
Commit a5a237e

GODRIVER-3100 Use AWS Secrets Manager for CSFLE Tests (#1520)
Co-authored-by: Preston Vasquez <[email protected]>
1 parent 1fd1bc2 commit a5a237e


8 files changed

+130
-242
lines changed


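--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -123,7 +123,7 @@ functions:
 export UPLOAD_BUCKET="$UPLOAD_BUCKET"
 export PROJECT="$PROJECT"
 export TMPDIR="$MONGO_ORCHESTRATION_HOME/db"
-export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig
+export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig
 export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64
 export PATH="$PATH"
 EOT
@@ -299,6 +299,13 @@ functions:
 # Attempt to shut down a running load balancer. Ignore any errors that happen if the load
 # balancer is not running.
 DRIVERS_TOOLS=${DRIVERS_TOOLS} MONGODB_URI=${MONGODB_URI} bash ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop || echo "Ignoring load balancer stop error"
+- command: shell.exec
+params:
+shell: "bash"
+script: |
+${PREPARE_SHELL}
+# Clean up cse servers
+bash ${DRIVERS_TOOLS}/.evergreen/csfle/stop_servers.sh
 - command: shell.exec
 params:
 shell: "bash"
@@ -309,6 +316,7 @@ functions:
 cd -
 rm -rf $DRIVERS_TOOLS || true
 
+
 fix-absolute-paths:
 - command: shell.exec
 params:
@@ -506,27 +514,7 @@ functions:
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
-
-# Set temp credentials for AWS.
-export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}"
-export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}"
-export AWS_DEFAULT_REGION="us-east-1"
-
-# Set client-side encryption credentials.
-export CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/ca-ec.pem"
-export CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/client-ec.pem"
-
-${PYTHON3_BINARY} -m venv ./venv
-./venv/${VENV_BIN_DIR|bin}/pip3 install boto3
-
-# Set the PYTHON environment variable to point to the active python3 binary. This is used by the
-# set-temp-creds.sh script.
-if [ "Windows_NT" = "$OS" ]; then
-export PYTHON="$(pwd)/venv/Scripts/python"
-else
-export PYTHON="$(pwd)/venv/bin/python"
-fi
-. ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
+source ./secrets-export.sh
 
 if [ "${SKIP_CRYPT_SHARED_LIB}" = "true" ]; then
 CRYPT_SHARED_LIB_PATH=""
@@ -545,17 +533,6 @@ functions:
 TOPOLOGY="${TOPOLOGY}" \
 MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
 BUILD_TAGS="-tags=cse" \
-AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \
-AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \
-AWS_DEFAULT_REGION="us-east-1" \
-CSFLE_AWS_TEMP_ACCESS_KEY_ID="$CSFLE_AWS_TEMP_ACCESS_KEY_ID" \
-CSFLE_AWS_TEMP_SECRET_ACCESS_KEY="$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY" \
-CSFLE_AWS_TEMP_SESSION_TOKEN="$CSFLE_AWS_TEMP_SESSION_TOKEN" \
-AZURE_TENANT_ID="${cse_azure_tenant_id}" \
-AZURE_CLIENT_ID="${cse_azure_client_id}" \
-AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
-GCP_EMAIL="${cse_gcp_email}" \
-GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
 REQUIRE_API_VERSION="${REQUIRE_API_VERSION}" \
 CRYPT_SHARED_LIB_PATH="$CRYPT_SHARED_LIB_PATH" \
 make evg-test-versioned-api \
@@ -867,91 +844,24 @@ functions:
 export AWS_ROLE_SESSION_NAME="test"
 ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh web-identity
 
-start-kms-mock-server:
-- command: shell.exec
-params:
-shell: "bash"
-script: |
-${PREPARE_SHELL}
-
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-- command: shell.exec
-params:
-shell: "bash"
-background: true
-script: |
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${CERT_FILE} --port ${PORT}
-
-start-kms-mock-server-require-client-cert:
-- command: shell.exec
-params:
-shell: "bash"
-script: |
-${PREPARE_SHELL}
-
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-- command: shell.exec
-params:
-shell: "bash"
-background: true
-script: |
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${CERT_FILE} --port ${PORT} --require_client_cert
-
 start-cse-servers:
-- command: shell.exec
-params:
-shell: "bash"
-script: |
-${PREPARE_SHELL}
-
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-
-- command: shell.exec
+- command: ec2.assume_role
 params:
-shell: "bash"
-background: true
-script: |
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-python -u kms_kmip_server.py \
---port 5698 \
---ca_file "${PROJECT_DIRECTORY}/testdata/kmip-certs/ca-ec.pem" \
---cert_file "${PROJECT_DIRECTORY}/testdata/kmip-certs/server-ec.pem"
-
-- command: shell.exec
+role_arn: ${aws_test_secrets_role}
+- command: subprocess.exec
 params:
-shell: "bash"
+working_dir: src/go.mongodb.org/mongo-driver
+binary: bash
 background: true
-script: |
-cd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-python bottle.py fake_azure:imds
-
-- command: shell.exec
+include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "DRIVERS_TOOLS"]
+args:
+- etc/setup-encryption.sh
+- command: subprocess.exec
 params:
-script: |
-# Ensure mock servers are running before starting tests.
-await_server() {
-for i in $(seq 300); do
-# Exit code 7: "Failed to connect to host".
-if curl -s "localhost:$2"; test $? -ne 7; then
-return 0
-else
-sleep 1
-fi
-done
-echo "could not detect '$1' server on port $2"
-}
-# * List servers to await here ...
-await_server "KMS", 5698
-await_server "Azure", 8080
-
-echo "finished awaiting servers"
+working_dir: src/go.mongodb.org/mongo-driver
+binary: bash
+args:
+- ${DRIVERS_TOOLS}/.evergreen/csfle/await_servers.sh
 
 run-kms-tls-test:
 - command: shell.exec
@@ -961,6 +871,7 @@ functions:
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
+source ./secrets-export.sh
 export KMS_TLS_TESTCASE="${KMS_TLS_TESTCASE}"
 
 export GOFLAGS=-mod=vendor
@@ -970,13 +881,6 @@ functions:
 TOPOLOGY="${TOPOLOGY}" \
 MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
 BUILD_TAGS="-tags=cse" \
-AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \
-AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \
-AZURE_TENANT_ID="${cse_azure_tenant_id}" \
-AZURE_CLIENT_ID="${cse_azure_client_id}" \
-AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
-GCP_EMAIL="${cse_gcp_email}" \
-GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
 make evg-test-kms \
 PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH
@@ -989,6 +893,7 @@ functions:
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
+source ./secrets-export.sh
 export KMS_MOCK_SERVERS_RUNNING="true"
 
 export GOFLAGS=-mod=vendor
@@ -998,15 +903,6 @@ functions:
 TOPOLOGY="${TOPOLOGY}" \
 MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
 BUILD_TAGS="-tags=cse" \
-AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \
-AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \
-AZURE_TENANT_ID="${cse_azure_tenant_id}" \
-AZURE_CLIENT_ID="${cse_azure_client_id}" \
-AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
-GCP_EMAIL="${cse_gcp_email}" \
-GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
-CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/ca-ec.pem"
-CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/client-ec.pem"
 make evg-test-kmip \
 PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH
@@ -1879,10 +1775,7 @@ tasks:
 TOPOLOGY: "server"
 AUTH: "noauth"
 SSL: "nossl"
-- func: start-kms-mock-server
-vars:
-CERT_FILE: "expired.pem"
-PORT: 8000
+- func: start-cse-servers
 - func: run-kms-tls-test
 vars:
 KMS_TLS_TESTCASE: "INVALID_CERT"
@@ -1898,10 +1791,7 @@ tasks:
 TOPOLOGY: "server"
 AUTH: "noauth"
 SSL: "nossl"
-- func: start-kms-mock-server
-vars:
-CERT_FILE: "wrong-host.pem"
-PORT: 8000
+- func: start-cse-servers
 - func: run-kms-tls-test
 vars:
 KMS_TLS_TESTCASE: "INVALID_HOSTNAME"
@@ -1917,18 +1807,7 @@ tasks:
 TOPOLOGY: "server"
 AUTH: "noauth"
 SSL: "nossl"
-- func: start-kms-mock-server
-vars:
-CERT_FILE: "expired.pem"
-PORT: 8000
-- func: start-kms-mock-server
-vars:
-CERT_FILE: "wrong-host.pem"
-PORT: 8001
-- func: start-kms-mock-server-require-client-cert
-vars:
-CERT_FILE: "server.pem"
-PORT: 8002
+- func: start-cse-servers
 - func: run-kmip-tests
 vars:
 TOPOLOGY: "server"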
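Review bot: The new teardown step only runs `stop_servers.sh`; nothing removes `secrets-export.sh`, the plaintext credential file that `run-kms-tls-test` and `run-kmip-tests` now `source` from `src/go.mongodb.org/mongo-driver`, so the assumed-role AWS credentials and the KMS provider secrets it presumably holds stay on disk in the source tree after the task ends (setup-encryption.sh, which appears to write it, is not in this diff). Adding `rm -f secrets-export.sh` to the cleanup step, run from that working_dir (or as `rm -f "${PROJECT_DIRECTORY}/secrets-export.sh"` if that expansion points at the same tree), and confirming the file is excluded from any artifact upload would close that gap. The unconditional `source ./secrets-export.sh` lines also differ from run-tests.sh, which guards the same source with `[ -f "secrets-export.sh" ]`; a task that omits `start-cse-servers` will fail at the `source` rather than with a clear message, so either reuse the guard or add an explicit `test -f secrets-export.sh || { echo "secrets-export.sh missing; run start-cse-servers first"; exit 1; }`.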

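--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@@ -10,7 +10,7 @@ if [ -z $DRIVERS_TOOLS ]; then
 export DRIVERS_TOOLS="$(dirname $(dirname $(dirname `pwd`)))/drivers-tools"
 fi
 
-if [ "Windows_NT" = "$OS" ]; then
+if [ "Windows_NT" = "${OS:-}" ]; then
 export GOPATH=$(cygpath -m $GOPATH)
 export GOCACHE=$(cygpath -m $GOCACHE)
 export DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS)
@@ -19,8 +19,15 @@ fi
 export GOROOT="${GOROOT}"
 export PATH="${GOROOT}/bin:${GCC_PATH}:$GOPATH/bin:$PATH"
 export PROJECT="${project}"
-export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig
-export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64
+
+if [ "$(uname -s)" = "Darwin" ]; then
+export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib/pkgconfig
+export DYLD_FALLBACK_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib
+else
+export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig
+export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64
+fi
+
 export GOFLAGS=-mod=vendor
 
 SSL=${SSL:-nossl}
@@ -38,33 +45,8 @@ if [ "$SSL" != "nossl" -a -z "${SERVERLESS+x}" ]; then
 fi
 fi
 
-if [ -z ${AWS_ACCESS_KEY_ID+x} ]; then
-export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}"
-export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}"
-fi
-
-# Set temp credentials for AWS if python3 is available.
-#
-# Using python3-venv in Ubuntu 14.04 (an OS required for legacy server version
-# tasks) requires the use of apt-get, which we wish to avoid. So, we do not set
-# a python3 binary on Ubuntu 14.04. Setting AWS temp credentials for legacy
-# server version tasks is unnecessary, as temp credentials are only needed on 4.2+.
-if [ ! -z ${PYTHON3_BINARY} ]; then
-export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
-export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
-export AWS_DEFAULT_REGION="us-east-1"
-${PYTHON3_BINARY} -m venv ./venv
-
-# Set the PYTHON environment variable to point to the active python3 binary. This is used by the
-# set-temp-creds.sh script.
-if [ "Windows_NT" = "$OS" ]; then
-export PYTHON="$(pwd)/venv/Scripts/python"
-else
-export PYTHON="$(pwd)/venv/bin/python"
-fi
-
-./venv/${VENV_BIN_DIR:-bin}/pip3 install boto3
-. ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
+if [ -f "secrets-export.sh" ]; then
+source $(pwd)/secrets-export.sh
 fi
 
 # If GO_BUILD_TAGS is not set, set the default Go build tags to "cse" to enable
@@ -73,6 +55,17 @@ if [ -z ${GO_BUILD_TAGS+x} ]; then
 GO_BUILD_TAGS="cse"
 fi
 
+if [[ $GO_BUILD_TAGS == *"cse"* ]]; then
+if [ "Windows_NT" = "$OS" ]; then
+if [ ! -d /cygdrive/c/libmongocrypt/bin ]; then
+bash $(pwd)/etc/install-libmongocrypt.sh
+fi
+export PATH=$PATH:/cygdrive/c/libmongocrypt/bin
+elif [ ! -d "$PKG_CONFIG_PATH" ]; then
+bash $(pwd)/etc/install-libmongocrypt.sh
+fi
+fi
+
 if [ "${SKIP_CRYPT_SHARED_LIB}" = "true" ]; then
 CRYPT_SHARED_LIB_PATH=""
 echo "crypt_shared library is skipped"
@@ -83,14 +76,6 @@ else
 echo "crypt_shared library will be loaded from path: $CRYPT_SHARED_LIB_PATH"
 fi
 
-CSFLE_TLS_CA_FILE="$(pwd)/testdata/kmip-certs/ca-ec.pem"
-CSFLE_TLS_CERTIFICATE_KEY_FILE="$(pwd)/testdata/kmip-certs/client-ec.pem"
-
-if [ "Windows_NT" = "$OS" ]; then
-CSFLE_TLS_CA_FILE=$(cygpath -m $CSFLE_TLS_CA_FILE)
-CSFLE_TLS_CERTIFICATE_KEY_FILE=$(cygpath -m $CSFLE_TLS_CERTIFICATE_KEY_FILE)
-fi
-
 if [ -z ${MAKEFILE_TARGET+x} ]; then
 if [ "$(uname -s)" = "Darwin" ]; then
 # Run a subset of the tests on Darwin
@@ -110,20 +95,8 @@ MONGODB_URI="${MONGODB_URI}" \
 TOPOLOGY=${TOPOLOGY} \
 MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
 BUILD_TAGS="${RACE} -tags=${GO_BUILD_TAGS}" \
-AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-AWS_DEFAULT_REGION="us-east-1" \
-CSFLE_AWS_TEMP_ACCESS_KEY_ID="$CSFLE_AWS_TEMP_ACCESS_KEY_ID" \
-CSFLE_AWS_TEMP_SECRET_ACCESS_KEY="$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY" \
-CSFLE_AWS_TEMP_SESSION_TOKEN="$CSFLE_AWS_TEMP_SESSION_TOKEN" \
-AZURE_TENANT_ID="${cse_azure_tenant_id}" \
-AZURE_CLIENT_ID="${cse_azure_client_id}" \
-AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
-GCP_EMAIL="${cse_gcp_email}" \
-GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
-CSFLE_TLS_CA_FILE="$CSFLE_TLS_CA_FILE" \
-CSFLE_TLS_CERTIFICATE_KEY_FILE="$CSFLE_TLS_CERTIFICATE_KEY_FILE" \
 CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH \
 PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
 LD_LIBRARY_PATH=$LD_LIBRARY_PATH \
+MACOS_LIBRARY_PATH=$DYLD_FALLBACK_LIBRARY_PATH \
 make $MAKEFILE_TARGET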