feat(NODE-4929): Add OIDC Azure workflow

[durran]

Description

Adds the ability for OIDC auth to use the Azure Identity Provider to get an access token.

What is changing?

• Adds an AzureServiceWorkflow that gets a token from the Azure Instance Metadata Service
• Adds an AzureTokenCache for caching Azure tokens separate from the callback cache.
• Adds a new auth mechanism property TOKEN_AUDIENCE, that indicates the resource to query for the token.
• Adds new Azure OIDC auth prose tests.

Is there new documentation needed for these changes?

None

What is the motivation for this change?

NODE-4929 / DRIVERS-2416

Spec PR: mongodb/specifications#1421

Double check the following

• Ran npm run check:lint script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[durran]

Moving this all out of the AWS module into utils as Azure will reuse this as well as GCP.

[durran]

Once we bring CSFLE into the driver we can move these constants into a common Azure shared module.

[nbbeeken]

Sonuds good, wanna add a bullet to the FLE ticket calling that out, just something simple as "consolidate constants" would make us remember to go looking for dupes.

We also have an azure token cache in FLE ( cc: @baileympearson ) allegedly there could be a way to combine these as well.

[durran]

I've updated https://jira.mongodb.org/browse/NODE-5283 AC to note this now.

[durran]

Creating this class as we now have 2 caches that have expiring entries of the same expiration time. (Azure, Callbacks)

[durran]

Cleaning up the cache interfaces to all use the "entry" terminology.

[durran]

Azure needs to run its prose tests in a separate environment so they are split out.

[nbbeeken]

With the GCP/Azure KMS, the tests live in the integration folder but only run on the specialized hosts/environment due to beforeEach skipping. It seems like we're approaching the specialized environment stuff in different ways, I don't feel strongly but should we do away with the manual/ dir (for this work) in favor of encoding things into mocha?

[durran]

I've moved to test/integration/auth and put the skip logic in now.

[durran]

This moved to ExpiringCacheEntry

[durran]

This change is to handle authMechanismProperties such as TOKEN_AUDIENCE:api://foo where we need the entire string after the first ":"

[addaleax]

… TIL that .split() inserts capture groups into the split result! :)

[durran]

Yeah that came in handy. :)

[addaleax]

Suggested change

	const ALLOWED_PROVIDER_NAMES = ['aws', 'azure'];
	const ALLOWED_PROVIDER_NAMES: AuthMechanismProperties['PROVIDER_NAME'][] = ['aws', 'azure'];

(tiny suggestion for type safety)

[durran]

Added suggestion.

[nbbeeken]

With the GCP/Azure KMS, the tests live in the integration folder but only run on the specialized hosts/environment due to beforeEach skipping. It seems like we're approaching the specialized environment stuff in different ways, I don't feel strongly but should we do away with the manual/ dir (for this work) in favor of encoding things into mocha?

[nbbeeken]

Sonuds good, wanna add a bullet to the FLE ticket calling that out, just something simple as "consolidate constants" would make us remember to go looking for dupes.

We also have an azure token cache in FLE ( cc: @baileympearson ) allegedly there could be a way to combine these as well.

[nbbeeken]

Seems like the abstract class already covers enforcing the cacheKey method exists on all subclasses, what is this providing?

[durran]

Abstract class is now called Cache and this interface is removed.