Add oidc mongodb version specific validation (#160)

# Summary

This pull request introduces a new validation function to ensure OIDC
provider configurations have unique `IssuerURI` values or unique
`IssuerURI` + `Audience` combinations, depending on the MongoDB version.

### New Validation Logic for OIDC Provider Configurations:

* Added `oidcProviderConfigUniqueIssuerURIValidation` to enforce unique
`IssuerURI` values for MongoDB versions that do not support duplicate
issuers, and unique `IssuerURI` + `Audience` combinations for versions
that do. This ensures compatibility with MongoDB's documented behavior.

### Unit Tests for Validation:

* Added `TestOIDCProviderConfigUniqueIssuerURIValidation` to cover
various scenarios, including:
  - Duplicate `IssuerURI` values for MongoDB 6.0 (error).
- Unique and duplicate `IssuerURI` + `Audience` combinations for MongoDB
7.0, 7.3, and 8.0 (success or warning as applicable).
  - Handling of enterprise versions with the `-ent` suffix. 
  
## Proof of Work

Unit tests pass
---------

Co-authored-by: Maciej Karaś <[email protected]>

Author: anandsyncs

api/v1/mdb/mongodb_validation.go

@@ -113,6 +113,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 
 	authentication := db.Security.Authentication
 	validators = append(validators, oidcAuthModeValidator(authentication))
+	validators = append(validators, oidcAuthRequiresEnterprise)
 
 	providerConfigs := authentication.OIDCProviderConfigs
 	if len(providerConfigs) == 0 {
@@ -122,6 +123,7 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 	validators = append(validators,
 		oidcProviderConfigsUniqueNameValidation(providerConfigs),
 		oidcProviderConfigsSingleWorkforceIdentityFederationValidation(providerConfigs),
+		oidcProviderConfigUniqueIssuerURIValidation(providerConfigs),
 	)
 
 	for _, config := range providerConfigs {
@@ -130,13 +132,58 @@ func oidcAuthValidators(db DbCommonSpec) []func(DbCommonSpec) v1.ValidationResul
 			oidcProviderConfigClientIdValidator(config),
 			oidcProviderConfigRequestedScopesValidator(config),
 			oidcProviderConfigAuthorizationTypeValidator(config),
-			oidcAuthRequiresEnterprise,
 		)
 	}
 
 	return validators
 }
 
+// oidcProviderConfigUniqueIssuerURIValidation is based on the documentation here:
+// https://www.mongodb.com/docs/manual/reference/parameters/#oidcidentityproviders-fields
+func oidcProviderConfigUniqueIssuerURIValidation(configs []OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
+	return func(d DbCommonSpec) v1.ValidationResult {
+		if len(configs) == 0 {
+			return v1.ValidationSuccess()
+		}
+
+		// Check if version supports duplicate issuers (7.0, 7.3, or 8.0+)
+		versionParts := strings.Split(strings.TrimSuffix(d.Version, "-ent"), ".")
+		supportsMultipleIssuers := false
+		if len(versionParts) >= 2 {
+			major := versionParts[0]
+			minor := versionParts[1]
+			if major == "8" || (major == "7" && (minor == "0" || minor == "3")) {
+				supportsMultipleIssuers = true
+			}
+		}
+
+		if supportsMultipleIssuers {
+			// Track issuer+audience combinations
+			issuerAudienceCombos := make(map[string]string)
+			for _, config := range configs {
+				comboKey := config.IssuerURI + ":" + config.Audience
+				if previousConfig, exists := issuerAudienceCombos[comboKey]; exists {
+					return v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
+						previousConfig, config.ConfigurationName)
+				}
+				issuerAudienceCombos[comboKey] = config.ConfigurationName
+			}
+		} else {
+			// For older versions, require unique issuers
+			uris := make(map[string]string)
+			for _, config := range configs {
+				if previousConfig, exists := uris[config.IssuerURI]; exists {
+					return v1.ValidationError("OIDC provider configs %q and %q have duplicate IssuerURI: %s",
+						previousConfig, config.ConfigurationName, config.IssuerURI)
+				}
+				uris[config.IssuerURI] = config.ConfigurationName
+			}
+		}
+
+		return v1.ValidationSuccess()
+	}
+}
+
 func oidcAuthModeValidator(authentication *Authentication) func(DbCommonSpec) v1.ValidationResult {
 	return func(spec DbCommonSpec) v1.ValidationResult {
 		// OIDC cannot be used for agent authentication so other auth mode has to enabled as well

api/v1/mdb/mongodb_validation_test.go

@@ -497,3 +497,131 @@ func TestOIDCAuthValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestOIDCProviderConfigUniqueIssuerURIValidation(t *testing.T) {
+	tests := []struct {
+		name           string
+		mongoVersion   string
+		configs        []OIDCProviderConfig
+		expectedResult v1.ValidationResult
+	}{
+		{
+			name:         "MongoDB 6.0 with duplicate issuer URIs - error",
+			mongoVersion: "6.0.0",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience2",
+				},
+			},
+			expectedResult: v1.ValidationError("OIDC provider configs %q and %q have duplicate IssuerURI: %s",
+				"config1", "config2", "https://provider.com"),
+		},
+		{
+			name:         "MongoDB 7.0 with unique issuer+audience combinations",
+			mongoVersion: "7.0.0",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience2",
+				},
+			},
+			expectedResult: v1.ValidationSuccess(),
+		},
+		{
+			name:         "MongoDB 7.0 with duplicate issuer+audience combinations - warning",
+			mongoVersion: "7.0.0",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+			},
+			expectedResult: v1.ValidationWarning("OIDC provider configs %q and %q have duplicate IssuerURI and Audience combination",
+				"config1", "config2"),
+		},
+		{
+			name:         "MongoDB 7.3 with unique issuer+audience combinations",
+			mongoVersion: "7.3.0",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience2",
+				},
+			},
+			expectedResult: v1.ValidationSuccess(),
+		},
+		{
+			name:         "MongoDB 8.0 with unique issuer+audience combinations",
+			mongoVersion: "8.0.0",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience2",
+				},
+			},
+			expectedResult: v1.ValidationSuccess(),
+		},
+		{
+			name:         "MongoDB enterprise version with -ent suffix",
+			mongoVersion: "7.0.0-ent",
+			configs: []OIDCProviderConfig{
+				{
+					ConfigurationName: "config1",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience1",
+				},
+				{
+					ConfigurationName: "config2",
+					IssuerURI:         "https://provider.com",
+					Audience:          "audience2",
+				},
+			},
+			expectedResult: v1.ValidationSuccess(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			validationFunc := oidcProviderConfigUniqueIssuerURIValidation(tt.configs)
+
+			dbSpec := DbCommonSpec{
+				Version: tt.mongoVersion,
+			}
+
+			result := validationFunc(dbSpec)
+
+			assert.Equal(t, tt.expectedResult, result)
+		})
+	}
+}