-
Notifications
You must be signed in to change notification settings - Fork 455
CDRIVER-4454 add integration tests for Azure KMS #1124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
32 commits
Select commit
Hold shift + click to select a range
ba846d4
WIP: add testazurekms_task_group to create and destroy an Azure vm
kevinAlbs c89ecb4
TEMP: add xtrace
kevinAlbs f65610a
fix spelling
kevinAlbs 787a93e
remove .json suffix
kevinAlbs 904cd56
use chmod 600 on private key file
kevinAlbs b49378d
add test-azurekms
kevinAlbs 6ccb1d8
add compile script
kevinAlbs 73afe98
remove additional optional dependencies
kevinAlbs e47105a
clone libmongocrypt 1.6.0
kevinAlbs 6e9b916
use type:test in testazurekms-task
kevinAlbs c92c001
parameterize the keyName and keyVaultEndpoint
kevinAlbs dbff90c
test running on remote
kevinAlbs d6475d6
TEMP: add intentional failure to test task failure
kevinAlbs 502f0ed
fix placement of setup and test
kevinAlbs 6a0ce51
Remove intentional error
kevinAlbs c67b5c8
add testazurekms-fail-task
kevinAlbs 60f4f8f
update expected error
kevinAlbs 6a80d31
add required AZUREKMS_VMNAME_PREFIX
kevinAlbs 80fa14c
remove xtrace
kevinAlbs ba7db5b
add minimal support for TaskGroup
kevinAlbs 61807f7
move Azure KMS config into python scripts
kevinAlbs 2521f5d
update comment
kevinAlbs eb8d691
Merge branch 'master' into DRIVERS-2411
kevinAlbs eb16079
rename DRIVER_TOOLS to DRIVERS_TOOLS
kevinAlbs c671361
use debian 10
kevinAlbs 3fed994
pass paths rather than relying on the working directory
kevinAlbs f31f4c2
remove cmake options soon to be superceded
kevinAlbs 77c5fb7
use . instead of ~
kevinAlbs 453d3d3
update git clone of drivers-evergreen-tools
kevinAlbs 38864a1
use $PWD in LD_LIBRARY_PATH
kevinAlbs 1adac5c
check KEY_NAME and KEY_VAULT_ENDPOINT env vars
kevinAlbs 4d9869a
merge decl+init
kevinAlbs File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/usr/bin/env bash | ||
| set -o errexit | ||
| set -o pipefail | ||
| set -o nounset | ||
|
|
||
| # Working directory is expected to be mongo-c-driver repo. | ||
| ROOT=$(pwd) | ||
| INSTALL_DIR=$ROOT/install | ||
| . .evergreen/find-cmake.sh | ||
| echo "Installing libmongocrypt ... begin" | ||
| git clone https://github.com/mongodb/libmongocrypt --branch 1.6.0 | ||
| $CMAKE -DCMAKE_INSTALL_PREFIX="$INSTALL_DIR" \ | ||
| -DBUILD_TESTING=OFF \ | ||
| "-H$ROOT/libmongocrypt" \ | ||
| "-B$ROOT/libmongocrypt" | ||
| $CMAKE --build "$ROOT/libmongocrypt" --target install | ||
| echo "Installing libmongocrypt ... end" | ||
|
|
||
| echo "Compile test-azurekms ... begin" | ||
| # Disable unnecessary dependencies. test-azurekms is copied to a remote host for testing, which may not have all dependent libraries. | ||
| $CMAKE \ | ||
| -DENABLE_SASL=OFF \ | ||
| -DENABLE_SNAPPY=OFF \ | ||
| -DENABLE_ZSTD=OFF \ | ||
| -DENABLE_ZLIB=OFF \ | ||
| -DENABLE_ICU=OFF \ | ||
| -DENABLE_SRV=OFF \ | ||
| -DENABLE_CLIENT_SIDE_ENCRYPTION=ON \ | ||
| -DCMAKE_PREFIX_PATH=$INSTALL_DIR \ | ||
| . | ||
| $CMAKE --build . --target test-azurekms | ||
| echo "Compile test-azurekms ... end" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # Copyright 2018-present MongoDB, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| from evergreen_config_generator import ConfigObject | ||
|
|
||
|
|
||
| class TaskGroup(ConfigObject): | ||
| def __init__(self, name): | ||
| super(TaskGroup, self).__init__() | ||
| self._task_group_name = name | ||
|
|
||
| @property | ||
| def name(self): | ||
| return self._task_group_name | ||
|
|
||
| def to_dict(self): | ||
| v = super(TaskGroup, self).to_dict() | ||
| # See possible TaskGroup attributes from the Evergreen wiki: | ||
| # https://github.com/evergreen-ci/evergreen/wiki/Project-Configuration-Files#task-groups | ||
| attrs = [ | ||
| 'setup_group', | ||
| 'teardown_group', | ||
| 'setup_task', | ||
| 'teardown_task', | ||
| 'max_hosts', | ||
| 'timeout', | ||
| 'setup_group_can_fail_task', | ||
| 'setup_group_timeout_secs', | ||
| 'setup_group_can_fail_task', | ||
| 'share_processes', | ||
| 'tasks' | ||
| ] | ||
|
|
||
| for i in attrs: | ||
| if getattr(self, i, None): | ||
| v[i] = getattr(self, i) | ||
| return v |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Copyright 2018-present MongoDB, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| all_task_groups = [] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,141 @@ | ||
| #!/usr/bin/env python | ||
| # | ||
| # Copyright 2022-present MongoDB, Inc. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
|
|
||
| from collections import OrderedDict as OD | ||
|
|
||
| from evergreen_config_generator.functions import (shell_exec, func) | ||
| from evergreen_config_generator.tasks import (NamedTask) | ||
| from evergreen_config_generator.variants import (Variant) | ||
| from evergreen_config_generator.taskgroups import (TaskGroup) | ||
|
|
||
| def _create_tasks(): | ||
| # passtask is expected to run on a remote Azure VM and succeed at obtaining credentials. | ||
| passtask = NamedTask (task_name="testazurekms-task") | ||
| passtask.commands = [ | ||
| func("fetch source"), | ||
| shell_exec (r''' | ||
| echo "Building test-azurekms ... begin" | ||
| pushd mongoc | ||
| ./.evergreen/compile-test-azurekms.sh | ||
| popd | ||
| echo "Building test-azurekms ... end" | ||
|
|
||
| echo "Copying files ... begin" | ||
| export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} | ||
| export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} | ||
| export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey | ||
| DRIVERS_TOOLS=$(pwd)/drivers-evergreen-tools | ||
| mkdir testazurekms | ||
| cp ./mongoc/src/libmongoc/test-azurekms ./mongoc/install/lib/libmongocrypt.* testazurekms | ||
| tar czf testazurekms.tgz testazurekms/* | ||
| AZUREKMS_SRC="testazurekms.tgz" \ | ||
| AZUREKMS_DST="./" \ | ||
| $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh | ||
| echo "Copying files ... end" | ||
|
|
||
| echo "Untarring file ... begin" | ||
| AZUREKMS_CMD="tar xf testazurekms.tgz" \ | ||
| $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh | ||
| echo "Untarring file ... end" | ||
| ''', test=False), | ||
| shell_exec (r''' | ||
| export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} | ||
| export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} | ||
| export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey | ||
| DRIVERS_TOOLS=$(pwd)/drivers-evergreen-tools | ||
| AZUREKMS_CMD="LD_LIBRARY_PATH=./testazurekms MONGODB_URI='mongodb://localhost:27017' KEY_NAME='${testazurekms_keyname}' KEY_VAULT_ENDPOINT='${testazurekms_keyvaultendpoint}' ./testazurekms/test-azurekms" \ | ||
| $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh | ||
| ''') | ||
| ] | ||
|
|
||
| failtask = NamedTask (task_name="testazurekms-fail-task") | ||
| failtask.commands = [ | ||
| func("fetch source"), | ||
| shell_exec (r''' | ||
| pushd mongoc | ||
| ./.evergreen/compile-test-azurekms.sh | ||
| popd | ||
| ''', test=False), | ||
| shell_exec (r''' | ||
| LD_LIBRARY_PATH=$PWD/install \ | ||
| MONGODB_URI='mongodb://localhost:27017' \ | ||
| KEY_NAME='${testazurekms_keyname}' \ | ||
| KEY_VAULT_ENDPOINT='${testazurekms_keyvaultendpoint}' \ | ||
| EXPECT_ERROR='Error from Azure IMDS server' \ | ||
| ./mongoc/src/libmongoc/test-azurekms | ||
| ''') | ||
| ] | ||
| return [passtask, failtask] | ||
|
|
||
|
|
||
| def _create_variant(): | ||
| return Variant( | ||
| name="testazurekms-variant", | ||
| display_name="Azure KMS", | ||
| # Azure Virtual Machine created is Debian 10. | ||
| run_on="debian10-small", tasks=[ | ||
| "testazurekms_task_group", | ||
| "testazurekms-fail-task" | ||
| ], batchtime=20160) # Use a batchtime of 14 days as suggested by the CSFLE test README | ||
|
|
||
|
|
||
| def _create_task_group(): | ||
| task_group = TaskGroup(name="testazurekms_task_group") | ||
| task_group.setup_group_can_fail_task = True | ||
| task_group.setup_group_timeout_secs = 1800 # 30 minutes | ||
| task_group.setup_group = [ | ||
| shell_exec(r''' | ||
| git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git --depth=1 drivers-evergreen-tools | ||
| DRIVERS_TOOLS=$(pwd)/drivers-evergreen-tools | ||
| echo '${testazurekms_publickey}' > /tmp/testazurekms_publickey | ||
| echo '${testazurekms_privatekey}' > /tmp/testazurekms_privatekey | ||
| # Set 600 permissions on private key file. Otherwise ssh / scp may error with permissions "are too open". | ||
| chmod 600 /tmp/testazurekms_privatekey | ||
| export AZUREKMS_CLIENTID=${testazurekms_clientid} | ||
| export AZUREKMS_TENANTID=${testazurekms_tenantid} | ||
| export AZUREKMS_SECRET=${testazurekms_secret} | ||
| export AZUREKMS_DRIVERS_TOOLS=$DRIVERS_TOOLS | ||
| export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} | ||
| export AZUREKMS_PUBLICKEYPATH=/tmp/testazurekms_publickey | ||
| export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey | ||
| export AZUREKMS_SCOPE=${testazurekms_scope} | ||
| export AZUREKMS_VMNAME_PREFIX=CDRIVER | ||
| $DRIVERS_TOOLS/.evergreen/csfle/azurekms/create-and-setup-vm.sh | ||
| ''', test=False), | ||
| # Load the AZUREKMS_VMNAME expansion. | ||
| OD([('command', 'expansions.update'), | ||
| ('params', OD([ | ||
| ('file', 'testazurekms-expansions.yml'), | ||
| ]))]) | ||
| ] | ||
|
|
||
| task_group.teardown_group = [ | ||
| shell_exec(r''' | ||
| DRIVERS_TOOLS=$(pwd)/drivers-evergreen-tools | ||
| export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} | ||
| export AZUREKMS_RESOURCEGROUP=${testazurekms_resourcegroup} | ||
| $DRIVERS_TOOLS/.evergreen/csfle/azurekms/delete-vm.sh | ||
| ''', test=False) | ||
| ] | ||
| task_group.tasks = ["testazurekms-task"] | ||
| return task_group | ||
|
|
||
|
|
||
| def testazurekms_generate(all_tasks, all_variants, all_task_groups): | ||
| all_tasks.extend(_create_tasks()) | ||
| all_variants.append(_create_variant()) | ||
| all_task_groups.append(_create_task_group()) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NOTE: if you use DRIVERS_TOOLS, this value should already be assigned, at least this is what I saw in the c# driver (same in other places)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed your explanation above. It's a bit strange, but ok :)