DRIVERS-2416 Add support for a second Azure client (#360)

* DRIVERS-2416 Add second Azure resource * skip legacy shell * cleanup * cleanup * try with two client_ids * debug * remove debug * use a closure for client_id
mongodb-labs · Nov 15, 2023 · a93743f · a93743f
1 parent 5da5037
commit a93743f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 19 deletions.
diff --git a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
@@ -3,6 +3,8 @@ set -o errexit
 set -o pipefail
 set -o nounset
 
+AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-$DRIVERS_TOOLS}
+
 if [ -z "${AZUREOIDC_VMNAME_PREFIX:-}" ] || \
    [ -z "${AZUREOIDC_CLIENTID:-}" ] || \
    [ -z "${AZUREOIDC_TENANTID:-}" ] || \
@@ -57,8 +59,8 @@ export AZUREKMS_VMNAME="$AZUREOIDC_VMNAME"
 
 # Update expansions and env viles.
 echo "AZUREOIDC_VMNAME: $AZUREOIDC_VMNAME" > testazureoidc-expansions.yml
-echo "AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH
-echo "AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH
+echo "export AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH
+echo "export AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH
 
 # Install dependencies.
 AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/csfle/azurekms/remote-scripts/setup-azure-vm.sh" \
@@ -72,11 +74,23 @@ AZUREKMS_SRC=$AZUREOIDC_ENVPATH \
 AZUREKMS_DST="./" \
     "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
 
+# Push Drivers Evergreen Tools onto the VM
+TARFILE=/tmp/drivers-evergreen-tools.tgz
+pushd $AZUREOIDC_DRIVERS_TOOLS
+git archive --format=tar.gz -o $TARFILE --prefix=drivers-evergreen-tools/ HEAD
+TARFILE_BASE=$(basename ${TARFILE})
+AZUREKMS_SRC=${TARFILE} \
+    AZUREKMS_DST="~/" \
+    $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh
+echo "Copying files ... end"
+echo "Untarring file ... begin"
+AZUREKMS_CMD="tar xf ${TARFILE_BASE}" \
+  $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh
+echo "Untarring file ... end"
+popd
+
 # Start mongodb.
-AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/auth_oidc/azure/start-mongodb.sh" \
-AZUREKMS_DST="./" \
-    "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
-AZUREKMS_CMD="./start-mongodb.sh" \
+AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/start-mongodb.sh" \
     "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
 
 # Run the self-test

diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py
@@ -25,19 +25,21 @@ def main():
     client = SecretClient(vault_url=vault_uri, credential=credential)
 
     secrets = dict()
-    for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY']:
+    for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY',
+                   'TOKENCLIENT2', 'IDENTITY2']:
         retrieved = client.get_secret(secret)
         secrets[secret] = retrieved.value
 
     with open(env_file, 'w') as fid:
         fid.write(f'export AZUREOIDC_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
         fid.write(f'export AZUREKMS_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
         fid.write(f'export AZUREOIDC_TOKENCLIENT={secrets["TOKENCLIENT"]}\n')
+        fid.write(f'export AZUREOIDC_TOKENCLIENT2={secrets["TOKENCLIENT2"]}\n')
         fid.write(f'export AZUREOIDC_AUTHCLAIM={secrets["AUTHCLAIM"]}\n')
         fid.write(f'export AZUREOIDC_CLIENTID={client_id}\n')
         fid.write(f'export AZUREOIDC_TENANTID={tenant_id}\n')
         fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n')
-        fid.write(f'export AZUREKMS_IDENTITY={secrets["IDENTITY"]}\n')
+        fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]} {secrets["IDENTITY2"]}"\n')
 
     if os.path.exists(private_key_file):
         os.remove(private_key_file)
@@ -56,4 +58,4 @@ def main():
 
 
 if __name__ == '__main__':
-    main()
+    main()
diff --git a/.evergreen/auth_oidc/azure/start-mongodb.sh b/.evergreen/auth_oidc/azure/start-mongodb.sh
@@ -12,12 +12,9 @@ export ORCHESTRATION_FILE=auth-oidc.json
 export DRIVERS_TOOLS=$HOME/drivers-evergreen-tools
 export PROJECT_ORCHESTRATION_HOME=$DRIVERS_TOOLS/.evergreen/orchestration
 export MONGO_ORCHESTRATION_HOME=$HOME
+export SKIP_LEGACY_SHELL=true
 export NO_IPV6=${NO_IPV6:-""}
 
-if [ ! -d $DRIVERS_TOOLS ]; then
-    git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS
-fi
-
 cd $DRIVERS_TOOLS/.evergreen/auth_oidc
 . ./activate-authoidcvenv.sh
 python oidc_write_orchestration.py --azure

diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
@@ -1,4 +1,5 @@
 from pymongo import MongoClient
+from functools import partial
 import os
 import json
 from urllib.request import urlopen, Request
@@ -9,10 +10,11 @@
 
 app_id = os.environ['AZUREOIDC_CLIENTID']
 
-def callback(client_info, server_info):
+def callback(client_id, client_info, server_info):
     url = "http://169.254.169.254/metadata/identity/oauth2/token"
     url += "?api-version=2018-02-01"
     url += f"&resource=api://{app_id}"
+    url += f"&client_id={client_id}"
     headers = { "Metadata": "true", "Accept": "application/json" }
     request = Request(url, headers=headers)
     try:
@@ -39,10 +41,19 @@ def callback(client_info, server_info):
             raise ValueError(msg)
     return dict(access_token=data['access_token'])
 
+props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT'])))
+print('Testing MONGODB-OIDC on azure...')
+print('Testing resource 1...')
+c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
+c.test.test.insert_one({})
+c.close()
+print('Testing resource 1... done.')
 
-props = dict(request_token_callback=callback)
-print('Testing MONGODB-OIDC on azure')
+print('Testing resource 2...')
+props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT2'])))
 c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
 c.test.test.find_one({})
 c.close()
-print('Self test complete!')
+print('Testing resource 2... done.')
+print('Testing MONGODB-OIDC on azure... done.')
+print('Self test complete!')
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
@@ -26,8 +26,7 @@ def azure():
         "issuer": f"https://sts.windows.net/{tenant_id}/",
         "clientId": client_id,
         "audience": f"api://{app_id}",
-        "authorizationClaim": "groups",
-
+        "authorizationClaim": "groups"
     }
     providers = json.dumps([provider_info], separators=(',',':'))