chore(e2e-tests): add workload OIDC test MONGOSH-1832 (#2283)

addaleax · web-flow · commit e422e02fa071 · 2024-12-04T13:01:20.000+01:00
Now that the driver has support for the Kubernetes OIDC workload
integration, it's quite easy to add a test for OIDC workload
usage with mongosh.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/e2e-tests/package.json b/packages/e2e-tests/package.json
@@ -29,6 +29,7 @@
   "dependencies": {
     "@mongosh/cli-repl": "0.0.0-dev.0",
     "@mongosh/service-provider-core": "0.0.0-dev.0",
+    "@mongodb-js/oidc-plugin": "^1.1.5",
     "strip-ansi": "^6.0.0"
   },
   "devDependencies": {
diff --git a/packages/e2e-tests/test/e2e-oidc.spec.ts b/packages/e2e-tests/test/e2e-oidc.spec.ts
@@ -16,6 +16,7 @@ import {
   commonOidcServerArgs,
   skipOIDCTestsDueToPlatformOrServerVersion,
 } from './oidc-helpers';
+import { createMongoDBOIDCPlugin } from '@mongodb-js/oidc-plugin';
 
 /**
  * @securityTest OIDC Authentication End-to-End Tests
@@ -528,4 +529,43 @@ describe('OIDC auth e2e', function () {
     shell.assertContainsOutput('"lastServerIdPInfo":');
     shell.assertContainsOutput(/"refreshToken": "(?!debugid:)/);
   });
+
+  it('can successfully authenticate using workload OIDC', async function () {
+    // Get a token from the OIDC server, store it to disk, then pass that to mongosh
+    const tokenFile = path.join(tmpdir.path, 'token');
+    let accessToken!: string;
+    const plugin = createMongoDBOIDCPlugin({
+      notifyDeviceFlow: () => {},
+      allowedFlows: ['device-auth'],
+    });
+    try {
+      ({ accessToken } =
+        await plugin.mongoClientOptions.authMechanismProperties.OIDC_HUMAN_CALLBACK(
+          {
+            version: 1,
+            idpInfo: { issuer: oidcMockProvider.issuer, clientId: 'workload' },
+          }
+        ));
+    } finally {
+      await plugin.destroy();
+    }
+    await fs.writeFile(tokenFile, accessToken);
+
+    shell = this.startTestShell({
+      args: [
+        await testServer.connectionString({
+          authMechanism: 'MONGODB-OIDC',
+          authMechanismProperties: 'ENVIRONMENT:k8s',
+        }),
+      ],
+      env: {
+        ...process.env,
+        AWS_WEB_IDENTITY_TOKEN_FILE: tokenFile,
+      },
+    });
+    await shell.waitForPrompt();
+
+    await verifyUser(shell, 'testuser', 'workload-group');
+    shell.assertNoErrors();
+  });
 });
