PYTHON-3644 Test encryption KMS connections with stdlib ssl, not just pyopenssl (#1178)

Steven Silvester 2023-04-03 17:13:23 -05:00 committed by GitHub
parent 9bc7093355
commit 148f7877cf
3 changed files with 54 additions and 15 deletions


@ -457,6 +457,9 @@ functions:
rm -f ./fle_creds.sh
export LIBMONGOCRYPT_URL="${libmongocrypt_url}"
export TEST_ENCRYPTION=1
if [ -n "${test_encryption_pyopenssl}" ]; then
export TEST_ENCRYPTION_PYOPENSSL=1
fi
fi
if [ -n "${test_crypt_shared}" ]; then
export TEST_CRYPT_SHARED=1
@ -2507,6 +2510,13 @@ axes:
variables:
test_encryption: true
batchtime: 10080 # 7 days
- id: "encryption_pyopenssl"
display_name: "Encryption PyOpenSSL"
tags: ["encryption_tag"]
variables:
test_encryption: true
test_encryption_pyopenssl: true
batchtime: 10080 # 7 days
# The path to crypt_shared is stored in the $CRYPT_SHARED_LIB_PATH expansion.
- id: "encryption_crypt_shared"
display_name: "Encryption shared lib"
@ -2637,14 +2647,22 @@ buildvariants:
ssl: "nossl"
encryption: "*"
display_name: "${encryption} ${platform} ${auth} ${ssl}"
tasks: &encryption-server-versions
- ".rapid"
- ".latest"
- ".6.0"
- ".5.0"
- ".4.4"
- ".4.2"
- ".4.0"
tasks: "test-latest-replica_set"
rules:
- if:
encryption: ["encryption", "encryption_crypt_shared"]
platform: macos-1100
auth: "auth"
ssl: "nossl"
then:
add_tasks: &encryption-server-versions
- ".rapid"
- ".latest"
- ".6.0"
- ".5.0"
- ".4.4"
- ".4.2"
- ".4.0"
# Test one server version with zSeries, POWER8, and ARM.
- matrix_name: "test-different-cpu-architectures"
@ -2726,8 +2744,15 @@ buildvariants:
# coverage: "*"
encryption: "*"
display_name: "${encryption} ${python-version} ${platform} ${auth-ssl}"
tasks: *encryption-server-versions
tasks: "test-latest-replica_set"
rules:
- if:
encryption: ["encryption", "encryption_crypt_shared"]
platform: ubuntu-18.04
auth-ssl: noauth-nossl
python-version: "*"
then:
add_tasks: *encryption-server-versions
- matrix_name: "tests-python-version-ubuntu18-without-c-extensions"
matrix_spec:
@ -2837,7 +2862,15 @@ buildvariants:
auth-ssl: "*"
encryption: "*"
display_name: "${encryption} ${platform} ${python-version-windows} ${auth-ssl}"
tasks: *encryption-server-versions
tasks: "test-latest-replica_set"
rules:
- if:
encryption: ["encryption", "encryption_crypt_shared"]
platform: windows-64-vsMulti-small
python-version-windows: "*"
auth-ssl: "*"
then:
add_tasks: *encryption-server-versions
# Storage engine tests on Ubuntu 18.04 (x86_64) with Python 3.7.
- matrix_name: "tests-storage-engines"
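Review bot: The `if:` selectors in each of the three new `rules:` blocks (the ones that end with `platform: macos-1100`, `platform: ubuntu-18.04` and `platform: windows-64-vsMulti-small`) duplicate the platform/auth/ssl values of the matrix_spec a few lines above, and nothing ties the two together; if either side is edited alone the rule just stops matching and the full `add_tasks: *encryption-server-versions` run silently collapses to `test-latest-replica_set` with no error from Evergreen. A comment above each rule would make that coupling visible, e.g. `# Keep these selectors in sync with matrix_spec above; a non-matching rule silently drops the full server-version run.` The new `encryption_pyopenssl` axis is deliberately left out of those rules and so only runs the latest replica set, which is presumably the intent of the commit title; a one-line comment on the axis stating that would stop the next reader from treating it as an omission. Each of the affected matrix entries starts before its hunk.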


@ -151,8 +151,11 @@ fi
if [ -n "$TEST_ENCRYPTION" ]; then
# Need aws dependency for On-Demand KMS Credentials.
# Need OSCP dependency to verify OCSP TSL args.
python -m pip install '.[aws,ocsp]'
if [ -n "$TEST_ENCRYPTION_PYOPENSSL" ]; then
python -m pip install '.[aws,ocsp]'
else
python -m pip install '.[aws]'
fi
# Get access to the AWS temporary credentials:
# CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
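Review bot: The comment `# Need OSCP dependency to verify OCSP TSL args.` now sits above a branch that installs the `ocsp` extra only when `TEST_ENCRYPTION_PYOPENSSL` is set, so it no longer describes the `.[aws]` path, where the KMS TLS options are presumably exercised without any OCSP verification (the test in this commit skips when the context has no `check_ocsp_endpoint`). I would move the comment into the `if` branch and state the split, e.g. `# The ocsp extra pulls in PyOpenSSL and is only exercised when TEST_ENCRYPTION_PYOPENSSL is set; the stdlib ssl run intentionally omits it.`, which also fixes the OSCP/TSL typos. The enclosing `if [ -n "$TEST_ENCRYPTION" ]` block continues past the end of the hunk.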


@ -2159,8 +2159,11 @@ class TestKmsTLSOptions(EncryptionIntegrationTest):
encryption = ClientEncryption(
providers, "keyvault.datakeys", self.client, OPTS, kms_tls_options=options
)
self.assertFalse(encryption._io_callbacks.opts._kms_ssl_contexts["aws"].check_ocsp_endpoint)
encryption.close()
self.addCleanup(encryption.close)
ctx = encryption._io_callbacks.opts._kms_ssl_contexts["aws"]
if not hasattr(ctx, "check_ocsp_endpoint"):
raise self.skipTest("OCSP not enabled") # type:ignore
self.assertFalse(ctx.check_ocsp_endpoint)
# https://github.com/mongodb/specifications/blob/50e26fe/source/client-side-encryption/tests/README.rst#unique-index-on-keyaltnames