From 0361b3fd3a9f1641518aa2f37d872d3346e8a450 Mon Sep 17 00:00:00 2001
From: Noah Stapp
Date: Tue, 8 Aug 2023 16:00:06 -0700
Subject: [PATCH] DRIVERS-2585 Use AWS Secrets Manager for AWS-Related Test Secrets (#334)
---
 .evergreen/auth_aws/setup_secrets.py | 89 +++++++++++++++++++++++++
 .evergreen/auth_oidc/oidc_get_tokens.py | 2 +-
 .gitignore | 2 +
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 .evergreen/auth_aws/setup_secrets.py
diff --git a/.evergreen/auth_aws/setup_secrets.py b/.evergreen/auth_aws/setup_secrets.py
new file mode 100644
index 00000000..7bdea542
--- /dev/null
+++ b/.evergreen/auth_aws/setup_secrets.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Script for fetching AWS Secrets Vault secrets for use in testing.
+"""
+import argparse
+import json
+import os
+import yaml
+import boto3
+
+
+def get_secrets(vaults, region="us-east-1", profile="default"):
+    """Get the driver secret values."""
+    # Handle local credentials.
+    try:
+        session = boto3.Session(profile_name=profile)
+        client = session.client(service_name='secretsmanager', region_name=region)
+    except Exception:
+        print("Failed to connect using AWS credentials, trying with environment variables")
+        if "AWS_SESSION_TOKEN" not in os.environ:
+            if "AWS_ROLE_ARN" in os.environ:
+                session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
+                                        aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'])
+                client = session.client(service_name='sts', region_name=region)
+                creds = client.assume_role(RoleArn=os.environ['AWS_ROLE_ARN'], RoleSessionName='test')['Credentials']
+                os.environ['AWS_ACCESS_KEY_ID'] = creds['AccessKeyId']
+                os.environ['AWS_SECRET_ACCESS_KEY'] = creds['SecretAccessKey']
+                os.environ['AWS_SESSION_TOKEN'] = creds['SessionToken']
+            else:
+                raise ValueError('Missing AWS credentials')
+
+        # Create a session using the given creds
+        session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
+                                aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'],
+                                aws_session_token=os.environ['AWS_SESSION_TOKEN'])
+        client = session.client(service_name='secretsmanager', region_name=region)
+
+    secrets = []
+    try:
+        for vault in vaults:
+            secrets.append(client.get_secret_value(
+                SecretId=vault
+            )['SecretString'])
+    except Exception as e:
+        # For a list of exceptions thrown, see
+        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+        raise e
+
+    # Decrypts secret using the associated KMS key.
+    return [json.loads(s) for s in secrets]
+
+
+def write_secrets(vaults, region, profile):
+    pairs = {}
+    secrets = get_secrets(vaults, region, profile)
+    for secret in secrets:
+        for key, val in secret.items():
+            pairs[key.upper()] = val
+
+    with open("secrets-expansion.yml", "w") as yaml_out:
+        yaml.dump(pairs, yaml_out, default_flow_style=False, allow_unicode=True, default_style='"')
+
+    with open("secrets-export.sh", "w") as out:
+        # These values are secrets, do not print them
+        out.write("#!/usr/bin/env bash\n\nset +x\n")
+        for key, val in pairs.items():
+            out.write("export " + key + "=" + "\"" + val + "\"\n")
+
+
+def main():
+    parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+                                     description='MongoDB AWS Secrets Vault fetcher. If connecting with the given AWS '
+                                                 'profile fails, will attempt to use local environment variables '
+                                                 'instead.')
+
+    parser.add_argument("-p", "--profile", type=str, metavar="profile", default="default", help="a local AWS profile "
+                                                                                                 "to use credentials "
+                                                                                                 "from.")
+    parser.add_argument("-r", "--region", type=str, metavar="region", default="us-east-1",
+                        help="the AWS region containing the given vaults.")
+    parser.add_argument("vaults", metavar="V", type=str, nargs="+", help="a vault to fetch secrets from")
+
+    args = parser.parse_args()
+
+    write_secrets(args.vaults, args.region, args.profile)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/.evergreen/auth_oidc/oidc_get_tokens.py b/.evergreen/auth_oidc/oidc_get_tokens.py
index 10b22cca..d554cf7e 100644
--- a/.evergreen/auth_oidc/oidc_get_tokens.py
+++ b/.evergreen/auth_oidc/oidc_get_tokens.py
@@ -16,7 +16,7 @@ def main():
 'rsa_key': secrets['oidc_rsa_key'],
 'audience': DEFAULT_CLIENT,
 'client_id': DEFAULT_CLIENT,
- 'client_secret':secrets['oidc_client_secret'],
+ 'client_secret': secrets['oidc_client_secret'],
 'username': 'test_user1',
 'token_file': os.path.join(token_dir, 'test_user1')
 }
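Review bot: The `export` lines that `write_secrets` writes to `secrets-export.sh` place each secret value between bare double quotes, so a value containing `"`, `$`, a backtick or a backslash is either mangled or expanded by bash when the file is sourced, and a non-string JSON value (`json.loads` can return numbers or nested objects) raises TypeError on the string concatenation. Quoting with the standard library fixes both: `out.write(f"export {key}={shlex.quote(str(val))}\n")` with `import shlex` added to the module imports. Both output files are also created with the process umask, so on a typical CI host they are world-readable despite the `set +x` guard; opening them via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (or calling `os.chmod(path, 0o600)` right after `open`) restricts them to the owner. Keys are upper-cased but never checked to be valid shell identifiers, so a secret key containing a hyphen would presumably yield an `export` line bash rejects — worth a comment on the `pairs[key.upper()] = val` line or a validation step before writing.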
diff --git a/.gitignore b/.gitignore
index 2f6f2ebd..b01d2142 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,3 +106,5 @@ lb-expansion.yml
 .DS_Store
 *.log
 orchestration.config
+secrets-expansion.yml
+secrets-export.sh