test(NODE-5038): setup OIDC CI environment (mongodb#3560)

Co-authored-by: Anna Henningsen <anna.henningsen@mongodb.com>

Author: durran

.evergreen/config.in.yml

@@ -94,6 +94,63 @@ functions:
  - .evergreen/run-kms-servers.sh
  env:
  DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+
+ "bootstrap oidc":
+ - command: ec2.assume_role
+ params:
+ role_arn: ${OIDC_AWS_ROLE_ARN}
+ - command: shell.exec
+ type: test
+ params:
+ working_dir: "src"
+ shell: bash
+ script: |
+ ${PREPARE_SHELL}
+
+ # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
+ rm -rf "${DRIVERS_TOOLS}"
+ git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
+
+ cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
+
+ # This is a bit confusing but the ec2.assume_role command before
+ # this task will overwrite these variables to a different value
+ # than we have set in our evergreen project config. As these are
+ # now specific to the OIDC ARN, we re-export for the python
+ # scripts.
+ export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+ export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+ export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+ export AWS_TOKEN_DIR=/tmp/tokens
+
+ . ./activate_venv.sh
+ python oidc_write_orchestration.py
+ python oidc_get_tokens.py
+
+ "setup oidc roles":
+ - command: subprocess.exec
+ params:
+ working_dir: src
+ binary: bash
+ args:
+ - .evergreen/setup-oidc-roles.sh
+ env:
+ DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+
+ "run oidc tests aws":
+ - command: shell.exec
+ type: test
+ params:
+ working_dir: "src"
+ timeout_secs: 300
+ shell: bash
+ script: |
+ ${PREPARE_SHELL}
+
+ AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
+ PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+ bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
+
  "run tests":
  - command: shell.exec
  type: test

.evergreen/config.yml

@@ -68,6 +68,59 @@ functions:
  - .evergreen/run-kms-servers.sh
  env:
  DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+ bootstrap oidc:
+ - command: ec2.assume_role
+ params:
+ role_arn: ${OIDC_AWS_ROLE_ARN}
+ - command: shell.exec
+ type: test
+ params:
+ working_dir: src
+ shell: bash
+ script: |
+ ${PREPARE_SHELL}
+
+ # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
+ rm -rf "${DRIVERS_TOOLS}"
+ git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
+
+ cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
+
+ # This is a bit confusing but the ec2.assume_role command before
+ # this task will overwrite these variables to a different value
+ # than we have set in our evergreen project config. As these are
+ # now specific to the OIDC ARN, we re-export for the python
+ # scripts.
+ export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+ export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+ export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+ export AWS_TOKEN_DIR=/tmp/tokens
+
+ . ./activate_venv.sh
+ python oidc_write_orchestration.py
+ python oidc_get_tokens.py
+ setup oidc roles:
+ - command: subprocess.exec
+ params:
+ working_dir: src
+ binary: bash
+ args:
+ - .evergreen/setup-oidc-roles.sh
+ env:
+ DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+ run oidc tests aws:
+ - command: shell.exec
+ type: test
+ params:
+ working_dir: src
+ timeout_secs: 300
+ shell: bash
+ script: |
+ ${PREPARE_SHELL}
+
+ AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
+ PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+ bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
  run tests:
  - command: shell.exec
  type: test
@@ -1380,6 +1433,22 @@ tasks:
  commands:
  - func: install dependencies
  - func: run ldap tests
+ - name: test-auth-oidc
+ tags:
+ - latest
+ - replica_set
+ - oidc
+ commands:
+ - func: install dependencies
+ - func: bootstrap oidc
+ - func: bootstrap mongo-orchestration
+ vars:
+ VERSION: latest
+ TOPOLOGY: replica_set
+ AUTH: auth
+ ORCHESTRATION_FILE: auth-oidc.json
+ - func: setup oidc roles
+ - func: run oidc tests aws
  - name: test-socks5
  tags: []
  commands:
@@ -3005,6 +3074,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3054,6 +3124,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3101,6 +3172,7 @@ buildvariants:
  - test-latest-load-balanced
  - test-auth-kerberos
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5
  - test-socks5-csfle
  - test-socks5-tls
@@ -3147,6 +3219,7 @@ buildvariants:
  - test-6.0-load-balanced
  - test-latest-load-balanced
  - test-auth-ldap
+ - test-auth-oidc
  - test-socks5-csfle
  - test-socks5-tls
  - test-tls-support-latest

.evergreen/generate_evergreen_tasks.js

@@ -33,8 +33,8 @@ const OPERATING_SYSTEMS = [
  ...osConfig
 }));
 
-// TODO: NODE-3060: enable skipped tests on windows
-const WINDOWS_SKIP_TAGS = new Set(['atlas-connect', 'auth', 'load_balancer', 'socks5-csfle']);
+// TODO: NODE-3060: enable skipped tests on windows except oidc (not supported)
+const WINDOWS_SKIP_TAGS = new Set(['atlas-connect', 'auth', 'load_balancer', 'socks5-csfle', 'oidc']);
 
 const TASKS = [];
 const SINGLETON_TASKS = [];
@@ -183,6 +183,25 @@ TASKS.push(
  tags: ['auth', 'ldap'],
  commands: [{ func: 'install dependencies' }, { func: 'run ldap tests' }]
  },
+ {
+ name: 'test-auth-oidc',
+ tags: ['latest', 'replica_set', 'oidc'],
+ commands: [
+ { func: 'install dependencies' },
+ { func: 'bootstrap oidc' },
+ {
+ func: 'bootstrap mongo-orchestration',
+ vars: {
+ VERSION: 'latest',
+ TOPOLOGY: 'replica_set',
+ AUTH: 'auth',
+ ORCHESTRATION_FILE: 'auth-oidc.json'
+ }
+ },
+ { func: 'setup oidc roles' },
+ { func: 'run oidc tests aws' }
+ ]
+ },
  {
  name: 'test-socks5',
  tags: [],

.evergreen/run-oidc-tests.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -o errexit # Exit the script with error if any of the commands fail
+set -o xtrace # Write all commands first to stderr
+
+source "${PROJECT_DIRECTORY}/.evergreen/init-nvm.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://127.0.0.1:27017"}
+MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC&authMechanismProperties=DEVICE_NAME:aws"
+
+echo $MONGODB_URI_SINGLE
+
+export MONGODB_URI="$MONGODB_URI_SINGLE"
+
+npm run check:oidc

.evergreen/setup-oidc-roles.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -o errexit # Exit the script with error if any of the commands fail
+set -o xtrace # Write all commands first to stderr
+
+cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+. ./activate_venv.sh
+
+${DRIVERS_TOOLS}/mongodb/bin/mongosh setup_oidc.js

package.json

@@ -128,6 +128,7 @@
  "check:atlas": "mocha --config test/manual/mocharc.json test/manual/atlas_connectivity.test.js",
  "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing",
  "check:aws": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts",
+ "check:oidc": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.test.ts",
  "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
  "check:kerberos": "mocha --config test/manual/mocharc.json test/manual/kerberos.test.js",
  "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.js",

test/integration/auth/mongodb_oidc.test.ts

@@ -0,0 +1,17 @@
+import { expect } from 'chai';
+
+describe('MONGODB-OIDC', function () {
+ beforeEach(function () {
+ const MONGODB_URI = process.env.MONGODB_URI;
+ if (!MONGODB_URI || !MONGODB_URI.includes('MONGODB-OIDC')) {
+ this.currentTest.skipReason = 'requires MONGODB_URI to contain MONGODB-OIDC auth mechanism';
+ this.skip();
+ }
+ });
+
+ context('when running in the environment', function () {
+ it('contains AWS_WEB_IDENTITY_TOKEN_FILE', function () {
+ expect(process.env).to.have.property('AWS_WEB_IDENTITY_TOKEN_FILE');
+ });
+ });
+});

test/tools/runner/hooks/configuration.js

@@ -100,6 +100,14 @@ const skipBrokenAuthTestBeforeEachHook = function ({ skippedTests } = { skippedT
 };
 
 const testConfigBeforeHook = async function () {
+ // TODO(NODE-5035): Implement OIDC support. Creating the MongoClient will fail
+ // with "MongoInvalidArgumentError: AuthMechanism 'MONGODB-OIDC' not supported"
+ // as is expected until that ticket goes in. Then this condition gets removed.
+ if (MONGODB_URI && MONGODB_URI.includes('MONGODB-OIDC')) {
+ this.configuration = new TestConfiguration(MONGODB_URI, {});
+ return;
+ }
+
  const client = new MongoClient(loadBalanced ? SINGLE_MONGOS_LB_URI : MONGODB_URI, {
  ...getEnvironmentalOptions(),
  // TODO(NODE-4884): once happy eyeballs support is added, we no longer need to set