PYTHON-5195 Convert OCSP tests to use new test scripts (#2190)

Co-authored-by: Noah Stapp <noah@noahstapp.com>

Author: blink1073

.evergreen/config.yml

@@ -801,7 +801,7 @@ def create_server_tasks():
             AUTH=auth,
             SSL=ssl,
         )
-        server_func = FunctionCall(func="run-server", vars=server_vars)
+        server_func = FunctionCall(func="run server", vars=server_vars)
         test_vars = dict(AUTH=auth, SSL=ssl, SYNC=sync)
         if sync == "sync":
             test_vars["TEST_NAME"] = "default_sync"
@@ -820,7 +820,7 @@ def create_load_balancer_tasks():
         server_vars = dict(
             TOPOLOGY="sharded_cluster", AUTH=auth, SSL=ssl, TEST_NAME="load_balancer"
         )
-        server_func = FunctionCall(func="run-server", vars=server_vars)
+        server_func = FunctionCall(func="run server", vars=server_vars)
         test_vars = dict(AUTH=auth, SSL=ssl, TEST_NAME="load_balancer")
         test_func = FunctionCall(func="run tests", vars=test_vars)
         tasks.append(EvgTask(name=name, tags=tags, commands=[server_func, test_func]))
@@ -839,7 +839,7 @@ def create_kms_tasks():
                 sub_test_name += "-fail"
             commands = []
             if not success:
-                commands.append(FunctionCall(func="run-server"))
+                commands.append(FunctionCall(func="run server"))
             test_vars = dict(TEST_NAME="kms", SUB_TEST_NAME=sub_test_name)
             test_func = FunctionCall(func="run tests", vars=test_vars)
             commands.append(test_func)
@@ -862,7 +862,7 @@ def create_aws_tasks():
         base_name = f"test-auth-aws-{version}"
         base_tags = ["auth-aws"]
         server_vars = dict(AUTH_AWS="1", VERSION=version)
-        server_func = FunctionCall(func="run-server", vars=server_vars)
+        server_func = FunctionCall(func="run server", vars=server_vars)
         assume_func = FunctionCall(func="assume ec2 role")
         for test_type in aws_test_types:
             tags = [*base_tags, f"auth-aws-{test_type}"]
@@ -884,6 +884,60 @@ def create_aws_tasks():
     return tasks
 
 
+def _create_ocsp_task(algo, variant, server_type, base_task_name):
+    file_name = f"{algo}-basic-tls-ocsp-{variant}.json"
+
+    vars = dict(TEST_NAME="ocsp", ORCHESTRATION_FILE=file_name)
+    server_func = FunctionCall(func="run server", vars=vars)
+
+    vars = dict(ORCHESTRATION_FILE=file_name, OCSP_SERVER_TYPE=server_type, TEST_NAME="ocsp")
+    test_func = FunctionCall(func="run tests", vars=vars)
+
+    tags = ["ocsp", f"ocsp-{algo}"]
+    if "disableStapling" not in variant:
+        tags.append("ocsp-staple")
+
+    task_name = f"test-ocsp-{algo}-{base_task_name}"
+    commands = [server_func, test_func]
+    return EvgTask(name=task_name, tags=tags, commands=commands)
+
+
+def create_ocsp_tasks():
+    tasks = []
+    tests = [
+        ("disableStapling", "valid", "valid-cert-server-does-not-staple"),
+        ("disableStapling", "revoked", "invalid-cert-server-does-not-staple"),
+        ("disableStapling", "valid-delegate", "delegate-valid-cert-server-does-not-staple"),
+        ("disableStapling", "revoked-delegate", "delegate-invalid-cert-server-does-not-staple"),
+        ("disableStapling", "no-responder", "soft-fail"),
+        ("mustStaple", "valid", "valid-cert-server-staples"),
+        ("mustStaple", "revoked", "invalid-cert-server-staples"),
+        ("mustStaple", "valid-delegate", "delegate-valid-cert-server-staples"),
+        ("mustStaple", "revoked-delegate", "delegate-invalid-cert-server-staples"),
+        (
+            "mustStaple-disableStapling",
+            "revoked",
+            "malicious-invalid-cert-mustStaple-server-does-not-staple",
+        ),
+        (
+            "mustStaple-disableStapling",
+            "revoked-delegate",
+            "delegate-malicious-invalid-cert-mustStaple-server-does-not-staple",
+        ),
+        (
+            "mustStaple-disableStapling",
+            "no-responder",
+            "malicious-no-responder-mustStaple-server-does-not-staple",
+        ),
+    ]
+    for algo in ["ecdsa", "rsa"]:
+        for variant, server_type, base_task_name in tests:
+            task = _create_ocsp_task(algo, variant, server_type, base_task_name)
+            tasks.append(task)
+
+    return tasks
+
+
 ##################
 # Generate Config
 ##################

.evergreen/generated_configs/tasks.yml

@@ -32,15 +32,26 @@ def start_server():
     elif test_name == "load_balancer":
         set_env("LOAD_BALANCER")
 
+    elif test_name == "ocsp":
+        opts.ssl = True
+        if "ORCHESTRATION_FILE" not in os.environ:
+            found = False
+            for opt in extra_opts:
+                if opt.startswith("--orchestration-file"):
+                    found = True
+            if not found:
+                raise ValueError("Please provide an orchestration file")
+
     if not os.environ.get("TEST_CRYPT_SHARED"):
         set_env("SKIP_CRYPT_SHARED")
 
     if opts.ssl:
         extra_opts.append("--ssl")
-        certs = ROOT / "test/certificates"
-        set_env("TLS_CERT_KEY_FILE", certs / "client.pem")
-        set_env("TLS_PEM_KEY_FILE", certs / "server.pem")
-        set_env("TLS_CA_FILE", certs / "ca.pem")
+        if test_name != "ocsp":
+            certs = ROOT / "test/certificates"
+            set_env("TLS_CERT_KEY_FILE", certs / "client.pem")
+            set_env("TLS_PEM_KEY_FILE", certs / "server.pem")
+            set_env("TLS_CA_FILE", certs / "ca.pem")
 
     cmd = ["bash", f"{DRIVERS_TOOLS}/.evergreen/run-orchestration.sh", *extra_opts]
     run_command(cmd, cwd=DRIVERS_TOOLS)

.evergreen/scripts/generate_config.py

@@ -239,6 +239,30 @@ def handle_test_env() -> None:
         cmd = f'bash "{DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh" start'
         run_command(cmd)
 
+    if test_name == "ocsp":
+        if sub_test_name:
+            os.environ["OCSP_SERVER_TYPE"] = sub_test_name
+        for name in ["OCSP_SERVER_TYPE", "ORCHESTRATION_FILE"]:
+            if name not in os.environ:
+                raise ValueError(f"Please set {name}")
+
+        server_type = os.environ["OCSP_SERVER_TYPE"]
+        orch_file = os.environ["ORCHESTRATION_FILE"]
+        ocsp_algo = orch_file.split("-")[0]
+        if server_type == "no-responder":
+            tls_should_succeed = "false" if "mustStaple-disableStapling" in orch_file else "true"
+        else:
+            tls_should_succeed = "true" if "valid" in server_type else "false"
+
+        write_env("OCSP_TLS_SHOULD_SUCCEED", tls_should_succeed)
+        write_env("CA_FILE", f"{DRIVERS_TOOLS}/.evergreen/ocsp/{ocsp_algo}/ca.pem")
+
+        if server_type != "no-responder":
+            env = os.environ.copy()
+            env["SERVER_TYPE"] = server_type
+            env["OCSP_ALGORITHM"] = ocsp_algo
+            run_command(f"bash {DRIVERS_TOOLS}/.evergreen/ocsp/setup.sh", env=env)
+
     if SSL != "nossl":
         if not DRIVERS_TOOLS:
             raise RuntimeError("Missing DRIVERS_TOOLS")
@@ -302,10 +326,6 @@ def handle_test_env() -> None:
 
         setup_kms(sub_test_name)
 
-    if test_name == "ocsp":
-        write_env("CA_FILE", os.environ["CA_FILE"])
-        write_env("OCSP_TLS_SHOULD_SUCCEED", os.environ["OCSP_TLS_SHOULD_SUCCEED"])
-
     if test_name == "auth_aws" and sub_test_name != "ecs-remote":
         auth_aws_dir = f"{DRIVERS_TOOLS}/.evergreen/auth_aws"
         if "AWS_ROLE_SESSION_NAME" in os.environ:

.evergreen/scripts/run-ocsp-test.sh

@@ -24,6 +24,10 @@
 
     teardown_kms(SUB_TEST_NAME)
 
+# Tear down ocsp if applicable.
+elif TEST_NAME == "ocsp":
+    run_command(f"bash {DRIVERS_TOOLS}/.evergreen/teardown.sh")
+
 # Tear down auth_aws if applicable.
 # We do not run web-identity hosts on macos, because the hosts lack permissions,
 # so there is no reason to run the teardown, which would error with a 401.

.evergreen/scripts/run_server.py

@@ -218,12 +218,12 @@ the pages will re-render and the browser will automatically refresh.
 ### Usage
 
 - Run `just run-server` with optional args to set up the server.
-  All given flags will be passed to `run-orchestration.sh` in `DRIVERS_TOOLS`.
+  All given flags will be passed to `run-orchestration.sh` in `$DRIVERS_TOOLS`.
 - Run `just setup-tests` with optional args to set up the test environment, secrets, etc.
 - Run `just run-tests` to run the tests in an appropriate Python environment.
 - When done, run `just teardown-tests` to clean up and `just stop-server` to stop the server.
 
-## Encryption tests
+### Encryption tests
 
 - Run `just run-server` to start the server.
 - Run `just setup-tests encryption`.
@@ -236,13 +236,13 @@ the pages will re-render and the browser will automatically refresh.
 - Set up the test with `just setup-tests load_balancer`.
 - Run the tests with `just run-tests`.
 
-## AWS tests
+### AWS tests
 
 - Run `just run-server auth_aws` to start the server.
 - Run `just setup-tests auth_aws <aws-test-type>` to set up the AWS test.
 - Run the tests with `just run-tests`.
 
-## KMS tests
+### KMS tests
 
 For KMS tests that are run locally, and expected to fail, in this case using `azure`:
 
@@ -255,6 +255,17 @@ For KMS tests that run remotely and are expected to pass, in this case using `gc
 - Run `just setup-tests kms gcp`.
 - Run `just run-tests`.
 
+### OCSP tests
+
+  - Export the orchestration file, e.g. `export ORCHESTRATION_FILE=rsa-basic-tls-ocsp-disableStapling.json`.
+    This corresponds to a config file in `$DRIVERS_TOOLS/.evergreen/orchestration/configs/servers`.
+    MongoDB servers on MacOS and Windows do not staple OCSP responses and only support RSA.
+  - Run `just run-server ocsp`.
+  - Run `just setup-tests ocsp <sub test>` (options are "valid", "revoked", "valid-delegate", "revoked-delegate").
+  - Run `just run-tests`
+
+  If you are running one of the `no-responder` tests, omit the `run-server` step.
+
 ## Enable Debug Logs
 - Use `-o log_cli_level="DEBUG" -o log_cli=1` with `just test` or `pytest`.
 - Add `log_cli_level = "DEBUG` and `log_cli = 1` to the `tool.pytest.ini_options` section in `pyproject.toml` for Evergreen patches or to enable debug logs by default on your machine.