PYTHON-3256 Obtain AWS credentials for CSFLE in the same way as for MONGODB-AWS (#1035)

2022-10-24 14:55:58 -05:00 · 2022-10-24 14:55:58 -05:00 · 3fc301cd22
commit 3fc301cd22
parent 228edd21f8
6 changed files with 45 additions and 6 deletions
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@ -147,6 +147,9 @@ if [ -n "$TEST_ENCRYPTION" ]; then
    python -c "import pymongocrypt; print('libmongocrypt version: '+pymongocrypt.libmongocrypt_version())"
    # PATH is updated by PREPARE_SHELL for access to mongocryptd.

+    # Need aws dependency for On-Demand KMS Credentials.
+    python -m pip install '.[aws]'
+
    # Get access to the AWS temporary credentials:
    # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
    . $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh
--- a/README.rst
+++ b/README.rst
@ -130,7 +130,8 @@ Wire protocol compression with zstandard requires `zstandard
  $ python -m pip install "pymongo[zstd]"

 Client-Side Field Level Encryption requires `pymongocrypt
-<https://pypi.org/project/pymongocrypt/>`_::
+<https://pypi.org/project/pymongocrypt/>`_ and
+`pymongo-auth-aws <https://pypi.org/project/pymongo-auth-aws/>`_::

  $ python -m pip install "pymongo[encryption]"

--- a/doc/examples/encryption.rst
+++ b/doc/examples/encryption.rst
@ -23,9 +23,10 @@ Dependencies

 To get started using client-side field level encryption in your project,
 you will need to install the
-`pymongocrypt <https://pypi.org/project/pymongocrypt/>`_ library
+`pymongocrypt <https://pypi.org/project/pymongocrypt/>`_ and
+`pymongo-auth-aws <https://pypi.org/project/pymongo-auth-aws/>`_ libraries
 as well as the driver itself. Install both the driver and a compatible
-version of pymongocrypt like this::
+version of the dependencies like this::

  $ python -m pip install 'pymongo[encryption]'

--- a/doc/installation.rst
+++ b/doc/installation.rst
@ -70,7 +70,8 @@ Wire protocol compression with zstandard requires `zstandard
  $ python3 -m pip install "pymongo[zstd]"

 :ref:`Client-Side Field Level Encryption` requires `pymongocrypt
-<https://pypi.org/project/pymongocrypt/>`_::
+<https://pypi.org/project/pymongocrypt/>`_ and
+`pymongo-auth-aws <https://pypi.org/project/pymongo-auth-aws/>`_::

  $ python3 -m pip install "pymongo[encryption]"

--- a/setup.py
+++ b/setup.py
@ -278,12 +278,14 @@ if sys.platform in ("win32", "darwin"):
    # https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_default_verify_paths
    pyopenssl_reqs.append("certifi")

+aws_reqs = ["pymongo-auth-aws<2.0.0"]
+
 extras_require = {
-    "encryption": ["pymongocrypt>=1.3.0,<2.0.0"],
+    "encryption": ["pymongocrypt>=1.3.0,<2.0.0"] + aws_reqs,
    "ocsp": pyopenssl_reqs,
    "snappy": ["python-snappy"],
    "zstd": ["zstandard"],
-    "aws": ["pymongo-auth-aws<2.0.0"],
+    "aws": aws_reqs,
    "srv": [],  # PYTHON-3423 Removed in 4.3 but kept here to avoid pip warnings.
    "tls": [],  # PYTHON-2133 Removed in 4.0 but kept here to avoid pip warnings.
 }
--- a/test/test_encryption.py
+++ b/test/test_encryption.py
@ -2304,6 +2304,37 @@ class TestRewrapWithSeparateClientEncryption(EncryptionIntegrationTest):
        self.assertEqual(decrypt_result2, "test")


+# https://github.com/mongodb/specifications/blob/5cf3ed/source/client-side-encryption/tests/README.rst#on-demand-aws-credentials
+class TestOnDemandAWSCredentials(EncryptionIntegrationTest):
+    def setUp(self):
+        super(TestOnDemandAWSCredentials, self).setUp()
+        self.master_key = {
+            "region": "us-east-1",
+            "key": ("arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"),
+        }
+
+    @unittest.skipIf(any(AWS_CREDS.values()), "AWS environment credentials are set")
+    def test_01_failure(self):
+        self.client_encryption = ClientEncryption(
+            kms_providers={"aws": {}},
+            key_vault_namespace="keyvault.datakeys",
+            key_vault_client=client_context.client,
+            codec_options=OPTS,
+        )
+        with self.assertRaises(EncryptionError):
+            self.client_encryption.create_data_key("aws", self.master_key)
+
+    @unittest.skipUnless(any(AWS_CREDS.values()), "AWS environment credentials are not set")
+    def test_02_success(self):
+        self.client_encryption = ClientEncryption(
+            kms_providers={"aws": {}},
+            key_vault_namespace="keyvault.datakeys",
+            key_vault_client=client_context.client,
+            codec_options=OPTS,
+        )
+        self.client_encryption.create_data_key("aws", self.master_key)
+
+
 class TestQueryableEncryptionDocsExample(EncryptionIntegrationTest):
    # Queryable Encryption is not supported on Standalone topology.
    @client_context.require_no_standalone