diff --git a/.evergreen/.evg.yml b/.evergreen/.evg.yml
index e511c022186..7c1ae2250cc 100644
--- a/.evergreen/.evg.yml
+++ b/.evergreen/.evg.yml
@@ -798,6 +798,30 @@ functions:
 ${PREPARE_SHELL} MONGODB_URI="${MONGODB_URI}" JAVA_VERSION="${JAVA_VERSION}" .evergreen/run-graalvm-native-image-app.sh + "oidc-auth-test-k8s-func": + - command: shell.exec + type: test + params: + shell: bash + include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"] + script: |- + set -o errexit + ${PREPARE_SHELL} + export K8S_VARIANT=${VARIANT} + cd src + git add . + git commit --allow-empty -m "add files" + # uncompressed tar used to allow appending .git folder + export K8S_DRIVERS_TAR_FILE=/tmp/mongo-java-driver.tar + git archive -o $K8S_DRIVERS_TAR_FILE HEAD + tar -rf $K8S_DRIVERS_TAR_FILE .git + export K8S_TEST_CMD="OIDC_ENV=k8s VARIANT=${VARIANT} ./.evergreen/run-mongodb-oidc-test.sh" + bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/setup-pod.sh + bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/run-self-test.sh + source $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/secrets-export.sh + bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/run-driver-test.sh + bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/teardown-pod.sh + # Anchors pre:
@@ -921,6 +945,22 @@ tasks:
 export GCPOIDC_TEST_CMD="OIDC_ENV=gcp ./.evergreen/run-mongodb-oidc-test.sh" bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh + - name: "oidc-auth-test-k8s" + commands: + - command: ec2.assume_role + params: + role_arn: ${aws_test_secrets_role} + duration_seconds: 1800 + - func: "oidc-auth-test-k8s-func" + vars: + VARIANT: eks + - func: "oidc-auth-test-k8s-func" + vars: + VARIANT: aks + - func: "oidc-auth-test-k8s-func" + vars: + VARIANT: gke + - name: serverless-test commands: - func: "run serverless"
@@ -2011,7 +2051,7 @@ task_groups:
 tasks: - testazurekms-task - - name: testoidc_task_group + - name: test-oidc-task-group setup_group: - func: fetch source - func: prepare resources 
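Review bot: Under `set -o errexit`, the `teardown-pod.sh` call at the end of the `oidc-auth-test-k8s-func` script never runs when `run-self-test.sh` or `run-driver-test.sh` exits non-zero, so a failed variant leaves the test pod, together with whatever `secrets-export.sh` handed it, running until something else removes it. Unless the task group's `teardown.sh` is known to delete the pod as well, register the cleanup right after `setup-pod.sh` with `trap 'bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/teardown-pod.sh' EXIT` and drop the trailing call, so teardown runs on both success and failure. The `git add .` plus `git commit --allow-empty -m "add files"` step also commits the entire working tree of `src` before `git archive` and the appended `.git` folder are shipped to the pod, so any file an earlier step dropped into the checkout travels with it; a comment stating that `src` is expected to hold only the driver sources at this point (the existing `# uncompressed tar …` comment is a natural place) would make that assumption visible to the next person who adds a step before it.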
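Review bot: The `ec2.assume_role` session requested with `duration_seconds: 1800` in the new `oidc-auth-test-k8s` task has to outlive three sequential `oidc-auth-test-k8s-func` runs (`eks`, `aks`, `gke`), each of which sets up, tests and tears down its own pod; if a later variant starts after the session has expired, the `AWS_*` values passed through `include_expansions_in_env` are stale and the run fails with an opaque authentication error mid-task. Either re-run `ec2.assume_role` before each `- func: "oidc-auth-test-k8s-func"` entry, or add a comment next to `duration_seconds: 1800` recording the expected per-variant runtime that justifies the value. The `test-oidc-k8s-task-group` later in this diff also calls `ec2.assume_role` in its `setup_group` without a duration, so there are two sessions in play; presumably the task-level one is what the function consumes, and a short comment saying so would save the next reader the guess.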
@@ -2036,7 +2076,7 @@ task_groups:
 tasks: - oidc-auth-test - - name: testazureoidc_task_group + - name: test-oidc-azure-task-group setup_group: - func: fetch source - func: prepare resources
@@ -2059,7 +2099,7 @@ task_groups:
 tasks: - oidc-auth-test-azure - - name: testgcpoidc_task_group + - name: test-oidc-gcp-task-group setup_group: - func: fetch source - func: prepare resources
@@ -2083,6 +2123,33 @@ task_groups:
 tasks: - oidc-auth-test-gcp + - name: test-oidc-k8s-task-group + setup_group_can_fail_task: true + setup_group_timeout_secs: 1800 + teardown_task_can_fail_task: true + teardown_group_timeout_secs: 180 + setup_group: + - func: fetch source + - func: prepare resources + - func: fix absolute paths + - command: ec2.assume_role + params: + role_arn: ${aws_test_secrets_role} + - command: subprocess.exec + params: + binary: bash + include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"] + args: + - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh + teardown_group: + - command: subprocess.exec + params: + binary: bash + args: + - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh + tasks: + - oidc-auth-test-k8s + buildvariants: # Test packaging and other release related routines 
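Review bot: In the new `test-oidc-k8s-task-group`, the `teardown_group` step that runs `k8s/teardown.sh` has no `include_expansions_in_env`, while the matching `setup.sh` step is handed the `AWS_*` credentials from `ec2.assume_role`; if teardown needs the same cloud credentials to delete what setup created, it fails in the teardown phase, where a failure is unlikely to surface as a task failure, and the resources stay up. If that is the case, add `include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]` to that `subprocess.exec` and precede it with a fresh `ec2.assume_role` step, since the session obtained in `setup_group` may have expired by the time the task finishes. `teardown_group_timeout_secs: 180` is also a tenth of the `setup_group_timeout_secs: 1800` given to setup; a comment on why teardown is expected to be that much faster, or a larger value, would avoid a timed-out cleanup. The two rename hunks above (`test-oidc-azure-task-group`, `test-oidc-gcp-task-group`) are fine as is.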
@@ -2254,21 +2321,28 @@ buildvariants:
 display_name: "OIDC Auth" run_on: ubuntu2204-small tasks: - - name: testoidc_task_group + - name: test-oidc-task-group batchtime: 20160 # 14 days -- name: testazureoidc-variant +- name: test-oidc-azure-variant display_name: "OIDC Auth Azure" run_on: ubuntu2204-small tasks: - - name: testazureoidc_task_group + - name: test-oidc-azure-task-group batchtime: 20160 # 14 days -- name: testgcpoidc-variant +- name: test-oidc-gcp-variant display_name: "OIDC Auth GCP" run_on: ubuntu2204-small tasks: - - name: testgcpoidc_task_group + - name: test-oidc-gcp-task-group + batchtime: 20160 # 14 days + +- name: test-oidc-k8s-variant + display_name: "OIDC Auth K8S" + run_on: ubuntu2204-small + tasks: + - name: test-oidc-k8s-task-group batchtime: 20160 # 14 days - matrix_name: "aws-auth-test"
diff --git a/.evergreen/run-mongodb-oidc-test.sh b/.evergreen/run-mongodb-oidc-test.sh
index ec2b2c19610..55b0599fd02 100755
--- a/.evergreen/run-mongodb-oidc-test.sh
+++ b/.evergreen/run-mongodb-oidc-test.sh
@@ -19,6 +19,16 @@ elif [ $OIDC_ENV == "azure" ]; then
 source ./env.sh elif [ $OIDC_ENV == "gcp" ]; then source ./secrets-export.sh +elif [ $OIDC_ENV == "k8s" ]; then + # Make sure K8S_VARIANT is set. + if [ -z "$K8S_VARIANT" ]; then + echo "Must specify K8S_VARIANT" + popd + exit 1 + fi + + # fix for git permissions issue: + git config --global --add safe.directory /tmp/test else echo "Unrecognized OIDC_ENV $OIDC_ENV" exit 1
diff --git a/driver-core/src/main/com/mongodb/MongoCredential.java b/driver-core/src/main/com/mongodb/MongoCredential.java
index f55251a7603..6e83e54a3cf 100644
--- a/driver-core/src/main/com/mongodb/MongoCredential.java
+++ b/driver-core/src/main/com/mongodb/MongoCredential.java
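Review bot: `git config --global --add safe.directory /tmp/test` in the new `k8s` branch of `run-mongodb-oidc-test.sh` adds a path under world-writable `/tmp` to the global trusted-repository list, which is precisely the ownership check `safe.directory` exists to enforce, and the comment `# fix for git permissions issue:` does not say why that is acceptable here. Since `K8S_TEST_CMD` in the Evergreen function runs this script inside the test pod, the global config is presumably ephemeral and the checkout is presumably unpacked to `/tmp/test` under a different uid than the one running the tests; if so, replace the comment with something like `# The driver checkout is unpacked to /tmp/test inside the ephemeral test pod under a different uid, so git refuses it without this entry` (adjusted to the actual reason), and keep `/tmp/test` tied to wherever the pod setup scripts extract the tar so the two cannot drift apart. The `popd` before `exit 1` pairs with a `pushd` that is outside the hunk. The new `elif [ $OIDC_ENV == "k8s" ]` repeats the unquoted `$OIDC_ENV` of the surrounding branches; `[ "$OIDC_ENV" == "k8s" ]` keeps the script from throwing a syntax error instead of the intended `Unrecognized OIDC_ENV` message when the variable is empty.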
@@ -189,7 +189,7 @@ public final class MongoCredential {
 /** * Mechanism property key for specifying the environment for OIDC, which is * the name of a built-in OIDC application environment integration to use - * to obtain credentials. The value must be either "gcp" or "azure". + * to obtain credentials. The value must be either "k8s", "gcp", or "azure". * This is an alternative to supplying a callback. *
* The "gcp" and "azure" environments require
@@ -199,6 +199,11 @@ public final class MongoCredential {
 * {@link MongoCredential#OIDC_CALLBACK_KEY} and * {@link MongoCredential#OIDC_HUMAN_CALLBACK_KEY} * must not be provided. + *
+ * The "k8s" environment will check the env vars + * {@code AZURE_FEDERATED_TOKEN_FILE}, and then {@code AWS_WEB_IDENTITY_TOKEN_FILE}, + * for the token file path, and if neither is set will then use the path + * {@code /var/run/secrets/kubernetes.io/serviceaccount/token}. * * @see #createOidcCredential(String) * @see MongoCredential#TOKEN_RESOURCE_KEY
@@ -265,7 +265,7 @@ public final class MongoCredential {
 "*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", "*.mongodbgov.net", "localhost", "127.0.0.1", "::1")); /** - * Mechanism property key for specifying he URI of the target resource (sometimes called the audience), + * Mechanism property key for specifying the URI of the target resource (sometimes called the audience), * used in some OIDC environments. * *
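Review bot: The new javadoc paragraph for the `"k8s"` environment describes the token-file lookup order but does not say whether `TOKEN_RESOURCE_KEY` is required, optional or rejected for it, while the sentence just above (`The "gcp" and "azure" environments require …`, which continues outside the hunk) settles exactly that for the other two values; add one sentence such as `The "k8s" environment does not use {@link MongoCredential#TOKEN_RESOURCE_KEY}.` if that is the behavior, or the corresponding requirement if it is not. Because the file path is taken from `AZURE_FEDERATED_TOKEN_FILE` or `AWS_WEB_IDENTITY_TOKEN_FILE`, it would also help deployers to state that those variables are read from the process environment as-is, so whoever controls the environment controls which file is presented as the access token; hedge or drop that sentence if the authenticator validates the path in a way not visible here. Minor style: `env vars` is shorthand in an otherwise formal javadoc, and `environment variables` reads better.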
A TOKEN_RESOURCE with a comma character must be given as a `MongoClient` configuration and not as
diff --git a/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java b/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
index 3d778ae0349..99fcee788ed 100644
--- a/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
+++ b/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
@@ -76,10 +76,11 @@ public final class OidcAuthenticator extends SaslAuthenticator {
private static final String TEST_ENVIRONMENT = "test";
private static final String AZURE_ENVIRONMENT = "azure";
private static final String GCP_ENVIRONMENT = "gcp";
+ private static final String K8S_ENVIRONMENT = "k8s";
private static final List