PYTHON-3460 Implement OIDC SASL mechanism

.evergreen/config.yml

@@ -738,6 +738,68 @@ functions:
           fi
           PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-aws-test.sh
 
+  "bootstrap oidc":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_EC2_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export OIDC_TOKEN_DIR=/tmp/tokens
+
+          . ./activate-authoidcvenv.sh
+          python oidc_write_orchestration.py
+          python oidc_get_tokens.py
+
+  "run oidc auth test with aws credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_EC2_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+          mongosh setup_oidc.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
+            export OIDC_TOKEN_DIR=/tmp/tokens
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          if [ "${skip_web_identity_auth_test}" = "true" ]; then
+             echo "This platform does not support the oidc auth test, skipping..."
+             exit 0
+          fi
+          PYTHON_BINARY=${PYTHON_BINARY} ASSERT_NO_URI_CREDS=true .evergreen/run-mongodb-oidc-test.sh
+
   "run aws auth test with aws credentials as environment variables":
     - command: shell.exec
       type: test
@@ -1973,6 +2035,19 @@ tasks:
         - func: "run aws auth test with aws web identity credentials"
         - func: "run aws ECS auth test"
 
+    - name: "oidc-auth-test-latest"
+      commands:
+        - func: "bootstrap oidc"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            AUTH: "auth"
+            ORCHESTRATION_FILE: "auth-oidc.json"
+            TOPOLOGY: "replica_set"
+            VERSION: "latest"
+        - func: "run oidc auth test with aws credentials"
+          vars:
+            AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/tokens/test1
+
     - name: load-balancer-test
       commands:
         - func: "bootstrap mongo-orchestration"
@@ -2179,6 +2254,12 @@ axes:
         batchtime: 10080  # 7 days
         variables:
           libmongocrypt_url: https://s3.amazonaws.com/mciuploads/libmongocrypt/rhel-70-64-bit/master/latest/libmongocrypt.tar.gz
+      - id: rhel80-xlarge
+        display_name: "RHEL 8.0"
+        run_on: rhel80-xlarge
+        batchtime: 10080  # 7 days
+        variables:
+          libmongocrypt_url: https://s3.amazonaws.com/mciuploads/libmongocrypt/rhel-70-64-bit/master/latest/libmongocrypt.tar.gz
       - id: rhel70-fips
         display_name: "RHEL 7.0 FIPS"
         run_on: rhel70-fips
@@ -3019,6 +3100,14 @@ buildvariants:
     # macOS MongoDB servers do not staple OCSP responses and only support RSA.
     - name: ".ocsp-rsa !.ocsp-staple"
 
+- matrix_name: "oidc-auth-test"
+  matrix_spec:
+    platform: [ ubuntu-20.04 ]
+    python-version: ["3.9"]
+  display_name: "MONGODB-OIDC Auth ${platform} ${python-version}"
+  tasks:
+    - name: "oidc-auth-test-latest"
+
 - matrix_name: "aws-auth-test"
   matrix_spec:
     platform: [ubuntu-18.04]

.evergreen/resync-specs.sh

@@ -70,6 +70,9 @@ for spec in "$@"
 do
   # Match the spec dir name, the python test dir name, and/or common abbreviations.
   case "$spec" in
+    auth)
+      cpjson auth/tests/ auth
+      ;;
     atlas-data-lake-testing|data_lake)
       cpjson atlas-data-lake-testing/tests/ data_lake
       ;;

.evergreen/run-mongodb-oidc-test.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit  # Exit the script with error if any of the commands fail
+
+############################################
+#            Main Program                  #
+############################################
+
+# Supported/used environment variables:
+#  MONGODB_URI    Set the URI, including an optional username/password to use
+#                 to connect to the server via MONGODB-OIDC authentication
+#                 mechanism.
+#  PYTHON_BINARY  The Python version to use.
+
+echo "Running MONGODB-OIDC authentication tests"
+# ensure no secrets are printed in log files
+set +x
+
+# load the script
+shopt -s expand_aliases # needed for `urlencode` alias
+[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_oidc.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+MONGODB_URI_MULTIPLE="${MONGODB_URI}:27018/?authMechanism=MONGODB-OIDC&directConnection=true"
+
+if [ -z "${OIDC_TOKEN_DIR}" ]; then
+    echo "Must specify OIDC_TOKEN_DIR"
+    exit 1
+fi
+
+export MONGODB_URI_SINGLE="$MONGODB_URI_SINGLE"
+export MONGODB_URI_MULTIPLE="$MONGODB_URI_MULTIPLE"
+export MONGODB_URI="$MONGODB_URI"
+
+echo $MONGODB_URI_SINGLE
+echo $MONGODB_URI_MULTIPLE
+echo $MONGODB_URI
+
+if [ "$ASSERT_NO_URI_CREDS" = "true" ]; then
+    if echo "$MONGODB_URI" | grep -q "@"; then
+        echo "MONGODB_URI unexpectedly contains user credentials!";
+        exit 1
+    fi
+fi
+
+# show test output
+set -x
+
+# Workaround macOS python 3.9 incompatibility with system virtualenv.
+if [ "$(uname -s)" = "Darwin" ]; then
+    # TODO: change back to 3.9 before merging.
+    VIRTUALENV="/Library/Frameworks/Python.framework/Versions/3.10/bin/python3 -m virtualenv"
+else
+    VIRTUALENV=$(command -v virtualenv)
+fi
+
+authtest () {
+    if [ "Windows_NT" = "$OS" ]; then
+      PYTHON=$(cygpath -m $PYTHON)
+    fi
+
+    echo "Running MONGODB-OIDC authentication tests with $PYTHON"
+    $PYTHON --version
+
+    $VIRTUALENV -p $PYTHON --never-download venvoidc
+    if [ "Windows_NT" = "$OS" ]; then
+      . venvoidc/Scripts/activate
+    else
+      . venvoidc/bin/activate
+    fi
+    python -m pip install -U pip setuptools
+    python -m pip install '.[aws]'
+    python test/auth_aws/test_auth_oidc.py -v
+    deactivate
+    rm -rf venvoidc
+}
+
+PYTHON=${PYTHON_BINARY:-}
+if [ -z "$PYTHON" ]; then
+    echo "Cannot test without specifying PYTHON_BINARY"
+    exit 1
+fi
+
+authtest

doc/changelog.rst

@@ -4,6 +4,7 @@ Changelog
 Changes in Version 4.4
 -----------------------
 
+- Added support for :ref:`OIDC <oidc_sasl>` authentication with MongoDB Enterprise 7.0+.
 - Added support for passing a list containing (key, direction) pairs
   or keys to :meth:`~pymongo.collection.Collection.create_index`.
 - **BETA** Added support for range queries on client side field level encrypted collections.

doc/examples/authentication.rst

@@ -384,3 +384,127 @@ would be::
 .. _Assume Role: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 .. _EC2 instance: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
 .. _environment variables: https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime
+
+
+.. _oidc_sasl:
+
+MONGODB-OIDC
+------------
+.. versionadded:: 4.4
+
+The MONGODB-OIDC authentication mechanism is available in MongoDB Enterprise 7.0+.
+
+AWS OIDC Support
+~~~~~~~~~~~~~~~~
+
+PyMongo supports automatic authentication when AWS OIDC credentials are
+available, by installing pymongo with the
+``aws`` extra::
+
+  $ python -m pip install 'pymongo[aws]'
+
+A sample URI would be:
+
+  >>> from pymongo import MongoClient
+  >>> uri = "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws")
+  >>> client = MongoClient(uri)
+
+The driver will use the authentication token from the file given by the
+``AWS_WEB_IDENTITY_TOKEN_FILE`` environment variable provided by AWS to
+authenticate with the server.
+
+Callback-based OIDC Support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+PyMongo supports user-provided callbacks for OIDC, which are are given to the
+``MongoClient``.  The ``on_oidc_request_callback`` is intended to accept
+information about the Identity Provider, and return credentials that are used
+to authenticate with the server, usually through a browser interaction with
+the user.  The callback must be of the form::
+
+  def request_callback(ProviderInfo, timeout_seconds) -> TokenResult:
+    ...
+    return dict(access_token=...)
+
+Where ``ProviderInfo`` is a dictionary of the following form::
+
+      authorization_endpoint:
+        description: >-
+          URL where the IDP may be contacted for end user
+          authentication and authorization code generation.
+        type: string
+        optional: true # Req if device_authorization_endpoint not present
+      token_endpoint:
+        description: >-
+          URL where the IDP may be contacted for authorization
+          code <=> ID/access token exchange.
+        type: string
+        optional: true # Req if device_authorization_endpoint not present
+      device_authorization_endpoint:
+        description: >-
+          URL where the IDP may be contacted for device
+          authentication and authorization code generation.
+        type: string
+        optional: true # Req if authorization_endpoint not present
+      client_id:
+        description: "Unique client ID for this OIDC client"
+        type: string
+      client_ecret:
+        description: "Secret used when communicating with IDP"
+        type: string
+        optional: true
+      request_scopes:
+        description: "Additional scopes to request from IDP"
+        type: array<string>
+        optional: true
+
+And ``TokenResult`` is a dictionary of the following form::
+
+    access_token:
+        description: "The OIDC access token"
+        type: string
+    expires_in_seconds:
+        description: "The expiration time in seconds from the current time"
+        type: int
+        optional: true
+    refresh_token:
+        description: "The OIDC refresh token"
+        type: str
+        optional: true
+
+And ``timeout_seconds`` will always be 300 (5 minutes).  An example
+client would be::
+
+  >>> from pymongo import MongoClient
+  >>> uri = "mongodb://localhost/?authMechanism=MONGODB-OIDC")
+  >>> client = MongoClient(uri, on_oidc_request_callback=my_callback)
+
+If the identity provider supports refresh, a refresh callback can also
+be provided.  If a refresh callback is provided, it will be called
+if ``expires_in_seconds`` was given in the request response and is
+within 5 minutes, or the server raises a ``ReAuthenticationRequired``
+error during an operation.  The refresh callback must of the form::
+
+
+  def request_callback(ProviderInfo, TokenResult, timeout_seconds) -> TokenResult:
+    ...
+    return dict(access_token=...)
+
+Where ``ProviderInfo``, ``timeout_seconds`` and the return value are of
+the same form as the request callback, and the ``TokenResult`` parameter
+is the result of the request callback, which will contain the ``refresh_token``
+if it was provided.  An example using both callbacks would be::
+
+  >>> from pymongo import MongoClient
+  >>> uri = "mongodb://localhost/?authMechanism=MONGODB-OIDC")
+  >>> client = MongoClient(uri, on_oidc_request_callback=my_request_callback,
+  ... on_oidc_refresh_callback=my_refresh_callback)
+
+Note: when multiple identity providers
+are configured on the server, a ``username`` must be provided, which is the
+Principal Name used on the provider.  For example::
+
+  >>> from pymongo import MongoClient
+  >>> uri = "mongodb://my_username@localhost/?authMechanism=MONGODB-OIDC")
+  >>> client = MongoClient(uri, on_oidc_request_callback=my_request_callback,
+  ... on_oidc_refresh_callback=my_refresh_callback)