Fix OIDC prose tests and update spec auth description in handshake spec.
matthewdale committed Jan 4, 2024
1 parent 4e1a5f5 commit 7f79ecd
Showing 2 changed files with 17 additions and 80 deletions.
89 changes: 12 additions & 77 deletions source/auth/tests/mongodb-oidc.rst
@@ -21,6 +21,8 @@ For example, if the selected AWS profile ID is "drivers-test", run:
.. _oidc_get_tokens.sh: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/oidc_get_tokens.sh
.. _drivers-evergreen-tools: https://github.com/mongodb-labs/drivers-evergreen-tools/

----------

Prose Tests
===========

@@ -59,90 +61,23 @@ Prose Tests
handshake, and again during reauthentication).
- Close the client.

(3) Authentication failures with cached tokens retry with a new token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(3) Authentication failures with cached tokens fetch a new token and retry
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with ``retryReads=false`` and a custom
OIDC callback that implements the AWS provider logic.
- Set a fail point for ``find`` commands of the form:

.. code:: javascript
{
configureFailPoint: "failCommand",
mode: {
times: 1
},
data: {
failCommands: [
"find"
],
closeConnection: true
}
}
- Perform a ``find`` operation that fails. This is to force the ``MongoClient``
to cache an access token.
- Set a fail point for ``saslStart`` commands of the form:

.. code:: javascript
{
configureFailPoint: "failCommand",
mode: {
times: 2
},
data: {
failCommands: [
"saslStart"
],
errorCode: 18
}
}
- Perform a ``find`` operation that fails.
- Verify that the callback was called 2 times during connection handshake (once
to get the initial token, and once to refresh the token after the
authentication failure).
- Close the client.

(4) Reauthentication messages are sent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with a custom OIDC callback that
implements the AWS provider logic.
- Poison the cache with an invalid access token.
- Perform a ``find`` operation that succeeds.
- Set fail points for ``find`` and ``saslStart`` of the form:

.. code:: javascript
{
configureFailPoint: "failCommand",
mode: {
times: 1
},
data: {
failCommands: [
"find"
],
errorCode: 391
}
}
- Verify that the callback was called 1 time.
- Close the client.

{
configureFailPoint: "failCommand",
mode: {
times: 2
},
data: {
failCommands: [
"saslStart"
],
errorCode: 18
}
}
(4) Authentication failures without cached tokens return an error
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Create a ``MongoClient`` configured with ``retryReads=false`` and a custom
OIDC callback that always returns invalid access tokens.
- Perform a ``find`` operation that fails.
- Verify that the callback was called 1 time.
- Close the client.

----------
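Review bot: in the new test (3), the step "Poison the cache with an invalid access token" does not say how a test harness is expected to reach the driver's token cache, so the test cannot be reproduced across drivers without a driver-internal hook; state the intended mechanism (or require each driver to expose a test-only way to seed the cache), and spell out why ``retryReads=false`` is kept now that no fail point is involved, presumably so that the successful ``find`` cannot be attributed to a read-level retry rather than to the reauthentication retry under test. The new test (4) likewise says only that the ``find`` "fails" and that the callback was called once; naming the expected failure (an authentication error from the server rather than a timeout or network error) would stop an unrelated failure from passing the test. Dropping the ``failCommand`` blocks (``closeConnection: true``, ``errorCode: 18``, ``errorCode: 391``) also means the spec no longer forces the server-side failure paths those fail points exercised; if that is intentional, one sentence saying the cached-token path is now driven by cache poisoning alone would help readers comparing the old and new versions.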
8 changes: 5 additions & 3 deletions source/mongodb-handshake/handshake.rst
@@ -410,9 +410,11 @@ SCRAM-SHA-256 sections in the `Driver Authentication spec <https://github.com/mo
with an additional ``db`` field to specify the name of the authentication database.

When the mechanism is ``MONGODB-OIDC``, ``speculativeAuthenticate`` has the same
structure as seen in the MONGODB-OIDC conversation section in the
`Driver Authentication spec <https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#supported-authentication-methods>`_. However,
the driver MUST not call a callback as part of ``speculativeAuthenticate``.
structure as seen in the MONGODB-OIDC conversation section in the `Driver
Authentication spec
<https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#supported-authentication-methods>`_.
However, the driver MUST not call a callback as part of
``speculativeAuthenticate`` during the `OIDC Human Authentication Flow <../auth/auth.rst#human-authentication-flow>`_.

If the initial handshake command with a ``speculativeAuthenticate`` argument succeeds,
the client should proceed with the next step of the exchange. If the initial handshake
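Review bot: narrowing the prohibition to the `OIDC Human Authentication Flow` leaves the machine flows unstated; if a driver MAY invoke the callback as part of ``speculativeAuthenticate`` in those flows, say so explicitly rather than leaving it to inference from the omission. Two smaller points on the same lines: "MUST not" should use the RFC 2119 keyword form "MUST NOT" (both the removed and the added lines carry the lowercase "not"), and the new link is a repository-relative path (``../auth/auth.rst#human-authentication-flow``) while the link two lines above uses an absolute GitHub URL; pick one style so the cross-reference resolves the same way from the repository and from any rendered copy of the spec.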