CDRIVER-4611 Support ENVIRONMENT:gcp for MONGODB-OIDC (#2177)

* add path and optional audience args to `gcp_request_init`
* add `gcp_identity_token_from_gcp_server`
  * Use a separate helper from `gcp_access_token_from_gcp_server`: the response format differs, a timer is required, an audience is required, and the path differs.
* implement `mongoc_oidc_env_fn_gcp`

Author: kevinAlbs

.evergreen/config_generator/components/oidc.py

@@ -58,6 +58,29 @@ def task_groups():
                 ),
             ],
         ),
+        EvgTaskGroup(
+            name='test-oidc-gcp-task-group',
+            tasks=['oidc-gcp-auth-test-task'],
+            setup_group_can_fail_task=True,
+            teardown_group_can_fail_task=True,
+            teardown_group_timeout_secs=180,  # 3 minutes
+            setup_group=[
+                FetchDET.call(),
+                ec2_assume_role(role_arn='${aws_test_secrets_role}'),
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+                    env={'GCPOIDC_VMNAME_PREFIX': 'CDRIVER'},
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/setup.sh',
+                ),
+            ],
+            teardown_group=[
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/teardown.sh',
+                ),
+            ],
+        ),
     ]
 
 
@@ -105,6 +128,29 @@ def tasks():
                 ),
             ],
         ),
+        EvgTask(
+            name='oidc-gcp-auth-test-task',
+            run_on=['debian11-small'],  # TODO: switch to 'debian11-latest' after DEVPROD-23011 fixed.
+            commands=[
+                FetchSource.call(),
+                bash_exec(
+                    working_dir='mongoc',
+                    add_expansions_to_env=True,
+                    command_type=EvgCommandType.TEST,
+                    script='.evergreen/scripts/oidc-gcp-compile.sh',
+                ),
+                expansions_update(file='mongoc/oidc-remote-test-expansion.yml'),
+                bash_exec(
+                    add_expansions_to_env=True,
+                    command_type=EvgCommandType.TEST,
+                    env={
+                        'GCPOIDC_DRIVERS_TAR_FILE': '${OIDC_TEST_TARBALL}',
+                        'GCPOIDC_TEST_CMD': 'source ./secrets-export.sh && ./.evergreen/scripts/oidc-gcp-test.sh',
+                    },
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/run-driver-test.sh',
+                ),
+            ],
+        ),
     ]
 
 
@@ -113,6 +159,10 @@ def variants():
         BuildVariant(
             name='oidc',
             display_name='OIDC',
-            tasks=[EvgTaskRef(name='test-oidc-task-group'), EvgTaskRef(name='test-oidc-azure-task-group')],
+            tasks=[
+                EvgTaskRef(name='test-oidc-task-group'),
+                EvgTaskRef(name='test-oidc-azure-task-group'),
+                EvgTaskRef(name='test-oidc-gcp-task-group'),
+            ],
         ),
     ]

.evergreen/generated_configs/task_groups.yml

@@ -30,6 +30,37 @@ task_groups:
             - -c
             - ./drivers-evergreen-tools/.evergreen/auth_oidc/azure/delete-vm.sh
     teardown_group_timeout_secs: 180
+  - name: test-oidc-gcp-task-group
+    setup_group:
+      - func: fetch-det
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          env:
+            GCPOIDC_VMNAME_PREFIX: CDRIVER
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/setup.sh
+    setup_group_can_fail_task: true
+    tasks:
+      - oidc-gcp-auth-test-task
+    teardown_group:
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/teardown.sh
+    teardown_group_timeout_secs: 180
   - name: test-oidc-task-group
     setup_group:
       - func: fetch-det

.evergreen/generated_configs/tasks.yml

@@ -4249,6 +4249,34 @@ tasks:
           args:
             - -c
             - ./drivers-evergreen-tools/.evergreen/auth_oidc/azure/run-driver-test.sh
+  - name: oidc-gcp-auth-test-task
+    run_on:
+      - debian11-small
+    commands:
+      - func: fetch-source
+      - command: subprocess.exec
+        type: test
+        params:
+          binary: bash
+          working_dir: mongoc
+          add_expansions_to_env: true
+          args:
+            - -c
+            - .evergreen/scripts/oidc-gcp-compile.sh
+      - command: expansions.update
+        params:
+          file: mongoc/oidc-remote-test-expansion.yml
+      - command: subprocess.exec
+        type: test
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          env:
+            GCPOIDC_DRIVERS_TAR_FILE: ${OIDC_TEST_TARBALL}
+            GCPOIDC_TEST_CMD: source ./secrets-export.sh && ./.evergreen/scripts/oidc-gcp-test.sh
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/gcp/run-driver-test.sh
   - name: openssl-compat-1.0.2-shared-ubuntu2404-gcc
     run_on: ubuntu2404-large
     tags: [openssl-compat, openssl-1.0.2, openssl-shared, ubuntu2404, gcc]

.evergreen/generated_configs/variants.yml

@@ -258,6 +258,7 @@ buildvariants:
     tasks:
       - name: test-oidc-task-group
       - name: test-oidc-azure-task-group
+      - name: test-oidc-gcp-task-group
   - name: openssl-compat-matrix
     display_name: OpenSSL Compatibility Matrix
     tasks:

.evergreen/scripts/oidc-gcp-compile.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o pipefail
+set -o nounset
+
+if [[ "${distro_id:?}" == "debian11-small" ]]; then
+  # Temporary workaround for lack of uv on `debian11`. TODO: remove after DEVPROD-23011 is resolved.
+  uv_dir="$(mktemp -d)"
+  python3 -m virtualenv "${uv_dir:?}"
+  # shellcheck source=/dev/null
+  (. "${uv_dir:?}/bin/activate" && python -m pip install uv)
+  PATH="${uv_dir:?}/bin:${PATH:-}"
+  command -V uv >/dev/null
+fi
+
+. .evergreen/scripts/install-build-tools.sh
+install_build_tools
+export CMAKE_GENERATOR="Ninja"
+
+# Use ccache if able.
+. .evergreen/scripts/find-ccache.sh
+find_ccache_and_export_vars "$(pwd)" || true
+
+echo "Compile mongoc-ping ... begin"
+# Disable unnecessary dependencies. mongoc-ping is copied to a remote host for testing, which may not have all dependent libraries.
+cmake_flags=(
+  -DENABLE_SASL=OFF
+  -DENABLE_SNAPPY=OFF
+  -DENABLE_ZSTD=OFF
+  -DENABLE_ZLIB=OFF
+  -DENABLE_SRV=ON # To support mongodb+srv URIs
+  -DENABLE_CLIENT_SIDE_ENCRYPTION=OFF
+  -DENABLE_EXAMPLES=ON # To build mongoc-ping
+)
+cmake "${cmake_flags[@]}" -Bcmake-build
+cmake --build cmake-build --target mongoc-ping
+echo "Compile mongoc-ping ... end"
+
+# Create tarball for remote testing.
+echo "Creating mongoc-ping tarball ... begin"
+
+# Copy test binary and test script.
+files=(
+  .evergreen/scripts/oidc-gcp-test.sh
+  cmake-build/src/libmongoc/libmongoc2*
+  cmake-build/src/libbson/libbson2*
+  cmake-build/src/libmongoc/mongoc-ping
+)
+tar -czf mongoc-ping.tar.gz "${files[@]}"
+echo "Creating mongoc-ping tarball ... end"
+
+cat <<EOT >oidc-remote-test-expansion.yml
+OIDC_TEST_TARBALL: $(pwd)/mongoc-ping.tar.gz
+EOT

.evergreen/scripts/oidc-gcp-test.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o pipefail
+set -o nounset
+
+# Install required OpenSSL runtime library.
+sudo apt install -y libssl-dev
+
+mongoc_ping=./cmake-build/src/libmongoc/mongoc-ping
+
+export LD_LIBRARY_PATH
+LD_LIBRARY_PATH="$(pwd)/cmake-build/src/libmongoc:$(pwd)/cmake-build/src/libbson:${LD_LIBRARY_PATH:-}"
+
+echo "Testing good auth ..."
+if ! "$mongoc_ping" "$MONGODB_URI?authMechanism=MONGODB-OIDC&authSource=%24external&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:$GCPOIDC_AUDIENCE" &>output.txt; then
+  echo "mongoc-ping failed to authenticate using OIDC in GCP" 1>&2
+  cat output.txt 1>&2
+  exit 1
+fi
+echo "Testing good auth ... done"
+
+echo "Testing bad TOKEN_RESOURCE ..."
+if "$mongoc_ping" "$MONGODB_URI?authMechanism=MONGODB-OIDC&authSource=%24external&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:bad" &>output.txt; then
+  echo "mongoc-ping unexpectedly succeeded with bad token resource" 1>&2
+  exit 1
+fi
+echo "Testing bad TOKEN_RESOURCE ... done"

src/libmongoc/src/mongoc/mcd-azure.h

@@ -46,8 +46,8 @@ typedef struct mcd_azure_access_token {
 /**
  * @brief Try to parse an Azure access token from an IMDS metadata JSON response
  *
- * @param out The token to initialize. Should be uninitialized. Must later be
- * destroyed by the caller.
+ * @param out Overwritten with the obtained token. Must later be destroyed.
+ * @pre `*out` must be in a non-owning state (e.g. uninitialized or zero-initialized).
  * @param json The JSON string body
  * @param len The length of 'body'
  * @param error An output parameter for errors
@@ -92,7 +92,7 @@ typedef struct mcd_azure_imds_request {
  * @brief Initialize a new IMDS HTTP request
  *
  * @param out The object to initialize
- * @param token_resource Percent encoded and passed as the "resource" query parameter.
+ * @param token_resource Will be percent encoded and passed as the "resource" query parameter.
  * @param opt_imds_host (Optional) the IP host of the IMDS server
  * @param opt_port (Optional) The port of the IMDS HTTP server (default is 80)
  * @param opt_extra_headers (Optional) Set extra HTTP headers for the request
@@ -123,9 +123,9 @@ mcd_azure_imds_request_destroy(mcd_azure_imds_request *req);
  * @brief Attempt to obtain a new OAuth2 access token from an Azure IMDS HTTP
  * server.
  *
- * @param out The output parameter for the obtained token. Must later be
- * destroyed
- * @param token_resource Percent encoded and passed as the "resource" query parameter.
+ * @param out Overwritten with the obtained token. Must later be destroyed.
+ * @pre `*out` must be in a non-owning state (e.g. uninitialized or zero-initialized).
+ * @param token_resource Will be percent encoded and passed as the "resource" query parameter.
  * @param opt_imds_host (Optional) Override the IP host of the IMDS server
  * @param opt_port (Optional) The port of the IMDS HTTP server (default is 80)
  * @param opt_extra_headers (Optional) Set extra HTTP headers for the request

src/libmongoc/src/mongoc/mongoc-oidc-env.c

@@ -18,6 +18,7 @@
 
 #include <mongoc/mcd-azure.h>
 #include <mongoc/mongoc-oidc-callback.h>
+#include <mongoc/service-gcp.h>
 
 #include <mlib/duration.h>
 #include <mlib/time_point.h>
@@ -101,9 +102,39 @@ mongoc_oidc_env_fn_azure(mongoc_oidc_callback_params_t *params)
 static mongoc_oidc_credential_t *
 mongoc_oidc_env_fn_gcp(mongoc_oidc_callback_params_t *params)
 {
-   BSON_UNUSED(params);
-   // TODO (CDRIVER-4489)
-   return NULL;
+   BSON_ASSERT_PARAM(params);
+
+   bson_error_t error;
+   gcp_service_account_token token = {0};
+   mongoc_oidc_credential_t *ret = NULL;
+   mongoc_oidc_env_callback_t *callback = mongoc_oidc_callback_params_get_user_data(params);
+   BSON_ASSERT(callback);
+
+   mlib_timer timer = {0};
+   const int64_t *timeout_us = mongoc_oidc_callback_params_get_timeout(params);
+   if (timeout_us) {
+      timer = mlib_expires_at((mlib_time_point){.time_since_monotonic_start = mlib_duration(*timeout_us, us)});
+      if (mlib_timer_is_expired(timer)) {
+         // No time remaining. Immediately fail.
+         mongoc_oidc_callback_params_cancel_with_timeout(params);
+         goto fail;
+      }
+   }
+
+   if (!gcp_identity_token_from_gcp_server(&token, callback->token_resource, timer, &error)) {
+      MONGOC_ERROR("Failed to obtain GCP OIDC access token: %s", error.message);
+      goto fail;
+   }
+
+   ret = mongoc_oidc_credential_new(token.access_token);
+   if (!ret) {
+      MONGOC_ERROR("Failed to process GCP OIDC access token");
+      goto fail;
+   }
+
+fail:
+   gcp_access_token_destroy(&token);
+   return ret;
 }
 
 static mongoc_oidc_credential_t *