CSHARP-5026: Add Kubernetes Support for OIDC (#1560)

Author: sanych-sun

evergreen/evergreen.yml

@@ -1042,6 +1042,26 @@ functions:
           fi
           ./evergreen/upload-apidocs.sh
 
+  run_oidc_k8s_tests:
+    - command: shell.exec
+      params:
+        shell: bash
+        working_dir: mongo-csharp-driver
+        include_expansions_in_env:
+          - "AWS_ACCESS_KEY_ID"
+          - "AWS_SECRET_ACCESS_KEY"
+          - "AWS_SESSION_TOKEN"
+        script: |
+          ${PREPARE_SHELL}
+
+          export K8S_VARIANT=${K8S_VARIANT}
+          export K8S_DRIVERS_TAR_FILE=/tmp/mongo-csharp-driver.tgz
+          export K8S_TEST_CMD="OIDC_ENV=k8s ./evergreen/run-mongodb-oidc-env-tests.sh"
+
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/setup-pod.sh
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/run-driver-test.sh
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/teardown-pod.sh
+
 pre:
   - func: fetch-source
   - func: prepare-resources
@@ -1289,6 +1309,27 @@ tasks:
               export GCPOIDC_TEST_CMD="OIDC_ENV=gcp ./evergreen/run-mongodb-oidc-env-tests.sh"
               bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh
 
+    - name: test-oidc-k8s
+      commands:
+        - command: shell.exec
+          params:
+            shell: bash
+            working_dir: mongo-csharp-driver
+            script: |-
+              ${PREPARE_SHELL}
+              dotnet build
+              tar czf /tmp/mongo-csharp-driver.tgz tests/*.Tests/bin/Debug/net6.0/ ./evergreen/run-mongodb-oidc-env-tests.sh
+        - func: assume-ec2-role
+        - func: run_oidc_k8s_tests
+          vars:
+            K8S_VARIANT: eks
+        - func: run_oidc_k8s_tests
+          vars:
+            K8S_VARIANT: gke
+        - func: run_oidc_k8s_tests
+          vars:
+            K8S_VARIANT: aks
+
     - name: test-serverless
       exec_timeout_secs: 2700 # 45 minutes: 15 for setup + 30 for tests
       commands:
@@ -2251,6 +2292,34 @@ task_groups:
     tasks:
       - test-oidc-gcp
 
+  - name: oidc-auth-k8s-task-group
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800 # 30 minutes
+    setup_group:
+      - func: fetch-source
+      - func: prepare-resources
+      - func: fix-absolute-paths
+      - func: make-files-executable
+      - func: install-dotnet
+      - func: assume-ec2-role
+      - command: subprocess.exec
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - "AWS_ACCESS_KEY_ID"
+            - "AWS_SECRET_ACCESS_KEY"
+            - "AWS_SESSION_TOKEN"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_group:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    tasks:
+      - test-oidc-k8s
+
   - name: serverless-task-group
     setup_group_can_fail_task: true
     setup_group_timeout_secs: 1800 # 30 minutes
@@ -2448,6 +2517,13 @@ buildvariants:
   tasks:
     - name: oidc-auth-gcp-task-group
 
+- matrix_name: mongodb-oidc-k8s-tests
+  matrix_spec: { os: [ "ubuntu-2004" ] }
+  display_name: "MongoDB-OIDC Auth (k8s) - ${os}"
+  batchtime: 20160 # 14 days
+  tasks:
+    - name: oidc-auth-k8s-task-group
+
 - matrix_name: "ocsp-tests"
   matrix_spec: { version: ["4.4", "5.0", "6.0", "7.0", "8.0", "rapid", "latest"], auth: "noauth", ssl: "ssl", topology: "standalone", os: "windows-64" }
   display_name: "OCSP ${version} ${os}"

evergreen/run-mongodb-oidc-env-tests.sh

@@ -7,7 +7,7 @@ DOTNET_SDK_PATH="$(pwd)/.dotnet"
 
 echo "Downloading .NET SDK installer into $DOTNET_SDK_PATH folder..."
 curl -Lfo ./dotnet-install.sh https://dot.net/v1/dotnet-install.sh
-echo "Installing .NET LTS SDK..."
+echo "Installing .NET 6.0 SDK..."
 bash ./dotnet-install.sh --channel 6.0 --install-dir "$DOTNET_SDK_PATH" --no-path
 export PATH=$DOTNET_SDK_PATH:$PATH
 
@@ -17,6 +17,8 @@ if [ "$OIDC_ENV" == "azure" ]; then
 elif [ "$OIDC_ENV" == "gcp" ]; then
   source ./secrets-export.sh
   TOKEN_RESOURCE="$GCPOIDC_AUDIENCE"
+elif [ "$OIDC_ENV" == "k8s" ]; then
+  source ./secrets-export.sh
 else
   echo "Unrecognized OIDC_ENV $OIDC_ENV"
   exit 1
@@ -33,4 +35,7 @@ fi
 
 sleep 60 # sleep for 1 minute to let cluster make the master election
 
+# need set DOTNET_SYSTEM_GLOBALIZATION_INVARIANT to avoid "Couldn't find a valid ICU package installed on the system." error
+export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
+
 dotnet test --no-build --framework net6.0 --filter Category=MongoDbOidc -e OIDC_ENV="$OIDC_ENV" -e TOKEN_RESOURCE="$TOKEN_RESOURCE" -e MONGODB_URI="$MONGODB_URI" --results-directory ./build/test-results --logger "console;verbosity=detailed" ./tests/**/*.Tests.dll

specifications/auth/tests/legacy/connection-string.json

@@ -626,6 +626,26 @@
       "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp",
       "valid": false,
       "credential": null
+    },
+    {
+      "description": "should recognise the mechanism with k8s provider (MONGODB-OIDC)",
+      "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s",
+      "valid": true,
+      "credential": {
+        "username": null,
+        "password": null,
+        "source": "$external",
+        "mechanism": "MONGODB-OIDC",
+        "mechanism_properties": {
+          "ENVIRONMENT": "k8s"
+        }
+      }
+    },
+    {
+      "description": "should throw an error for a username and password with k8s provider (MONGODB-OIDC)",
+      "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s",
+      "valid": false,
+      "credential": null
     }
   ]
 }

specifications/auth/tests/legacy/connection-string.yml

@@ -454,3 +454,18 @@ tests:
   uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp
   valid: false
   credential: null
+- description: should recognise the mechanism with k8s provider (MONGODB-OIDC)
+  uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
+  valid: true
+  credential:
+    username: null
+    password: null
+    source: $external
+    mechanism: MONGODB-OIDC
+    mechanism_properties:
+      ENVIRONMENT: k8s
+- description: should throw an error for a username and password with k8s provider
+    (MONGODB-OIDC)
+  uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
+  valid: false
+  credential: null

src/MongoDB.Driver/Authentication/Oidc/FileOidcCallback.cs

@@ -13,7 +13,7 @@
 * limitations under the License.
 */
 
-using System.IO;
+using System;
 using System.Threading;
 using System.Threading.Tasks;
 using MongoDB.Driver.Core.Misc;
@@ -22,35 +22,51 @@ namespace MongoDB.Driver.Authentication.Oidc
 {
     internal sealed class FileOidcCallback : IOidcCallback
     {
+        private readonly IFileSystemProvider _fileSystemProvider;
+
         #region static
-        public static FileOidcCallback CreateFromEnvironmentVariable(string environmentVariableName, IEnvironmentVariableProvider environmentVariableProvider)
+        public static FileOidcCallback CreateFromEnvironmentVariable(
+            IEnvironmentVariableProvider environmentVariableProvider,
+            IFileSystemProvider fileSystemProvider,
+            string[] environmentVariableNames,
+            string defaultPath = null)
         {
-            var tokenPath = Ensure.IsNotNull(environmentVariableProvider, nameof(environmentVariableProvider)).GetEnvironmentVariable(environmentVariableName);
-            return new FileOidcCallback(tokenPath);
+            Ensure.IsNotNull(environmentVariableProvider, nameof(environmentVariableProvider));
+            Ensure.IsNotNull(fileSystemProvider, nameof(fileSystemProvider));
+            Ensure.IsNotNullOrEmpty(environmentVariableNames, nameof(environmentVariableNames));
+
+            string filePath = null;
+            foreach (var variableName in environmentVariableNames)
+            {
+                filePath = environmentVariableProvider.GetEnvironmentVariable(variableName);
+                if (!string.IsNullOrEmpty(filePath))
+                {
+                    break;
+                }
+            }
+
+            filePath ??= defaultPath;
+            return new FileOidcCallback(fileSystemProvider, filePath);
         }
         #endregion
 
-        private readonly string _path;
-
-        public FileOidcCallback(string path)
+        public FileOidcCallback(IFileSystemProvider fileSystemProvider, string filePath)
         {
-            _path = Ensure.IsNotNullOrEmpty(path, nameof(path));
+            _fileSystemProvider = Ensure.IsNotNull(fileSystemProvider, nameof(fileSystemProvider));
+            FilePath = Ensure.IsNotNullOrEmpty(filePath, nameof(filePath));
         }
 
+        public string FilePath { get; }
+
         public OidcAccessToken GetOidcAccessToken(OidcCallbackParameters parameters, CancellationToken cancellationToken)
         {
-            var accessToken = File.ReadAllText(_path);
+            var accessToken = _fileSystemProvider.File.ReadAllText(FilePath);
             return new(accessToken, expiresIn: null);
         }
 
         public async Task<OidcAccessToken> GetOidcAccessTokenAsync(OidcCallbackParameters parameters, CancellationToken cancellationToken)
         {
-#if NETSTANDARD2_1_OR_GREATER || NET6_0_OR_GREATER
-            var accessToken = await File.ReadAllTextAsync(_path, cancellationToken).ConfigureAwait(false);
-#else
-            using var streamReader = new StreamReader(_path, System.Text.Encoding.UTF8, detectEncodingFromByteOrderMarks: true);
-            var accessToken = await streamReader.ReadToEndAsync().ConfigureAwait(false); // no support for cancellationToken
-#endif
+            var accessToken = await _fileSystemProvider.File.ReadAllTextAsync(FilePath).ConfigureAwait(false);
             return new(accessToken, expiresIn: null);
         }
     }

src/MongoDB.Driver/Authentication/Oidc/OidcCallbackAdapterFactory.cs

@@ -26,16 +26,21 @@ internal interface IOidcCallbackAdapterFactory
 
     internal class OidcCallbackAdapterCachingFactory : IOidcCallbackAdapterFactory
     {
-        public static readonly OidcCallbackAdapterCachingFactory Instance = new(SystemClock.Instance, EnvironmentVariableProvider.Instance);
+        public static readonly OidcCallbackAdapterCachingFactory Instance = new(SystemClock.Instance, EnvironmentVariableProvider.Instance, FileSystemProvider.Instance);
 
         private readonly IClock _clock;
         private readonly IEnvironmentVariableProvider _environmentVariableProvider;
+        private readonly IFileSystemProvider _fileSystemProvider;
         private readonly ConcurrentDictionary<OidcConfiguration, IOidcCallbackAdapter> _cache = new();
 
-        public OidcCallbackAdapterCachingFactory(IClock clock, IEnvironmentVariableProvider environmentVariableProvider)
+        public OidcCallbackAdapterCachingFactory(
+            IClock clock,
+            IEnvironmentVariableProvider environmentVariableProvider,
+            IFileSystemProvider fileSystemProvider)
         {
-            _clock = clock;
-            _environmentVariableProvider = environmentVariableProvider;
+            _clock = Ensure.IsNotNull(clock, nameof(clock));
+            _environmentVariableProvider = Ensure.IsNotNull(environmentVariableProvider, nameof(environmentVariableProvider));
+            _fileSystemProvider = Ensure.IsNotNull(fileSystemProvider, nameof(fileSystemProvider));
         }
 
         public IOidcCallbackAdapter Get(OidcConfiguration configuration)
@@ -54,7 +59,15 @@ private IOidcCallbackAdapter CreateCallbackAdapter(OidcConfiguration configurati
                 {
                     "azure" => new AzureOidcCallback(configuration.TokenResource),
                     "gcp" => new GcpOidcCallback(configuration.TokenResource),
-                    "test" => FileOidcCallback.CreateFromEnvironmentVariable("OIDC_TOKEN_FILE", _environmentVariableProvider),
+                    "test" => FileOidcCallback.CreateFromEnvironmentVariable(
+                        _environmentVariableProvider,
+                        _fileSystemProvider,
+                        ["OIDC_TOKEN_FILE"]),
+                    "k8s" => FileOidcCallback.CreateFromEnvironmentVariable(
+                        _environmentVariableProvider,
+                        _fileSystemProvider,
+                        ["AZURE_FEDERATED_TOKEN_FILE", "AWS_WEB_IDENTITY_TOKEN_FILE"],
+                        "/var/run/secrets/kubernetes.io/serviceaccount/token"),
                     _ => throw new NotSupportedException($"Non supported {OidcConfiguration.EnvironmentMechanismPropertyName} value: {configuration.Environment}")
                 };
             }

src/MongoDB.Driver/Authentication/Oidc/OidcConfiguration.cs

@@ -27,7 +27,7 @@ internal sealed class OidcConfiguration
         public const string EnvironmentMechanismPropertyName = "ENVIRONMENT";
         public const string TokenResourceMechanismPropertyName = "TOKEN_RESOURCE";
 
-        private static readonly ISet<string> __supportedEnvironments = new HashSet<string> { "test", "azure", "gcp" };
+        private static readonly ISet<string> __supportedEnvironments = new HashSet<string> { "test", "azure", "gcp", "k8s" };
         private readonly int _hashCode;
 
         public OidcConfiguration(

src/MongoDB.Driver/Authentication/Oidc/OidcSaslMechanism.cs

@@ -25,21 +25,7 @@ internal sealed class OidcSaslMechanism : ISaslMechanism
         public const string MechanismName = "MONGODB-OIDC";
 
         public static OidcSaslMechanism Create(SaslContext context)
-            => Create(context, SystemClock.Instance, EnvironmentVariableProvider.Instance);
-
-        public static OidcSaslMechanism Create(SaslContext context, IClock clock, IEnvironmentVariableProvider environmentVariableProvider)
-        {
-            Ensure.IsNotNull(clock, nameof(clock));
-            Ensure.IsNotNull(environmentVariableProvider, nameof(environmentVariableProvider));
-
-            var callbackAdapterFactory = OidcCallbackAdapterCachingFactory.Instance;
-            if (clock != SystemClock.Instance || environmentVariableProvider != EnvironmentVariableProvider.Instance)
-            {
-                callbackAdapterFactory = new OidcCallbackAdapterCachingFactory(clock, environmentVariableProvider);
-            }
-
-            return Create(context, callbackAdapterFactory);
-        }
+            => Create(context, OidcCallbackAdapterCachingFactory.Instance);
 
         public static OidcSaslMechanism Create(
             SaslContext context,

src/MongoDB.Driver/Core/Misc/FileWrapper.cs

@@ -14,6 +14,7 @@
  */
 
 using System.IO;
+using System.Threading.Tasks;
 
 namespace MongoDB.Driver.Core.Misc
 {
@@ -22,14 +23,27 @@ namespace MongoDB.Driver.Core.Misc
     /// </summary>
     internal interface IFile
     {
-        bool Exists(string name);
+        bool Exists(string path);
+
+        string ReadAllText(string path);
+
+        Task<string> ReadAllTextAsync(string path);
     }
 
     internal sealed class FileWrapper : IFile
     {
-        public bool Exists(string name)
+        public bool Exists(string path) => File.Exists(path);
+
+        public string ReadAllText(string path)
+        {
+            using var streamReader = new StreamReader(path, System.Text.Encoding.UTF8, detectEncodingFromByteOrderMarks: true);
+            return streamReader.ReadToEnd();
+        }
+
+        public async Task<string> ReadAllTextAsync(string path)
         {
-            return File.Exists(name);
+            using var streamReader = new StreamReader(path, System.Text.Encoding.UTF8, detectEncodingFromByteOrderMarks: true);
+            return await streamReader.ReadToEndAsync().ConfigureAwait(false);
         }
     }
 }