From e422e02fa07133cca6717022adcf6a1ed4b39c91 Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Wed, 4 Dec 2024 13:01:20 +0100
Subject: [PATCH] chore(e2e-tests): add workload OIDC test MONGOSH-1832 (#2283)
Now that the driver has support for the Kubernetes OIDC workload integration, it's quite easy to add a test for OIDC workload usage with mongosh.
---
 package-lock.json | 1 +
 packages/e2e-tests/package.json | 1 +
 packages/e2e-tests/test/e2e-oidc.spec.ts | 40 ++++++++++++++++++++++++
 3 files changed, 42 insertions(+)
diff --git a/package-lock.json b/package-lock.json
index e766e97ee..e007480ef 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -29291,6 +29291,7 @@
 "version": "0.0.0-dev.0",
 "license": "Apache-2.0",
 "dependencies": {
+ "@mongodb-js/oidc-plugin": "^1.1.5",
 "@mongosh/cli-repl": "0.0.0-dev.0",
 "@mongosh/service-provider-core": "0.0.0-dev.0",
 "strip-ansi": "^6.0.0"
diff --git a/packages/e2e-tests/package.json b/packages/e2e-tests/package.json
index 2e3ddce49..7f760695e 100644
--- a/packages/e2e-tests/package.json
+++ b/packages/e2e-tests/package.json
@@ -29,6 +29,7 @@
 "dependencies": {
 "@mongosh/cli-repl": "0.0.0-dev.0",
 "@mongosh/service-provider-core": "0.0.0-dev.0",
+ "@mongodb-js/oidc-plugin": "^1.1.5",
 "strip-ansi": "^6.0.0"
 },
 "devDependencies": {
diff --git a/packages/e2e-tests/test/e2e-oidc.spec.ts b/packages/e2e-tests/test/e2e-oidc.spec.ts
index ba464f882..50d2f5582 100644
--- a/packages/e2e-tests/test/e2e-oidc.spec.ts
+++ b/packages/e2e-tests/test/e2e-oidc.spec.ts
@@ -16,6 +16,7 @@ import {
 commonOidcServerArgs,
 skipOIDCTestsDueToPlatformOrServerVersion,
 } from './oidc-helpers';
+import { createMongoDBOIDCPlugin } from '@mongodb-js/oidc-plugin';

 /**
 * @securityTest OIDC Authentication End-to-End Tests
@@ -528,4 +529,43 @@ describe('OIDC auth e2e', function () {
 shell.assertContainsOutput('"lastServerIdPInfo":');
 shell.assertContainsOutput(/"refreshToken": "(?!debugid:)/);
 });
+
+ it('can successfully authenticate using workload OIDC', async function () {
+ // Get a token from the OIDC server, store it to disk, then pass that to mongosh
+ const tokenFile = path.join(tmpdir.path, 'token');
+ let accessToken!: string;
+ const plugin = createMongoDBOIDCPlugin({
+ notifyDeviceFlow: () => {},
+ allowedFlows: ['device-auth'],
+ });
+ try {
+ ({ accessToken } =
+ await plugin.mongoClientOptions.authMechanismProperties.OIDC_HUMAN_CALLBACK(
+ {
+ version: 1,
+ idpInfo: { issuer: oidcMockProvider.issuer, clientId: 'workload' },
+ }
+ ));
+ } finally {
+ await plugin.destroy();
+ }
+ await fs.writeFile(tokenFile, accessToken);
+
+ shell = this.startTestShell({
+ args: [
+ await testServer.connectionString({
+ authMechanism: 'MONGODB-OIDC',
+ authMechanismProperties: 'ENVIRONMENT:k8s',
+ }),
+ ],
+ env: {
+ ...process.env,
+ AWS_WEB_IDENTITY_TOKEN_FILE: tokenFile,
+ },
+ });
+ await shell.waitForPrompt();
+
+ await verifyUser(shell, 'testuser', 'workload-group');
+ shell.assertNoErrors();
+ });
 });
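Review bot: The bearer token is written with `fs.writeFile(tokenFile, accessToken)` and no explicit mode, so the file gets the process-default permissions inside `tmpdir.path`. It comes from the mock provider here, but a test that models a projected workload token should also model its handling: `await fs.writeFile(tokenFile, accessToken, { mode: 0o600 });`. Separately, the shell's `env` spreads `process.env`. If the driver's `ENVIRONMENT:k8s` lookup consults another token-file variable (for example `AZURE_FEDERATED_TOKEN_FILE`) ahead of `AWS_WEB_IDENTITY_TOKEN_FILE`, an inherited value on a CI host would make the shell read a different file; that is worth confirming, and clearing in the `env` object if so. The added `it` block is complete in this hunk; the enclosing `describe` starts outside it.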