Merge branch 'master' of github.com:mongodb/mongo-python-driver

Author: blink1073

doc/changelog.rst

@@ -6,18 +6,26 @@ Changes in Version 4.7
 
 PyMongo 4.7 brings a number of improvements including:
 
-- Added the :class:`pymongo.hello.Hello.connection_id`,
-  :attr:`pymongo.monitoring.CommandStartedEvent.server_connection_id`,
-  :attr:`pymongo.monitoring.CommandSucceededEvent.server_connection_id`, and
-  :attr:`pymongo.monitoring.CommandFailedEvent.server_connection_id` properties.
-- Fixed a bug where inflating a :class:`~bson.raw_bson.RawBSONDocument` containing a :class:`~bson.code.Code` would cause an error.
+- Added support for ``MONGODB-OIDC`` authentication.  The MONGODB-OIDC mechanism authenticates
+  using an OpenID Connect (OIDC) access token.
+  The driver supports OIDC for workload identity, defined as an identity you assign to a software workload
+  (such as an application, service, script, or container) to authenticate and access other services and resources.
+  Please see :doc:`examples/authentication` for more information.
+- Added support for Python's `native logging library <https://docs.python.org/3/howto/logging.html>`_,
+  enabling developers to customize the verbosity of log messages for their applications.
+  Please see :doc:`examples/logging` for more information.
 - Significantly improved the performance of encoding BSON documents to JSON.
-- Support for named KMS providers for client side field level encryption.
+- Added support for named KMS providers for client side field level encryption.
   Previously supported KMS providers were only: aws, azure, gcp, kmip, and local.
   The KMS provider is now expanded to support name suffixes (e.g. local:myname).
   Named KMS providers enables more than one of each KMS provider type to be configured.
   See the docstring for :class:`~pymongo.encryption_options.AutoEncryptionOpts`.
   Note that named KMS providers requires pymongocrypt >=1.9 and libmongocrypt >=1.9.
+- Added the :class:`pymongo.hello.Hello.connection_id`,
+  :attr:`pymongo.monitoring.CommandStartedEvent.server_connection_id`,
+  :attr:`pymongo.monitoring.CommandSucceededEvent.server_connection_id`, and
+  :attr:`pymongo.monitoring.CommandFailedEvent.server_connection_id` properties.
+- Fixed a bug where inflating a :class:`~bson.raw_bson.RawBSONDocument` containing a :class:`~bson.code.Code` would cause an error.
 - :meth:`~pymongo.encryption.ClientEncryption.encrypt` and
   :meth:`~pymongo.encryption.ClientEncryption.encrypt_expression` now allow ``key_id``
   to be passed in as a :class:`uuid.UUID`.

doc/examples/authentication.rst

@@ -455,32 +455,6 @@ Custom Callbacks
 For environments that are not directly supported by the driver, you can use :class:`~pymongo.auth_oidc.OIDCCallback`.
 Some examples are given below.
 
-AWS EKS
-^^^^^^^
-
-For an EKS Cluster with a configured `IAM OIDC provider`_, the token can be read from a path given by
-the ``AWS_WEB_IDENTITY_TOKEN_FILE`` environment variable.
-
-.. code-block:: python
-
-    import os
-    from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult
-
-
-    class MyCallback(OIDCCallback):
-        def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
-            with open(os.environ["AWS_WEB_IDENTITY_TOKEN_FILE"]) as fid:
-                token = fid.read()
-            return OIDCCallbackResult(access_token=token)
-
-
-    uri = os.environ["MONGODB_URI"]
-    props = {"OIDC_CALLBACK": MyCallback()}
-    c = MongoClient(uri, authMechanism="MONGODB-OIDC", authMechanismProperties=props)
-    c.test.test.insert_one({})
-    c.close()
-
-
 Other Azure Environments
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -510,7 +484,7 @@ managed identity.
 
 
   props = {"OIDC_CALLBACK": MyCallback()}
-  c = MongoClient(uri, authMechanismProperties=props)
+  c = MongoClient(uri, authMechanism="MONGODB-OIDC", authMechanismProperties=props)
   c.test.test.insert_one({})
   c.close()
 
@@ -543,6 +517,5 @@ service account token file location.
 .. _Azure Internal Metadata Service: https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service
 .. _configured on your MongoDB deployment: https://www.mongodb.com/docs/manual/reference/parameters/#mongodb-parameter-param.oidcIdentityProviders
 .. _GCP Internal Metadata Service: https://cloud.google.com/compute/docs/metadata/querying-metadata
-.. _IAM OIDC provider: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
 .. _azure-identity package: https://pypi.org/project/azure-identity/
 .. _configured service account: https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts

pymongo/_gcp_helpers.py

@@ -22,7 +22,7 @@
 def _get_gcp_response(resource: str, timeout: float = 5) -> dict[str, Any]:
     url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity"
     url += f"?audience={resource}"
-    headers = {"Metadata-Flavor": "Google", "Accept": "application/json"}
+    headers = {"Metadata-Flavor": "Google"}
     request = Request(url, headers=headers)  # noqa: S310
     try:
         with urlopen(request, timeout=timeout) as response:  # noqa: S310

pymongo/_version.py

@@ -17,7 +17,7 @@
 
 from typing import Tuple, Union
 
-version_tuple: Tuple[Union[int, str], ...] = (4, 7, 0, ".dev0")
+version_tuple: Tuple[Union[int, str], ...] = (4, 8, 0, '.dev0')
 
 
 def get_version_string() -> str:

pymongo/auth.py

@@ -33,7 +33,7 @@
     Optional,
     cast,
 )
-from urllib.parse import quote
+from urllib.parse import quote, unquote
 
 from bson.binary import Binary
 from pymongo.auth_aws import _authenticate_aws
@@ -173,6 +173,8 @@ def _build_credentials_tuple(
         human_callback = properties.get("OIDC_HUMAN_CALLBACK")
         environ = properties.get("ENVIRONMENT")
         token_resource = properties.get("TOKEN_RESOURCE", "")
+        if unquote(token_resource) == token_resource:
+            token_resource = quote(token_resource)
         default_allowed = [
             "*.mongodb.net",
             "*.mongodb-dev.net",

test/auth/legacy/connection-string.json

@@ -539,6 +539,36 @@
         }
       }
     },
+    {
+      "description": "should accept a url-encoded TOKEN_RESOURCE (MONGODB-OIDC)",
+      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:mongodb%253A//test-cluster",
+      "valid": true,
+      "credential": {
+        "username": "user",
+        "password": null,
+        "source": "$external",
+        "mechanism": "MONGODB-OIDC",
+        "mechanism_properties": {
+          "ENVIRONMENT": "azure",
+          "TOKEN_RESOURCE": "mongodb%253A//test-cluster"
+        }
+      }
+    },
+    {
+      "description": "should url-encode a TOKEN_RESOURCE (MONGODB-OIDC)",
+      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:a$b",
+      "valid": true,
+      "credential": {
+        "username": "user",
+        "password": null,
+        "source": "$external",
+        "mechanism": "MONGODB-OIDC",
+        "mechanism_properties": {
+          "ENVIRONMENT": "azure",
+          "TOKEN_RESOURCE": "a%24b"
+        }
+      }
+    },
     {
       "description": "should accept a username and throw an error for a password with azure provider (MONGODB-OIDC)",
       "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:foo",