From 5fbd083ba3d04904850efe57c4938b358c047da4 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Tue, 6 Jul 2021 14:42:55 -0700 Subject: [PATCH 01/17] PYTHON-2608 Test that KMS TLS connections verify peer certificates --- .evergreen/config.yml | 43 ++++++++++++++++++++++++++++++++++++++++- test/test_encryption.py | 30 ++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index ed5b99b7e1..fbb5353bab 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -97,7 +97,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ $DRIVERS_TOOLS else - git clone git://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS + git clone git://github.com/ShaneHarvey/drivers-evergreen-tools.git --branch DRIVERS-1560-allow-mock-kms-port $DRIVERS_TOOLS fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config 
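Review bot: The clone on the `+` line now follows a mutable branch (`DRIVERS-1560-allow-mock-kms-port`) on a personal fork over the unauthenticated `git://` transport, so every non-patch CI run fetches whatever that ref points at today, with no integrity check, and then sources it (`set-temp-creds.sh`, `run-orchestration.sh`) from tasks that hold AWS temporary credentials. Even as a short-lived pin, prefer `https://` plus a commit SHA so the tooling that ends up in the task is reproducible and tamper-evident, e.g. `git clone https://github.com/ShaneHarvey/drivers-evergreen-tools.git $DRIVERS_TOOLS && git -C $DRIVERS_TOOLS checkout <sha>`. A comment on the line saying why the fork is needed and when it is to be reverted would stop the pin from outliving its purpose.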
@@ -359,6 +359,47 @@ functions: PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh "run tests": + # If testing encryption start the mock KMS servers. + - command: shell.exec + type: system + params: + working_dir: src + background: true + script: | + if [ -n "${test_encryption}" ]; then + ${PREPARE_SHELL} + cd ${DRIVERS_TOOLS}/.evergreen/auth_aws + . ./activate_venv.sh + cd ${DRIVERS_TOOLS}/.evergreen/csfle + cat < kms_setup.json + { + "kms_ca_file": "ca.pem", + "kms_cert_file": "expired.pem", + "kms_port": "8000" + } + EOF + mongo --nodb mock_kms.js + fi + - command: shell.exec + type: system + params: + working_dir: src + background: true + script: | + if [ -n "${test_encryption}" ]; then + ${PREPARE_SHELL} + cd ${DRIVERS_TOOLS}/.evergreen/auth_aws + . ./activate_venv.sh + cd ${DRIVERS_TOOLS}/.evergreen/csfle + cat < kms_setup.json + { + "kms_ca_file": "ca.pem", + "kms_cert_file": "wrong-host.pem", + "kms_port": "8001" + } + EOF + mongo --nodb mock_kms.js + fi - command: shell.exec type: test params: diff --git a/test/test_encryption.py b/test/test_encryption.py index a63311d720..b4d8547a9a 100644 --- a/test/test_encryption.py +++ b/test/test_encryption.py 
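Review bot: `cat < kms_setup.json` in both new steps redirects stdin *from* the file instead of opening a here-document, so `kms_setup.json` is never written; the command fails when the file is absent and, unless `${PREPARE_SHELL}` enables errexit, the JSON lines that follow are then run as shell commands before `mongo --nodb mock_kms.js` starts with no configuration. Each step needs `cat > kms_setup.json <<EOF` (with `EOF` as the first non-blank text of its line inside the YAML block). Because the two steps differ only in the certificate and port, one step that loops over the cert/port pairs would also remove the duplicated heredoc.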
@@ -1624,5 +1624,35 @@ def test_bypassAutoEncryption(self): mongocryptd_client.admin.command('ping') +# https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#kms-tls-tests +class TestKmsTLSProse(EncryptionIntegrationTest): + @unittest.skipUnless(any(AWS_CREDS.values()), + 'AWS environment credentials are not set') + def setUp(self): + self.client_encrypted = ClientEncryption( + {'aws': AWS_CREDS}, 'keyvault.datakeys', self.client, OPTS) + self.addCleanup(self.client_encrypted.close) + + def test_invalid_kms_certificate_expired(self): + key = { + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/" + "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + "endpoint": "mongodb://127.0.0.1:8000", + } + with self.assertRaisesRegex(EncryptionError, 'expired'): + self.client_encrypted.create_data_key('aws', master_key=key) + + def test_invalid_hostname_in_kms_certificate(self): + key = { + "region": "us-east-1", + "key": "arn:aws:kms:us-east-1:579766882180:key/" + "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", + "endpoint": "mongodb://127.0.0.1:8001", + } + with self.assertRaisesRegex(EncryptionError, 'SANs'): + self.client_encrypted.create_data_key('aws', master_key=key) + + if __name__ == "__main__": unittest.main() From dc15b29193fae82be7a7e5e0478f666dcbc38faf Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Tue, 6 Jul 2021 16:30:13 -0700 Subject: [PATCH 02/17] PYTHON-2608 Fix KMS setup --- .evergreen/config.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index fbb5353bab..07ba0d55a7 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
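Review bot: The two negative tests can only fail for the asserted reason if the CA that issued the mock servers' certificates (the drivers-evergreen-tools test `ca.pem`) is trusted by the TLS context pymongo builds for the KMS connection; nothing in `setUp` configures that, so with the default system store the handshake is presumably rejected as an unknown issuer and neither `expired` nor `SANs` matches, leaving the suite erroring instead of demonstrating that peer verification is enforced. The class should point the KMS TLS context at that CA (a CA-file option on the KMS client if one exists, otherwise the environment the harness controls) so that expiry and hostname are the *only* defects in each certificate. The fragments `expired` and `SANs` are also one backend's error wording; if this must run under both the stdlib `ssl` module and pyOpenSSL, expect the text to differ and document the accepted variants in a comment next to each `assertRaisesRegex`.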
@@ -360,6 +360,18 @@ functions: "run tests": # If testing encryption start the mock KMS servers. + # First create the virtualenv upfront. + - command: shell.exec + type: system + params: + working_dir: src + script: | + if [ -n "${test_encryption}" ]; then + ${PREPARE_SHELL} + cd ${DRIVERS_TOOLS}/.evergreen/auth_aws + . ./activate_venv.sh + fi + # Start the first mock KMS responder. - command: shell.exec type: system params: @@ -371,15 +383,9 @@ functions: cd ${DRIVERS_TOOLS}/.evergreen/auth_aws . ./activate_venv.sh cd ${DRIVERS_TOOLS}/.evergreen/csfle - cat < kms_setup.json - { - "kms_ca_file": "ca.pem", - "kms_cert_file": "expired.pem", - "kms_port": "8000" - } - EOF - mongo --nodb mock_kms.js + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 fi + # Start the second mock KMS responder. - command: shell.exec type: system params: @@ -391,14 +397,7 @@ functions: cd ${DRIVERS_TOOLS}/.evergreen/auth_aws . ./activate_venv.sh cd ${DRIVERS_TOOLS}/.evergreen/csfle - cat < kms_setup.json - { - "kms_ca_file": "ca.pem", - "kms_cert_file": "wrong-host.pem", - "kms_port": "8001" - } - EOF - mongo --nodb mock_kms.js + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 fi - command: shell.exec type: test From febb713fd7c3e14c3e9f99d9e8b9617ed439fbaa Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Tue, 6 Jul 2021 16:43:21 -0700 Subject: [PATCH 03/17] PYTHON-2608 Revert back to using regular evg-tools --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 07ba0d55a7..d66736da07 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
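Review bot: The second responder in the last hunk is launched with the same certificate and port as the first (`expired.pem`, `8000`), so either the second process fails to bind or `test_invalid_hostname_in_kms_certificate` is served by the expired-cert server and nothing listens on 8001; the line should read `python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001`. Since the two background steps are otherwise identical, collapsing them into one step that iterates over cert/port pairs would make this copy-paste error structurally impossible.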
@@ -97,7 +97,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ $DRIVERS_TOOLS else - git clone git://github.com/ShaneHarvey/drivers-evergreen-tools.git --branch DRIVERS-1560-allow-mock-kms-port $DRIVERS_TOOLS + git clone git://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config From d449fc70998911d575d2ae75d645e475770273ba Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Tue, 6 Jul 2021 16:48:52 -0700 Subject: [PATCH 04/17] PYTHON-2608 Fix wrong port+cert --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index d66736da07..c8d8f928bc 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -397,7 +397,7 @@ functions: cd ${DRIVERS_TOOLS}/.evergreen/auth_aws . ./activate_venv.sh cd ${DRIVERS_TOOLS}/.evergreen/csfle - python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 fi - command: shell.exec type: test From 33a0ea55c44d313a5030fdb285311b970e1ea2a7 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 10:18:08 -0700 Subject: [PATCH 05/17] PYTHON-2608 Set SSL_CERT_FILE to configure certs in test --- test/test_encryption.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/test/test_encryption.py b/test/test_encryption.py index b4d8547a9a..1e3a29790e 100644 --- a/test/test_encryption.py +++ b/test/test_encryption.py @@ -19,6 +19,7 @@ import os import traceback import socket +import ssl import sys import textwrap import uuid 
@@ -49,6 +50,7 @@ WriteError) from pymongo.mongo_client import MongoClient from pymongo.operations import InsertOne +from pymongo.ssl_support import _ssl from pymongo.write_concern import WriteConcern from test import unittest, IntegrationTest, PyMongoTestCase, client_context @@ -60,6 +62,7 @@ rs_or_single_client, wait_until) from test.utils_spec_runner import SpecRunner +from test.test_ssl import CA_PEM def get_client_opts(client): @@ -1629,6 +1632,24 @@ class TestKmsTLSProse(EncryptionIntegrationTest): @unittest.skipUnless(any(AWS_CREDS.values()), 'AWS environment credentials are not set') def setUp(self): + if sys.platform == "win32": + self.skipTest("Can't test system ca certs on Windows.") + + if (ssl.OPENSSL_VERSION.lower().startswith('libressl') and + sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL): + self.skipTest( + "LibreSSL on OSX doesn't support setting CA certificates " + "using SSL_CERT_FILE environment variable.") + self.original_certs = os.environ.get('SSL_CERT_FILE') + def restore_certs(): + if self.original_certs is None: + os.environ.pop('SSL_CERT_FILE') + else: + os.environ['SSL_CERT_FILE'] = self.original_certs + # Tell OpenSSL where CA certificates live. + os.environ['SSL_CERT_FILE'] = CA_PEM + self.addCleanup(restore_certs) + self.client_encrypted = ClientEncryption( {'aws': AWS_CREDS}, 'keyvault.datakeys', self.client, OPTS) self.addCleanup(self.client_encrypted.close) From caa3f3a5a320794593037055240a2fb39a21b59a Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 10:49:37 -0700 Subject: [PATCH 06/17] PYTHON-2608 Test with updated wrong-host.pem --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index c8d8f928bc..ba3b8b3ef3 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
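Review bot: Assigning `os.environ['SSL_CERT_FILE']` in `setUp` mutates process-wide state: every `SSLContext` that loads default certificates while the test runs — including the driver's own connections to the test cluster and any other test executing in the same process — picks up `CA_PEM` in place of the platform CA file, so a TLS-enabled run can see unrelated verification failures that the later cleanup cannot undo. If the KMS client offers a CA-file option, passing `CA_PEM` there scopes the trust decision to the KMS connection and removes the env-var dance; otherwise at least call `self.addCleanup(restore_certs)` *before* the assignment so the restore is registered even if a later line in `setUp` raises. Whether pyOpenSSL-backed contexts (`_ssl.IS_PYOPENSSL`) honour `SSL_CERT_FILE` at all is not visible in this diff; the skip only covers the LibreSSL-on-macOS case, so a comment recording where that was verified would help the next maintainer.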
@@ -97,7 +97,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ $DRIVERS_TOOLS else - git clone git://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS + git clone git://github.com/ShaneHarvey/drivers-evergreen-tools.git --branch DRIVERS-1560-fix-self-signed-cert $DRIVERS_TOOLS fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config From 8f9f18277fdd591e8b8d36de8ea802dd05b5fb68 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 11:10:50 -0700 Subject: [PATCH 07/17] PYTHON-2608 See full tls errors --- test/test_encryption.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/test/test_encryption.py b/test/test_encryption.py index 1e3a29790e..ad1df1a8c7 100644 --- a/test/test_encryption.py +++ b/test/test_encryption.py @@ -1661,18 +1661,18 @@ def test_invalid_kms_certificate_expired(self): "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", "endpoint": "mongodb://127.0.0.1:8000", } - with self.assertRaisesRegex(EncryptionError, 'expired'): - self.client_encrypted.create_data_key('aws', master_key=key) + # with self.assertRaisesRegex(EncryptionError, 'expired'): + self.client_encrypted.create_data_key('aws', master_key=key) def test_invalid_hostname_in_kms_certificate(self): key = { "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/" "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "mongodb://127.0.0.1:8001", + "endpoint": "mongodb://localhost:8001", } - with self.assertRaisesRegex(EncryptionError, 'SANs'): - self.client_encrypted.create_data_key('aws', master_key=key) + # with self.assertRaisesRegex(EncryptionError, 'SANs'): + self.client_encrypted.create_data_key('aws', master_key=key) if __name__ == "__main__": From 2be2897faf03b94f2a99642374f5da485b5c3f25 Mon Sep 17 00:00:00 2001 
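Review bot: Commenting out both `assertRaisesRegex` blocks inverts the tests: `test_invalid_kms_certificate_expired` and `test_invalid_hostname_in_kms_certificate` now pass only if `create_data_key` succeeds against an expired or mis-named certificate — that is, only when peer verification is *not* enforced — and they error rather than fail in the secure case. That is fine for a throwaway debugging run but must not reach the main branch; the full error text can be inspected without dropping the assertion, e.g. `with self.assertRaises(EncryptionError) as ctx:` followed by `self.assertRegex(str(ctx.exception), 'expired')`. Switching the endpoint to `localhost:8001` also changes which name check fires against `wrong-host.pem` (DNS name rather than IP SAN), so the observed wording will not be the one the `127.0.0.1` variant produces.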
From: Shane Harvey Date: Wed, 7 Jul 2021 11:28:31 -0700 Subject: [PATCH 08/17] PYTHON-2608 Test cleanup --- test/test_encryption.py | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/test/test_encryption.py b/test/test_encryption.py index ad1df1a8c7..6e8c1b1809 100644 --- a/test/test_encryption.py +++ b/test/test_encryption.py @@ -1629,17 +1629,15 @@ def test_bypassAutoEncryption(self): # https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#kms-tls-tests class TestKmsTLSProse(EncryptionIntegrationTest): + @unittest.skipIf(sys.platform == 'win32', + "Can't test system ca certs on Windows") + @unittest.skipIf(ssl.OPENSSL_VERSION.lower().startswith('libressl') and + sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL, + "LibreSSL on OSX doesn't support setting CA certificates " + "using SSL_CERT_FILE environment variable.") @unittest.skipUnless(any(AWS_CREDS.values()), 'AWS environment credentials are not set') def setUp(self): - if sys.platform == "win32": - self.skipTest("Can't test system ca certs on Windows.") - - if (ssl.OPENSSL_VERSION.lower().startswith('libressl') and - sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL): - self.skipTest( - "LibreSSL on OSX doesn't support setting CA certificates " - "using SSL_CERT_FILE environment variable.") self.original_certs = os.environ.get('SSL_CERT_FILE') def restore_certs(): if self.original_certs is None: 
@@ -1661,18 +1659,20 @@ def test_invalid_kms_certificate_expired(self): "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", "endpoint": "mongodb://127.0.0.1:8000", } - # with self.assertRaisesRegex(EncryptionError, 'expired'): - self.client_encrypted.create_data_key('aws', master_key=key) + # certificate verify failed: certificate has expired (_ssl.c:1129) + with self.assertRaisesRegex(EncryptionError, 'expired'): + self.client_encrypted.create_data_key('aws', master_key=key) def test_invalid_hostname_in_kms_certificate(self): key = { "region": "us-east-1", "key": "arn:aws:kms:us-east-1:579766882180:key/" "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", - "endpoint": "mongodb://localhost:8001", + "endpoint": "mongodb://127.0.0.1:8001", } - # with self.assertRaisesRegex(EncryptionError, 'SANs'): - self.client_encrypted.create_data_key('aws', master_key=key) + # certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)" + with self.assertRaisesRegex(EncryptionError, 'IP address mismatch'): + self.client_encrypted.create_data_key('aws', master_key=key) if __name__ == "__main__": From b03484d883179c26c8992a0710bb38618e2fa6e0 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 11:51:12 -0700 Subject: [PATCH 09/17] PYTHON-2608 Cleanup evg test setup --- .evergreen/config.yml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index ba3b8b3ef3..db79eef4dd 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
@@ -360,16 +360,16 @@ functions: "run tests": # If testing encryption start the mock KMS servers. - # First create the virtualenv upfront. + # First create the virtualenv and install dependencies. - command: shell.exec type: system params: working_dir: src script: | - if [ -n "${test_encryption}" ]; then - ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate_venv.sh + if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then + . .evergreen/utils.sh + createvirtualenv ${python3_binary} venvmockkms + python -m pip install boto3 fi # Start the first mock KMS responder. - command: shell.exec @@ -378,10 +378,9 @@ functions: working_dir: src background: true script: | - if [ -n "${test_encryption}" ]; then + if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate_venv.sh + . ./venvmockkms/bin/activate cd ${DRIVERS_TOOLS}/.evergreen/csfle python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 fi @@ -392,10 +391,9 @@ functions: working_dir: src background: true script: | - if [ -n "${test_encryption}" ]; then + if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate_venv.sh + . ./venvmockkms/bin/activate cd ${DRIVERS_TOOLS}/.evergreen/csfle python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 fi From 2671c406ce38b8dbac2b8623082c829e7dac106d Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 12:16:30 -0700 Subject: [PATCH 10/17] PYTHON-2608 Revert drivers-evergreen-tools branch change --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index db79eef4dd..195220c2c1 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
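Review bot: `python -m pip install boto3` in the first hunk pulls an unpinned package from PyPI at task start, whereas the repository's encryption requirements already pin `boto3<2`; installing the same spec here (`python -m pip install 'boto3<2'`, or `-r .evergreen/test-encryption-requirements.txt`) keeps the two environments from drifting and stops a bad upstream release from silently changing the KMS fixture. It is not visible from this diff whether `lib/kms_http_server.py` needs boto3 at all; if it only uses the stdlib, the separate venv and the network install can go. The `-a` operator inside `[ ]` is marked obsolescent by POSIX; `[ -n "${test_encryption}" ] && [ "$OS" != "Windows_NT" ]` is the portable spelling.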
@@ -97,7 +97,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ $DRIVERS_TOOLS else - git clone git://github.com/ShaneHarvey/drivers-evergreen-tools.git --branch DRIVERS-1560-fix-self-signed-cert $DRIVERS_TOOLS + git clone git://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config From ead47996ef136c2b41ddb21d0ab53b54e12c815e Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 16:55:00 -0700 Subject: [PATCH 11/17] PYTHON-2608 Attempt to simplify mock kms setup --- .evergreen/config.yml | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 195220c2c1..eff130e6b3 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -362,7 +362,7 @@ functions: # If testing encryption start the mock KMS servers. # First create the virtualenv and install dependencies. - command: shell.exec - type: system + type: setup params: working_dir: src script: | @@ -371,22 +371,9 @@ functions: createvirtualenv ${python3_binary} venvmockkms python -m pip install boto3 fi - # Start the first mock KMS responder. - - command: shell.exec - type: system - params: - working_dir: src - background: true - script: | - if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then - ${PREPARE_SHELL} - . ./venvmockkms/bin/activate - cd ${DRIVERS_TOOLS}/.evergreen/csfle - python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 - fi - # Start the second mock KMS responder. + # Start the mock KMS responders. - command: shell.exec - type: system + type: setup params: working_dir: src background: true 
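Review bot: The restored clone still uses the `git://` transport, which carries no authentication or integrity protection: a network-position attacker can substitute the drivers-evergreen-tools checkout, and that checkout is subsequently sourced (`set-temp-creds.sh`, `run-orchestration.sh`) by tasks holding AWS credentials. Use `git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS` and, ideally, check out a known commit afterwards so the tooling is pinned. GitHub has also deprecated the unauthenticated git protocol, so the `https://` form is what keeps this line working going forward.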
@@ -395,6 +382,7 @@ functions: ${PREPARE_SHELL} . ./venvmockkms/bin/activate cd ${DRIVERS_TOOLS}/.evergreen/csfle + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 & python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 fi - command: shell.exec From ba634c016bd0aecd162793bb2c262cd4883c7673 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 17:16:16 -0700 Subject: [PATCH 12/17] PYTHON-2608 Make test portable --- test/test_encryption.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/test/test_encryption.py b/test/test_encryption.py index 6e8c1b1809..d79339d41b 100644 --- a/test/test_encryption.py +++ b/test/test_encryption.py @@ -1659,8 +1659,11 @@ def test_invalid_kms_certificate_expired(self): "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", "endpoint": "mongodb://127.0.0.1:8000", } + # Some examples: # certificate verify failed: certificate has expired (_ssl.c:1129) - with self.assertRaisesRegex(EncryptionError, 'expired'): + # amazon1-2018 Python 3.6: certificate verify failed (_ssl.c:852) + with self.assertRaisesRegex( + EncryptionError, 'expired|certificate verify failed'): self.client_encrypted.create_data_key('aws', master_key=key) def test_invalid_hostname_in_kms_certificate(self): @@ -1670,8 +1673,11 @@ def test_invalid_hostname_in_kms_certificate(self): "89fcc2c4-08b0-4bd9-9f25-e30687b580d0", "endpoint": "mongodb://127.0.0.1:8001", } + # Some examples: # certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)" - with self.assertRaisesRegex(EncryptionError, 'IP address mismatch'): + # hostname '127.0.0.1' doesn't match 'wronghost.com' + with self.assertRaisesRegex( + EncryptionError, 'IP address mismatch|wronghost'): self.client_encrypted.create_data_key('aws', master_key=key) From 80d513ed7781a1f2a2be99af12c1020b91205038 Mon Sep 17 00:00:00 2001 
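Review bot: Widening the pattern to `'expired|certificate verify failed'` means `test_invalid_kms_certificate_expired` now passes on *any* verification failure — including an untrusted-issuer rejection when `SSL_CERT_FILE` is not honoured by the backend — which is exactly the misconfiguration the test is meant to distinguish from an enforced expiry check. On platforms whose error text carries the reason, exclude the trust failures explicitly, e.g. `with self.assertRaisesRegex(EncryptionError, 'expired|certificate verify failed') as ctx:` then `self.assertNotRegex(str(ctx.exception), 'local issuer|self signed')`. For the amazon1-2018/Python 3.6 case the comment records, where only the bare `certificate verify failed` is available, the honest way to keep the test meaningful is a positive control: a third responder with a certificate valid for 127.0.0.1 that `create_data_key` must get past the TLS handshake with, proving the CA is trusted before the negative results are believed. The hostname test's `IP address mismatch|wronghost` pattern is still specific and does not have this problem.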
From: Shane Harvey Date: Wed, 7 Jul 2021 17:38:03 -0700 Subject: [PATCH 13/17] PYTHON-2798 attempt to fix with certifi --- .evergreen/test-encryption-requirements.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.evergreen/test-encryption-requirements.txt b/.evergreen/test-encryption-requirements.txt index d02df867ad..78eed0bdd5 100644 --- a/.evergreen/test-encryption-requirements.txt +++ b/.evergreen/test-encryption-requirements.txt @@ -2,3 +2,5 @@ cffi>=1.12.0,<2 cryptography>=2 # boto3 is required by drivers-evergreen-tools/.evergreen/csfle/set-temp-creds.sh boto3<2 +# Needed on Windows due to PYTHON-2798. +certifi; platform_system == 'Windows' From 2b3a8be843a28ea39b764f6aa280a6e9e9c04961 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 7 Jul 2021 17:51:47 -0700 Subject: [PATCH 14/17] Revert "PYTHON-2798 attempt to fix with certifi" This reverts commit 01d736743ee7a5951901145bfe351603745a87c8. --- .evergreen/test-encryption-requirements.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/.evergreen/test-encryption-requirements.txt b/.evergreen/test-encryption-requirements.txt index 78eed0bdd5..d02df867ad 100644 --- a/.evergreen/test-encryption-requirements.txt +++ b/.evergreen/test-encryption-requirements.txt @@ -2,5 +2,3 @@ cffi>=1.12.0,<2 cryptography>=2 # boto3 is required by drivers-evergreen-tools/.evergreen/csfle/set-temp-creds.sh boto3<2 -# Needed on Windows due to PYTHON-2798. -certifi; platform_system == 'Windows' From b91ce53ef19cce650d097d967b0c534c7ae4aee0 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Fri, 9 Jul 2021 10:05:08 -0700 Subject: [PATCH 15/17] PYTHON-2608 Move KMS setup to run-test --- .evergreen/config.yml | 26 -------------------------- .evergreen/run-tests.sh | 8 ++++++++ 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index eff130e6b3..ed5b99b7e1 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
@@ -359,32 +359,6 @@ functions: PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh "run tests": - # If testing encryption start the mock KMS servers. - # First create the virtualenv and install dependencies. - - command: shell.exec - type: setup - params: - working_dir: src - script: | - if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then - . .evergreen/utils.sh - createvirtualenv ${python3_binary} venvmockkms - python -m pip install boto3 - fi - # Start the mock KMS responders. - - command: shell.exec - type: setup - params: - working_dir: src - background: true - script: | - if [ -n "${test_encryption}" -a "$OS" != "Windows_NT" ]; then - ${PREPARE_SHELL} - . ./venvmockkms/bin/activate - cd ${DRIVERS_TOOLS}/.evergreen/csfle - python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 & - python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 - fi - command: shell.exec type: test params: diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh index 4577d2160c..e2f6ed4b50 100755 --- a/.evergreen/run-tests.sh +++ b/.evergreen/run-tests.sh @@ -144,6 +144,14 @@ if [ -n "$TEST_ENCRYPTION" ]; then # Get access to the AWS temporary credentials: # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN . $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh + + # Start the mock KMS servers. + if [ "$OS" != "Windows_NT" ]; then + pushd ${DRIVERS_TOOLS}/.evergreen/csfle + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 & + python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 & + popd + fi fi if [ -z "$DATA_LAKE" ]; then From 9ffa4de8f56de578cbfd85401a584d16b899c875 Mon Sep 17 00:00:00 2001 
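Review bot: Both mock KMS servers in the run-tests.sh hunk are forked with `&` and the script proceeds immediately, so the first KMS test can reach a port that is not yet listening; the resulting connection-refused `EncryptionError` matches neither `expired` nor `IP address mismatch` and the suite fails intermittently instead of deterministically. Poll each port until it accepts a TCP connection before continuing, bounded so a server that never comes up does not hang the task. Note that at this point in the series config.yml still invokes this script with `sh`, while `pushd`/`popd` are bash builtins; either the invocation or the script's shebang needs to be bash for this block to run. The enclosing `if [ -n "$TEST_ENCRYPTION" ]` block starts outside the hunk.
```shell
    # … unchanged: pushd + the two kms_http_server.py launches …
    popd
    # Block until both responders accept TCP connections so the first test
    # cannot race the server start-up; bounded so a server that never comes
    # up does not hang the task.
    for port in 8000 8001; do
        for _ in $(seq 1 30); do
            python -c "import socket, sys; s = socket.socket(); s.settimeout(1); sys.exit(s.connect_ex(('127.0.0.1', $port)))" && break
            sleep 1
        done
    done
```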
From: Shane Harvey Date: Fri, 9 Jul 2021 11:25:28 -0700 Subject: [PATCH 16/17] PYTHON-2608 Kill background KMS servers at exit --- .evergreen/run-tests.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh index e2f6ed4b50..00d095d727 100755 --- a/.evergreen/run-tests.sh +++ b/.evergreen/run-tests.sh @@ -150,6 +150,7 @@ if [ -n "$TEST_ENCRYPTION" ]; then pushd ${DRIVERS_TOOLS}/.evergreen/csfle python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 & python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 & + trap 'kill $(jobs -p)' EXIT HUP popd fi fi From f9341dfad623b26ac8ed19b7fbf4fa43fc9fa02e Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Fri, 9 Jul 2021 12:00:43 -0700 Subject: [PATCH 17/17] PYTHON-2608 Use bash, it's not 1979 anymore --- .evergreen/config.yml | 22 +++++++++++----------- .evergreen/install-dependencies.sh | 2 +- .evergreen/run-mod-wsgi-tests.sh | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index ed5b99b7e1..3c365d66bd 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -292,7 +292,7 @@ functions: DISABLE_TEST_COMMANDS=${DISABLE_TEST_COMMANDS} \ ORCHESTRATION_FILE=${ORCHESTRATION_FILE} \ REQUIRE_API_VERSION=${REQUIRE_API_VERSION} \ - sh ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh + bash ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh # run-orchestration generates expansion file with the MONGODB_URI for the cluster - command: expansions.update params: @@ -310,7 +310,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - sh ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/build-mongohouse-local.sh + bash ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/build-mongohouse-local.sh - command: shell.exec type: setup params: 
@@ -318,7 +318,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - sh ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/run-mongohouse-local.sh + bash ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/run-mongohouse-local.sh "stop mongo-orchestration": - command: shell.exec @@ -326,7 +326,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - sh ${DRIVERS_TOOLS}/.evergreen/stop-orchestration.sh + bash ${DRIVERS_TOOLS}/.evergreen/stop-orchestration.sh "run mod_wsgi tests": - command: shell.exec @@ -336,7 +336,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - PYTHON_BINARY=${PYTHON_BINARY} MOD_WSGI_VERSION=${MOD_WSGI_VERSION} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-mod-wsgi-tests.sh + PYTHON_BINARY=${PYTHON_BINARY} MOD_WSGI_VERSION=${MOD_WSGI_VERSION} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-mod-wsgi-tests.sh "run mockupdb tests": - command: shell.exec @@ -346,7 +346,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - PYTHON_BINARY=${PYTHON_BINARY} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-mockupdb-tests.sh + PYTHON_BINARY=${PYTHON_BINARY} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-mockupdb-tests.sh "run doctests": - command: shell.exec @@ -356,7 +356,7 @@ functions: script: | set -o xtrace ${PREPARE_SHELL} - PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh + PYTHON_BINARY=${PYTHON_BINARY} bash ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh "run tests": - command: shell.exec @@ -425,7 +425,7 @@ functions: SSL=${SSL} \ DATA_LAKE=${DATA_LAKE} \ MONGODB_API_VERSION=${MONGODB_API_VERSION} \ - sh ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh + bash ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh "run enterprise auth tests": - command: shell.exec 
@@ -435,7 +435,7 @@ functions: working_dir: "src" script: | # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does) - PYTHON_BINARY=${PYTHON_BINARY} SASL_HOST=${sasl_host} SASL_PORT=${sasl_port} SASL_USER=${sasl_user} SASL_PASS=${sasl_pass} SASL_DB=${sasl_db} PRINCIPAL=${principal} GSSAPI_DB=${gssapi_db} KEYTAB_BASE64=${keytab_base64} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-enterprise-auth-tests.sh + PYTHON_BINARY=${PYTHON_BINARY} SASL_HOST=${sasl_host} SASL_PORT=${sasl_port} SASL_USER=${sasl_user} SASL_PASS=${sasl_pass} SASL_DB=${sasl_db} PRINCIPAL=${principal} GSSAPI_DB=${gssapi_db} KEYTAB_BASE64=${keytab_base64} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-enterprise-auth-tests.sh "run atlas tests": - command: shell.exec @@ -705,7 +705,7 @@ functions: ${PREPARE_SHELL} file="${PROJECT_DIRECTORY}/.evergreen/install-dependencies.sh" # Don't use ${file} syntax here because evergreen treats it as an empty expansion. - [ -f "$file" ] && sh $file || echo "$file not available, skipping" + [ -f "$file" ] && bash $file || echo "$file not available, skipping" "run-ocsp-test": - command: shell.exec @@ -717,7 +717,7 @@ functions: PYTHON_BINARY=${PYTHON_BINARY} \ CA_FILE="$DRIVERS_TOOLS/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem" \ OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \ - sh ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh + bash ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh run-valid-ocsp-server: - command: shell.exec diff --git a/.evergreen/install-dependencies.sh b/.evergreen/install-dependencies.sh index f28a957746..9f4bcdbb59 100644 --- a/.evergreen/install-dependencies.sh +++ b/.evergreen/install-dependencies.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -o xtrace # Write all commands first to stderr set -o errexit # Exit the script with error if any of the commands fail 
diff --git a/.evergreen/run-mod-wsgi-tests.sh b/.evergreen/run-mod-wsgi-tests.sh index 5e8b7ca2ac..725023cc3a 100644 --- a/.evergreen/run-mod-wsgi-tests.sh +++ b/.evergreen/run-mod-wsgi-tests.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -o xtrace set -o errexit