RUST-1830 Switch to standard scripts for csfle test servers (#1113)

abr-egn · web-flow · commit 243d15427310 · 2024-05-31T13:03:46.000-04:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -30,6 +30,7 @@ pre:
 
 # Functions to run after all tasks (except those in task groups).
 post:
+  - func: "stop csfle servers"
   - func: "stop load balancer"
   - func: "stop mongo orchestration"
   - func: "tear down aws"
@@ -357,7 +358,6 @@ buildvariants:
 
   - name: in-use-encryption-openssl
     display_name: "In-Use Encryption (OpenSSL)"
-    patchable: false
     run_on:
       - rhel80-small
     expansions:
@@ -904,7 +904,7 @@ tasks:
         vars:
           MONGODB_VERSION: 4.2
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-4.4
@@ -915,7 +915,7 @@ tasks:
         vars:
           MONGODB_VERSION: 4.4
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-5.0
@@ -926,7 +926,7 @@ tasks:
         vars:
           MONGODB_VERSION: 5.0
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-6.0
@@ -937,7 +937,7 @@ tasks:
         vars:
           MONGODB_VERSION: 6.0
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-7.0
@@ -948,7 +948,7 @@ tasks:
         vars:
           MONGODB_VERSION: 7.0
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-rapid
@@ -959,7 +959,7 @@ tasks:
         vars:
           MONGODB_VERSION: rapid
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-latest
@@ -970,7 +970,7 @@ tasks:
         vars:
           MONGODB_VERSION: latest
           TOPOLOGY: replica_set
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-openssl
@@ -980,8 +980,7 @@ tasks:
         vars:
           MONGODB_VERSION: rapid
           TOPOLOGY: replica_set
-      - func: "run kmip server"
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle tests"
 
   - name: test-in-use-encryption-serverless
@@ -993,8 +992,7 @@ tasks:
         params:
           file: serverless-expansion.yml
       - func: "install libmongocrypt"
-      - func: "run kmip server"
-      - func: "run mock azure imds server"
+      - func: "start csfle servers"
       - func: "run csfle serverless tests"
 
   - name: test-load-balancer-5.0
@@ -1432,26 +1430,38 @@ functions:
 
           .evergreen/run-atlas-tests.sh
 
-  "run kmip server":
-    - command: shell.exec
+  "start csfle servers":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+    - command: subprocess.exec
       params:
         working_dir: src
-        shell: bash
+        binary: bash
+        include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+        args:
+          - ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh
+    - command: subprocess.exec
+      params:
+        working_dir: src
+        binary: bash
         background: true
-        script: |
-          ${PREPARE_SHELL}
-          export TLS_FEATURE=${TLS_FEATURE}
-          .evergreen/run-csfle-kmip-servers.sh
+        args:
+          - ${DRIVERS_TOOLS}/.evergreen/csfle/start-servers.sh
+    - command: subprocess.exec
+      params:
+        working_dir: src
+        binary: bash
+        args:
+          - ${DRIVERS_TOOLS}/.evergreen/csfle/await-servers.sh
 
-  "run mock azure imds server":
+  "stop csfle servers":
     - command: subprocess.exec
       params:
         working_dir: src
-        background: true
         binary: bash
         args:
-          - .evergreen/run-csfle-mock-azure-imds.sh
-        add_expansions_to_env: true
+          - ${DRIVERS_TOOLS}/.evergreen/csfle/stop-servers.sh
 
   "run csfle tests":
     - command: subprocess.exec
diff --git a/.evergreen/create-expansions.sh b/.evergreen/create-expansions.sh
@@ -43,7 +43,7 @@ LD_LIBRARY_PATH: "${LD_LIBRARY_PATH}"
 TMPDIR: "${TMPDIR}"
 PATH: "${PATH}"
 PROJECT: "${PROJECT}"
-AZURE_IMDS_MOCK_PORT: 44175
+AZURE_IMDS_MOCK_PORT: 8080
 PREPARE_SHELL: |
     set -o errexit
     set -o xtrace
diff --git a/.evergreen/run-csfle-tests.sh b/.evergreen/run-csfle-tests.sh
@@ -22,14 +22,7 @@ if [ "$OS" = "Windows_NT" ]; then
   export SSL_CERT_DIR=$(cygpath /etc/ssl/certs --windows)
 fi
 
-pushd ${DRIVERS_TOOLS}/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-popd
-export PYTHON=python  # use the venv-provided python
-export AWS_DEFAULT_REGION=us-east-1
-. ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
-
-echo "cargo test options: $(cargo_test_options)"
+. ./secrets-export.sh
 
 set +o errexit
 
diff --git a/src/client/auth/aws.rs b/src/client/auth/aws.rs
@@ -170,24 +170,32 @@ pub(crate) struct AwsCredential {
     expiration: Option<bson::DateTime>,
 }
 
+fn non_empty(s: Option<String>) -> Option<String> {
+    match s {
+        None => None,
+        Some(s) if s.is_empty() => None,
+        Some(s) => Some(s),
+    }
+}
+
 impl AwsCredential {
     /// Derives the credentials for an authentication attempt given the set of credentials the user
     /// passed in.
     pub(crate) async fn get(credential: &Credential, http_client: &HttpClient) -> Result<Self> {
         let access_key = credential
             .username
             .clone()
-            .or_else(|| std::env::var("AWS_ACCESS_KEY_ID").ok());
+            .or_else(|| non_empty(std::env::var("AWS_ACCESS_KEY_ID").ok()));
         let secret_key = credential
             .password
             .clone()
-            .or_else(|| std::env::var("AWS_SECRET_ACCESS_KEY").ok());
+            .or_else(|| non_empty(std::env::var("AWS_SECRET_ACCESS_KEY").ok()));
         let session_token = credential
             .mechanism_properties
             .as_ref()
             .and_then(|d| d.get_str("AWS_SESSION_TOKEN").ok())
             .map(|s| s.to_string())
-            .or_else(|| std::env::var("AWS_SESSION_TOKEN").ok());
+            .or_else(|| non_empty(std::env::var("AWS_SESSION_TOKEN").ok()));
 
         let found_access_key = access_key.is_some();
         let found_secret_key = secret_key.is_some();
diff --git a/src/test/csfle.rs b/src/test/csfle.rs
@@ -91,25 +91,25 @@ static KMS_PROVIDERS: Lazy<KmsProviderList> = Lazy::new(|| {
         (
             KmsProvider::Aws,
             doc! {
-                "accessKeyId": env("AWS_ACCESS_KEY_ID"),
-                "secretAccessKey": env("AWS_SECRET_ACCESS_KEY"),
+                "accessKeyId": env("FLE_AWS_KEY"),
+                "secretAccessKey": env("FLE_AWS_SECRET"),
             },
             None,
         ),
         (
             KmsProvider::Azure,
             doc! {
-                "tenantId": env("AZURE_TENANT_ID"),
-                "clientId": env("AZURE_CLIENT_ID"),
-                "clientSecret": env("AZURE_CLIENT_SECRET"),
+                "tenantId": env("FLE_AZURE_TENANTID"),
+                "clientId": env("FLE_AZURE_CLIENTID"),
+                "clientSecret": env("FLE_AZURE_CLIENTSECRET"),
             },
             None,
         ),
         (
             KmsProvider::Gcp,
             doc! {
-                "email": env("GCP_EMAIL"),
-                "privateKey": env("GCP_PRIVATE_KEY"),
+                "email": env("FLE_GCP_EMAIL"),
+                "privateKey": env("FLE_GCP_PRIVATEKEY"),
             },
             None,
         ),
@@ -1641,6 +1641,10 @@ impl DeadlockExpectation {
     }
 }
 
+const KMS_EXPIRED: &str = "127.0.0.1:9000";
+const KMS_WRONG_HOST: &str = "127.0.0.1:9001";
+const KMS_CORRECT: &str = "127.0.0.1:9002";
+
 // Prose test 10. KMS TLS Tests
 #[tokio::test]
 async fn kms_tls() -> Result<()> {
@@ -1649,15 +1653,15 @@ async fn kms_tls() -> Result<()> {
     }
 
     // Invalid KMS Certificate
-    let err = run_kms_tls_test("127.0.0.1:9000").await.unwrap_err();
+    let err = run_kms_tls_test(KMS_EXPIRED).await.unwrap_err();
     assert!(
         err.to_string().contains("certificate verify failed"),
         "unexpected error: {}",
         err
     );
 
     // Invalid Hostname in KMS Certificate
-    let err = run_kms_tls_test("127.0.0.1:9001").await.unwrap_err();
+    let err = run_kms_tls_test(KMS_WRONG_HOST).await.unwrap_err();
     assert!(
         err.to_string().contains("certificate verify failed"),
         "unexpected error: {}",
@@ -1716,12 +1720,12 @@ async fn kms_tls_options() -> Result<()> {
         .get_mut(&KmsProvider::Azure)
         .unwrap()
         .0
-        .insert("identityPlatformEndpoint", "127.0.0.1:9002");
+        .insert("identityPlatformEndpoint", KMS_CORRECT);
     base_providers
         .get_mut(&KmsProvider::Gcp)
         .unwrap()
         .0
-        .insert("endpoint", "127.0.0.1:9002");
+        .insert("endpoint", KMS_CORRECT);
 
     let cert_dir = PathBuf::from(std::env::var("CSFLE_TLS_CERT_DIR").unwrap());
     let ca_path = cert_dir.join("ca.pem");
@@ -1754,17 +1758,17 @@ async fn kms_tls_options() -> Result<()> {
             .get_mut(&KmsProvider::Azure)
             .unwrap()
             .0
-            .insert("identityPlatformEndpoint", "127.0.0.1:9000");
+            .insert("identityPlatformEndpoint", KMS_EXPIRED);
         providers
             .get_mut(&KmsProvider::Gcp)
             .unwrap()
             .0
-            .insert("endpoint", "127.0.0.1:9000");
+            .insert("endpoint", KMS_EXPIRED);
         providers
             .get_mut(&KmsProvider::Kmip)
             .unwrap()
             .0
-            .insert("endpoint", "127.0.0.1:9000");
+            .insert("endpoint", KMS_EXPIRED);
 
         ClientEncryption::new(
             TestClient::new().await.into_client(),
@@ -1782,17 +1786,17 @@ async fn kms_tls_options() -> Result<()> {
             .get_mut(&KmsProvider::Azure)
             .unwrap()
             .0
-            .insert("identityPlatformEndpoint", "127.0.0.1:9001");
+            .insert("identityPlatformEndpoint", KMS_WRONG_HOST);
         providers
             .get_mut(&KmsProvider::Gcp)
             .unwrap()
             .0
-            .insert("endpoint", "127.0.0.1:9001");
+            .insert("endpoint", KMS_WRONG_HOST);
         providers
             .get_mut(&KmsProvider::Kmip)
             .unwrap()
             .0
-            .insert("endpoint", "127.0.0.1:9001");
+            .insert("endpoint", KMS_WRONG_HOST);
 
         ClientEncryption::new(
             TestClient::new().await.into_client(),
@@ -1832,25 +1836,25 @@ async fn kms_tls_options() -> Result<()> {
 
     provider_test(
         &client_encryption_no_client_cert,
-        aws_key("127.0.0.1:9002"),
+        aws_key(KMS_CORRECT),
         &["SSL routines", "connection was forcibly closed"],
     )
     .await?;
     provider_test(
         &client_encryption_with_tls,
-        aws_key("127.0.0.1:9002"),
+        aws_key(KMS_CORRECT),
         &["parse error"],
     )
     .await?;
     provider_test(
         &client_encryption_expired,
-        aws_key("127.0.0.1:9000"),
+        aws_key(KMS_EXPIRED),
         &["certificate verify failed"],
     )
     .await?;
     provider_test(
         &client_encryption_invalid_hostname,
-        aws_key("127.0.0.1:9001"),
+        aws_key(KMS_WRONG_HOST),
         &["certificate verify failed"],
     )
     .await?;
