PYTHON-3460 Implement OIDC SASL mechanism (#1138)

Author: blink1073

.evergreen/config.yml

@@ -749,6 +749,68 @@ functions:
           fi
           PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-aws-test.sh
 
+  "bootstrap oidc":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_EC2_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export OIDC_TOKEN_DIR=/tmp/tokens
+
+          . ./activate-authoidcvenv.sh
+          python oidc_write_orchestration.py
+          python oidc_get_tokens.py
+
+  "run oidc auth test with aws credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_EC2_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+          mongosh setup_oidc.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
+            export OIDC_TOKEN_DIR=/tmp/tokens
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_web_identity_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+          PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-oidc-test.sh
+
   "run aws auth test with aws credentials as environment variables":
     - command: shell.exec
       type: test
@@ -2034,6 +2096,19 @@ tasks:
         - func: "run aws auth test with aws web identity credentials"
         - func: "run aws ECS auth test"
 
+    - name: "oidc-auth-test-latest"
+      commands:
+        - func: "bootstrap oidc"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            AUTH: "auth"
+            ORCHESTRATION_FILE: "auth-oidc.json"
+            TOPOLOGY: "replica_set"
+            VERSION: "latest"
+        - func: "run oidc auth test with aws credentials"
+          vars:
+            AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/tokens/test1
+
     - name: load-balancer-test
       commands:
         - func: "bootstrap mongo-orchestration"
@@ -3103,6 +3178,14 @@ buildvariants:
     # macOS MongoDB servers do not staple OCSP responses and only support RSA.
     - name: ".ocsp-rsa !.ocsp-staple"
 
+- matrix_name: "oidc-auth-test"
+  matrix_spec:
+    platform: [ ubuntu-20.04 ]
+    python-version: ["3.9"]
+  display_name: "MONGODB-OIDC Auth ${platform} ${python-version}"
+  tasks:
+    - name: "oidc-auth-test-latest"
+
 - matrix_name: "aws-auth-test"
   matrix_spec:
     platform: [ubuntu-20.04]

.evergreen/resync-specs.sh

@@ -70,6 +70,9 @@ for spec in "$@"
 do
   # Match the spec dir name, the python test dir name, and/or common abbreviations.
   case "$spec" in
+    auth)
+      cpjson auth/tests/ auth
+      ;;
     atlas-data-lake-testing|data_lake)
       cpjson atlas-data-lake-testing/tests/ data_lake
       ;;

.evergreen/run-mongodb-oidc-test.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit  # Exit the script with error if any of the commands fail
+
+############################################
+#            Main Program                  #
+############################################
+
+# Supported/used environment variables:
+#  MONGODB_URI    Set the URI, including an optional username/password to use
+#                 to connect to the server via MONGODB-OIDC authentication
+#                 mechanism.
+#  PYTHON_BINARY  The Python version to use.
+
+echo "Running MONGODB-OIDC authentication tests"
+# ensure no secrets are printed in log files
+set +x
+
+# load the script
+shopt -s expand_aliases # needed for `urlencode` alias
+[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+MONGODB_URI_MULTIPLE="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
+
+if [ -z "${OIDC_TOKEN_DIR}" ]; then
+    echo "Must specify OIDC_TOKEN_DIR"
+    exit 1
+fi
+
+export MONGODB_URI_SINGLE="$MONGODB_URI_SINGLE"
+export MONGODB_URI_MULTIPLE="$MONGODB_URI_MULTIPLE"
+export MONGODB_URI="$MONGODB_URI"
+
+echo $MONGODB_URI_SINGLE
+echo $MONGODB_URI_MULTIPLE
+echo $MONGODB_URI
+
+if [ "$ASSERT_NO_URI_CREDS" = "true" ]; then
+    if echo "$MONGODB_URI" | grep -q "@"; then
+        echo "MONGODB_URI unexpectedly contains user credentials!";
+        exit 1
+    fi
+fi
+
+# show test output
+set -x
+
+# Workaround macOS python 3.9 incompatibility with system virtualenv.
+if [ "$(uname -s)" = "Darwin" ]; then
+    VIRTUALENV="/Library/Frameworks/Python.framework/Versions/3.9/bin/python3 -m virtualenv"
+else
+    VIRTUALENV=$(command -v virtualenv)
+fi
+
+authtest () {
+    if [ "Windows_NT" = "$OS" ]; then
+      PYTHON=$(cygpath -m $PYTHON)
+    fi
+
+    echo "Running MONGODB-OIDC authentication tests with $PYTHON"
+    $PYTHON --version
+
+    $VIRTUALENV -p $PYTHON --never-download venvoidc
+    if [ "Windows_NT" = "$OS" ]; then
+      . venvoidc/Scripts/activate
+    else
+      . venvoidc/bin/activate
+    fi
+    python -m pip install -U pip setuptools
+    python -m pip install '.[aws]'
+    python test/auth_aws/test_auth_oidc.py -v
+    deactivate
+    rm -rf venvoidc
+}
+
+PYTHON=${PYTHON_BINARY:-}
+if [ -z "$PYTHON" ]; then
+    echo "Cannot test without specifying PYTHON_BINARY"
+    exit 1
+fi
+
+authtest

pymongo/auth.py

@@ -27,6 +27,7 @@
 from bson.binary import Binary
 from bson.son import SON
 from pymongo.auth_aws import _authenticate_aws
+from pymongo.auth_oidc import _authenticate_oidc, _get_authenticator, _OIDCProperties
 from pymongo.errors import ConfigurationError, OperationFailure
 from pymongo.saslprep import saslprep
 
@@ -48,6 +49,7 @@
     [
         "GSSAPI",
         "MONGODB-CR",
+        "MONGODB-OIDC",
         "MONGODB-X509",
         "MONGODB-AWS",
         "PLAIN",
@@ -101,7 +103,7 @@ def __hash__(self):
 
 def _build_credentials_tuple(mech, source, user, passwd, extra, database):
     """Build and return a mechanism specific credentials tuple."""
-    if mech not in ("MONGODB-X509", "MONGODB-AWS") and user is None:
+    if mech not in ("MONGODB-X509", "MONGODB-AWS", "MONGODB-OIDC") and user is None:
         raise ConfigurationError("%s requires a username." % (mech,))
     if mech == "GSSAPI":
         if source is not None and source != "$external":
@@ -137,6 +139,32 @@ def _build_credentials_tuple(mech, source, user, passwd, extra, database):
         aws_props = _AWSProperties(aws_session_token=aws_session_token)
         # user can be None for temporary link-local EC2 credentials.
         return MongoCredential(mech, "$external", user, passwd, aws_props, None)
+    elif mech == "MONGODB-OIDC":
+        properties = extra.get("authmechanismproperties", {})
+        request_token_callback = properties.get("request_token_callback")
+        refresh_token_callback = properties.get("refresh_token_callback", None)
+        provider_name = properties.get("PROVIDER_NAME", "")
+        default_allowed = [
+            "*.mongodb.net",
+            "*.mongodb-dev.net",
+            "*.mongodbgov.net",
+            "localhost",
+            "127.0.0.1",
+            "::1",
+        ]
+        allowed_hosts = properties.get("allowed_hosts", default_allowed)
+        if not request_token_callback and provider_name != "aws":
+            raise ConfigurationError(
+                "authentication with MONGODB-OIDC requires providing an request_token_callback or a provider_name of 'aws'"
+            )
+        oidc_props = _OIDCProperties(
+            request_token_callback=request_token_callback,
+            refresh_token_callback=refresh_token_callback,
+            provider_name=provider_name,
+            allowed_hosts=allowed_hosts,
+        )
+        return MongoCredential(mech, "$external", user, passwd, oidc_props, None)
+
     elif mech == "PLAIN":
         source_database = source or database or "$external"
         return MongoCredential(mech, source_database, user, passwd, None, None)
@@ -439,7 +467,7 @@ def _authenticate_x509(credentials, sock_info):
         # MONGODB-X509 is done after the speculative auth step.
         return
 
-    cmd = _X509Context(credentials).speculate_command()
+    cmd = _X509Context(credentials, sock_info.address).speculate_command()
     sock_info.command("$external", cmd)
 
 
@@ -482,6 +510,7 @@ def _authenticate_default(credentials, sock_info):
     "MONGODB-CR": _authenticate_mongo_cr,
     "MONGODB-X509": _authenticate_x509,
     "MONGODB-AWS": _authenticate_aws,
+    "MONGODB-OIDC": _authenticate_oidc,
     "PLAIN": _authenticate_plain,
     "SCRAM-SHA-1": functools.partial(_authenticate_scram, mechanism="SCRAM-SHA-1"),
     "SCRAM-SHA-256": functools.partial(_authenticate_scram, mechanism="SCRAM-SHA-256"),
@@ -490,15 +519,16 @@ def _authenticate_default(credentials, sock_info):
 
 
 class _AuthContext(object):
-    def __init__(self, credentials):
+    def __init__(self, credentials, address):
         self.credentials = credentials
         self.speculative_authenticate = None
+        self.address = address
 
     @staticmethod
-    def from_credentials(creds):
+    def from_credentials(creds, address):
         spec_cls = _SPECULATIVE_AUTH_MAP.get(creds.mechanism)
         if spec_cls:
-            return spec_cls(creds)
+            return spec_cls(creds, address)
         return None
 
     def speculate_command(self):
@@ -512,8 +542,8 @@ def speculate_succeeded(self):
 
 
 class _ScramContext(_AuthContext):
-    def __init__(self, credentials, mechanism):
-        super(_ScramContext, self).__init__(credentials)
+    def __init__(self, credentials, address, mechanism):
+        super(_ScramContext, self).__init__(credentials, address)
         self.scram_data = None
         self.mechanism = mechanism
 
@@ -534,16 +564,30 @@ def speculate_command(self):
         return cmd
 
 
+class _OIDCContext(_AuthContext):
+    def speculate_command(self):
+        authenticator = _get_authenticator(self.credentials, self.address)
+        cmd = authenticator.auth_start_cmd(False)
+        if cmd is None:
+            return
+        cmd["db"] = self.credentials.source
+        return cmd
+
+
 _SPECULATIVE_AUTH_MAP: Mapping[str, Callable] = {
     "MONGODB-X509": _X509Context,
     "SCRAM-SHA-1": functools.partial(_ScramContext, mechanism="SCRAM-SHA-1"),
     "SCRAM-SHA-256": functools.partial(_ScramContext, mechanism="SCRAM-SHA-256"),
+    "MONGODB-OIDC": _OIDCContext,
     "DEFAULT": functools.partial(_ScramContext, mechanism="SCRAM-SHA-256"),
 }
 
 
-def authenticate(credentials, sock_info):
+def authenticate(credentials, sock_info, reauthenticate=False):
     """Authenticate sock_info."""
     mechanism = credentials.mechanism
     auth_func = _AUTH_MAP[mechanism]
-    auth_func(credentials, sock_info)
+    if mechanism == "MONGODB-OIDC":
+        _authenticate_oidc(credentials, sock_info, reauthenticate)
+    else:
+        auth_func(credentials, sock_info)