test(NODE-5038): setup OIDC CI environment (#3560)

Co-authored-by: Anna Henningsen <[email protected]>

Author: durran

.evergreen/config.in.yml

@@ -94,6 +94,63 @@ functions:
           - .evergreen/run-kms-servers.sh
         env:
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+
+  "bootstrap oidc":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${OIDC_AWS_ROLE_ARN}
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
+          rm -rf "${DRIVERS_TOOLS}"
+          git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
+
+          cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
+
+          # This is a bit confusing but the ec2.assume_role command before
+          # this task will overwrite these variables to a different value
+          # than we have set in our evergreen project config. As these are
+          # now specific to the OIDC ARN, we re-export for the python
+          # scripts.
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export AWS_TOKEN_DIR=/tmp/tokens
+
+          . ./activate_venv.sh
+          python oidc_write_orchestration.py
+          python oidc_get_tokens.py
+
+  "setup oidc roles":
+    - command: subprocess.exec
+      params:
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/setup-oidc-roles.sh
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+
+  "run oidc tests aws":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        timeout_secs: 300
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
+          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
+
   "run tests":
     - command: shell.exec
       type: test

.evergreen/config.yml

@@ -68,6 +68,59 @@ functions:
           - .evergreen/run-kms-servers.sh
         env:
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+  bootstrap oidc:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${OIDC_AWS_ROLE_ARN}
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          # TODO(NODE-5035): Remove when merged - need to replace with branch just for OIDC.
+          rm -rf "${DRIVERS_TOOLS}"
+          git clone --branch DRIVERS-2415 https://github.com/blink1073/drivers-evergreen-tools.git "${DRIVERS_TOOLS}"
+
+          cd "${DRIVERS_TOOLS}"/.evergreen/auth_oidc
+
+          # This is a bit confusing but the ec2.assume_role command before
+          # this task will overwrite these variables to a different value
+          # than we have set in our evergreen project config. As these are
+          # now specific to the OIDC ARN, we re-export for the python
+          # scripts.
+          export AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+          export AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+          export AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+          export AWS_TOKEN_DIR=/tmp/tokens
+
+          . ./activate_venv.sh
+          python oidc_write_orchestration.py
+          python oidc_get_tokens.py
+  setup oidc roles:
+    - command: subprocess.exec
+      params:
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/setup-oidc-roles.sh
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+  run oidc tests aws:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src
+        timeout_secs: 300
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test1" \
+          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
   run tests:
     - command: shell.exec
       type: test
@@ -1380,6 +1433,22 @@ tasks:
     commands:
       - func: install dependencies
       - func: run ldap tests
+  - name: test-auth-oidc
+    tags:
+      - latest
+      - replica_set
+      - oidc
+    commands:
+      - func: install dependencies
+      - func: bootstrap oidc
+      - func: bootstrap mongo-orchestration
+        vars:
+          VERSION: latest
+          TOPOLOGY: replica_set
+          AUTH: auth
+          ORCHESTRATION_FILE: auth-oidc.json
+      - func: setup oidc roles
+      - func: run oidc tests aws
   - name: test-socks5
     tags: []
     commands:
@@ -3005,6 +3074,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3054,6 +3124,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3101,6 +3172,7 @@ buildvariants:
       - test-latest-load-balanced
       - test-auth-kerberos
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3147,6 +3219,7 @@ buildvariants:
       - test-6.0-load-balanced
       - test-latest-load-balanced
       - test-auth-ldap
+      - test-auth-oidc
       - test-socks5-csfle
       - test-socks5-tls
       - test-tls-support-latest

.evergreen/generate_evergreen_tasks.js

@@ -33,8 +33,8 @@ const OPERATING_SYSTEMS = [
   ...osConfig
 }));
 
-// TODO: NODE-3060: enable skipped tests on windows
-const WINDOWS_SKIP_TAGS = new Set(['atlas-connect', 'auth', 'load_balancer', 'socks5-csfle']);
+// TODO: NODE-3060: enable skipped tests on windows except oidc (not supported)
+const WINDOWS_SKIP_TAGS = new Set(['atlas-connect', 'auth', 'load_balancer', 'socks5-csfle', 'oidc']);
 
 const TASKS = [];
 const SINGLETON_TASKS = [];
@@ -183,6 +183,25 @@ TASKS.push(
       tags: ['auth', 'ldap'],
       commands: [{ func: 'install dependencies' }, { func: 'run ldap tests' }]
     },
+    {
+      name: 'test-auth-oidc',
+      tags: ['latest', 'replica_set', 'oidc'],
+      commands: [
+        { func: 'install dependencies' },
+        { func: 'bootstrap oidc' },
+        {
+          func: 'bootstrap mongo-orchestration',
+          vars: {
+            VERSION: 'latest',
+            TOPOLOGY: 'replica_set',
+            AUTH: 'auth',
+            ORCHESTRATION_FILE: 'auth-oidc.json'
+          }
+        },
+        { func: 'setup oidc roles' },
+        { func: 'run oidc tests aws' }
+      ]
+    },
     {
       name: 'test-socks5',
       tags: [],

.evergreen/run-oidc-tests.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -o errexit  # Exit the script with error if any of the commands fail
+set -o xtrace   # Write all commands first to stderr
+
+source "${PROJECT_DIRECTORY}/.evergreen/init-nvm.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://127.0.0.1:27017"}
+MONGODB_URI_SINGLE="${MONGODB_URI}/?authMechanism=MONGODB-OIDC&authMechanismProperties=DEVICE_NAME:aws"
+
+echo $MONGODB_URI_SINGLE
+
+export MONGODB_URI="$MONGODB_URI_SINGLE"
+
+npm run check:oidc

.evergreen/setup-oidc-roles.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -o errexit  # Exit the script with error if any of the commands fail
+set -o xtrace   # Write all commands first to stderr
+
+cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
+. ./activate_venv.sh
+
+${DRIVERS_TOOLS}/mongodb/bin/mongosh setup_oidc.js

package.json

@@ -128,6 +128,7 @@
     "check:atlas": "mocha --config test/manual/mocharc.json test/manual/atlas_connectivity.test.js",
     "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing",
     "check:aws": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts",
+    "check:oidc": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.test.ts",
     "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
     "check:kerberos": "mocha --config test/manual/mocharc.json test/manual/kerberos.test.js",
     "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.js",

test/integration/auth/mongodb_oidc.test.ts

@@ -0,0 +1,17 @@
+import { expect } from 'chai';
+
+describe('MONGODB-OIDC', function () {
+  beforeEach(function () {
+    const MONGODB_URI = process.env.MONGODB_URI;
+    if (!MONGODB_URI || !MONGODB_URI.includes('MONGODB-OIDC')) {
+      this.currentTest.skipReason = 'requires MONGODB_URI to contain MONGODB-OIDC auth mechanism';
+      this.skip();
+    }
+  });
+
+  context('when running in the environment', function () {
+    it('contains AWS_WEB_IDENTITY_TOKEN_FILE', function () {
+      expect(process.env).to.have.property('AWS_WEB_IDENTITY_TOKEN_FILE');
+    });
+  });
+});

test/tools/runner/hooks/configuration.js

@@ -100,6 +100,14 @@ const skipBrokenAuthTestBeforeEachHook = function ({ skippedTests } = { skippedT
 };
 
 const testConfigBeforeHook = async function () {
+  // TODO(NODE-5035): Implement OIDC support. Creating the MongoClient will fail
+  // with "MongoInvalidArgumentError: AuthMechanism 'MONGODB-OIDC' not supported"
+  // as is expected until that ticket goes in. Then this condition gets removed.
+  if (MONGODB_URI && MONGODB_URI.includes('MONGODB-OIDC')) {
+    this.configuration = new TestConfiguration(MONGODB_URI, {});
+    return;
+  }
+
   const client = new MongoClient(loadBalanced ? SINGLE_MONGOS_LB_URI : MONGODB_URI, {
     ...getEnvironmentalOptions(),
     // TODO(NODE-4884): once happy eyeballs support is added, we no longer need to set