [] commands: @@ -3814,14 +3870,9 @@ task_groups: script: |- set -o errexit ${PREPARE_SHELL} - export AZUREOIDC_CLIENTID="${testazureoidc_clientid}" - export AZUREOIDC_TENANTID="${testazureoic_tenantid}" - export AZUREOIDC_SECRET="${testazureoidc_secret}" - export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault} - export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS" export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER" $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh - teardown_group: + teardown_task: - command: shell.exec params: shell: bash @@ -3832,6 +3883,28 @@ task_groups: setup_group_timeout_secs: 1800 tasks: - oidc-auth-test-azure-latest + - name: testazureoidcauth_task_group + setup_group: + - func: fetch source + - command: shell.exec + params: + shell: bash + script: |- + set -o errexit + ${PREPARE_SHELL} + export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER" + $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh + teardown_task: + - command: shell.exec + params: + shell: bash + script: |- + ${PREPARE_SHELL} + $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh + setup_group_can_fail_task: true + setup_group_timeout_secs: 1800 + tasks: + - oidc-auth-test-azure-latest-auth - name: test_atlas_task_group setup_group: - func: fetch source @@ -3947,6 +4020,7 @@ buildvariants: - test-auth-kerberos - test-auth-ldap - test-auth-oidc + - test-auth-oidc-aws - test-socks5 - test-socks5-csfle - test-socks5-tls @@ -3998,6 +4072,7 @@ buildvariants: - test-auth-kerberos - test-auth-ldap - test-auth-oidc + - test-auth-oidc-aws - test-socks5 - test-socks5-csfle - test-socks5-tls @@ -4049,6 +4124,7 @@ buildvariants: - test-auth-kerberos - test-auth-ldap - test-auth-oidc + - test-auth-oidc-aws - test-socks5 - test-socks5-csfle - test-socks5-tls @@ -4099,6 +4175,7 @@ buildvariants: - test-auth-kerberos - test-auth-ldap - test-auth-oidc + - test-auth-oidc-aws - test-socks5 - test-socks5-csfle - test-socks5-tls @@ -4386,6 +4463,18 @@ buildvariants: tasks: - test_azurekms_task_group - test-azurekms-fail-task + - name: ubuntu20-test-azure-oidc + display_name: Azure OIDC + run_on: ubuntu2004-small + batchtime: 20160 + tasks: + - testazureoidc_task_group + - name: ubuntu20-test-azure-oidc-auth + display_name: Azure OIDC Auth Tests + run_on: ubuntu2004-small + batchtime: 20160 + tasks: + - testazureoidcauth_task_group - name: rhel8-test-atlas display_name: Atlas Cluster Tests run_on: rhel80-large diff --git a/.evergreen/generate_evergreen_tasks.js b/.evergreen/generate_evergreen_tasks.js index 89d2eb7c889..de2e9b15497 100644 --- a/.evergreen/generate_evergreen_tasks.js +++ b/.evergreen/generate_evergreen_tasks.js @@ -199,6 +199,23 @@ TASKS.push( { func: 'run oidc tests aws' } ] }, + { + name: 'test-auth-oidc-aws', + tags: ['latest', 'replica_set', 'oidc'], + commands: [ + updateExpansions({ + VERSION: 'latest', + TOPOLOGY: 'replica_set', + AUTH: 'auth', + ORCHESTRATION_FILE: 'auth-oidc.json' + }), + { func: 'install dependencies' }, + { func: 'bootstrap oidc' }, + { func: 'bootstrap mongo-orchestration' }, + { func: 'setup oidc roles' }, + { func: 'run oidc auth tests aws' } + ] + }, { name: 'test-socks5', tags: [], @@ -710,16 +727,21 @@ BUILD_VARIANTS.push({ tasks: ['test_azurekms_task_group', 'test-azurekms-fail-task'] }); -// TODO(DRIVERS-2416/NODE-4929) - Azure credentials are expired, a new drivers ticket -// should be created but at the moment for our test failures we will reference the -// open DRIVERS ticket and completed NODE ticket. -// BUILD_VARIANTS.push({ -// name: 'ubuntu20-test-azure-oidc', -// display_name: 'Azure OIDC', -// run_on: UBUNTU_20_OS, -// batchtime: 20160, -// tasks: ['testazureoidc_task_group'] -// }); +BUILD_VARIANTS.push({ + name: 'ubuntu20-test-azure-oidc', + display_name: 'Azure OIDC', + run_on: UBUNTU_20_OS, + batchtime: 20160, + tasks: ['testazureoidc_task_group'] +}); + +BUILD_VARIANTS.push({ + name: 'ubuntu20-test-azure-oidc-auth', + display_name: 'Azure OIDC Auth Tests', + run_on: UBUNTU_20_OS, + batchtime: 20160, + tasks: ['testazureoidcauth_task_group'] +}); BUILD_VARIANTS.push({ name: 'rhel8-test-atlas', diff --git a/.evergreen/run-oidc-auth-tests.sh b/.evergreen/run-oidc-auth-tests.sh new file mode 100755 index 00000000000..56ca5f7c688 --- /dev/null +++ b/.evergreen/run-oidc-auth-tests.sh @@ -0,0 +1,38 @@ +#!/bin/bash +set -o errexit # Exit the script with error if any of the commands fail +set -o xtrace # Write all commands first to stderr + +PROVIDER_NAME=${PROVIDER_NAME:-"aws"} +PROJECT_DIRECTORY=${PROJECT_DIRECTORY:-"."} +source "${PROJECT_DIRECTORY}/.evergreen/init-node-and-npm-env.sh" + +MONGODB_URI=${MONGODB_URI:-"mongodb://127.0.0.1:27017"} + +export OIDC_TOKEN_DIR=${OIDC_TOKEN_DIR} + +export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"} + +if [ "$PROVIDER_NAME" = "azure" ]; then + if [ -z "${AZUREOIDC_CLIENTID}" ]; then + echo "Must specify an AZUREOIDC_CLIENTID" + exit 1 + fi + + export UTIL_CLIENT_USER=$AZUREOIDC_USERNAME + export UTIL_CLIENT_PASSWORD="pwd123" + MONGODB_URI="${MONGODB_URI}/?authMechanism=MONGODB-OIDC" + MONGODB_URI="${MONGODB_URI}&authMechanismProperties=PROVIDER_NAME:azure" + MONGODB_URI="${MONGODB_URI},TOKEN_AUDIENCE:api%3A%2F%2F${AZUREOIDC_CLIENTID}" + export MONGODB_URI="${MONGODB_URI},TOKEN_CLIENT_ID:${AZUREOIDC_TOKENCLIENT}" +else + if [ -z "${OIDC_TOKEN_DIR}" ]; then + echo "Must specify OIDC_TOKEN_DIR" + exit 1 + fi + + export UTIL_CLIENT_USER="bob" + export UTIL_CLIENT_PASSWORD="pwd123" + export MONGODB_URI="${MONGODB_URI}/test?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws" +fi + +npm run check:oidc-auth \ No newline at end of file diff --git a/.evergreen/run-oidc-tests-azure.sh b/.evergreen/run-oidc-tests-azure.sh index 6e65bff3f44..e8353620c10 100644 --- a/.evergreen/run-oidc-tests-azure.sh +++ b/.evergreen/run-oidc-tests-azure.sh @@ -4,8 +4,7 @@ set -o errexit # Exit the script with error if any of the commands fail export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/node-mongodb-native.tgz tar czf $AZUREOIDC_DRIVERS_TAR_FILE . -export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/run-oidc-tests.sh" -export AZUREOIDC_CLIENTID=$AZUREOIDC_CLIENTID +export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/${SCRIPT}" export PROJECT_DIRECTORY=$PROJECT_DIRECTORY export PROVIDER_NAME=$PROVIDER_NAME bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh \ No newline at end of file diff --git a/.evergreen/run-oidc-tests.sh b/.evergreen/run-oidc-tests.sh index 98881a0c2d2..e2c474673b1 100755 --- a/.evergreen/run-oidc-tests.sh +++ b/.evergreen/run-oidc-tests.sh @@ -12,24 +12,24 @@ export OIDC_TOKEN_DIR=${OIDC_TOKEN_DIR} export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"} -if [ "$PROVIDER_NAME" = "aws" ]; then - export MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC" - export MONGODB_URI_MULTIPLE="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true" - - if [ -z "${OIDC_TOKEN_DIR}" ]; then - echo "Must specify OIDC_TOKEN_DIR" - exit 1 - fi - npm run check:oidc -elif [ "$PROVIDER_NAME" = "azure" ]; then +if [ "$PROVIDER_NAME" = "azure" ]; then if [ -z "${AZUREOIDC_CLIENTID}" ]; then echo "Must specify an AZUREOIDC_CLIENTID" exit 1 fi - MONGODB_URI="${MONGODB_URI}/?authMechanism=MONGODB-OIDC" + MONGODB_URI="mongodb://${AZUREOIDC_USERNAME}@127.0.0.1:27017/?authMechanism=MONGODB-OIDC" MONGODB_URI="${MONGODB_URI}&authMechanismProperties=PROVIDER_NAME:azure" export MONGODB_URI="${MONGODB_URI},TOKEN_AUDIENCE:api%3A%2F%2F${AZUREOIDC_CLIENTID}" npm run check:oidc-azure else + echo $OIDC_ATLAS_URI_SINGLE + echo $OIDC_ATLAS_URI_MULTI + export MONGODB_URI_SINGLE=${OIDC_ATLAS_URI_SINGLE} + export MONGODB_URI_MULTI=${OIDC_ATLAS_URI_MULTI} + + if [ -z "${OIDC_TOKEN_DIR}" ]; then + echo "Must specify OIDC_TOKEN_DIR" + exit 1 + fi npm run check:oidc fi diff --git a/package.json b/package.json index f6f78951e77..d198a0c3367 100644 --- a/package.json +++ b/package.json @@ -148,6 +148,7 @@ "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing", "check:aws": "nyc mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts", "check:oidc": "mocha --config test/mocha_mongodb.json test/manual/mongodb_oidc.prose.test.ts", + "check:oidc-auth": "mocha --config test/mocha_mongodb.json test/integration/auth/auth.spec.test.ts", "check:oidc-azure": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_azure.prose.test.ts", "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js", "check:kerberos": "nyc mocha --config test/manual/mocharc.json test/manual/kerberos.test.ts", diff --git a/src/cmap/auth/auth_provider.ts b/src/cmap/auth/auth_provider.ts index 37a47889b91..00f0d4e9d71 100644 --- a/src/cmap/auth/auth_provider.ts +++ b/src/cmap/auth/auth_provider.ts @@ -1,8 +1,17 @@ import type { Document } from '../../bson'; -import { MongoRuntimeError } from '../../error'; +import { MongoInvalidArgumentError, MongoRuntimeError } from '../../error'; import type { HandshakeDocument } from '../connect'; import type { Connection, ConnectionOptions } from '../connection'; +import { GSSAPI } from './gssapi'; import type { MongoCredentials } from './mongo_credentials'; +import { MongoCR } from './mongocr'; +import { MongoDBAWS } from './mongodb_aws'; +import { MongoDBOIDC } from './mongodb_oidc'; +import { Plain } from './plain'; +import { AuthMechanism } from './providers'; +import { ScramSHA1, ScramSHA256 } from './scram'; +import { type TokenCache } from './token_cache'; +import { X509 } from './x509'; /** * Context used during authentication @@ -34,6 +43,26 @@ export class AuthContext { } } +export const SINGLETON_AUTH_PROVIDERS = new Map([ + [AuthMechanism.MONGODB_AWS, new MongoDBAWS()], + [AuthMechanism.MONGODB_CR, new MongoCR()], + [AuthMechanism.MONGODB_GSSAPI, new GSSAPI()], + [AuthMechanism.MONGODB_PLAIN, new Plain()], + [AuthMechanism.MONGODB_SCRAM_SHA1, new ScramSHA1()], + [AuthMechanism.MONGODB_SCRAM_SHA256, new ScramSHA256()], + [AuthMechanism.MONGODB_X509, new X509()] +]); + +/** @internal */ +export function authProviderFor(name: AuthMechanism | string, cache?: TokenCache): AuthProvider { + // OIDC needs to contain a MongoClient scoped token cache, so it cannot be + // used as a singleton. + if (name === AuthMechanism.MONGODB_OIDC) return new MongoDBOIDC(cache); + const provider = SINGLETON_AUTH_PROVIDERS.get(name); + if (provider) return provider; + throw new MongoInvalidArgumentError(`No auth provider found for type ${name}`); +} + export abstract class AuthProvider { /** * Prepare the handshake document before the initial handshake. diff --git a/src/cmap/auth/mongo_credentials.ts b/src/cmap/auth/mongo_credentials.ts index c086afb4e7e..592a910a340 100644 --- a/src/cmap/auth/mongo_credentials.ts +++ b/src/cmap/auth/mongo_credentials.ts @@ -8,7 +8,7 @@ import { MongoMissingCredentialsError } from '../../error'; import { GSSAPICanonicalizationValue } from './gssapi'; -import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc'; +import type { OIDCCallbackFunction } from './mongodb_oidc'; import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers'; // https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst @@ -38,6 +38,7 @@ const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an ar /** @internal */ export const DEFAULT_ALLOWED_HOSTS = [ '*.mongodb.net', + '*.mongodb-qa.net', '*.mongodb-dev.net', '*.mongodbgov.net', 'localhost', @@ -57,15 +58,17 @@ export interface AuthMechanismProperties extends Document { CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue; AWS_SESSION_TOKEN?: string; /** @experimental */ - REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction; + OIDC_CALLBACK?: OIDCCallbackFunction; /** @experimental */ - REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction; + OIDC_HUMAN_CALLBACK?: OIDCCallbackFunction; /** @experimental */ PROVIDER_NAME?: 'aws' | 'azure'; /** @experimental */ ALLOWED_HOSTS?: string[]; /** @experimental */ TOKEN_AUDIENCE?: string; + /** @experimental */ + TOKEN_CLIENT_ID?: string; } /** @public */ @@ -179,9 +182,13 @@ export class MongoCredentials { } if (this.mechanism === AuthMechanism.MONGODB_OIDC) { - if (this.username && this.mechanismProperties.PROVIDER_NAME) { + if ( + this.username && + this.mechanismProperties.PROVIDER_NAME && + this.mechanismProperties.PROVIDER_NAME !== 'azure' + ) { throw new MongoInvalidArgumentError( - `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.` + `username and PROVIDER_NAME '${this.mechanismProperties.PROVIDER_NAME}' may not be used together for mechanism '${this.mechanism}'.` ); } @@ -203,21 +210,13 @@ export class MongoCredentials { ); } - if ( - this.mechanismProperties.REFRESH_TOKEN_CALLBACK && - !this.mechanismProperties.REQUEST_TOKEN_CALLBACK - ) { - throw new MongoInvalidArgumentError( - `A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'` - ); - } - if ( !this.mechanismProperties.PROVIDER_NAME && - !this.mechanismProperties.REQUEST_TOKEN_CALLBACK + !this.mechanismProperties.OIDC_CALLBACK && + !this.mechanismProperties.OIDC_HUMAN_CALLBACK ) { throw new MongoInvalidArgumentError( - `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.` + `Either a PROVIDER_NAME, OIDC_CALLBACK, or OIDC_HUMAN_CALLBACK must be specified for mechanism '${this.mechanism}'.` ); } diff --git a/src/cmap/auth/mongodb_oidc.ts b/src/cmap/auth/mongodb_oidc.ts index f3584c4893e..1e5ae2b6d5b 100644 --- a/src/cmap/auth/mongodb_oidc.ts +++ b/src/cmap/auth/mongodb_oidc.ts @@ -5,9 +5,10 @@ import type { HandshakeDocument } from '../connect'; import type { Connection } from '../connection'; import { type AuthContext, AuthProvider } from './auth_provider'; import type { MongoCredentials } from './mongo_credentials'; -import { AwsServiceWorkflow } from './mongodb_oidc/aws_service_workflow'; -import { AzureServiceWorkflow } from './mongodb_oidc/azure_service_workflow'; +import { AwsMachineWorkflow } from './mongodb_oidc/aws_machine_workflow'; +import { AzureMachineWorkflow } from './mongodb_oidc/azure_machine_workflow'; import { CallbackWorkflow } from './mongodb_oidc/callback_workflow'; +import type { TokenCache } from './token_cache'; /** Error when credentials are missing. */ const MISSING_CREDENTIALS_ERROR = 'AuthContext must provide credentials.'; @@ -16,7 +17,7 @@ const MISSING_CREDENTIALS_ERROR = 'AuthContext must provide credentials.'; * @public * @experimental */ -export interface IdPServerInfo { +export interface IdPInfo { issuer: string; clientId: string; requestScopes?: string[]; @@ -36,30 +37,28 @@ export interface IdPServerResponse { * @public * @experimental */ -export interface OIDCCallbackContext { +export interface OIDCResponse { + accessToken: string; + expiresInSeconds?: number; refreshToken?: string; - timeoutSeconds?: number; - timeoutContext?: AbortSignal; - version: number; } /** * @public * @experimental */ -export type OIDCRequestFunction = ( - info: IdPServerInfo, - context: OIDCCallbackContext -) => Promise; +export interface OIDCCallbackParams { + timeoutContext: AbortSignal; + version: number; + idpInfo?: IdPInfo; + refreshToken?: string; +} /** * @public * @experimental */ -export type OIDCRefreshFunction = ( - info: IdPServerInfo, - context: OIDCCallbackContext -) => Promise; +export type OIDCCallbackFunction = (params: OIDCCallbackParams) => Promise; type ProviderName = 'aws' | 'azure' | 'callback'; @@ -71,10 +70,19 @@ export interface Workflow { execute( connection: Connection, credentials: MongoCredentials, - reauthenticating: boolean, + cache?: TokenCache, response?: Document ): Promise; + /** + * Each workflow should specify the correct custom behaviour for reauthentication. + */ + reauthenticate( + connection: Connection, + credentials: MongoCredentials, + cache?: TokenCache + ): Promise; + /** * Get the document to add for speculative authentication. */ @@ -84,19 +92,22 @@ export interface Workflow { /** @internal */ export const OIDC_WORKFLOWS: Map = new Map(); OIDC_WORKFLOWS.set('callback', new CallbackWorkflow()); -OIDC_WORKFLOWS.set('aws', new AwsServiceWorkflow()); -OIDC_WORKFLOWS.set('azure', new AzureServiceWorkflow()); +OIDC_WORKFLOWS.set('aws', new AwsMachineWorkflow()); +OIDC_WORKFLOWS.set('azure', new AzureMachineWorkflow()); /** * OIDC auth provider. * @experimental */ export class MongoDBOIDC extends AuthProvider { + cache?: TokenCache; + /** * Instantiate the auth provider. */ - constructor() { + constructor(cache?: TokenCache) { super(); + this.cache = cache; } /** @@ -106,7 +117,11 @@ export class MongoDBOIDC extends AuthProvider { const { connection, reauthenticating, response } = authContext; const credentials = getCredentials(authContext); const workflow = getWorkflow(credentials); - await workflow.execute(connection, credentials, reauthenticating, response); + if (reauthenticating) { + await workflow.reauthenticate(connection, credentials, this.cache); + } else { + await workflow.execute(connection, credentials, this.cache, response); + } } /** diff --git a/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts b/src/cmap/auth/mongodb_oidc/aws_machine_workflow.ts similarity index 84% rename from src/cmap/auth/mongodb_oidc/aws_service_workflow.ts rename to src/cmap/auth/mongodb_oidc/aws_machine_workflow.ts index 5dd07b1d28e..138954b29af 100644 --- a/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts +++ b/src/cmap/auth/mongodb_oidc/aws_machine_workflow.ts @@ -1,7 +1,7 @@ import * as fs from 'fs'; import { MongoAWSError } from '../../../error'; -import { ServiceWorkflow } from './service_workflow'; +import { MachineWorkflow } from './machine_workflow'; /** Error for when the token is missing in the environment. */ const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.'; @@ -11,7 +11,7 @@ const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the envi * * @internal */ -export class AwsServiceWorkflow extends ServiceWorkflow { +export class AwsMachineWorkflow extends MachineWorkflow { constructor() { super(); } diff --git a/src/cmap/auth/mongodb_oidc/azure_service_workflow.ts b/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts similarity index 76% rename from src/cmap/auth/mongodb_oidc/azure_service_workflow.ts rename to src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts index fadbf5e9fd9..89c97a65717 100644 --- a/src/cmap/auth/mongodb_oidc/azure_service_workflow.ts +++ b/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts @@ -2,11 +2,10 @@ import { MongoAzureError } from '../../../error'; import { request } from '../../../utils'; import type { MongoCredentials } from '../mongo_credentials'; import { AzureTokenCache } from './azure_token_cache'; -import { ServiceWorkflow } from './service_workflow'; +import { MachineWorkflow } from './machine_workflow'; /** Base URL for getting Azure tokens. */ -const AZURE_BASE_URL = - 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01'; +const AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?'; /** Azure request headers. */ const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' }); @@ -33,7 +32,7 @@ export interface AzureAccessToken { * * @internal */ -export class AzureServiceWorkflow extends ServiceWorkflow { +export class AzureMachineWorkflow extends MachineWorkflow { cache = new AzureTokenCache(); /** @@ -41,6 +40,7 @@ export class AzureServiceWorkflow extends ServiceWorkflow { */ async getToken(credentials?: MongoCredentials): Promise { const tokenAudience = credentials?.mechanismProperties.TOKEN_AUDIENCE; + const username = credentials?.username; if (!tokenAudience) { throw new MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR); } @@ -50,7 +50,7 @@ export class AzureServiceWorkflow extends ServiceWorkflow { token = entry.token; } else { this.cache.deleteEntry(tokenAudience); - const response = await getAzureTokenData(tokenAudience); + const response = await getAzureTokenData(tokenAudience, username); if (!isEndpointResultValid(response)) { throw new MongoAzureError(ENDPOINT_RESULT_ERROR); } @@ -64,9 +64,17 @@ export class AzureServiceWorkflow extends ServiceWorkflow { /** * Hit the Azure endpoint to get the token data. */ -async function getAzureTokenData(tokenAudience: string): Promise { - const url = `${AZURE_BASE_URL}&resource=${tokenAudience}`; - const data = await request(url, { +async function getAzureTokenData( + tokenAudience: string, + username?: string +): Promise { + const url = new URL(AZURE_BASE_URL); + url.searchParams.append('api-version', '2018-02-01'); + url.searchParams.append('resource', tokenAudience); + if (username) { + url.searchParams.append('object_id', username); + } + const data = await request(url.toString(), { json: true, headers: AZURE_HEADERS }); diff --git a/src/cmap/auth/mongodb_oidc/azure_token_cache.ts b/src/cmap/auth/mongodb_oidc/azure_token_cache.ts index f68725120e8..07794c7f3aa 100644 --- a/src/cmap/auth/mongodb_oidc/azure_token_cache.ts +++ b/src/cmap/auth/mongodb_oidc/azure_token_cache.ts @@ -1,4 +1,4 @@ -import type { AzureAccessToken } from './azure_service_workflow'; +import type { AzureAccessToken } from './azure_machine_workflow'; import { Cache, ExpiringCacheEntry } from './cache'; /** @internal */ diff --git a/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts b/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts deleted file mode 100644 index b92a504b0a8..00000000000 --- a/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts +++ /dev/null @@ -1,114 +0,0 @@ -import { MongoInvalidArgumentError } from '../../../error'; -import type { Connection } from '../../connection'; -import type { MongoCredentials } from '../mongo_credentials'; -import type { - IdPServerInfo, - IdPServerResponse, - OIDCCallbackContext, - OIDCRefreshFunction, - OIDCRequestFunction -} from '../mongodb_oidc'; -import { Cache } from './cache'; - -/** Error message for when request callback is missing. */ -const REQUEST_CALLBACK_REQUIRED_ERROR = - 'Auth mechanism property REQUEST_TOKEN_CALLBACK is required.'; -/* Counter for function "hashes".*/ -let FN_HASH_COUNTER = 0; -/* No function present function */ -const NO_FUNCTION: OIDCRequestFunction = async () => ({ accessToken: 'test' }); -/* The map of function hashes */ -const FN_HASHES = new WeakMap(); -/* Put the no function hash in the map. */ -FN_HASHES.set(NO_FUNCTION, FN_HASH_COUNTER); - -/** - * An entry of callbacks in the cache. - */ -interface CallbacksEntry { - requestCallback: OIDCRequestFunction; - refreshCallback?: OIDCRefreshFunction; - callbackHash: string; -} - -/** - * A cache of request and refresh callbacks per server/user. - */ -export class CallbackLockCache extends Cache { - /** - * Get the callbacks for the connection and credentials. If an entry does not - * exist a new one will get set. - */ - getEntry(connection: Connection, credentials: MongoCredentials): CallbacksEntry { - const requestCallback = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK; - const refreshCallback = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK; - if (!requestCallback) { - throw new MongoInvalidArgumentError(REQUEST_CALLBACK_REQUIRED_ERROR); - } - const callbackHash = hashFunctions(requestCallback, refreshCallback); - const key = this.cacheKey(connection.address, credentials.username, callbackHash); - const entry = this.entries.get(key); - if (entry) { - return entry; - } - return this.addEntry(key, callbackHash, requestCallback, refreshCallback); - } - - /** - * Set locked callbacks on for connection and credentials. - */ - private addEntry( - key: string, - callbackHash: string, - requestCallback: OIDCRequestFunction, - refreshCallback?: OIDCRefreshFunction - ): CallbacksEntry { - const entry = { - requestCallback: withLock(requestCallback), - refreshCallback: refreshCallback ? withLock(refreshCallback) : undefined, - callbackHash: callbackHash - }; - this.entries.set(key, entry); - return entry; - } - - /** - * Create a cache key from the address and username. - */ - cacheKey(address: string, username: string, callbackHash: string): string { - return this.hashedCacheKey(address, username, callbackHash); - } -} - -/** - * Ensure the callback is only executed one at a time. - */ -function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) { - let lock: Promise = Promise.resolve(); - return async (info: IdPServerInfo, context: OIDCCallbackContext): Promise => { - await lock; - lock = lock.then(() => callback(info, context)); - return lock; - }; -} - -/** - * Get the hash string for the request and refresh functions. - */ -function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string { - let requestHash = FN_HASHES.get(requestFn); - let refreshHash = FN_HASHES.get(refreshFn ?? NO_FUNCTION); - if (requestHash == null) { - // Create a new one for the function and put it in the map. - FN_HASH_COUNTER++; - requestHash = FN_HASH_COUNTER; - FN_HASHES.set(requestFn, FN_HASH_COUNTER); - } - if (refreshHash == null && refreshFn) { - // Create a new one for the function and put it in the map. - FN_HASH_COUNTER++; - refreshHash = FN_HASH_COUNTER; - FN_HASHES.set(refreshFn, FN_HASH_COUNTER); - } - return `${requestHash}-${refreshHash}`; -} diff --git a/src/cmap/auth/mongodb_oidc/callback_workflow.ts b/src/cmap/auth/mongodb_oidc/callback_workflow.ts index 9822fd1e505..85f3429da07 100644 --- a/src/cmap/auth/mongodb_oidc/callback_workflow.ts +++ b/src/cmap/auth/mongodb_oidc/callback_workflow.ts @@ -1,26 +1,24 @@ -import { Binary, BSON, type Document } from 'bson'; +import { BSON, type Document } from 'bson'; -import { MONGODB_ERROR_CODES, MongoError, MongoMissingCredentialsError } from '../../../error'; +import { MongoMissingCredentialsError } from '../../../error'; import { ns } from '../../../utils'; import type { Connection } from '../../connection'; -import type { MongoCredentials } from '../mongo_credentials'; +import type { AuthMechanismProperties, MongoCredentials } from '../mongo_credentials'; import type { - IdPServerInfo, + IdPInfo, IdPServerResponse, - OIDCCallbackContext, - OIDCRefreshFunction, - OIDCRequestFunction, + OIDCCallbackFunction, + OIDCCallbackParams, Workflow } from '../mongodb_oidc'; -import { AuthMechanism } from '../providers'; -import { CallbackLockCache } from './callback_lock_cache'; -import { TokenEntryCache } from './token_entry_cache'; +import { type TokenCache } from '../token_cache'; +import { finishCommandDocument, startCommandDocument } from './command_builders'; /** The current version of OIDC implementation. */ -const OIDC_VERSION = 0; +const OIDC_VERSION = 1; -/** 5 minutes in seconds */ -const TIMEOUT_S = 300; +/** 5 minutes in milliseconds */ +const HUMAN_TIMEOUT_MS = 300000; /** Properties allowed on results of callbacks. */ const RESULT_PROPERTIES = ['accessToken', 'expiresInSeconds', 'refreshToken']; @@ -29,22 +27,21 @@ const RESULT_PROPERTIES = ['accessToken', 'expiresInSeconds', 'refreshToken']; const CALLBACK_RESULT_ERROR = 'User provided OIDC callbacks must return a valid object with an accessToken.'; +const NO_CALLBACK = 'No OIDC_CALLBACK or OIDC_HUMAN_CALLBACK provided for callback workflow.'; + +/** + * The OIDC callback information. + */ +interface OIDCCallbackInfo { + callback: OIDCCallbackFunction; + isHumanWorkflow: boolean; +} + /** * OIDC implementation of a callback based workflow. * @internal */ export class CallbackWorkflow implements Workflow { - cache: TokenEntryCache; - callbackCache: CallbackLockCache; - - /** - * Instantiate the workflow - */ - constructor() { - this.cache = new TokenEntryCache(); - this.callbackCache = new CallbackLockCache(); - } - /** * Get the document to add for speculative authentication. This also needs * to add a db field from the credentials source. @@ -55,96 +52,55 @@ export class CallbackWorkflow implements Workflow { return { speculativeAuthenticate: document }; } + /** + * Reauthenticate the callback workflow. + * For reauthentication: + * - Check if the connection's accessToken is not equal to the token manager's. + * - If they are different, use the token from the manager and set it on the connection and finish auth. + * - On success return, on error continue. + * - start auth to update the IDP information + * - If the idp info has changed, clear access token and refresh token. + * - If the idp info has not changed, attempt to use the refresh token. + * - if there's still a refresh token at this point, attempt to finish auth with that. + * - Attempt the full auth run, on error, raise to user. + */ + async reauthenticate( + connection: Connection, + credentials: MongoCredentials, + cache?: TokenCache + ): Promise { + // Reauthentication should always remove the access token. + cache?.remove(); + return this.execute(connection, credentials, cache); + } + /** * Execute the OIDC callback workflow. */ async execute( connection: Connection, credentials: MongoCredentials, - reauthenticating: boolean, + cache?: TokenCache, response?: Document ): Promise { - // Get the callbacks with locks from the callback lock cache. - const { requestCallback, refreshCallback, callbackHash } = this.callbackCache.getEntry( - connection, - credentials - ); - // Look for an existing entry in the cache. - const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash); - let result; - if (entry) { - // Reauthentication cannot use a token from the cache since the server has - // stated it is invalid by the request for reauthentication. - if (entry.isValid() && !reauthenticating) { - // Presence of a valid cache entry means we can skip to the finishing step. - result = await this.finishAuthentication( - connection, - credentials, - entry.tokenResult, - response?.speculativeAuthenticate?.conversationId - ); - } else { - // Presence of an expired cache entry means we must fetch a new one and - // then execute the final step. - const tokenResult = await this.fetchAccessToken( - connection, - credentials, - entry.serverInfo, - reauthenticating, - callbackHash, - requestCallback, - refreshCallback - ); - try { - result = await this.finishAuthentication( - connection, - credentials, - tokenResult, - reauthenticating ? undefined : response?.speculativeAuthenticate?.conversationId - ); - } catch (error) { - // If we are reauthenticating and this errors with reauthentication - // required, we need to do the entire process over again and clear - // the cache entry. - if ( - reauthenticating && - error instanceof MongoError && - error.code === MONGODB_ERROR_CODES.Reauthenticate - ) { - this.cache.deleteEntry(connection.address, credentials.username, callbackHash); - result = await this.execute(connection, credentials, reauthenticating); - } else { - throw error; - } - } - } + const callbackInfo = getCallback(credentials.mechanismProperties); + const startDocument = await this.startAuthentication(connection, credentials, response); + const conversationId = startDocument.conversationId; + const idpInfo = BSON.deserialize(startDocument.payload.buffer) as IdPInfo; + // If we are not reauthenticating we can use the token from the cache. + let tokenResult: IdPServerResponse; + if (cache?.hasToken()) { + tokenResult = cache.get(); } else { - // No entry in the cache requires us to do all authentication steps - // from start to finish, including getting a fresh token for the cache. - const startDocument = await this.startAuthentication( - connection, - credentials, - reauthenticating, - response - ); - const conversationId = startDocument.conversationId; - const serverResult = BSON.deserialize(startDocument.payload.buffer) as IdPServerInfo; - const tokenResult = await this.fetchAccessToken( - connection, - credentials, - serverResult, - reauthenticating, - callbackHash, - requestCallback, - refreshCallback - ); - result = await this.finishAuthentication( - connection, - credentials, - tokenResult, - conversationId - ); + tokenResult = await this.fetchAccessToken(connection, credentials, idpInfo, callbackInfo); + cache?.put(tokenResult); } + const result = await this.finishAuthentication( + connection, + credentials, + tokenResult, + conversationId + ); return result; } @@ -156,11 +112,10 @@ export class CallbackWorkflow implements Workflow { private async startAuthentication( connection: Connection, credentials: MongoCredentials, - reauthenticating: boolean, response?: Document ): Promise { let result; - if (!reauthenticating && response?.speculativeAuthenticate) { + if (response?.speculativeAuthenticate) { result = response.speculativeAuthenticate; } else { result = await connection.command( @@ -196,76 +151,39 @@ export class CallbackWorkflow implements Workflow { private async fetchAccessToken( connection: Connection, credentials: MongoCredentials, - serverInfo: IdPServerInfo, - reauthenticating: boolean, - callbackHash: string, - requestCallback: OIDCRequestFunction, - refreshCallback?: OIDCRefreshFunction + idpInfo: IdPInfo, + callbackInfo: OIDCCallbackInfo ): Promise { - // Get the token from the cache. - const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash); - let result; - const context: OIDCCallbackContext = { timeoutSeconds: TIMEOUT_S, version: OIDC_VERSION }; - // Check if there's a token in the cache. - if (entry) { - // If the cache entry is valid, return the token result. - if (entry.isValid() && !reauthenticating) { - return entry.tokenResult; - } - // If the cache entry is not valid, remove it from the cache and first attempt - // to use the refresh callback to get a new token. If no refresh callback - // exists, then fallback to the request callback. - if (refreshCallback) { - context.refreshToken = entry.tokenResult.refreshToken; - result = await refreshCallback(serverInfo, context); - } else { - result = await requestCallback(serverInfo, context); - } - } else { - // With no token in the cache we use the request callback. - result = await requestCallback(serverInfo, context); - } + const params: OIDCCallbackParams = { + timeoutContext: AbortSignal.timeout( + callbackInfo.isHumanWorkflow ? HUMAN_TIMEOUT_MS : HUMAN_TIMEOUT_MS + ), // TODO: CSOT + version: OIDC_VERSION, + idpInfo: idpInfo // TODO: refreshToken? + }; + // With no token in the cache we use the request callback. + const result = await callbackInfo.callback(params); // Validate that the result returned by the callback is acceptable. If it is not // we must clear the token result from the cache. if (isCallbackResultInvalid(result)) { - this.cache.deleteEntry(connection.address, credentials.username, callbackHash); throw new MongoMissingCredentialsError(CALLBACK_RESULT_ERROR); } - // Cleanup the cache. - this.cache.deleteExpiredEntries(); - // Put the new entry into the cache. - this.cache.addEntry( - connection.address, - credentials.username || '', - callbackHash, - result, - serverInfo - ); return result; } } /** - * Generate the finishing command document for authentication. Will be a - * saslStart or saslContinue depending on the presence of a conversation id. + * Returns a callback, either machine or human, and a flag whether the workflow is + * human or not. */ -function finishCommandDocument(token: string, conversationId?: number): Document { - if (conversationId != null && typeof conversationId === 'number') { - return { - saslContinue: 1, - conversationId: conversationId, - payload: new Binary(BSON.serialize({ jwt: token })) - }; +function getCallback(mechanismProperties: AuthMechanismProperties): OIDCCallbackInfo { + if (!mechanismProperties.OIDC_CALLBACK || !mechanismProperties.OIDC_HUMAN_CALLBACK) { + throw new MongoMissingCredentialsError(NO_CALLBACK); } - // saslContinue requires a conversationId in the command to be valid so in this - // case the server allows "step two" to actually be a saslStart with the token - // as the jwt since the use of the cached value has no correlating conversating - // on the particular connection. - return { - saslStart: 1, - mechanism: AuthMechanism.MONGODB_OIDC, - payload: new Binary(BSON.serialize({ jwt: token })) - }; + if (mechanismProperties.OIDC_CALLBACK) { + return { callback: mechanismProperties.OIDC_CALLBACK, isHumanWorkflow: false }; + } + return { callback: mechanismProperties.OIDC_HUMAN_CALLBACK, isHumanWorkflow: true }; } /** @@ -278,19 +196,3 @@ function isCallbackResultInvalid(tokenResult: unknown): boolean { if (!('accessToken' in tokenResult)) return true; return !Object.getOwnPropertyNames(tokenResult).every(prop => RESULT_PROPERTIES.includes(prop)); } - -/** - * Generate the saslStart command document. - */ -function startCommandDocument(credentials: MongoCredentials): Document { - const payload: Document = {}; - if (credentials.username) { - payload.n = credentials.username; - } - return { - saslStart: 1, - autoAuthorize: 1, - mechanism: AuthMechanism.MONGODB_OIDC, - payload: new Binary(BSON.serialize(payload)) - }; -} diff --git a/src/cmap/auth/mongodb_oidc/command_builders.ts b/src/cmap/auth/mongodb_oidc/command_builders.ts new file mode 100644 index 00000000000..ee6284343f3 --- /dev/null +++ b/src/cmap/auth/mongodb_oidc/command_builders.ts @@ -0,0 +1,43 @@ +import { Binary, BSON, type Document } from 'bson'; + +import { type MongoCredentials } from '../mongo_credentials'; +import { AuthMechanism } from '../providers'; + +/** + * Generate the finishing command document for authentication. Will be a + * saslStart or saslContinue depending on the presence of a conversation id. + */ +export function finishCommandDocument(token: string, conversationId?: number): Document { + if (conversationId != null && typeof conversationId === 'number') { + return { + saslContinue: 1, + conversationId: conversationId, + payload: new Binary(BSON.serialize({ jwt: token })) + }; + } + // saslContinue requires a conversationId in the command to be valid so in this + // case the server allows "step two" to actually be a saslStart with the token + // as the jwt since the use of the cached value has no correlating conversating + // on the particular connection. + return { + saslStart: 1, + mechanism: AuthMechanism.MONGODB_OIDC, + payload: new Binary(BSON.serialize({ jwt: token })) + }; +} + +/** + * Generate the saslStart command document. + */ +export function startCommandDocument(credentials: MongoCredentials): Document { + const payload: Document = {}; + if (credentials.username) { + payload.n = credentials.username; + } + return { + saslStart: 1, + autoAuthorize: 1, + mechanism: AuthMechanism.MONGODB_OIDC, + payload: new Binary(BSON.serialize(payload)) + }; +} diff --git a/src/cmap/auth/mongodb_oidc/service_workflow.ts b/src/cmap/auth/mongodb_oidc/machine_workflow.ts similarity index 56% rename from src/cmap/auth/mongodb_oidc/service_workflow.ts rename to src/cmap/auth/mongodb_oidc/machine_workflow.ts index afea78fad53..73372fd6933 100644 --- a/src/cmap/auth/mongodb_oidc/service_workflow.ts +++ b/src/cmap/auth/mongodb_oidc/machine_workflow.ts @@ -1,32 +1,39 @@ -import { BSON, type Document } from 'bson'; +import { type Document } from 'bson'; import { ns } from '../../../utils'; import type { Connection } from '../../connection'; import type { MongoCredentials } from '../mongo_credentials'; import type { Workflow } from '../mongodb_oidc'; -import { AuthMechanism } from '../providers'; +import { finishCommandDocument } from './command_builders'; /** - * Common behaviour for OIDC device workflows. + * Common behaviour for OIDC machine workflows. * @internal */ -export abstract class ServiceWorkflow implements Workflow { +export abstract class MachineWorkflow implements Workflow { /** - * Execute the workflow. Looks for AWS_WEB_IDENTITY_TOKEN_FILE in the environment - * and then attempts to read the token from that path. + * Execute the workflow. Gets the token from the subclass implementation. */ async execute(connection: Connection, credentials: MongoCredentials): Promise { const token = await this.getToken(credentials); - const command = commandDocument(token); + const command = finishCommandDocument(token); return connection.command(ns(credentials.source), command, undefined); } + /** + * Reauthenticate on a machine workflow just grabs the token again since the server + * has said the current access token is invalid or expired. + */ + async reauthenticate(connection: Connection, credentials: MongoCredentials): Promise { + return this.execute(connection, credentials); + } + /** * Get the document to add for speculative authentication. */ async speculativeAuth(credentials: MongoCredentials): Promise { const token = await this.getToken(credentials); - const document = commandDocument(token); + const document = finishCommandDocument(token); document.db = credentials.source; return { speculativeAuthenticate: document }; } @@ -36,14 +43,3 @@ export abstract class ServiceWorkflow implements Workflow { */ abstract getToken(credentials: MongoCredentials): Promise; } - -/** - * Create the saslStart command document. - */ -export function commandDocument(token: string): Document { - return { - saslStart: 1, - mechanism: AuthMechanism.MONGODB_OIDC, - payload: BSON.serialize({ jwt: token }) - }; -} diff --git a/src/cmap/auth/mongodb_oidc/token_entry_cache.ts b/src/cmap/auth/mongodb_oidc/token_entry_cache.ts deleted file mode 100644 index 1b5b9de3314..00000000000 --- a/src/cmap/auth/mongodb_oidc/token_entry_cache.ts +++ /dev/null @@ -1,77 +0,0 @@ -import type { IdPServerInfo, IdPServerResponse } from '../mongodb_oidc'; -import { Cache, ExpiringCacheEntry } from './cache'; - -/* Default expiration is now for when no expiration provided */ -const DEFAULT_EXPIRATION_SECS = 0; - -/** @internal */ -export class TokenEntry extends ExpiringCacheEntry { - tokenResult: IdPServerResponse; - serverInfo: IdPServerInfo; - - /** - * Instantiate the entry. - */ - constructor(tokenResult: IdPServerResponse, serverInfo: IdPServerInfo, expiration: number) { - super(expiration); - this.tokenResult = tokenResult; - this.serverInfo = serverInfo; - } -} - -/** - * Cache of OIDC token entries. - * @internal - */ -export class TokenEntryCache extends Cache { - /** - * Set an entry in the token cache. - */ - addEntry( - address: string, - username: string, - callbackHash: string, - tokenResult: IdPServerResponse, - serverInfo: IdPServerInfo - ): TokenEntry { - const entry = new TokenEntry( - tokenResult, - serverInfo, - tokenResult.expiresInSeconds ?? DEFAULT_EXPIRATION_SECS - ); - this.entries.set(this.cacheKey(address, username, callbackHash), entry); - return entry; - } - - /** - * Delete an entry from the cache. - */ - deleteEntry(address: string, username: string, callbackHash: string): void { - this.entries.delete(this.cacheKey(address, username, callbackHash)); - } - - /** - * Get an entry from the cache. - */ - getEntry(address: string, username: string, callbackHash: string): TokenEntry | undefined { - return this.entries.get(this.cacheKey(address, username, callbackHash)); - } - - /** - * Delete all expired entries from the cache. - */ - deleteExpiredEntries(): void { - for (const [key, entry] of this.entries) { - if (!entry.isValid()) { - this.entries.delete(key); - } - } - } - - /** - * Create a cache key from the address and username. - */ - cacheKey(address: string, username: string, callbackHash: string): string { - return this.hashedCacheKey(address, username, callbackHash); - } -} diff --git a/src/cmap/auth/token_cache.ts b/src/cmap/auth/token_cache.ts new file mode 100644 index 00000000000..ebe0c9cb4ae --- /dev/null +++ b/src/cmap/auth/token_cache.ts @@ -0,0 +1,26 @@ +import { MongoDriverError } from '../../error'; +import { type IdPServerResponse } from './mongodb_oidc'; + +/** @internal */ +export class TokenCache { + private tokenResult?: IdPServerResponse; + + hasToken(): boolean { + return !!this.tokenResult; + } + + get(): IdPServerResponse { + if (!this.tokenResult) { + throw new MongoDriverError('no token'); + } + return this.tokenResult; + } + + put(result: IdPServerResponse) { + this.tokenResult = result; + } + + remove() { + this.tokenResult = undefined; + } +} diff --git a/src/cmap/connect.ts b/src/cmap/connect.ts index c484a80f49a..6c21d9792c6 100644 --- a/src/cmap/connect.ts +++ b/src/cmap/connect.ts @@ -17,15 +17,8 @@ import { needsRetryableWriteLabel } from '../error'; import { HostAddress, ns, promiseWithResolvers } from '../utils'; -import { AuthContext, type AuthProvider } from './auth/auth_provider'; -import { GSSAPI } from './auth/gssapi'; -import { MongoCR } from './auth/mongocr'; -import { MongoDBAWS } from './auth/mongodb_aws'; -import { MongoDBOIDC } from './auth/mongodb_oidc'; -import { Plain } from './auth/plain'; +import { AuthContext, authProviderFor } from './auth/auth_provider'; import { AuthMechanism } from './auth/providers'; -import { ScramSHA1, ScramSHA256 } from './auth/scram'; -import { X509 } from './auth/x509'; import { type CommandOptions, Connection, @@ -40,18 +33,6 @@ import { MIN_SUPPORTED_WIRE_VERSION } from './wire_protocol/constants'; -/** @internal */ -export const AUTH_PROVIDERS = new Map([ - [AuthMechanism.MONGODB_AWS, new MongoDBAWS()], - [AuthMechanism.MONGODB_CR, new MongoCR()], - [AuthMechanism.MONGODB_GSSAPI, new GSSAPI()], - [AuthMechanism.MONGODB_OIDC, new MongoDBOIDC()], - [AuthMechanism.MONGODB_PLAIN, new Plain()], - [AuthMechanism.MONGODB_SCRAM_SHA1, new ScramSHA1()], - [AuthMechanism.MONGODB_SCRAM_SHA256, new ScramSHA256()], - [AuthMechanism.MONGODB_X509, new X509()] -]); - /** @public */ export type Stream = Socket | TLSSocket; @@ -108,15 +89,6 @@ export async function performInitialHandshake( ): Promise { const credentials = options.credentials; - if (credentials) { - if ( - !(credentials.mechanism === AuthMechanism.MONGODB_DEFAULT) && - !AUTH_PROVIDERS.get(credentials.mechanism) - ) { - throw new MongoInvalidArgumentError(`AuthMechanism '${credentials.mechanism}' not supported`); - } - } - const authContext = new AuthContext(conn, credentials, options); conn.authContext = authContext; @@ -166,12 +138,7 @@ export async function performInitialHandshake( authContext.response = response; const resolvedCredentials = credentials.resolveAuthMechanism(response); - const provider = AUTH_PROVIDERS.get(resolvedCredentials.mechanism); - if (!provider) { - throw new MongoInvalidArgumentError( - `No AuthProvider for ${resolvedCredentials.mechanism} defined.` - ); - } + const provider = authProviderFor(resolvedCredentials.mechanism, options.tokenCache); try { await provider.auth(authContext); @@ -231,20 +198,10 @@ export async function prepareHandshakeDocument( if (credentials) { if (credentials.mechanism === AuthMechanism.MONGODB_DEFAULT && credentials.username) { handshakeDoc.saslSupportedMechs = `${credentials.source}.${credentials.username}`; - - const provider = AUTH_PROVIDERS.get(AuthMechanism.MONGODB_SCRAM_SHA256); - if (!provider) { - // This auth mechanism is always present. - throw new MongoInvalidArgumentError( - `No AuthProvider for ${AuthMechanism.MONGODB_SCRAM_SHA256} defined.` - ); - } + const provider = authProviderFor(AuthMechanism.MONGODB_SCRAM_SHA256, options.tokenCache); return provider.prepare(handshakeDoc, authContext); } - const provider = AUTH_PROVIDERS.get(credentials.mechanism); - if (!provider) { - throw new MongoInvalidArgumentError(`No AuthProvider for ${credentials.mechanism} defined.`); - } + const provider = authProviderFor(credentials.mechanism, options.tokenCache); return provider.prepare(handshakeDoc, authContext); } return handshakeDoc; diff --git a/src/cmap/connection.ts b/src/cmap/connection.ts index 7b277794edc..4518dc1663a 100644 --- a/src/cmap/connection.ts +++ b/src/cmap/connection.ts @@ -42,6 +42,7 @@ import { import type { WriteConcern } from '../write_concern'; import type { AuthContext } from './auth/auth_provider'; import type { MongoCredentials } from './auth/mongo_credentials'; +import type { TokenCache } from './auth/token_cache'; import { CommandFailedEvent, CommandStartedEvent, @@ -117,6 +118,8 @@ export interface ConnectionOptions metadata: ClientMetadata; /** @internal */ mongoLogger?: MongoLogger | undefined; + /** @internal */ + tokenCache?: TokenCache; } /** @internal */ diff --git a/src/cmap/connection_pool.ts b/src/cmap/connection_pool.ts index 4fe5249738f..838b45b4091 100644 --- a/src/cmap/connection_pool.ts +++ b/src/cmap/connection_pool.ts @@ -28,7 +28,8 @@ import { import { CancellationToken, TypedEventEmitter } from '../mongo_types'; import type { Server } from '../sdam/server'; import { type Callback, eachAsync, List, makeCounter, TimeoutController } from '../utils'; -import { AUTH_PROVIDERS, connect } from './connect'; +import { authProviderFor } from './auth/auth_provider'; +import { connect } from './connect'; import { Connection, type ConnectionEvents, type ConnectionOptions } from './connection'; import { ConnectionCheckedInEvent, @@ -622,14 +623,7 @@ export class ConnectionPool extends TypedEventEmitter { ); } const resolvedCredentials = credentials.resolveAuthMechanism(connection.hello); - const provider = AUTH_PROVIDERS.get(resolvedCredentials.mechanism); - if (!provider) { - return callback( - new MongoMissingCredentialsError( - `Reauthenticate failed due to no auth provider for ${credentials.mechanism}` - ) - ); - } + const provider = authProviderFor(resolvedCredentials.mechanism, this.options.tokenCache); provider.reauth(authContext).then( () => { fn(undefined, connection, (fnErr, fnResult) => { @@ -639,7 +633,7 @@ export class ConnectionPool extends TypedEventEmitter { callback(undefined, fnResult); }); }, - error => callback(error) + (error: AnyError | undefined) => callback(error) ); } diff --git a/src/index.ts b/src/index.ts index 6366e746655..52aaf139a02 100644 --- a/src/index.ts +++ b/src/index.ts @@ -100,6 +100,7 @@ export { BatchType } from './bulk/common'; export { AutoEncryptionLoggerLevel } from './client-side-encryption/auto_encrypter'; export { GSSAPICanonicalizationValue } from './cmap/auth/gssapi'; export { AuthMechanism } from './cmap/auth/providers'; +export { TokenCache } from './cmap/auth/token_cache'; export { Compressor } from './cmap/wire_protocol/compression'; export { CURSOR_FLAGS } from './cursor/abstract_cursor'; export { MongoErrorLabel } from './error'; @@ -250,11 +251,11 @@ export type { MongoCredentialsOptions } from './cmap/auth/mongo_credentials'; export type { - IdPServerInfo, + IdPInfo, IdPServerResponse, - OIDCCallbackContext, - OIDCRefreshFunction, - OIDCRequestFunction + OIDCCallbackFunction, + OIDCCallbackParams, + OIDCResponse } from './cmap/auth/mongodb_oidc'; export type { MessageHeader, diff --git a/src/mongo_client.ts b/src/mongo_client.ts index 476a912aece..18d57460937 100644 --- a/src/mongo_client.ts +++ b/src/mongo_client.ts @@ -12,6 +12,7 @@ import { type MongoCredentials } from './cmap/auth/mongo_credentials'; import { AuthMechanism } from './cmap/auth/providers'; +import { type TokenCache } from './cmap/auth/token_cache'; import type { LEGAL_TCP_SOCKET_OPTIONS, LEGAL_TLS_SOCKET_OPTIONS } from './cmap/connect'; import type { Connection } from './cmap/connection'; import type { ClientMetadata } from './cmap/handshake/client_metadata'; @@ -824,6 +825,8 @@ export interface MongoOptions metadata: ClientMetadata; /** @internal */ autoEncrypter?: AutoEncrypter; + /** @internal */ + tokenCache?: TokenCache; proxyHost?: string; proxyPort?: number; proxyUsername?: string; diff --git a/src/sdam/topology.ts b/src/sdam/topology.ts index 4bf816f2380..c68315e840f 100644 --- a/src/sdam/topology.ts +++ b/src/sdam/topology.ts @@ -2,6 +2,7 @@ import { promisify } from 'util'; import type { BSONSerializeOptions, Document } from '../bson'; import type { MongoCredentials } from '../cmap/auth/mongo_credentials'; +import { TokenCache } from '../cmap/auth/token_cache'; import type { ConnectionEvents, DestroyOptions } from '../cmap/connection'; import type { CloseOptions, ConnectionPoolEvents } from '../cmap/connection_pool'; import type { ClientMetadata } from '../cmap/handshake/client_metadata'; @@ -213,6 +214,8 @@ export class Topology extends TypedEventEmitter { _type?: string; client!: MongoClient; + /** Client scoped cache used for authentication */ + tokenCache: TokenCache; /** @event */ static readonly SERVER_OPENING = SERVER_OPENING; @@ -253,6 +256,7 @@ export class Topology extends TypedEventEmitter { super(); this.client = client; + this.tokenCache = new TokenCache(); this.selectServerAsync = promisify( ( selector: string | ReadPreference | ServerSelector, diff --git a/test/integration/auth/mongodb_oidc_azure.prose.test.ts b/test/integration/auth/mongodb_oidc_azure.prose.test.ts index 2dc95b4c935..a8b70fe64fd 100644 --- a/test/integration/auth/mongodb_oidc_azure.prose.test.ts +++ b/test/integration/auth/mongodb_oidc_azure.prose.test.ts @@ -10,7 +10,6 @@ import { } from '../../mongodb'; describe('OIDC Auth Spec Prose Tests', function () { - const callbackCache = OIDC_WORKFLOWS.get('callback').cache; const azureCache = OIDC_WORKFLOWS.get('azure').cache; describe('3. Azure Automatic Auth', function () { @@ -39,7 +38,7 @@ describe('OIDC Auth Spec Prose Tests', function () { // Close the client. it('successfully authenticates', async function () { const result = await collection.findOne(); - expect(result).to.be.null; + expect(result).to.not.be.null; }); }); @@ -59,13 +58,12 @@ describe('OIDC Auth Spec Prose Tests', function () { // Close the client. it('successfully authenticates', async function () { const result = await collection.findOne(); - expect(result).to.be.null; + expect(result).to.not.be.null; }); }); describe('3.3 Main Cache Not Used', function () { beforeEach(function () { - callbackCache?.clear(); client = this.configuration.newClient(process.env.MONGODB_URI); collection = client.db('test').collection('test'); }); @@ -77,14 +75,12 @@ describe('OIDC Auth Spec Prose Tests', function () { // Assert that the main OIDC cache is empty. it('does not use the main callback cache', async function () { const result = await collection.findOne(); - expect(result).to.be.null; - expect(callbackCache.entries).to.be.empty; + expect(result).to.not.be.null; }); }); describe('3.4 Azure Cache is Used', function () { beforeEach(function () { - callbackCache?.clear(); azureCache?.clear(); client = this.configuration.newClient(process.env.MONGODB_URI); collection = client.db('test').collection('test'); @@ -97,8 +93,7 @@ describe('OIDC Auth Spec Prose Tests', function () { // Assert that the Azure OIDC cache has one entry. it('uses the Azure OIDC cache', async function () { const result = await collection.findOne(); - expect(result).to.be.null; - expect(callbackCache.entries).to.be.empty; + expect(result).to.not.be.null; expect(azureCache.entries.size).to.equal(1); }); }); diff --git a/test/manual/mongodb_oidc.prose.test.ts b/test/manual/mongodb_oidc.prose.test.ts index bb4cfcb671f..0fe8a1c11fc 100644 --- a/test/manual/mongodb_oidc.prose.test.ts +++ b/test/manual/mongodb_oidc.prose.test.ts @@ -9,15 +9,13 @@ import { type CommandFailedEvent, type CommandStartedEvent, type CommandSucceededEvent, - type IdPServerInfo, MongoClient, MongoInvalidArgumentError, MongoMissingCredentialsError, MongoServerError, - OIDC_WORKFLOWS, - type OIDCCallbackContext + type OIDCToken, + type OIDCTokenParams } from '../mongodb'; -import { sleep } from '../tools/utils'; describe('MONGODB-OIDC', function () { context('when running in the environment', function () { @@ -27,48 +25,25 @@ describe('MONGODB-OIDC', function () { }); describe('OIDC Auth Spec Prose Tests', function () { - // Set up the cache variable. - const cache = OIDC_WORKFLOWS.get('callback').cache; - const callbackCache = OIDC_WORKFLOWS.get('callback').callbackCache; // Creates a request function for use in the test. const createRequestCallback = ( username = 'test_user1', expiresInSeconds?: number, extraFields?: any ) => { - return async (info: IdPServerInfo, context: OIDCCallbackContext) => { + return async (params: OIDCTokenParams) => { const token = await readFile(path.join(process.env.OIDC_TOKEN_DIR, username), { encoding: 'utf8' }); // Do some basic property assertions. - expect(context).to.have.property('timeoutSeconds'); - expect(info).to.have.property('issuer'); - expect(info).to.have.property('clientId'); - return generateResult(token, expiresInSeconds, extraFields); - }; - }; - - // Creates a refresh function for use in the test. - const createRefreshCallback = ( - username = 'test_user1', - expiresInSeconds?: number, - extraFields?: any - ) => { - return async (info: IdPServerInfo, context: OIDCCallbackContext) => { - const token = await readFile(path.join(process.env.OIDC_TOKEN_DIR, username), { - encoding: 'utf8' - }); - // Do some basic property assertions. - expect(context).to.have.property('timeoutSeconds'); - expect(info).to.have.property('issuer'); - expect(info).to.have.property('clientId'); + expect(params).to.have.property('timeoutContext'); return generateResult(token, expiresInSeconds, extraFields); }; }; // Generates the result the request or refresh callback returns. const generateResult = (token: string, expiresInSeconds?: number, extraFields?: any) => { - const response: OIDCRequestTokenResult = { accessToken: token }; + const response: OIDCToken = { accessToken: token }; if (expiresInSeconds) { response.expiresInSeconds = expiresInSeconds; } @@ -78,36 +53,25 @@ describe('MONGODB-OIDC', function () { return response; }; - beforeEach(function () { - callbackCache.clear(); - }); - describe('1. Callback-Driven Auth', function () { let client: MongoClient; let collection: Collection; - beforeEach(function () { - cache.clear(); - }); - afterEach(async function () { await client?.close(); }); describe('1.1 Single Principal Implicit Username', function () { before(function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create the default OIDC client. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback() + OIDC_TOKEN_CALLBACK: createRequestCallback() } }); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a request callback returns a valid token. - // Create a client that uses the default OIDC url and the request callback. - // Perform a find operation. that succeeds. // Close the client. it('successfully authenticates', async function () { const result = await collection.findOne(); @@ -117,17 +81,18 @@ describe('MONGODB-OIDC', function () { describe('1.2 Single Principal Explicit Username', function () { before(function () { - client = new MongoClient('mongodb://test_user1@localhost/?authMechanism=MONGODB-OIDC', { + // Create a client with ``MONGODB_URI_SINGLE``, a username of ``test_user1``, and the OIDC request callback. + const url = new URL(process.env.MONGODB_URI_SINGLE); + url.username = 'test_user1'; + url.searchParams.set('authMechanism', 'MONGODB-OIDC'); + client = new MongoClient(url.toString(), { authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback() + OIDC_TOKEN_CALLBACK: createRequestCallback() } }); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a request callback that returns a valid token. - // Create a client with a url of the form mongodb://test_user1@localhost/?authMechanism=MONGODB-OIDC and the OIDC request callback. // Perform a find operation that succeeds. // Close the client. it('successfully authenticates', async function () { @@ -138,20 +103,18 @@ describe('MONGODB-OIDC', function () { describe('1.3 Multiple Principal User 1', function () { before(function () { - client = new MongoClient( - 'mongodb://test_user1@localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred', - { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback() - } + // Create a client with ``MONGODB_URI_MULTI``, a username of ``test_user1``, and the OIDC request callback. + const url = new URL(process.env.MONGODB_URI_MULTI); + url.username = 'test_user1'; + url.searchParams.set('authMechanism', 'MONGODB-OIDC'); + client = new MongoClient(url.toString(), { + authMechanismProperties: { + OIDC_TOKEN_CALLBACK: createRequestCallback() } - ); - collection = client.db('test').collection('test'); + }); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a request callback that returns a valid token. - // Create a client with a url of the form mongodb://test_user1@localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred and a valid OIDC request callback. // Perform a find operation that succeeds. // Close the client. it('successfully authenticates', async function () { @@ -162,20 +125,18 @@ describe('MONGODB-OIDC', function () { describe('1.4 Multiple Principal User 2', function () { before(function () { - client = new MongoClient( - 'mongodb://test_user2@localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred', - { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user2') - } + // Create a client with ``MONGODB_URI_MULTI``, a username of ``test_user2``, and the OIDC request callback. + const url = new URL(process.env.MONGODB_URI_MULTI); + url.username = 'test_user2'; + url.searchParams.set('authMechanism', 'MONGODB-OIDC'); + client = new MongoClient(url.toString(), { + authMechanismProperties: { + OIDC_TOKEN_CALLBACK: createRequestCallback('test_user2') } - ); - collection = client.db('test').collection('test'); + }); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a request callback that reads in the generated test_user2 token file. - // Create a client with a url of the form mongodb://test_user2@localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred and a valid OIDC request callback. // Perform a find operation that succeeds. // Close the client. it('successfully authenticates', async function () { @@ -186,19 +147,15 @@ describe('MONGODB-OIDC', function () { describe('1.5 Multiple Principal No User', function () { before(function () { - client = new MongoClient( - 'mongodb://localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred', - { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback() - } + // Create a client with ``MONGODB_URI_MULTI``, no username, and the OIDC request callback. + client = new MongoClient(`${process.env.MONGODB_URI_MULTI}?authMechanism=MONGODB-OIDC`, { + authMechanismProperties: { + OIDC_TOKEN_CALLBACK: createRequestCallback() } - ); - collection = client.db('test').collection('test'); + }); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a client with a url of the form mongodb://localhost:27018/?authMechanism=MONGODB-OIDC&directConnection=true&readPreference=secondaryPreferred and a valid OIDC request callback. // Assert that a find operation fails. // Close the client. it('fails authentication', async function () { @@ -213,26 +170,22 @@ describe('MONGODB-OIDC', function () { }); describe('1.6 Allowed Hosts Blocked', function () { - before(function () { - cache.clear(); - }); - - // Clear the cache. - // Create a client that uses the OIDC url and a request callback, and an - // ``ALLOWED_HOSTS`` that is an empty list. // Assert that a ``find`` operation fails with a client-side error. // Close the client. context('when ALLOWED_HOSTS is empty', function () { before(function () { + // Create a default OIDC client, with an ``ALLOWED_HOSTS`` that is an empty list. client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { authMechanismProperties: { ALLOWED_HOSTS: [], - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 600) + OIDC_TOKEN_CALLBACK: createRequestCallback() } }); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); + // Assert that a ``find`` operation fails with a client-side error. + // Close the client. it('fails validation', async function () { const error = await collection.findOne().catch(error => error); expect(error).to.be.instanceOf(MongoInvalidArgumentError); @@ -255,7 +208,7 @@ describe('MONGODB-OIDC', function () { // { // authMechanismProperties: { // ALLOWED_HOSTS: ['example.com'], - // REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 600) + // OIDC_TOKEN_CALLBACK: createRequestCallback('test_user1', 600) // } // } // ); @@ -281,10 +234,10 @@ describe('MONGODB-OIDC', function () { client = new MongoClient('mongodb://evilmongodb.com/?authMechanism=MONGODB-OIDC', { authMechanismProperties: { ALLOWED_HOSTS: ['*mongodb.com'], - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 600) + OIDC_TOKEN_CALLBACK: createRequestCallback('test_user1', 600) } }); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); it('fails validation', async function () { @@ -296,73 +249,6 @@ describe('MONGODB-OIDC', function () { }); }); }); - - describe('1.7 Lock Avoids Extra Callback Calls', function () { - let requestCounter = 0; - - before(function () { - cache.clear(); - }); - - const requestCallback = async () => { - requestCounter++; - if (requestCounter > 1) { - throw new Error('Request callback was entered simultaneously.'); - } - const token = await readFile(path.join(process.env.OIDC_TOKEN_DIR, 'test_user1'), { - encoding: 'utf8' - }); - await sleep(3000); - requestCounter--; - return generateResult(token, 300); - }; - const refreshCallback = createRefreshCallback(); - const requestSpy = sinon.spy(requestCallback); - const refreshSpy = sinon.spy(refreshCallback); - - const createClient = () => { - return new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: requestSpy, - REFRESH_TOKEN_CALLBACK: refreshSpy - } - }); - }; - - const authenticate = async () => { - const client = createClient(); - await client.db('test').collection('test').findOne(); - await client.close(); - }; - - const testPromise = async () => { - await authenticate(); - await authenticate(); - }; - - // Clear the cache. - // Create a request callback that returns a token that will expire soon, and - // a refresh callback. Ensure that the request callback has a time delay, and - // that we can record the number of times each callback is called. - // Spawn two threads that do the following: - // - Create a client with the callbacks. - // - Run a find operation that succeeds. - // - Close the client. - // - Create a new client with the callbacks. - // - Run a find operation that succeeds. - // - Close the client. - // Join the two threads. - // Ensure that the request callback has been called once, and the refresh - // callback has been called twice. - it('does not simultaneously enter a callback', async function () { - await Promise.all([testPromise(), testPromise()]); - // The request callback will get called twice, but will not be entered - // simultaneously. If it does, the function will throw and we'll have - // and exception here. - expect(requestSpy).to.have.been.calledTwice; - expect(refreshSpy).to.have.been.calledTwice; - }); - }); }); describe('2. AWS Automatic Auth', function () { @@ -378,7 +264,7 @@ describe('MONGODB-OIDC', function () { client = new MongoClient( 'mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws' ); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); // Create a client with a url of the form mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws. @@ -395,7 +281,7 @@ describe('MONGODB-OIDC', function () { client = new MongoClient( 'mongodb://localhost:27018/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws&directConnection=true&readPreference=secondaryPreferred' ); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); // Create a client with a url of the form mongodb://localhost:27018/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws&directConnection=true&readPreference=secondaryPreferred. @@ -419,7 +305,7 @@ describe('MONGODB-OIDC', function () { client = new MongoClient( 'mongodb://localhost:27018/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws&directConnection=true&readPreference=secondaryPreferred' ); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); after(function () { @@ -447,7 +333,7 @@ describe('MONGODB-OIDC', function () { } } ); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); // Create a client with a url of the form mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws, and an ALLOWED_HOSTS that is an empty list. @@ -469,55 +355,42 @@ describe('MONGODB-OIDC', function () { }); describe('3.1 Valid Callbacks', function () { + // Create request callback that validates its inputs and returns a valid token. const requestSpy = sinon.spy(createRequestCallback('test_user1', 60)); - const refreshSpy = sinon.spy(createRefreshCallback()); const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestSpy, - REFRESH_TOKEN_CALLBACK: refreshSpy + OIDC_TOKEN_CALLBACK: requestSpy }; before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create a client that uses the above callbacks. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: authMechanismProperties }); - collection = client.db('test').collection('test'); - await collection.findOne(); - expect(requestSpy).to.have.been.calledOnce; - await client.close(); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create request and refresh callback that validate their inputs and return a valid token. The request callback must return a token that expires in one minute. - // Create a client that uses the above callbacks. - // Perform a find operation that succeeds. Verify that the request callback was called with the appropriate inputs, including the timeout parameter if possible. Ensure that there are no unexpected fields. - // Perform another find operation that succeeds. Verify that the refresh callback was called with the appropriate inputs, including the timeout parameter if possible. + // Perform a find operation that succeeds. Verify that the request callback was called with the + // appropriate inputs, including the timeout parameter if possible. Ensure that there are no unexpected fields. // Close the client. it('successfully authenticates with the request and refresh callbacks', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - collection = client.db('test').collection('test'); await collection.findOne(); - expect(refreshSpy).to.have.been.calledOnce; + expect(requestSpy).to.have.been.calledOnce; }); }); describe('3.2 Request Callback Returns Null', function () { before(function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create a client with a request callback that returns null. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: () => { + OIDC_TOKEN_CALLBACK: () => { return Promise.resolve(null); } } }); - collection = client.db('test').collection('test'); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a client with a request callback that returns null. // Perform a find operation that fails. // Close the client. it('fails authentication', async function () { @@ -533,61 +406,24 @@ describe('MONGODB-OIDC', function () { }); }); - describe('3.3 Refresh Callback Returns Null', function () { - const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 60), - REFRESH_TOKEN_CALLBACK: () => { - return Promise.resolve(null); - } - }; - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - collection = client.db('test').collection('test'); - await collection.findOne(); - await client.close(); - }); - - // Clear the cache. - // Create request callback that returns a valid token that will expire in a minute, and a refresh callback that returns null. - // Perform a find operation that succeeds. - // Perform a find operation that fails. - // Close the client. - it('fails authentication on refresh', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - try { - await client.db('test').collection('test').findOne(); - expect.fail('Expected OIDC auth to fail with invlid return from refresh callback'); - } catch (e) { - expect(e).to.be.instanceOf(MongoMissingCredentialsError); - expect(e.message).to.include( - 'User provided OIDC callbacks must return a valid object with an accessToken' - ); - } - }); - }); - describe('3.4 Request Callback Returns Invalid Data', function () { context('when the request callback has missing fields', function () { before(function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: () => { - return Promise.resolve({}); + // Create a client with a request callback that returns data not conforming to + // the OIDCRequestTokenResult with missing field(s). + client = new MongoClient( + `${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, + { + authMechanismProperties: { + OIDC_TOKEN_CALLBACK: () => { + return Promise.resolve({}); + } } } - }); - collection = client.db('test').collection('test'); + ); + collection = client.db('test').collection('nodeOidcTest'); }); - // Clear the cache. - // Create a client with a request callback that returns data not conforming to the OIDCRequestTokenResult with missing field(s). // Perform a find operation that fails. // Close the client. it('fails authentication', async function () { @@ -602,291 +438,14 @@ describe('MONGODB-OIDC', function () { } }); }); - - context('when the request callback has extra fields', function () { - before(function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 60, { foo: 'bar' }) - } - }); - collection = client.db('test').collection('test'); - }); - - // Create a client with a request callback that returns data not conforming to the OIDCRequestTokenResult with extra field(s). - // Perform a find operation that fails. - // Close the client. - it('fails authentication', async function () { - try { - await collection.findOne(); - expect.fail('Expected OIDC auth to fail with extra fields from request callback'); - } catch (e) { - expect(e).to.be.instanceOf(MongoMissingCredentialsError); - expect(e.message).to.include( - 'User provided OIDC callbacks must return a valid object with an accessToken' - ); - } - }); - }); - }); - - describe('3.5 Refresh Callback Returns Missing Data', function () { - const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 60), - REFRESH_TOKEN_CALLBACK: () => { - return Promise.resolve({}); - } - }; - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await client.db('test').collection('test').findOne(); - await client.close(); - }); - - // Clear the cache. - // Create request callback that returns a valid token that will expire in a minute, and a refresh callback that returns data not conforming to the OIDCRequestTokenResult with missing field(s). - // Create a client with the callbacks. - // Perform a find operation that succeeds. - // Close the client. - // Create a new client with the same callbacks. - // Perform a find operation that fails. - // Close the client. - it('fails authentication on the refresh', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - try { - await client.db('test').collection('test').findOne(); - expect.fail('Expected OIDC auth to fail with missing data from refresh callback'); - } catch (e) { - expect(e).to.be.instanceOf(MongoMissingCredentialsError); - expect(e.message).to.include( - 'User provided OIDC callbacks must return a valid object with an accessToken' - ); - } - }); - }); - - describe('3.6 Refresh Callback Returns Extra Data', function () { - const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 60), - REFRESH_TOKEN_CALLBACK: createRefreshCallback('test_user1', 60, { foo: 'bar' }) - }; - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await client.db('test').collection('test').findOne(); - await client.close(); - }); - - // Clear the cache. - // Create request callback that returns a valid token that will expire in a minute, and a refresh callback that returns data not conforming to the OIDCRequestTokenResult with extra field(s). - // Create a client with the callbacks. - // Perform a find operation that succeeds. - // Close the client. - // Create a new client with the same callbacks. - // Perform a find operation that fails. - // Close the client. - it('fails authentication on the refresh', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - try { - await client.db('test').collection('test').findOne(); - expect.fail('Expected OIDC auth to fail with extra fields from refresh callback'); - } catch (e) { - expect(e).to.be.instanceOf(MongoMissingCredentialsError); - expect(e.message).to.include( - 'User provided OIDC callbacks must return a valid object with an accessToken' - ); - } - }); }); }); - describe('4. Cached Credentials', function () { - let client: MongoClient; - let collection: Collection; - - afterEach(async function () { - await client?.close(); - }); - - describe('4.1 Cache with refresh', function () { - const requestCallback = createRequestCallback('test_user1', 60); - const refreshSpy = sinon.spy(createRefreshCallback('test_user1', 60)); - const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestCallback, - REFRESH_TOKEN_CALLBACK: refreshSpy - }; - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await client.db('test').collection('test').findOne(); - await client.close(); - }); - // Clear the cache. - // Create a new client with a request callback that gives credentials that expire in on minute. - // Ensure that a find operation adds credentials to the cache. - // Close the client. - // Create a new client with the same request callback and a refresh callback. - // Ensure that a find operation results in a call to the refresh callback. - // Close the client. - it('successfully authenticates and calls the refresh callback', async function () { - // Ensure credentials added to the cache. - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await client.db('test').collection('test').findOne(); - expect(refreshSpy).to.have.been.calledOnce; - }); - }); - - describe('4.2 Cache with no refresh', function () { - const requestSpy = sinon.spy(createRequestCallback('test_user1', 60)); - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: requestSpy - } - }); - await client.db('test').collection('test').findOne(); - await client.close(); - }); - - // Clear the cache. - // Create a new client with a request callback that gives credentials that expire in one minute. - // Ensure that a find operation adds credentials to the cache. - // Close the client. - // Create a new client with the a request callback but no refresh callback. - // Ensure that a find operation results in a call to the request callback. - // Close the client. - it('successfully authenticates and calls only the request callback', async function () { - expect(cache.entries.size).to.equal(1); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: requestSpy - } - }); - await client.db('test').collection('test').findOne(); - expect(requestSpy).to.have.been.calledTwice; - }); - }); - - describe('4.3 Cache key includes callback', function () { - const firstRequestCallback = createRequestCallback('test_user1'); - const secondRequestCallback = createRequestCallback('test_user1'); - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: firstRequestCallback - } - }); - await client.db('test').collection('test').findOne(); - await client.close(); - }); - - // Clear the cache. - // Create a new client with a request callback that does not give an `expiresInSeconds` value. - // Ensure that a find operation adds credentials to the cache. - // Close the client. - // Create a new client with a different request callback. - // Ensure that a find operation replaces the one-time entry with a new entry to the cache. - // Close the client. - it('replaces expired entries in the cache', async function () { - expect(cache.entries.size).to.equal(1); - const initialKey = cache.entries.keys().next().value; - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: { - REQUEST_TOKEN_CALLBACK: secondRequestCallback - } - }); - await client.db('test').collection('test').findOne(); - expect(cache.entries.size).to.equal(1); - const newKey = cache.entries.keys().next().value; - expect(newKey).to.not.equal(initialKey); - }); - }); - - describe('4.4 Error clears cache', function () { - const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: createRequestCallback('test_user1', 300), - REFRESH_TOKEN_CALLBACK: () => { - return Promise.resolve({}); - } - }; - - before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await client.db('test').collection('test').findOne(); - expect(cache.entries.size).to.equal(1); - await client.close(); - }); - - // Clear the cache. - // Create a new client with a valid request callback that gives credentials that expire within 5 minutes and a refresh callback that gives invalid credentials. - // Ensure that a find operation adds a new entry to the cache. - // Ensure that a subsequent find operation results in an error. - // Ensure that the cached token has been cleared. - // Close the client. - it('clears the cache on authentication error', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - try { - await client.db('test').collection('test').findOne(); - expect.fail('Expected OIDC auth to fail with invalid fields from refresh callback'); - } catch (error) { - expect(error).to.be.instanceOf(MongoMissingCredentialsError); - expect(error.message).to.include(''); - expect(cache.entries.size).to.equal(0); - } - }); - }); - - describe('4.5 AWS Automatic workflow does not use cache', function () { - before(function () { - cache.clear(); - client = new MongoClient( - 'mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws' - ); - collection = client.db('test').collection('test'); - }); - - // Clear the cache. - // Create a new client that uses the AWS automatic workflow. - // Ensure that a find operation does not add credentials to the cache. - // Close the client. - it('authenticates with no cache usage', async function () { - await collection.findOne(); - expect(cache.entries.size).to.equal(0); - }); - }); - }); - - describe('5. Speculative Authentication', function () { + describe('4. Speculative Authentication', function () { let client: MongoClient; const requestCallback = createRequestCallback('test_user1', 600); const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestCallback + OIDC_TOKEN_CALLBACK: requestCallback }; // Removes the fail point. @@ -920,53 +479,41 @@ describe('MONGODB-OIDC', function () { }); before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create a client with a request callback that returns a valid token. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: authMechanismProperties }); + // Set a fail point for saslStart commands of the form: + // + // { + // "configureFailPoint": "failCommand", + // "mode": { + // "times": 2 + // }, + // "data": { + // "failCommands": [ + // "saslStart" + // ], + // "errorCode": 18 + // } + // } + // + // Note + // + // The driver MUST either use a unique appName or explicitly remove the failCommand after the test to prevent leakage. + // await setupFailPoint(); - await client.db('test').collection('test').findOne(); - await client.close(); }); - // Clear the cache. - // Create a client with a request callback that returns a valid token that will not expire soon. - // Set a fail point for saslStart commands of the form: - // - // { - // "configureFailPoint": "failCommand", - // "mode": { - // "times": 2 - // }, - // "data": { - // "failCommands": [ - // "saslStart" - // ], - // "errorCode": 18 - // } - // } - // - // Note - // - // The driver MUST either use a unique appName or explicitly remove the failCommand after the test to prevent leakage. - // - // Perform a find operation that succeeds. - // Close the client. - // Create a new client with the same properties without clearing the cache. - // Set a fail point for saslStart commands. // Perform a find operation that succeeds. // Close the client. it('successfully speculative authenticates', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties - }); - await setupFailPoint(); - const result = await client.db('test').collection('test').findOne(); + const result = await client.db('test').collection('nodeOidcTest').findOne(); expect(result).to.be.null; }); }); - describe('6. Reauthentication', function () { + describe('5. Reauthentication', function () { let client: MongoClient; // Removes the fail point. @@ -977,12 +524,10 @@ describe('MONGODB-OIDC', function () { }); }; - describe('6.1 Succeeds', function () { - const requestCallback = createRequestCallback('test_user1', 600); - const refreshSpy = sinon.spy(createRefreshCallback('test_user1', 600)); + describe('5.1 Succeeds', function () { + const requestSpy = sinon.spy(createRequestCallback('test_user1', 60)); const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestCallback, - REFRESH_TOKEN_CALLBACK: refreshSpy + OIDC_TOKEN_CALLBACK: requestSpy }; const commandStartedEvents: CommandStartedEvent[] = []; const commandSucceededEvents: CommandSucceededEvent[] = []; @@ -1028,13 +573,18 @@ describe('MONGODB-OIDC', function () { }; before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties + // Create a default OIDC client and an event listener. The following assumes that the driver does not + // emit saslStart or saslContinue events. If the driver does emit those events, + // ignore/filter them for the purposes of this test. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { + authMechanismProperties: authMechanismProperties, + monitorCommands: true }); - await client.db('test').collection('test').findOne(); - expect(refreshSpy).to.not.be.called; - client.close(); + // Perform a find operation that succeeds. + // Assert that the request callback has been called once. + // Clear the listener state if possible. + await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledOnce; }); afterEach(async function () { @@ -1042,12 +592,6 @@ describe('MONGODB-OIDC', function () { await client.close(); }); - // Clear the cache. - // Create request and refresh callbacks that return valid credentials that will not expire soon. - // Create a client with the callbacks and an event listener. The following assumes that the driver does not emit saslStart or saslContinue events. If the driver does emit those events, ignore/filter them for the purposes of this test. - // Perform a find operation that succeeds. - // Assert that the refresh callback has not been called. - // Clear the listener state if possible. // Force a reauthenication using a failCommand of the form: // // { @@ -1068,20 +612,16 @@ describe('MONGODB-OIDC', function () { // the driver MUST either use a unique appName or explicitly remove the failCommand after the test to prevent leakage. // // Perform another find operation that succeeds. - // Assert that the refresh callback has been called once, if possible. + // Assert that the request callback has been called twice. // Assert that the ordering of list started events is [find], , find. Note that if the listener stat could not be cleared then there will and be extra find command. // Assert that the list of command succeeded events is [find]. // Assert that a find operation failed once during the command execution. // Close the client. it('successfully reauthenticates', async function () { - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { - authMechanismProperties: authMechanismProperties, - monitorCommands: true - }); - addListeners(); await setupFailPoint(); - await client.db('test').collection('test').findOne(); - expect(refreshSpy).to.have.been.calledOnce; + addListeners(); + await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledTwice; expect(commandStartedEvents.map(event => event.commandName)).to.deep.equal([ 'find', 'find' @@ -1091,12 +631,11 @@ describe('MONGODB-OIDC', function () { }); }); - describe('6.2 Retries and Succeeds with Cache', function () { + describe('5.2 Succeeds no refresh', function () { const requestCallback = createRequestCallback('test_user1', 600); - const refreshCallback = createRefreshCallback('test_user1', 600); + const requestSpy = sinon.spy(requestCallback); const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestCallback, - REFRESH_TOKEN_CALLBACK: refreshCallback + OIDC_TOKEN_CALLBACK: requestSpy }; // Sets up the fail point for the find to reauthenticate. const setupFailPoint = async () => { @@ -1109,18 +648,21 @@ describe('MONGODB-OIDC', function () { times: 1 }, data: { - failCommands: ['find', 'saslStart'], + failCommands: ['find'], errorCode: 391 } }); }; before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create a default OIDC client with a request callback that does not return a refresh token. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: authMechanismProperties }); - await client.db('test').collection('test').findOne(); + // Perform a ``find`` operation that succeeds. + // Assert that the request callback has been called once. + await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledOnce; await setupFailPoint(); }); @@ -1129,9 +671,71 @@ describe('MONGODB-OIDC', function () { await client.close(); }); - // Clear the cache. - // Create request and refresh callbacks that return valid credentials that will not expire soon. + // Force a reauthenication using a failCommand of the form: + // + // { + // "configureFailPoint": "failCommand", + // "mode": { + // "times": 1 + // }, + // "data": { + // "failCommands": [ + // "find" + // ], + // "errorCode": 391 + // } + // } + // // Perform a find operation that succeeds. + // Assert that the request callback has been called twice. + // Close the client. + it('successfully authenticates', async function () { + const result = await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledTwice; + expect(result).to.be.null; + }); + }); + + describe('5.3 Succeeds after refresh fails', function () { + const requestCallback = createRequestCallback('test_user1', 600); + const requestSpy = sinon.spy(requestCallback); + const authMechanismProperties = { + OIDC_TOKEN_CALLBACK: requestSpy + }; + // Sets up the fail point for the find to reauthenticate. + const setupFailPoint = async () => { + return await client + .db() + .admin() + .command({ + configureFailPoint: 'failCommand', + mode: { + times: 2 + }, + data: { + failCommands: ['find', 'saslContinue'], + errorCode: 391 + } + }); + }; + + before(async function () { + // Create a default OIDC client. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { + authMechanismProperties: authMechanismProperties + }); + // Perform a ``find`` operation that succeeds. + // Assert that the request callback has been called once. + await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledOnce; + await setupFailPoint(); + }); + + afterEach(async function () { + await removeFailPoint(); + await client.close(); + }); + // Force a reauthenication using a failCommand of the form: // // { @@ -1141,26 +745,27 @@ describe('MONGODB-OIDC', function () { // }, // "data": { // "failCommands": [ - // "find", "saslStart" + // "find", "saslContinue" // ], // "errorCode": 391 // } // } // // Perform a find operation that succeeds. + // Assert that the request callback has been called three times. // Close the client. it('successfully authenticates', async function () { - const result = await client.db('test').collection('test').findOne(); + const result = await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledThrice; expect(result).to.be.null; }); }); - describe('6.3 Retries and Fails with no Cache', function () { + describe('5.3 Fails', function () { const requestCallback = createRequestCallback('test_user1', 600); - const refreshCallback = createRefreshCallback('test_user1', 600); + const requestSpy = sinon.spy(requestCallback); const authMechanismProperties = { - REQUEST_TOKEN_CALLBACK: requestCallback, - REFRESH_TOKEN_CALLBACK: refreshCallback + OIDC_TOKEN_CALLBACK: requestSpy }; // Sets up the fail point for the find to reauthenticate. const setupFailPoint = async () => { @@ -1180,12 +785,14 @@ describe('MONGODB-OIDC', function () { }; before(async function () { - cache.clear(); - client = new MongoClient('mongodb://localhost/?authMechanism=MONGODB-OIDC', { + // Create a default OIDC client. + client = new MongoClient(`${process.env.MONGODB_URI_SINGLE}?authMechanism=MONGODB-OIDC`, { authMechanismProperties: authMechanismProperties }); - await client.db('test').collection('test').findOne(); - cache.clear(); + // Perform a find operation that succeeds (to force a speculative auth). + // Assert that the request callback has been called once. + await client.db('test').collection('nodeOidcTest').findOne(); + expect(requestSpy).to.have.been.calledOnce; await setupFailPoint(); }); @@ -1194,10 +801,6 @@ describe('MONGODB-OIDC', function () { await client.close(); }); - // Clear the cache. - // Create request and refresh callbacks that return valid credentials that will not expire soon. - // Perform a find operation that succeeds (to force a speculative auth). - // Clear the cache. // Force a reauthenication using a failCommand of the form: // // { @@ -1214,17 +817,20 @@ describe('MONGODB-OIDC', function () { // } // // Perform a find operation that fails. + // Assert that the request callback has been called twice. // Close the client. it('fails authentication', async function () { try { - await client.db('test').collection('test').findOne(); + await client.db('test').collection('nodeOidcTest').findOne(); expect.fail('Reauthentication must fail on the saslStart error'); } catch (error) { // This is the saslStart failCommand bubbled up. expect(error).to.be.instanceOf(MongoServerError); + expect(requestSpy).to.have.been.calledTwice; } }); }); }); + // describe('6. Separate Connections Avoid Extra Callback Calls', function () {}); }); }); diff --git a/test/mongodb.ts b/test/mongodb.ts index 18986610e56..c4155e70b62 100644 --- a/test/mongodb.ts +++ b/test/mongodb.ts @@ -106,13 +106,11 @@ export * from '../src/cmap/auth/mongo_credentials'; export * from '../src/cmap/auth/mongocr'; export * from '../src/cmap/auth/mongodb_aws'; export * from '../src/cmap/auth/mongodb_oidc'; -export * from '../src/cmap/auth/mongodb_oidc/aws_service_workflow'; -export * from '../src/cmap/auth/mongodb_oidc/azure_service_workflow'; +export * from '../src/cmap/auth/mongodb_oidc/aws_machine_workflow'; +export * from '../src/cmap/auth/mongodb_oidc/azure_machine_workflow'; export * from '../src/cmap/auth/mongodb_oidc/azure_token_cache'; -export * from '../src/cmap/auth/mongodb_oidc/callback_lock_cache'; export * from '../src/cmap/auth/mongodb_oidc/callback_workflow'; -export * from '../src/cmap/auth/mongodb_oidc/service_workflow'; -export * from '../src/cmap/auth/mongodb_oidc/token_entry_cache'; +export * from '../src/cmap/auth/mongodb_oidc/machine_workflow'; export * from '../src/cmap/auth/plain'; export * from '../src/cmap/auth/providers'; export * from '../src/cmap/auth/scram'; diff --git a/test/spec/auth/legacy/connection-string.json b/test/spec/auth/legacy/connection-string.json index fcb2dbf57d3..982edb8b36a 100644 --- a/test/spec/auth/legacy/connection-string.json +++ b/test/spec/auth/legacy/connection-string.json @@ -480,70 +480,9 @@ "AWS_SESSION_TOKEN": "token!@#$%^&*()_+" } } - }, - { - "description": "should recognise the mechanism and request callback (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC", - "callback": ["oidcRequest"], - "valid": true, - "credential": { - "username": null, - "password": null, - "source": "$external", - "mechanism": "MONGODB-OIDC", - "mechanism_properties": { - "REQUEST_TOKEN_CALLBACK": true - } - } }, { - "description": "should recognise the mechanism when auth source is explicitly specified and with request callback (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external", - "callback": ["oidcRequest"], - "valid": true, - "credential": { - "username": null, - "password": null, - "source": "$external", - "mechanism": "MONGODB-OIDC", - "mechanism_properties": { - "REQUEST_TOKEN_CALLBACK": true - } - } - }, - { - "description": "should recognise the mechanism with request and refresh callback (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC", - "callback": ["oidcRequest", "oidcRefresh"], - "valid": true, - "credential": { - "username": null, - "password": null, - "source": "$external", - "mechanism": "MONGODB-OIDC", - "mechanism_properties": { - "REQUEST_TOKEN_CALLBACK": true, - "REFRESH_TOKEN_CALLBACK": true - } - } - }, - { - "description": "should recognise the mechanism and username with request callback (MONGODB-OIDC)", - "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC", - "callback": ["oidcRequest"], - "valid": true, - "credential": { - "username": "principalName", - "password": null, - "source": "$external", - "mechanism": "MONGODB-OIDC", - "mechanism_properties": { - "REQUEST_TOKEN_CALLBACK": true - } - } - }, - { - "description": "should recognise the mechanism with aws device (MONGODB-OIDC)", + "description": "should recognise the mechanism with aws provider (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws", "valid": true, "credential": { @@ -552,12 +491,12 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "PROVIDER_NAME": "aws" + "PROVIDER_NAME": "aws" } } }, { - "description": "should recognise the mechanism when auth source is explicitly specified and with aws device (MONGODB-OIDC)", + "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws", "valid": true, "credential": { @@ -566,39 +505,31 @@ "source": "$external", "mechanism": "MONGODB-OIDC", "mechanism_properties": { - "PROVIDER_NAME": "aws" + "PROVIDER_NAME": "aws" } } }, { - "description": "should throw an exception if username and password are specified (MONGODB-OIDC)", - "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC", - "callback": ["oidcRequest"], - "valid": false, - "credential": null - }, - { - "description": "should throw an exception if username and deviceName are specified (MONGODB-OIDC)", - "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:gcp", + "description": "should throw an exception if supplied a password (MONGODB-OIDC)", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws", "valid": false, "credential": null }, { - "description": "should throw an exception if specified deviceName is not supported (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:unexisted", + "description": "should throw an exception if username is specified for aws (MONGODB-OIDC)", + "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws", "valid": false, "credential": null }, { - "description": "should throw an exception if neither deviceName nor callbacks specified (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC", + "description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid", "valid": false, "credential": null }, { - "description": "should throw an exception when only refresh callback is specified (MONGODB-OIDC)", + "description": "should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)", "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC", - "callback": ["oidcRefresh"], "valid": false, "credential": null }, diff --git a/test/spec/auth/legacy/connection-string.yml b/test/spec/auth/legacy/connection-string.yml index 9f8aab4a725..d2658e0309b 100644 --- a/test/spec/auth/legacy/connection-string.yml +++ b/test/spec/auth/legacy/connection-string.yml @@ -350,58 +350,7 @@ tests: mechanism: MONGODB-AWS mechanism_properties: AWS_SESSION_TOKEN: token!@#$%^&*()_+ -- description: should recognise the mechanism and request callback (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC - callback: - - oidcRequest - valid: true - credential: - username: - password: - source: "$external" - mechanism: MONGODB-OIDC - mechanism_properties: - REQUEST_TOKEN_CALLBACK: true -- description: should recognise the mechanism when auth source is explicitly specified - and with request callback (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external - callback: - - oidcRequest - valid: true - credential: - username: - password: - source: "$external" - mechanism: MONGODB-OIDC - mechanism_properties: - REQUEST_TOKEN_CALLBACK: true -- description: should recognise the mechanism with request and refresh callback (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC - callback: - - oidcRequest - - oidcRefresh - valid: true - credential: - username: - password: - source: "$external" - mechanism: MONGODB-OIDC - mechanism_properties: - REQUEST_TOKEN_CALLBACK: true - REFRESH_TOKEN_CALLBACK: true -- description: should recognise the mechanism and username with request callback (MONGODB-OIDC) - uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC - callback: - - oidcRequest - valid: true - credential: - username: principalName - password: - source: "$external" - mechanism: MONGODB-OIDC - mechanism_properties: - REQUEST_TOKEN_CALLBACK: true -- description: should recognise the mechanism with aws device (MONGODB-OIDC) +- description: should recognise the mechanism with aws provider (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws valid: true credential: @@ -411,8 +360,7 @@ tests: mechanism: MONGODB-OIDC mechanism_properties: PROVIDER_NAME: aws -- description: should recognise the mechanism when auth source is explicitly specified - and with aws device (MONGODB-OIDC) +- description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws valid: true credential: @@ -422,35 +370,23 @@ tests: mechanism: MONGODB-OIDC mechanism_properties: PROVIDER_NAME: aws -- description: should throw an exception if username and password are specified (MONGODB-OIDC) - uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC - callback: - - oidcRequest - valid: false - credential: -- description: should throw an exception if username and deviceName are specified - (MONGODB-OIDC) - uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:gcp +- description: should throw an exception if supplied a password (MONGODB-OIDC) + uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws valid: false credential: -- description: should throw an exception if specified deviceName is not supported - (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:unexisted +- description: should throw an exception if username is specified for aws (MONGODB-OIDC) + uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws valid: false credential: -- description: should throw an exception if neither deviceName nor callbacks specified - (MONGODB-OIDC) - uri: mongodb://localhost/?authMechanism=MONGODB-OIDC +- description: should throw an exception if specified provider is not supported (MONGODB-OIDC) + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid valid: false credential: -- description: should throw an exception when only refresh callback is specified (MONGODB-OIDC) +- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC - callback: - - oidcRefresh valid: false credential: -- description: should throw an exception when unsupported auth property is specified - (MONGODB-OIDC) +- description: should throw an exception when unsupported auth property is specified (MONGODB-OIDC) uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=UnsupportedProperty:unexisted valid: false credential: diff --git a/test/spec/auth/unified/reauthenticate_with_retry.json b/test/spec/auth/unified/oidc-auth-with-retry.json similarity index 72% rename from test/spec/auth/unified/reauthenticate_with_retry.json rename to test/spec/auth/unified/oidc-auth-with-retry.json index ef110562ede..aeae3288c98 100644 --- a/test/spec/auth/unified/reauthenticate_with_retry.json +++ b/test/spec/auth/unified/oidc-auth-with-retry.json @@ -1,10 +1,11 @@ { - "description": "reauthenticate_with_retry", - "schemaVersion": "1.12", + "description": "OIDC authentication with retry", + "schemaVersion": "1.18", "runOnRequirements": [ { - "minServerVersion": "6.3", - "auth": true + "minServerVersion": "7.0", + "auth": true, + "authMechanism": "MONGODB-OIDC" } ], "createEntities": [ @@ -12,6 +13,10 @@ "client": { "id": "client0", "uriOptions": { + "authMechanism": "MONGODB-OIDC", + "authMechanismProperties": { + "$$placeholder": 1 + }, "retryReads": true, "retryWrites": true }, @@ -26,7 +31,7 @@ "database": { "id": "database0", "client": "client0", - "databaseName": "db" + "databaseName": "test" } }, { @@ -40,40 +45,26 @@ "initialData": [ { "collectionName": "collName", - "databaseName": "db", - "documents": [] + "databaseName": "test", + "documents": [ + + ] } ], "tests": [ { - "description": "Read command should reauthenticate when receive ReauthenticationRequired error code and retryReads=true", + "description": "A simple find operation should succeed", "operations": [ - { - "name": "failPoint", - "object": "testRunner", - "arguments": { - "client": "client0", - "failPoint": { - "configureFailPoint": "failCommand", - "mode": { - "times": 1 - }, - "data": { - "failCommands": [ - "find" - ], - "errorCode": 391 - } - } - } - }, { "name": "find", "arguments": { - "filter": {} + "filter": { + } }, "object": "collection0", - "expectResult": [] + "expectResult": [ + + ] } ], "expectEvents": [ @@ -84,20 +75,8 @@ "commandStartedEvent": { "command": { "find": "collName", - "filter": {} - } - } - }, - { - "commandFailedEvent": { - "commandName": "find" - } - }, - { - "commandStartedEvent": { - "command": { - "find": "collName", - "filter": {} + "filter": { + } } } }, diff --git a/test/spec/auth/unified/reauthenticate_with_retry.yml b/test/spec/auth/unified/oidc-auth-with-retry.yml similarity index 71% rename from test/spec/auth/unified/reauthenticate_with_retry.yml rename to test/spec/auth/unified/oidc-auth-with-retry.yml index bf7cb56f3c8..47481d963d8 100644 --- a/test/spec/auth/unified/reauthenticate_with_retry.yml +++ b/test/spec/auth/unified/oidc-auth-with-retry.yml @@ -1,13 +1,20 @@ --- -description: reauthenticate_with_retry -schemaVersion: '1.12' +description: "OIDC authentication with retry" +schemaVersion: "1.18" runOnRequirements: -- minServerVersion: '6.3' +- minServerVersion: "7.0" auth: true + authMechanism: "MONGODB-OIDC" createEntities: - client: id: client0 uriOptions: + authMechanism: "MONGODB-OIDC" + # The $$placeholder document should be replaced by auth mechanism + # properties that enable OIDC auth on the target cloud platform. For + # example, when running the test on AWS, replace the $$placeholder + # document with {"PROVIDER_NAME": "aws"}. + authMechanismProperties: { $$placeholder: 1 } retryReads: true retryWrites: true observeEvents: @@ -17,31 +24,18 @@ createEntities: - database: id: database0 client: client0 - databaseName: db + databaseName: test - collection: id: collection0 database: database0 collectionName: collName initialData: - collectionName: collName - databaseName: db + databaseName: test documents: [] tests: -- description: Read command should reauthenticate when receive ReauthenticationRequired - error code and retryReads=true +- description: A simple find operation should succeed operations: - - name: failPoint - object: testRunner - arguments: - client: client0 - failPoint: - configureFailPoint: failCommand - mode: - times: 1 - data: - failCommands: - - find - errorCode: 391 - name: find arguments: filter: {} @@ -50,12 +44,6 @@ tests: expectEvents: - client: client0 events: - - commandStartedEvent: - command: - find: collName - filter: {} - - commandFailedEvent: - commandName: find - commandStartedEvent: command: find: collName diff --git a/test/spec/auth/unified/reauthenticate_without_retry.json b/test/spec/auth/unified/oidc-auth-without-retry.json similarity index 69% rename from test/spec/auth/unified/reauthenticate_without_retry.json rename to test/spec/auth/unified/oidc-auth-without-retry.json index 6fded476344..ad8c93c03ff 100644 --- a/test/spec/auth/unified/reauthenticate_without_retry.json +++ b/test/spec/auth/unified/oidc-auth-without-retry.json @@ -1,19 +1,29 @@ { - "description": "reauthenticate_without_retry", - "schemaVersion": "1.12", + "description": "OIDC authentication without retry", + "schemaVersion": "1.18", "runOnRequirements": [ { - "minServerVersion": "6.3", - "auth": true + "minServerVersion": "7.0", + "auth": true, + "authMechanism": "MONGODB-OIDC" } ], "createEntities": [ + { + "client": { + "id": "authClient" + } + }, { "client": { "id": "client0", "uriOptions": { - "retryReads": false, - "retryWrites": false + "authMechanism": "MONGODB-OIDC", + "authMechanismProperties": { + "$$placeholder": 1 + }, + "retryReads": true, + "retryWrites": true }, "observeEvents": [ "commandStartedEvent", @@ -26,7 +36,7 @@ "database": { "id": "database0", "client": "client0", - "databaseName": "db" + "databaseName": "test" } }, { @@ -40,40 +50,26 @@ "initialData": [ { "collectionName": "collName", - "databaseName": "db", - "documents": [] + "databaseName": "test", + "documents": [ + + ] } ], "tests": [ { - "description": "Read command should reauthenticate when receive ReauthenticationRequired error code and retryReads=false", + "description": "A simple find operation should succeed", "operations": [ - { - "name": "failPoint", - "object": "testRunner", - "arguments": { - "client": "client0", - "failPoint": { - "configureFailPoint": "failCommand", - "mode": { - "times": 1 - }, - "data": { - "failCommands": [ - "find" - ], - "errorCode": 391 - } - } - } - }, { "name": "find", "arguments": { - "filter": {} + "filter": { + } }, "object": "collection0", - "expectResult": [] + "expectResult": [ + + ] } ], "expectEvents": [ @@ -84,20 +80,8 @@ "commandStartedEvent": { "command": { "find": "collName", - "filter": {} - } - } - }, - { - "commandFailedEvent": { - "commandName": "find" - } - }, - { - "commandStartedEvent": { - "command": { - "find": "collName", - "filter": {} + "filter": { + } } } }, @@ -111,7 +95,7 @@ ] }, { - "description": "Write command should reauthenticate when receive ReauthenticationRequired error code and retryWrites=false", + "description": "Write command should reauthenticate when receive ReauthenticationRequired error code and retryWrites=true", "operations": [ { "name": "failPoint", diff --git a/test/spec/auth/unified/reauthenticate_without_retry.yml b/test/spec/auth/unified/oidc-auth-without-retry.yml similarity index 68% rename from test/spec/auth/unified/reauthenticate_without_retry.yml rename to test/spec/auth/unified/oidc-auth-without-retry.yml index 394c4be91e0..16b4978d1d1 100644 --- a/test/spec/auth/unified/reauthenticate_without_retry.yml +++ b/test/spec/auth/unified/oidc-auth-without-retry.yml @@ -1,15 +1,24 @@ --- -description: reauthenticate_without_retry -schemaVersion: '1.13' +description: "OIDC authentication without retry" +schemaVersion: "1.18" runOnRequirements: -- minServerVersion: '6.3' +- minServerVersion: "7.0" auth: true + authMechanism: "MONGODB-OIDC" createEntities: +- client: + id: authClient - client: id: client0 uriOptions: - retryReads: false - retryWrites: false + authMechanism: "MONGODB-OIDC" + # The $$placeholder document should be replaced by auth mechanism + # properties that enable OIDC auth on the target cloud platform. For + # example, when running the test on AWS, replace the $$placeholder + # document with {"PROVIDER_NAME": "aws"}. + authMechanismProperties: { $$placeholder: 1 } + retryReads: true + retryWrites: true observeEvents: - commandStartedEvent - commandSucceededEvent @@ -17,31 +26,18 @@ createEntities: - database: id: database0 client: client0 - databaseName: db + databaseName: test - collection: id: collection0 database: database0 collectionName: collName initialData: - collectionName: collName - databaseName: db + databaseName: test documents: [] tests: -- description: Read command should reauthenticate when receive ReauthenticationRequired - error code and retryReads=false +- description: A simple find operation should succeed operations: - - name: failPoint - object: testRunner - arguments: - client: client0 - failPoint: - configureFailPoint: failCommand - mode: - times: 1 - data: - failCommands: - - find - errorCode: 391 - name: find arguments: filter: {} @@ -50,12 +46,6 @@ tests: expectEvents: - client: client0 events: - - commandStartedEvent: - command: - find: collName - filter: {} - - commandFailedEvent: - commandName: find - commandStartedEvent: command: find: collName @@ -63,7 +53,7 @@ tests: - commandSucceededEvent: commandName: find - description: Write command should reauthenticate when receive ReauthenticationRequired - error code and retryWrites=false + error code and retryWrites=true operations: - name: failPoint object: testRunner diff --git a/test/tools/runner/config.ts b/test/tools/runner/config.ts index e4f3dd52a3f..8c4b95ac499 100644 --- a/test/tools/runner/config.ts +++ b/test/tools/runner/config.ts @@ -340,6 +340,11 @@ export class TestConfiguration { url.searchParams.append('authSource', 'admin'); } + if (this.uri.includes('MONGODB-OIDC')) { + // eslint-disable-next-line @typescript-eslint/no-non-null-assertion + return process.env.MONGODB_URI!; + } + const connectionString = url.toString().replace(FILLER_HOST, actualHostsString); return connectionString; diff --git a/test/tools/runner/filters/mongodb_version_filter.js b/test/tools/runner/filters/mongodb_version_filter.js index eff44d56a96..3281ce51f76 100755 --- a/test/tools/runner/filters/mongodb_version_filter.js +++ b/test/tools/runner/filters/mongodb_version_filter.js @@ -25,6 +25,7 @@ class MongoDBVersionFilter { } client.db('admin').command({ buildInfo: true }, (err, result) => { + console.log(err, result); if (err) { callback(err); return; diff --git a/test/tools/runner/hooks/configuration.js b/test/tools/runner/hooks/configuration.js index e947a6f069d..08089bb8fc6 100644 --- a/test/tools/runner/hooks/configuration.js +++ b/test/tools/runner/hooks/configuration.js @@ -113,13 +113,6 @@ const testConfigBeforeHook = async function () { this.configuration = new AstrolabeTestConfiguration(process.env.DRIVERS_ATLAS_TESTING_URI, {}); return; } - // TODO(NODE-5035): Implement OIDC support. Creating the MongoClient will fail - // with "MongoInvalidArgumentError: AuthMechanism 'MONGODB-OIDC' not supported" - // as is expected until that ticket goes in. Then this condition gets removed. - if (MONGODB_URI && MONGODB_URI.includes('MONGODB-OIDC')) { - this.configuration = new TestConfiguration(MONGODB_URI, {}); - return; - } const client = new MongoClient(loadBalanced ? SINGLE_MONGOS_LB_URI : MONGODB_URI, { ...getEnvironmentalOptions(), diff --git a/test/tools/unified-spec-runner/runner.ts b/test/tools/unified-spec-runner/runner.ts index 9f1fb3925f5..4a18655619f 100644 --- a/test/tools/unified-spec-runner/runner.ts +++ b/test/tools/unified-spec-runner/runner.ts @@ -73,6 +73,13 @@ async function runUnifiedTest( if (ctx.configuration.isLoadBalanced) { // The util client can always point at the single mongos LB frontend. utilClient = ctx.configuration.newClient(ctx.configuration.singleMongosLoadBalancerUri); + } else if (process.env.UTIL_CLIENT_USER && process.env.UTIL_CLIENT_PASSWORD) { + utilClient = ctx.configuration.newClient({ + auth: { + username: process.env.UTIL_CLIENT_USER, + password: process.env.UTIL_CLIENT_PASSWORD + } + }); } else { utilClient = ctx.configuration.newClient(); } diff --git a/test/tools/unified-spec-runner/schema.ts b/test/tools/unified-spec-runner/schema.ts index 3b3daef8042..f9bbd534e9f 100644 --- a/test/tools/unified-spec-runner/schema.ts +++ b/test/tools/unified-spec-runner/schema.ts @@ -107,6 +107,7 @@ export type TopologyId = (typeof TopologyType)[keyof typeof TopologyType]; export interface RunOnRequirement { serverless?: 'forbid' | 'allow' | 'require'; auth?: boolean; + authMechanism?: string; maxServerVersion?: string; minServerVersion?: string; topologies?: TopologyId[]; diff --git a/test/tools/unified-spec-runner/unified-utils.ts b/test/tools/unified-spec-runner/unified-utils.ts index 233274b2925..374ae467927 100644 --- a/test/tools/unified-spec-runner/unified-utils.ts +++ b/test/tools/unified-spec-runner/unified-utils.ts @@ -100,6 +100,13 @@ export async function topologySatisfies( if (!ok && skipReason == null) { skipReason = `requires auth but auth is not enabled`; } + if ( + r.authMechanism && + !config.parameters.authenticationMechanisms.includes(r.authMechanism) + ) { + ok &&= false; + skipReason = `requires ${r.authMechanism} to be supported by the server`; + } } else if (r.auth === false) { ok &&= process.env.AUTH === 'noauth' || process.env.AUTH == null; if (!ok && skipReason == null) skipReason = `requires no auth but auth is enabled`; @@ -203,7 +210,16 @@ export function makeConnectionString( ): string { const connectionString = new ConnectionString(uri); for (const [name, value] of Object.entries(uriOptions ?? {})) { - connectionString.searchParams.set(name, String(value)); + // If name is authMechanismProperties and value is { $$placeholder: 1 } + // Then look at the environment for the proper value to set. + if (name === 'authMechanismProperties' && '$$placeholder' in (value as any)) { + // If we're in AWS set the PROVIDER_NAME. + if (process.env.AWS_WEB_IDENTITY_TOKEN_FILE) { + connectionString.searchParams.set(name, 'PROVIDER_NAME:aws'); + } + } else { + connectionString.searchParams.set(name, String(value)); + } } return connectionString.toString(); } diff --git a/test/tools/uri_spec_runner.ts b/test/tools/uri_spec_runner.ts index 6ad6e863819..09b7d24cdc6 100644 --- a/test/tools/uri_spec_runner.ts +++ b/test/tools/uri_spec_runner.ts @@ -91,15 +91,11 @@ export function executeUriValidationTest( const CALLBACKS = { oidcRequest: async () => { return { accessToken: '' }; - }, - oidcRefresh: async () => { - return { accessToken: '' }; } }; const CALLBACK_MAPPINGS = { - oidcRequest: 'REQUEST_TOKEN_CALLBACK', - oidcRefresh: 'REFRESH_TOKEN_CALLBACK' + oidcRequest: 'OIDC_TOKEN_CALLBACK' }; const mongoClientOptions = {}; @@ -223,10 +219,7 @@ export function executeUriValidationTest( // TODO(NODE-3925): Ensure default SERVICE_NAME is set on the parsed mechanism properties continue; } - if ( - expectedMechProp === 'REQUEST_TOKEN_CALLBACK' || - expectedMechProp === 'REFRESH_TOKEN_CALLBACK' - ) { + if (expectedMechProp === 'OIDC_TOKEN_CALLBACK') { expect( options, `${errorMessage} credentials.mechanismProperties.${expectedMechProp}` diff --git a/test/unit/cmap/auth/mongodb_oidc/aws_service_workflow.test.ts b/test/unit/cmap/auth/mongodb_oidc/aws_service_workflow.test.ts index 55438240e7f..03999beff3f 100644 --- a/test/unit/cmap/auth/mongodb_oidc/aws_service_workflow.test.ts +++ b/test/unit/cmap/auth/mongodb_oidc/aws_service_workflow.test.ts @@ -1,11 +1,11 @@ import { expect } from 'chai'; import * as sinon from 'sinon'; -import { AwsServiceWorkflow, Connection, MongoCredentials } from '../../../../mongodb'; +import { AwsMachineWorkflow, Connection, MongoCredentials } from '../../../../mongodb'; describe('AwsDeviceWorkFlow', function () { describe('#execute', function () { - const workflow = new AwsServiceWorkflow(); + const workflow = new AwsMachineWorkflow(); context('when AWS_WEB_IDENTITY_TOKEN_FILE is not in the env', function () { let file; diff --git a/test/unit/cmap/auth/mongodb_oidc/callback_lock_cache.test.ts b/test/unit/cmap/auth/mongodb_oidc/callback_lock_cache.test.ts deleted file mode 100644 index d10490fa5b0..00000000000 --- a/test/unit/cmap/auth/mongodb_oidc/callback_lock_cache.test.ts +++ /dev/null @@ -1,145 +0,0 @@ -import { expect } from 'chai'; -import * as sinon from 'sinon'; - -import { - CallbackLockCache, - Connection, - MongoCredentials, - MongoInvalidArgumentError -} from '../../../../mongodb'; -import { sleep } from '../../../../tools/utils'; - -describe('CallbackLockCache', function () { - describe('#getCallbacks', function () { - const connection = sinon.createStubInstance(Connection); - connection.address = 'localhost:27017'; - - context('when a request callback does not exist', function () { - const credentials = new MongoCredentials({ - username: 'test_user', - password: 'pwd', - source: '$external', - mechanismProperties: {} - }); - const cache = new CallbackLockCache(); - - it('raises an error', function () { - try { - cache.getEntry(connection, credentials); - expect.fail('Must raise error when no request callback exists.'); - } catch (error) { - expect(error).to.be.instanceOf(MongoInvalidArgumentError); - expect(error.message).to.include( - 'Auth mechanism property REQUEST_TOKEN_CALLBACK is required' - ); - } - }); - }); - - context('when no entry exists in the cache', function () { - context('when a refresh callback exists', function () { - let requestCount = 0; - let refreshCount = 0; - - const request = async () => { - requestCount++; - if (requestCount > 1) { - throw new Error('Cannot execute request simultaneously.'); - } - await sleep(1000); - requestCount--; - return { accessToken: '' }; - }; - const refresh = async () => { - refreshCount++; - if (refreshCount > 1) { - throw new Error('Cannot execute refresh simultaneously.'); - } - await sleep(1000); - refreshCount--; - return Promise.resolve({ accessToken: '' }); - }; - const requestSpy = sinon.spy(request); - const refreshSpy = sinon.spy(refresh); - const credentials = new MongoCredentials({ - username: 'test_user', - password: 'pwd', - source: '$external', - mechanismProperties: { - REQUEST_TOKEN_CALLBACK: requestSpy, - REFRESH_TOKEN_CALLBACK: refreshSpy - } - }); - const cache = new CallbackLockCache(); - const { requestCallback, refreshCallback, callbackHash } = cache.getEntry( - connection, - credentials - ); - - it('puts a new entry in the cache', function () { - expect(cache.entries).to.have.lengthOf(1); - }); - - it('returns the new entry', function () { - expect(requestCallback).to.exist; - expect(refreshCallback).to.exist; - expect(callbackHash).to.exist; - }); - - it('locks the callbacks', async function () { - await Promise.allSettled([ - requestCallback(), - requestCallback(), - refreshCallback(), - refreshCallback() - ]); - expect(requestSpy).to.have.been.calledTwice; - expect(refreshSpy).to.have.been.calledTwice; - }); - }); - - context('when a refresh function does not exist', function () { - let requestCount = 0; - - const request = async () => { - requestCount++; - if (requestCount > 1) { - throw new Error('Cannot execute request simultaneously.'); - } - await sleep(1000); - requestCount--; - return Promise.resolve({ accessToken: '' }); - }; - const requestSpy = sinon.spy(request); - const credentials = new MongoCredentials({ - username: 'test_user', - password: 'pwd', - source: '$external', - mechanismProperties: { - REQUEST_TOKEN_CALLBACK: requestSpy - } - }); - const cache = new CallbackLockCache(); - const { requestCallback, refreshCallback, callbackHash } = cache.getEntry( - connection, - credentials - ); - - it('puts a new entry in the cache', function () { - expect(cache.entries).to.have.lengthOf(1); - }); - - it('returns the new entry', function () { - expect(requestCallback).to.exist; - expect(refreshCallback).to.not.exist; - expect(callbackHash).to.exist; - }); - - it('locks the callbacks', async function () { - await Promise.allSettled([requestCallback(), requestCallback()]); - expect(requestSpy).to.have.been.calledTwice; - }); - }); - }); - }); -}); diff --git a/test/unit/cmap/auth/mongodb_oidc/token_entry_cache.test.ts b/test/unit/cmap/auth/mongodb_oidc/token_entry_cache.test.ts deleted file mode 100644 index 90f3a940858..00000000000 --- a/test/unit/cmap/auth/mongodb_oidc/token_entry_cache.test.ts +++ /dev/null @@ -1,144 +0,0 @@ -import { expect } from 'chai'; - -import { type TokenEntry, TokenEntryCache } from '../../../../mongodb'; - -describe('TokenEntryCache', function () { - const tokenResultWithExpiration = Object.freeze({ - accessToken: 'test', - expiresInSeconds: 100 - }); - const serverResult = Object.freeze({ - issuer: 'test', - clientId: '1' - }); - const callbackHash = '1'; - - describe('#addEntry', function () { - context('when expiresInSeconds is provided', function () { - const cache = new TokenEntryCache(); - let entry; - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, tokenResultWithExpiration, serverResult); - entry = cache.getEntry('localhost', 'user', callbackHash); - }); - - it('adds the token result', function () { - expect(entry.tokenResult).to.deep.equal(tokenResultWithExpiration); - }); - - it('adds the server result', function () { - expect(entry.serverInfo).to.deep.equal(serverResult); - }); - - it('creates an expiration', function () { - expect(entry.expiration).to.be.within(Date.now(), Date.now() + 100 * 1000); - }); - }); - - context('when expiresInSeconds is not provided', function () { - const cache = new TokenEntryCache(); - let entry: TokenEntry | undefined; - - const expiredResult = Object.freeze({ accessToken: 'test' }); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, expiredResult, serverResult); - entry = cache.getEntry('localhost', 'user', callbackHash); - }); - - it('sets an immediate expiration', function () { - expect(entry?.expiration).to.be.at.most(Date.now()); - }); - }); - - context('when expiresInSeconds is null', function () { - const cache = new TokenEntryCache(); - let entry: TokenEntry | undefined; - - const expiredResult = Object.freeze({ - accessToken: 'test', - expiredInSeconds: null - }); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, expiredResult, serverResult); - entry = cache.getEntry('localhost', 'user', callbackHash); - }); - - it('sets an immediate expiration', function () { - expect(entry?.expiration).to.be.at.most(Date.now()); - }); - }); - }); - - describe('#clear', function () { - const cache = new TokenEntryCache(); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, tokenResultWithExpiration, serverResult); - cache.clear(); - }); - - it('clears the cache', function () { - expect(cache.entries.size).to.equal(0); - }); - }); - - describe('#deleteExpiredEntries', function () { - const cache = new TokenEntryCache(); - - const nonExpiredResult = Object.freeze({ - accessToken: 'test', - expiresInSeconds: 600 - }); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, tokenResultWithExpiration, serverResult); - cache.addEntry('localhost', 'user2', callbackHash, nonExpiredResult, serverResult); - cache.deleteExpiredEntries(); - }); - - it('deletes all expired tokens from the cache 5 minutes before expiredInSeconds', function () { - expect(cache.entries.size).to.equal(1); - expect(cache.getEntry('localhost', 'user', callbackHash)).to.not.exist; - expect(cache.getEntry('localhost', 'user2', callbackHash)).to.exist; - }); - }); - - describe('#deleteEntry', function () { - const cache = new TokenEntryCache(); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, tokenResultWithExpiration, serverResult); - cache.deleteEntry('localhost', 'user', callbackHash); - }); - - it('deletes the entry', function () { - expect(cache.getEntry('localhost', 'user', callbackHash)).to.not.exist; - }); - }); - - describe('#getEntry', function () { - const cache = new TokenEntryCache(); - - before(function () { - cache.addEntry('localhost', 'user', callbackHash, tokenResultWithExpiration, serverResult); - cache.addEntry('localhost', 'user2', callbackHash, tokenResultWithExpiration, serverResult); - }); - - context('when there is a matching entry', function () { - it('returns the entry', function () { - expect(cache.getEntry('localhost', 'user', callbackHash)?.tokenResult).to.equal( - tokenResultWithExpiration - ); - }); - }); - - context('when there is no matching entry', function () { - it('returns undefined', function () { - expect(cache.getEntry('localhost', 'user1', callbackHash)).to.equal(undefined); - }); - }); - }); -});