diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 0603f385ac..6e71fd660f 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -141,8 +141,8 @@ functions: export UPLOAD_BUCKET="$UPLOAD_BUCKET" export PROJECT="$PROJECT" export TMPDIR="$MONGO_ORCHESTRATION_HOME/db" - export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig - export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib + export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig + export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64 export PATH="$PATH" EOT # See what we variables we've set. @@ -245,6 +245,7 @@ functions: params: shell: "bash" script: | + set -x ${PREPARE_SHELL} MONGODB_VERSION=${VERSION} \ @@ -2082,7 +2083,7 @@ tasks: export GCPKMS_PROJECT=${GCPKMS_PROJECT} export GCPKMS_ZONE=${GCPKMS_ZONE} export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME} - tar czf testgcpkms.tgz ./testkms ./install/libmongocrypt/lib/libmongocrypt.* + tar czf testgcpkms.tgz ./testkms ./install/libmongocrypt/lib64/libmongocrypt.* GCPKMS_SRC=testgcpkms.tgz GCPKMS_DST=$GCPKMS_INSTANCENAME: $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/copy-file.sh echo "Copying files ... end" @@ -2101,7 +2102,7 @@ tasks: export GCPKMS_PROJECT=${GCPKMS_PROJECT} export GCPKMS_ZONE=${GCPKMS_ZONE} export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME} - GCPKMS_CMD="LD_LIBRARY_PATH=./install/libmongocrypt/lib MONGODB_URI='mongodb://localhost:27017' PROVIDER='gcp' ./testkms" $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh + GCPKMS_CMD="LD_LIBRARY_PATH=./install/libmongocrypt/lib64 MONGODB_URI='mongodb://localhost:27017' PROVIDER='gcp' ./testkms" $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh - name: "testgcpkms-fail-task" # testgcpkms-fail-task runs in a non-GCE environment. 
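Review bot: The `lib64` directory is now hard-coded in `PKG_CONFIG_PATH` and `LD_LIBRARY_PATH` in the `@@ -141,8 +141,8 @@` hunk, and `.evergreen/run-tests.sh` gets the same replacement, yet the axes later in this file still list macOS, Windows and Ubuntu 18.04 hosts. If libmongocrypt installs into `lib` on any host that runs these scripts (not visible here), the build or the loader will no longer find it there. Listing both directories keeps the scripts host-independent, e.g. `export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64:$(pwd)/install/libmongocrypt/lib`, with the matching pair of `pkgconfig` entries in `PKG_CONFIG_PATH`. The heredoc this hunk edits starts outside the hunk.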
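Review bot: `set -x` in the `@@ -245,6 +245,7 @@` hunk turns on xtrace for the whole script, so every command is written to the task log after expansion, including the value of any variable that ends up on a command line. The script continues outside the hunk, so I cannot see whether it handles credentials or credential-bearing URIs; if it does, they would be recorded in the CI log. If the trace is only needed while debugging the host migration, drop it before merging, or bracket just the commands of interest with `set -x` and `set +x`.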
@@ -2119,7 +2120,7 @@ tasks: PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ make build-kms-test echo "Building build-kms-test ... end" - LD_LIBRARY_PATH=./install/libmongocrypt/lib \ + LD_LIBRARY_PATH=./install/libmongocrypt/lib64 \ MONGODB_URI='mongodb://localhost:27017/' \ EXPECT_ERROR='unable to retrieve GCP credentials' \ PROVIDER='gcp' \ @@ -2143,7 +2144,7 @@ tasks: export AWS_ACCESS_KEY_ID="${cse_aws_access_key_id}" export AWS_SECRET_ACCESS_KEY="${cse_aws_secret_access_key}" - LD_LIBRARY_PATH=./install/libmongocrypt/lib \ + LD_LIBRARY_PATH=./install/libmongocrypt/lib64 \ MONGODB_URI='${atlas_free_tier_uri}' \ PROVIDER='aws' \ ./testkms @@ -2165,9 +2166,9 @@ tasks: make build-kms-test echo "Building build-kms-test ... end" - LD_LIBRARY_PATH=./install/libmongocrypt/lib \ + LD_LIBRARY_PATH=./install/libmongocrypt/lib64 \ MONGODB_URI='${atlas_free_tier_uri}' \ - EXPECT_ERROR='unable to retrieve aws credentials' \ + EXPECT_ERROR='status=400' \ PROVIDER='aws' \ ./testkms @@ -2191,7 +2192,7 @@ tasks: export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} echo '${testazurekms_privatekey}' > /tmp/testazurekms.prikey export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms.prikey - tar czf testazurekms.tgz ./testkms ./install/libmongocrypt/lib/libmongocrypt.* + tar czf testazurekms.tgz ./testkms ./install/libmongocrypt/lib64/libmongocrypt.* AZUREKMS_SRC=testazurekms.tgz AZUREKMS_DST=/tmp $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh echo "Copying files ... end" echo "Untarring file ... begin" 
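Review bot: `EXPECT_ERROR='status=400'` in the `@@ -2165,9 +2166,9 @@` hunk is a much weaker expectation than the text it replaces, because any KMS request answered with HTTP 400 would now satisfy this negative test, whether or not missing credentials were the cause. For a task that appears to exist to prove credentials are not picked up, that can hide a regression. If `./testkms` does a substring match (not visible here), prefer a longer fragment of the actual error that names the credential failure. Also record why the text changed next to the setting, e.g. `# EXPECT_ERROR is 'status=400' because <reason for the new error text>`.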
@@ -2209,7 +2210,7 @@ tasks: export AZUREKMS_VMNAME=${AZUREKMS_VMNAME} echo '${testazurekms_privatekey}' > /tmp/testazurekms.prikey export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms.prikey - AZUREKMS_CMD="LD_LIBRARY_PATH=./install/libmongocrypt/lib MONGODB_URI='mongodb://localhost:27017' PROVIDER='azure' AZUREKMS_KEY_NAME='${AZUREKMS_KEY_NAME}' AZUREKMS_KEY_VAULT_ENDPOINT='${AZUREKMS_KEY_VAULT_ENDPOINT}' ./testkms" $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh + AZUREKMS_CMD="LD_LIBRARY_PATH=./install/libmongocrypt/lib64 MONGODB_URI='mongodb://localhost:27017' PROVIDER='azure' AZUREKMS_KEY_NAME='${AZUREKMS_KEY_NAME}' AZUREKMS_KEY_VAULT_ENDPOINT='${AZUREKMS_KEY_VAULT_ENDPOINT}' ./testkms" $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh - name: "testazurekms-fail-task" # testazurekms-fail-task runs without environment variables. @@ -2228,7 +2229,7 @@ tasks: make build-kms-test echo "Building build-kms-test ... end" - LD_LIBRARY_PATH=./install/libmongocrypt/lib \ + LD_LIBRARY_PATH=./install/libmongocrypt/lib64 \ MONGODB_URI='mongodb://localhost:27017' \ EXPECT_ERROR='unable to retrieve azure credentials' \ PROVIDER='azure' AZUREKMS_KEY_NAME='${AZUREKMS_KEY_NAME}' AZUREKMS_KEY_VAULT_ENDPOINT='${AZUREKMS_KEY_VAULT_ENDPOINT}' \ @@ -2311,9 +2312,9 @@ axes: GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin" GO_DIST: "C:\\golang\\go1.20" VENV_BIN_DIR: "Scripts" - - id: "ubuntu1604-64-go-1-20" - display_name: "Ubuntu 16.04" - run_on: ubuntu1604-build + - id: "rhel87-64-go-1-20" + display_name: "RHEL 8.7" + run_on: rhel8.7-large variables: GO_DIST: "/opt/golang/go1.20" - id: "macos11-go-1-20" 
@@ -2335,9 +2336,9 @@ axes: GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin" GO_DIST: "C:\\golang\\go1.20" VENV_BIN_DIR: "Scripts" - - id: "ubuntu1804-64-go-1-20" - display_name: "Ubuntu 18.04" - run_on: ubuntu1804-build + - id: "rhel87-64-go-1-20" + display_name: "RHEL 8.7" + run_on: rhel8.7-large variables: GO_DIST: "/opt/golang/go1.20" - id: "macos11-go-1-20" @@ -2347,13 +2348,12 @@ axes: variables: GO_DIST: "/opt/golang/go1.20" - # OCSP linux tasks need to run against this OS since stapling is disabled on Ubuntu 18.04 (SERVER-51364) - - id: ocsp-rhel-70 + - id: ocsp-rhel-87 display_name: OS values: - - id: "rhel70-go-1-20" - display_name: "RHEL 7.0" - run_on: rhel70-build + - id: "rhel87-go-1-20" + display_name: "RHEL 8.7" + run_on: rhel8.7-large variables: GO_DIST: "/opt/golang/go1.20" @@ -2368,6 +2368,8 @@ axes: GCC_PATH: "/cygdrive/c/ProgramData/chocolatey/lib/mingw/tools/install/mingw64/bin" GO_DIST: "C:\\golang\\go1.20" SKIP_ECS_AUTH_TEST: true + # TODO(BUILD-17329): Update this to Ubuntu 22 after we add a new ECS task + # definition. - id: "ubuntu1804-64-go-1-20" display_name: "Ubuntu 18.04" run_on: ubuntu1804-test @@ -2386,18 +2388,18 @@ axes: - id: os-faas-80 display_name: OS values: - - id: "rhel80-large-go-1-20" - display_name: "RHEL 8.0" - run_on: rhel80-large + - id: "rhel87-large-go-1-20" + display_name: "RHEL 8.7" + run_on: rhel8.7-large variables: GO_DIST: "/opt/golang/go1.20" - id: os-serverless display_name: OS values: - - id: "ubuntu2204-go-1-20" - display_name: "Ubuntu 22.04" - run_on: ubuntu2204-small + - id: "rhel87-go-1-20" + display_name: "RHEL 8.7" + run_on: rhel8.7-small variables: GO_DIST: "/opt/golang/go1.20" @@ -2620,7 +2622,7 @@ buildvariants: - name: static-analysis display_name: "Static Analysis" run_on: - - ubuntu1804-build + - rhel8.7-large expansions: GO_DIST: "/opt/golang/go1.20" tasks: 
@@ -2629,7 +2631,7 @@ buildvariants: - name: perf display_name: "Performance" run_on: - - ubuntu1804-build + - rhel8.7-large expansions: GO_DIST: "/opt/golang/go1.20" tasks: @@ -2638,16 +2640,16 @@ buildvariants: - name: build-check display_name: "Compile Only Checks" run_on: - - ubuntu1804-test + - rhel8.7-large expansions: GO_DIST: "/opt/golang/go1.20" tasks: - name: ".compile-check" - + - name: atlas-test display_name: "Atlas test" run_on: - - ubuntu1804-build + - rhel8.7-large expansions: GO_DIST: "/opt/golang/go1.20" tasks: @@ -2656,7 +2658,7 @@ buildvariants: - name: atlas-data-lake-test display_name: "Atlas Data Lake Test" run_on: - - ubuntu1804-build + - rhel8.7-large expansions: GO_DIST: "/opt/golang/go1.20" tasks: @@ -2693,8 +2695,8 @@ buildvariants: - name: "aws-auth-test" - matrix_name: "ocsp-test" - matrix_spec: { version: ["4.4", "5.0", "6.0", "7.0", "latest"], ocsp-rhel-70: ["rhel70-go-1-20"] } - display_name: "OCSP ${version} ${ocsp-rhel-70}" + matrix_spec: { version: ["4.4", "5.0", "6.0", "7.0", "latest"], ocsp-rhel-87: ["rhel87-go-1-20"] } + display_name: "OCSP ${version} ${ocsp-rhel-87}" batchtime: 20160 # Use a batchtime of 14 days as suggested by the OCSP test README tasks: - name: ".ocsp" @@ -2716,7 +2718,7 @@ buildvariants: - name: ".ocsp-rsa !.ocsp-staple" - matrix_name: "race-test" - matrix_spec: { version: ["latest"], os-ssl-40: ["ubuntu1804-64-go-1-20"] } + matrix_spec: { version: ["latest"], os-ssl-40: ["rhel87-64-go-1-20"] } display_name: "Race Detector Test" tasks: - name: ".race" 
@@ -2728,14 +2730,13 @@ buildvariants: - name: ".versioned-api" - matrix_name: "kms-tls-test" - matrix_spec: { version: ["latest"], os-ssl-40: ["ubuntu1804-64-go-1-20"] } + matrix_spec: { version: ["latest"], os-ssl-40: ["rhel87-64-go-1-20"] } display_name: "KMS TLS ${os-ssl-40}" tasks: - name: ".kms-tls" - matrix_name: "load-balancer-test" - # The LB software is only available on Ubuntu 18.04, so we don't test on all OSes. - matrix_spec: { version: ["5.0", "6.0", "7.0", "latest", "rapid"], os-ssl-40: ["ubuntu1804-64-go-1-20"] } + matrix_spec: { version: ["5.0", "6.0", "7.0", "latest", "rapid"], os-ssl-40: ["rhel87-64-go-1-20"] } display_name: "Load Balancer Support ${version} ${os-ssl-40}" tasks: - name: ".load-balancer" @@ -2747,20 +2748,20 @@ buildvariants: - "serverless_task_group" - matrix_name: "kms-kmip-test" - matrix_spec: { version: ["latest"], os-ssl-40: ["ubuntu1804-64-go-1-20"] } + matrix_spec: { version: ["latest"], os-ssl-40: ["rhel87-64-go-1-20"] } display_name: "KMS KMIP ${os-ssl-40}" tasks: - name: ".kms-kmip" - matrix_name: "fuzz-test" - matrix_spec: { version: ["5.0"], os-ssl-40: ["ubuntu1804-64-go-1-20"] } + matrix_spec: { version: ["5.0"], os-ssl-40: ["rhel87-64-go-1-20"] } display_name: "Fuzz ${version} ${os-ssl-40}" tasks: - name: "test-fuzz" batchtime: 1440 # Run at most once per 24 hours. - matrix_name: "faas-test" - matrix_spec: { version: ["latest"], os-faas-80: ["rhel80-large-go-1-20"] } + matrix_spec: { version: ["latest"], os-faas-80: ["rhel87-large-go-1-20"] } display_name: "FaaS ${version} ${os-faas-80}" tasks: - test-aws-lambda-task-group @@ -2768,7 +2769,7 @@ buildvariants: - name: testgcpkms-variant display_name: "GCP KMS" run_on: - - debian11-small + - rhel8.7-small expansions: GO_DIST: "/opt/golang/go1.20" tasks: @@ -2779,7 +2780,7 @@ buildvariants: - name: testawskms-variant display_name: "AWS KMS" run_on: - - debian11-small + - rhel8.7-small expansions: GO_DIST: "/opt/golang/go1.20" tasks: 
@@ -2789,7 +2790,7 @@ buildvariants: - name: testazurekms-variant display_name: "AZURE KMS" run_on: - - debian11-small + - rhel8.7-small expansions: GO_DIST: "/opt/golang/go1.20" tasks: diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh index 66cb9f394c..001ac6d660 100644 --- a/.evergreen/run-tests.sh +++ b/.evergreen/run-tests.sh @@ -15,8 +15,8 @@ fi export GOROOT="${GOROOT}" export PATH="${GOROOT}/bin:${GCC_PATH}:$GOPATH/bin:$PATH" export PROJECT="${project}" -export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig -export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib +export PKG_CONFIG_PATH=$(pwd)/install/libmongocrypt/lib64/pkgconfig:$(pwd)/install/mongo-c-driver/lib/pkgconfig +export LD_LIBRARY_PATH=$(pwd)/install/libmongocrypt/lib64 export GOFLAGS=-mod=vendor SSL=${SSL:-nossl} diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go index 88b2b89855..8d8c0db293 100644 --- a/mongo/integration/client_side_encryption_prose_test.go +++ b/mongo/integration/client_side_encryption_prose_test.go @@ -19,7 +19,6 @@ import ( "net/http" "os" "path/filepath" - "runtime" "strings" "testing" "time" @@ -55,6 +54,16 @@ const ( maxBsonObjSize = 16777216 // max bytes in BSON object ) +func containsSubstring(possibleSubstrings []string, str string) bool { + for _, possibleSubstring := range possibleSubstrings { + if strings.Contains(str, possibleSubstring) { + return true + } + } + + return false +} + func TestClientSideEncryptionProse(t *testing.T) { t.Parallel() 
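Review bot: `containsSubstring` has no doc comment, and its argument order (candidates first, string searched second) is the reverse of `strings.Contains`, which makes call sites easy to misread. A comment stating the contract would help, for example `// containsSubstring reports whether str contains at least one of possibleSubstrings; it returns false when the slice is empty.` The empty-slice behaviour is worth spelling out because the test table now uses `[]string{}` to mean "no error expected".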
@@ -866,26 +875,119 @@ func TestClientSideEncryptionProse(t *testing.T) { "endpoint": "doesnotexist.local:5698", } + const ( + errConnectionRefused = "connection refused" + errInvalidKMSResponse = "Invalid KMS response" + errMongocryptError = "mongocrypt error" + errNoSuchHost = "no such host" + errServerMisbehaving = "server misbehaving" + errWindowsTLSConnectionRefused = "No connection could be made because the target machine actively refused it" + ) + testCases := []struct { name string provider string masterKey interface{} - errorSubstring string + errorSubstring []string testInvalidClientEncryption bool - invalidClientEncryptionErrorSubstring string + invalidClientEncryptionErrorSubstring []string }{ - {"Case 1: aws success without endpoint", "aws", awsSuccessWithoutEndpoint, "", false, ""}, - {"Case 2: aws success with endpoint", "aws", awsSuccessWithEndpoint, "", false, ""}, - {"Case 3: aws success with https endpoint", "aws", awsSuccessWithHTTPSEndpoint, "", false, ""}, - {"Case 4: aws failure with connection error", "aws", awsFailureConnectionError, "connection refused", false, ""}, - {"Case 5: aws failure with wrong endpoint", "aws", awsFailureInvalidEndpoint, "mongocrypt error", false, ""}, - {"Case 6: aws failure with parse error", "aws", awsFailureParseError, "no such host", false, ""}, - {"Case 7: azure success", "azure", azure, "", true, "no such host"}, - {"Case 8: gcp success", "gcp", gcpSuccess, "", true, "no such host"}, - {"Case 9: gcp failure", "gcp", gcpFailure, "Invalid KMS response", false, ""}, - {"Case 10: kmip success without endpoint", "kmip", kmipSuccessWithoutEndpoint, "", true, "no such host"}, - {"Case 11: kmip success with endpoint", "kmip", kmipSuccessWithEndpoint, "", false, ""}, - {"Case 12: kmip failure with invalid endpoint", "kmip", kmipFailureInvalidEndpoint, "no such host", false, ""}, + { + name: "Case 1: aws success without endpoint", + provider: "aws", + masterKey: awsSuccessWithoutEndpoint, + errorSubstring: []string{}, 
+ testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 2: aws success with endpoint", + provider: "aws", + masterKey: awsSuccessWithEndpoint, + errorSubstring: []string{}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 3: aws success with https endpoint", + provider: "aws", + masterKey: awsSuccessWithHTTPSEndpoint, + errorSubstring: []string{}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 4: aws failure with connection error", + provider: "aws", + masterKey: awsFailureConnectionError, + errorSubstring: []string{errConnectionRefused, errWindowsTLSConnectionRefused}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 5: aws failure with wrong endpoint", + provider: "aws", + masterKey: awsFailureInvalidEndpoint, + errorSubstring: []string{errMongocryptError}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 6: aws failure with parse error", + provider: "aws", + masterKey: awsFailureParseError, + errorSubstring: []string{errNoSuchHost, errServerMisbehaving}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 7: azure success", + provider: "azure", + masterKey: azure, + errorSubstring: []string{}, + testInvalidClientEncryption: true, + invalidClientEncryptionErrorSubstring: []string{errNoSuchHost, errServerMisbehaving}, + }, + { + name: "Case 8: gcp success", + provider: "gcp", + masterKey: gcpSuccess, + errorSubstring: []string{}, + testInvalidClientEncryption: true, + invalidClientEncryptionErrorSubstring: []string{errNoSuchHost, errServerMisbehaving}, + }, + { + name: "Case 9: gcp failure", + provider: "gcp", + masterKey: gcpFailure, + errorSubstring: []string{errInvalidKMSResponse}, + 
testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 10: kmip success without endpoint", + provider: "kmip", + masterKey: kmipSuccessWithoutEndpoint, + errorSubstring: []string{}, + testInvalidClientEncryption: true, + invalidClientEncryptionErrorSubstring: []string{errNoSuchHost, errServerMisbehaving}, + }, + { + name: "Case 11: kmip success with endpoint", + provider: "kmip", + masterKey: kmipSuccessWithEndpoint, + errorSubstring: []string{}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, + { + name: "Case 12: kmip failure with invalid endpoint", + provider: "kmip", + masterKey: kmipFailureInvalidEndpoint, + errorSubstring: []string{errNoSuchHost, errServerMisbehaving}, + testInvalidClientEncryption: false, + invalidClientEncryptionErrorSubstring: []string{}, + }, } for _, tc := range testCases { mt.Run(tc.name, func(mt *mtest.T) { @@ -897,16 +999,12 @@ func TestClientSideEncryptionProse(t *testing.T) { dkOpts := options.DataKey().SetMasterKey(tc.masterKey) createdKey, err := cpt.clientEnc.CreateDataKey(context.Background(), tc.provider, dkOpts) - if tc.errorSubstring != "" { + if len(tc.errorSubstring) > 0 { assert.NotNil(mt, err, "expected error, got nil") - errSubstr := tc.errorSubstring - if runtime.GOOS == "windows" && errSubstr == "connection refused" { - // tls.Dial returns an error that does not contain the substring "connection refused" - // on Windows machines - errSubstr = "No connection could be made because the target machine actively refused it" - } - assert.True(mt, strings.Contains(err.Error(), errSubstr), - "expected error '%s' to contain '%s'", err.Error(), errSubstr) + + assert.True(t, containsSubstring(tc.errorSubstring, err.Error()), + "expected tc.errorSubstring=%v to contain %v, but it didn't", tc.errorSubstring, err.Error()) + return } assert.Nil(mt, err, "CreateDataKey error: %v", err) 
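Review bot: The new `assert.True(t, containsSubstring(...))` in the `@@ -897,16 +999,12 @@` hunk reports to the outer `t` instead of the subtest's `mt`, while the neighbouring `assert.NotNil(mt, ...)` and `assert.Nil(mt, ...)` still use `mt`. A mismatch would therefore be attributed to the parent test rather than the named case. The same substitution appears in the `@@ -933,8 +1031,10 @@` hunk. The failure message is also inverted, since it is the error that should contain one of the substrings. I would write `assert.True(mt, containsSubstring(tc.errorSubstring, err.Error()),` followed by `"expected error %q to contain one of %v", err.Error(), tc.errorSubstring)`, and likewise for `tc.invalidClientEncryptionErrorSubstring`.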
@@ -933,8 +1031,10 @@ func TestClientSideEncryptionProse(t *testing.T) { invalidKeyOpts := options.DataKey().SetMasterKey(tc.masterKey) _, err = invalidClientEncryption.CreateDataKey(context.Background(), tc.provider, invalidKeyOpts) assert.NotNil(mt, err, "expected CreateDataKey error, got nil") - assert.True(mt, strings.Contains(err.Error(), tc.invalidClientEncryptionErrorSubstring), - "expected error %v to contain substring '%v'", err, tc.invalidClientEncryptionErrorSubstring) + + assert.True(t, containsSubstring(tc.invalidClientEncryptionErrorSubstring, err.Error()), + "expected tc.invalidClientEncryptionErrorSubstring=%v to contain %v, but it didn't", + tc.invalidClientEncryptionErrorSubstring, err.Error()) }) } })