CDRIVER-4689 Implement OIDC machine callback (#2147)

* add binary op to BSON DSL
* clarify timeout is a duration, not an absolute time point

---------

Co-authored-by: mdb-ad <198671546+mdb-ad@users.noreply.github.com>
Co-authored-by: Connor MacDonald <connor.macdonald@mongodb.com>

Author: 3 people

.evergreen/config_generator/components/oidc.py

@@ -0,0 +1,74 @@
+from shrub.v3.evg_build_variant import BuildVariant
+from shrub.v3.evg_command import EvgCommandType, ec2_assume_role, KeyValueParam, expansions_update
+from shrub.v3.evg_task import EvgTask, EvgTaskRef
+from shrub.v3.evg_task_group import EvgTaskGroup
+
+from config_generator.components.funcs.run_tests import RunTests
+from config_generator.components.funcs.fetch_det import FetchDET
+from config_generator.components.funcs.fetch_source import FetchSource
+from config_generator.components.sasl.openssl import SaslCyrusOpenSSLCompile
+from config_generator.etc.utils import bash_exec
+from config_generator.etc.distros import find_small_distro
+
+
+def task_groups():
+    return [
+        EvgTaskGroup(
+            name='test-oidc-task-group',
+            tasks=['oidc-auth-test-task'],
+            setup_group_can_fail_task=True,
+            setup_group_timeout_secs=60 * 60,  # 1 hour
+            teardown_group_can_fail_task=True,
+            teardown_group_timeout_secs=180,  # 3 minutes
+            setup_group=[
+                FetchDET.call(),
+                ec2_assume_role(role_arn='${aws_test_secrets_role}'),
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/setup.sh',
+                ),
+            ],
+            teardown_group=[
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/teardown.sh',
+                )
+            ],
+        )
+    ]
+
+
+def tasks():
+    return [
+        EvgTask(
+            name='oidc-auth-test-task',
+            run_on=[find_small_distro('ubuntu2404').name],
+            commands=[
+                FetchSource.call(),
+                SaslCyrusOpenSSLCompile.call(),
+                expansions_update(
+                    updates=[
+                        KeyValueParam(key='CC', value='clang'),
+                        # OIDC test servers support both OIDC and user/password.
+                        KeyValueParam(key='AUTH', value='auth'),  # Use user/password for default test clients.
+                        KeyValueParam(key='OIDC', value='oidc'),  # Enable OIDC tests.
+                        KeyValueParam(key='MONGODB_VERSION', value='latest'),
+                        KeyValueParam(key='TOPOLOGY', value='replica_set'),
+                    ]
+                ),
+                RunTests.call(),
+            ],
+        )
+    ]
+
+
+def variants():
+    return [
+        BuildVariant(
+            name='oidc',
+            display_name='OIDC',
+            run_on=[find_small_distro('ubuntu2404').name],
+            tasks=[EvgTaskRef(name='test-oidc-task-group')],
+        ),
+    ]

.evergreen/generated_configs/task_groups.yml

@@ -1 +1,31 @@
-task_groups: []
+task_groups:
+  - name: test-oidc-task-group
+    setup_group:
+      - func: fetch-det
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/setup.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 3600
+    tasks:
+      - oidc-auth-test-task
+    teardown_group:
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/teardown.sh
+    teardown_group_timeout_secs: 180

.evergreen/generated_configs/tasks.yml

@@ -4206,6 +4206,21 @@ tasks:
           args:
             - -c
             - .evergreen/scripts/run-mock-server-tests.sh
+  - name: oidc-auth-test-task
+    run_on:
+      - ubuntu2404-small
+    commands:
+      - func: fetch-source
+      - func: sasl-cyrus-openssl-compile
+      - command: expansions.update
+        params:
+          updates:
+            - { key: CC, value: clang }
+            - { key: AUTH, value: auth }
+            - { key: OIDC, value: oidc }
+            - { key: MONGODB_VERSION, value: latest }
+            - { key: TOPOLOGY, value: replica_set }
+      - func: run-tests
   - name: openssl-compat-1.0.2-shared-ubuntu2404-gcc
     run_on: ubuntu2404-large
     tags: [openssl-compat, openssl-1.0.2, openssl-shared, ubuntu2404, gcc]

.evergreen/generated_configs/variants.yml

@@ -253,6 +253,12 @@ buildvariants:
       SANITIZE: address,undefined
     tasks:
       - name: mock-server-test
+  - name: oidc
+    display_name: OIDC
+    run_on:
+      - ubuntu2404-small
+    tasks:
+      - name: test-oidc-task-group
   - name: openssl-compat-matrix
     display_name: OpenSSL Compatibility Matrix
     tasks:

.evergreen/scripts/run-tests.sh

@@ -22,6 +22,7 @@ check_var_opt SINGLE_MONGOS_LB_URI
 check_var_opt SKIP_CRYPT_SHARED_LIB
 check_var_opt SSL "nossl"
 check_var_opt URI
+check_var_opt OIDC "nooidc"
 
 declare script_dir
 script_dir="$(to_absolute "$(dirname "${BASH_SOURCE[0]}")")"
@@ -154,6 +155,13 @@ if [[ "${DNS}" != "nodns" ]]; then
   fi
 fi
 
+if [[ "${OIDC}" != "nooidc" ]]; then
+  export MONGOC_TEST_OIDC="ON"
+  # Only run OIDC tests.
+  test_args+=("-l" "/oidc/*")
+  test_args+=("-l" "/auth/unified/*")
+fi
+
 wait_for_server() {
   declare name="${1:?"wait_for_server requires a server name"}"
   declare port="${2:?"wait_for_server requires a server port"}"

CONTRIBUTING.md

@@ -320,6 +320,8 @@ To run test cases with large allocations, set:
 
 * `MONGOC_TEST_LARGE_ALLOCATIONS=on` This may result in sudden test suite termination due to allocation failure. Use with caution.
 
+* `MONGOC_TEST_OIDC=on` to test OIDC using a test environment described [here](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/d7a7337b384392a09fbe7fc80a7244e6f1226c18/.evergreen/auth_oidc).
+
 All tests should pass before submitting a patch.
 
 ## Configuring the test runner

src/common/src/bson-dsl.md

@@ -261,6 +261,10 @@ Generate an integral value from the given C integer expression.
 Generate a UTF-8 value from the given null-terminated character array beginning
 at `zstr`.
 
+#### `binary(bson_subtype_t subtype, const uint8_t *binary, uint32_t length)`
+
+Generate a binary value from a subtype, pointer, and length.
+
 
 #### `oid(const bson_oid_t* oid)`
 

src/common/src/common-bson-dsl-private.h

@@ -275,6 +275,12 @@ BSON_IF_GNU_LIKE(_Pragma("GCC diagnostic ignored \"-Wshadow\""))
    }                                                                           \
    _bsonDSL_end
 
+#define _bsonValueOperation_binary(SubType, Data, Len)                         \
+   if (!bson_append_binary(_bsonBuildAppendArgs, (SubType), (Data), (Len))) {  \
+      bsonBuildError = "Error while appending binary(" _bsonDSL_str(Data) ")"; \
+   } else                                                                      \
+      ((void)0)
+
 /// Insert the given BSON document into the parent document in-place
 #define _bsonDocOperation_insert(OtherBSON, Pred)                                                \
    _bsonDSL_begin("Insert other document: [%s]", _bsonDSL_str(OtherBSON));                       \

src/libmongoc/CMakeLists.txt

@@ -557,6 +557,7 @@ set (MONGOC_SOURCES
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-aws.c
+   ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-oidc.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-sasl.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-collection.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-compression.c
@@ -1092,6 +1093,7 @@ set (test-libmongoc-sources
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-long-namespace.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-max-staleness.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-mongos-pinning.c
+   ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc-callback.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc-cache.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-opts.c

src/libmongoc/doc/mongoc_client_pool_set_oidc_callback.rst

@@ -0,0 +1,33 @@
+:man_page: mongoc_client_pool_set_oidc_callback
+
+mongoc_client_pool_set_oidc_callback()
+======================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_pool_set_oidc_callback(mongoc_client_pool_t *pool,
+                                        const mongoc_oidc_callback_t *callback);
+
+Register a callback for the ``MONGODB-OIDC`` authentication mechanism.
+
+Parameters
+----------
+
+* ``pool``: A :symbol:`mongoc_client_pool_t`.
+* ``callback``: A :symbol:`mongoc_oidc_callback_t`.
+
+Returns
+-------
+
+Returns true on success. Returns false and logs on error.
+
+.. include:: includes/mongoc_client_pool_call_once.txt
+
+.. seealso::
+   | :doc:`mongoc_client_set_oidc_callback` for setting a callback on a single-threaded client.
+   | :doc:`mongoc_oidc_callback_t`
+   | :doc:`mongoc_oidc_callback_params_t`