CDRIVER-3927 add KMS TLS tests for client side encryption (#879)

* Support detailed certificate verify failure errors with OpenSSL
* Support detailed certificate verify failure errors with Secure Channel
* Move CSE tests into conditional compilation under MONGOC_ENABLE_SSL
* Add Client Side Encryption KMS TLS tests
* Fix CA certificate registration failure on Windows
* Fix CA certificate registration failure on Red Hat
* Add mock KMS servers to Evergreen
* Document mock KMS server requirements for CSFLE tests
* Disable CSE tests on RHEL until resolution of BUILD-14068

Author: eramongodb

.evergreen/config.yml

@@ -31,12 +31,35 @@ fi
 if [ "$SSL" != "nossl" ]; then
    export MONGOC_TEST_SSL_WEAK_CERT_VALIDATION="off"
    export MONGOC_TEST_SSL_PEM_FILE="src/libmongoc/tests/x509gen/client.pem"
-   sudo cp src/libmongoc/tests/x509gen/ca.pem /usr/local/share/ca-certificates/cdriver.crt || true
-   if [ -f /usr/local/share/ca-certificates/cdriver.crt ]; then
-      sudo update-ca-certificates
-   else
-      export MONGOC_TEST_SSL_CA_FILE="src/libmongoc/tests/x509gen/ca.pem"
-   fi
+
+   case "$OS" in
+      cygwin*)
+         certutil.exe -addstore "Root" "src\libmongoc\tests\x509gen\ca.pem"
+         ;;
+      *)
+         if [ -f /etc/redhat-release ]; then
+            echo "Copying CA certificate to /usr/share/pki/ca-trust-source/anchors..."
+            sudo cp -v src/libmongoc/tests/x509gen/ca.pem /usr/share/pki/ca-trust-source/anchors/cdriver.crt || true
+            if [ -f /usr/share/pki/ca-trust-source/anchors/cdriver.crt ]; then
+               echo "Copying CA certificate to /usr/share/pki/ca-trust-source/anchors... done."
+               sudo update-ca-trust extract --verbose
+            else
+               echo "Copying CA certificate to /usr/share/pki/ca-trust-source/anchors... failed."
+               export MONGOC_TEST_SSL_CA_FILE="src/libmongoc/tests/x509gen/ca.pem"
+            fi
+         else
+            echo "Copying CA certificate to /usr/local/share/ca-certificates..."
+            sudo cp -v src/libmongoc/tests/x509gen/ca.pem /usr/local/share/ca-certificates/cdriver.crt || true
+            if [ -f /usr/local/share/ca-certificates/cdriver.crt ]; then
+               echo "Copying CA certificate to /usr/local/share/ca-certificates... done."
+               sudo update-ca-certificates --verbose
+            else
+               echo "Copying CA certificate to /usr/local/share/ca-certificates... failed."
+               export MONGOC_TEST_SSL_CA_FILE="src/libmongoc/tests/x509gen/ca.pem"
+            fi
+         fi
+         ;;
+   esac
 fi
 
 export MONGOC_ENABLE_MAJORITY_READ_CONCERN=on

.evergreen/run-tests.sh

@@ -251,6 +251,15 @@ start mongocryptd on port 27020 and set the following:
 
 * `MONGOC_TEST_MONGOCRYPTD_BYPASS_SPAWN=on`
 
+KMS TLS tests for Client-Side Field Level Encryption require mock KMS servers to be running in the background according to the instructions given in the Client Side Encryption Tests specification.
+The set of mock KMS servers running in the background and their corresponding port number, CA file, and cert file must be as follows:
+
+| Port | CA File | Cert File |
+| --- | --- | --- |
+| 7999 | ca.pem | server.pem |
+| 8000 | ca.pem | expired.pem |
+| 8001 | ca.pem | wrong-host.pem |
+
 Specification tests may be filtered by their description:
 
 * `MONGOC_JSON_SUBTEST=<string>`

CONTRIBUTING.md

@@ -556,6 +556,15 @@
         fi
         ''', test=False)
     )),
+    ('run kms servers', Function(
+        shell_exec(r'''
+        cd ./drivers-evergreen-tools/.evergreen/csfle
+        . ./activate_venv.sh
+        python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 7999 &
+        python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 &
+        python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 &
+        ''', test=False, background=True),
+    )),
     ('start load balancer', Function(
         shell_exec(r'''
         export DRIVERS_TOOLS=./drivers-evergreen-tools

build/evergreen_config_lib/functions.py

@@ -548,6 +548,8 @@ def to_dict(self):
         extra = {}
         if self.cse:
             extra["CLIENT_SIDE_ENCRYPTION"] = "on"
+            commands.append(func('clone drivers-evergreen-tools'))
+            commands.append(func('run kms servers'))
         commands.append(run_tests(VALGRIND=self.on_off('valgrind'),
                                   ASAN='on' if self.sanitizer == 'asan' else 'off',
                                   AUTH=self.display('auth'),

build/evergreen_config_lib/tasks.py

@@ -226,8 +226,8 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .nossl',
              '.authentication-tests .openssl',
-             '.latest .openssl !.nosasl .server',
-             '.latest .nossl'],
+             '.latest .openssl !.nosasl .server !.client-side-encryption',
+             '.latest .nossl !.client-side-encryption'],
             {'CC': 'gcc'}),
     Variant('gcc48rhel',
             'GCC 4.8 (RHEL 7.0)',
@@ -241,14 +241,14 @@ def days(n):
              '.authentication-tests .openssl',
              '.latest .openssl !.nosasl .server',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server',
-             '.4.4 .openssl !.nosasl .server',
-             '.4.2 .openssl !.nosasl .server',
-             '.4.0 .openssl !.nosasl .server',
-             '.3.6 .openssl !.nosasl .server',
-             '.3.4 .openssl !.nosasl .server',
-             '.3.2 .openssl !.nosasl .server',
-             '.3.0 .openssl !.nosasl !.auth'],
+             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.0 .openssl !.nosasl .server !.client-side-encryption',
+             '.3.6 .openssl !.nosasl .server !.client-side-encryption',
+             '.3.4 .openssl !.nosasl .server !.client-side-encryption',
+             '.3.2 .openssl !.nosasl .server !.client-side-encryption',
+             '.3.0 .openssl !.nosasl !.auth !.client-side-encryption'],
             {'CC': 'gcc'}),
     Variant('gcc49',
             'GCC 4.9 (Debian 8.1)',
@@ -499,12 +499,12 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .openssl-static',
              '.debug-compile !.sspi .nossl',
-             '.latest .openssl !.nosasl .server',
-             '.latest .openssl-static !.nosasl .server',
+             '.latest .openssl !.nosasl .server !.client-side-encryption',
+             '.latest .openssl-static !.nosasl .server !.client-side-encryption',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server',
-             '.4.4 .openssl !.nosasl .server',
-             '.4.2 .openssl !.nosasl .server',
+             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
              'test-dns-openssl'],
             {'CC': 'gcc'},
             batchtime=days(1)),
@@ -552,12 +552,12 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .nossl',
              '.authentication-tests .openssl',
-             '.latest .openssl !.nosasl .server',
+             '.latest .openssl !.nosasl .server !.client-side-encryption',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server',
-             '.4.4 .openssl !.nosasl .server',
-             '.4.2 .openssl !.nosasl .server',
-             '.4.0 .openssl !.nosasl .server'],
+             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
+             '.4.0 .openssl !.nosasl .server !.client-side-encryption'],
             {'CC': 'gcc'},
             batchtime=days(1)),
     # Note, do not use Ubuntu 16.04 for valgrind, as the system valgrind

build/evergreen_config_lib/variants.py

@@ -939,7 +939,6 @@ set (test-libmongoc-sources
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-change-stream.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-pool.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-session.c
-   ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-cmd.c
@@ -1024,6 +1023,7 @@ set (test-libmongoc-sources
 if (MONGOC_ENABLE_SSL)
    set (test-libmongoc-sources ${test-libmongoc-sources}
       ${PROJECT_SOURCE_DIR}/tests/ssl-test.c
+      ${PROJECT_SOURCE_DIR}/tests/test-mongoc-client-side-encryption.c
       ${PROJECT_SOURCE_DIR}/tests/test-mongoc-stream-tls-error.c
       ${PROJECT_SOURCE_DIR}/tests/test-mongoc-stream-tls.c
       ${PROJECT_SOURCE_DIR}/tests/test-mongoc-x509.c

src/libmongoc/CMakeLists.txt

@@ -74,13 +74,16 @@ mongoc_secure_channel_realloc_buf (size_t *size,
 
 bool
 mongoc_secure_channel_handshake_step_1 (mongoc_stream_tls_t *tls,
-                                        char *hostname);
+                                        char *hostname,
+                                        bson_error_t *error);
 bool
 mongoc_secure_channel_handshake_step_2 (mongoc_stream_tls_t *tls,
-                                        char *hostname);
+                                        char *hostname,
+                                        bson_error_t *error);
 bool
 mongoc_secure_channel_handshake_step_3 (mongoc_stream_tls_t *tls,
-                                        char *hostname);
+                                        char *hostname,
+                                        bson_error_t *error);
 
 
 BSON_END_DECLS