CLOUDP-317713: Separate authentication mechanism checks (#143)

## Summary of Changes

- Introduced a new `IsDeploymentAuthenticationEnabled` method to the
`Mechanism` interface.
- Implemented `IsDeploymentAuthenticationEnabled` for all authentication
mechanism types to check only if a mechanism is enabled (present in the
config), without comparing configuration objects.
- Updated the removal/disable logic to use this new method, ensuring
mechanisms like LDAP and OIDC can be properly disabled even when
configuration objects differ or are missing.
- Retained the original `IsDeploymentAuthenticationConfigured` method
for cases where strict configuration matching is required.

Previously, the `IsDeploymentAuthenticationConfigured` method was used
for both modifying and removing authentication mechanisms. However, its
implementation checked both presence and exact configuration, which
caused issues when removing mechanisms like LDAP or OIDC—these have
separate configuration objects that may not exist locally after removal,
causing the method to return `false` and preventing proper disabling.

By separating this logic:
- `IsDeploymentAuthenticationEnabled` is used for removal/disabling and
checks only for presence.
- `IsDeploymentAuthenticationConfigured` remains for full config
matching.


## Proof of Work

Tests pass, added an Ldap removal test to verify that mechanism removal
works.

## Checklist
- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you checked for release_note changes?

Author: anandsyncs

controllers/operator/authentication/authentication.go

@@ -320,7 +320,7 @@ func removeUnsupportedDeploymentMechanisms(conn om.Connection, opts Options, log
 	unsupportedMechanisms := mechanismsToDisable(automationConfigAuthMechanisms)
 
 	log.Infow("Removing unsupported deployment authentication mechanisms", "Mechanisms", unsupportedMechanisms)
-	if err := ensureDeploymentMechanismsAreDisabled(conn, ac, unsupportedMechanisms, opts, log); err != nil {
+	if err := ensureDeploymentMechanismsAreDisabled(conn, ac, unsupportedMechanisms, log); err != nil {
 		return xerrors.Errorf("error ensuring deployment mechanisms are disabled: %w", err)
 	}
 
@@ -397,10 +397,10 @@ func ensureDeploymentMechanisms(conn om.Connection, ac *om.AutomationConfig, mec
 
 // ensureDeploymentMechanismsAreDisabled configures the given AutomationConfig to allow deployments to
 // authenticate using the specified mechanisms
-func ensureDeploymentMechanismsAreDisabled(conn om.Connection, ac *om.AutomationConfig, mechanismsToDisable MechanismList, opts Options, log *zap.SugaredLogger) error {
+func ensureDeploymentMechanismsAreDisabled(conn om.Connection, ac *om.AutomationConfig, mechanismsToDisable MechanismList, log *zap.SugaredLogger) error {
 	deploymentMechanismsToDisable := make([]Mechanism, 0)
 	for _, mechanism := range mechanismsToDisable {
-		if mechanism.IsDeploymentAuthenticationConfigured(ac, opts) {
+		if mechanism.IsDeploymentAuthenticationEnabled(ac) {
 			deploymentMechanismsToDisable = append(deploymentMechanismsToDisable, mechanism)
 		}
 	}

controllers/operator/authentication/authentication_mechanism.go

@@ -21,6 +21,7 @@ type Mechanism interface {
 	// called directly after deserializing the response from OM which should not contain the util.MergoDelete value in any field.
 	IsAgentAuthenticationConfigured(ac *om.AutomationConfig, opts Options) bool
 	IsDeploymentAuthenticationConfigured(ac *om.AutomationConfig, opts Options) bool
+	IsDeploymentAuthenticationEnabled(ac *om.AutomationConfig) bool
 	GetName() MechanismName
 }
 

controllers/operator/authentication/ldap.go

@@ -116,7 +116,11 @@ func (l *ldapAuthMechanism) IsAgentAuthenticationConfigured(ac *om.AutomationCon
 }
 
 func (l *ldapAuthMechanism) IsDeploymentAuthenticationConfigured(ac *om.AutomationConfig, opts Options) bool {
-	return stringutil.Contains(ac.Auth.DeploymentAuthMechanisms, string(LDAPPlain)) && ldapObjectsEqual(ac.Ldap, opts.Ldap)
+	return l.IsDeploymentAuthenticationEnabled(ac) && ldapObjectsEqual(ac.Ldap, opts.Ldap)
+}
+
+func (l *ldapAuthMechanism) IsDeploymentAuthenticationEnabled(ac *om.AutomationConfig) bool {
+	return stringutil.Contains(ac.Auth.DeploymentAuthMechanisms, string(LDAPPlain))
 }
 
 func ldapObjectsEqual(lhs *ldap.Ldap, rhs *ldap.Ldap) bool {

controllers/operator/authentication/scramsha.go

@@ -83,6 +83,10 @@ func (s *automationConfigScramSha) IsAgentAuthenticationConfigured(ac *om.Automa
 }
 
 func (s *automationConfigScramSha) IsDeploymentAuthenticationConfigured(ac *om.AutomationConfig, _ Options) bool {
+	return s.IsDeploymentAuthenticationEnabled(ac)
+}
+
+func (s *automationConfigScramSha) IsDeploymentAuthenticationEnabled(ac *om.AutomationConfig) bool {
 	return stringutil.Contains(ac.Auth.DeploymentAuthMechanisms, string(s.MechanismName))
 }
 

controllers/operator/authentication/x509.go

@@ -131,6 +131,10 @@ func (x *connectionX509) IsAgentAuthenticationConfigured(ac *om.AutomationConfig
 }
 
 func (x *connectionX509) IsDeploymentAuthenticationConfigured(ac *om.AutomationConfig, _ Options) bool {
+	return x.IsDeploymentAuthenticationEnabled(ac)
+}
+
+func (x *connectionX509) IsDeploymentAuthenticationEnabled(ac *om.AutomationConfig) bool {
 	return stringutil.Contains(ac.Auth.DeploymentAuthMechanisms, string(MongoDBX509))
 }
 

docker/mongodb-kubernetes-tests/tests/authentication/replica_set_ldap_tls.py

@@ -1,4 +1,3 @@
-import time
 from typing import Dict
 
 from kubetester import create_or_update_secret, find_fixture, wait_until
@@ -145,4 +144,14 @@ def test_remove_ldap_settings(replica_set: MongoDB):
     replica_set["spec"]["security"]["authentication"]["modes"] = ["SCRAM"]
     replica_set.update()
 
+    def wait_for_ac_pushed() -> bool:
+        ac = replica_set.get_automation_config_tester()
+        try:
+            ac.assert_authentication_mechanism_disabled(LDAP_AUTHENTICATION_MECHANISM, check_auth_mechanism=False)
+            return True
+        except AssertionError:
+            return False
+
+    wait_until(wait_for_ac_pushed, timeout=400)
+
     replica_set.assert_reaches_phase(Phase.Running, timeout=400)