Make SSL certificate path configurable for tests

Since mongo-orchestration will always bring its own certificates, we need to set the correct SSL certificate directory for our tests. This is skipped on GitHub Actions as we don't test SSL builds there (yet). If SSL_DIR was not set, tests requiring SSL will be skipped.

Author: alcaeus

.evergreen/config.yml

@@ -97,6 +97,7 @@ functions:
               export TMPDIR="$MONGO_ORCHESTRATION_HOME/db"
               export PATH="$MONGODB_BINARIES:$PATH"
               export PROJECT="${project}"
+              export SSL_DIR="$DRIVERS_TOOLS/.evergreen/x509gen"
            EOT
            # See what we've done
            cat expansion.yml
@@ -393,8 +394,6 @@ functions:
             cat $i | tr -d '\r' > $i.new
             mv $i.new $i
           done
-          # Copy client certificate because symlinks do not work on Windows.
-          cp ${PROJECT_DIRECTORY}/scripts/ssl/client.pem ${MONGO_ORCHESTRATION_HOME}/lib/client.pem
 
   "make files executable":
     - command: shell.exec

bin/prep-release.php

@@ -71,7 +71,6 @@ function get_files() {
         "Vagrantfile",
 
         "scripts/*/*.{sh}",
-        "scripts/ssl/*.pem",
         "scripts/*.{json,php,py,sh}",
         "tests/utils/*.{inc,json.gz,php}",
         "tests/**/*.{phpt}",

scripts/ssl/ca.pem

@@ -4,16 +4,15 @@ PHPC-720: Do not persist SSL streams to avoid SSL reinitialization errors
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     // libmongoc does not allow the hostname to be overridden as "server"
     'allow_invalid_hostname' => true,
-    'ca_file' => $SSL_DIR . '/ca.pem',
+    'ca_file' => SSL_DIR . '/ca.pem',
 ];
 
 $manager = new MongoDB\Driver\Manager(URI, [], $driverOptions);

scripts/ssl/client.pem

@@ -4,17 +4,16 @@ Connect to MongoDB with SSL and cert verification
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     // libmongoc does not allow the hostname to be overridden as "server"
     'allow_invalid_hostname' => true,
     'weak_cert_validation' => false,
-    'ca_file' => $SSL_DIR . '/ca.pem',
+    'ca_file' => SSL_DIR . '/ca.pem',
 ];
 
 $manager = new MongoDB\Driver\Manager(URI, [], $driverOptions);

scripts/ssl/crl.pem

@@ -4,19 +4,18 @@ Connect to MongoDB with SSL and cert verification (context options)
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     'context' => stream_context_create([
         'ssl' => [
             // libmongoc does not allow the hostname to be overridden as "server"
             'allow_invalid_hostname' => true,
             'allow_self_signed' => false, // "weak_cert_validation" alias
-            'cafile' => $SSL_DIR . '/ca.pem', // "ca_file" alias
+            'cafile' => SSL_DIR . '/ca.pem', // "ca_file" alias
         ],
     ]),
 ];

scripts/ssl/server.pem

@@ -4,19 +4,18 @@ Connect to MongoDB with SSL and X509 auth
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 <?php skip_if_not_auth_mechanism('MONGODB-X509'); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     // libmongoc does not allow the hostname to be overridden as "server"
     'allow_invalid_hostname' => true,
     'weak_cert_validation' => false,
-    'ca_file' => $SSL_DIR . '/ca.pem',
-    'pem_file' => $SSL_DIR . '/client.pem',
+    'ca_file' => SSL_DIR . '/ca.pem',
+    'pem_file' => SSL_DIR . '/client.pem',
 ];
 
 $manager = new MongoDB\Driver\Manager(URI, [], $driverOptions);

tests/connect/bug0720.phpt

@@ -4,21 +4,20 @@ Connect to MongoDB with SSL and X509 auth (stream context)
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 <?php skip_if_not_auth_mechanism('MONGODB-X509'); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     'context' => stream_context_create([
         'ssl' => [
             // libmongoc does not allow the hostname to be overridden as "server"
             'allow_invalid_hostname' => true,
             'allow_self_signed' => false, // "weak_cert_validation" alias
-            'cafile' => $SSL_DIR . '/ca.pem', // "ca_file" alias
-            'local_cert' => $SSL_DIR . '/client.pem', // "pem_file" alias
+            'cafile' => SSL_DIR . '/ca.pem', // "ca_file" alias
+            'local_cert' => SSL_DIR . '/client.pem', // "pem_file" alias
         ],
     ]),
 ];

tests/connect/standalone-ssl-verify_cert-001.phpt

@@ -6,18 +6,17 @@ parse_url() tests must be reimplemented (PHPC-1177)
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 <?php skip_if_not_auth_mechanism('MONGODB-X509'); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     // libmongoc does not allow the hostname to be overridden as "server"
     'allow_invalid_hostname' => true,
-    'ca_file' => $SSL_DIR . '/ca.pem',
-    'pem_file' => $SSL_DIR . '/client.pem',
+    'ca_file' => SSL_DIR . '/ca.pem',
+    'pem_file' => SSL_DIR . '/client.pem',
 ];
 
 // Wrong username for X509 authentication

tests/connect/standalone-ssl-verify_cert-002.phpt

@@ -6,19 +6,18 @@ parse_url() tests must be reimplemented (PHPC-1177)
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(['OpenSSL', 'Secure Transport', 'Secure Channel']); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 <?php skip_if_not_auth_mechanism('MONGODB-X509'); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     // libmongoc does not allow the hostname to be overridden as "server"
     'allow_invalid_hostname' => true,
     'weak_cert_validation' => false,
-    'ca_file' => $SSL_DIR . '/ca.pem',
-    'pem_file' => $SSL_DIR . '/client.pem',
+    'ca_file' => SSL_DIR . '/ca.pem',
+    'pem_file' => SSL_DIR . '/client.pem',
 ];
 
 $uriOptions = ['authMechanism' => 'MONGODB-X509', 'ssl' => true];

tests/connect/standalone-x509-auth-001.phpt

@@ -6,21 +6,20 @@ parse_url() tests must be reimplemented (PHPC-1177)
 <?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
 <?php skip_if_not_libmongoc_ssl(['OpenSSL', 'Secure Transport', 'Secure Channel']); ?>
 <?php skip_if_not_ssl(); ?>
+<?php skip_if_no_ssl_dir(); ?>
 <?php skip_if_not_auth_mechanism('MONGODB-X509'); ?>
 --FILE--
 <?php
 require_once __DIR__ . "/../utils/basic.inc";
 
-$SSL_DIR = realpath(__DIR__ . '/../../scripts/ssl/');
-
 $driverOptions = [
     'context' => stream_context_create([
         'ssl' => [
             // libmongoc does not allow the hostname to be overridden as "server"
             'allow_invalid_hostname' => true,
             'allow_self_signed' => false, // "weak_cert_validation" alias
-            'cafile' => $SSL_DIR . '/ca.pem', // "ca_file" alias
-            'local_cert' => $SSL_DIR . '/client.pem', // "pem_file" alias
+            'cafile' => SSL_DIR . '/ca.pem', // "ca_file" alias
+            'local_cert' => SSL_DIR . '/client.pem', // "pem_file" alias
         ],
     ]),
 ];

tests/connect/standalone-x509-auth-002.phpt

@@ -7,3 +7,4 @@ define('MONGO_ORCHESTRATION_URI', getenv('MONGO_ORCHESTRATION_URI') ?: 'http://l
 define('DATABASE_NAME', getenv('MONGODB_DATABASE') ?: 'phongo');
 define('COLLECTION_NAME', makeCollectionNameFromFilename($_SERVER['SCRIPT_FILENAME']));
 define('NS', DATABASE_NAME . '.' . COLLECTION_NAME);
+define('SSL_DIR', realpath(getenv('SSL_DIR')));

tests/connect/standalone-x509-error-0001.phpt

@@ -200,6 +200,18 @@ function skip_if_not_ssl()
     is_ssl(URI) or exit('skip URI is not using SSL');
 }
 
+/**
+ * Skips the test if no SSL directory has been defined.
+ */
+function skip_if_no_ssl_dir()
+{
+    $sslDir = getenv('SSL_DIR');
+    $sslDir !== false or exit('skip SSL_DIR environment not set');
+
+    $sslDir = realpath($sslDir);
+    ($sslDir !== false && is_dir($sslDir)) or exit('skip SSL_DIR is not a valid directory');
+}
+
 /**
  * Skips the test if the connection string is using auth.
  */