From 599605092406a8ed76be11b97099dc61ff89d0d8 Mon Sep 17 00:00:00 2001 From: Oleksandr Poliakov Date: Thu, 14 Nov 2024 08:53:07 -0800 Subject: [PATCH 1/5] CSHARP-4741: Use AWS Secrets Manager for Evergreen Test Secrets --- evergreen/evergreen.yml | 320 ++++++------------ evergreen/run-tests.sh | 5 + evergreen/set-temp-fle-aws-creds.sh | 18 +- .../EncryptionTestHelper.cs | 28 +- .../prose-tests/ClientEncryptionProseTests.cs | 6 +- 5 files changed, 145 insertions(+), 232 deletions(-) diff --git a/evergreen/evergreen.yml b/evergreen/evergreen.yml index 94c6cddffa8..e9fc37dd843 100644 --- a/evergreen/evergreen.yml +++ b/evergreen/evergreen.yml @@ -353,19 +353,9 @@ functions: type: test params: working_dir: mongo-csharp-driver - include_expansions_in_env: - - "FLE_AWS_ACCESS_KEY_ID" - - "FLE_AWS_SECRET_ACCESS_KEY" - - "FLE_AWS_NAMED2_ACCESS_KEY_ID" - - "FLE_AWS_NAMED2_SECRET_ACCESS_KEY" - - "FLE_AZURE_TENANT_ID" - - "FLE_AZURE_CLIENT_ID" - - "FLE_AZURE_CLIENT_SECRET" - - "FLE_GCP_EMAIL" - - "FLE_GCP_PRIVATE_KEY" script: | . ./evergreen/set-virtualenv.sh - . ./evergreen/set-temp-fle-aws-creds.sh + DRIVERS_TOOLS=${DRIVERS_TOOLS} . ./evergreen/set-temp-fle-aws-creds.sh ${PREPARE_SHELL} OS=${OS} \ evergreen/add-ca-certs.sh @@ -390,16 +380,6 @@ functions: params: working_dir: "mongo-csharp-driver" shell: "bash" - include_expansions_in_env: - - "FLE_AWS_ACCESS_KEY_ID" - - "FLE_AWS_SECRET_ACCESS_KEY" - - "FLE_AWS_NAMED2_ACCESS_KEY_ID" - - "FLE_AWS_NAMED2_SECRET_ACCESS_KEY" - - "FLE_AZURE_TENANT_ID" - - "FLE_AZURE_CLIENT_ID" - - "FLE_AZURE_CLIENT_SECRET" - - "FLE_GCP_EMAIL" - - "FLE_GCP_PRIVATE_KEY" script: | export KMS_MOCK_SERVERS_ENABLED=true export GCE_METADATA_HOST="localhost:5000" 
@@ -426,19 +406,9 @@ functions: params: working_dir: mongo-csharp-driver shell: "bash" - include_expansions_in_env: - - "FLE_AWS_ACCESS_KEY_ID" - - "FLE_AWS_SECRET_ACCESS_KEY" - - "FLE_AWS_NAMED2_ACCESS_KEY_ID" - - "FLE_AWS_NAMED2_SECRET_ACCESS_KEY" - - "FLE_AZURE_TENANT_ID" - - "FLE_AZURE_CLIENT_ID" - - "FLE_AZURE_CLIENT_SECRET" - - "FLE_GCP_EMAIL" - - "FLE_GCP_PRIVATE_KEY" script: | . ./evergreen/set-virtualenv.sh - . ./evergreen/set-temp-fle-aws-creds.sh + DRIVERS_TOOLS=${DRIVERS_TOOLS} . ./evergreen/set-temp-fle-aws-creds.sh ${PREPARE_SHELL} OS=${OS} \ evergreen/add-ca-certs.sh @@ -783,16 +753,6 @@ functions: type: test params: working_dir: mongo-csharp-driver - include_expansions_in_env: - - "FLE_AWS_ACCESS_KEY_ID" - - "FLE_AWS_SECRET_ACCESS_KEY" - - "FLE_AWS_NAMED2_ACCESS_KEY_ID" - - "FLE_AWS_NAMED2_SECRET_ACCESS_KEY" - - "FLE_AZURE_TENANT_ID" - - "FLE_AZURE_CLIENT_ID" - - "FLE_AZURE_CLIENT_SECRET" - - "FLE_GCP_EMAIL" - - "FLE_GCP_PRIVATE_KEY" script: | ${PREPARE_SHELL} AUTH=${AUTH} \ 
@@ -834,96 +794,34 @@ functions: git clone https://github.com/microsoft/semantic-kernel.git ./evergreen/run-sk.sh - start-kms-mock-servers: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec - params: - background: true - shell: "bash" - script: | - #expired client cert - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - python -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 - - command: shell.exec - params: - background: true - shell: "bash" - script: | - #wrong-host client cert - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - python -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 - - command: shell.exec - params: - background: true - shell: "bash" - script: | - #server.pem client cert - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - python -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 8002 --require_client_cert - - start-kms-mock-kmip-server: - - command: shell.exec + setup-csfle-secrets: + - command: ec2.assume_role params: - shell: "bash" - script: | - ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec + role_arn: ${aws_test_secrets_role} + - command: subprocess.exec params: - shell: "bash" - background: true - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . 
./activate-kmstlsvenv.sh - python -u kms_kmip_server.py + working_dir: mongo-csharp-driver + binary: bash + include_expansions_in_env: + - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" + - "AWS_SESSION_TOKEN" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh - start-kms-mock-gcp-server: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec + start-cse-servers: + - command: subprocess.exec params: + working_dir: mongo-csharp-driver + binary: bash background: true - shell: "bash" - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms - . ./activate-kmstlsvenv.sh - python -m pip install PyJWT - mkdir ${DRIVERS_TOOLS}/tmp - echo '${GOOGLE_APPLICATION_CREDENTIALS_CONTENT}' > ${DRIVERS_TOOLS}/tmp/testgcpkms_key_file.json - export GOOGLE_APPLICATION_CREDENTIALS=${DRIVERS_TOOLS}/tmp/testgcpkms_key_file.json - python -u mock_server.py - - start-kms-mock-azure-imds-server: - - command: shell.exec - params: - shell: "bash" - script: | - ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - - command: shell.exec + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/start-servers.sh + - command: subprocess.exec params: - background: true - shell: "bash" - script: | - cd ${DRIVERS_TOOLS}/.evergreen/csfle - . ./activate-kmstlsvenv.sh - python bottle.py fake_azure:imds + binary: bash + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/await-servers.sh trace-artifacts: - command: papertrail.trace @@ -1158,6 +1056,7 @@ post: tasks: - name: test-net472 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-tests vars: @@ -1165,6 +1064,7 @@ tasks: - name: test-netstandard21 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-tests vars: 
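Review bot: The credentials that `setup-secrets.sh` fetches under the assumed-role session end up on disk in `${DRIVERS_TOOLS}/.evergreen/csfle/secrets-export.sh` (the file that run-tests.sh and set-temp-fle-aws-creds.sh source later in this series), and nothing in `setup-csfle-secrets` removes it afterwards; the task-level `post:` section is only visible here as hunk-header context, so I cannot tell whether it does either. I'd add a cleanup there, e.g. `rm -f ${DRIVERS_TOOLS}/.evergreen/csfle/secrets-export.sh`, and confirm that no artifact-upload step globs the DRIVERS_TOOLS tree. The `start-cse-servers` sequence itself looks right: `start-servers.sh` is backgrounded and `await-servers.sh` then blocks in the foreground, which is tidier than the four unsynchronised background mock servers it replaces.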
@@ -1172,6 +1072,7 @@ tasks: - name: test-net60 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-tests vars: @@ -1179,6 +1080,7 @@ tasks: - name: test-csfle-with-mongocryptd-net472 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-csfle-with-mongocryptd-tests vars: @@ -1186,6 +1088,7 @@ tasks: - name: test-csfle-with-mongocryptd-netstandard21 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-csfle-with-mongocryptd-tests vars: @@ -1193,6 +1096,7 @@ tasks: - name: test-csfle-with-mongocryptd-net60 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration - func: run-csfle-with-mongocryptd-tests vars: @@ -1200,10 +1104,8 @@ tasks: - name: test-csfle-with-mocked-kms-tls-net472 commands: - - func: start-kms-mock-servers - - func: start-kms-mock-kmip-server - - func: start-kms-mock-gcp-server - - func: start-kms-mock-azure-imds-server + - func: setup-csfle-secrets + - func: start-cse-servers - func: bootstrap-mongo-orchestration - func: run-csfle-with-mocked-kms-tests vars: @@ -1211,10 +1113,8 @@ tasks: - name: test-csfle-with-mocked-kms-tls-netstandard21 commands: - - func: start-kms-mock-servers - - func: start-kms-mock-kmip-server - - func: start-kms-mock-gcp-server - - func: start-kms-mock-azure-imds-server + - func: setup-csfle-secrets + - func: start-cse-servers - func: bootstrap-mongo-orchestration - func: run-csfle-with-mocked-kms-tests vars: @@ -1222,10 +1122,8 @@ tasks: - name: test-csfle-with-mocked-kms-tls-net60 commands: - - func: start-kms-mock-servers - - func: start-kms-mock-kmip-server - - func: start-kms-mock-gcp-server - - func: start-kms-mock-azure-imds-server + - func: setup-csfle-secrets + - func: start-cse-servers - func: bootstrap-mongo-orchestration - func: run-csfle-with-mocked-kms-tests vars: 
@@ -1304,6 +1202,7 @@ tasks: - name: stable-api-tests-net472 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration vars: REQUIRE_API_VERSION: true @@ -1314,6 +1213,7 @@ tasks: - name: stable-api-tests-netstandard21 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration vars: REQUIRE_API_VERSION: true @@ -1324,6 +1224,7 @@ tasks: - name: stable-api-tests-net60 commands: + - func: setup-csfle-secrets - func: bootstrap-mongo-orchestration vars: REQUIRE_API_VERSION: true @@ -1389,6 +1290,7 @@ tasks: - name: test-serverless exec_timeout_secs: 2700 # 45 minutes: 15 for setup + 30 for tests commands: + - func: setup-csfle-secrets - func: run-serverless-tests - name: test-ocsp-rsa-valid-cert-server-staples-ca-responder 
@@ -2122,28 +2024,25 @@ task_groups: - func: fix-absolute-paths - func: init-test-results - func: make-files-executable - - command: shell.exec + - func: assume-ec2-role + - command: subprocess.exec params: - shell: "bash" - silent: true + binary: bash + include_expansions_in_env: + - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" + - "AWS_SESSION_TOKEN" env: - AZUREKMS_CLIENTID : ${testazurekms_clientid} - AZUREKMS_TENANTID : ${testazurekms_tenantid} - AZUREKMS_SECRET= : ${testazurekms_secret} - AZUREKMS_RESOURCEGROUP: ${testazurekms_resourcegroup} - AZUREKMS_SCOPE : ${testazurekms_scope} - script: | - ${PREPARE_SHELL} - echo '${testazurekms_publickey}' > /tmp/testazurekms_publickey - echo '${testazurekms_privatekey}' > /tmp/testazurekms_privatekey - # Set 600 permissions on private key file. Otherwise ssh / scp may error with permissions "are too open". - chmod 600 /tmp/testazurekms_privatekey - - export AZUREKMS_DRIVERS_TOOLS=$DRIVERS_TOOLS - export AZUREKMS_PUBLICKEYPATH=/tmp/testazurekms_publickey - export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey - export AZUREKMS_VMNAME_PREFIX=CSHARPDRIVER - $DRIVERS_TOOLS/.evergreen/csfle/azurekms/create-and-setup-vm.sh + VAULT_NAME: "azurekms" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/setup-secrets.sh + - command: subprocess.exec + params: + binary: bash + env: + AZUREKMS_VMNAME_PREFIX: "CSHARPDRIVER" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/create-and-setup-vm.sh - command: expansions.update params: file: testazurekms-expansions.yml 
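Review bot: The `silent: true` that the old `shell.exec` step carried is gone from the new `subprocess.exec` that runs `azurekms/setup-secrets.sh` with the assumed-role credentials in its environment. Whether that script prints any of the values it retrieves is not visible from this hunk, so unless it is known to be quiet I'd add `silent: true` under that command's `params:` so the Evergreen log cannot capture key material; the same consideration applies to the gcpkms and atlas setup steps later in this patch. Note also that the old step passed `AZUREKMS_RESOURCEGROUP` and `AZUREKMS_SCOPE` from project expansions, whereas the new `create-and-setup-vm.sh` step sets only `AZUREKMS_VMNAME_PREFIX`, so it presumably relies on the script sourcing `secrets-export.sh` itself — worth confirming before merging.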
@@ -2153,15 +2052,13 @@ task_groups: - command: expansions.update params: file: testazurekms-expansions.yml - - command: shell.exec + - command: subprocess.exec params: - shell: "bash" + binary: bash env: - AZUREKMS_VMNAME : ${AZUREKMS_VMNAME} - AZUREKMS_RESOURCEGROUP : ${testazurekms_resourcegroup} - script: | - ${PREPARE_SHELL} - $DRIVERS_TOOLS/.evergreen/csfle/azurekms/delete-vm.sh + AZUREKMS_VMNAME: ${AZUREKMS_VMNAME} + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh tasks: - test-csfle-with-azure-kms 
@@ -2175,35 +2072,40 @@ task_groups: - func: fix-absolute-paths - func: init-test-results - func: make-files-executable - - command: shell.exec + - func: assume-ec2-role + - command: subprocess.exec params: - shell: "bash" - silent: true + binary: bash include_expansions_in_env: - - "GCPKMS_SERVICEACCOUNT" - script: | - ${PREPARE_SHELL} - echo '${GOOGLE_APPLICATION_CREDENTIALS_CONTENT}' > /tmp/testgcpkms_key_file.json - export GCPKMS_KEYFILE=/tmp/testgcpkms_key_file.json - export GCPKMS_DRIVERS_TOOLS=$DRIVERS_TOOLS - export GCPKMS_MACHINETYPE="e2-standard-4" - $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/create-and-setup-instance.sh - # Load the GCPKMS_GCLOUD, GCPKMS_INSTANCE, GCPKMS_REGION, and GCPKMS_ZONE expansions. + - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" + - "AWS_SESSION_TOKEN" + env: + VAULT_NAME: "gcpkms" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms/setup-secrets.sh + - command: subprocess.exec + params: + binary: bash + include_expansions_in_env: + - "DRIVERS_TOOLS" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms/create-and-setup-instance.sh - command: expansions.update params: file: testgcpkms-expansions.yml teardown_group: - func: upload-test-results - - command: shell.exec + - command: subprocess.exec params: - shell: "bash" - script: | - ${PREPARE_SHELL} - export GCPKMS_GCLOUD=${GCPKMS_GCLOUD} - export GCPKMS_PROJECT=${GCPKMS_PROJECT} - export GCPKMS_ZONE=${GCPKMS_ZONE} - export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME} - $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/delete-instance.sh + binary: bash + include_expansions_in_env: + - "GCPKMS_GCLOUD" + - "GCPKMS_PROJECT" + - "GCPKMS_ZONE" + - "GCPKMS_INSTANCENAME" + args: + - ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms/delete-instance.sh tasks: - test-csfle-with-gcp-kms 
@@ -2216,39 +2118,37 @@ task_groups: - func: fix-absolute-paths - func: init-test-results - func: make-files-executable - - command: shell.exec + - func: assume-ec2-role + - command: subprocess.exec params: + binary: bash + include_expansions_in_env: + - "AWS_ACCESS_KEY_ID" + - "AWS_SECRET_ACCESS_KEY" + - "AWS_SESSION_TOKEN" env: - DRIVERS_ATLAS_PUBLIC_API_KEY: "${DRIVERS_ATLAS_PUBLIC_API_KEY}" - DRIVERS_ATLAS_PRIVATE_API_KEY: "${DRIVERS_ATLAS_PRIVATE_API_KEY}" - DRIVERS_ATLAS_GROUP_ID: "${DRIVERS_ATLAS_GROUP_ID}" - DRIVERS_ATLAS_LAMBDA_USER: "${DRIVERS_ATLAS_LAMBDA_USER}" - DRIVERS_ATLAS_LAMBDA_PASSWORD: "${DRIVERS_ATLAS_LAMBDA_PASSWORD}" - LAMBDA_STACK_NAME: "${LAMBDA_STACK_NAME}" - add_expansions_to_env: true - shell: "bash" - script: | - ${PREPARE_SHELL} - $DRIVERS_TOOLS/.evergreen/atlas/setup-atlas-cluster.sh + VAULT_NAME: "atlas" + args: + - ${DRIVERS_TOOLS}/.evergreen/atlas/setup-secrets.sh + - command: subprocess.exec + params: + binary: bash + env: + LAMBDA_STACK_NAME: dbx-csharp-lambda + args: + - ${DRIVERS_TOOLS}/.evergreen/atlas/setup-atlas-cluster.sh - command: expansions.update params: file: atlas-expansion.yml teardown_group: - func: upload-test-results - - command: shell.exec + - command: subprocess.exec params: + binary: bash env: - DRIVERS_ATLAS_PUBLIC_API_KEY: "${DRIVERS_ATLAS_PUBLIC_API_KEY}" - DRIVERS_ATLAS_PRIVATE_API_KEY: "${DRIVERS_ATLAS_PRIVATE_API_KEY}" - DRIVERS_ATLAS_GROUP_ID: "${DRIVERS_ATLAS_GROUP_ID}" - DRIVERS_ATLAS_LAMBDA_USER: "${DRIVERS_ATLAS_LAMBDA_USER}" - DRIVERS_ATLAS_LAMBDA_PASSWORD: "${DRIVERS_ATLAS_LAMBDA_PASSWORD}" - LAMBDA_STACK_NAME: "${LAMBDA_STACK_NAME}" - add_expansions_to_env: true - shell: "bash" - script: | - ${PREPARE_SHELL} - $DRIVERS_TOOLS/.evergreen/atlas/teardown-atlas-cluster.sh + LAMBDA_STACK_NAME: dbx-csharp-lambda + args: + - ${DRIVERS_TOOLS}/.evergreen/atlas/teardown-atlas-cluster.sh tasks: - atlas-search-index-helpers-test 
diff --git a/evergreen/run-tests.sh b/evergreen/run-tests.sh index e07a879b2e4..2468f1fb621 100755 --- a/evergreen/run-tests.sh +++ b/evergreen/run-tests.sh @@ -16,6 +16,7 @@ set -o errexit # Exit the script with error if any of the commands fail # MONGO_X509_CLIENT_CERTIFICATE_PASSWORD password for client certificate # FRAMEWORK Set to specify .NET framework to test against. Values: "Net472", "NetStandard21", # TARGET Set to specify a custom test target. Default: "nil" +# DRIVERS_TOOLS Set base path to evergreen-drivers-tools project # # Environment variables produced as output: # MONGODB_X509_CLIENT_P12_PATH Absolute path to client certificate in p12 format @@ -141,6 +142,10 @@ if [[ -z "$MONGO_X509_CLIENT_CERTIFICATE_PATH" && -z "$MONGO_X509_CLIENT_CERTIFI export MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}" fi +if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then + source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" +fi + . ./evergreen/export-libmongocrypt-path.sh if [[ "$TARGET" =~ "SmokeTests" ]]; then diff --git a/evergreen/set-temp-fle-aws-creds.sh b/evergreen/set-temp-fle-aws-creds.sh index 35f36335978..fc62e2ac4e3 100644 --- a/evergreen/set-temp-fle-aws-creds.sh +++ b/evergreen/set-temp-fle-aws-creds.sh @@ -10,8 +10,9 @@ # environment variable. # # Environment variables used as input: -# FLE_AWS_ACCESS_KEY_ID Set to access for global FLE_AWS_ACCESS_KEY_ID -# FLE_AWS_SECRET_ACCESS_KEY Set to access for global FLE_AWS_SECRET_ACCESS_KEY +# FLE_AWS_KEY Set to access for global FLE_AWS_KEY +# FLE_AWS_SECRET Set to access for global FLE_AWS_SECRET +# FLE_AWS_DEFAULT_REGION Set default AWS region for FLE_AWS_KEY # # Environment variables produced as output: # FLE_AWS_TEMP_ACCESS_KEY_ID Temporary AWS_ACCESS_KEY_ID 
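Review bot: The new `source` of `secrets-export.sh` runs with whatever shell options the caller has established; the Evergreen callers run `${PREPARE_SHELL}` before this script, and set-temp-fle-aws-creds.sh in this same series explicitly does `set +o xtrace` before sourcing the very same file, which suggests tracing can be on — and under xtrace every `export NAME=value` in that file is echoed into the task log. I'd guard it with `{ set +o xtrace; } 2>/dev/null` on the line before `source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh"`, restoring tracing afterwards if the rest of the script relies on it. Falling through silently when the file is absent is reasonable for tasks that do not call `setup-csfle-secrets`, but a one-line `echo "CSFLE secrets not loaded"` would make the later `GetEnvironmentVariableOrDefaultOrThrowIfNothing` failures far easier to diagnose.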
@@ -20,10 +21,17 @@ set +o xtrace # Disable tracing. +if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then + source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" +else + echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh does not exists." + exit 2 +fi + #boto3 expects env variables in a bit different form than we use -export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID -export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET_ACCESS_KEY -export AWS_DEFAULT_REGION=us-east-1 +export AWS_ACCESS_KEY_ID=$FLE_AWS_KEY +export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET +export AWS_DEFAULT_REGION=$FLE_AWS_DEFAULT_REGION echo "Triggering temporary CSFLE credentials" diff --git a/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/EncryptionTestHelper.cs b/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/EncryptionTestHelper.cs index 4b70c532ff5..11b75eae163 100644 --- a/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/EncryptionTestHelper.cs +++ b/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/EncryptionTestHelper.cs 
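Review bot: `export AWS_DEFAULT_REGION=$FLE_AWS_DEFAULT_REGION` drops the previous hard-coded `us-east-1` without a fallback, so if `secrets-export.sh` does not define `FLE_AWS_DEFAULT_REGION` the STS call for the temporary credentials runs with an empty region; `export AWS_DEFAULT_REGION=${FLE_AWS_DEFAULT_REGION:-us-east-1}` preserves the old behaviour as a default. Placing the `source` after `set +o xtrace` is the right order — otherwise the exported key material would be traced into the log — so please keep that ordering if the block is ever moved. Minor: the message reads `does not exists.` and should be `does not exist.`, and because this script is sourced, `exit 2` terminates the calling step, which appears to be the intent.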
@@ -42,22 +42,22 @@ private static IReadOnlyDictionary> { "aws", new Dictionary { - { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_ACCESS_KEY_ID") }, - { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_SECRET_ACCESS_KEY") } + { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_KEY") }, + { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_SECRET") } } }, { "aws:name1", new Dictionary { - { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_ACCESS_KEY_ID") }, - { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_SECRET_ACCESS_KEY") } + { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_KEY") }, + { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_SECRET") } } }, { "aws:name2", new Dictionary { - { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_NAMED2_ACCESS_KEY_ID") }, - { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_NAMED2_SECRET_ACCESS_KEY") } + { "accessKeyId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_KEY2") }, + { "secretAccessKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AWS_SECRET2") } } }, { 
@@ -81,31 +81,31 @@ private static IReadOnlyDictionary> { "azure", new Dictionary { - { "tenantId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_TENANT_ID") }, - { "clientId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENT_ID") }, - { "clientSecret", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENT_SECRET") } + { "tenantId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_TENANTID") }, + { "clientId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENTID") }, + { "clientSecret", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENTSECRET") } } }, { "azure:name1", new Dictionary { - { "tenantId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_TENANT_ID") }, - { "clientId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENT_ID") }, - { "clientSecret", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENT_SECRET") } + { "tenantId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_TENANTID") }, + { "clientId", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENTID") }, + { "clientSecret", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_AZURE_CLIENTSECRET") } } }, { "gcp", new Dictionary { { "email", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_EMAIL") }, - { "privateKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_PRIVATE_KEY") } + { "privateKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_PRIVATEKEY") } } }, { "gcp:name1", new Dictionary { { "email", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_EMAIL") }, - { "privateKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_PRIVATE_KEY") } + { "privateKey", GetEnvironmentVariableOrDefaultOrThrowIfNothing("FLE_GCP_PRIVATEKEY") } } }, { 
diff --git a/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs b/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs index 51ba57dd7b7..7ffdbfc28aa 100644 --- a/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs +++ b/tests/MongoDB.Driver.Tests/Specifications/client-side-encryption/prose-tests/ClientEncryptionProseTests.cs @@ -1734,9 +1734,9 @@ void KmsProviderEndpointConfigurator(string kmsProviderName, Dictionary certificateType switch { - CertificateType.Expired => "127.0.0.1:8000", - CertificateType.InvalidHostName => "127.0.0.1:8001", - CertificateType.TlsWithClientCert or CertificateType.TlsWithoutClientCert => !kmsProvider.StartsWith("kmip") ? "127.0.0.1:8002" : "127.0.0.1:5698", + CertificateType.Expired => "127.0.0.1:9000", + CertificateType.InvalidHostName => "127.0.0.1:9001", + CertificateType.TlsWithClientCert or CertificateType.TlsWithoutClientCert => !kmsProvider.StartsWith("kmip") ? "127.0.0.1:9002" : "127.0.0.1:5698", _ => throw new Exception($"Not supported client certificate type {certificateType}."), }; From 2b51694f43faa2c703ab08145f3907ddf000f1ef Mon Sep 17 00:00:00 2001 From: Oleksandr Poliakov Date: Thu, 14 Nov 2024 14:29:55 -0800 Subject: [PATCH 2/5] fix ubuntu --- evergreen/run-tests.sh | 2 +- evergreen/set-temp-fle-aws-creds.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/evergreen/run-tests.sh b/evergreen/run-tests.sh index 2468f1fb621..19343206891 100755 --- a/evergreen/run-tests.sh +++ b/evergreen/run-tests.sh @@ -143,7 +143,7 @@ if [[ -z "$MONGO_X509_CLIENT_CERTIFICATE_PATH" && -z "$MONGO_X509_CLIENT_CERTIFI fi if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then - source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" + source $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh fi . ./evergreen/export-libmongocrypt-path.sh 
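Review bot: Dropping the quotes in `source $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh` subjects the path to word splitting and globbing while the `[ -f "..." ]` test two lines above still quotes it, so the two can disagree (guard passes, source fails) if `DRIVERS_TOOLS` ever contains a space or glob character. The commit message says this fixes Ubuntu, but nothing in the hunk shows why quoting would break there; if the actual cause was something else (CRLF line endings, an unset `DRIVERS_TOOLS`), I'd restore `source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh"` and fix that instead. The same change is made in set-temp-fle-aws-creds.sh below.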
diff --git a/evergreen/set-temp-fle-aws-creds.sh b/evergreen/set-temp-fle-aws-creds.sh index fc62e2ac4e3..424e635cb9f 100644 --- a/evergreen/set-temp-fle-aws-creds.sh +++ b/evergreen/set-temp-fle-aws-creds.sh @@ -22,7 +22,7 @@ set +o xtrace # Disable tracing. if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then - source "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" + source $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh else echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh does not exists." exit 2 From ff4b22f7beb27bc030025df84756ddeaad5335e9 Mon Sep 17 00:00:00 2001 From: Oleksandr Poliakov Date: Thu, 14 Nov 2024 16:46:33 -0800 Subject: [PATCH 3/5] Fix --- evergreen/evergreen.yml | 1 + evergreen/set-temp-fle-aws-creds.sh | 2 ++ 2 files changed, 3 insertions(+) diff --git a/evergreen/evergreen.yml b/evergreen/evergreen.yml index e9fc37dd843..98d4288ad6a 100644 --- a/evergreen/evergreen.yml +++ b/evergreen/evergreen.yml @@ -353,6 +353,7 @@ functions: type: test params: working_dir: mongo-csharp-driver + shell: "bash" script: | . ./evergreen/set-virtualenv.sh DRIVERS_TOOLS=${DRIVERS_TOOLS} . ./evergreen/set-temp-fle-aws-creds.sh diff --git a/evergreen/set-temp-fle-aws-creds.sh b/evergreen/set-temp-fle-aws-creds.sh index 424e635cb9f..49e2a837b93 100644 --- a/evergreen/set-temp-fle-aws-creds.sh +++ b/evergreen/set-temp-fle-aws-creds.sh @@ -22,6 +22,8 @@ set +o xtrace # Disable tracing. if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then + echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" + tail $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh source $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh else echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh does not exists." From 669a5012b4a3ee7c963e3a6ee909e9dd140f6343 Mon Sep 17 00:00:00 2001 From: Oleksandr Poliakov Date: Thu, 14 Nov 2024 16:47:03 -0800 Subject: [PATCH 4/5] fix --- evergreen/set-temp-fle-aws-creds.sh | 2 -- 1 file changed, 2 deletions(-) 
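Review bot: `tail $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh` in the third patch of this series prints the last lines of the credentials file — the FLE_AWS_*/FLE_AZURE_*/FLE_GCP_* values that run-tests.sh and this script source from it — directly into the Evergreen task log. The fourth patch removes the line again, but any task that ran at that revision has those values in its retained log, so they should be treated as exposed and rotated, and the log scrubbed if Evergreen allows it. For this kind of debugging print only metadata, e.g. `ls -l "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh"` or `grep -c '^export' "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh"`, never the contents.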
diff --git a/evergreen/set-temp-fle-aws-creds.sh b/evergreen/set-temp-fle-aws-creds.sh index 49e2a837b93..424e635cb9f 100644 --- a/evergreen/set-temp-fle-aws-creds.sh +++ b/evergreen/set-temp-fle-aws-creds.sh @@ -22,8 +22,6 @@ set +o xtrace # Disable tracing. if [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then - echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" - tail $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh source $DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh else echo "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh does not exists." From 506710c4a45748e0de93f6325654148f737b5e29 Mon Sep 17 00:00:00 2001 From: Oleksandr Poliakov Date: Wed, 20 Nov 2024 21:03:32 -0800 Subject: [PATCH 5/5] Fix KMS --- evergreen/evergreen.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/evergreen/evergreen.yml b/evergreen/evergreen.yml index 98d4288ad6a..990cad7e94a 100644 --- a/evergreen/evergreen.yml +++ b/evergreen/evergreen.yml @@ -1664,9 +1664,8 @@ tasks: script: | ${PREPARE_SHELL} echo "Copying files ... begin" - export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} - export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey + source $DRIVERS_TOOLS/.evergreen/csfle/azurekms/secrets-export.sh tar czf /tmp/mongo-csharp-driver.tgz . AZUREKMS_SRC=/tmp/mongo-csharp-driver.tgz AZUREKMS_DST="~/" $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh echo "Copying files ... end" 
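Review bot: `source $DRIVERS_TOOLS/.evergreen/csfle/azurekms/secrets-export.sh` is placed directly after `${PREPARE_SHELL}` in a `shell.exec` script; set-temp-fle-aws-creds.sh in this same series guards its equivalent source with `set +o xtrace`, which implies tracing is active in these steps, and under xtrace each exported Azure value would be echoed into the task log. I'd precede the line with `{ set +o xtrace; } 2>/dev/null`, or mark the command `silent: true` in its params (which sit outside this hunk). Also, `export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey` survives although the task-group step that used to write that file was removed earlier in this series, so it now relies on `azurekms/setup-secrets.sh` creating the key at exactly that path — worth confirming.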
@@ -1681,10 +1680,9 @@ tasks: shell: "bash" script: | ${PREPARE_SHELL} - export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} - export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} + source $DRIVERS_TOOLS/.evergreen/csfle/azurekms/secrets-export.sh export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey - AZUREKMS_CMD="MONGODB_URI='mongodb://localhost:27017' KEY_NAME='${testazurekms_keyname}' KEY_VAULT_ENDPOINT='${testazurekms_keyvaultendpoint}' OS='${OS}' ./evergreen/run-csfle-azure-tests.sh" $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh + AZUREKMS_CMD="MONGODB_URI='mongodb://localhost:27017' KEY_NAME='${AZUREKMS_KEYNAME}' KEY_VAULT_ENDPOINT='${AZUREKMS_KEYVAULTENDPOINT}' OS='${OS}' ./evergreen/run-csfle-azure-tests.sh" $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh - name: test-csfle-with-gcp-kms commands: @@ -1696,11 +1694,8 @@ tasks: script: | ${PREPARE_SHELL} echo "Copying files ... begin" - export GCPKMS_GCLOUD=${GCPKMS_GCLOUD} - export GCPKMS_PROJECT=${GCPKMS_PROJECT} - export GCPKMS_ZONE=${GCPKMS_ZONE} - export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME} tar czf /tmp/mongo-csharp-driver.tgz . + source $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/secrets-export.sh GCPKMS_SRC=/tmp/mongo-csharp-driver.tgz GCPKMS_DST=$GCPKMS_INSTANCENAME: $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/copy-file.sh echo "Copying files ... end" echo "Untarring file ... begin" @@ -1714,10 +1709,7 @@ tasks: shell: "bash" script: | ${PREPARE_SHELL} - export GCPKMS_GCLOUD=${GCPKMS_GCLOUD} - export GCPKMS_PROJECT=${GCPKMS_PROJECT} - export GCPKMS_ZONE=${GCPKMS_ZONE} - export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME} + source $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/secrets-export.sh GCPKMS_CMD="MONGODB_URI='mongodb://localhost:27017' OS='${OS}' ./evergreen/run-csfle-gcp-tests.sh" $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh - name: test-SK
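Review bot: `KEY_NAME='${AZUREKMS_KEYNAME}'` and `KEY_VAULT_ENDPOINT='${AZUREKMS_KEYVAULTENDPOINT}'` use `${…}`, which inside a `shell.exec` script is an Evergreen expansion substituted before bash runs; these names are now supplied as shell variables by the `source …/azurekms/secrets-export.sh` on the previous line, so unless the task group also loads them as expansions (the `expansions.update` file is outside this hunk) they will be replaced with empty strings. The gcp hunk below already uses the unbraced form (`$GCPKMS_INSTANCENAME`) for a sourced value; do the same here and switch to double quotes so the shell expands them: `KEY_NAME="$AWS_PLACEHOLDER"` is wrong, the line should read `KEY_NAME="$AZUREKMS_KEYNAME" KEY_VAULT_ENDPOINT="$AZUREKMS_KEYVAULTENDPOINT"`. Leave `${OS}` as it is, since that one is a genuine Evergreen expansion.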