test(NODE-3409): support AWS temp credentials in CSFLE tests (#2968)

emadum · web-flow · commit a07aa56b4f43 · 2021-08-31T15:57:20.000-04:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -95,6 +95,9 @@ functions:
             cat <<EOT > prepare_client_encryption.sh
             export CLIENT_ENCRYPTION=${CLIENT_ENCRYPTION}
             export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
+            export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
+            export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
+            export AWS_DEFAULT_REGION='us-east-1'
           EOT
           fi
     - command: shell.exec
@@ -549,39 +552,6 @@ tasks:
       - func: run tests
         vars:
           UNIFIED: 1
-  - name: test-5.0-server
-    tags:
-      - '5.0'
-      - server
-    commands:
-      - func: install dependencies
-      - func: bootstrap mongo-orchestration
-        vars:
-          VERSION: '5.0'
-          TOPOLOGY: server
-      - func: run tests
-  - name: test-5.0-replica_set
-    tags:
-      - '5.0'
-      - replica_set
-    commands:
-      - func: install dependencies
-      - func: bootstrap mongo-orchestration
-        vars:
-          VERSION: '5.0'
-          TOPOLOGY: replica_set
-      - func: run tests
-  - name: test-5.0-sharded_cluster
-    tags:
-      - '5.0'
-      - sharded_cluster
-    commands:
-      - func: install dependencies
-      - func: bootstrap mongo-orchestration
-        vars:
-          VERSION: '5.0'
-          TOPOLOGY: sharded_cluster
-      - func: run tests
   - name: test-5.0-server-unified
     tags:
       - '5.0'
@@ -1843,9 +1813,6 @@ buildvariants:
       - test-latest-server-unified
       - test-latest-replica_set-unified
       - test-latest-sharded_cluster-unified
-      - test-5.0-server
-      - test-5.0-replica_set
-      - test-5.0-sharded_cluster
       - test-5.0-server-unified
       - test-5.0-replica_set-unified
       - test-5.0-sharded_cluster-unified
@@ -1966,9 +1933,6 @@ buildvariants:
       - test-latest-server-unified
       - test-latest-replica_set-unified
       - test-latest-sharded_cluster-unified
-      - test-5.0-server
-      - test-5.0-replica_set
-      - test-5.0-sharded_cluster
       - test-5.0-server-unified
       - test-5.0-replica_set-unified
       - test-5.0-sharded_cluster-unified
@@ -2166,9 +2130,6 @@ buildvariants:
       - test-latest-server-unified
       - test-latest-replica_set-unified
       - test-latest-sharded_cluster-unified
-      - test-5.0-server
-      - test-5.0-replica_set
-      - test-5.0-sharded_cluster
       - test-5.0-server-unified
       - test-5.0-replica_set-unified
       - test-5.0-sharded_cluster-unified
diff --git a/.evergreen/config.yml.in b/.evergreen/config.yml.in
@@ -114,6 +114,9 @@ functions:
             cat <<EOT > prepare_client_encryption.sh
             export CLIENT_ENCRYPTION=${CLIENT_ENCRYPTION}
             export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
+            export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
+            export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
+            export AWS_DEFAULT_REGION='us-east-1'
           EOT
           fi
     - command: shell.exec
diff --git a/.evergreen/generate_evergreen_tasks.js b/.evergreen/generate_evergreen_tasks.js
@@ -9,7 +9,7 @@ const LEGACY_MONGODB_VERSIONS = new Set(['4.4', '4.2', '4.0', '3.6', '3.4', '3.2
 const MONGODB_VERSIONS = ['latest', '5.0'].concat(Array.from(LEGACY_MONGODB_VERSIONS));
 const AWS_AUTH_VERSIONS = ['latest', '5.0', '4.4'];
 const OCSP_VERSIONS = ['latest', '5.0', '4.4'];
-const TLS_VERSIONS = ['latest', '5.0', '4.2']; // also test on 4.2 because 4.4+ currently skipped on windows
+const TLS_VERSIONS = ['latest', '5.0', '4.4', '4.2']; // also test on 4.2 because 4.4+ currently skipped on windows
 const NODE_VERSIONS = ['fermium', 'erbium', 'dubnium', 'carbon', 'boron', 'argon'];
 const LEGACY_TOPOLOGIES = new Set(['server', 'replica_set', 'sharded_cluster']);
 const UNIFIED_TOPOLOGIES = Array.from(LEGACY_TOPOLOGIES).map(topology => `${topology}-unified`);
diff --git a/.evergreen/run-custom-csfle-tests.sh b/.evergreen/run-custom-csfle-tests.sh
@@ -10,6 +10,11 @@ if [ -z ${CSFLE_KMS_PROVIDERS+omitted} ]; then echo "CSFLE_KMS_PROVIDERS is unse
 set -o xtrace   # Write all commands first to stderr
 set -o errexit  # Exit the script with error if any of the commands fail
 
+# Get access to the AWS temporary credentials:
+echo "adding temporary AWS credentials to environment"
+# CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
+. $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh
+
 # Environment Variables:
 # CSFLE_GIT_REF - set the git reference to checkout for a custom CSFLE version
 # CDRIVER_GIT_REF - set the git reference to checkout for a custom CDRIVER version (this is for libbson)
diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
@@ -53,6 +53,11 @@ if [[ -z "${CLIENT_ENCRYPTION}" ]]; then
   unset AWS_SECRET_ACCESS_KEY;
 else
   npm install mongodb-client-encryption@latest
+
+  # Get access to the AWS temporary credentials:
+  echo "adding temporary AWS credentials to environment"
+  # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
+  . $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh
 fi
 
 nvm use 12
diff --git a/test/functional/mongodb_aws.test.js b/test/functional/mongodb_aws.test.js
@@ -46,7 +46,7 @@ describe('MONGODB-AWS', function() {
       authMechanismProperties: { AWS_SESSION_TOKEN: '' }
     });
     expect(client)
-      .to.have.nested.property('options.credentials.mechanismProperties.AWS_SESSION_TOKEN')
+      .to.have.nested.property('s.options.authMechanismProperties.AWS_SESSION_TOKEN')
       .that.equals('');
   });
 });
diff --git a/test/functional/spec-runner/index.js b/test/functional/spec-runner/index.js
@@ -48,6 +48,21 @@ function translateClientOptions(options) {
           kmsProviders.local = options.autoEncryptOpts.kmsProviders.local;
         }
 
+        if (options.autoEncryptOpts.kmsProviders.awsTemporary) {
+          kmsProviders.aws = {
+            accessKeyId: process.env.CSFLE_AWS_TEMP_ACCESS_KEY_ID,
+            secretAccessKey: process.env.CSFLE_AWS_TEMP_SECRET_ACCESS_KEY,
+            sessionToken: process.env.CSFLE_AWS_TEMP_SESSION_TOKEN
+          };
+        }
+
+        if (options.autoEncryptOpts.kmsProviders.awsTemporaryNoSessionToken) {
+          kmsProviders.aws = {
+            accessKeyId: process.env.CSFLE_AWS_TEMP_ACCESS_KEY_ID,
+            secretAccessKey: process.env.CSFLE_AWS_TEMP_SECRET_ACCESS_KEY
+          };
+        }
+
         options.autoEncryption.kmsProviders = kmsProviders;
       }
 
diff --git a/test/spec/client-side-encryption/awsTemporary.json b/test/spec/client-side-encryption/awsTemporary.json
@@ -0,0 +1,225 @@
+{
+  "runOn": [
+    {
+      "minServerVersion": "4.1.10"
+    }
+  ],
+  "database_name": "default",
+  "collection_name": "default",
+  "data": [],
+  "json_schema": {
+    "properties": {
+      "encrypted_w_altname": {
+        "encrypt": {
+          "keyId": "/altname",
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+        }
+      },
+      "encrypted_string": {
+        "encrypt": {
+          "keyId": [
+            {
+              "$binary": {
+                "base64": "AAAAAAAAAAAAAAAAAAAAAA==",
+                "subType": "04"
+              }
+            }
+          ],
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+        }
+      },
+      "random": {
+        "encrypt": {
+          "keyId": [
+            {
+              "$binary": {
+                "base64": "AAAAAAAAAAAAAAAAAAAAAA==",
+                "subType": "04"
+              }
+            }
+          ],
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+        }
+      },
+      "encrypted_string_equivalent": {
+        "encrypt": {
+          "keyId": [
+            {
+              "$binary": {
+                "base64": "AAAAAAAAAAAAAAAAAAAAAA==",
+                "subType": "04"
+              }
+            }
+          ],
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+        }
+      }
+    },
+    "bsonType": "object"
+  },
+  "key_vault_data": [
+    {
+      "status": 1,
+      "_id": {
+        "$binary": {
+          "base64": "AAAAAAAAAAAAAAAAAAAAAA==",
+          "subType": "04"
+        }
+      },
+      "masterKey": {
+        "provider": "aws",
+        "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+        "region": "us-east-1"
+      },
+      "updateDate": {
+        "$date": {
+          "$numberLong": "1552949630483"
+        }
+      },
+      "keyMaterial": {
+        "$binary": {
+          "base64": "AQICAHhQNmWG2CzOm1dq3kWLM+iDUZhEqnhJwH9wZVpuZ94A8gEqnsxXlR51T5EbEVezUqqKAAAAwjCBvwYJKoZIhvcNAQcGoIGxMIGuAgEAMIGoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDHa4jo6yp0Z18KgbUgIBEIB74sKxWtV8/YHje5lv5THTl0HIbhSwM6EqRlmBiFFatmEWaeMk4tO4xBX65eq670I5TWPSLMzpp8ncGHMmvHqRajNBnmFtbYxN3E3/WjxmdbOOe+OXpnGJPcGsftc7cB2shRfA4lICPnE26+oVNXT6p0Lo20nY5XC7jyCO",
+          "subType": "00"
+        }
+      },
+      "creationDate": {
+        "$date": {
+          "$numberLong": "1552949630483"
+        }
+      },
+      "keyAltNames": [
+        "altname",
+        "another_altname"
+      ]
+    }
+  ],
+  "tests": [
+    {
+      "description": "Insert a document with auto encryption using the AWS provider with temporary credentials",
+      "clientOptions": {
+        "autoEncryptOpts": {
+          "kmsProviders": {
+            "awsTemporary": {}
+          }
+        }
+      },
+      "operations": [
+        {
+          "name": "insertOne",
+          "arguments": {
+            "document": {
+              "_id": 1,
+              "encrypted_string": "string0"
+            }
+          }
+        }
+      ],
+      "expectations": [
+        {
+          "command_started_event": {
+            "command": {
+              "listCollections": 1,
+              "filter": {
+                "name": "default"
+              }
+            },
+            "command_name": "listCollections"
+          }
+        },
+        {
+          "command_started_event": {
+            "command": {
+              "find": "datakeys",
+              "filter": {
+                "$or": [
+                  {
+                    "_id": {
+                      "$in": [
+                        {
+                          "$binary": {
+                            "base64": "AAAAAAAAAAAAAAAAAAAAAA==",
+                            "subType": "04"
+                          }
+                        }
+                      ]
+                    }
+                  },
+                  {
+                    "keyAltNames": {
+                      "$in": []
+                    }
+                  }
+                ]
+              },
+              "$db": "keyvault"
+            },
+            "command_name": "find"
+          }
+        },
+        {
+          "command_started_event": {
+            "command": {
+              "insert": "default",
+              "documents": [
+                {
+                  "_id": 1,
+                  "encrypted_string": {
+                    "$binary": {
+                      "base64": "AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==",
+                      "subType": "06"
+                    }
+                  }
+                }
+              ],
+              "ordered": true
+            },
+            "command_name": "insert"
+          }
+        }
+      ],
+      "outcome": {
+        "collection": {
+          "data": [
+            {
+              "_id": 1,
+              "encrypted_string": {
+                "$binary": {
+                  "base64": "AQAAAAAAAAAAAAAAAAAAAAACwj+3zkv2VM+aTfk60RqhXq6a/77WlLwu/BxXFkL7EppGsju/m8f0x5kBDD3EZTtGALGXlym5jnpZAoSIkswHoA==",
+                  "subType": "06"
+                }
+              }
+            }
+          ]
+        }
+      }
+    },
+    {
+      "description": "Insert with invalid temporary credentials",
+      "clientOptions": {
+        "autoEncryptOpts": {
+          "kmsProviders": {
+            "awsTemporaryNoSessionToken": {}
+          }
+        }
+      },
+      "operations": [
+        {
+          "name": "insertOne",
+          "arguments": {
+            "document": {
+              "_id": 1,
+              "encrypted_string": "string0"
+            }
+          },
+          "result": {
+            "errorContains": "security token"
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/test/spec/client-side-encryption/awsTemporary.yml b/test/spec/client-side-encryption/awsTemporary.yml
