MOTOR-1246 Get CSFLE Secrets from the Vault (#257)

* use csfle scripts

* fix expansion

* fix invocation

* fix server start
Steven Silvester 2024-02-05 15:20:31 -06:00 committed by GitHub
parent ba756ca62c
commit bdf8a31f55
2 changed files with 21 additions and 56 deletions


@ -334,73 +334,35 @@ functions:
bash ${DRIVERS_TOOLS}/.evergreen/stop-orchestration.sh
"run tox":
# If testing FLE, start the KMS mock servers, first create the virtualenv.
- command: shell.exec
- command: ec2.assume_role
params:
script: |
${PREPARE_SHELL}
cd ${DRIVERS_TOOLS}/.evergreen/csfle
. ./activate-kmstlsvenv.sh
# Run in the background so the mock servers don't block the EVG task.
- command: shell.exec
role_arn: ${aws_test_secrets_role}
- command: subprocess.exec
params:
working_dir: "src"
binary: bash
include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
args:
- ${DRIVERS_TOOLS}/.evergreen/csfle/setup_secrets.sh
- command: subprocess.exec
params:
working_dir: "src"
binary: bash
background: true
script: |
${PREPARE_SHELL}
cd ${DRIVERS_TOOLS}/.evergreen/csfle
. ./activate-kmstlsvenv.sh
# The -u options forces the stdout and stderr streams to be unbuffered.
# TMPDIR is required to avoid "AF_UNIX path too long" errors.
TMPDIR="$(dirname $DRIVERS_TOOLS)" python -u kms_kmip_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 5698 &
python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 &
python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 &
python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 8002 --require_client_cert &
# Wait up to 10 seconds for the KMIP server to start.
- command: shell.exec
args:
- ${DRIVERS_TOOLS}/.evergreen/csfle/start_servers.sh
- command: subprocess.exec
params:
script: |
${PREPARE_SHELL}
cd ${DRIVERS_TOOLS}/.evergreen/csfle
. ./activate-kmstlsvenv.sh
for i in $(seq 1 1 10); do
sleep 1
if python -u kms_kmip_client.py; then
echo 'KMS KMIP server started!'
exit 0
fi
done
echo 'Failed to start KMIP server!'
exit 1
- command: shell.exec
type: test
params:
silent: true
working_dir: "src"
script: |
cat <<EOT > fle_creds.sh
export FLE_AWS_KEY="${fle_aws_key}"
export FLE_AWS_SECRET="${fle_aws_secret}"
export FLE_AZURE_CLIENTID="${fle_azure_clientid}"
export FLE_AZURE_TENANTID="${fle_azure_tenantid}"
export FLE_AZURE_CLIENTSECRET="${fle_azure_clientsecret}"
export FLE_GCP_EMAIL="${fle_gcp_email}"
export FLE_GCP_PRIVATEKEY="${fle_gcp_privatekey}"
# Needed for generating temporary aws credentials.
export AWS_ACCESS_KEY_ID="${fle_aws_key}"
export AWS_SECRET_ACCESS_KEY="${fle_aws_secret}"
export AWS_DEFAULT_REGION=us-east-1
EOT
binary: bash
args:
- ${DRIVERS_TOOLS}/.evergreen/csfle/await_servers.sh
- command: shell.exec
type: test
params:
working_dir: "src"
script: |
${PREPARE_SHELL}
# Disable xtrace (just in case it was accidentally set).
set +x
. ./fle_creds.sh
rm -f ./fle_creds.sh
set -x
LIBMONGOCRYPT_URL="${libmongocrypt_url}" \
TEST_ENCRYPTION=1 \
PYTHON_BINARY="${PYTHON_BINARY}" \


@ -31,6 +31,9 @@ if [ "$SSL" != "nossl" ]; then
export CA_PEM="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem"
fi
if [ -f secrets-export.sh ]; then
source secrets-export.sh
fi
# Usage:
# createvirtualenv /path/to/python /output/path/for/venv
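Review bot: The added `source secrets-export.sh` names the file without a slash, so bash (with the default `sourcepath` option) looks it up on `PATH` before falling back to the current directory, while the guard on the previous line, `[ -f secrets-export.sh ]`, tests only the current directory; `source ./secrets-export.sh` makes the guard and the source refer to the same file. The step this replaces in the other file's hunk wrapped the equivalent `. ./fle_creds.sh` in `set +x` / `set -x` so that the exported credentials were not echoed by xtrace; if tracing is enabled when this script reaches the new lines (what `${PREPARE_SHELL}` sets is not visible here), each secret in secrets-export.sh will be written to the task log. Restoring that pattern, `set +x; source ./secrets-export.sh; set -x`, inside the `if` keeps the secrets out of the log. The enclosing script continues outside the hunk, so whether xtrace is active at this point is inferred rather than shown.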