Replace security-sensitive system properties with env vars (#1314)

This prevents then from being echoed in build logs.

JAVA-5311

Author: jyemin

.evergreen/.evg.yml

@@ -227,24 +227,29 @@ functions:
       type: test
       params:
         working_dir: "src"
+        env:
+          AWS_ACCESS_KEY_ID: ${aws_access_key_id}
+          AWS_SECRET_ACCESS_KEY: ${aws_secret_access_key}
+          AWS_DEFAULT_REGION: us-east-1
+          AZURE_TENANT_ID: ${azure_tenant_id}
+          AZURE_CLIENT_ID: ${azure_client_id}
+          AZURE_CLIENT_SECRET: ${azure_client_secret}
+          GCP_EMAIL: ${gcp_email}
+          GCP_PRIVATE_KEY: ${gcp_private_key}
+          AZUREKMS_KEY_VAULT_ENDPOINT: ${testazurekms_keyvaultendpoint}
+          AZUREKMS_KEY_NAME: ${testazurekms_keyname}
         script: |
           ${PREPARE_SHELL}
-          export AWS_ACCESS_KEY_ID=${aws_access_key_id}
-          export AWS_SECRET_ACCESS_KEY=${aws_secret_access_key}
-          export AWS_DEFAULT_REGION=us-east-1
+          
           . ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
+          
+          export AWS_TEMP_ACCESS_KEY_ID=$CSFLE_AWS_TEMP_ACCESS_KEY_ID
+          export AWS_TEMP_SECRET_ACCESS_KEY=$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY
+          export AWS_TEMP_SESSION_TOKEN=$CSFLE_AWS_TEMP_SESSION_TOKEN
+          export CRYPT_SHARED_LIB_PATH=${CRYPT_SHARED_LIB_PATH}
+
           AUTH="${AUTH}" SSL="${SSL}" MONGODB_URI="${MONGODB_URI}" SAFE_FOR_MULTI_MONGOS="${SAFE_FOR_MULTI_MONGOS}" TOPOLOGY="${TOPOLOGY}" \
-          COMPRESSOR="${COMPRESSOR}" JAVA_VERSION="${JAVA_VERSION}" \
-          AWS_ACCESS_KEY_ID=${aws_access_key_id} AWS_SECRET_ACCESS_KEY=${aws_secret_access_key} \
-          AWS_TEMP_ACCESS_KEY_ID=$CSFLE_AWS_TEMP_ACCESS_KEY_ID \
-          AWS_TEMP_SECRET_ACCESS_KEY=$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY \
-          AWS_TEMP_SESSION_TOKEN=$CSFLE_AWS_TEMP_SESSION_TOKEN \
-          AZURE_TENANT_ID=${azure_tenant_id} AZURE_CLIENT_ID=${azure_client_id} AZURE_CLIENT_SECRET=${azure_client_secret} \
-          GCP_EMAIL=${gcp_email} GCP_PRIVATE_KEY=${gcp_private_key} \
-          AZUREKMS_KEY_VAULT_ENDPOINT=${testazurekms_keyvaultendpoint} \
-          AZUREKMS_KEY_NAME=${testazurekms_keyname} \
-          REQUIRE_API_VERSION=${REQUIRE_API_VERSION} \
-          CRYPT_SHARED_LIB_PATH="${CRYPT_SHARED_LIB_PATH}" \
+          COMPRESSOR="${COMPRESSOR}" JAVA_VERSION="${JAVA_VERSION}" REQUIRE_API_VERSION=${REQUIRE_API_VERSION} \
           .evergreen/run-tests.sh
 
   "run load-balancer tests":
@@ -784,52 +789,65 @@ functions:
       type: test
       params:
         working_dir: "src"
+        env:
+          AWS_ACCESS_KEY_ID: ${aws_access_key_id}
+          AWS_SECRET_ACCESS_KEY: ${aws_secret_access_key}
         script: |
           ${PREPARE_SHELL}
           set +o xtrace
-          MONGODB_URI="${MONGODB_URI}" AWS_ACCESS_KEY_ID=${aws_access_key_id} AWS_SECRET_ACCESS_KEY=${aws_secret_access_key} \
-          .evergreen/run-csfle-aws-from-environment.sh
+          MONGODB_URI="${MONGODB_URI}" .evergreen/run-csfle-aws-from-environment.sh
 
   "run csfle tests with mongocryptd":
     - command: shell.exec
       type: test
       params:
         working_dir: "src"
+        env:
+          AWS_ACCESS_KEY_ID: ${aws_access_key_id}
+          AWS_SECRET_ACCESS_KEY: ${aws_secret_access_key}
+          AWS_DEFAULT_REGION: us-east-1
+          AZURE_TENANT_ID: ${azure_tenant_id}
+          AZURE_CLIENT_ID: ${azure_client_id}
+          AZURE_CLIENT_SECRET: ${azure_client_secret}
+          GCP_EMAIL: ${gcp_email}
+          GCP_PRIVATE_KEY: ${gcp_private_key}
+          AZUREKMS_KEY_VAULT_ENDPOINT: ${testazurekms_keyvaultendpoint}
+          AZUREKMS_KEY_NAME: ${testazurekms_keyname}
         script: |
           ${PREPARE_SHELL}
-          export AWS_ACCESS_KEY_ID=${aws_access_key_id}
-          export AWS_SECRET_ACCESS_KEY=${aws_secret_access_key}
-          export AWS_DEFAULT_REGION=us-east-1
           . ${DRIVERS_TOOLS}/.evergreen/csfle/set-temp-creds.sh
-          MONGODB_URI="${MONGODB_URI}" \
-          JAVA_VERSION="${JAVA_VERSION}" \
-          AWS_ACCESS_KEY_ID=${aws_access_key_id} AWS_SECRET_ACCESS_KEY=${aws_secret_access_key} \
-          AWS_TEMP_ACCESS_KEY_ID=$CSFLE_AWS_TEMP_ACCESS_KEY_ID \
-          AWS_TEMP_SECRET_ACCESS_KEY=$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY \
-          AWS_TEMP_SESSION_TOKEN=$CSFLE_AWS_TEMP_SESSION_TOKEN \
-          AZURE_TENANT_ID=${azure_tenant_id} AZURE_CLIENT_ID=${azure_client_id} AZURE_CLIENT_SECRET=${azure_client_secret} \
-          GCP_EMAIL=${gcp_email} GCP_PRIVATE_KEY=${gcp_private_key} \
-          AZUREKMS_KEY_VAULT_ENDPOINT=${testazurekms_keyvaultendpoint} \
-          AZUREKMS_KEY_NAME=${testazurekms_keyname} \
-          .evergreen/run-csfle-tests-with-mongocryptd.sh
+          
+          export AWS_TEMP_ACCESS_KEY_ID=$CSFLE_AWS_TEMP_ACCESS_KEY_ID
+          export AWS_TEMP_SECRET_ACCESS_KEY=$CSFLE_AWS_TEMP_SECRET_ACCESS_KEY
+          export AWS_TEMP_SESSION_TOKEN=$CSFLE_AWS_TEMP_SESSION_TOKEN
+          
+          MONGODB_URI="${MONGODB_URI}" JAVA_VERSION="${JAVA_VERSION}" .evergreen/run-csfle-tests-with-mongocryptd.sh
 
   "publish snapshot":
     - command: shell.exec
       type: test
       params:
         working_dir: "src"
+        env:
+          NEXUS_USERNAME: ${nexus_username}
+          NEXUS_PASSWORD: ${nexus_password}
+          SIGNING_PASSWORD: ${signing_password}
+          SIGNING_KEY: ${gpg_ascii_armored}
         script: |
-          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
-          RELEASE=false PROJECT_DIRECTORY=${PROJECT_DIRECTORY} NEXUS_USERNAME=${nexus_username} NEXUS_PASSWORD=${nexus_password} SIGNING_PASSWORD=${signing_password} SIGNING_KEY="${gpg_ascii_armored}" .evergreen/publish.sh
+          RELEASE=false PROJECT_DIRECTORY=${PROJECT_DIRECTORY} .evergreen/publish.sh
 
   "publish release":
     - command: shell.exec
       type: test
       params:
         working_dir: "src"
+        env:
+          NEXUS_USERNAME: ${nexus_username}
+          NEXUS_PASSWORD: ${nexus_password}
+          SIGNING_PASSWORD: ${signing_password}
+          SIGNING_KEY: ${gpg_ascii_armored}
         script: |
-          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
-          RELEASE=true PROJECT_DIRECTORY=${PROJECT_DIRECTORY} NEXUS_USERNAME=${nexus_username} NEXUS_PASSWORD=${nexus_password} SIGNING_PASSWORD=${signing_password} SIGNING_KEY="${gpg_ascii_armored}" .evergreen/publish.sh
+          RELEASE=true PROJECT_DIRECTORY=${PROJECT_DIRECTORY} .evergreen/publish.sh
 
   "cleanup":
     - command: shell.exec

.evergreen/run-csfle-tests-with-mongocryptd.sh

@@ -49,19 +49,14 @@ provision_ssl () {
 provision_ssl
 
 echo "Running tests with Java ${JAVA_VERSION}"
+
 ./gradlew -version
 
-# By not specifying the path to the `crypt_shared` via the `org.mongodb.test.crypt.shared.lib.path` Java system property,
+# By not specifying the path to the `crypt_shared` via the `CRYPT_SHARED_LIB_PATH` Java system property,
 # we force the driver to start `mongocryptd` instead of loading and using `crypt_shared`.
 ./gradlew -PjavaVersion=${JAVA_VERSION} -Dorg.mongodb.test.uri=${MONGODB_URI} \
-      -Dorg.mongodb.test.fle.on.demand.credential.test.failure.enabled="true" \
-      -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyVaultEndpoint="${AZUREKMS_KEY_VAULT_ENDPOINT}" \
-      -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyName="${AZUREKMS_KEY_NAME}" \
-      -Dorg.mongodb.test.awsAccessKeyId=${AWS_ACCESS_KEY_ID} -Dorg.mongodb.test.awsSecretAccessKey=${AWS_SECRET_ACCESS_KEY} \
-      -Dorg.mongodb.test.tmpAwsAccessKeyId=${AWS_TEMP_ACCESS_KEY_ID} -Dorg.mongodb.test.tmpAwsSecretAccessKey=${AWS_TEMP_SECRET_ACCESS_KEY} -Dorg.mongodb.test.tmpAwsSessionToken=${AWS_TEMP_SESSION_TOKEN} \
-      -Dorg.mongodb.test.azureTenantId=${AZURE_TENANT_ID} -Dorg.mongodb.test.azureClientId=${AZURE_CLIENT_ID} -Dorg.mongodb.test.azureClientSecret=${AZURE_CLIENT_SECRET} \
-      -Dorg.mongodb.test.gcpEmail=${GCP_EMAIL} -Dorg.mongodb.test.gcpPrivateKey=${GCP_PRIVATE_KEY} \
       ${GRADLE_EXTRA_VARS} \
+      -Dorg.mongodb.test.fle.on.demand.credential.test.failure.enabled=true \
       --stacktrace --info --continue \
       driver-legacy:test \
           --tests "*.Client*Encryption*" \

.evergreen/run-fle-on-demand-credential-test.sh

@@ -20,20 +20,16 @@ if ! which java ; then
     sudo apt install openjdk-17-jdk -y
 fi
 
+export PROVIDER=${PROVIDER}
+
 ./gradlew -Dorg.mongodb.test.uri="${MONGODB_URI}" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.success.enabled="true" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyVaultEndpoint="${AZUREKMS_KEY_VAULT_ENDPOINT}" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyName="${AZUREKMS_KEY_NAME}" \
- -Dorg.mongodb.test.fle.on.demand.credential.provider="${PROVIDER}" \
+ -Dorg.mongodb.test.fle.on.demand.credential.test.success.enabled=true \
  --stacktrace --debug --info  driver-sync:test --tests ClientSideEncryptionOnDemandCredentialsTest
 first=$?
 echo $first
 
 ./gradlew -Dorg.mongodb.test.uri="${MONGODB_URI}" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.success.enabled="true" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyVaultEndpoint="${AZUREKMS_KEY_VAULT_ENDPOINT}" \
- -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyName="${AZUREKMS_KEY_NAME}" \
- -Dorg.mongodb.test.fle.on.demand.credential.provider="${PROVIDER}" \
+ -Dorg.mongodb.test.fle.on.demand.credential.test.success.enabled=true \
  --stacktrace --debug --info  driver-reactive-streams:test --tests ClientSideEncryptionOnDemandCredentialsTest
 second=$?
 echo $second

.evergreen/run-tests.sh

@@ -141,15 +141,8 @@ if [ "$SLOW_TESTS_ONLY" == "true" ]; then
               --stacktrace --info testSlowOnly
 else
     ./gradlew -PjavaVersion=${JAVA_VERSION} -Dorg.mongodb.test.uri=${MONGODB_URI} \
-              -Dorg.mongodb.test.fle.on.demand.credential.test.failure.enabled="true" \
-              -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyVaultEndpoint="${AZUREKMS_KEY_VAULT_ENDPOINT}" \
-              -Dorg.mongodb.test.fle.on.demand.credential.test.azure.keyName="${AZUREKMS_KEY_NAME}" \
-              -Dorg.mongodb.test.awsAccessKeyId=${AWS_ACCESS_KEY_ID} -Dorg.mongodb.test.awsSecretAccessKey=${AWS_SECRET_ACCESS_KEY} \
-              -Dorg.mongodb.test.tmpAwsAccessKeyId=${AWS_TEMP_ACCESS_KEY_ID} -Dorg.mongodb.test.tmpAwsSecretAccessKey=${AWS_TEMP_SECRET_ACCESS_KEY} -Dorg.mongodb.test.tmpAwsSessionToken=${AWS_TEMP_SESSION_TOKEN} \
-              -Dorg.mongodb.test.azureTenantId=${AZURE_TENANT_ID} -Dorg.mongodb.test.azureClientId=${AZURE_CLIENT_ID} -Dorg.mongodb.test.azureClientSecret=${AZURE_CLIENT_SECRET} \
-              -Dorg.mongodb.test.gcpEmail=${GCP_EMAIL} -Dorg.mongodb.test.gcpPrivateKey=${GCP_PRIVATE_KEY} \
               ${MULTI_MONGOS_URI_SYSTEM_PROPERTY} ${API_VERSION} ${GRADLE_EXTRA_VARS} ${ASYNC_TYPE} \
-              -Dorg.mongodb.test.crypt.shared.lib.path=${CRYPT_SHARED_LIB_PATH} \
               ${JAVA_SYSPROP_NETTY_SSL_PROVIDER} \
+              -Dorg.mongodb.test.fle.on.demand.credential.test.failure.enabled=true \
               --stacktrace --info --continue test
 fi

driver-core/src/test/functional/com/mongodb/ClusterFixture.java

@@ -201,7 +201,7 @@ public static boolean hasEncryptionTestsEnabled() {
         List<String> requiredSystemProperties = asList("awsAccessKeyId", "awsSecretAccessKey", "azureTenantId", "azureClientId",
                 "azureClientSecret", "gcpEmail", "gcpPrivateKey", "tmpAwsAccessKeyId", "tmpAwsSecretAccessKey", "tmpAwsSessionToken");
         return requiredSystemProperties.stream()
-                        .map(name -> System.getProperty("org.mongodb.test." + name, ""))
+                        .map(name -> getEnv("org.mongodb.test." + name, ""))
                         .filter(s -> !s.isEmpty())
                         .count() == requiredSystemProperties.size();
     }
@@ -228,6 +228,16 @@ public void run() {
         }
     }
 
+    public static String getEnv(final String name, final String defaultValue) {
+        String value = getEnv(name);
+        return value == null ? defaultValue : value;
+    }
+
+    @Nullable
+    public static String getEnv(final String name) {
+        return System.getenv(name);
+    }
+
     public static boolean getOcspShouldSucceed() {
         return Integer.parseInt(System.getProperty(MONGODB_OCSP_SHOULD_SUCCEED)) == 1;
     }
@@ -541,7 +551,7 @@ public static boolean isAuthenticated() {
     }
 
     public static boolean isClientSideEncryptionTest() {
-        return !System.getProperty("org.mongodb.test.awsAccessKeyId", "").isEmpty();
+        return !getEnv("AWS_ACCESS_KEY_ID", "").isEmpty();
     }
 
     public static boolean isAtlasSearchTest() {

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/ClientEncryptionDataKeyAndDoubleEncryptionTest.java

@@ -40,6 +40,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static com.mongodb.ClusterFixture.getEnv;
 import static com.mongodb.ClusterFixture.hasEncryptionTestsEnabled;
 import static com.mongodb.ClusterFixture.serverVersionAtLeast;
 import static com.mongodb.client.Fixture.getMongoClientSettingsBuilder;
@@ -81,17 +82,17 @@ public void setUp() {
         // Step 2: Create encrypted client and client encryption
         Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
             put("aws",  new HashMap<String, Object>() {{
-                put("accessKeyId", System.getProperty("org.mongodb.test.awsAccessKeyId"));
-                put("secretAccessKey", System.getProperty("org.mongodb.test.awsSecretAccessKey"));
+                put("accessKeyId", getEnv("AWS_ACCESS_KEY_ID"));
+                put("secretAccessKey", getEnv("AWS_SECRET_ACCESS_KEY"));
             }});
             put("azure",  new HashMap<String, Object>() {{
-                put("tenantId", System.getProperty("org.mongodb.test.azureTenantId"));
-                put("clientId", System.getProperty("org.mongodb.test.azureClientId"));
-                put("clientSecret", System.getProperty("org.mongodb.test.azureClientSecret"));
+                put("tenantId", getEnv("AZURE_TENANT_ID"));
+                put("clientId", getEnv("AZURE_CLIENT_ID"));
+                put("clientSecret", getEnv("AZURE_CLIENT_SECRET"));
             }});
             put("gcp",  new HashMap<String, Object>() {{
-                put("email", System.getProperty("org.mongodb.test.gcpEmail"));
-                put("privateKey", System.getProperty("org.mongodb.test.gcpPrivateKey"));
+                put("email", getEnv("GCP_EMAIL"));
+                put("privateKey", getEnv("GCP_PRIVATE_KEY"));
             }});
             put("local", new HashMap<String, Object>() {{
                 put("key", "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM"

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/ClientSideEncryptionBsonSizeLimitsSpecification.groovy

@@ -53,7 +53,7 @@ class ClientSideEncryptionBsonSizeLimitsSpecification extends FunctionalSpecific
     def setup() {
         assumeTrue(serverVersionAtLeast(4, 2))
         assumeTrue('Key vault tests disabled',
-                !System.getProperty('org.mongodb.test.awsAccessKeyId', '').isEmpty())
+                !System.getProperty('AWS_ACCESS_KEY_ID', '').isEmpty())
         drop(keyVaultNamespace)
         drop(autoEncryptingCollectionNamespace)
 

driver-reactive-streams/src/test/functional/com/mongodb/reactivestreams/client/ClientSideEncryptionCorpusTest.java

@@ -48,6 +48,7 @@
 import java.util.Map;
 
 import static com.mongodb.ClusterFixture.TIMEOUT_DURATION;
+import static com.mongodb.ClusterFixture.getEnv;
 import static com.mongodb.ClusterFixture.hasEncryptionTestsEnabled;
 import static com.mongodb.ClusterFixture.serverVersionAtLeast;
 import static com.mongodb.reactivestreams.client.Fixture.getMongoClientBuilderFromConnectionString;
@@ -109,20 +110,20 @@ public void setUp() throws IOException, URISyntaxException {
         // Step 4: Configure our objects
         Map<String, Map<String, Object>> kmsProviders = new HashMap<String, Map<String, Object>>() {{
             put("aws",  new HashMap<String, Object>() {{
-                put("accessKeyId", System.getProperty("org.mongodb.test.awsAccessKeyId"));
-                put("secretAccessKey", System.getProperty("org.mongodb.test.awsSecretAccessKey"));
+                put("accessKeyId", getEnv("AWS_ACCESS_KEY_ID"));
+                put("secretAccessKey", getEnv("AWS_SECRET_ACCESS_KEY"));
             }});
             put("azure",  new HashMap<String, Object>() {{
-                put("tenantId", System.getProperty("org.mongodb.test.azureTenantId"));
-                put("clientId", System.getProperty("org.mongodb.test.azureClientId"));
-                put("clientSecret", System.getProperty("org.mongodb.test.azureClientSecret"));
+                put("tenantId", getEnv("AZURE_TENANT_ID"));
+                put("clientId", getEnv("AZURE_CLIENT_ID"));
+                put("clientSecret", getEnv("AZURE_CLIENT_SECRET"));
             }});
             put("gcp",  new HashMap<String, Object>() {{
-                put("email", System.getProperty("org.mongodb.test.gcpEmail"));
-                put("privateKey", System.getProperty("org.mongodb.test.gcpPrivateKey"));
+                put("email", getEnv("GCP_EMAIL"));
+                put("privateKey", getEnv("GCP_PRIVATE_KEY"));
             }});
             put("kmip",  new HashMap<String, Object>() {{
-                put("endpoint", System.getProperty("org.mongodb.test.kmipEndpoint", "localhost:5698"));
+                put("endpoint", getEnv("org.mongodb.test.kmipEndpoint", "localhost:5698"));
             }});
             put("local", new HashMap<String, Object>() {{
                 put("key", "Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBM"