mongodb-labs · blink1073 · Mar 10, 2025 · Mar 7, 2025 · Mar 8, 2025 · Mar 8, 2025
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -559,6 +559,13 @@ functions:
         binary: bash
         args: [src/.evergreen/tests/test-cli.sh]
 
+  "run ocsp test":
+    - command: subprocess.exec
+      type: test
+      params:
+        binary: bash
+        args: [src/.evergreen/tests/test-ocsp.sh]
+
   "teardown assets":
     - command: subprocess.exec
       params:
@@ -1035,6 +1042,10 @@ tasks:
       commands:
         - func: "run cli test full"
 
+    - name: "test-ocsp"
+      commands:
+        - func: "run ocsp test"
+
     - name: "test-cli-partial"
       tags: ["pr"]
       commands:
@@ -1485,6 +1496,7 @@ buildvariants:
           - "test-install-binaries"
           - "test-csfle"
           - "test-cli-full"
+          - "test-ocsp"
           - "test-8.0-standalone-require-api"
 
 - matrix_name: "tests-os-requires-50"

diff --git a/.evergreen/ocsp/mock-ocsp-responder-requirements.txt b/.evergreen/ocsp/mock-ocsp-responder-requirements.txt
@@ -4,5 +4,6 @@ flask==2.2.5
 itsdangerous==2.1.2
 Jinja2==3.1.5
 MarkupSafe==2.1.4
-git+https://github.com/wbond/oscrypto.git@d5f3437
+oscrypto==1.3.0
+waitress==3.0.2
 Werkzeug==3.0.6
diff --git a/.evergreen/ocsp/ocsp_mock.py b/.evergreen/ocsp/ocsp_mock.py
@@ -11,6 +11,7 @@
 sys.path.append(os.path.join(os.getcwd(), "src", "third_party", "mock_ocsp_responder"))
 
 import mock_ocsp_responder
+from waitress import serve
 
 
 def main():
@@ -22,7 +23,7 @@ def main():
     )
 
     parser.add_argument(
-        "-b", "--bind_ip", type=str, default=None, help="IP to listen on"
+        "-b", "--bind_ip", type=str, default="127.0.0.1", help="IP to listen on"
     )
 
     parser.add_argument(
@@ -76,13 +77,7 @@ def main():
         next_update_seconds=args.next_update_seconds,
     )
 
-    mock_ocsp_responder.init(port=args.port, debug=args.verbose, host=args.bind_ip)
-
-    # Write the pid file.
-    with open(os.path.join(os.getcwd(), "ocsp.pid"), "w") as fid:
-        fid.write(str(os.getpid()))
-
-    print("Mock OCSP Responder is running on port %s" % (str(args.port)))
+    serve(mock_ocsp_responder.app, host=args.bind_ip, port=args.port)
 
 
 if __name__ == "__main__":

diff --git a/.evergreen/ocsp/setup.sh b/.evergreen/ocsp/setup.sh
@@ -18,8 +18,12 @@ for VARNAME in "${VARLIST[@]}"; do
   [[ -z "${!VARNAME:-}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
 done
 
+bash teardown.sh
+
 . ./activate-ocspvenv.sh
 
+echo "Starting OCSP server ${OCSP_ALGORITHM}-${SERVER_TYPE}..."
+
 CA_FILE="${OCSP_ALGORITHM}/ca.pem"
 ARGS="-p 8100 -v"
 
@@ -48,8 +52,22 @@ case $SERVER_TYPE in
     ;;
 esac
 
-python ocsp_mock.py \
+COMMAND="python -u"
+if [ "$(uname -s)" != "Darwin" ]; then
+  # On linux and windows host, we need to use nohup to daemonize the process
+  # and prevent the task from hanging.
+  # The macos hosts do not support nohup.
+  COMMAND="nohup $COMMAND"
+fi
+
+$COMMAND ocsp_mock.py \
   --ca_file $CA_FILE \
   --ocsp_responder_cert $CERT \
   --ocsp_responder_key $KEY \
-  $ARGS
+  $ARGS > ocsp_mock_server.log 2>&1 &
+echo "$!" > ocsp.pid
+
+sleep 1
+cat ocsp_mock_server.log
+
+echo "Starting OCSP server ${OCSP_ALGORITHM}-${SERVER_TYPE}... done."
diff --git a/.evergreen/ocsp/teardown.sh b/.evergreen/ocsp/teardown.sh
@@ -7,7 +7,9 @@ SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]})
 . $SCRIPT_DIR/../handle-paths.sh
 pushd $SCRIPT_DIR
 if [ -f "ocsp.pid" ]; then
-  < ocsp.pid xargs kill -9 || true
+  echo "Killing ocsp server..."
+  < ocsp.pid xargs kill -15 || true
   rm ocsp.pid
+  echo "Killing ocsp server...done."
 fi
 popd
diff --git a/.evergreen/tests/test-ocsp.sh b/.evergreen/tests/test-ocsp.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Test aws setup function for different inputs.
+set -eu
+
+SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]})
+. $SCRIPT_DIR/../handle-paths.sh
+
+if [[ $(uname -s) = "Linux" ]]; then
+  ORCHESTRATION_FILE="ecdsa-basic-tls-ocsp-mustStaple.json"
+  OCSP_ALGORITHM="ecdsa"
+  SERVER_TYPE="valid-delegate"
+else
+  ORCHESTRATION_FILE="rsa-basic-tls-ocsp-disableStapling.json"
+  OCSP_ALGORITHM="rsa"
+  SERVER_TYPE="valid"
+fi
+
+export ORCHESTRATION_FILE
+export OCSP_ALGORITHM
+export SERVER_TYPE
+
+# # Start a MongoDB server with ocsp enabled.
+SSL="ssl" make -C ${DRIVERS_TOOLS} run-server
+
+pushd $SCRIPT_DIR/../ocsp
+
+# # Start the ocsp server.
+bash ./setup.sh
+
+# Connect to the MongoDB server.
+echo "Connecting to server..."
+TLS_OPTS=("--tls --tlsCertificateKeyFile \"${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/server.pem\"")
+TLS_OPTS+=("--tlsCAFile \"${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem\"")
+URI="mongodb://localhost/?serverSelectionTimeoutMS=10000"
+# shellcheck disable=SC2068
+$MONGODB_BINARIES/mongosh $URI ${TLS_OPTS[@]} --eval "db.runCommand({\"ping\":1})"
+echo "Connecting to server... done."
+
+bash ./teardown.sh
+
+popd
+
+make -C ${DRIVERS_TOOLS} stop-server
+make -C ${DRIVERS_TOOLS} test