feat(NODE-5464): OIDC machine workflow

Author: durran

.evergreen/config.in.yml

@@ -171,10 +171,29 @@ functions:
           ${PREPARE_SHELL}
 
           OIDC_TOKEN_DIR="/tmp/tokens" \
+          PROVIDER_NAME="aws" \
           AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \
+          OIDC_ATLAS_URI_SINGLE="${OIDC_ATLAS_URI_SINGLE}" \
+          OIDC_ATLAS_URI_MULTI="${OIDC_ATLAS_URI_MULTI}" \
           PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
             bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
 
+  "run oidc auth tests aws":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        timeout_secs: 300
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          OIDC_TOKEN_DIR="/tmp/tokens" \
+          PROVIDER_NAME="aws" \
+          AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \
+          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-auth-tests.sh
+
   "run tests":
     - command: shell.exec
       type: test
@@ -1271,8 +1290,28 @@ tasks:
           env:
             DRIVERS_TOOLS: ${DRIVERS_TOOLS}
             PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
-            AZUREOIDC_CLIENTID: ${testazureoidc_clientid}
             PROVIDER_NAME: azure
+            SCRIPT: run-oidc-tests.sh
+          args:
+            - .evergreen/run-oidc-tests-azure.sh
+
+  - name: "oidc-auth-test-azure-latest-auth"
+    commands:
+      - command: expansions.update
+        type: setup
+        params:
+          updates:
+            - { key: NPM_VERSION, value: "9" }
+      - func: "install dependencies"
+      - command: subprocess.exec
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            PROVIDER_NAME: azure
+            SCRIPT: run-oidc-auth-tests.sh
           args:
             - .evergreen/run-oidc-tests-azure.sh
 
@@ -1427,14 +1466,9 @@ task_groups:
           script: |-
             set -o errexit
             ${PREPARE_SHELL}
-            export AZUREOIDC_CLIENTID="${testazureoidc_clientid}"
-            export AZUREOIDC_TENANTID="${testazureoic_tenantid}"
-            export AZUREOIDC_SECRET="${testazureoidc_secret}"
-            export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault}
-            export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS"
             export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
             $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
-    teardown_group:
+    teardown_task:
       - command: shell.exec
         params:
           shell: bash
@@ -1446,6 +1480,29 @@ task_groups:
     tasks:
       - oidc-auth-test-azure-latest
 
+  - name: testazureoidcauth_task_group
+    setup_group:
+      - func: fetch source
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest-auth
+
   - name: test_atlas_task_group
     setup_group:
       - func: fetch source

.evergreen/config.yml

@@ -142,9 +142,27 @@ functions:
           ${PREPARE_SHELL}
 
           OIDC_TOKEN_DIR="/tmp/tokens" \
+          PROVIDER_NAME="aws" \
           AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \
+          OIDC_ATLAS_URI_SINGLE="${OIDC_ATLAS_URI_SINGLE}" \
+          OIDC_ATLAS_URI_MULTI="${OIDC_ATLAS_URI_MULTI}" \
           PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
             bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-tests.sh
+  run oidc auth tests aws:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src
+        timeout_secs: 300
+        shell: bash
+        script: |
+          ${PREPARE_SHELL}
+
+          OIDC_TOKEN_DIR="/tmp/tokens" \
+          PROVIDER_NAME="aws" \
+          AWS_WEB_IDENTITY_TOKEN_FILE="/tmp/tokens/test_user1" \
+          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
+            bash ${PROJECT_DIRECTORY}/.evergreen/run-oidc-auth-tests.sh
   run tests:
     - command: shell.exec
       type: test
@@ -1222,8 +1240,27 @@ tasks:
           env:
             DRIVERS_TOOLS: ${DRIVERS_TOOLS}
             PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
-            AZUREOIDC_CLIENTID: ${testazureoidc_clientid}
             PROVIDER_NAME: azure
+            SCRIPT: run-oidc-tests.sh
+          args:
+            - .evergreen/run-oidc-tests-azure.sh
+  - name: oidc-auth-test-azure-latest-auth
+    commands:
+      - command: expansions.update
+        type: setup
+        params:
+          updates:
+            - {key: NPM_VERSION, value: '9'}
+      - func: install dependencies
+      - command: subprocess.exec
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            PROVIDER_NAME: azure
+            SCRIPT: run-oidc-auth-tests.sh
           args:
             - .evergreen/run-oidc-tests-azure.sh
   - name: test-aws-lambda-deployed
@@ -1837,6 +1874,25 @@ tasks:
       - func: bootstrap mongo-orchestration
       - func: setup oidc roles
       - func: run oidc tests aws
+  - name: test-auth-oidc-aws
+    tags:
+      - latest
+      - replica_set
+      - oidc
+    commands:
+      - command: expansions.update
+        type: setup
+        params:
+          updates:
+            - {key: VERSION, value: latest}
+            - {key: TOPOLOGY, value: replica_set}
+            - {key: AUTH, value: auth}
+            - {key: ORCHESTRATION_FILE, value: auth-oidc.json}
+      - func: install dependencies
+      - func: bootstrap oidc
+      - func: bootstrap mongo-orchestration
+      - func: setup oidc roles
+      - func: run oidc auth tests aws
   - name: test-socks5
     tags: []
     commands:
@@ -3814,14 +3870,9 @@ task_groups:
           script: |-
             set -o errexit
             ${PREPARE_SHELL}
-            export AZUREOIDC_CLIENTID="${testazureoidc_clientid}"
-            export AZUREOIDC_TENANTID="${testazureoic_tenantid}"
-            export AZUREOIDC_SECRET="${testazureoidc_secret}"
-            export AZUREOIDC_KEYVAULT=${testazureoidc_keyvault}
-            export AZUREOIDC_DRIVERS_TOOLS="$DRIVERS_TOOLS"
             export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
             $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
-    teardown_group:
+    teardown_task:
       - command: shell.exec
         params:
           shell: bash
@@ -3832,6 +3883,28 @@ task_groups:
     setup_group_timeout_secs: 1800
     tasks:
       - oidc-auth-test-azure-latest
+  - name: testazureoidcauth_task_group
+    setup_group:
+      - func: fetch source
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_VMNAME_PREFIX="NODE_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest-auth
   - name: test_atlas_task_group
     setup_group:
       - func: fetch source
@@ -3947,6 +4020,7 @@ buildvariants:
       - test-auth-kerberos
       - test-auth-ldap
       - test-auth-oidc
+      - test-auth-oidc-aws
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -3998,6 +4072,7 @@ buildvariants:
       - test-auth-kerberos
       - test-auth-ldap
       - test-auth-oidc
+      - test-auth-oidc-aws
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -4049,6 +4124,7 @@ buildvariants:
       - test-auth-kerberos
       - test-auth-ldap
       - test-auth-oidc
+      - test-auth-oidc-aws
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -4099,6 +4175,7 @@ buildvariants:
       - test-auth-kerberos
       - test-auth-ldap
       - test-auth-oidc
+      - test-auth-oidc-aws
       - test-socks5
       - test-socks5-csfle
       - test-socks5-tls
@@ -4386,6 +4463,18 @@ buildvariants:
     tasks:
       - test_azurekms_task_group
       - test-azurekms-fail-task
+  - name: ubuntu20-test-azure-oidc
+    display_name: Azure OIDC
+    run_on: ubuntu2004-small
+    batchtime: 20160
+    tasks:
+      - testazureoidc_task_group
+  - name: ubuntu20-test-azure-oidc-auth
+    display_name: Azure OIDC Auth Tests
+    run_on: ubuntu2004-small
+    batchtime: 20160
+    tasks:
+      - testazureoidcauth_task_group
   - name: rhel8-test-atlas
     display_name: Atlas Cluster Tests
     run_on: rhel80-large

.evergreen/generate_evergreen_tasks.js

@@ -199,6 +199,23 @@ TASKS.push(
         { func: 'run oidc tests aws' }
       ]
     },
+    {
+      name: 'test-auth-oidc-aws',
+      tags: ['latest', 'replica_set', 'oidc'],
+      commands: [
+        updateExpansions({
+          VERSION: 'latest',
+          TOPOLOGY: 'replica_set',
+          AUTH: 'auth',
+          ORCHESTRATION_FILE: 'auth-oidc.json'
+        }),
+        { func: 'install dependencies' },
+        { func: 'bootstrap oidc' },
+        { func: 'bootstrap mongo-orchestration' },
+        { func: 'setup oidc roles' },
+        { func: 'run oidc auth tests aws' }
+      ]
+    },
     {
       name: 'test-socks5',
       tags: [],
@@ -710,16 +727,21 @@ BUILD_VARIANTS.push({
   tasks: ['test_azurekms_task_group', 'test-azurekms-fail-task']
 });
 
-// TODO(DRIVERS-2416/NODE-4929) - Azure credentials are expired, a new drivers ticket
-//   should be created but at the moment for our test failures we will reference the
-//   open DRIVERS ticket and completed NODE ticket.
-// BUILD_VARIANTS.push({
-//   name: 'ubuntu20-test-azure-oidc',
-//   display_name: 'Azure OIDC',
-//   run_on: UBUNTU_20_OS,
-//   batchtime: 20160,
-//   tasks: ['testazureoidc_task_group']
-// });
+BUILD_VARIANTS.push({
+  name: 'ubuntu20-test-azure-oidc',
+  display_name: 'Azure OIDC',
+  run_on: UBUNTU_20_OS,
+  batchtime: 20160,
+  tasks: ['testazureoidc_task_group']
+});
+
+BUILD_VARIANTS.push({
+  name: 'ubuntu20-test-azure-oidc-auth',
+  display_name: 'Azure OIDC Auth Tests',
+  run_on: UBUNTU_20_OS,
+  batchtime: 20160,
+  tasks: ['testazureoidcauth_task_group']
+});
 
 BUILD_VARIANTS.push({
   name: 'rhel8-test-atlas',

.evergreen/run-oidc-auth-tests.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -o errexit  # Exit the script with error if any of the commands fail
+set -o xtrace   # Write all commands first to stderr
+
+PROVIDER_NAME=${PROVIDER_NAME:-"aws"}
+PROJECT_DIRECTORY=${PROJECT_DIRECTORY:-"."}
+source "${PROJECT_DIRECTORY}/.evergreen/init-node-and-npm-env.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://127.0.0.1:27017"}
+
+export OIDC_TOKEN_DIR=${OIDC_TOKEN_DIR}
+
+export MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+
+if [ "$PROVIDER_NAME" = "azure" ]; then
+  if [ -z "${AZUREOIDC_CLIENTID}" ]; then
+    echo "Must specify an AZUREOIDC_CLIENTID"
+    exit 1
+  fi
+
+  export UTIL_CLIENT_USER=$AZUREOIDC_USERNAME
+  export UTIL_CLIENT_PASSWORD="pwd123"
+  MONGODB_URI="${MONGODB_URI}/?authMechanism=MONGODB-OIDC"
+  MONGODB_URI="${MONGODB_URI}&authMechanismProperties=PROVIDER_NAME:azure"
+  MONGODB_URI="${MONGODB_URI},TOKEN_AUDIENCE:api%3A%2F%2F${AZUREOIDC_CLIENTID}"
+  export MONGODB_URI="${MONGODB_URI},TOKEN_CLIENT_ID:${AZUREOIDC_TOKENCLIENT}"
+else
+  if [ -z "${OIDC_TOKEN_DIR}" ]; then
+    echo "Must specify OIDC_TOKEN_DIR"
+    exit 1
+  fi
+
+  export UTIL_CLIENT_USER="bob"
+  export UTIL_CLIENT_PASSWORD="pwd123"
+  export MONGODB_URI="${MONGODB_URI}/test?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws"
+fi
+
+npm run check:oidc-auth

.evergreen/run-oidc-tests-azure.sh

@@ -4,8 +4,7 @@ set -o errexit  # Exit the script with error if any of the commands fail
 
 export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/node-mongodb-native.tgz
 tar czf $AZUREOIDC_DRIVERS_TAR_FILE .
-export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/run-oidc-tests.sh"
-export AZUREOIDC_CLIENTID=$AZUREOIDC_CLIENTID
+export AZUREOIDC_TEST_CMD="source ./env.sh && PROVIDER_NAME=azure ./.evergreen/${SCRIPT}"
 export PROJECT_DIRECTORY=$PROJECT_DIRECTORY
 export PROVIDER_NAME=$PROVIDER_NAME
 bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh