diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 8cb9ff977c..c0283e45c3 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -123,7 +123,7 @@ functions: export UPLOAD_BUCKET="$UPLOAD_BUCKET" export PROJECT="$PROJECT" export TMPDIR="$MONGO_ORCHESTRATION_HOME/db" - export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig + export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64 export PATH="$PATH" EOT @@ -299,6 +299,13 @@ functions: # Attempt to shut down a running load balancer. Ignore any errors that happen if the load # balancer is not running. DRIVERS_TOOLS=${DRIVERS_TOOLS} MONGODB_URI=${MONGODB_URI} bash ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop || echo "Ignoring load balancer stop error" + - command: shell.exec + params: + shell: "bash" + script: | + ${PREPARE_SHELL} + # Clean up cse servers + bash ${DRIVERS_TOOLS}/.evergreen/csfle/stop_servers.sh - command: shell.exec params: shell: "bash" @@ -309,6 +316,7 @@ functions: cd - rm -rf $DRIVERS_TOOLS || true + fix-absolute-paths: - command: shell.exec params: 
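Review bot: The new teardown step stops the CSE mock servers but nothing removes the `secrets-export.sh` that the setup step leaves in the driver checkout (later functions in this file `source` it from `src/go.mongodb.org/mongo-driver`), so plaintext AWS/Azure/GCP KMS credentials outlive the task on the host and are one stray `git add` or artifact upload away from leaking. Add `rm -f ${PROJECT_DIRECTORY}/secrets-export.sh || true` next to the existing `rm -rf $DRIVERS_TOOLS || true` cleanup, and make sure the file name is in `.gitignore`. The `stop_servers.sh` call also lacks the `|| echo ...` tolerance that the load-balancer stop just above it has; for tasks that never ran `start-cse-servers` its exit status may be non-zero, and whether that fails teardown depends on the post-task settings not visible here.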
@@ -506,27 +514,7 @@ functions: working_dir: src/go.mongodb.org/mongo-driver script: | ${PREPARE_SHELL} - - # Set temp credentials for AWS. - export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" - export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" - export AWS_DEFAULT_REGION="us-east-1" - - # Set client-side encryption credentials. - export CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/ca-ec.pem" - export CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/client-ec.pem" - - ${PYTHON3_BINARY} -m venv ./venv - ./venv/${VENV_BIN_DIR|bin}/pip3 install boto3 - - # Set the PYTHON environment variable to point to the active python3 binary. This is used by the - # set-temp-creds.sh script. - if [ "Windows_NT" = "$OS" ]; then - export PYTHON="$(pwd)/venv/Scripts/python" - else - export PYTHON="$(pwd)/venv/bin/python" - fi - . ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh + source ./secrets-export.sh if [ "${SKIP_CRYPT_SHARED_LIB}" = "true" ]; then CRYPT_SHARED_LIB_PATH="" @@ -545,17 +533,6 @@ functions: TOPOLOGY="${TOPOLOGY}" \ MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \ BUILD_TAGS="-tags=cse" \ - AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \ - AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \ - AWS_DEFAULT_REGION="us-east-1" \ - CSFLE_AWS_TEMP_ACCESS_KEY_ID="$CSFLE_AWS_TEMP_ACCESS_KEY_ID" \ - CSFLE_AWS_TEMP_SECRET_ACCESS_KEY="$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY" \ - CSFLE_AWS_TEMP_SESSION_TOKEN="$CSFLE_AWS_TEMP_SESSION_TOKEN" \ - AZURE_TENANT_ID="${cse_azure_tenant_id}" \ - AZURE_CLIENT_ID="${cse_azure_client_id}" \ - AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \ - GCP_EMAIL="${cse_gcp_email}" \ - GCP_PRIVATE_KEY="${cse_gcp_private_key}" \ REQUIRE_API_VERSION="${REQUIRE_API_VERSION}" \ CRYPT_SHARED_LIB_PATH="$CRYPT_SHARED_LIB_PATH" \ make evg-test-versioned-api \ 
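Review bot: `source ./secrets-export.sh` runs unconditionally here, whereas `run-tests.sh` in this same change guards the same file with `[ -f secrets-export.sh ]`; if `start-cse-servers` did not run or its background setup failed, this line raises a "No such file" error whose effect depends on whether `${PREPARE_SHELL}` sets `-e`, and otherwise the suite proceeds with empty `FLE_*` credentials and fails later for a misleading reason. Make the precondition explicit before the `source`: `if [ ! -f ./secrets-export.sh ]; then echo "secrets-export.sh missing: run start-cse-servers first" >&2; exit 1; fi`. The same unguarded `source` is repeated in `run-kms-tls-test` and `run-kmip-tests` further down. Since the file carries plaintext cloud KMS credentials into the checkout, it must also be excluded from any artifact upload.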
@@ -867,91 +844,24 @@ functions: export AWS_ROLE_SESSION_NAME="test" ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh web-identity - start-kms-mock-server: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec - params: - shell: "bash" - background: true - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - ./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${CERT_FILE} --port ${PORT} - - start-kms-mock-server-require-client-cert: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec - params: - shell: "bash" - background: true - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - ./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${CERT_FILE} --port ${PORT} --require_client_cert - start-cse-servers: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - - command: shell.exec + - command: ec2.assume_role params: - shell: "bash" - background: true - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - python -u kms_kmip_server.py \ - --port 5698 \ - --ca_file "${PROJECT_DIRECTORY}/testdata/kmip-certs/ca-ec.pem" \ - --cert_file "${PROJECT_DIRECTORY}/testdata/kmip-certs/server-ec.pem" - - - command: shell.exec + role_arn: ${aws_test_secrets_role} + - command: subprocess.exec params: - shell: "bash" + working_dir: src/go.mongodb.org/mongo-driver + binary: bash background: true - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . 
./activate-kmstlsvenv.sh - python bottle.py fake_azure:imds - - - command: shell.exec + include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "DRIVERS_TOOLS"] + args: + - etc/setup-encryption.sh + - command: subprocess.exec params: - script: | - # Ensure mock servers are running before starting tests. - await_server() { - for i in $(seq 300); do - # Exit code 7: "Failed to connect to host". - if curl -s "localhost:$2"; test $? -ne 7; then - return 0 - else - sleep 1 - fi - done - echo "could not detect '$1' server on port $2" - } - # * List servers to await here ... - await_server "KMS", 5698 - await_server "Azure", 8080 - - echo "finished awaiting servers" + working_dir: src/go.mongodb.org/mongo-driver + binary: bash + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/await_servers.sh run-kms-tls-test: - command: shell.exec @@ -961,6 +871,7 @@ functions: working_dir: src/go.mongodb.org/mongo-driver script: | ${PREPARE_SHELL} + source ./secrets-export.sh export KMS_TLS_TESTCASE="${KMS_TLS_TESTCASE}" export GOFLAGS=-mod=vendor @@ -970,13 +881,6 @@ functions: TOPOLOGY="${TOPOLOGY}" \ MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \ BUILD_TAGS="-tags=cse" \ - AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \ - AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \ - AZURE_TENANT_ID="${cse_azure_tenant_id}" \ - AZURE_CLIENT_ID="${cse_azure_client_id}" \ - AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \ - GCP_EMAIL="${cse_gcp_email}" \ - GCP_PRIVATE_KEY="${cse_gcp_private_key}" \ make evg-test-kms \ PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ LD_LIBRARY_PATH=$LD_LIBRARY_PATH @@ -989,6 +893,7 @@ functions: working_dir: src/go.mongodb.org/mongo-driver script: | ${PREPARE_SHELL} + source ./secrets-export.sh export KMS_MOCK_SERVERS_RUNNING="true" export GOFLAGS=-mod=vendor 
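Review bot: `etc/setup-encryption.sh` is launched with `background: true`, so a failure in `setup_secrets.sh` — the step that actually consumes the `ec2.assume_role` credentials passed via `include_expansions_in_env` — is never surfaced to the task; `await_servers.sh` only waits for listeners, and because the script is `set -e` the servers would not start either, so the task dies on the await timeout instead of on the real error. I'd run the secrets fetch as a foreground `subprocess.exec` and keep only the server start in the background, assuming `start_servers.sh` blocks, which I cannot see from here. Passing `AWS_SESSION_TOKEN` and the other expansions through the environment rather than as arguments is the right call, since the script's `set -x` traces command lines only.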
@@ -998,15 +903,6 @@ functions: TOPOLOGY="${TOPOLOGY}" \ MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \ BUILD_TAGS="-tags=cse" \ - AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \ - AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \ - AZURE_TENANT_ID="${cse_azure_tenant_id}" \ - AZURE_CLIENT_ID="${cse_azure_client_id}" \ - AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \ - GCP_EMAIL="${cse_gcp_email}" \ - GCP_PRIVATE_KEY="${cse_gcp_private_key}" \ - CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/ca-ec.pem" - CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/testdata/kmip-certs/client-ec.pem" make evg-test-kmip \ PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ LD_LIBRARY_PATH=$LD_LIBRARY_PATH @@ -1879,10 +1775,7 @@ tasks: TOPOLOGY: "server" AUTH: "noauth" SSL: "nossl" - - func: start-kms-mock-server - vars: - CERT_FILE: "expired.pem" - PORT: 8000 + - func: start-cse-servers - func: run-kms-tls-test vars: KMS_TLS_TESTCASE: "INVALID_CERT" @@ -1898,10 +1791,7 @@ tasks: TOPOLOGY: "server" AUTH: "noauth" SSL: "nossl" - - func: start-kms-mock-server - vars: - CERT_FILE: "wrong-host.pem" - PORT: 8000 + - func: start-cse-servers - func: run-kms-tls-test vars: KMS_TLS_TESTCASE: "INVALID_HOSTNAME" @@ -1917,18 +1807,7 @@ tasks: TOPOLOGY: "server" AUTH: "noauth" SSL: "nossl" - - func: start-kms-mock-server - vars: - CERT_FILE: "expired.pem" - PORT: 8000 - - func: start-kms-mock-server - vars: - CERT_FILE: "wrong-host.pem" - PORT: 8001 - - func: start-kms-mock-server-require-client-cert - vars: - CERT_FILE: "server.pem" - PORT: 8002 + - func: start-cse-servers - func: run-kmip-tests vars: TOPOLOGY: "server" diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh index 4b558bcd7d..07793f8024 100644 --- a/.evergreen/run-tests.sh +++ b/.evergreen/run-tests.sh 
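Review bot: With the three tasks now all calling the same `start-cse-servers`, the mapping from `KMS_TLS_TESTCASE` to the mock server each case talks to — previously visible as `CERT_FILE: "expired.pem"` / `PORT: 8000` — is no longer documented anywhere in this file. A one-line comment on each task, e.g. `# talks to the expired-cert KMS mock on 127.0.0.1:9000 started by start-cse-servers (ports per the CSFLE spec's KMS TLS tests)`, would keep that coupling visible; the port numbers come from the Go test changes in this same commit and should be checked against drivers-tools' `start_servers.sh`.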
@@ -10,7 +10,7 @@ if [ -z $DRIVERS_TOOLS ]; then export DRIVERS_TOOLS="$(dirname $(dirname $(dirname `pwd`)))/drivers-tools" fi -if [ "Windows_NT" = "$OS" ]; then +if [ "Windows_NT" = "${OS:-}" ]; then export GOPATH=$(cygpath -m $GOPATH) export GOCACHE=$(cygpath -m $GOCACHE) export DRIVERS_TOOLS=$(cygpath -m $DRIVERS_TOOLS) @@ -19,8 +19,15 @@ fi export GOROOT="${GOROOT}" export PATH="${GOROOT}/bin:${GCC_PATH}:$GOPATH/bin:$PATH" export PROJECT="${project}" -export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig -export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64 + +if [ "$(uname -s)" = "Darwin" ]; then + export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib/pkgconfig + export DYLD_FALLBACK_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib +else + export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig + export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64 +fi + export GOFLAGS=-mod=vendor SSL=${SSL:-nossl} 
@@ -38,33 +45,8 @@ if [ "$SSL" != "nossl" -a -z "${SERVERLESS+x}" ]; then fi fi -if [ -z ${AWS_ACCESS_KEY_ID+x} ]; then - export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" - export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" -fi - -# Set temp credentials for AWS if python3 is available. -# -# Using python3-venv in Ubuntu 14.04 (an OS required for legacy server version -# tasks) requires the use of apt-get, which we wish to avoid. So, we do not set -# a python3 binary on Ubuntu 14.04. Setting AWS temp credentials for legacy -# server version tasks is unnecessary, as temp credentials are only needed on 4.2+. -if [ ! -z ${PYTHON3_BINARY} ]; then - export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" - export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" - export AWS_DEFAULT_REGION="us-east-1" - ${PYTHON3_BINARY} -m venv ./venv - - # Set the PYTHON environment variable to point to the active python3 binary. This is used by the - # set-temp-creds.sh script. - if [ "Windows_NT" = "$OS" ]; then - export PYTHON="$(pwd)/venv/Scripts/python" - else - export PYTHON="$(pwd)/venv/bin/python" - fi - - ./venv/${VENV_BIN_DIR:-bin}/pip3 install boto3 - . ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh +if [ -f "secrets-export.sh" ]; then + source $(pwd)/secrets-export.sh fi # If GO_BUILD_TAGS is not set, set the default Go build tags to "cse" to enable @@ -73,6 +55,17 @@ if [ -z ${GO_BUILD_TAGS+x} ]; then GO_BUILD_TAGS="cse" fi +if [[ $GO_BUILD_TAGS == *"cse"* ]]; then + if [ "Windows_NT" = "$OS" ]; then + if [ ! -d /cygdrive/c/libmongocrypt/bin ]; then + bash $(pwd)/etc/install-libmongocrypt.sh + fi + export PATH=$PATH:/cygdrive/c/libmongocrypt/bin + elif [ ! -d "$PKG_CONFIG_PATH" ]; then + bash $(pwd)/etc/install-libmongocrypt.sh + fi +fi + if [ "${SKIP_CRYPT_SHARED_LIB}" = "true" ]; then CRYPT_SHARED_LIB_PATH="" echo "crypt_shared library is skipped" 
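Review bot: The new libmongocrypt block tests `"$OS"` while the hunk earlier in this file just changed the identical test to `"${OS:-}"`; use `if [ "Windows_NT" = "${OS:-}" ]; then` here too so the script behaves the same under `set -u`. In the secrets hunk, `source $(pwd)/secrets-export.sh` is unquoted — `source "$(pwd)/secrets-export.sh"` (or simply `. ./secrets-export.sh`, since the `-f` test is already relative) avoids word splitting on paths with spaces, and the same applies to both `bash $(pwd)/etc/install-libmongocrypt.sh` calls. Because that installer fetches a native library that is then loaded into the test process, it is worth confirming it pins a version and verifies a checksum; the script itself is not in this diff.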
@@ -83,14 +76,6 @@ else echo "crypt_shared library will be loaded from path: $CRYPT_SHARED_LIB_PATH" fi -CSFLE_TLS_CA_FILE="$(pwd)/testdata/kmip-certs/ca-ec.pem" -CSFLE_TLS_CERTIFICATE_KEY_FILE="$(pwd)/testdata/kmip-certs/client-ec.pem" - -if [ "Windows_NT" = "$OS" ]; then - CSFLE_TLS_CA_FILE=$(cygpath -m $CSFLE_TLS_CA_FILE) - CSFLE_TLS_CERTIFICATE_KEY_FILE=$(cygpath -m $CSFLE_TLS_CERTIFICATE_KEY_FILE) -fi - if [ -z ${MAKEFILE_TARGET+x} ]; then if [ "$(uname -s)" = "Darwin" ]; then # Run a subset of the tests on Darwin @@ -110,20 +95,8 @@ MONGODB_URI="${MONGODB_URI}" \ TOPOLOGY=${TOPOLOGY} \ MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \ BUILD_TAGS="${RACE} -tags=${GO_BUILD_TAGS}" \ -AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ -AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ -AWS_DEFAULT_REGION="us-east-1" \ -CSFLE_AWS_TEMP_ACCESS_KEY_ID="$CSFLE_AWS_TEMP_ACCESS_KEY_ID" \ -CSFLE_AWS_TEMP_SECRET_ACCESS_KEY="$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY" \ -CSFLE_AWS_TEMP_SESSION_TOKEN="$CSFLE_AWS_TEMP_SESSION_TOKEN" \ -AZURE_TENANT_ID="${cse_azure_tenant_id}" \ -AZURE_CLIENT_ID="${cse_azure_client_id}" \ -AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \ -GCP_EMAIL="${cse_gcp_email}" \ -GCP_PRIVATE_KEY="${cse_gcp_private_key}" \ -CSFLE_TLS_CA_FILE="$CSFLE_TLS_CA_FILE" \ -CSFLE_TLS_CERTIFICATE_KEY_FILE="$CSFLE_TLS_CERTIFICATE_KEY_FILE" \ CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH \ PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ LD_LIBRARY_PATH=$LD_LIBRARY_PATH \ +MACOS_LIBRARY_PATH=$DYLD_FALLBACK_LIBRARY_PATH \ make $MAKEFILE_TARGET diff --git a/Makefile b/Makefile index 67c57d11af..2c21ef0fa9 100644 --- a/Makefile +++ b/Makefile 
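Review bot: `MACOS_LIBRARY_PATH` is fed from `DYLD_FALLBACK_LIBRARY_PATH`, but the Makefile in this same change injects it as `DYLD_LIBRARY_PATH`, which dyld searches before the path embedded in the binary, whereas the fallback variant is tried only after; the indirection therefore changes which libmongocrypt wins if one is also installed system-wide. Pick one variable and name the pass-through after it — either `export DYLD_LIBRARY_PATH=...` in the Darwin branch above, or `DYLD_FALLBACK_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)` in the Makefile. The removed `cygpath -m` conversion of the `CSFLE_TLS_*` paths has no replacement in this diff; whether Windows hosts still get native paths now depends on `setup_secrets.sh`, which is not visible here.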
@@ -121,7 +121,7 @@ build-aws-ecs-test: .PHONY: evg-test evg-test: - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s -p 1 ./... >> test.suite + go test -exec "env PKG_CONFIG_PATH=${PKG_CONFIG_PATH} LD_LIBRARY_PATH=${LD_LIBRARY_PATH} DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)}" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s -p 1 ./... >> test.suite .PHONY: evg-test-atlas-data-lake evg-test-atlas-data-lake: 
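Review bot: The new `evg-test` recipe has a stray `}` after `$(MACOS_LIBRARY_PATH)`, so the test binary is launched with `DYLD_LIBRARY_PATH=<path>}`; Linux ignores the variable, but on macOS the directory name is wrong and libmongocrypt will not be found. It also switches to `${PKG_CONFIG_PATH}`/`${LD_LIBRARY_PATH}` while every other target in this file keeps `$(...)` — Make treats them identically, but mixing the two forms is how this brace slipped in. Suggested line: `go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s -p 1 ./... >> test.suite`.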
@@ -134,15 +134,15 @@ evg-test-enterprise-auth: .PHONY: evg-test-kmip evg-test-kmip: - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec/kmipKMS >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/data_key_and_double_encryption >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/corpus >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/custom_endpoint >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/kms_tls_options_test >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec/kmipKMS >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/data_key_and_double_encryption >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/corpus >> test.suite + go test -exec "env 
PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/custom_endpoint >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/kms_tls_options_test >> test.suite .PHONY: evg-test-kms evg-test-kms: - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/kms_tls_tests >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/kms_tls_tests >> test.suite .PHONY: evg-test-load-balancers evg-test-load-balancers: 
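Review bot: The same `env PKG_CONFIG_PATH=... LD_LIBRARY_PATH=... DYLD_LIBRARY_PATH=...` string is now repeated verbatim in every `-exec` of `evg-test-kmip`, `evg-test-kms` and the other targets touched here, which is exactly how the stray brace in `evg-test` went unnoticed. Define it once near the top of the Makefile, `TEST_EXEC_ENV = env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)`, and write each recipe as `go test -exec "$(TEST_EXEC_ENV)" $(BUILD_TAGS) ...`.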
@@ -185,15 +185,15 @@ evg-test-serverless: go test $(BUILD_TAGS) ./mongo/integration -run TestConvenientTransactions -v -timeout $(TEST_TIMEOUT)s >> test.suite go test $(BUILD_TAGS) ./mongo/integration -run TestCursor -v -timeout $(TEST_TIMEOUT)s >> test.suite go test $(BUILD_TAGS) ./mongo/integration/unified -run TestUnifiedSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse >> test.suite .PHONY: evg-test-versioned-api evg-test-versioned-api: # Versioned API related tests are in the mongo, integration and unified packages. 
- go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration/unified >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration >> test.suite + go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration/unified >> test.suite .PHONY: build-kms-test build-kms-test: diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 6d0816eea6..990f58b2a6 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md 
@@ -152,6 +152,18 @@ The usage of host.docker.internal comes from the [Docker networking documentatio There is currently no arm64 support for the go1.x runtime, see [here](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). Known issues running on linux/arm64 include the inability to network with the localhost from the public.ecr.aws/lambda/go Docker image. +### Encryption Tests + +Most of the tests requiring `libmongocrypt` can be run using the Docker workflow. + +However, some of the tests require secrets handling. Please see the team [Wiki](https://wiki.corp.mongodb.com/pages/viewpage.action?spaceKey=DRIVERS&title=Testing+CSFLE) for more information. + +The test suite can be run with or without the secrets as follows: + +```bash +MAKEFILE_TARGET=evg-test-versioned-api bash .evergreen/run-tests.sh +``` + ### Load Balancer To launch the load balancer on MacOS, run the following. diff --git a/etc/setup-encryption.sh b/etc/setup-encryption.sh new file mode 100644 index 0000000000..8a049415f1 --- /dev/null +++ b/etc/setup-encryption.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# +# Script to set up encryption assets and servers. +set -eux + +if [ -z "$DRIVERS_TOOLS" ]; then + echo "Please define DRIVERS_TOOLS variable" + exit 1 +fi + +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +PARENT_DIR=$(dirname $SCRIPT_DIR) + +# Handle the secrets +export CSFLE_TLS_CA_FILE="${PARENT_DIR}/testdata/kmip-certs/ca-ec.pem" +export CSFLE_TLS_CERT_FILE="${PARENT_DIR}/testdata/kmip-certs/server-ec.pem" +export CSFLE_TLS_CLIENT_CERT_FILE="${PARENT_DIR}/testdata/kmip-certs/client-ec.pem" + +bash $DRIVERS_TOOLS/.evergreen/csfle/setup_secrets.sh +bash $DRIVERS_TOOLS/.evergreen/csfle/start_servers.sh diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go index b157767d2d..4820556004 100644 --- a/mongo/integration/client_side_encryption_prose_test.go 
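Review bot: In `etc/setup-encryption.sh` the `[ -z "$DRIVERS_TOOLS" ]` guard never prints its message when the variable is unset, because `set -u` aborts with an unbound-variable error first; write `if [ -z "${DRIVERS_TOOLS:-}" ]; then`. `PARENT_DIR=$(dirname $SCRIPT_DIR)` and the two `bash $DRIVERS_TOOLS/...` lines should quote their expansions. The exported `CSFLE_TLS_*` values are POSIX paths derived from `pwd`; on the Windows hosts in config.yml the Go test binary needs native paths, which the old `run-tests.sh` produced with `cygpath -m` and this script does not — whether `setup_secrets.sh` converts them before writing `secrets-export.sh` is not visible here. `set -x` is safe for the assumed-role credentials because they arrive through the environment, but any future `source` of a secrets file inside this script would trace them into the task log.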
+++ b/mongo/integration/client_side_encryption_prose_test.go @@ -1392,7 +1392,8 @@ func TestClientSideEncryptionProse(t *testing.T) { } }) - // These tests only run when a KMS mock server is running on localhost:8000. + // These tests only run when 3 KMS HTTP servers and 1 KMS KMIP server are running. See specification for port numbers and necessary arguments: + // https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.rst#kms-tls-options-tests mt.RunOpts("10. kms tls tests", noClientOpts, func(mt *mtest.T) { kmsTlsTestcase := os.Getenv("KMS_TLS_TESTCASE") if kmsTlsTestcase == "" { @@ -1401,16 +1402,19 @@ func TestClientSideEncryptionProse(t *testing.T) { testcases := []struct { name string + port int envValue string errMessage string }{ { "invalid certificate", + 9000, "INVALID_CERT", "expired", }, { "invalid hostname", + 9001, "INVALID_HOSTNAME", "SANs", }, @@ -1433,7 +1437,7 @@ func TestClientSideEncryptionProse(t *testing.T) { bson.D{ {"region", "us-east-1"}, {"key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"}, - {"endpoint", "127.0.0.1:8000"}, + {"endpoint", fmt.Sprintf("127.0.0.1:%d", tc.port)}, }, )) assert.NotNil(mt, err, "expected CreateDataKey error, got nil") @@ -1458,12 +1462,12 @@ func TestClientSideEncryptionProse(t *testing.T) { "tenantId": azureTenantID, "clientId": azureClientID, "clientSecret": azureClientSecret, - "identityPlatformEndpoint": "127.0.0.1:8002", + "identityPlatformEndpoint": "127.0.0.1:9002", }, "gcp": { "email": gcpEmail, "privateKey": gcpPrivateKey, - "endpoint": "127.0.0.1:8002", + "endpoint": "127.0.0.1:9002", }, "kmip": { "endpoint": "127.0.0.1:5698", 
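Review bot: The mock-server ports 9000/9001/9002 now appear as bare literals in a dozen places across this test, and nothing in the code says which server (expired certificate, wrong hostname, client-cert-required) sits on which port beyond the spec link in the comment. A small constant block — `const kmsExpiredCertPort = 9000`, `const kmsWrongHostPort = 9001`, `const kmsClientCertPort = 9002` — used in the table's `port` field and the endpoint strings (e.g. `fmt.Sprintf("127.0.0.1:%d", kmsWrongHostPort)`) would make each case self-explanatory and give one place to change when drivers-tools moves them. The 9002-to-client-cert mapping is inferred from the `awsMasterKeyNoClientCert`/`awsMasterKeyWithTLS` names later in the diff, so confirm it against `start_servers.sh`. `TestClientSideEncryptionProse` begins outside this hunk.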
@@ -1479,15 +1483,15 @@ func TestClientSideEncryptionProse(t *testing.T) { "tenantId": azureTenantID, "clientId": azureClientID, "clientSecret": azureClientSecret, - "identityPlatformEndpoint": "127.0.0.1:8000", + "identityPlatformEndpoint": "127.0.0.1:9000", }, "gcp": { "email": gcpEmail, "privateKey": gcpPrivateKey, - "endpoint": "127.0.0.1:8000", + "endpoint": "127.0.0.1:9000", }, "kmip": { - "endpoint": "127.0.0.1:8000", + "endpoint": "127.0.0.1:9000", }, } @@ -1500,15 +1504,15 @@ func TestClientSideEncryptionProse(t *testing.T) { "tenantId": azureTenantID, "clientId": azureClientID, "clientSecret": azureClientSecret, - "identityPlatformEndpoint": "127.0.0.1:8001", + "identityPlatformEndpoint": "127.0.0.1:9001", }, "gcp": { "email": gcpEmail, "privateKey": gcpPrivateKey, - "endpoint": "127.0.0.1:8001", + "endpoint": "127.0.0.1:9001", }, "kmip": { - "endpoint": "127.0.0.1:8001", + "endpoint": "127.0.0.1:9001", }, } @@ -1566,22 +1570,22 @@ func TestClientSideEncryptionProse(t *testing.T) { awsMasterKeyNoClientCert := map[string]interface{}{ "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:8002", + "endpoint": "127.0.0.1:9002", } awsMasterKeyWithTLS := map[string]interface{}{ "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:8002", + "endpoint": "127.0.0.1:9002", } awsMasterKeyExpired := map[string]interface{}{ "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:8000", + "endpoint": "127.0.0.1:9000", } awsMasterKeyInvalidHostname := map[string]interface{}{ "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "127.0.0.1:8001", + "endpoint": "127.0.0.1:9001", } azureMasterKey := map[string]interface{}{ "keyVaultEndpoint": "doesnotexist.local", 
diff --git a/mongo/integration/json_helpers_test.go b/mongo/integration/json_helpers_test.go index 8ddc2b6867..463d1e54dc 100644 --- a/mongo/integration/json_helpers_test.go +++ b/mongo/integration/json_helpers_test.go @@ -28,18 +28,18 @@ import ( ) var ( - awsAccessKeyID = os.Getenv("AWS_ACCESS_KEY_ID") - awsSecretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY") + awsAccessKeyID = os.Getenv("FLE_AWS_KEY") + awsSecretAccessKey = os.Getenv("FLE_AWS_SECRET") awsTempAccessKeyID = os.Getenv("CSFLE_AWS_TEMP_ACCESS_KEY_ID") awsTempSecretAccessKey = os.Getenv("CSFLE_AWS_TEMP_SECRET_ACCESS_KEY") awsTempSessionToken = os.Getenv("CSFLE_AWS_TEMP_SESSION_TOKEN") - azureTenantID = os.Getenv("AZURE_TENANT_ID") - azureClientID = os.Getenv("AZURE_CLIENT_ID") - azureClientSecret = os.Getenv("AZURE_CLIENT_SECRET") - gcpEmail = os.Getenv("GCP_EMAIL") - gcpPrivateKey = os.Getenv("GCP_PRIVATE_KEY") + azureTenantID = os.Getenv("FLE_AZURE_TENANTID") + azureClientID = os.Getenv("FLE_AZURE_CLIENTID") + azureClientSecret = os.Getenv("FLE_AZURE_CLIENTSECRET") + gcpEmail = os.Getenv("FLE_GCP_EMAIL") + gcpPrivateKey = os.Getenv("FLE_GCP_PRIVATEKEY") tlsCAFileKMIP = os.Getenv("CSFLE_TLS_CA_FILE") - tlsClientCertificateKeyFileKMIP = os.Getenv("CSFLE_TLS_CERTIFICATE_KEY_FILE") + tlsClientCertificateKeyFileKMIP = os.Getenv("CSFLE_TLS_CLIENT_CERT_FILE") ) // Helper functions to do read JSON spec test files and convert JSON objects into the appropriate driver types. diff --git a/mongo/integration/unified/entity.go b/mongo/integration/unified/entity.go index 19c6952ef6..0ae9fc006f 100644 --- a/mongo/integration/unified/entity.go +++ b/mongo/integration/unified/entity.go @@ -31,7 +31,7 @@ var ( var ( tlsCAFile = os.Getenv("CSFLE_TLS_CA_FILE") - tlsClientCertificateKeyFile = os.Getenv("CSFLE_TLS_CERTIFICATE_KEY_FILE") + tlsClientCertificateKeyFile = os.Getenv("CSFLE_TLS_CLIENT_CERT_FILE") ) type storeEventsAsEntitiesConfig struct { 
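Review bot: The renamed variables carry no comment about where `FLE_AWS_KEY` and friends come from, and the choice is security-relevant: `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are now occupied by the `ec2.assume_role` credentials in config.yml, so the `FLE_*` names keep the CI role's STS credentials from being picked up as KMS credentials and vice versa. I'd add above the `var (` block: `// KMS provider credentials for the CSFLE tests, as exported by the secrets-export.sh that drivers-tools' setup_secrets.sh writes. The FLE_* names are deliberately distinct from AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, which the Evergreen config reserves for the assume-role credentials used only to fetch the secrets.` The `tlsCAFile`/`tlsClientCertificateKeyFile` pair in `entity.go` in the second hunk deserves the same note, since those paths also come from that file.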
@@ -557,7 +557,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err kmsProviders["aws"]["secretAccessKey"] = awsSecretAccessKey } } else { - awsAccessKeyID, err := getKmsCredential(aws, "accessKeyId", "AWS_ACCESS_KEY_ID", "") + awsAccessKeyID, err := getKmsCredential(aws, "accessKeyId", "FLE_AWS_KEY", "") if err != nil { return err } @@ -565,7 +565,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err kmsProviders["aws"]["accessKeyId"] = awsAccessKeyID } - awsSecretAccessKey, err := getKmsCredential(aws, "secretAccessKey", "AWS_SECRET_ACCESS_KEY", "") + awsSecretAccessKey, err := getKmsCredential(aws, "secretAccessKey", "FLE_AWS_SECRET", "") if err != nil { return err } @@ -579,7 +579,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err if azure, ok := ceo.KmsProviders["azure"]; ok { kmsProviders["azure"] = make(map[string]interface{}) - azureTenantID, err := getKmsCredential(azure, "tenantId", "AZURE_TENANT_ID", "") + azureTenantID, err := getKmsCredential(azure, "tenantId", "FLE_AZURE_TENANTID", "") if err != nil { return err } @@ -587,7 +587,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err kmsProviders["azure"]["tenantId"] = azureTenantID } - azureClientID, err := getKmsCredential(azure, "clientId", "AZURE_CLIENT_ID", "") + azureClientID, err := getKmsCredential(azure, "clientId", "FLE_AZURE_CLIENTID", "") if err != nil { return err } @@ -595,7 +595,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err kmsProviders["azure"]["clientId"] = azureClientID } - azureClientSecret, err := getKmsCredential(azure, "clientSecret", "AZURE_CLIENT_SECRET", "") + azureClientSecret, err := getKmsCredential(azure, "clientSecret", "FLE_AZURE_CLIENTSECRET", "") if err != nil { return err } 
@@ -607,7 +607,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err if gcp, ok := ceo.KmsProviders["gcp"]; ok { kmsProviders["gcp"] = make(map[string]interface{}) - gcpEmail, err := getKmsCredential(gcp, "email", "GCP_EMAIL", "") + gcpEmail, err := getKmsCredential(gcp, "email", "FLE_GCP_EMAIL", "") if err != nil { return err } @@ -615,7 +615,7 @@ func (em *EntityMap) addClientEncryptionEntity(entityOptions *entityOptions) err kmsProviders["gcp"]["email"] = gcpEmail } - gcpPrivateKey, err := getKmsCredential(gcp, "privateKey", "GCP_PRIVATE_KEY", "") + gcpPrivateKey, err := getKmsCredential(gcp, "privateKey", "FLE_GCP_PRIVATEKEY", "") if err != nil { return err }