From a93743f64e6b1f279ced53ccd766e1042b23db96 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 15 Nov 2023 11:29:41 -0600 Subject: [PATCH] DRIVERS-2416 Add support for a second Azure client (#360) * DRIVERS-2416 Add second Azure resource * skip legacy shell * cleanup * cleanup * try with two client_ids * debug * remove debug * use a closure for client_id --- .../auth_oidc/azure/create-and-setup-vm.sh | 26 ++++++++++++++----- .evergreen/auth_oidc/azure/handle_secrets.py | 8 +++--- .evergreen/auth_oidc/azure/start-mongodb.sh | 5 +--- .evergreen/auth_oidc/azure/test.py | 19 +++++++++++--- .../auth_oidc/oidc_write_orchestration.py | 3 +-- 5 files changed, 42 insertions(+), 19 deletions(-) diff --git a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh index a6a89e90..37ea31ec 100755 --- a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh +++ b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh @@ -3,6 +3,8 @@ set -o errexit set -o pipefail set -o nounset +AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-$DRIVERS_TOOLS} + if [ -z "${AZUREOIDC_VMNAME_PREFIX:-}" ] || \ [ -z "${AZUREOIDC_CLIENTID:-}" ] || \ [ -z "${AZUREOIDC_TENANTID:-}" ] || \ @@ -57,8 +59,8 @@ export AZUREKMS_VMNAME="$AZUREOIDC_VMNAME" # Update expansions and env viles. echo "AZUREOIDC_VMNAME: $AZUREOIDC_VMNAME" > testazureoidc-expansions.yml -echo "AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH -echo "AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH +echo "export AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH +echo "export AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH # Install dependencies. AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/csfle/azurekms/remote-scripts/setup-azure-vm.sh" \ 
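Review bot: The new default `AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-$DRIVERS_TOOLS}` sits directly under `set -o nounset`, so when neither variable is exported the script dies with bash's generic unbound-variable message instead of reaching the explicit input check that follows it. Writing it as `AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-${DRIVERS_TOOLS:-}}` and adding `[ -z "${AZUREOIDC_DRIVERS_TOOLS:-}" ] || \` to the `if` chain below keeps the failure mode consistent with the other required settings. The `if` chain itself continues past the end of the hunk.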
@@ -72,11 +74,23 @@ AZUREKMS_SRC=$AZUREOIDC_ENVPATH \ AZUREKMS_DST="./" \ "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh +# Push Drivers Evergreen Tools onto the VM +TARFILE=/tmp/drivers-evergreen-tools.tgz +pushd $AZUREOIDC_DRIVERS_TOOLS +git archive --format=tar.gz -o $TARFILE --prefix=drivers-evergreen-tools/ HEAD +TARFILE_BASE=$(basename ${TARFILE}) +AZUREKMS_SRC=${TARFILE} \ + AZUREKMS_DST="~/" \ + $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh +echo "Copying files ... end" +echo "Untarring file ... begin" +AZUREKMS_CMD="tar xf ${TARFILE_BASE}" \ + $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh +echo "Untarring file ... end" +popd + # Start mongodb. -AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/auth_oidc/azure/start-mongodb.sh" \ -AZUREKMS_DST="./" \ - "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh -AZUREKMS_CMD="./start-mongodb.sh" \ +AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/start-mongodb.sh" \ "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh # Run the self-test diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py index a1884ccb..10a85380 100644 --- a/.evergreen/auth_oidc/azure/handle_secrets.py +++ b/.evergreen/auth_oidc/azure/handle_secrets.py @@ -25,7 +25,8 @@ def main(): client = SecretClient(vault_url=vault_uri, credential=credential) secrets = dict() - for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY']: + for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY', + 'TOKENCLIENT2', 'IDENTITY2']: retrieved = client.get_secret(secret) secrets[secret] = retrieved.value 
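Review bot: The archive is written to the fixed path `TARFILE=/tmp/drivers-evergreen-tools.tgz` in the shared temp directory, so a pre-existing file or symlink of that name owned by another user on the build host is followed and overwritten by `git archive -o` and then shipped by the copy; `TARFILE=$(mktemp /tmp/drivers-evergreen-tools.XXXXXX)` (tar autodetects the compression, so the suffix is not needed) together with `trap 'rm -f "$TARFILE"' EXIT`, unless the script already traps EXIT, removes the predictable name and cleans up afterwards. The two helper calls in this block use `$DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh` and `$DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh` while every other line in the script uses `"$AZUREOIDC_DRIVERS_TOOLS"`, which means they abort under `set -o nounset` whenever only `AZUREOIDC_DRIVERS_TOOLS` is exported; both should use the quoted `"$AZUREOIDC_DRIVERS_TOOLS"` form, as should `pushd`. Note also that `git archive ... HEAD` packs only committed content, so local uncommitted edits to these scripts are not what runs on the VM — presumably intended for CI, but a one-line comment saying so would save a debugging round.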
@@ -33,11 +34,12 @@ def main(): fid.write(f'export AZUREOIDC_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n') fid.write(f'export AZUREKMS_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n') fid.write(f'export AZUREOIDC_TOKENCLIENT={secrets["TOKENCLIENT"]}\n') + fid.write(f'export AZUREOIDC_TOKENCLIENT2={secrets["TOKENCLIENT2"]}\n') fid.write(f'export AZUREOIDC_AUTHCLAIM={secrets["AUTHCLAIM"]}\n') fid.write(f'export AZUREOIDC_CLIENTID={client_id}\n') fid.write(f'export AZUREOIDC_TENANTID={tenant_id}\n') fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n') - fid.write(f'export AZUREKMS_IDENTITY={secrets["IDENTITY"]}\n') + fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]} {secrets["IDENTITY2"]}"\n') if os.path.exists(private_key_file): os.remove(private_key_file) @@ -56,4 +58,4 @@ def main(): if __name__ == '__main__': - main() \ No newline at end of file + main() diff --git a/.evergreen/auth_oidc/azure/start-mongodb.sh b/.evergreen/auth_oidc/azure/start-mongodb.sh index 655bb434..92c06d37 100755 --- a/.evergreen/auth_oidc/azure/start-mongodb.sh +++ b/.evergreen/auth_oidc/azure/start-mongodb.sh @@ -12,12 +12,9 @@ export ORCHESTRATION_FILE=auth-oidc.json export DRIVERS_TOOLS=$HOME/drivers-evergreen-tools export PROJECT_ORCHESTRATION_HOME=$DRIVERS_TOOLS/.evergreen/orchestration export MONGO_ORCHESTRATION_HOME=$HOME +export SKIP_LEGACY_SHELL=true export NO_IPV6=${NO_IPV6:-""} -if [ ! -d $DRIVERS_TOOLS ]; then - git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS -fi - cd $DRIVERS_TOOLS/.evergreen/auth_oidc . ./activate-authoidcvenv.sh python oidc_write_orchestration.py --azure diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py index d76e6a0e..52facfa2 100644 --- a/.evergreen/auth_oidc/azure/test.py +++ b/.evergreen/auth_oidc/azure/test.py @@ -1,4 +1,5 @@ from pymongo import MongoClient +from functools import partial import os import json from urllib.request import urlopen, Request 
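Review bot: The new `AZUREKMS_IDENTITY` line is the only export whose value is double-quoted, and only because the two identities are joined with a space; every other secret is still written unquoted, so a value containing whitespace or shell metacharacters would be split or interpreted when the file is sourced. Quoting every value through `shlex.quote` keeps the file safe to source regardless of content, e.g. `fid.write(f'export AZUREKMS_IDENTITY={shlex.quote(secrets["IDENTITY"] + " " + secrets["IDENTITY2"])}\n')` with `import shlex` added at the top of the file. Since the consumer of `AZUREKMS_IDENTITY` is outside this diff, it is worth confirming that it splits the space-separated pair rather than passing `"$AZUREKMS_IDENTITY"` on as a single argument. The enclosing `main()` starts and ends outside this hunk.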
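Review bot: With the `git clone` fallback removed, `start-mongodb.sh` now silently assumes `$HOME/drivers-evergreen-tools` was unpacked by the provisioning step, and a missing tree only surfaces as the unquoted `cd $DRIVERS_TOOLS/.evergreen/auth_oidc` failing under `errexit` with no hint of why. A short guard makes the dependency explicit: `[ -d "$DRIVERS_TOOLS" ] || { echo "DRIVERS_TOOLS not found at $DRIVERS_TOOLS; run create-and-setup-vm.sh first" >&2; exit 1; }`. Dropping the on-VM clone is otherwise a good change, since the VM now runs the same committed tree that was archived rather than whatever the upstream default branch holds at that moment; a comment on the `export DRIVERS_TOOLS=` line noting that the tree is delivered by `create-and-setup-vm.sh` would make that contract visible.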
@@ -9,10 +10,11 @@ app_id = os.environ['AZUREOIDC_CLIENTID'] -def callback(client_info, server_info): +def callback(client_id, client_info, server_info): url = "http://169.254.169.254/metadata/identity/oauth2/token" url += "?api-version=2018-02-01" url += f"&resource=api://{app_id}" + url += f"&client_id={client_id}" headers = { "Metadata": "true", "Accept": "application/json" } request = Request(url, headers=headers) try: @@ -39,10 +41,19 @@ def callback(client_info, server_info): raise ValueError(msg) return dict(access_token=data['access_token']) +props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT']))) +print('Testing MONGODB-OIDC on azure...') +print('Testing resource 1...') +c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props) +c.test.test.insert_one({}) +c.close() +print('Testing resource 1... done.') -props = dict(request_token_callback=callback) -print('Testing MONGODB-OIDC on azure') +print('Testing resource 2...') +props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT2']))) c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props) c.test.test.find_one({}) c.close() -print('Self test complete!') \ No newline at end of file +print('Testing resource 2... done.') +print('Testing MONGODB-OIDC on azure... done.') +print('Self test complete!') diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py index 8f3415cf..921f882f 100644 --- a/.evergreen/auth_oidc/oidc_write_orchestration.py +++ b/.evergreen/auth_oidc/oidc_write_orchestration.py @@ -26,8 +26,7 @@ def azure(): "issuer": f"https://sts.windows.net/{tenant_id}/", "clientId": client_id, "audience": f"api://{app_id}", - "authorizationClaim": "groups", - + "authorizationClaim": "groups" } providers = json.dumps([provider_info], separators=(',',':'))
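Review bot: The added `url += f"&client_id={client_id}"` interpolates the value straight into the query string, as the existing `resource=api://{app_id}` line already does, so a value with reserved characters would produce a malformed request to the metadata endpoint instead of a clear error. Building the query with `urllib.parse.urlencode({"api-version": "2018-02-01", "resource": f"api://{app_id}", "client_id": client_id})` and appending `"?" + query` to the base URL keeps both parameters encoded correctly. `callback` continues past the end of this hunk; its new first parameter should be documented with a docstring line such as `"""Request an access token from the Azure instance-metadata endpoint for *client_id*, scoped to api://{app_id}."""`.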
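Review bot: Both `props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT'])))` lines call `callback` immediately with a single positional argument, which raises `TypeError` for the two missing positional parameters at import time, before any `MongoClient` is constructed; the callable must be handed to `partial`, not its result: `partial(callback, os.environ['AZUREOIDC_TOKENCLIENT'])` for resource 1 and `partial(callback, os.environ['AZUREOIDC_TOKENCLIENT2'])` for resource 2. The two connect/operate/close sequences are otherwise identical apart from the token client and the operation, so a small helper taking those two as arguments would keep the self-test from drifting as further resources are added.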