PHPC-2099: crypt_shared testing (#1333)

* Use non-breaking space in OS axis labels

* Revise titles and Manager construction in autoEncryption tests

* Define CSFLE_KEY_VAULT_NS and CSFLE_LOCAL_KEY constants

The value for CSFLE_KEY_VAULT_NS is based on the example from PHPLIB-826. This was not required but helps makes all tests consistent and will make it easier if we need to add functionality to a helper to drop the key vault collection before a test.

Using CSFLE_LOCAL_KEY allows removal of a duplicated string literal in various CSFLE tests. Although the new constant wasn't required for all tests (empty strings worked fine to satisfy option validation), using a constant helps ensure consistency across the test suite.

Also use create_test_manager() in more places when basic.inc is included. The remaining instances of direct Manager construction should only be in tests where basic.inc isn't used.

Author: jmikola

.evergreen/config.yml

@@ -466,6 +466,18 @@ functions:
             ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop
           fi
 
+  "fetch crypt_shared":
+    - command: shell.exec
+      params:
+        script: |
+          # TODO: Specify same version provisioned by download-mongodb.sh (see: DRIVERS-2355)
+          python3 ${DRIVERS_TOOLS}/.evergreen/mongodl.py --component crypt_shared --version latest --only "**/mongo_crypt_v1.so" --out ${DRIVERS_TOOLS}/.evergreen/csfle --strip-path-components 1
+    - command: expansions.update
+      params:
+        updates:
+          - key: client_side_encryption_crypt_shared_lib_path
+            value: ${DRIVERS_TOOLS}/.evergreen/csfle/mongo_crypt_v1.so
+
 pre:
   - func: "fetch source"
   - func: "prepare resources"
@@ -585,6 +597,17 @@ tasks:
           vars:
             TESTS: "tests/atlas.phpt"
 
+    - name: "test-crypt_shared"
+      commands:
+        - func: "compile driver"
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            TOPOLOGY: "replica_set"
+        - func: "fetch crypt_shared"
+        - func: "run tests"
+          vars:
+            CRYPT_SHARED_LIB_PATH: "${client_side_encryption_crypt_shared_lib_path}"
+
     - name: "test-loadBalanced"
       tags: ["loadbalanced"]
       commands:
@@ -1107,10 +1130,10 @@ axes:
         display_name: "RHEL 7.1 Power 8"
         run_on: rhel71-power8-build
       - id: rhel72-zseries
-        display_name: "RHEL 7.2 zSeries"
+        display_name: "RHEL 7.2 zSeries"
         run_on: rhel72-zseries-build
       - id: ubuntu1804-arm64
-        display_name: "Ubuntu 18.04 ARM64"
+        display_name: "Ubuntu 18.04 ARM64"
         run_on: ubuntu1804-arm64-test
       # Pending installation of PHP toolchain on macOS hosts (see: PHPC-869)
       # - id: macos-1014
@@ -1233,3 +1256,10 @@ buildvariants:
   display_name: "Load balanced - ${mongodb-versions}"
   tasks:
     - name: "test-loadBalanced"
+
+# CSFLE crypt_shared is available from MongoDB 6.0+
+- matrix_name: "test-csfle-crypt_shared"
+  matrix_spec: { "os": "debian11", "mongodb-versions": "6.0", "php-edge-versions": "latest-stable" }
+  display_name: "CSFLE crypt_shared - ${mongodb-versions}"
+  tasks:
+    - name: "test-crypt_shared"

CONTRIBUTING.md

@@ -111,6 +111,10 @@ The test suite references the following environment variables:
    which will then be specified as the `serverApi` driver option for
    [`MongoDB\Driver\Manager`](https://www.php.net/manual/en/class.mongodb-driver-manager.php)
    objects created by the test suite.
+ * `CRYPT_SHARED_LIB_PATH`: If defined, this value will be used to set the
+   `cryptSharedLibPath` autoEncryption driver option for
+   [`MongoDB\Driver\Manager`](https://www.php.net/manual/en/class.mongodb-driver-manager.php)
+   objects created by the test suite.
 
 ### Mongo Orchestration
 

tests/clientEncryption/clientEncryption-createDataKey-001.phpt

@@ -6,12 +6,15 @@ MongoDB\Driver\ClientEncryption::createDataKey()
 <?php skip_if_not_live(); ?>
 --FILE--
 <?php
-require_once __DIR__ . "/../utils/basic.inc";
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . "/../utils/basic.inc";
 
 $manager = create_test_manager();
-$clientEncryption = $manager->createClientEncryption(['keyVaultNamespace' => 'default.keys', 'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]]);
+
+$clientEncryption = $manager->createClientEncryption([
+  'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+  'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
 
 var_dump($clientEncryption->createDataKey('local'));
 

tests/clientEncryption/clientEncryption-createDataKey_error-001.phpt

@@ -6,9 +6,8 @@ MongoDB\Driver\ClientEncryption::createDataKey() with invalid keyAltNames
 <?php skip_if_not_live(); ?>
 --FILE--
 <?php
-require_once __DIR__ . "/../utils/basic.inc";
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . "/../utils/basic.inc";
 
 $tests = [
     ['keyAltNames' => 'foo'],
@@ -17,7 +16,10 @@ $tests = [
 ];
 
 $manager = create_test_manager();
-$clientEncryption = $manager->createClientEncryption(['keyVaultNamespace' => 'default.keys', 'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]]);
+$clientEncryption = $manager->createClientEncryption([
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
 
 foreach ($tests as $opts) {
     echo throws(function () use ($clientEncryption, $opts) {

tests/clientEncryption/clientEncryption-ctor-001.phpt

@@ -6,12 +6,12 @@ MongoDB\Driver\ClientEncryption::__construct()
 --FILE--
 <?php
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . "/../utils/basic.inc";
 
 $clientEncryption = new MongoDB\Driver\ClientEncryption([
-    'keyVaultClient' => new MongoDB\Driver\Manager(),
-    'keyVaultNamespace' => 'default.keys',
-    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]
+    'keyVaultClient' => create_test_manager(),
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
 ]);
 
 var_dump($clientEncryption);

tests/clientEncryption/clientEncryption-ctor_error-002.phpt

@@ -19,7 +19,7 @@ $tests = [
     [
         'keyVaultNamespace' => 'not_a_namespace',
         // keyVaultNamespace requires a valid kmsProviders option
-        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary('', 0)]],
+        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
     ] + $baseOptions,
     ['kmsProviders' => 'not_an_array_or_object'] + $baseOptions,
     ['tlsOptions' => 'not_an_array_or_object'] + $baseOptions,

tests/clientEncryption/clientEncryption-decrypt-001.phpt

@@ -7,16 +7,19 @@ MongoDB\Driver\ClientEncryption::decrypt()
 <?php skip_if_not_server_storage_engine('wiredTiger'); ?>
 --FILE--
 <?php
-require_once __DIR__ . "/../utils/basic.inc";
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . "/../utils/basic.inc";
 
 $manager = create_test_manager();
-$clientEncryption = $manager->createClientEncryption(['keyVaultNamespace' => 'default.keys', 'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]]);
 
-$key = $clientEncryption->createDataKey('local');
+$clientEncryption = $manager->createClientEncryption([
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
+
+$keyId = $clientEncryption->createDataKey('local');
 
-$encrypted = $clientEncryption->encrypt('top-secret', ['keyId' => $key, 'algorithm' => MongoDB\Driver\ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC]);
+$encrypted = $clientEncryption->encrypt('top-secret', ['keyId' => $keyId, 'algorithm' => MongoDB\Driver\ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC]);
 var_dump($clientEncryption->decrypt($encrypted));
 
 ?>

tests/clientEncryption/clientEncryption-encrypt-001.phpt

@@ -7,16 +7,19 @@ MongoDB\Driver\ClientEncryption::encrypt()
 <?php skip_if_not_server_storage_engine('wiredTiger'); ?>
 --FILE--
 <?php
-require_once __DIR__ . "/../utils/basic.inc";
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . "/../utils/basic.inc";
 
 $manager = create_test_manager();
-$clientEncryption = $manager->createClientEncryption(['keyVaultNamespace' => 'default.keys', 'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]]);
 
-$key = $clientEncryption->createDataKey('local');
+$clientEncryption = $manager->createClientEncryption([
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
+
+$keyId = $clientEncryption->createDataKey('local');
 
-var_dump($clientEncryption->encrypt('top-secret', ['keyId' => $key, 'algorithm' => MongoDB\Driver\ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC]));
+var_dump($clientEncryption->encrypt('top-secret', ['keyId' => $keyId, 'algorithm' => MongoDB\Driver\ClientEncryption::AEAD_AES_256_CBC_HMAC_SHA_512_DETERMINISTIC]));
 
 ?>
 ===DONE===

tests/cursor/bug1529-001.phpt

@@ -46,8 +46,8 @@ class CommandLogger implements MongoDB\Driver\Monitoring\CommandSubscriber
 $keyVaultClient = create_test_manager(URI, [], ['disableClientPersistence' => true]);
 $autoEncryptionOpts = [
     'keyVaultClient' => $keyVaultClient,
-    'keyVaultNamespace' => 'default.keys',
-    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(str_repeat('0', 96), 0)]],
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
 ];
 
 $manager = create_test_manager(URI, [], ['autoEncryption' => $autoEncryptionOpts, 'disableClientPersistence' => true]);

tests/manager/manager-createClientEncryption-001.phpt

@@ -6,13 +6,13 @@ MongoDB\Driver\Manager::createClientEncryption()
 --FILE--
 <?php
 
-$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+require_once __DIR__ . '/../utils/basic.inc';
 
-$manager = new MongoDB\Driver\Manager();
+$manager = create_test_manager();
 
 $clientEncryption = $manager->createClientEncryption([
-    'keyVaultNamespace' => 'default.keys',
-    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]]
 ]);
 
 var_dump($clientEncryption);

tests/manager/manager-createClientEncryption-error-002.phpt

@@ -13,7 +13,7 @@ $tests = [
     [
         'keyVaultNamespace' => 'not_a_namespace',
         // keyVaultNamespace requires a valid kmsProviders option
-        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary('', 0)]],
+        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
     ],
     ['kmsProviders' => 'not_an_array_or_object'],
     ['tlsOptions' => 'not_an_array_or_object'],

tests/manager/manager-ctor-auto_encryption-001.phpt

@@ -1,22 +1,24 @@
 --TEST--
-MongoDB\Driver\Manager::__construct(): auto encryption options
+MongoDB\Driver\Manager::__construct(): autoEncryption options
 --SKIPIF--
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_appveyor(); /* AppVeyor does not have mongocryptd installed */ ?>
 <?php skip_if_not_libmongocrypt(); ?>
 --FILE--
 <?php
 
+require_once __DIR__ . '/../utils/basic.inc';
+
 $baseOptions = [
-    'keyVaultNamespace' => 'admin.dataKeys',
-    'kmsProviders' => ['aws' => (object) ['accessKeyId' => 'abc', 'secretAccessKey' => 'def']]
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
 ];
 
 $tests = [
     [],
     ['bypassAutoEncryption' => true],
     ['bypassQueryAnalysis' => true],
-    ['keyVaultClient' => new MongoDB\Driver\Manager()],
+    ['keyVaultClient' => create_test_manager()],
     ['schemaMap' => [
         'default.default' => [
             'properties' => [
@@ -42,7 +44,7 @@ $tests = [
 ];
 
 foreach ($tests as $autoEncryptionOptions) {
-    $manager = new MongoDB\Driver\Manager(null, [], ['autoEncryption' => $autoEncryptionOptions + $baseOptions]);
+    create_test_manager(null, [], ['autoEncryption' => $autoEncryptionOptions + $baseOptions]);
 }
 
 ?>

tests/manager/manager-ctor-auto_encryption-002.phpt

@@ -0,0 +1,24 @@
+--TEST--
+MongoDB\Driver\Manager::__construct(): crypt_shared is required
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+<?php skip_if_no_crypt_shared(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . '/../utils/basic.inc';
+
+$autoEncryptionOptions = [
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+    'extraOptions' => ['cryptSharedLibRequired' => true],
+];
+
+create_test_manager(null, [], ['autoEncryption' => $autoEncryptionOptions]);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+===DONE===

tests/manager/manager-ctor-auto_encryption-error-001.phpt

@@ -1,21 +1,20 @@
 --TEST--
-MongoDB\Driver\Manager::__construct(): incomplete auto encryption options
+MongoDB\Driver\Manager::__construct(): incomplete autoEncryption options
 --SKIPIF--
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongocrypt(); ?>
 --FILE--
 <?php
-
 require_once __DIR__ . '/../utils/basic.inc';
 
 $tests = [
     [],
-    ['keyVaultNamespace' => 'admin.keys'],
+    ['keyVaultNamespace' => CSFLE_KEY_VAULT_NS],
 ];
 
-foreach ($tests as $driverOptions) {
-    echo throws(function() use ($driverOptions) {
-        $manager = create_test_manager(null, [], ['autoEncryption' => $driverOptions]);
+foreach ($tests as $autoEncryptionOptions) {
+    echo throws(function() use ($autoEncryptionOptions) {
+        create_test_manager(null, [], ['autoEncryption' => $autoEncryptionOptions]);
     }, MongoDB\Driver\Exception\InvalidArgumentException::class), "\n\n";
 }
 

tests/manager/manager-ctor-auto_encryption-error-002.phpt

@@ -1,5 +1,5 @@
 --TEST--
-MongoDB\Driver\Manager::__construct(): auto encryption when compiling without libmongocrypt
+MongoDB\Driver\Manager::__construct(): autoEncryption when compiling without libmongocrypt
 --SKIPIF--
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_libmongocrypt(); ?>
@@ -9,7 +9,7 @@ MongoDB\Driver\Manager::__construct(): auto encryption when compiling without li
 require_once __DIR__ . '/../utils/basic.inc';
 
 echo throws(function () {
-    $manager = create_test_manager(null, [], ['autoEncryption' => []]);
+    create_test_manager(null, [], ['autoEncryption' => []]);
 }, MongoDB\Driver\Exception\InvalidArgumentException::class), "\n";
 
 ?>

tests/manager/manager-ctor-auto_encryption-error-003.phpt

@@ -1,5 +1,5 @@
 --TEST--
-MongoDB\Driver\Manager::__construct(): invalid option types
+MongoDB\Driver\Manager::__construct(): invalid types in autoEncryption options
 --SKIPIF--
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongocrypt(); ?>
@@ -15,17 +15,17 @@ $tests = [
     [
         'keyVaultNamespace' => 'not_a_namespace',
         // keyVaultNamespace requires a valid kmsProviders option
-        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary('', 0)]],
+        'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
     ],
     ['kmsProviders' => 'not_an_array_or_object'],
     ['schemaMap' => 'not_an_array_or_object'],
     ['tlsOptions' => 'not_an_array_or_object'],
     ['extraOptions' => 'not_an_array_or_object'],
 ];
 
-foreach ($tests as $test) {
-    echo throws(function() use ($test) {
-        $manager = create_test_manager(null, [], ['autoEncryption' => $test]);
+foreach ($tests as $autoEncryptionOptions) {
+    echo throws(function() use ($autoEncryptionOptions) {
+        create_test_manager(null, [], ['autoEncryption' => $autoEncryptionOptions]);
     }, MongoDB\Driver\Exception\InvalidArgumentException::class), "\n\n";
 }