CDRIVER-4183 re-enable CSE tests on RHEL (#882)

* Enable skipping of KMS TLS tests via MONGOC_TEST_SKIP_KMS_TLS_TESTS
* Add condition for skipping KMS TLS tests on CA cert register failure
* Add CA certificate registration routines for MacOS
* Add routine to wait for mock KMS server startup completion
* Re-enable CSE tests on RHEL variants

Author: eramongodb

.evergreen/config.yml

@@ -775,11 +775,13 @@ functions:
       shell: bash
       script: |-
         set -o errexit
+        echo "Starting mock KMS servers..."
         cd ./drivers-evergreen-tools/.evergreen/csfle
         . ./activate_venv.sh
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 7999 &
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 &
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 &
+        echo "Starting mock KMS servers... done."
   start load balancer:
   - command: shell.exec
     params:
@@ -26982,8 +26984,8 @@ buildvariants:
   - .debug-compile !.sspi .openssl
   - .debug-compile !.sspi .nossl
   - .authentication-tests .openssl
-  - .latest .openssl !.nosasl .server !.client-side-encryption
-  - .latest .nossl !.client-side-encryption
+  - .latest .openssl !.nosasl .server
+  - .latest .nossl
 - name: gcc48rhel
   display_name: GCC 4.8 (RHEL 7.0)
   expansions:
@@ -26999,14 +27001,14 @@ buildvariants:
   - .authentication-tests .openssl
   - .latest .openssl !.nosasl .server
   - .latest .nossl
-  - .5.0 .openssl !.nosasl .server !.client-side-encryption
-  - .4.4 .openssl !.nosasl .server !.client-side-encryption
-  - .4.2 .openssl !.nosasl .server !.client-side-encryption
-  - .4.0 .openssl !.nosasl .server !.client-side-encryption
-  - .3.6 .openssl !.nosasl .server !.client-side-encryption
-  - .3.4 .openssl !.nosasl .server !.client-side-encryption
-  - .3.2 .openssl !.nosasl .server !.client-side-encryption
-  - .3.0 .openssl !.nosasl !.auth !.client-side-encryption
+  - .5.0 .openssl !.nosasl .server
+  - .4.4 .openssl !.nosasl .server
+  - .4.2 .openssl !.nosasl .server
+  - .4.0 .openssl !.nosasl .server
+  - .3.6 .openssl !.nosasl .server
+  - .3.4 .openssl !.nosasl .server
+  - .3.2 .openssl !.nosasl .server
+  - .3.0 .openssl !.nosasl !.auth
 - name: gcc49
   display_name: GCC 4.9 (Debian 8.1)
   expansions:
@@ -27283,12 +27285,12 @@ buildvariants:
   - .debug-compile !.sspi .openssl
   - .debug-compile !.sspi .openssl-static
   - .debug-compile !.sspi .nossl
-  - .latest .openssl !.nosasl .server !.client-side-encryption
-  - .latest .openssl-static !.nosasl .server !.client-side-encryption
+  - .latest .openssl !.nosasl .server
+  - .latest .openssl-static !.nosasl .server
   - .latest .nossl
-  - .5.0 .openssl !.nosasl .server !.client-side-encryption
-  - .4.4 .openssl !.nosasl .server !.client-side-encryption
-  - .4.2 .openssl !.nosasl .server !.client-side-encryption
+  - .5.0 .openssl !.nosasl .server
+  - .4.4 .openssl !.nosasl .server
+  - .4.2 .openssl !.nosasl .server
   - test-dns-openssl
   batchtime: 1440
 - name: arm-ubuntu1804
@@ -27341,12 +27343,12 @@ buildvariants:
   - .debug-compile !.sspi .openssl
   - .debug-compile !.sspi .nossl
   - .authentication-tests .openssl
-  - .latest .openssl !.nosasl .server !.client-side-encryption
+  - .latest .openssl !.nosasl .server
   - .latest .nossl
-  - .5.0 .openssl !.nosasl .server !.client-side-encryption
-  - .4.4 .openssl !.nosasl .server !.client-side-encryption
-  - .4.2 .openssl !.nosasl .server !.client-side-encryption
-  - .4.0 .openssl !.nosasl .server !.client-side-encryption
+  - .5.0 .openssl !.nosasl .server
+  - .4.4 .openssl !.nosasl .server
+  - .4.2 .openssl !.nosasl .server
+  - .4.0 .openssl !.nosasl .server
   batchtime: 1440
 - name: valgrind-ubuntu
   display_name: Valgrind Tests (Ubuntu 18.04)

.evergreen/run-tests.sh

@@ -36,6 +36,9 @@ if [ "$SSL" != "nossl" ]; then
       cygwin*)
          certutil.exe -addstore "Root" "src\libmongoc\tests\x509gen\ca.pem"
          ;;
+      darwin*)
+         sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain src/libmongoc/tests/x509gen/ca.pem
+         ;;
       *)
          if [ -f /etc/redhat-release ]; then
             echo "Copying CA certificate to /usr/share/pki/ca-trust-source/anchors..."
@@ -45,6 +48,7 @@ if [ "$SSL" != "nossl" ]; then
                sudo update-ca-trust extract --verbose
             else
                echo "Copying CA certificate to /usr/share/pki/ca-trust-source/anchors... failed."
+               export MONGOC_TEST_SKIP_KMS_TLS_TESTS=on
                export MONGOC_TEST_SSL_CA_FILE="src/libmongoc/tests/x509gen/ca.pem"
             fi
          else
@@ -55,6 +59,7 @@ if [ "$SSL" != "nossl" ]; then
                sudo update-ca-certificates --verbose
             else
                echo "Copying CA certificate to /usr/local/share/ca-certificates... failed."
+               export MONGOC_TEST_SKIP_KMS_TLS_TESTS=on
                export MONGOC_TEST_SSL_CA_FILE="src/libmongoc/tests/x509gen/ca.pem"
             fi
          fi
@@ -115,6 +120,27 @@ check_mongocryptd() {
 
 export MONGOC_TEST_MONITORING_VERBOSE=on
 
+# Ensure mock KMS servers are running before starting tests.
+if [ "$CLIENT_SIDE_ENCRYPTION" = "on" ]; then
+   echo "Waiting for mock KMS servers to start..."
+   wait_for_kms_server() {
+      for i in $(seq 60); do
+         # Exit code 7: "Failed to connect to host".
+         if curl -s "localhost:$1"; test $? -ne 7; then
+            return 0
+         else
+            sleep 1
+         fi
+      done
+      echo "Could not detect mock KMS server on port $1"
+      return 1
+   }
+   wait_for_kms_server 7999
+   wait_for_kms_server 8000
+   wait_for_kms_server 8001
+   echo "Waiting for mock KMS servers to start... done."
+fi
+
 if [ "$LOADBALANCED" != "noloadbalanced" ]; then
    if [ -z "$SINGLE_MONGOS_LB_URI" -o -z "$MULTI_MONGOS_LB_URI" ]; then
       echo "SINGLE_MONGOS_LB_URI and MULTI_MONGOS_LB_URI environment variables required."

CONTRIBUTING.md

@@ -260,6 +260,10 @@ The set of mock KMS servers running in the background and their corresponding po
 | 8000 | ca.pem | expired.pem |
 | 8001 | ca.pem | wrong-host.pem |
 
+KMS TLS tests for Client-Side Field Level Encryption can be skipped by defining:
+
+* `MONGOC_TEST_SKIP_KMS_TLS_TESTS=on`
+
 Specification tests may be filtered by their description:
 
 * `MONGOC_JSON_SUBTEST=<string>`

build/evergreen_config_lib/functions.py

@@ -558,11 +558,13 @@
     )),
     ('run kms servers', Function(
         shell_exec(r'''
+        echo "Starting mock KMS servers..."
         cd ./drivers-evergreen-tools/.evergreen/csfle
         . ./activate_venv.sh
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 7999 &
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 &
         python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 &
+        echo "Starting mock KMS servers... done."
         ''', test=False, background=True),
     )),
     ('start load balancer', Function(

build/evergreen_config_lib/variants.py

@@ -226,8 +226,8 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .nossl',
              '.authentication-tests .openssl',
-             '.latest .openssl !.nosasl .server !.client-side-encryption',
-             '.latest .nossl !.client-side-encryption'],
+             '.latest .openssl !.nosasl .server',
+             '.latest .nossl'],
             {'CC': 'gcc'}),
     Variant('gcc48rhel',
             'GCC 4.8 (RHEL 7.0)',
@@ -241,14 +241,14 @@ def days(n):
              '.authentication-tests .openssl',
              '.latest .openssl !.nosasl .server',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.0 .openssl !.nosasl .server !.client-side-encryption',
-             '.3.6 .openssl !.nosasl .server !.client-side-encryption',
-             '.3.4 .openssl !.nosasl .server !.client-side-encryption',
-             '.3.2 .openssl !.nosasl .server !.client-side-encryption',
-             '.3.0 .openssl !.nosasl !.auth !.client-side-encryption'],
+             '.5.0 .openssl !.nosasl .server',
+             '.4.4 .openssl !.nosasl .server',
+             '.4.2 .openssl !.nosasl .server',
+             '.4.0 .openssl !.nosasl .server',
+             '.3.6 .openssl !.nosasl .server',
+             '.3.4 .openssl !.nosasl .server',
+             '.3.2 .openssl !.nosasl .server',
+             '.3.0 .openssl !.nosasl !.auth'],
             {'CC': 'gcc'}),
     Variant('gcc49',
             'GCC 4.9 (Debian 8.1)',
@@ -499,12 +499,12 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .openssl-static',
              '.debug-compile !.sspi .nossl',
-             '.latest .openssl !.nosasl .server !.client-side-encryption',
-             '.latest .openssl-static !.nosasl .server !.client-side-encryption',
+             '.latest .openssl !.nosasl .server',
+             '.latest .openssl-static !.nosasl .server',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
+             '.5.0 .openssl !.nosasl .server',
+             '.4.4 .openssl !.nosasl .server',
+             '.4.2 .openssl !.nosasl .server',
              'test-dns-openssl'],
             {'CC': 'gcc'},
             batchtime=days(1)),
@@ -552,12 +552,12 @@ def days(n):
              '.debug-compile !.sspi .openssl',
              '.debug-compile !.sspi .nossl',
              '.authentication-tests .openssl',
-             '.latest .openssl !.nosasl .server !.client-side-encryption',
+             '.latest .openssl !.nosasl .server',
              '.latest .nossl',
-             '.5.0 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.4 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.2 .openssl !.nosasl .server !.client-side-encryption',
-             '.4.0 .openssl !.nosasl .server !.client-side-encryption'],
+             '.5.0 .openssl !.nosasl .server',
+             '.4.4 .openssl !.nosasl .server',
+             '.4.2 .openssl !.nosasl .server',
+             '.4.0 .openssl !.nosasl .server'],
             {'CC': 'gcc'},
             batchtime=days(1)),
     # Note, do not use Ubuntu 16.04 for valgrind, as the system valgrind

src/libmongoc/tests/test-mongoc-client-side-encryption.c

@@ -2416,6 +2416,13 @@ test_kms_tls_cert_wrong_host (void *unused)
    mongoc_client_destroy (client);
 }
 
+/* Required CA certificates may not be registered on system. See BUILD-14068. */
+int
+test_framework_skip_kms_tls_tests (void)
+{
+   return test_framework_getenv_bool ("MONGOC_TEST_SKIP_KMS_TLS_TESTS") ? 0 : 1;
+}
+
 void
 test_client_side_encryption_install (TestSuite *suite)
 {
@@ -2499,20 +2506,23 @@ test_client_side_encryption_install (TestSuite *suite)
                       NULL,
                       NULL,
                       test_framework_skip_if_no_client_side_encryption,
+                      test_framework_skip_kms_tls_tests,
                       test_framework_skip_if_max_wire_version_less_than_8);
    TestSuite_AddFull (suite,
                       "/client_side_encryption/kms_tls/expired",
                       test_kms_tls_cert_expired,
                       NULL,
                       NULL,
                       test_framework_skip_if_no_client_side_encryption,
+                      test_framework_skip_kms_tls_tests,
                       test_framework_skip_if_max_wire_version_less_than_8);
    TestSuite_AddFull (suite,
                       "/client_side_encryption/kms_tls/wrong_host",
                       test_kms_tls_cert_wrong_host,
                       NULL,
                       NULL,
                       test_framework_skip_if_no_client_side_encryption,
+                      test_framework_skip_kms_tls_tests,
                       test_framework_skip_if_max_wire_version_less_than_8);
 
    /* Other, C driver specific, tests. */