From c48923bd95f6faf3173e3a1ca796731fac4e7db0 Mon Sep 17 00:00:00 2001
From: Preston Vasquez
Date: Fri, 2 May 2025 10:05:45 -0600
Subject: [PATCH 1/4] GODRIVER-3549 Fix timeouts in CSE custom endpoint test (#2028) (#2031)
---
 .../client_side_encryption_prose_test.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/mongo/integration/client_side_encryption_prose_test.go b/mongo/integration/client_side_encryption_prose_test.go
index 3d2b2304a2..f1f7811ba3 100644
--- a/mongo/integration/client_side_encryption_prose_test.go
+++ b/mongo/integration/client_side_encryption_prose_test.go
@@ -806,7 +806,7 @@ func TestClientSideEncryptionProse(t *testing.T) {
 "endpoint": "doesnotexist.invalid:443",
 },
 "kmip": {
- "endpoint": "doesnotexist.local:5698",
+ "endpoint": "doesnotexist.invalid:5698",
 },
 }
 
@@ -830,9 +830,8 @@ func TestClientSideEncryptionProse(t *testing.T) {
 "endpoint": "kms.us-east-1.amazonaws.com:443",
 }
 awsFailureConnectionError := map[string]interface{}{
- "region": "us-east-1",
- "key": "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
- "endpoint": "kms.us-east-1.amazonaws.com:12345",
+ "keyId": "1",
+ "endpoint": "localhost:12345",
 }
 awsFailureInvalidEndpoint := map[string]interface{}{
 "region": "us-east-1",
@@ -871,7 +870,7 @@ func TestClientSideEncryptionProse(t *testing.T) {
 }
 kmipFailureInvalidEndpoint := map[string]interface{}{
 "keyId": "1",
- "endpoint": "doesnotexist.local:5698",
+ "endpoint": "doesnotexist.invalid:5698",
 }
 
 const (
@@ -917,7 +916,7 @@ func TestClientSideEncryptionProse(t *testing.T) {
 },
 {
 name: "Case 4: aws failure with connection error",
- provider: "aws",
+ provider: "kmip",
 masterKey: awsFailureConnectionError,
 errorSubstring: []string{errConnectionRefused, errWindowsTLSConnectionRefused},
 testInvalidClientEncryption: false,
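Review bot: Case 4 is still named `"Case 4: aws failure with connection error"` and still takes its key from `awsFailureConnectionError`, but after the hunks at -830 and -917 it sends a KMIP-shaped key (`keyId`, `localhost:12345`) to `provider: "kmip"`. Nothing in the visible hunks exercises the AWS connection-refused path any more, and a failure here will be reported under a name that points at the wrong provider. I would rename the variable to `kmipFailureConnectionError`, adjust the case name to match, and add a one-line comment such as `// uses kmip against localhost because the AWS endpoint timed out instead of refusing the connection`. The test function starts and ends outside these hunks.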
@@ -1588,7 +1587,7 @@ func TestClientSideEncryptionProse(t *testing.T) {
 "endpoint": "127.0.0.1:9001",
 }
 azureMasterKey := map[string]interface{}{
- "keyVaultEndpoint": "doesnotexist.local",
+ "keyVaultEndpoint": "doesnotexist.invalid",
 "keyName": "foo",
 }
 gcpMasterKey := map[string]interface{}{
From 1b0d2691b7deedebeaf1efbbb303aec83086b1b5 Mon Sep 17 00:00:00 2001
From: Preston Vasquez
Date: Tue, 3 Jun 2025 15:54:47 -0600
Subject: [PATCH 2/4] GODRIVER-3560 Assume ec2 role explicitly in CI
---
 .evergreen/config.yml | 115 +++++++++--------------------------------
 Makefile | 24 ---------
 etc/run-awskms-test.sh | 12 +++--
 3 files changed, 31 insertions(+), 120 deletions(-)
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index bdb9ecbcd9..324bfcb264 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -26,6 +26,11 @@ timeout:
 script: |
 ls -la
 functions:
+ assume-test-secrets-ec2-role:
+ - command: ec2.assume_role
+ params:
+ role_arn: ${aws_test_secrets_role}
+
 fetch-source:
 # Executes clone and applies the submitted patch, if any
 - command: git.get_project
@@ -233,9 +238,13 @@ functions:
 display_name: "test_suite.tgz"
 
 bootstrap-mongohoused:
+ - command: ec2.assume_role
+ params:
+ role_arn: ${aws_test_secrets_role}
 - command: subprocess.exec
 params:
 binary: "bash"
+ add_expansions_to_env: true
 args:
 - ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/pull-mongohouse-image.sh
 - command: subprocess.exec
@@ -580,16 +589,6 @@ functions:
 MONGO_GO_DRIVER_COMPRESSOR=${MONGO_GO_DRIVER_COMPRESSOR} \
 make evg-test-load-balancers
 
- run-serverless-tests:
- - command: shell.exec
- type: test
- params:
- shell: "bash"
- working_dir: src/go.mongodb.org/mongo-driver
- script: |
- ${PREPARE_SHELL}
- bash etc/run-serverless-test.sh
-
 run-atlas-data-lake-test:
 - command: shell.exec
 type: test
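Review bot: `add_expansions_to_env: true` in the `bootstrap-mongohoused` hunk (-233) hands every Evergreen expansion of the task to the script as environment variables, not only the credentials produced by the new `ec2.assume_role` step. The same flag is added in the hunks at -1896, -1909, -1925, -1957, -2294, -2321, -2375 and -2399, and again at -2361 in patch 4/4. Evergreen's `include_expansions_in_env` takes an explicit list, so `include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]`, extended with whatever other names each script actually reads, would pass the role credentials while keeping unrelated project secrets out of the child process. This hunk also repeats the `ec2.assume_role` block inline where `- func: assume-test-secrets-ec2-role` from the hunk at -26 would do.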
@@ -1830,14 +1829,6 @@ tasks:
 AUTH: "noauth"
 SSL: "nossl"
 
- - name: "test-serverless"
- tags: ["serverless"]
- commands:
- - func: start-cse-servers
- - func: "run-serverless-tests"
- vars:
- MONGO_GO_DRIVER_COMPRESSOR: "snappy"
-
 - name: "testgcpkms-task"
 commands:
 - command: shell.exec
@@ -1896,10 +1887,12 @@ tasks:
 
 - name: "testawskms-task"
 commands:
+ - func: assume-test-secrets-ec2-role
 - command: shell.exec
 type: test
 params:
 shell: "bash"
+ add_expansions_to_env: true
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
@@ -1909,10 +1902,12 @@ tasks:
 # testawskms-fail-task runs without environment variables.
 # It is expected to fail to obtain credentials.
 commands:
+ - func: assume-test-secrets-ec2-role
 - command: shell.exec
 type: test
 params:
 shell: "bash"
+ add_expansions_to_env: true
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
@@ -1925,6 +1920,7 @@ tasks:
 type: test
 params:
 shell: "bash"
+ add_expansions_to_env: true
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
@@ -1957,10 +1953,12 @@ tasks:
 # testazurekms-fail-task runs without environment variables.
 # It is expected to fail to obtain credentials.
 commands:
+ - func: assume-test-secrets-ec2-role
 - command: shell.exec
 type: test
 params:
 shell: "bash"
+ add_expansions_to_env: true
 working_dir: src/go.mongodb.org/mongo-driver
 script: |
 ${PREPARE_SHELL}
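Review bot: The context comment `# testawskms-fail-task runs without environment variables.` in the hunk at -1909 is no longer true, because the task now assumes the test-secrets role and sets `add_expansions_to_env: true`; the same applies to the `testazurekms-fail-task` comment in the hunk at -1957. Whether these negative tests still fail for the intended reason now depends on the invoked script clearing the role credentials before the test binary runs, which these hunks do not show. I would reword the comment to something like `# testawskms-fail-task assumes the secrets role only to reach the vault; the test binary itself must run without KMS credentials.` and do the same for the Azure task. Both task bodies continue past the end of their hunks.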
@@ -2219,73 +2217,7 @@ axes:
 variables:
 GO_DIST: "/opt/golang/go1.22"
 
- - id: os-serverless
- display_name: OS
- values:
- - id: "rhel87"
- display_name: "RHEL 8.7"
- run_on: rhel8.7-small
- variables:
- GO_DIST: "/opt/golang/go1.22"
-
 task_groups:
- - name: serverless_task_group
- setup_group_can_fail_task: true
- setup_group_timeout_secs: 1800 # 30 minutes
- setup_group:
- - func: fetch-source
- - func: prepare-resources
- - func: fix-absolute-paths
- - func: make-files-executable
- - func: start-cse-servers
- - command: shell.exec
- params:
- shell: "bash"
- script: |
- ${PREPARE_SHELL}
- bash ${DRIVERS_TOOLS}/.evergreen/serverless/setup-secrets.sh ${VAULT_NAME}
- bash ${DRIVERS_TOOLS}/.evergreen/serverless/create-instance.sh
- - command: expansions.update
- params:
- file: serverless-expansion.yml
- - command: shell.exec
- params:
- shell: "bash"
- script: |
- ${PREPARE_SHELL}
-
- # Find the crypt_shared library file in the current directory and set the CRYPT_SHARED_LIB_PATH to
- # the path of that file. Only look for .so, .dll, or .dylib files to prevent matching any other
- # downloaded files.
- CRYPT_SHARED_LIB_PATH="$(find $(pwd) -maxdepth 1 -type f \
- -name 'mongo_crypt_v1.so' -o \
- -name 'mongo_crypt_v1.dll' -o \
- -name 'mongo_crypt_v1.dylib')"
-
- # If we're on Windows, convert the "cygdrive" path to Windows-style paths.
- if [ "Windows_NT" = "$OS" ]; then
- CRYPT_SHARED_LIB_PATH=$(cygpath -m $CRYPT_SHARED_LIB_PATH)
- fi
-
- echo "CRYPT_SHARED_LIB_PATH: $CRYPT_SHARED_LIB_PATH" >> crypt-expansion.yml
-
- # Load the expansion file to make an evergreen variable with the current unique version
- - command: expansions.update
- params:
- file: crypt-expansion.yml
-
- teardown_group:
- - command: shell.exec
- params:
- shell: "bash"
- script: |
- ${PREPARE_SHELL}
- bash ${DRIVERS_TOOLS}/.evergreen/serverless/delete-instance.sh ${VAULT_NAME}
- - func: handle-test-artifacts
- - func: cleanup
- tasks:
- - ".serverless"
-
 - name: testgcpkms_task_group
 setup_group_can_fail_task: true
 setup_group_timeout_secs: 1800 # 30 minutes
@@ -2294,9 +2226,11 @@ task_groups:
 - func: prepare-resources
 - func: fix-absolute-paths
 - func: make-files-executable
+ - func: assume-test-secrets-ec2-role
 - command: shell.exec
 params:
 shell: "bash"
+ add_expansions_to_env: true
 script: |
 ${PREPARE_SHELL}
 $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/setup.sh
@@ -2321,9 +2255,11 @@ task_groups:
 - func: prepare-resources
 - func: fix-absolute-paths
 - func: make-files-executable
+ - func: assume-test-secrets-ec2-role
 - command: shell.exec
 params:
 shell: "bash"
+ add_expansions_to_env: true
 script: |
 ${PREPARE_SHELL}
 export AZUREKMS_VMNAME_PREFIX="GODRIVER"
@@ -2375,9 +2311,11 @@ task_groups:
 - func: prepare-resources
 - func: fix-absolute-paths
 - func: make-files-executable
+ - func: assume-test-secrets-ec2-role
 - command: subprocess.exec
 params:
 binary: bash
+ add_expansions_to_env: true
 env:
 AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
 args:
@@ -2399,9 +2337,11 @@ task_groups:
 - func: prepare-resources
 - func: fix-absolute-paths
 - func: make-files-executable
+ - func: assume-test-secrets-ec2-role
 - command: subprocess.exec
 params:
 binary: bash
+ add_expansions_to_env: true
 env:
 AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
 args:
@@ -2706,13 +2646,6 @@ buildvariants:
 tasks:
 - name: ".load-balancer"
 
- - matrix_name: "serverless"
- tags: ["pullrequest"]
- matrix_spec: { os-serverless: "*" }
- display_name: "Serverless ${os-serverless}"
- tasks:
- - "serverless_task_group"
-
 - matrix_name: "kms-kmip-test"
 matrix_spec: { version: ["7.0"], os-ssl-40: ["rhel87-64"] }
 display_name: "KMS KMIP ${os-ssl-40}"
diff --git a/Makefile b/Makefile
index 1861030527..a3db27e0d1 100644
--- a/Makefile
+++ b/Makefile
@@ -170,30 +170,6 @@ evg-test-search-index: evg-test-ocsp: go test -v ./mongo -run TestOCSP $(OCSP_TLS_SHOULD_SUCCEED) >> test.suite -.PHONY: evg-test-serverless -evg-test-serverless: - # Serverless should be tested with all unified tests as well as tests in the following components: CRUD, load balancer, - # retryable reads, retryable writes, sessions, transactions and cursor behavior. - go test $(BUILD_TAGS) ./mongo/integration -run TestCrudSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestWriteErrorsWithLabels -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestWriteErrorsDetails -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestHintErrors -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestWriteConcernError -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestErrorsCodeNamePropagated -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestLoadBalancerSupport -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/retryable-reads -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableReadsProse -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableWritesSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestRetryableWritesProse -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/sessions -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestSessionsProse -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestUnifiedSpecs/transactions/legacy -v -timeout 
$(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestConvenientTransactions -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration -run TestCursor -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test $(BUILD_TAGS) ./mongo/integration/unified -run TestUnifiedSpec -v -timeout $(TEST_TIMEOUT)s >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionSpec >> test.suite - go test -exec "env PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) DYLD_LIBRARY_PATH=$(MACOS_LIBRARY_PATH)" $(BUILD_TAGS) -v -timeout $(TEST_TIMEOUT)s ./mongo/integration -run TestClientSideEncryptionProse >> test.suite - .PHONY: evg-test-versioned-api evg-test-versioned-api: # Versioned API related tests are in the mongo, integration and unified packages. diff --git a/etc/run-awskms-test.sh b/etc/run-awskms-test.sh index d3caef01c7..9130b97f5a 100644 --- a/etc/run-awskms-test.sh +++ b/etc/run-awskms-test.sh @@ -4,17 +4,19 @@ echo "Building build-kms-test ... begin" BUILD_TAGS="-tags=cse" \ - PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ - make build-kms-test + PKG_CONFIG_PATH=$PKG_CONFIG_PATH \ + make build-kms-test echo "Building build-kms-test ... end" . ${DRIVERS_TOOLS}/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect export MONGODB_URI="$ATLAS_FREE" if [ -z "${EXPECT_ERROR:-}" ]; then - . ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh - export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET_ACCESS_KEY - export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID + . ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh + export AWS_SECRET_ACCESS_KEY=$FLE_AWS_SECRET_ACCESS_KEY + export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID fi +unset AWS_SESSION_TOKEN + LD_LIBRARY_PATH=./install/libmongocrypt/lib64 PROVIDER='aws' ./testkms 
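Review bot: `unset AWS_SESSION_TOKEN` at the end of the run-awskms-test.sh hunk clears only one of the three variables that the assumed role places in the environment. When `EXPECT_ERROR` is set the `if` block is skipped, so `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the role presumably stay exported and `./testkms` runs with a temporary key pair that has no token. The fail task may then fail on a rejected key instead of on the missing credentials it is meant to check. I would add an `else` branch before the `fi` containing `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY`, so the negative path starts from an environment with no AWS credentials at all.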
From 71c6815fe8fd23781bb0a5e0ad4c8b78828f5450 Mon Sep 17 00:00:00 2001
From: Preston Vasquez
Date: Tue, 3 Jun 2025 16:01:06 -0600
Subject: [PATCH 3/4] GODRIVER-3560 Add comment to unsetting aws session token
---
 etc/run-awskms-test.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/run-awskms-test.sh b/etc/run-awskms-test.sh
index 9130b97f5a..f267325e8d 100644
--- a/etc/run-awskms-test.sh
+++ b/etc/run-awskms-test.sh
@@ -17,6 +17,8 @@ if [ -z "${EXPECT_ERROR:-}" ]; then
 export AWS_ACCESS_KEY_ID=$FLE_AWS_ACCESS_KEY_ID
 fi
 
+# AWS_SESSION_TOKEN is required to get credentials from the drivers/csfle vault
+# but interferes with the testkms binary causing UnrecognizedClientException.
 unset AWS_SESSION_TOKEN
 
 LD_LIBRARY_PATH=./install/libmongocrypt/lib64 PROVIDER='aws' ./testkms
From 75f9fd44a54f352f081a211981635b798e02bdeb Mon Sep 17 00:00:00 2001
From: Preston Vasquez
Date: Tue, 3 Jun 2025 16:35:57 -0600
Subject: [PATCH 4/4] GODRIVER-3560 Add roles to FaaS
---
 .evergreen/config.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 324bfcb264..e8ebae8bda 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -1983,10 +1983,6 @@ tasks:
 
 - name: "test-aws-lambda-deployed"
 commands:
- - command: ec2.assume_role
- params:
- role_arn: ${LAMBDA_AWS_ROLE_ARN}
- duration_seconds: 3600
 - command: shell.exec
 type: test
 params:
@@ -2361,10 +2357,12 @@ task_groups:
 setup_group:
 - func: fetch-source
 - func: prepare-resources
+ - func: assume-test-secrets-ec2-role
 - command: subprocess.exec
 params:
 working_dir: src/go.mongodb.org/mongo-driver
 binary: bash
+ add_expansions_to_env: true
 env:
 LAMBDA_STACK_NAME: dbx-go-lambda
 AWS_REGION: us-east-1
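Review bot: The `assume-test-secrets-ec2-role` call added to `setup_group` in the hunk at -2361 replaces a per-task `ec2.assume_role` that asked for `duration_seconds: 3600` (removed in the hunk at -1983), while the shared function defined in patch 2/4 sets only `role_arn`. The Lambda task therefore runs on the command's default credential lifetime, and the credentials must now outlive the setup group as well as the test itself. If that default is shorter than the deployment takes, the task would fail part-way with expired credentials; I would state the lifetime explicitly, e.g. `duration_seconds: 3600` under the function's `params:`. The role also changes from `${LAMBDA_AWS_ROLE_ARN}` to `${aws_test_secrets_role}`, so it is worth confirming that the shared role carries the Lambda permissions and nothing beyond what the secrets tasks need.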