-
Notifications
You must be signed in to change notification settings - Fork 902
/
Copy pathclient_examples_test.go
721 lines (648 loc) · 24.2 KB
/
client_examples_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
// Copyright (C) MongoDB, Inc. 2017-present.
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License. You may obtain
// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
package mongo_test
import (
"context"
"fmt"
"log"
"os"
"go.mongodb.org/mongo-driver/v2/bson"
"go.mongodb.org/mongo-driver/v2/mongo"
"go.mongodb.org/mongo-driver/v2/mongo/options"
"go.mongodb.org/mongo-driver/v2/mongo/readpref"
)
func ExampleClient() {
// Create a Client and execute a ListDatabases operation.
client, err := mongo.Connect(
options.Client().ApplyURI("mongodb://localhost:27017"))
if err != nil {
log.Panic(err)
}
defer func() {
if err = client.Disconnect(context.TODO()); err != nil {
log.Panic(err)
}
}()
collection := client.Database("db").Collection("coll")
result, err := collection.InsertOne(context.TODO(), bson.D{{"x", 1}})
if err != nil {
log.Panic(err)
}
fmt.Printf("inserted ID: %v\n", result.InsertedID)
}
func ExampleConnect_ping() {
// Create a Client to a MongoDB server and use Ping to verify that the
// server is running.
clientOpts := options.Client().ApplyURI("mongodb://localhost:27017")
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
defer func() {
if err = client.Disconnect(context.TODO()); err != nil {
log.Panic(err)
}
}()
// Call Ping to verify that the deployment is up and the Client was
// configured successfully. As mentioned in the Ping documentation, this
// reduces application resiliency as the server may be temporarily
// unavailable when Ping is called.
if err = client.Ping(context.TODO(), readpref.Primary()); err != nil {
log.Panic(err)
}
}
func ExampleConnect_replicaSet() {
// Create and connect a Client to a replica set deployment.
// Given this URI, the Go driver will first communicate with localhost:27017
// and use the response to discover any other members in the replica set.
// The URI in this example specifies multiple members of the replica set to
// increase resiliency as one of the members may be down when the
// application is started.
clientOpts := options.Client().ApplyURI(
"mongodb://localhost:27017,localhost:27018/?replicaSet=replset")
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_sharded() {
// Create and connect a Client to a sharded deployment.
// The URI for a sharded deployment should specify the mongos servers that
// the application wants to send messages to.
clientOpts := options.Client().ApplyURI(
"mongodb://localhost:27017,localhost:27018")
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_sRV() {
// Create and connect a Client using an SRV record.
// SRV records allow administrators to configure a single domain to return a
// list of host names. The driver will resolve SRV records prefixed with
// "_mongodb_tcp" and use the returned host names to build its view of the
// deployment.
// See https://www.mongodb.com/docs/manual/reference/connection-string/ for more
// information about SRV. Full support for SRV records with sharded clusters
// requires driver version 1.1.0 or higher.
clientOpts := options.Client().ApplyURI("mongodb+srv://mongodb.example.com")
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_direct() {
// Create a direct connection to a host. The driver will send all requests
// to that host and will not automatically discover other hosts in the
// deployment.
clientOpts := options.Client().ApplyURI(
"mongodb://localhost:27017/?connect=direct")
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_sCRAM() {
// Configure a Client with SCRAM authentication
// (https://www.mongodb.com/docs/manual/core/security-scram/).
// The default authentication database for SCRAM is "admin". This can be
// configured via the authSource query parameter in the URI or the
// AuthSource field in the options.Credential struct. SCRAM is the default
// auth mechanism so specifying a mechanism is not required.
// To configure auth via URI instead of a Credential, use
// "mongodb://user:password@localhost:27017".
credential := options.Credential{
Username: "user",
Password: "password",
}
clientOpts := options.Client().ApplyURI("mongodb://localhost:27017").
SetAuth(credential)
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_x509() {
// Configure a Client with X509 authentication
// (https://www.mongodb.com/docs/manual/core/security-x.509/).
// X509 can be configured with different sets of options in the connection
// string:
// 1. tlsCAFile (or SslCertificateAuthorityFile): Path to the file with
// either a single or bundle of certificate authorities to be considered
// trusted when making a TLS connection.
// 2. tlsCertificateKeyFile (or SslClientCertificateKeyFile): Path to the
// client certificate file or the client private key file. In the case that
// both are needed, the files should be concatenated.
// The SetAuth client option should also be used. The username field is
// optional. If it is not specified, it will be extracted from the
// certificate key file. The AuthSource is required to be $external.
caFilePath := "path/to/cafile"
certificateKeyFilePath := "path/to/client-certificate"
// To configure auth via a URI instead of a Credential, append
// "&authMechanism=MONGODB-X509" to the URI.
uri := "mongodb://host:port/?tlsCAFile=%s&tlsCertificateKeyFile=%s"
uri = fmt.Sprintf(uri, caFilePath, certificateKeyFilePath)
credential := options.Credential{
AuthMechanism: "MONGODB-X509",
}
clientOpts := options.Client().ApplyURI(uri).SetAuth(credential)
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_pLAIN() {
// Configure a Client with LDAP authentication
// (https://www.mongodb.com/docs/manual/core/authentication-mechanisms-enterprise/#security-auth-ldap).
// MongoDB Enterprise supports proxy authentication through an LDAP service
// that can be used through the PLAIN authentication mechanism.
// This auth mechanism sends the password in plaintext and therefore should
// only be used with TLS connections.
// To configure auth via a URI instead of a Credential, use
// "mongodb://ldap-user:ldap-pwd@localhost:27017/?authMechanism=PLAIN".
credential := options.Credential{
AuthMechanism: "PLAIN",
Username: "ldap-user",
Password: "ldap-pwd",
}
clientOpts := options.Client().ApplyURI("mongodb://localhost:27017").
SetAuth(credential)
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_kerberos() {
// Configure a Client with GSSAPI/SSPI authentication (https://www.mongodb.com/docs/manual/core/kerberos/).
// MongoDB Enterprise supports proxy authentication through a Kerberos
// service. Using Kerberos authentication requires the "gssapi" build tag
// and cgo support during compilation. The default service name for Kerberos
// is "mongodb". This can be configured via the AuthMechanismProperties
// field in the options.Credential struct or the authMechanismProperties URI
// parameter.
// For Linux, the libkrb5 library is required.
// Users can authenticate in one of two ways:
// 1. Use an explicit password. In this case, a password must be specified
// in the URI or the options.Credential struct and no further setup is
// required.
// 2. Store authentication keys in keytab files. To do this, the kinit
// binary should be used to initialize a credential cache for authenticating
// the user principal. In this example, the invocation would be
// "kinit drivers@KERBEROS.EXAMPLE.COM".
// To configure auth via a URI instead of a Credential, use
// "mongodb://drivers%40KERBEROS.EXAMPLE.COM@mongo-server.example.com:27017/?authMechanism=GSSAPI".
credential := options.Credential{
AuthMechanism: "GSSAPI",
Username: "drivers@KERBEROS.EXAMPLE.COM",
}
uri := "mongo-server.example.com:27017"
clientOpts := options.Client().ApplyURI(uri).SetAuth(credential)
client, err := mongo.Connect(clientOpts)
if err != nil {
log.Panic(err)
}
_ = client
}
func ExampleConnect_aWS() {
// Configure a Client with authentication using the MONGODB-AWS
// authentication mechanism. Credentials for this mechanism can come from
// one of four sources:
//
// 1. AWS IAM credentials (an access key ID and a secret access key)
//
// 2. Temporary AWS IAM credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
// obtained from an AWS Security Token Service (STS) Assume Role request
// (https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
//
// 3. AWS Lambda environment variables
// (https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime)
//
// 4. Temporary AWS IAM credentials assigned to an EC2 instance or ECS task
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)
// The order in which the driver searches for credentials is:
//
// 1. Credentials passed through the URI
// 2. Environment variables
// 3. ECS endpoint if and only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is
// set
// 4. EC2 endpoint
//
// The following examples set the appropriate credentials via the
// ClientOptions.SetAuth method. All of these credentials can be specified
// via the ClientOptions.ApplyURI method as well. If using ApplyURI, both
// the username and password must be URL encoded (see net.URL.QueryEscape())
// AWS IAM Credentials
// Applications can authenticate using AWS IAM credentials by providing a
// valid access key ID and secret access key pair as the username and
// password, respectively.
var accessKeyID, secretAccessKey string
awsCredential := options.Credential{
AuthMechanism: "MONGODB-AWS",
Username: accessKeyID,
Password: secretAccessKey,
}
awsIAMClient, err := mongo.Connect(
options.Client().SetAuth(awsCredential))
if err != nil {
panic(err)
}
_ = awsIAMClient
// AssumeRole
// Applications can authenticate using temporary credentials returned from
// an assume role request. These temporary credentials consist of an access
// key ID, a secret access key, and a security token.
var sessionToken string
assumeRoleCredential := options.Credential{
AuthMechanism: "MONGODB-AWS",
Username: accessKeyID,
Password: secretAccessKey,
AuthMechanismProperties: map[string]string{
"AWS_SESSION_TOKEN": sessionToken,
},
}
assumeRoleClient, err := mongo.Connect(
options.Client().SetAuth(assumeRoleCredential))
if err != nil {
panic(err)
}
_ = assumeRoleClient
// AWS Lambda (Environment Variables)
// When the username and password are not provided and the MONGODB-AWS
// mechanism is set, the client will fallback to using the environment
// variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
// for the access key ID, secret access key, and session token,
// respectively. These environment variables must not be URL encoded.
// $ export AWS_ACCESS_KEY_ID=<accessKeyID>
// $ export AWS_SECRET_ACCESS_KEY=<secretAccessKey>
// $ export AWS_SESSION_TOKEN=<sessionToken>
envVariablesCredential := options.Credential{
AuthMechanism: "MONGODB-AWS",
}
envVariablesClient, err := mongo.Connect(
options.Client().SetAuth(envVariablesCredential))
if err != nil {
panic(err)
}
_ = envVariablesClient
// ECS Container or EC2 Instance
// Applications can authenticate from an ECS container or EC2 instance via
// temporary credentials assigned to the machine. If using an ECS container,
// the "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable must be
// set to a non-empty value. The driver will query the ECS or EC2 endpoint
// to obtain the relevant credentials.
ecCredential := options.Credential{
AuthMechanism: "MONGODB-AWS",
}
ecClient, err := mongo.Connect(options.Client().SetAuth(ecCredential))
if err != nil {
panic(err)
}
_ = ecClient
}
func ExampleConnect_stableAPI() {
// Configure a Client with stable API.
//
// Stable API is a new feature in MongoDB 5.0 that allows user-selectable
// API versions, subsets of MongoDB server semantics, to be declared on a
// Client. During communication with a server, Clients with a declared API
// version will force that server to behave in a manner compatible with the
// API version. Declaring an API version on your Client can be used to
// ensure consistent responses from a server, providing long term API
// stability for an application.
//
// The declared API version is applied to all commands run through the
// Client, including those sent through the generic RunCommand helper.
// Specifying stable API options in the command document AND declaring
// an API version on the Client is not supported and will lead to undefined
// behavior. To run any command with a different API version or without
// declaring one, create a separate Client that declares the appropriate API
// version.
// ServerAPIOptions must be declared with an API version. ServerAPIVersion1
// is a constant equal to "1".
serverAPI := options.ServerAPI(options.ServerAPIVersion1)
serverAPIClient, err := mongo.Connect(
options.Client().SetServerAPIOptions(serverAPI))
if err != nil {
panic(err)
}
_ = serverAPIClient
// ServerAPIOptions can be declared with a Strict option. Declaring a strict
// API version will cause the MongoDB server to reject all commands that are
// not part of the declared API version. This includes command options and
// aggregation pipeline stages. For example, the following Distinct call
// would fail because the distinct command is not part of API version 1:
serverAPIStrict := options.ServerAPI(options.ServerAPIVersion1).
SetStrict(true)
serverAPIStrictClient, err := mongo.Connect(
options.Client().SetServerAPIOptions(serverAPIStrict))
if err != nil {
panic(err)
}
coll := serverAPIStrictClient.Database("db").Collection("coll")
// Fails with error: (APIStrictError) Provided apiStrict:true, but the
// command distinct is not in API Version 1
err = coll.Distinct(context.TODO(), "distinct", bson.D{}).Err()
log.Println(err)
// ServerAPIOptions can be declared with a DeprecationErrors option.
// DeprecationErrors can be used to enable command failures when using
// functionality that is deprecated in the declared API version. Note that
// at the time of this writing, no deprecations in API version 1 exist.
serverAPIDeprecation := options.ServerAPI(options.ServerAPIVersion1).
SetDeprecationErrors(true)
serverAPIDeprecationClient, err := mongo.Connect(
options.Client().SetServerAPIOptions(serverAPIDeprecation))
if err != nil {
panic(err)
}
_ = serverAPIDeprecationClient
}
func ExampleConnect_bSONOptions() {
// Configure a client that customizes the BSON marshal and unmarshal
// behavior.
// Specify BSON options that cause the driver to fallback to "json"
// struct tags if "bson" struct tags are missing, marshal nil Go maps as
// empty BSON documents, and marshals nil Go slices as empty BSON
// arrays.
bsonOpts := &options.BSONOptions{
UseJSONStructTags: true,
NilMapAsEmpty: true,
NilSliceAsEmpty: true,
}
clientOpts := options.Client().
ApplyURI("mongodb://localhost:27017").
SetBSONOptions(bsonOpts)
client, err := mongo.Connect(clientOpts)
if err != nil {
panic(err)
}
defer func() {
if err := client.Disconnect(context.TODO()); err != nil {
panic(err)
}
}()
coll := client.Database("db").Collection("coll")
// Define a struct that contains a map and a slice and uses "json" struct
// tags to specify field names.
type myDocument struct {
MyMap map[string]interface{} `json:"a"`
MySlice []string `json:"b"`
}
// Insert an instance of the struct with all empty fields. Expect the
// resulting BSON document to have a structure like {"a": {}, "b": []}
_, err = coll.InsertOne(context.TODO(), myDocument{})
if err != nil {
panic(err)
}
}
func ExampleConnect_oIDC() {
// The `MONGODB-OIDC authentication mechanism` is available in MongoDB 7.0+
// on Linux platforms.
//
// The MONGODB-OIDC mechanism authenticates using an OpenID Connect (OIDC)
// access token. The driver supports OIDC for workload identity, defined as
// an identity you assign to a software workload (such as an application,
// service, script, or container) to authenticate and access other services
// and resources.
//
// The driver also supports OIDC for workforce identity for a more secure
// flow with a human in the loop.
// Credentials can be configured through the MongoDB URI or as arguments in
// the options.ClientOptions struct that is passed into the mongo.Connect
// function.
// Built-in Support
// The driver has built-in support for Azure IMDS and GCP
// IMDS environments. Other environments are supported with `Custom
// Callbacks`.
// Azure IMDS
// For an application running on an Azure VM or otherwise using the `Azure
// Internal Metadata Service`, you can use the built-in support for Azure,
// where "<client_id>" below is the client id of the Azure managed identity,
// and ``<audience>`` is the url-encoded ``audience`` `configured on your
// MongoDB deployment`.
{
uri := os.Getenv("MONGODB_URI")
props := map[string]string{
"ENVIRONMENT": "azure",
"TOKEN_RESOURCE": "<audience>",
}
opts := options.Client().ApplyURI(uri)
opts.SetAuth(
options.Credential{
Username: "<client_id>",
AuthMechanism: "MONGODB-OIDC",
AuthMechanismProperties: props,
},
)
c, err := mongo.Connect(opts)
if err != nil {
panic(err)
}
defer func() { _ = c.Disconnect(context.TODO()) }()
_, err = c.Database("test").
Collection("test").
InsertOne(context.TODO(), bson.D{})
if err != nil {
panic(err)
}
}
// If the application is running on an Azure VM and only one managed
// identity is associated with the VM, "username" can be omitted.
// GCP IMDS
// For an application running on an GCP VM or otherwise using the `GCP
// Internal Metadata Service`_, you can use the built-in support for GCP,
// where "<audience>" below is the url-encoded "audience" `configured on
// your MongoDB deployment`.
{
uri := os.Getenv("MONGODB_URI")
props := map[string]string{
"ENVIRONMENT": "gcp",
"TOKEN_RESOURCE": "<audience>",
}
opts := options.Client().ApplyURI(uri)
opts.SetAuth(
options.Credential{
AuthMechanism: "MONGODB-OIDC",
AuthMechanismProperties: props,
},
)
c, err := mongo.Connect(opts)
if err != nil {
panic(err)
}
defer func() { _ = c.Disconnect(context.TODO()) }()
_, err = c.Database("test").
Collection("test").
InsertOne(context.TODO(), bson.D{})
if err != nil {
panic(err)
}
}
// Custom Callbacks
// For environments that are not directly supported by the driver, you can
// use options.OIDCCallback. Some examples are given below.
// AWS EKS
// For an EKS Cluster with a configured `IAM OIDC provider`, the token can
// be read from a path given by the "AWS_WEB_IDENTITY_TOKEN_FILE"
// environment variable.
{
eksCallback := func(_ context.Context,
_ *options.OIDCArgs) (*options.OIDCCredential, error) {
accessToken, err := os.ReadFile(
os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"))
if err != nil {
return nil, err
}
return &options.OIDCCredential{
AccessToken: string(accessToken),
}, nil
}
uri := os.Getenv("MONGODB_URI")
opts := options.Client().ApplyURI(uri)
opts.SetAuth(
options.Credential{
AuthMechanism: "MONGODB-OIDC",
OIDCMachineCallback: eksCallback,
},
)
c, err := mongo.Connect(opts)
if err != nil {
panic(err)
}
defer func() { _ = c.Disconnect(context.TODO()) }()
_, err = c.Database("test").
Collection("test").
InsertOne(context.TODO(), bson.D{})
if err != nil {
panic(err)
}
}
// Other Azure Environments
// For applications running on Azure Functions, App Service Environment
// (ASE), or Azure Kubernetes Service (AKS), you can use the `azidentity
// package`
// (https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) to
// fetch the credentials. In each case, the OIDCCallback function should
// return the AccessToken from the azidentity package.
// GCP GKE
// For a Google Kubernetes Engine cluster with a `configured service
// account`, the token can be read from the standard service account token
// file location.
{
gkeCallback := func(_ context.Context,
_ *options.OIDCArgs) (*options.OIDCCredential, error) {
accessToken, err := os.ReadFile(
"/var/run/secrets/kubernetes.io/serviceaccount/token")
if err != nil {
return nil, err
}
return &options.OIDCCredential{
AccessToken: string(accessToken),
}, nil
}
uri := os.Getenv("MONGODB_URI")
props := map[string]string{
"ENVIRONMENT": "gcp",
"TOKEN_RESOURCE": "<audience>",
}
opts := options.Client().ApplyURI(uri)
opts.SetAuth(
options.Credential{
AuthMechanism: "MONGODB-OIDC",
AuthMechanismProperties: props,
OIDCMachineCallback: gkeCallback,
},
)
c, err := mongo.Connect(opts)
if err != nil {
panic(err)
}
defer func() { _ = c.Disconnect(context.TODO()) }()
_, err = c.Database("test").
Collection("test").
InsertOne(context.TODO(), bson.D{})
if err != nil {
panic(err)
}
}
// For workforce identity, the Client must be configured with the
// OIDCHumanCallback rather than the OIDCMachineCallback. The
// OIDCHumanCallback is used by the driver in a process that is two step. In
// the first step, the driver retrieves the Identity Provider (IDP)
// Information (IDPInfo) for the passed username. The OIDCHumanCallback then
// needs to negotiate with the IDP in order to obtain an AccessToken,
// possible RefreshToken, any timeouts, and return them, similar to the
// OIDCMachineCallbacks seen above. See
// https://docs.hidglobal.com/dev/auth-service/integration/openid-authentication-flows.html
// for more information on various OIDC authentication flows.
{
humanCallback := func(ctx context.Context,
opts *options.OIDCArgs) (*options.OIDCCredential, error) {
// idpInfo passed from the driver by asking the MongoDB server for
// the info configured for the username
idpInfo := opts.IDPInfo
// negotiateWithIDP must work with the IdP to obtain an access
// token. In many cases this will involve opening a webbrowser or
// providing a URL on the command line to a human-in-the-loop who
// can give permissions to the IdP.
accessToken, err := negotiateWithIDP(ctx, idpInfo.Issuer)
if err != nil {
return nil, err
}
return &options.OIDCCredential{
AccessToken: accessToken,
}, nil
}
uri := os.Getenv("MONGODB_URI")
props := map[string]string{
"ENVIRONMENT": "gcp",
"TOKEN_RESOURCE": "<audience>",
}
opts := options.Client().ApplyURI(uri)
opts.SetAuth(
options.Credential{
AuthMechanism: "MONGODB-OIDC",
AuthMechanismProperties: props,
OIDCHumanCallback: humanCallback,
},
)
c, err := mongo.Connect(opts)
if err != nil {
panic(err)
}
defer func() { _ = c.Disconnect(context.TODO()) }()
_, err = c.Database("test").
Collection("test").
InsertOne(context.TODO(), bson.D{})
if err != nil {
panic(err)
}
}
// * MONGODB-OIDC authentication mechanism:
// https://www.mongodb.com/docs/manual/core/security-oidc/
// * OIDC Identity Provider Configuration:
// https://www.mongodb.com/docs/manual/reference/parameters/#mongodb-parameter-param.oidcIdentityProviders
// * Azure Internal Metadata Service:
// https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service
// * GCP Internal Metadata Service:
// https://cloud.google.com/compute/docs/metadata/querying-metadata
// * IAM OIDC provider:
// https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
// * azure-identity package:
// https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity
// * configured service account:
// https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
}
func negotiateWithIDP(_ context.Context, _ string) (string, error) {
return "", nil
}