chore(ci): add FIPS e2e and smoke tests MONGOSH-1222 (#1298)

Author: addaleax

.evergreen.yml

@@ -798,8 +798,9 @@ tasks:
   ###
   <% for (const { executableOsId, compileBuildVariant } of EXECUTABLE_PKG_INFO) {
     for (const mVersion of ['stable', 'unstable']) {
+      for (const fipsVariant of ['fips', 'nofips']) {
     %>
-  - name: e2e_tests_<% out(executableOsId.replace(/-/g, '_')) %><% out(mVersion === 'stable' ? '' : '_unstable') %>
+  - name: e2e_tests_<% out(executableOsId.replace(/-/g, '_')) %><% out(mVersion === 'stable' ? '' : '_unstable') %><% out(fipsVariant === 'fips' ? '_fips' : '') %>
     tags: ["e2e-test"]
     depends_on:
       - name: compile_artifact
@@ -817,7 +818,8 @@ tasks:
         vars:
           node_js_version: "<% out(NODE_JS_VERSION_16) %>"
           mongosh_server_test_version: "<% out(mVersion) %>"
-  <% } } %>
+          mongosh_test_e2e_force_fips: "<% out(fipsVariant === 'fips' ? '1' : '') %>"
+  <% } } } %>
 
   ###
   # PACKAGING
@@ -1084,6 +1086,7 @@ buildvariants:
     tasks:
       - name: e2e_tests_linux_x64
       - name: e2e_tests_linux_x64_openssl11
+      - name: e2e_tests_linux_x64_openssl11_fips
   - name: e2e_ubuntu1804_x64
     display_name: "Ubuntu 18.04 x64 (E2E Tests)"
     run_on: ubuntu1804-small

.evergreen/evergreen.yml.in

@@ -1,9 +1,10 @@
-/* eslint-disable no-console */
+/* eslint-disable no-console, @typescript-eslint/no-non-null-assertion, chai-friendly/no-unused-expressions */
 import { spawn } from 'child_process';
 import assert from 'assert';
 import { once } from 'events';
 import { redactURICredentials } from '@mongosh/history';
 import fleSmokeTestScript from './smoke-tests-fle';
+import { buildInfo } from './build-info';
 
 /**
  * Run smoke tests on an executable, e.g.
@@ -20,11 +21,23 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
     assert(!!smokeTestServer, 'Make sure MONGOSH_SMOKE_TEST_SERVER is set in CI');
   }
 
-  for (const { input, output, testArgs } of [{
+  const skipFipsWithOpenSSL3 = process.env.MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3 && buildInfo().opensslVersion.startsWith('3.');
+  const expectFipsSupport = !!process.env.MONGOSH_SMOKE_TEST_OS_HAS_FIPS_SUPPORT && buildInfo().sharedOpenssl;
+  console.log('FIPS support required to pass?', { skipFipsWithOpenSSL3, expectFipsSupport });
+
+  for (const { input, output, testArgs, includeStderr } of [{
     input: 'print("He" + "llo" + " Wor" + "ld!")',
     output: /Hello World!/,
+    includeStderr: false,
     testArgs: ['--nodb'],
-  }].concat(smokeTestServer ? [{
+  }].concat(skipFipsWithOpenSSL3 ? [] : [{
+    input: 'crypto.createHash("md5").update("hello").digest("hex")',
+    output: expectFipsSupport ?
+      /disabled for FIPS/i :
+      /disabled for FIPS|Could not enable FIPS mode/i,
+    includeStderr: true,
+    testArgs: ['--tlsFIPSMode', '--nodb']
+  }]).concat(smokeTestServer ? [{
     input: `
       const dbname = "testdb_simplesmoke" + new Date().getTime();
       use(dbname);
@@ -34,13 +47,15 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
       }
       db.dropDatabase();`,
     output: /Test succeeded/,
+    includeStderr: false,
     testArgs: [smokeTestServer as string]
   }, {
     input: fleSmokeTestScript,
     output: /Test succeeded|Test skipped/,
+    includeStderr: false,
     testArgs: [smokeTestServer as string]
   }] : [])) {
-    await runSmokeTest(executable, [...args, ...testArgs], input, output);
+    await runSmokeTest(executable, [...args, ...testArgs], input, output, includeStderr);
   }
   console.log('all tests passed');
 }
@@ -53,16 +68,18 @@ export async function runSmokeTests(smokeTestServer: string | undefined, executa
  * @param input stdin contents of the executable
  * @param output Expected contents of stdout
  */
-async function runSmokeTest(executable: string, args: string[], input: string, output: RegExp): Promise<void> {
+async function runSmokeTest(executable: string, args: string[], input: string, output: RegExp, includeStderr?: boolean): Promise<void> {
   const proc = spawn(executable, [...args], {
-    stdio: ['pipe', 'pipe', 'inherit']
+    stdio: ['pipe', 'pipe', includeStderr ? 'pipe' : 'inherit']
   });
   let stdout = '';
-  proc.stdout.setEncoding('utf8').on('data', (chunk) => { stdout += chunk; });
-  proc.stdin.end(input);
-  await once(proc.stdout, 'end');
+  let stderr = '';
+  proc.stdout!.setEncoding('utf8').on('data', (chunk) => { stdout += chunk; });
+  proc.stderr?.setEncoding('utf8').on('data', (chunk) => { stderr += chunk; });
+  proc.stdin!.end(input);
+  await once(proc.stdout!, 'end');
   try {
-    assert.match(stdout, output);
+    assert.match(includeStderr ? `${stdout}\n${stderr}` : stdout, output);
     console.error({ status: 'success', input, output, stdout, executable, args: args.map(arg => redactURICredentials(arg)) });
   } catch (err: any) {
     console.error({ status: 'failure', input, output, stdout, executable, args: args.map(arg => redactURICredentials(arg)) });

packages/cli-repl/src/smoke-tests.ts

@@ -111,9 +111,6 @@ describe('Auth e2e', function() {
 
     describe('user management', () => {
       describe('createUser', () => {
-        afterEach(async() => {
-          await assertUserAuth();
-        });
         it('all arguments', async() => {
           await shell.executeLine(`use ${dbName}`);
           expect(await shell.executeLine(
@@ -125,6 +122,7 @@ describe('Auth e2e', function() {
             mechanisms: ['SCRAM-SHA-256']
           });
           shell.assertNoErrors();
+          await assertUserAuth();
         });
         it('default arguments', async() => {
           await shell.executeLine(`use ${dbName}`);
@@ -136,8 +134,12 @@ describe('Auth e2e', function() {
             mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']
           });
           shell.assertNoErrors();
+          await assertUserAuth();
         });
-        it('digestPassword', async() => {
+        it('digestPassword', async function() {
+          if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
+            return this.skip(); // No SCRAM-SHA-1 in FIPS mode
+          }
           await shell.executeLine(`use ${dbName}`);
           expect(await shell.executeLine(
             'db.createUser({ user: "anna", pwd: "pwd", roles: [], mechanisms: ["SCRAM-SHA-1"], passwordDigestor: "client"})'
@@ -147,6 +149,7 @@ describe('Auth e2e', function() {
             mechanisms: ['SCRAM-SHA-1']
           });
           shell.assertNoErrors();
+          await assertUserAuth();
         });
       });
       describe('updateUser', () => {
@@ -190,7 +193,10 @@ describe('Auth e2e', function() {
           });
           shell.assertNoErrors();
         });
-        it('digestPassword', async() => {
+        it('digestPassword', async function() {
+          if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
+            return this.skip(); // No SCRAM-SHA-1 in FIPS mode
+          }
           await shell.executeLine(`use ${dbName}`);
           expect(await shell.executeLine(
             'db.updateUser("anna", { pwd: "pwd3", passwordDigestor: "client", mechanisms: ["SCRAM-SHA-1"]})'
@@ -825,7 +831,10 @@ describe('Auth e2e', function() {
       shell.assertNoErrors();
     });
     context('with specific auth mechanisms', () => {
-      it('can auth with SCRAM-SHA-1', async() => {
+      it('can auth with SCRAM-SHA-1', async function() {
+        if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
+          return this.skip(); // No SCRAM-SHA-1 in FIPS mode
+        }
         const connectionString = await testServer.connectionString();
         shell = TestShell.start({ args: [
           connectionString,

packages/cli-repl/test/e2e-auth.spec.ts

@@ -424,7 +424,10 @@ describe('e2e TLS', () => {
         shell.assertContainsOutput('MongoServerSelectionError');
       });
 
-      it('works with valid cert (with tlsCertificateSelector)', async() => {
+      it('works with valid cert (with tlsCertificateSelector)', async function() {
+        if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
+          return this.skip(); // No tlsCertificateSelector support in FIPS mode
+        }
         const fakeOsCaModule = path.resolve(tmpdir.path, 'fake-ca.js');
         await fs.writeFile(fakeOsCaModule, `
         const fs = require('fs');

packages/cli-repl/test/e2e-tls.spec.ts

@@ -35,8 +35,13 @@ export class TestShell {
       env = { ...env, MONGOSH_FORCE_TERMINAL: '1' };
     }
 
+    const args = [...options.args];
+    if (process.env.MONGOSH_TEST_E2E_FORCE_FIPS) {
+      args.push('--tlsFIPSMode');
+    }
+
     if (process.env.MONGOSH_TEST_EXECUTABLE_PATH) {
-      shellProcess = spawn(process.env.MONGOSH_TEST_EXECUTABLE_PATH, [...options.args], {
+      shellProcess = spawn(process.env.MONGOSH_TEST_EXECUTABLE_PATH, args, {
         stdio: [ 'pipe', 'pipe', 'pipe' ],
         env: env,
         cwd: options.cwd
@@ -52,7 +57,7 @@ export class TestShell {
         env = { ...env, CLEAR_SIGINT_LISTENERS: '1' };
       }
 
-      shellProcess = spawn('node', [path.resolve(__dirname, '..', 'bin', 'mongosh.js'), ...options.args], {
+      shellProcess = spawn('node', [path.resolve(__dirname, '..', 'bin', 'mongosh.js'), ...args], {
         stdio: [ 'pipe', 'pipe', 'pipe' ],
         env: env,
         cwd: options.cwd

packages/cli-repl/test/test-shell.ts

@@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
 ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
 RUN yum repolist
 RUN yum install -y /tmp/*mongosh*.rpm
-RUN /usr/bin/mongosh --version
+RUN /usr/bin/mongosh --build-info
 RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
 ENTRYPOINT [ "mongosh" ]

scripts/docker/amazonlinux1-rpm.Dockerfile

@@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
 ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
 RUN yum repolist
 RUN yum install -y /tmp/*mongosh*.rpm
-RUN /usr/bin/mongosh --version
+RUN /usr/bin/mongosh --build-info
 RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
 ENTRYPOINT [ "mongosh" ]

scripts/docker/amazonlinux2-rpm.Dockerfile

@@ -8,6 +8,6 @@ RUN yum repolist
 RUN yum install -y epel-release
 RUN yum repolist
 RUN yum install -y /tmp/*mongosh*.rpm
-RUN /usr/bin/mongosh --version
+RUN /usr/bin/mongosh --build-info
 RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
 ENTRYPOINT [ "mongosh" ]

scripts/docker/centos7-epel-rpm.Dockerfile

@@ -5,6 +5,6 @@ ADD ${artifact_url} /tmp
 ADD node_modules /usr/share/mongodb-crypt-library-version/node_modules
 RUN yum repolist
 RUN yum install -y /tmp/*mongosh*.rpm
-RUN /usr/bin/mongosh --version
+RUN /usr/bin/mongosh --build-info
 RUN env MONGOSH_RUN_NODE_SCRIPT=1 mongosh /usr/share/mongodb-crypt-library-version/node_modules/.bin/mongodb-crypt-library-version /usr/lib64/mongosh_crypt_v1.so | grep -Eq '^mongo_(crypt|csfle)_v1-'
 ENTRYPOINT [ "mongosh" ]