Merge branch 'v1' into godriver3140

Author: qingyang-hu

.evergreen/config.yml

@@ -350,6 +350,23 @@ functions:
             chmod +x $i
           done
 
+  assume-ec2-role:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+
+  run-oidc-auth-test-with-test-credentials:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        shell: bash
+        include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+        script: |
+          ${PREPARE_SHELL}
+          export OIDC="oidc"
+          bash ${PROJECT_DIRECTORY}/etc/run-oidc-test.sh 'make -s evg-test-oidc-auth'
+
   run-make:
     - command: shell.exec
       type: test
@@ -560,8 +577,6 @@ functions:
         working_dir: src/go.mongodb.org/mongo-driver
         script: |
           ${PREPARE_SHELL}
-
-          IS_SERVERLESS_PROXY="${IS_SERVERLESS_PROXY}" \
           bash etc/run-serverless-test.sh
 
   run-atlas-data-lake-test:
@@ -1954,6 +1969,60 @@ tasks:
             popd
             ./.evergreen/run-deployed-lambda-aws-tests.sh
 
+  - name: "oidc-auth-test-latest"
+    commands:
+      - func: "run-oidc-auth-test-with-test-credentials"
+
+  - name: "oidc-auth-test-azure-latest"
+    commands:
+    - command: shell.exec
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        shell: bash
+        script: |-
+          set -o errexit
+          ${PREPARE_SHELL}
+          export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-go-driver.tar.gz
+          # we need to statically link libc to avoid the situation where the VM has a different
+          # version of libc
+          go build -tags osusergo,netgo -ldflags '-w -extldflags "-static -lgcc -lc"' -o test ./cmd/testoidcauth/main.go
+          rm "$AZUREOIDC_DRIVERS_TAR_FILE" || true
+          tar -cf $AZUREOIDC_DRIVERS_TAR_FILE ./test
+          tar -uf $AZUREOIDC_DRIVERS_TAR_FILE ./etc
+          rm "$AZUREOIDC_DRIVERS_TAR_FILE".gz || true
+          gzip $AZUREOIDC_DRIVERS_TAR_FILE
+          export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-go-driver.tar.gz
+          # Define the command to run on the azure VM.
+          # Ensure that we source the environment file created for us, set up any other variables we need,
+          # and then run our test suite on the vm.
+          export AZUREOIDC_TEST_CMD="PROJECT_DIRECTORY='.' OIDC_ENV=azure OIDC=oidc ./etc/run-oidc-test.sh ./test"
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh
+
+  - name: "oidc-auth-test-gcp-latest"
+    commands:
+    - command: shell.exec
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        shell: bash
+        script: |-
+          set -o errexit
+          ${PREPARE_SHELL}
+          export GCPOIDC_DRIVERS_TAR_FILE=/tmp/mongo-go-driver.tar.gz
+          # we need to statically link libc to avoid the situation where the VM has a different
+          # version of libc
+          go build -tags osusergo,netgo -ldflags '-w -extldflags "-static -lgcc -lc"' -o test ./cmd/testoidcauth/main.go
+          rm "$GCPOIDC_DRIVERS_TAR_FILE" || true
+          tar -cf $GCPOIDC_DRIVERS_TAR_FILE ./test
+          tar -uf $GCPOIDC_DRIVERS_TAR_FILE ./etc
+          rm "$GCPOIDC_DRIVERS_TAR_FILE".gz || true
+          gzip $GCPOIDC_DRIVERS_TAR_FILE
+          export GCPOIDC_DRIVERS_TAR_FILE=/tmp/mongo-go-driver.tar.gz
+          # Define the command to run on the gcp VM.
+          # Ensure that we source the environment file created for us, set up any other variables we need,
+          # and then run our test suite on the vm.
+          export GCPOIDC_TEST_CMD="PROJECT_DIRECTORY='.' OIDC_ENV=gcp OIDC=oidc ./etc/run-oidc-test.sh ./test"
+          bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh
+
   - name: "test-search-index"
     commands:
       - func: "bootstrap-mongo-orchestration"
@@ -2014,7 +2083,7 @@ axes:
       - id: "windows-64-go-1-20"
         display_name: "Windows 64-bit"
         run_on:
-          - windows-vsCurrent-latest-small
+          - windows-vsCurrent-small
         variables:
           GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin"
           GO_DIST: "C:\\golang\\go1.20"
@@ -2038,7 +2107,7 @@ axes:
       - id: "windows-64-go-1-20"
         display_name: "Windows 64-bit"
         run_on:
-          - windows-vsCurrent-latest-small
+          - windows-vsCurrent-small
         variables:
           GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin"
           GO_DIST: "C:\\golang\\go1.20"
@@ -2070,7 +2139,7 @@ axes:
       - id: "windows-64-vsCurrent-latest-small-go-1-20"
         display_name: "Windows 64-bit"
         run_on:
-          - windows-vsCurrent-latest-small
+          - windows-vsCurrent-small
         variables:
           GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin"
           GO_DIST: "C:\\golang\\go1.20"
@@ -2108,17 +2177,6 @@ axes:
         variables:
           GO_DIST: "/opt/golang/go1.20"
 
-  - id: serverless-type
-    display_name: "Serverless Type"
-    values:
-      - id: "original"
-        display_name: "Serverless"
-      - id: "proxy"
-        display_name: "Serverless Proxy"
-        variables:
-          VAULT_NAME: "serverless_next"
-          IS_SERVERLESS_PROXY: "true"
-
 task_groups:
   - name: serverless_task_group
     setup_group_can_fail_task: true
@@ -2247,6 +2305,79 @@ task_groups:
     tasks:
       - testazurekms-task
 
+  - name: testoidc_task_group
+    setup_group:
+      - func: fetch-source
+      - func: prepare-resources
+      - func: fix-absolute-paths
+      - func: make-files-executable
+      - func: assume-ec2-role
+      - command: shell.exec
+        params:
+          shell: bash
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          script: |
+            ${PREPARE_SHELL}
+            ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-latest
+
+  - name: testazureoidc_task_group
+    setup_group:
+      - func: fetch-source
+      - func: prepare-resources
+      - func: fix-absolute-paths
+      - func: make-files-executable
+      - command: subprocess.exec
+        params:
+          binary: bash
+          env:
+            AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/azure/delete-vm.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
+
+  - name: testgcpoidc_task_group
+    setup_group:
+      - func: fetch-source
+      - func: prepare-resources
+      - func: fix-absolute-paths
+      - func: make-files-executable
+      - command: subprocess.exec
+        params:
+          binary: bash
+          env:
+            AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-gcp-latest
+
   - name: test-aws-lambda-task-group
     setup_group:
       - func: fetch-source
@@ -2391,23 +2522,48 @@ buildvariants:
     tasks:
       - name: "test-docker-runner"
 
-  - matrix_name: "tests-36-with-zlib-support"
+  - matrix_name: "tests-rhel-36-with-zlib-support"
     tags: ["pullrequest"]
-    matrix_spec: { version: ["3.6"], os-ssl-32: ["windows-64-go-1-20", "rhel87-64-go-1-20"] }
+    matrix_spec: { version: ["3.6"], os-ssl-32: ["rhel87-64-go-1-20"] }
     display_name: "${version} ${os-ssl-32}"
     tasks:
       - name: ".test !.enterprise-auth !.snappy !.zstd"
 
-  - matrix_name: "tests-40-with-zlib-support"
+  - matrix_name: "tests-windows-36-with-zlib-support"
+    matrix_spec: { version: ["3.6"], os-ssl-32: ["windows-64-go-1-20"] }
+    display_name: "${version} ${os-ssl-32}"
+    tasks:
+      - name: ".test !.enterprise-auth !.snappy !.zstd"
+
+  - matrix_name: "tests-rhel-40-with-zlib-support"
     tags: ["pullrequest"]
-    matrix_spec: { version: ["4.0"], os-ssl-40: ["windows-64-go-1-20", "rhel87-64-go-1-20"] }
+    matrix_spec: { version: ["4.0"], os-ssl-40: ["rhel87-64-go-1-20"] }
+    display_name: "${version} ${os-ssl-40}"
+    tasks:
+      - name: ".test !.enterprise-auth !.snappy !.zstd"
+
+  - matrix_name: "tests-windows-40-with-zlib-support"
+    matrix_spec: { version: ["4.0"], os-ssl-40: ["windows-64-go-1-20"] }
     display_name: "${version} ${os-ssl-40}"
     tasks:
       - name: ".test !.enterprise-auth !.snappy !.zstd"
 
-  - matrix_name: "tests-42-plus-zlib-zstd-support"
+  - matrix_name: "tests-rhel-42-plus-zlib-zstd-support"
+    tags: ["pullrequest"]
+    matrix_spec: { version: ["4.2", "4.4", "5.0", "6.0", "7.0", "8.0"], os-ssl-40: ["rhel87-64-go-1-20"] }
+    display_name: "${version} ${os-ssl-40}"
+    tasks:
+      - name: ".test !.enterprise-auth !.snappy"
+
+  - matrix_name: "tests-windows-42-plus-zlib-zstd-support"
+    matrix_spec: { version: ["4.2", "4.4", "5.0", "6.0", "7.0"], os-ssl-40: ["windows-64-go-1-20"] }
+    display_name: "${version} ${os-ssl-40}"
+    tasks:
+      - name: ".test !.enterprise-auth !.snappy"
+
+  - matrix_name: "tests-windows-80-zlib-zstd-support"
     tags: ["pullrequest"]
-    matrix_spec: { version: ["4.2", "4.4", "5.0", "6.0", "7.0", "8.0"], os-ssl-40: ["windows-64-go-1-20", "rhel87-64-go-1-20"] }
+    matrix_spec: { version: ["8.0"], os-ssl-40: ["windows-64-go-1-20"] }
     display_name: "${version} ${os-ssl-40}"
     tasks:
       - name: ".test !.enterprise-auth !.snappy"
@@ -2494,14 +2650,8 @@ buildvariants:
 
   - matrix_name: "serverless"
     tags: ["pullrequest"]
-    matrix_spec: { os-serverless: "*", serverless-type: "original" }
-    display_name: "${serverless-type} ${os-serverless}"
-    tasks:
-      - "serverless_task_group"
-
-  - matrix_name: "serverless-proxy"
-    matrix_spec: { os-serverless: "*", serverless-type: "proxy" }
-    display_name: "${serverless-type} ${os-serverless}"
+    matrix_spec: { os-serverless: "*" }
+    display_name: "Serverless ${os-serverless}"
     tasks:
       - "serverless_task_group"
 
@@ -2561,3 +2711,17 @@ buildvariants:
       - name: testazurekms_task_group
         batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README
       - testazurekms-fail-task
+
+  - name: testoidc-variant
+    display_name: "OIDC"
+    run_on:
+      - ubuntu2204-large
+    expansions:
+      GO_DIST: "/opt/golang/go1.20"
+    tasks:
+      - name: testoidc_task_group
+        batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README
+      - name: testazureoidc_task_group
+        batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README
+      - name: testgcpoidc_task_group
+        batchtime: 20160 # Use a batchtime of 14 days as suggested by the CSFLE test README

.github/workflows/codeql.yml

@@ -0,0 +1,51 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "v1", "cloud-*", "master", "release/*" ]
+  pull_request:
+    branches: [ "v1", "cloud-*", "master", "release/*" ]
+  schedule:
+    - cron: '36 17 * * 0'
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: go
+          build-mode: manual
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        make build
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"