From 907e2b6c4ce8385191fdc3fddb690dea3dd1c093 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Thu, 4 Dec 2025 10:58:17 -0500 Subject: [PATCH 1/4] DRIVERS-3197 run machine prose tests on all environments Skip steps that require a custom callback on other environments. Intended to add test coverage. The bug in NODE-6962 is triggered in test 3.1 when testing a non-callback environment. --- source/auth/tests/mongodb-oidc.md | 40 +++++++++++++++++++------------ 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index 542ed5bfd7..f6be4bd10b 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -18,10 +18,18 @@ ______________________________________________________________________ ## Machine Authentication Flow Prose Tests -Drivers MUST run the machine prose tests when `OIDC_TOKEN_DIR` is set. Drivers can either set the `ENVIRONMENT:test` -auth mechanism property, or use a custom callback that also reads the file. +Drivers MUST run these tests for in all supported OIDC environments: -Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters. +- A callback that reads the token file for `ENVIRONMENT:test`. A callback enables testing additional behaviors. Tests + and assertions limited to a callback are noted with `[callback-only]`. +- `ENVIRONMENT:test` +- `ENVIRONMENT:gcp` +- `ENVIRONMENT:azure` +- `ENVIRONMENT:k8s` + +The token file `ENVIRONMENT:test` is located in `OIDC_TOKEN_DIR` set by +[drivers-evergreen-tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md) +scripts. Drivers MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be configured with `retryReads=false`. 
@@ -40,17 +48,17 @@ source the `secrets-export.sh` file and use the associated env variables in your - Create an OIDC configured client. - Perform a `find` operation that succeeds. -- Assert that the callback was called 1 time. +- `[callback-only]` Assert that the callback was called 1 time. - Close the client. **1.2 Callback is called once for multiple connections** - Create an OIDC configured client. - Start 10 threads and run 100 `find` operations in each thread that all succeed. -- Assert that the callback was called 1 time. +- `[callback-only]` Assert that the callback was called 1 time. - Close the client. -### (2) OIDC Callback Validation +### (2) `[callback-only]` OIDC Callback Validation **2.1 Valid Callback Inputs** @@ -91,10 +99,10 @@ source the `secrets-export.sh` file and use the associated env variables in your - Create an OIDC configured client. - Poison the *Client Cache* with an invalid access token. - Perform a `find` operation that succeeds. -- Assert that the callback was called 1 time. +- `[callback-only]` Assert that the callback was called 1 time. - Close the client. -**3.2 Authentication failures without cached tokens return an error** +**3.2 `[callback-only]` Authentication failures without cached tokens return an error** - Create an OIDC configured client with an OIDC callback that always returns invalid access tokens. - Perform a `find` operation that fails. @@ -122,9 +130,9 @@ source the `secrets-export.sh` file and use the associated env variables in your ``` - Perform a `find` operation that fails. -- Assert that the callback has been called once. +- `[callback-only]` Assert that the callback has been called once. - Perform a `find` operation that succeeds. -- Assert that the callback has been called once. +- `[callback-only]` Assert that the callback has been called once. - Close the client. ### (4) Reauthentication 
@@ -150,10 +158,11 @@ source the `secrets-export.sh` file and use the associated env variables in your ``` - Perform a `find` operation that succeeds. -- Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication). +- `[callback-only]` Assert that the callback was called 2 times (once during the connection handshake, and again during + reauthentication). - Close the client. -#### 4.2 Read Commands Fail If Reauthentication Fails +#### `[callback-only]` 4.2 Read Commands Fail If Reauthentication Fails - Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. - Perform a `find` operation that succeeds. @@ -178,7 +187,7 @@ source the `secrets-export.sh` file and use the associated env variables in your - Assert that the callback was called 2 times. - Close the client. -#### 4.3 Write Commands Fail If Reauthentication Fails +#### `[callback-only]` 4.3 Write Commands Fail If Reauthentication Fails - Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call. - Perform an `insert` operation that succeeds. @@ -228,7 +237,7 @@ source the `secrets-export.sh` file and use the associated env variables in your ``` - Perform an `insert` operation that succeeds. -- Assert that the callback was called once. +- `[callback-only]` Assert that the callback was called once. - Assert there were `saslStart` commands executed. - Close the client. 
@@ -254,7 +263,8 @@ source the `secrets-export.sh` file and use the associated env variables in your - Start a new session. - In the started session perform a `find` operation that succeeds. -- Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication). +- `[callback-only]` Assert that the callback was called 2 times (once during the connection handshake, and again during + reauthentication). - Close the session and the client. ## (5) Azure Tests From c400179ba2a147db09b7c99b8b00ff3d022fc75e Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Thu, 4 Dec 2025 10:54:29 -0500 Subject: [PATCH 2/4] change wording in test 3.3 This test only requires a callback to make assertions. But otherwise this test can run in all environments. --- source/auth/tests/mongodb-oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index f6be4bd10b..bd55fb60cc 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -111,7 +111,7 @@ source the `secrets-export.sh` file and use the associated env variables in your **3.3 Unexpected error code does not clear the cache** -- Create a `MongoClient` with an OIDC callback that returns a valid token. +- Create an OIDC configured client. - Set a fail point for `saslStart` commands of the form: ```javascript From 2b36b2a905bd5b8f67478a504b9f48de403bb45b Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Thu, 4 Dec 2025 10:55:19 -0500 Subject: [PATCH 3/4] clarify test 4.4 can populate the cache by using a temporary MongoClient This required a change in the C driver. The C driver previously was reading the token file directly to populate the cache. --- source/auth/tests/mongodb-oidc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index bd55fb60cc..063ef8767f 100644 
--- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -216,6 +216,7 @@ source the `secrets-export.sh` file and use the associated env variables in your - Create an OIDC configured client. - Populate the *Client Cache* with a valid access token to enforce Speculative Authentication. + - This may be done by authenticating a temporary OIDC configured client and copying the cached token. - Perform an `insert` operation that succeeds. - Assert that the callback was not called. - Assert there were no `saslStart` commands executed. From 8854a4d15f1a577aa0ceee60ca30c5da230adea6 Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Tue, 16 Dec 2025 08:07:15 -0500 Subject: [PATCH 4/4] fix typo Co-authored-by: Durran Jordan --- source/auth/tests/mongodb-oidc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index 063ef8767f..81a8c025d0 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -18,7 +18,7 @@ ______________________________________________________________________ ## Machine Authentication Flow Prose Tests -Drivers MUST run these tests for in all supported OIDC environments: +Drivers MUST run these tests in all supported OIDC environments: - A callback that reads the token file for `ENVIRONMENT:test`. A callback enables testing additional behaviors. Tests and assertions limited to a callback are noted with `[callback-only]`.
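Review bot: In [PATCH 1/4], first hunk (`@@ -18,10 +18,18 @@`), the added sentence "The token file `ENVIRONMENT:test` is located in `OIDC_TOKEN_DIR`" reads as though the file itself is named `ENVIRONMENT:test`. Suggest "The token file for `ENVIRONMENT:test` is located in `OIDC_TOKEN_DIR`, which is set by the drivers-evergreen-tools scripts." The list under "all supported OIDC environments" also mixes a custom callback with the four `ENVIRONMENT:*` values, and both of its first two bullets mention `ENVIRONMENT:test`. A short clause saying that the callback variant is an extra configuration reading the same token file would remove the ambiguity.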
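Review bot: The `[callback-only]` tag is placed inconsistently in the headings changed by [PATCH 1/4]. It follows the number in "### (2) `[callback-only]` OIDC Callback Validation" and "**3.2 `[callback-only]` Authentication failures without cached tokens return an error**", but precedes it in "#### `[callback-only]` 4.2 Read Commands Fail If Reauthentication Fails" and the matching 4.3 heading. Pick one position so implementers can scan for the tag the same way in every section. Because the heading text changes, any links that target these section anchors should be checked as well.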
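Review bot: In test 4.4 ([PATCH 3/4], hunk `@@ -216,6 +216,7 @@`), the context line "Assert that the callback was not called." is still untagged, while [PATCH 1/4] tags the callback-count assertion a few lines further down (`@@ -228,7 +237,7 @@`, "Assert that the callback was called once.") as `[callback-only]`. With the tests now required in the non-callback environments, this step needs the same tag, otherwise it reads as mandatory where there is no callback to count. The added sub-bullet could also state that the temporary OIDC configured client is closed once its cached token has been copied, so the test leaves only the client under test open.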