diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 978506ae97..be7ad26ab6 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -112,6 +112,7 @@ functions:
 PROJECT_DIRECTORY: "$PROJECT_DIRECTORY"
 PREPARE_SHELL: |
 set -o errexit
+ export SKIP_LEGACY_SHELL=1
 export GOROOT="$GOROOT"
 export GOPATH="$GOPATH"
 export GOCACHE="$GOCACHE"
@@ -722,61 +723,21 @@ functions: fi add-aws-auth-variables-to-file: - - command: shell.exec - type: test + - command: ec2.assume_role params: - shell: "bash" - working_dir: "src" - silent: true - script: | - cat < ${DRIVERS_TOOLS}/.evergreen/auth_aws/aws_e2e_setup.json - { - "iam_auth_ecs_account" : "${iam_auth_ecs_account}", - "iam_auth_ecs_secret_access_key" : "${iam_auth_ecs_secret_access_key}", - "iam_auth_ecs_account_arn": "arn:aws:iam::557821124784:user/authtest_fargate_user", - "iam_auth_ecs_cluster": "${iam_auth_ecs_cluster}", - "iam_auth_ecs_task_definition": "${iam_auth_ecs_task_definition_ubuntu2004}", - "iam_auth_ecs_subnet_a": "${iam_auth_ecs_subnet_a}", - "iam_auth_ecs_subnet_b": "${iam_auth_ecs_subnet_b}", - "iam_auth_ecs_security_group": "${iam_auth_ecs_security_group}", - "iam_auth_assume_aws_account" : "${iam_auth_assume_aws_account}", - "iam_auth_assume_aws_secret_access_key" : "${iam_auth_assume_aws_secret_access_key}", - "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}", - "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}", - "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}", - "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}", - "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}", - "iam_web_identity_issuer": "${iam_web_identity_issuer}", - "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}", - "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}", - "iam_web_identity_token_file": "${iam_web_identity_token_file}" - } - EOF - - run-aws-auth-test-with-regular-aws-credentials: + role_arn: ${aws_test_secrets_role} - command: shell.exec type: test params: + include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"] shell: "bash" working_dir: "src" script: | ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . 
./activate-authawsvenv.sh - mongo aws_e2e_regular_aws.js - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - alias urlencode='python3 -c "import sys, urllib.parse as ulp; sys.stdout.write(ulp.quote_plus(sys.argv[1]))"' - USER=$(urlencode ${iam_auth_ecs_account}) - PASS=$(urlencode ${iam_auth_ecs_secret_access_key}) - MONGODB_URI="mongodb://$USER:$PASS@localhost" - EOF + cd $DRIVERS_TOOLS/.evergreen/auth_aws + ./setup_secrets.sh drivers/aws_auth + + run-aws-auth-test-with-regular-aws-credentials: - command: shell.exec type: test params: @@ -784,7 +745,7 @@ functions: working_dir: "src" script: | ${PREPARE_SHELL} - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh regular run-aws-auth-test-with-assume-role-credentials: - command: shell.exec 
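Review bot: The new `shell.exec` step in `add-aws-auth-variables-to-file` drops the `silent: true` that the removed step carried, even though it now receives `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` through `include_expansions_in_env` and runs `./setup_secrets.sh drivers/aws_auth`. Whether `${PREPARE_SHELL}` or `setup_secrets.sh` enables xtrace or prints what it fetches is not visible in this hunk. I would keep `silent: true` under `params:` for this step, or confirm the script never echoes, so that the assumed-role credentials and the fetched secrets stay out of the task log. The `cd` is also safer quoted, `cd "$DRIVERS_TOOLS/.evergreen/auth_aws"`, so a path containing spaces does not split.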
@@ -794,36 +755,7 @@ functions: working_dir: "src" script: | ${PREPARE_SHELL} - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate-authawsvenv.sh - mongo aws_e2e_assume_role.js - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - # DO NOT ECHO WITH XTRACE - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - alias urlencode='python3 -c "import sys, urllib.parse as ulp; sys.stdout.write(ulp.quote_plus(sys.argv[1]))"' - alias jsonkey='python3 -c "import json,sys;sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])" < ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json' - USER=$(jsonkey AccessKeyId) - USER=$(urlencode $USER) - PASS=$(jsonkey SecretAccessKey) - PASS=$(urlencode $PASS) - SESSION_TOKEN=$(jsonkey SessionToken) - SESSION_TOKEN=$(urlencode $SESSION_TOKEN) - MONGODB_URI="mongodb://$USER:$PASS@localhost" - EOF - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - script: | - ${PREPARE_SHELL} - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh assume-role run-aws-auth-test-with-aws-EC2-credentials: - command: shell.exec 
@@ -837,38 +769,9 @@ functions: echo "This platform does not support the EC2 auth test, skipping..." exit 0 fi - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate-authawsvenv.sh - mongo aws_e2e_ec2.js - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - script: | - ${PREPARE_SHELL} - if [ "${SKIP_EC2_AUTH_TEST}" = "true" ]; then - exit 0 - fi - - # Truncate "prepare_mongodb_aws.sh" to zero length. If file not present, creates zero-length file. - : > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh ec2 run-aws-auth-test-with-aws-credentials-as-environment-variables: - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - # DO NOT ECHO WITH XTRACE - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - export AWS_ACCESS_KEY_ID=${iam_auth_ecs_account} - export AWS_SECRET_ACCESS_KEY=${iam_auth_ecs_secret_access_key} - EOF - command: shell.exec type: test params: @@ -876,23 +779,9 @@ functions: working_dir: "src" script: | ${PREPARE_SHELL} - PROJECT_DIRECTORY=${PROJECT_DIRECTORY} ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh env-creds run-aws-auth-test-with-aws-credentials-and-session-token-as-environment-variables: - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - # DO NOT ECHO WITH XTRACE - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - alias jsonkey='python -c "import json,sys;sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])" < ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json' - export AWS_ACCESS_KEY_ID=$(jsonkey AccessKeyId) - export AWS_SECRET_ACCESS_KEY=$(jsonkey SecretAccessKey) - export AWS_SESSION_TOKEN=$(jsonkey SessionToken) - EOF - command: shell.exec type: test params: 
@@ -900,7 +789,7 @@ functions: working_dir: "src" script: | ${PREPARE_SHELL} - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh session-creds run-aws-ECS-auth-test: - command: shell.exec @@ -932,14 +821,9 @@ functions: cp ${PROJECT_DIRECTORY}/main $ECS_SRC_DIR cp ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-ecs-test.sh $ECS_SRC_DIR/.evergreen tar -czf $ECS_SRC_DIR/src.tgz -C $PROJECT_DIRECTORY . - cd $AUTH_AWS_DIR - . ./activate-authawsvenv.sh - cat < setup.js - const mongo_binaries = "$MONGODB_BINARIES"; - const project_dir = "$ECS_SRC_DIR"; - EOF - cat setup.js - mongo --nodb setup.js aws_e2e_ecs.js + + export PROJECT_DIRECTORY="$ECS_SRC_DIR" + $AUTH_AWS_DIR/aws_setup.sh ecs run-aws-auth-test-with-aws-web-identity-credentials: - command: shell.exec 
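Review bot: In the `run-aws-ECS-auth-test` hunk, `export PROJECT_DIRECTORY="$ECS_SRC_DIR"` re-points a variable that the `cp` and `tar` lines just above used for the real checkout, and no comment says why. Presumably `aws_setup.sh ecs` reads it as the directory to ship into the container; a one-line comment such as `# aws_setup.sh ecs reads PROJECT_DIRECTORY; point it at the staged copy` would save the next reader that guess, once confirmed against the helper script. I would also quote the call, `"$AUTH_AWS_DIR/aws_setup.sh" ecs`. The script body starts above this hunk, so any earlier use of these variables is not visible here.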
@@ -953,56 +837,7 @@ functions: echo "This platform does not support the web identity auth test, skipping..." exit 0 fi - cd ${DRIVERS_TOOLS}/.evergreen/auth_aws - . ./activate_venv.sh - mongo aws_e2e_web_identity.js - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - if [ "${SKIP_WEB_IDENTITY_AUTH_TEST}" = "true" ]; then - echo "This platform does not support the web identity auth test, skipping..." - exit 0 - fi - # DO NOT ECHO WITH XTRACE - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" - export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" - export MONGODB_URI="mongodb://localhost" - EOF - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - script: | - ${PREPARE_SHELL} - if [ "${SKIP_WEB_IDENTITY_AUTH_TEST}" = "true" ]; then - echo "This platform does not support the web identity auth test, skipping..." - exit 0 - fi - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh - - command: shell.exec - type: test - params: - shell: "bash" - working_dir: "src" - silent: true - script: | - if [ "${SKIP_WEB_IDENTITY_AUTH_TEST}" = "true" ]; then - echo "This platform does not support the web identity auth test, skipping..." - exit 0 - fi - # DO NOT ECHO WITH XTRACE - cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - export AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" - export AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" - export AWS_ROLE_SESSION_NAME="test" - export MONGODB_URI="mongodb://localhost" - EOF + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh web-identity - command: shell.exec type: test params: 
@@ -1014,7 +849,8 @@ functions: echo "This platform does not support the web identity auth test, skipping..." exit 0 fi - ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh + export AWS_ROLE_SESSION_NAME="test" + ${PROJECT_DIRECTORY}/.evergreen/run-mongodb-aws-test.sh web-identity start-kms-mock-server: - command: shell.exec diff --git a/.evergreen/run-mongodb-aws-test.sh b/.evergreen/run-mongodb-aws-test.sh index 4652734ff8..3b213b249c 100644 --- a/.evergreen/run-mongodb-aws-test.sh +++ b/.evergreen/run-mongodb-aws-test.sh @@ -12,20 +12,9 @@ set -o errexit # Exit the script with error if any of the commands fail # mechanism. echo "Running MONGODB-AWS authentication tests" -# ensure no secrets are printed in log files -set +x -# load the script -shopt -s expand_aliases # needed for `urlencode` alias -[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" - -MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"} -MONGODB_URI="${MONGODB_URI}/aws?authMechanism=MONGODB-AWS" -if [[ -n ${SESSION_TOKEN} ]]; then - MONGODB_URI="${MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:${SESSION_TOKEN}" -fi - -export MONGODB_URI="$MONGODB_URI" +# Handle credentials and environment setup. +. $DRIVERS_TOOLS/.evergreen/auth_aws/aws_setup.sh $1 # show test output set -x
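Review bot: In `run-mongodb-aws-test.sh`, the added `. $DRIVERS_TOOLS/.evergreen/auth_aws/aws_setup.sh $1` replaces a block that began with `set +x` ("ensure no secrets are printed in log files"), so credential handling now runs under whatever trace state the caller or the lines above this hunk left on. Because the helper is sourced, whatever it exports stays in this shell, and the context line `set -x` right after it will trace any later command that expands those values; whether the remaining lines do so is outside this hunk. I would keep `set +x` immediately before the source line and quote both expansions: `. "$DRIVERS_TOOLS/.evergreen/auth_aws/aws_setup.sh" "$1"`. A guard such as `: "${1:?usage: run-mongodb-aws-test.sh <test-name>}"` would also fail fast when the test name is missing, instead of sourcing the helper with no argument.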