PHPLIB-866: CSFLE prose test for on-demand AWS credentials (#1009)

jmikola · web-flow · commit 8e8364f74c59 · 2022-11-29T04:12:12.000-05:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -598,6 +598,18 @@ tasks:
             SKIP_CRYPT_SHARED: "yes"
             TESTS: "csfle"
 
+    - name: "test-without_aws_credentials"
+      commands:
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            TOPOLOGY: "replica_set"
+        - func: "start kms servers"
+        - func: "run tests"
+          vars:
+            client_side_encryption_aws_access_key_id: ""
+            client_side_encryption_aws_secret_access_key: ""
+            TESTS: "csfle"
+
 # }}}
 
 
@@ -863,3 +875,10 @@ buildvariants:
   display_name: "CSFLE skip_crypt_shared - ${mongodb-versions}"
   tasks:
     - name: "test-skip_crypt_shared"
+
+# Run CSFLE tests without AWS credentials (for "On-demand AWS Credentials" prose test)
+- matrix_name: "test-csfle-without_aws_credentials"
+  matrix_spec: { "os": "debian11", "mongodb-versions": "6.0", "php-edge-versions": "latest-stable", "driver-versions": "latest-stable" }
+  display_name: "CSFLE without_aws_credentials - ${mongodb-versions}"
+  tasks:
+    - name: "test-without_aws_credentials"
diff --git a/tests/SpecTests/ClientSideEncryptionSpecTest.php b/tests/SpecTests/ClientSideEncryptionSpecTest.php
@@ -1642,6 +1642,48 @@ static function (self $test, Client $setupClient, ClientEncryption $clientEncryp
         ];
     }
 
+    /**
+     * Prose test 15: On-demand AWS Credentials
+     *
+     * @see https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#on-demand-aws-credentials
+     * @testWith [true]
+     *           [false]
+     */
+    public function testOnDemandAwsCredentials(bool $shouldSucceed): void
+    {
+        $hasCredentials = (getenv('AWS_ACCESS_KEY_ID') && getenv('AWS_SECRET_ACCESS_KEY'));
+
+        if ($hasCredentials !== $shouldSucceed) {
+            Assert::markTestSkipped(sprintf('AWS credentials %s available', $hasCredentials ? 'are' : 'are not'));
+        }
+
+        $keyVaultClient = static::createTestClient();
+
+        $clientEncryption = new ClientEncryption([
+            'keyVaultClient' => $keyVaultClient->getManager(),
+            'keyVaultNamespace' => 'keyvault.datakeys',
+            'kmsProviders' => ['aws' => (object) []],
+        ]);
+
+        $dataKeyOpts = [
+            'masterKey' => [
+                'region' => 'us-east-1',
+                'key' => 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
+            ],
+        ];
+
+        if (! $shouldSucceed) {
+            $this->expectException(AuthenticationException::class);
+        }
+
+        $dataKeyId = $clientEncryption->createDataKey('aws', $dataKeyOpts);
+
+        if ($shouldSucceed) {
+            $this->assertInstanceOf(Binary::class, $dataKeyId);
+            $this->assertSame(Binary::TYPE_UUID, $dataKeyId->getType());
+        }
+    }
+
     /**
      * Prose test 16: RewrapManyDataKey
      *
