ALLOWED_HOSTS validation, 1 minute machine timeout

katcharov · katcharov · commit 03e22f0278b1 · 2024-05-03T15:58:55.000-06:00
diff --git a/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java b/driver-core/src/main/com/mongodb/internal/connection/OidcAuthenticator.java
@@ -85,7 +85,8 @@ public final class OidcAuthenticator extends SaslAuthenticator {
     private static final List<String> ALLOWS_USERNAME = Arrays.asList(
             AZURE_ENVIRONMENT);
 
-    private static final Duration CALLBACK_TIMEOUT = Duration.ofMinutes(5);
+    private static final Duration CALLBACK_TIMEOUT = Duration.ofMinutes(1);
+    private static final Duration HUMAN_CALLBACK_TIMEOUT = Duration.ofMinutes(5);
 
     public static final String OIDC_TOKEN_FILE = "OIDC_TOKEN_FILE";
 
@@ -112,6 +113,10 @@ public OidcAuthenticator(final MongoCredentialWithCache credential,
         }
     }
 
+    private Duration getCallbackTimeout() {
+        return isHumanCallback() ? HUMAN_CALLBACK_TIMEOUT : CALLBACK_TIMEOUT;
+    }
+
     @Override
     public String getMechanismName() {
         return MONGODB_OIDC.getMechanismName();
@@ -306,7 +311,7 @@ private byte[] evaluate(final byte[] challenge) {
                 // Invoke Callback using cached Refresh Token
                 fallbackState = FallbackState.PHASE_2_REFRESH_CALLBACK_TOKEN;
                 OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                        CALLBACK_TIMEOUT, cachedIdpInfo, cachedRefreshToken, userName));
+                        getCallbackTimeout(), cachedIdpInfo, cachedRefreshToken, userName));
                 jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(cachedIdpInfo, result);
             } else {
                 // cache is empty
@@ -315,7 +320,7 @@ private byte[] evaluate(final byte[] challenge) {
                     // no principal request
                     fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                     OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                            CALLBACK_TIMEOUT, userName));
+                            getCallbackTimeout(), userName));
                     jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(null, result);
                     if (result.getRefreshToken() != null) {
                         throw new MongoConfigurationException(
@@ -345,7 +350,7 @@ private byte[] evaluate(final byte[] challenge) {
                         // there is no cached refresh token
                         fallbackState = FallbackState.PHASE_3B_CALLBACK_TOKEN;
                         OidcCallbackResult result = requestCallback.onRequest(new OidcCallbackContextImpl(
-                                CALLBACK_TIMEOUT, idpInfo, null, userName));
+                                getCallbackTimeout(), idpInfo, null, userName));
                         jwt[0] = populateCacheWithCallbackResultAndPrepareJwt(idpInfo, result);
                     }
                 }
@@ -606,6 +611,11 @@ public static void validateBeforeUse(final MongoCredential credential) {
             Object environmentName = credential.getMechanismProperty(ENVIRONMENT_KEY, null);
             Object machineCallback = credential.getMechanismProperty(OIDC_CALLBACK_KEY, null);
             Object humanCallback = credential.getMechanismProperty(OIDC_HUMAN_CALLBACK_KEY, null);
+            boolean allowedHostsIsSet = credential.getMechanismProperty(ALLOWED_HOSTS_KEY, null) != null;
+            if (humanCallback == null && allowedHostsIsSet) {
+                throw new IllegalArgumentException(ALLOWED_HOSTS_KEY + " must be specified only when "
+                        + OIDC_HUMAN_CALLBACK_KEY + " is specified");
+            }
             if (environmentName == null) {
                 // callback
                 if (machineCallback == null && humanCallback == null) {
diff --git a/driver-core/src/test/resources/unified-test-format/auth/mongodb-oidc-no-retry.json b/driver-core/src/test/resources/unified-test-format/auth/mongodb-oidc-no-retry.json
@@ -5,7 +5,8 @@
     {
       "minServerVersion": "7.0",
       "auth": true,
-      "authMechanism": "MONGODB-OIDC"
+      "authMechanism": "MONGODB-OIDC",
+      "serverless": "forbid"
     }
   ],
   "createEntities": [
diff --git a/driver-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java b/driver-sync/src/test/functional/com/mongodb/internal/connection/OidcAuthenticationProseTests.java
@@ -96,15 +96,15 @@ private void assumeTestEnvironment() {
     }
 
     protected static String getOidcUri() {
-        return getenv("MONGODB_URI_SINGLE");
+        return assertNotNull(getenv("MONGODB_URI_SINGLE"));
     }
 
     private static String getOidcUriMulti() {
-        return getenv("MONGODB_URI_MULTI");
+        return assertNotNull(getenv("MONGODB_URI_MULTI"));
     }
 
     private static String getOidcEnv() {
-        return getenv("OIDC_ENV");
+        return assertNotNull(getenv("OIDC_ENV"));
     }
 
     private static void assumeAzure() {
@@ -179,13 +179,13 @@ public void test1p2CallbackCalledOnceForMultipleConnections() {
 
     @Test
     public void test2p1ValidCallbackInputs() {
-        Duration expectedSeconds = Duration.ofMinutes(5);
+        Duration expectedTimeoutDuration = Duration.ofMinutes(1);
 
         TestCallback callback1 = createCallback();
         // #. Verify that the request callback was called with the appropriate
         //    inputs, including the timeout parameter if possible.
         OidcCallback callback2 = (context) -> {
-            assertEquals(expectedSeconds, context.getTimeout());
+            assertEquals(expectedTimeoutDuration, context.getTimeout());
             return callback1.onRequest(context);
         };
         MongoClientSettings clientSettings = createSettings(callback2);
@@ -232,6 +232,28 @@ public void test2p4InvalidClientConfigurationWithCallback() {
                 () -> performFind(settings));
     }
 
+    @Test
+    public void test2p5InvalidAllowedHosts() {
+        //String uri = getOidcUri() + "&authMechanismProperties=ENVIRONMENT:" + getOidcEnv();
+        String uri = "mongodb://localhost/?authMechanism=MONGODB-OIDC&&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:123";
+        ConnectionString cs = new ConnectionString(uri);
+        MongoCredential credential = assertNotNull(cs.getCredential())
+                .withMechanismProperty("ALLOWED_HOSTS", Collections.emptyList());
+        MongoClientSettings settings = MongoClientSettings.builder()
+                .applicationName(appName)
+                .applyConnectionString(cs)
+                .retryReads(false)
+                .credential(credential)
+                .build();
+        assertCause(IllegalArgumentException.class,
+                "ALLOWED_HOSTS must not be specified only when OIDC_HUMAN_CALLBACK is specified",
+                () -> {
+                    try (MongoClient mongoClient = createMongoClient(settings)) {
+                        performFind(mongoClient);
+                    }
+                });
+    }
+
     @Test
     public void test3p1AuthFailsWithCachedToken() throws ExecutionException, InterruptedException, NoSuchFieldException, IllegalAccessException {
         TestCallback callbackWrapped = createCallback();

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,8 @@`
`5`	`5`	`{`
`6`	`6`	`"minServerVersion": "7.0",`
`7`	`7`	`"auth": true,`
`8`		`- "authMechanism": "MONGODB-OIDC"`
	`8`	`+ "authMechanism": "MONGODB-OIDC",`
	`9`	`+ "serverless": "forbid"`
`9`	`10`	`}`
`10`	`11`	`],`
`11`	`12`	`"createEntities": [`