PYTHON-4187 Ensure secrets are not logged in Evergreen (#1503)

2024-02-05 12:35:05 -06:00 · 2024-02-05 12:35:05 -06:00 · f052b7e82e
commit f052b7e82e
parent ead6586178
2 changed files with 18 additions and 20 deletions
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@ -369,7 +369,7 @@ functions:
      params:
        working_dir: "src"
        shell: bash
-        include_expansions_in_env: ["test_encryption", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+        include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
        script: |
          ${PREPARE_SHELL}
          if [ -n "${test_encryption}" ]; then
@ -380,6 +380,7 @@ functions:
      params:
        working_dir: "src"
        shell: bash
+        include_expansions_in_env: ["DRIVERS_ATLAS_LAMBDA_USER", "DRIVERS_ATLAS_LAMBDA_PASSWORD"]
        script: |
          # Disable xtrace
          set +x
@ -415,8 +416,6 @@ functions:
          fi
          if [ -n "${test_serverless}" ]; then
            export TEST_SERVERLESS=1
-            export SERVERLESS_ATLAS_USER="${SERVERLESS_ATLAS_USER}"
-            export SERVERLESS_ATLAS_PASSWORD="${SERVERLESS_ATLAS_PASSWORD}"
            export MONGODB_URI="${SERVERLESS_URI}"
            export SINGLE_MONGOS_LB_URI="${MONGODB_URI}"
            export MULTI_MONGOS_LB_URI="${MONGODB_URI}"
@ -424,8 +423,6 @@ functions:
          if [ -n "${TEST_INDEX_MANAGEMENT}" ]; then
            export TEST_INDEX_MANAGEMENT=1
            export MONGODB_URI="${TEST_INDEX_URI}"
-            export DB_USER="${DRIVERS_ATLAS_LAMBDA_USER}"
-            export DB_PASSWORD="${DRIVERS_ATLAS_LAMBDA_PASSWORD}"
          fi

          GREEN_FRAMEWORK=${GREEN_FRAMEWORK} \
@ -447,15 +444,12 @@ functions:
      type: test
      params:
        working_dir: "src"
+        include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
        script: |
          # Disable xtrace for security reasons (just in case it was accidentally set).
          set +x

-          DRIVERS_TOOLS="${DRIVERS_TOOLS}" \
-            AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-            AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-            AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN}" \
-            bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/enterprise_auth
+          bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/enterprise_auth

          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
            PYTHON_BINARY="${PYTHON_BINARY}" \
@ -470,19 +464,13 @@ functions:
    - command: shell.exec
      type: test
      params:
-        include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+        include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
        working_dir: "src"
        script: |
          # Disable xtrace for security reasons (just in case it was accidentally set).
          set +x
          set -o errexit
-
-          DRIVERS_TOOLS="${DRIVERS_TOOLS}" \
-            AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \
-            AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \
-            AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN}" \
-            bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/atlas_connect
-
+          bash ${PROJECT_DIRECTORY}/.evergreen/tox.sh -m aws-secrets -- drivers/atlas_connect
          PROJECT_DIRECTORY="${PROJECT_DIRECTORY}" \
            PYTHON_BINARY="${PYTHON_BINARY}" \
            TEST_ATLAS=1 \
@ -913,15 +901,18 @@ task_groups:
      - command: shell.exec
        params:
          shell: "bash"
+          working_dir: src
          script: |
            ${PREPARE_SHELL}
            bash ${DRIVERS_TOOLS}/.evergreen/serverless/setup-secrets.sh ${VAULT_NAME}
+            cp ${DRIVERS_TOOLS}/.evergreen/serverless/secrets-export.sh .
            bash ${DRIVERS_TOOLS}/.evergreen/serverless/create-instance.sh
      - command: expansions.update
        params:
-          file: serverless-expansion.yml
+          file: src/serverless-expansion.yml
    teardown_task:
      - command: shell.exec
+        working_dir: src
        params:
          script: |
            ${PREPARE_SHELL}
--- a/.evergreen/run-tests.sh
+++ b/.evergreen/run-tests.sh
@ -25,8 +25,9 @@ set -o xtrace
 #  TEST_AUTH_OIDC       If non-empty, test OIDC Auth Mechanism
 #  TEST_PERF            If non-empty, run performance tests
 #  TEST_OCSP            If non-empty, run OCSP tests
+#  TEST_ATLAS           If non-empty, test Atlas connections
+#  TEST_INDEX_MANAGEMENT        If non-empty, run index management tests
 #  TEST_ENCRYPTION_PYOPENSSL    If non-empy, test encryption with PyOpenSSL
-#  TEST_ATLAS   If non-empty, test Atlas connections

 AUTH=${AUTH:-noauth}
 SSL=${SSL:-nossl}
@ -38,7 +39,10 @@ python -c "import sys; sys.exit(sys.prefix == sys.base_prefix)" || (echo "Not in

 # Try to source exported AWS Secrets
 if [ -f ./secrets-export.sh ]; then
+  echo "Sourcing secrets"
  source ./secrets-export.sh
+else
+  echo "Not sourcing secrets"
 fi

 if [ "$AUTH" != "noauth" ]; then
@ -57,6 +61,7 @@ if [ "$AUTH" != "noauth" ]; then
        export DB_USER="bob"
        export DB_PASSWORD="pwd123"
    fi
+    echo "Added auth, DB_USER: $DB_USER"
    set -x
 fi

@ -183,6 +188,8 @@ if [ -n "$TEST_FLE_AZURE_AUTO" ] || [ -n "$TEST_FLE_GCP_AUTO" ]; then
 fi

 if [ -n "$TEST_INDEX_MANAGEMENT" ]; then
+    export DB_USER="${DRIVERS_ATLAS_LAMBDA_USER}"
+    export DB_PASSWORD="${DRIVERS_ATLAS_LAMBDA_PASSWORD}"
    TEST_ARGS="test/test_index_management.py"
 fi