From d002731185da651c62c17115ba83937eb20b1990 Mon Sep 17 00:00:00 2001
From: Rhys Howell
Date: Mon, 18 Dec 2023 16:01:13 -0500
Subject: [PATCH 1/3] start mongodb with auth enabled to ensure we're testing it correctly
---
 docker/oidc/mock-oidc-provider/Dockerfile | 5 ++-
 .../mock-oidc-provider/install-mongosh.sh | 14 ++++++++
 .../oidc/mock-oidc-provider/start-server.sh | 34 ++++++++++++++++++-
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 docker/oidc/mock-oidc-provider/install-mongosh.sh
diff --git a/docker/oidc/mock-oidc-provider/Dockerfile b/docker/oidc/mock-oidc-provider/Dockerfile
index 79f64df..c00f67d 100644
--- a/docker/oidc/mock-oidc-provider/Dockerfile
+++ b/docker/oidc/mock-oidc-provider/Dockerfile
@@ -2,7 +2,8 @@ FROM mongodb/mongodb-enterprise-server:latest
 USER root
 RUN apt-get update && apt-get install -y \
 ca-certificates \
- curl
+ curl jq netcat
+ARG TARGETARCH
 ARG NODE_VERSION=20.10.0
 ARG NODE_PACKAGE=node-v$NODE_VERSION-linux-arm64
 ARG NODE_HOME=/opt/$NODE_PACKAGE
@@ -10,6 +11,8 @@ ENV NODE_PATH $NODE_HOME/lib/node_modules
 ENV PATH $NODE_HOME/bin:$PATH
 RUN curl https://nodejs.org/dist/v$NODE_VERSION/$NODE_PACKAGE.tar.gz | tar -xzC /opt/
 RUN mkdir -p /tmp/mock-provider && cd /tmp/mock-provider && npm init -y && npm install @mongodb-js/oidc-mock-provider
+COPY install-mongosh.sh /install-mongosh.sh
+RUN bash install-mongosh.sh
 COPY start-server.sh /start-server.sh
 COPY oidc-mock-provider.js /tmp/mock-provider/oidc-mock-provider.js
 COPY proxy.js /tmp/mock-provider/proxy.js
diff --git a/docker/oidc/mock-oidc-provider/install-mongosh.sh b/docker/oidc/mock-oidc-provider/install-mongosh.sh
new file mode 100644
index 0000000..13e460e
--- /dev/null
+++ b/docker/oidc/mock-oidc-provider/install-mongosh.sh
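Review bot: The changed `apt-get install -y curl jq netcat` line pulls in recommended packages and leaves the apt lists in the layer; in the same RUN it should read `apt-get install -y --no-install-recommends ca-certificates curl jq netcat && rm -rf /var/lib/apt/lists/*`. `netcat` is only a virtual/transitional name on Debian-family bases — on current Debian `apt-get install netcat` refuses and asks for `netcat-openbsd` or `netcat-traditional` — so with the base image on `:latest` this line can start failing on a base refresh; naming `netcat-openbsd` explicitly avoids that. The new `ARG TARGETARCH` is consumed only by install-mongosh.sh, while `NODE_PACKAGE` on the very next line still hard-codes `linux-arm64`, so an amd64 build ends up with an amd64 mongosh next to an arm64 Node tarball; deriving the Node arch from `TARGETARCH` (`arm64` → `arm64`, `amd64` → `x64`) would make the two consistent.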
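Review bot: `COPY install-mongosh.sh /install-mongosh.sh` followed by `RUN bash install-mongosh.sh` leaves the installer script (and whatever it writes to `/`) in the final image, and it relies on the build's working directory being `/` because the RUN uses a relative path. Running it from a bind mount keeps it out of every layer: `RUN --mount=type=bind,source=install-mongosh.sh,target=/tmp/install-mongosh.sh bash /tmp/install-mongosh.sh`. Whatever the script downloads is installed as root into the image, so pinning and verifying that download (see the script itself) matters more here than it would in a throwaway container.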
@@ -0,0 +1,14 @@
+set -e
+
+if [ "$TARGETARCH" = "arm64" ];
+ then export BUILT_MONGOSH_ARCH=arm64;
+ else export BUILT_MONGOSH_ARCH=amd64;
+fi
+
+LATEST_MONGOSH_VERSION=$(curl https://info-mongodb-com.s3.amazonaws.com/com-download-center/mongosh.json | jq -r '.versions[0]._id')
+
+echo "Building for $TARGETARCH"
+echo "mongosh arch: ${BUILT_MONGOSH_ARCH}"
+curl -f "https://downloads.mongodb.com/compass/mongodb-mongosh_${LATEST_MONGOSH_VERSION}_${BUILT_MONGOSH_ARCH}.deb" > "/mongodb-mongosh.deb"
+dpkg -i "mongodb-mongosh.deb"
+mongosh --version
diff --git a/docker/oidc/mock-oidc-provider/start-server.sh b/docker/oidc/mock-oidc-provider/start-server.sh
index 5878624..18053f1 100755
--- a/docker/oidc/mock-oidc-provider/start-server.sh
+++ b/docker/oidc/mock-oidc-provider/start-server.sh
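Review bot: The script installs whatever `.versions[0]._id` of a remotely fetched JSON says is newest and runs `dpkg -i` on it with no checksum or signature check, so the image is not reproducible and a stale or tampered download is accepted silently; the version and its published SHA-256 should be pinned (as build ARGs) and verified before `dpkg -i`. `set -e` without `pipefail` means a failed metadata `curl` (which also lacks `-f`) leaves `LATEST_MONGOSH_VERSION` empty, and the error only surfaces as a confusing 404 on the next line. `dpkg -i "mongodb-mongosh.deb"` is a relative path while the file was written to `/mongodb-mongosh.deb`, so this only works because the build's cwd happens to be `/`, and the .deb is never removed from the layer. Since the Dockerfile runs this with `bash`, `pipefail` is available.
```shell
set -eo pipefail

# … unchanged: BUILT_MONGOSH_ARCH selection from TARGETARCH …

# Pin the release and its published SHA-256 (both supplied as build ARGs) instead of
# resolving "latest" at build time: the image is reproducible and a bad download fails the build.
: "${MONGOSH_VERSION:?MONGOSH_VERSION must be set}"
: "${MONGOSH_SHA256:?MONGOSH_SHA256 must be set}"

curl -fsSL "https://downloads.mongodb.com/compass/mongodb-mongosh_${MONGOSH_VERSION}_${BUILT_MONGOSH_ARCH}.deb" -o /mongodb-mongosh.deb
echo "${MONGOSH_SHA256}  /mongodb-mongosh.deb" | sha256sum -c -
dpkg -i /mongodb-mongosh.deb
rm -f /mongodb-mongosh.deb
mongosh --version
```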
@@ -8,10 +8,42 @@ echo Waiting to make sure that oidc mock provider and proxy are running
 until $(curl --output /dev/null --silent --head --fail http://localhost:$OIDC_PROVIDER_PROXY_PORT/.well-known/openid-configuration); do
 sleep 0.3
 done
+
+echo Setting up user roles
+# Start the server (without auth).
+# This is original mongodb/mongodb-enterprise-server entrypoint
+python3 /usr/local/bin/docker-entrypoint.py \
+ --setParameter authenticationMechanisms="MONGODB-OIDC" \
+ --setParameter enableTestCommands="true" \
+ --setParameter oidcIdentityProviders="$OIDC_IDENTITY_PROVIDERS" > /dev/null &
+MDB_PID="$!"
+
+# Wait for the mongodb server to start.
+# sleep 5
+until nc -z localhost 27017; do
+ sleep 1
+done
+
+# Creates the OIDC user role in the database.
+mongosh "mongodb://localhost:27017/admin" --eval "JSON.stringify(db.createRole({ role: \"dev/groups\", privileges: [ ], roles: [ \"dbOwner\" ] }));"
+
+# Stop the no auth database (we re-start it with auth enabled next).
+echo Stopping no-auth server pid $MDB_PID
+kill $MDB_PID
+
+pkill mongod
+
+# Wait for the mongodb server to shut down.
+# sleep 15
+until ! nc -z localhost 27017; do
+ sleep 1
+done
+
 echo Starting server
 OIDC_IDENTITY_PROVIDERS="[$(curl --fail http://localhost:29091/server-oidc-config)]"
 # This is original mongodb/mongodb-enterprise-server entrypoint
 python3 /usr/local/bin/docker-entrypoint.py \
- --setParameter authenticationMechanisms="SCRAM-SHA-256,MONGODB-OIDC" \
+ --setParameter authenticationMechanisms="MONGODB-OIDC" \
 --setParameter enableTestCommands="true" \
+ --auth \
 --setParameter oidcIdentityProviders="$OIDC_IDENTITY_PROVIDERS"
From af46446d0738da3866dd9de492f7e997d02f03c4 Mon Sep 17 00:00:00 2001
From: Rhys Howell
Date: Mon, 18 Dec 2023 16:06:41 -0500
Subject: [PATCH 2/3] remove comments
---
 docker/oidc/mock-oidc-provider/start-server.sh | 6 ------
 1 file changed, 6 deletions(-)
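Review bot: The bootstrap `python3 /usr/local/bin/docker-entrypoint.py … &` block starts mongod with no `--auth` and, unless the entrypoint itself restricts the bind address, on every interface, so for the whole role-creation window anyone who can reach 27017 is an unauthenticated administrator; it also passes `--setParameter oidcIdentityProviders="$OIDC_IDENTITY_PROVIDERS"` several lines before the `OIDC_IDENTITY_PROVIDERS="[$(curl …)]"` assignment that produces that value, so the bootstrap instance gets an empty or stale setting unless something before line 8 sets it. Neither OIDC nor test commands are needed to run `createRole` over an unauthenticated local connection, so the bootstrap start can be reduced to the entrypoint plus a loopback bind (assuming the entrypoint passes unknown flags through to mongod as it does for `--setParameter`). The `mongosh … createRole` result is never checked; if start-server.sh does not run under `set -e` (its first lines are outside this hunk), a failed createRole still lets the script restart with `--auth` and OIDC as the only mechanism, which no token can then authorize against. Whether `kill $MDB_PID` reaches mongod depends on whether the python entrypoint execs it; `pkill mongod` is what actually does the work here.
```shell
echo Setting up user roles
# Bootstrap instance runs with no authentication, so keep it reachable from inside the
# container only and leave out the OIDC parameters: $OIDC_IDENTITY_PROVIDERS is only fetched below.
python3 /usr/local/bin/docker-entrypoint.py --bind_ip 127.0.0.1 > /dev/null &
MDB_PID="$!"

# Wait for the mongodb server to start.
until nc -z 127.0.0.1 27017; do
  sleep 1
done

# Abort rather than boot an auth-enabled server that no OIDC user can be authorized against.
mongosh "mongodb://127.0.0.1:27017/admin" --eval "JSON.stringify(db.createRole({ role: \"dev/groups\", privileges: [ ], roles: [ \"dbOwner\" ] }));" \
  || { echo "role setup failed" >&2; pkill mongod; exit 1; }

# … unchanged: stop the bootstrap server and wait for the port to close …
```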
diff --git a/docker/oidc/mock-oidc-provider/start-server.sh b/docker/oidc/mock-oidc-provider/start-server.sh
index 18053f1..2d972c5 100755
--- a/docker/oidc/mock-oidc-provider/start-server.sh
+++ b/docker/oidc/mock-oidc-provider/start-server.sh
@@ -16,10 +16,8 @@ python3 /usr/local/bin/docker-entrypoint.py \
 --setParameter authenticationMechanisms="MONGODB-OIDC" \
 --setParameter enableTestCommands="true" \
 --setParameter oidcIdentityProviders="$OIDC_IDENTITY_PROVIDERS" > /dev/null &
-MDB_PID="$!"
 
 # Wait for the mongodb server to start.
-# sleep 5
 until nc -z localhost 27017; do
 sleep 1
 done
@@ -28,13 +26,9 @@ done
 mongosh "mongodb://localhost:27017/admin" --eval "JSON.stringify(db.createRole({ role: \"dev/groups\", privileges: [ ], roles: [ \"dbOwner\" ] }));"
 
 # Stop the no auth database (we re-start it with auth enabled next).
-echo Stopping no-auth server pid $MDB_PID
-kill $MDB_PID
-
 pkill mongod
 
 # Wait for the mongodb server to shut down.
-# sleep 15
 until ! nc -z localhost 27017; do
 sleep 1
 done
From c2ca7d119ce9c58bca5d637d0d5a9e228bedc785 Mon Sep 17 00:00:00 2001
From: Rhys Howell
Date: Tue, 19 Dec 2023 11:33:44 -0500
Subject: [PATCH 3/3] remove mongosh install, create expected roles
---
 docker/oidc/mock-oidc-provider/Dockerfile | 2 --
 docker/oidc/mock-oidc-provider/install-mongosh.sh | 14 --------------
 docker/oidc/mock-oidc-provider/start-server.sh | 3 +--
 3 files changed, 1 insertion(+), 18 deletions(-)
 delete mode 100644 docker/oidc/mock-oidc-provider/install-mongosh.sh
diff --git a/docker/oidc/mock-oidc-provider/Dockerfile b/docker/oidc/mock-oidc-provider/Dockerfile
index c00f67d..a8e18df 100644
--- a/docker/oidc/mock-oidc-provider/Dockerfile
+++ b/docker/oidc/mock-oidc-provider/Dockerfile
@@ -11,8 +11,6 @@ ENV NODE_PATH $NODE_HOME/lib/node_modules
 ENV PATH $NODE_HOME/bin:$PATH
 RUN curl https://nodejs.org/dist/v$NODE_VERSION/$NODE_PACKAGE.tar.gz | tar -xzC /opt/
 RUN mkdir -p /tmp/mock-provider && cd /tmp/mock-provider && npm init -y && npm install @mongodb-js/oidc-mock-provider
-COPY install-mongosh.sh /install-mongosh.sh
-RUN bash install-mongosh.sh
 COPY start-server.sh /start-server.sh
 COPY oidc-mock-provider.js /tmp/mock-provider/oidc-mock-provider.js
 COPY proxy.js /tmp/mock-provider/proxy.js
diff --git a/docker/oidc/mock-oidc-provider/install-mongosh.sh b/docker/oidc/mock-oidc-provider/install-mongosh.sh
deleted file mode 100644
index 13e460e..0000000
--- a/docker/oidc/mock-oidc-provider/install-mongosh.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-set -e
-
-if [ "$TARGETARCH" = "arm64" ];
- then export BUILT_MONGOSH_ARCH=arm64;
- else export BUILT_MONGOSH_ARCH=amd64;
-fi
-
-LATEST_MONGOSH_VERSION=$(curl https://info-mongodb-com.s3.amazonaws.com/com-download-center/mongosh.json | jq -r '.versions[0]._id')
-
-echo "Building for $TARGETARCH"
-echo "mongosh arch: ${BUILT_MONGOSH_ARCH}"
-curl -f "https://downloads.mongodb.com/compass/mongodb-mongosh_${LATEST_MONGOSH_VERSION}_${BUILT_MONGOSH_ARCH}.deb" > "/mongodb-mongosh.deb"
-dpkg -i "mongodb-mongosh.deb"
-mongosh --version
diff --git a/docker/oidc/mock-oidc-provider/start-server.sh b/docker/oidc/mock-oidc-provider/start-server.sh
index 2d972c5..00c7c6a 100755
--- a/docker/oidc/mock-oidc-provider/start-server.sh
+++ b/docker/oidc/mock-oidc-provider/start-server.sh
@@ -21,9 +21,8 @@ python3 /usr/local/bin/docker-entrypoint.py \
 until nc -z localhost 27017; do
 sleep 1
 done
-
 # Creates the OIDC user role in the database.
-mongosh "mongodb://localhost:27017/admin" --eval "JSON.stringify(db.createRole({ role: \"dev/groups\", privileges: [ ], roles: [ \"dbOwner\" ] }));"
+mongosh "mongodb://localhost:27017/admin" --json --eval "(process.env.OIDC_TOKEN_PAYLOAD_GROUPS ?? 'testgroup').split(',').map(group => db.createRole({ role: 'dev/' + group, privileges: [ ], roles: [ \"readWriteAnyDatabase\" ] }));"
 
 # Stop the no auth database (we re-start it with auth enabled next).
 pkill mongod
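Review bot: The new `mongosh … --eval` line splits `OIDC_TOKEN_PAYLOAD_GROUPS` on `,` with no trimming or de-duplication, so a value like `a, b` creates a role literally named `dev/ b`, a trailing comma creates `dev/`, and a repeated group makes `createRole` throw "Role already exists" and abort the remaining groups; normalizing first with `[...new Set((process.env.OIDC_TOKEN_PAYLOAD_GROUPS ?? 'testgroup').split(',').map(g => g.trim()).filter(Boolean))].map(group => db.createRole(…))` avoids all three. Every role is granted `readWriteAnyDatabase`, i.e. read/write on every database for any token that carries the group — reasonable for a mock, but a one-line comment such as `# test fixture only: every dev/<group> role gets readWriteAnyDatabase` would keep the next maintainer from copying the mapping elsewhere. Whether a thrown error actually stops the startup depends on `set -e` at the top of the script, which is outside this hunk; otherwise the auth-enabled restart proceeds with no roles. Because no user is ever created in `admin` (OIDC principals live in the identity provider), MongoDB's localhost exception presumably remains open on the auth-enabled server, so any process inside the container can still create a root user — worth stating in a comment if that is accepted for the fixture. After this series the line also relies on `mongosh` shipping with the base image, since install-mongosh.sh is gone.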