RUBY-3303 Add OIDC machine workflow auth

Author: durran

.evergreen/config.yml

@@ -454,6 +454,34 @@ functions:
 
           CRYPT_SHARED_LIB_PATH="${CRYPT_SHARED_LIB_PATH}" SERVERLESS=1 SSL=ssl RVM_RUBY="${RVM_RUBY}" SINGLE_MONGOS="${SINGLE_MONGOS}" SERVERLESS_URI="${SERVERLESS_URI}" FLE="${FLE}" SERVERLESS_MONGODB_VERSION="${SERVERLESS_MONGODB_VERSION}" .evergreen/run-tests-serverless.sh
 
+  "run oidc prose tests":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        binary: bash
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+          ENVIRONMENT: ${ENVIRONMENT}
+          RVM_RUBY: ${RVM_RUBY}
+        args:
+          - .evergreen/run-tests-oidc-prose.sh
+
+  "run oidc unified tests":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        binary: bash
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+          ENVIRONMENT: ${ENVIRONMENT}
+          RVM_RUBY: ${RVM_RUBY}
+        args:
+          - .evergreen/run-tests-oidc-unified.sh
+
 pre:
   - func: "fetch source"
   - func: "create expansions"
@@ -751,6 +779,77 @@ task_groups:
     tasks:
       - testazurekms-task
 
+  - name: test_oidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          env:
+            MONGODB_VERSION: '8.0'
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-latest
+
+  - name: test_oidc_azure_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_VMNAME_PREFIX="RUBY_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/setup.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
+
+  - name: test_oidc_gcp_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export GCPOIDC_VMNAME_PREFIX="RUBY_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/setup.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-gcp-latest
+
 tasks:
   - name: "test-atlas"
     commands:
@@ -895,8 +994,35 @@ tasks:
             LAMBDA_STACK_NAME: "dbx-ruby-lambda"
             RVM_RUBY: ruby-3.2
             MONGODB_URI: ${MONGODB_URI}
-axes:
 
+  - name: oidc-auth-test-latest
+    commands:
+      - func: "run oidc prose tests"
+        vars:
+          ENVIRONMENT: test
+      - func: "run oidc unified tests"
+        vars:
+          ENVIRONMENT: test
+
+  - name: oidc-auth-test-azure-latest
+    commands:
+      - func: "run oidc prose tests"
+        vars:
+          ENVIRONMENT: azure
+      - func: "run oidc unified tests"
+        vars:
+          ENVIRONMENT: azure
+
+  - name: oidc-auth-test-gcp-latest
+    commands:
+      - func: "run oidc prose tests"
+        vars:
+          ENVIRONMENT: gcp
+      - func: "run oidc unified tests"
+        vars:
+          ENVIRONMENT: gcp
+
+axes:
   - id: preload
     display_name: Preload server
     values:
@@ -1898,3 +2024,16 @@ buildvariants:
     display_name: "AWS Lambda"
     tasks:
        - name: test_aws_lambda_task_group
+
+  - matrix_name: test-oidc-variant
+    matrix_spec:
+      ruby: "ruby-3.2"
+      fle: helper
+      topology: standalone
+      os: ubuntu2004
+      mongodb-version: latest
+    display_name: "OIDC auth tests: latest ruby-3.2"
+    tasks:
+      - test_oidc_task_group
+      - test_oidc_azure_task_group
+      - test_oidc_gcp_task_group

.evergreen/run-tests-oidc-prose.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+ENVIRONMENT=${ENVIRONMENT:-"test"}
+
+. `dirname "$0"`/../spec/shared/shlib/distro.sh
+. `dirname "$0"`/../spec/shared/shlib/set_env.sh
+. `dirname "$0"`/functions.sh
+
+set_env_vars
+set_env_python
+set_env_ruby
+
+bundle_install
+bundle exec rspec -fd spec/integration/oidc/${ENVIRONMENT}_machine_auth_flow_prose_spec.rb
+
+test_status=$?
+
+kill_jruby
+
+exit ${test_status}

.evergreen/run-tests-oidc-unified.sh

@@ -27,6 +27,7 @@
 require 'mongo/auth/cr'
 require 'mongo/auth/gssapi'
 require 'mongo/auth/ldap'
+require 'mongo/auth/oidc'
 require 'mongo/auth/scram'
 require 'mongo/auth/scram256'
 require 'mongo/auth/x509'
@@ -70,6 +71,7 @@ module Auth
       aws: Aws,
       gssapi: Gssapi,
       mongodb_cr: CR,
+      mongodb_oidc: Oidc,
       mongodb_x509: X509,
       plain: LDAP,
       scram: Scram,
@@ -89,7 +91,7 @@ module Auth
     #   value of speculativeAuthenticate field of hello response of
     #   the handshake on the specified connection.
     #
-    # @return [ Auth::Aws | Auth::CR | Auth::Gssapi | Auth::LDAP |
+    # @return [ Auth::Aws | Auth::CR | Auth::Gssapi | Auth::LDAP | Auth::Oidc
     #   Auth::Scram | Auth::Scram256 | Auth::X509 ] The authenticator.
     #
     # @since 2.0.0

.mod/drivers-evergreen-tools

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2014-2024 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+
+    # Defines behavior for OIDC authentication.
+    #
+    # @api private
+    class Oidc < Base
+      attr_reader :speculative_auth_result
+
+      # The authentication mechanism string.
+      #
+      # @since 2.20.0
+      MECHANISM = 'MONGODB-OIDC'.freeze
+
+      # Initializes the OIDC authenticator.
+      #
+      # @param [ Auth::User ] user The user to authenticate.
+      # @param [ Mongo::Connection ] connection The connection to authenticate over.
+      #
+      # @option opts [ BSON::Document | nil ] speculative_auth_result The
+      #   value of speculativeAuthenticate field of hello response of
+      #   the handshake on the specified connection.
+      def initialize(user, connection, **opts)
+        super
+        @speculative_auth_result = opts[:speculative_auth_result]
+        @machine_workflow = MachineWorkflow::new(auth_mech_properties: user.auth_mech_properties)
+      end
+
+      # Log the user in on the current connection.
+      #
+      # @return [ BSON::Document ] The document of the authentication response.
+      def login
+        execute_workflow(connection: connection, conversation: conversation)
+      end
+
+      private
+
+      def execute_workflow(connection:, conversation:)
+        # If there is a cached access token, try to authenticate with it. If
+        # authentication fails with an Authentication error (18),
+        # invalidate the access token, fetch a new access token, and try
+        # to authenticate again.
+        # If the server fails for any other reason, do not clear the cache.
+        if cache.access_token?
+          token = cache.access_token
+          msg = conversation.start(connection: connection, token: token)
+          begin
+            dispatch_msg(connection, conversation, msg)
+          rescue AuthError => error
+            cache.invalidate(token: token)
+            execute_workflow(connection: connection, conversation: conversation)
+          end
+        end
+        # This is the normal flow when no token is in the cache. Execute the
+        # machine callback to get the token, put it in the caches, and then
+        # send the saslStart to the server.
+        token = machine_workflow.execute
+        cache.access_token = token
+        connection.access_token = token
+        msg = conversation.start(connection: connection, token: token)
+        dispatch_msg(connection, conversation, msg)
+      end
+    end
+  end
+end
+
+require 'mongo/auth/oidc/conversation'
+require 'mongo/auth/oidc/machine_workflow'
+require 'mongo/auth/oidc/token_cache'

lib/mongo/auth.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      # Defines behaviour around a single OIDC conversation between the
+      # client and the server.
+      #
+      # @api private
+      class Conversation < ConversationBase
+        # The base client message.
+        START_MESSAGE = { saslStart: 1, mechanism: Oidc::MECHANISM }.freeze
+
+        # Create the new conversation.
+        #
+        # @example Create the new conversation.
+        #   Conversation.new(user, 'test.example.com')
+        #
+        # @param [ Auth::User ] user The user to converse about.
+        # @param [ Mongo::Connection ] connection The connection to
+        #   authenticate over.
+        #
+        # @since 2.20.0
+        def initialize(user, connection, **opts)
+          super
+        end
+
+        # OIDC machine workflow is always a saslStart with the payload being
+        # the serialized jwt token.
+        #
+        # @param [ String ] token The access token.
+        #
+        # @return [ Hash ] The start document.
+        def client_start_document(token:)
+          START_MESSAGE.merge(payload: finish_payload(token: token))
+        end
+
+        # Gets the serialized jwt payload for the token.
+        #
+        # @param [ String ] token The access token.
+        #
+        # @return [ BSON::Binary ] The serialized payload.
+        def finish_payload(token:)
+          payload = { jwt: token }.to_bson.to_s
+          BSON::Binary.new(payload)
+        end
+
+        # Start the OIDC conversation. This returns the first message that
+        # needs to be sent to the server.
+        #
+        # @param [ Server::Connection ] connection The connection being authenticated.
+        #
+        # @return [ Protocol::Message ] The first OIDC conversation message.
+        def start(connection:, token:)
+          selector = client_start_document(token: token)
+          build_message(connection, '$external', selector)
+        end
+      end
+    end
+  end
+end