CDRIVER-4548 Support ENVIRONMENT:azure for MONGODB-OIDC.
#2166
Conversation
Support a custom token resource, optional timeout, and optional client_id.
And move check that both env+user callbacks are not set from auth to cache (to simplify).
The tasks already define their `run_on`.
| cmake \ | ||
| -DENABLE_SASL=OFF \ | ||
| -DENABLE_SNAPPY=OFF \ | ||
| -DENABLE_ZSTD=OFF \ | ||
| -DENABLE_ZLIB=OFF \ | ||
| -DENABLE_SRV=OFF \ | ||
| -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF \ | ||
| -DENABLE_EXAMPLES=OFF \ | ||
| -DENABLE_SRV=OFF \ | ||
| -S. -Bcmake-build |
There was a problem hiding this comment.
| cmake \ | |
| -DENABLE_SASL=OFF \ | |
| -DENABLE_SNAPPY=OFF \ | |
| -DENABLE_ZSTD=OFF \ | |
| -DENABLE_ZLIB=OFF \ | |
| -DENABLE_SRV=OFF \ | |
| -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF \ | |
| -DENABLE_EXAMPLES=OFF \ | |
| -DENABLE_SRV=OFF \ | |
| -S. -Bcmake-build | |
| cmake_flags=( | |
| -DENABLE_SASL=OFF | |
| -DENABLE_SNAPPY=OFF | |
| -DENABLE_ZSTD=OFF | |
| -DENABLE_ZLIB=OFF | |
| -DENABLE_SRV=OFF | |
| -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF | |
| -DENABLE_EXAMPLES=OFF | |
| -DENABLE_SRV=OFF | |
| ) | |
| cmake "${cmake_flags[@]}" -Bcmake-build |
Avoid awkward backslashes + redundant -S for current working directory as source.
| -DENABLE_EXAMPLES=OFF \ | ||
| -DENABLE_SRV=OFF \ | ||
| -S. -Bcmake-build | ||
| cmake --build cmake-build --target test-libmongoc --parallel |
There was a problem hiding this comment.
| cmake --build cmake-build --target test-libmongoc --parallel | |
| cmake --build cmake-build --target test-libmongoc |
Ninja generator already uses max parallelism by default.
| # shellcheck source=.evergreen/scripts/use-tools.sh | ||
| . "$(dirname "${BASH_SOURCE[0]}")/use-tools.sh" paths # Sets MONGOC_DIR | ||
|
|
||
| cd "$MONGOC_DIR" |
There was a problem hiding this comment.
Working directory is already set to mongoc via the EVG task definition:
bash_exec(
working_dir="mongoc",
add_expansions_to_env=True,
command_type=EvgCommandType.TEST,
script='.evergreen/scripts/oidc-azure-compile.sh',
),There was a problem hiding this comment.
Removed unnecessary cd and include of use-tools.sh.
| tar -czf test-libmongoc.tar.gz \ | ||
| .evergreen/scripts/oidc-azure-test.sh \ | ||
| ./cmake-build/src/libmongoc/test-libmongoc \ | ||
| src/libmongoc/tests/json \ | ||
| src/libbson/tests/json |
There was a problem hiding this comment.
| tar -czf test-libmongoc.tar.gz \ | |
| .evergreen/scripts/oidc-azure-test.sh \ | |
| ./cmake-build/src/libmongoc/test-libmongoc \ | |
| src/libmongoc/tests/json \ | |
| src/libbson/tests/json | |
| files=( | |
| .evergreen/scripts/oidc-azure-test.sh | |
| cmake-build/src/libmongoc/test-libmongoc | |
| src/libmongoc/tests/json | |
| src/libbson/tests/json | |
| ) | |
| tar -czf test-libmongoc.tar.gz "${files[@]}" |
Avoid awkward backslashes.
| # Install required OpenSSL runtime library. | ||
| sudo apt install -y libssl-dev | ||
|
|
||
| ./cmake-build/src/libmongoc/test-libmongoc -d --match '/auth/unified/*' --match '/oidc/*' |
There was a problem hiding this comment.
Should this include -f/--no-fork?
Aside: I think most scripts use the shorter -l instead of --match.
There was a problem hiding this comment.
I left it out --no-fork for now. Leaving out --no-fork has the benefit of reporting all failing tests, but I expect is slower. In this case, it is likely a small difference since the forked tests take 3 seconds only. Another comment notes "ASAN does not play well with spawned processes", but this task does not currently use ASAN.
Updated to use -l for consistency with run-tests.sh.
src/libmongoc/src/mongoc/mcd-azure.h
Outdated
| const char *const opt_imds_host, | ||
| int opt_port, | ||
| const char *opt_extra_headers, | ||
| int opt_timeout_ms, |
There was a problem hiding this comment.
| int opt_timeout_ms, | |
| int32_t opt_timeout_ms, |
We really need to address CDRIVER-1329 and CDRIVER-4589 sometime soon so that new API does not continue to be burdened by int32_t compatibility issues. 🫠
There was a problem hiding this comment.
Switched to mlib_duration for the timeout parameter. Submitted #2168 to replace the (now redundant) mcd-time.h with mlib utilities.
| if (timeout_us) { | ||
| int64_t remaining_ms = (*timeout_us - bson_get_monotonic_time()) / 1000; | ||
| if (remaining_ms <= 0) { | ||
| // No time remaining. Immediately fail. | ||
| mongoc_oidc_callback_params_cancel_with_timeout(params); | ||
| goto fail; | ||
| } | ||
| if (mlib_narrow(&max_duration_ms, remaining_ms)) { | ||
| // Requested timeout too large to fit. Cap at INT_MAX. | ||
| max_duration_ms = mlib_maxof(int); | ||
| } | ||
| } |
There was a problem hiding this comment.
| if (timeout_us) { | |
| int64_t remaining_ms = (*timeout_us - bson_get_monotonic_time()) / 1000; | |
| if (remaining_ms <= 0) { | |
| // No time remaining. Immediately fail. | |
| mongoc_oidc_callback_params_cancel_with_timeout(params); | |
| goto fail; | |
| } | |
| if (mlib_narrow(&max_duration_ms, remaining_ms)) { | |
| // Requested timeout too large to fit. Cap at INT_MAX. | |
| max_duration_ms = mlib_maxof(int); | |
| } | |
| } | |
| if (timeout_us) { | |
| const mlib_timer timer = {.expires_at = mlib_duration(*timeout_us, us)}; | |
| if (mlib_timer_is_expired(timer, NULL)) { | |
| // No time remaining. Immediately fail. | |
| mongoc_oidc_callback_params_cancel_with_timeout(params); | |
| goto fail; | |
| } | |
| if (mlib_narrow(&max_duration_ms, mlib_milliseconds_count(mlib_timer_remaining(timer)))) { | |
| // Requested timeout too large to fit. Cap at INT_MAX. | |
| max_duration_ms = mlib_maxof(int); | |
| } | |
| } |
Suggest implementing new timer/expiry/duration code in terms of mlib utilities when able.
There was a problem hiding this comment.
Implemented with slight tweak (.expires_at is a mlib_time_point, not a mlib_duration).
src/libmongoc/src/mongoc/mcd-azure.c
Outdated
| int timeout_ms = 3 * 1000; // Default 3 second timeout | ||
| if (opt_timeout_ms > 0) { | ||
| timeout_ms = opt_timeout_ms; | ||
| } |
There was a problem hiding this comment.
| int timeout_ms = 3 * 1000; // Default 3 second timeout | |
| if (opt_timeout_ms > 0) { | |
| timeout_ms = opt_timeout_ms; | |
| } | |
| const mlib_time_point now = mlib_now(); | |
| mlib_timer timer = mlib_expires_at(mlib_time_add(now, (3, s))); // Default 3 second timeout. | |
| if (opt_timeout_ms > 0) { | |
| timer = mlib_expires_at(mlib_time_add(now, (opt_timeout_ms, ms))); | |
| } |
Suggest implementing new timer/expiry/duration code in terms of mlib utilities when able.
|
|
||
| ret = mongoc_oidc_credential_new_with_expires_in(token.access_token, mcd_get_microseconds(token.expires_in)); | ||
| if (!ret) { | ||
| MONGOC_ERROR("Failed to process Azure OIDC access token"); |
There was a problem hiding this comment.
Suggest providing more descriptive error messages for users when able, e.g.:
if (!ret) {
MONGOC_ERROR("Failed to process Azure OIDC access token");
if (!token.access_token) {
MONGOC_ERROR("missing Azure OIDC access token string");
}
if (token.expires_in < 0) {
MONGOC_ERROR("Azure OIDC access token expiration must not be a negative value");
}
goto fail;
}| if (mongoc_oidc_callback_params_get_cancelled_with_timeout(params)) { | ||
| SET_ERROR("MONGODB-OIDC callback was cancelled due to timeout"); | ||
| goto unlock_and_return; | ||
| } |
There was a problem hiding this comment.
Confirming: this will surface timeouts as an authentication error via mongoc_cluster_run_command_monitored or _mongoc_cluster_auth_node. Is this correct?
There was a problem hiding this comment.
I think yes. I expect an error is appropriate since the callback failed to get an auth token. This is intended to give the reason rather than the more generic "MONGODB-OIDC callback failed" message.
To avoid backslashes with multi-line commands.
Ninja uses parallel by default.
Working directory is set by Evergreen task
Already set at the project level.
Saves a small amount of clean-up if topology creation fails before.
2 participants
Summary
Support
ENVIRONMENT:azureforMONGODB-OIDC.mcd-azure.hto support Azure IMDS requests for OIDC. This internal header previously only supported Azure IMDS requests to Azure Key Vault for In-Use Encryption.Patch build: https://spruce.mongodb.com/version/6904afbc379d3a0007e1ac83
Testing
Evergreen testing is described in the drivers-evergreen-tools README.md. Testing follows a similar pattern to the
testazurekms-task: buildtest-libmongocon an Evergreen host, create a remote Azure VM with a matching OS, copy the binary, run the test.oidc-compile-azure.shincludes a temporary workaround to install UV (as was done in #2163).