GODRIVER-1916 Test that KMS TLS connections verify peer certificates (#619)

Author: benjirewis

.evergreen/config.yml

@@ -759,6 +759,51 @@ functions:
           cat setup.js
           mongo --nodb setup.js aws_e2e_ecs.js
 
+  start-kms-mock-server:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src
+        background: true
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          cat <<EOF > kms_setup.json
+          {
+              "kms_ca_file": "${KMS_CA_FILE}",
+              "kms_cert_file": "${KMS_CERT_FILE}"
+          }
+          EOF
+          mongo --nodb mock_kms.js
+
+  run-kms-tls-test:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: src/go.mongodb.org/mongo-driver
+        script: |
+          ${PREPARE_SHELL}
+          export KMS_TLS_TESTCASE="${KMS_TLS_TESTCASE}"
+
+          export GOFLAGS=-mod=vendor
+          set +o xtrace
+          AUTH="${AUTH}" \
+          SSL="${SSL}" \
+          MONGODB_URI="${MONGODB_URI}" \
+          TOPOLOGY="${TOPOLOGY}" \
+          MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
+          BUILD_TAGS="-tags cse" \
+          AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" \
+          AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" \
+          AZURE_TENANT_ID="${cse_azure_tenant_id}" \
+          AZURE_CLIENT_ID="${cse_azure_client_id}" \
+          AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
+          GCP_EMAIL="${cse_gcp_email}" \
+          GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
+          make evg-test-kms \
+          PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
+          LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+
 pre:
   - func: fetch-source
   - func: prepare-resources
@@ -1545,6 +1590,44 @@ tasks:
       - func: run-aws-auth-test-with-aws-EC2-credentials
       - func: run-aws-ECS-auth-test
 
+  - name: "test-kms-tls-invalid-cert"
+    tags: ["kms-tls"]
+    commands:
+      - func: bootstrap-mongo-orchestration
+        vars:
+          TOPOLOGY: "server"
+          AUTH: "noauth"
+          SSL: "nossl"
+      - func: start-kms-mock-server
+        vars:
+          KMS_CA_FILE: "ca.pem"
+          KMS_CERT_FILE: "expired.pem"
+      - func: run-kms-tls-test
+        vars:
+          KMS_TLS_TESTCASE: "INVALID_CERT"
+          TOPOLOGY: "server"
+          AUTH: "noauth"
+          SSL: "nossl"
+
+  - name: "test-kms-tls-invalid-hostname"
+    tags: ["kms-tls"]
+    commands:
+      - func: bootstrap-mongo-orchestration
+        vars:
+          TOPOLOGY: "server"
+          AUTH: "noauth"
+          SSL: "nossl"
+      - func: start-kms-mock-server
+        vars:
+          KMS_CA_FILE: "ca.pem"
+          KMS_CERT_FILE: "wrong-host.pem"
+      - func: run-kms-tls-test
+        vars:
+          KMS_TLS_TESTCASE: "INVALID_HOSTNAME"
+          TOPOLOGY: "server"
+          AUTH: "noauth"
+          SSL: "nossl"
+
 axes:
   - id: version
     display_name: MongoDB Version
@@ -1766,3 +1849,9 @@ buildvariants:
     tasks:
       # macos MongoDB servers do not staple OCSP responses and only support RSA.
       - name: ".ocsp-rsa !.ocsp-staple"
+
+  - matrix_name: "kms-tls-test"
+    matrix_spec: { version: ["latest"], os-ssl-32: ["ubuntu1604-64-go-1-15"] }
+    display_name: "KMS TLS ${version} ${os-ssl-32}"
+    tasks:
+      - name: ".kms-tls"

Makefile

@@ -159,6 +159,10 @@ evg-test-atlas-data-lake:
 	ATLAS_DATA_LAKE_INTEGRATION_TEST=true go test -v ./mongo/integration -run TestUnifiedSpecs/atlas-data-lake-testing >> spec_test.suite
 	ATLAS_DATA_LAKE_INTEGRATION_TEST=true go test -v ./mongo/integration -run TestAtlasDataLake >> spec_test.suite
 
+.PHONY: evg-test-kms
+evg-test-kms:
+	go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse/kms_tls_tests >> test.suite
+
 # benchmark specific targets and support
 perf:driver-test-data.tar.gz
 	tar -zxf $< $(if $(eq $(UNAME_S),Darwin),-s , --transform=s)/data/perf/

mongo/integration/client_side_encryption_prose_test.go

@@ -13,6 +13,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
+	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -1028,6 +1029,57 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			})
 		}
 	})
+
+	// These tests only run when a KMS mock server is running on localhost:8000.
+	mt.RunOpts("kms tls tests", noClientOpts, func(mt *mtest.T) {
+		kmsTlsTestcase := os.Getenv("KMS_TLS_TESTCASE")
+		if kmsTlsTestcase == "" {
+			mt.Skipf("Skipping test as KMS_TLS_TESTCASE is not set")
+		}
+
+		testcases := []struct {
+			name       string
+			envValue   string
+			errMessage string
+		}{
+			{
+				"invalid certificate",
+				"INVALID_CERT",
+				"expired",
+			},
+			{
+				"invalid hostname",
+				"INVALID_HOSTNAME",
+				"SANs",
+			},
+		}
+
+		for _, tc := range testcases {
+			mt.Run(tc.name, func(mt *mtest.T) {
+				// Only run test if correct KMS mock server is running.
+				if kmsTlsTestcase != tc.envValue {
+					mt.Skipf("Skipping test as KMS_TLS_TESTCASE is set to %q, expected %v", kmsTlsTestcase, tc.envValue)
+				}
+
+				ceo := options.ClientEncryption().
+					SetKmsProviders(fullKmsProvidersMap).
+					SetKeyVaultNamespace(kvNamespace)
+				cpt := setup(mt, nil, nil, ceo)
+				defer cpt.teardown(mt)
+
+				_, err := cpt.clientEnc.CreateDataKey(context.Background(), "aws", options.DataKey().SetMasterKey(
+					bson.D{
+						{"region", "us-east-1"},
+						{"key", "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"},
+						{"endpoint", "mongodb://127.0.0.1:8000"},
+					},
+				))
+				assert.NotNil(mt, err, "expected CreateDataKey error, got nil")
+				assert.True(mt, strings.Contains(err.Error(), tc.errMessage),
+					"expected CreateDataKey error to contain %v, got %v", tc.errMessage, err.Error())
+			})
+		}
+	})
 }
 
 func getWatcher(mt *mtest.T, streamType mongo.StreamType, cpt *cseProseTest) watcher {