CSHARP-3031:Fix AUTH testing so that it uses x.509 certificate authentication

Author: vincentkam

build.cake

@@ -125,6 +125,16 @@ Task("Test")
         {
             Console.WriteLine($"TEST_WITH_DEFAULT_GUID_REPRESENTATION={testWithDefaultGuidRepresentation}");
         }
+        var mongoX509ClientCertificatePath = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PATH");
+        if (mongoX509ClientCertificatePath != null)
+        {
+            Console.WriteLine($"MONGO_X509_CLIENT_CERTIFICATE_PATH={mongoX509ClientCertificatePath}");
+        }
+        var mongoX509ClientCertificatePassword = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PASSWORD");
+        if (mongoX509ClientCertificatePassword != null)
+        {
+            Console.WriteLine($"MONGO_X509_CLIENT_CERTIFICATE_PASSWORD={mongoX509ClientCertificatePassword}");
+        }
 
         var settings = new DotNetCoreTestSettings
         {

build.ps1

@@ -275,6 +275,11 @@ if ($Experimental) { $cakeArguments += "-experimental" }
 if ($Mono) { $cakeArguments += "-mono" }
 $cakeArguments += $ScriptArgs
 
+# Verify that the environment variables we care about have been passed in from bash
+Write-Host "Verifying environment variables values..."
+Write-Host "MONGO_X509_CLIENT_CERTIFICATE_PATH = " $env:MONGO_X509_CLIENT_CERTIFICATE_PATH
+Write-Host "MONGO_X509_CLIENT_CERTIFICATE_PASSWORD = " $env:MONGO_X509_CLIENT_CERTIFICATE_PASSWORD
+
 # Start Cake
 Write-Host "Running build script..."
 echo $CAKE_EXE $cakeArguments

evergreen/convert-client-cert-to-pkcs12.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+set -o xtrace   # Write all commands first to stderr
+set -o errexit  # Exit the script with an error if any of the commands fail
+
+# Environment variables used as input:
+#   CLIENT_PEM                      Path to mongo -orchestration's client.pem: must be set.
+#   MONGO_X509_CLIENT_P12           Filename for client certificate in p12 format
+#
+# Environment variables produced as output:
+#   MONGODB_X509_CLIENT_P12_PATH            Absolute path to client certificate in p12 format
+#   MONGO_X509_CLIENT_CERTIFICATE_PASSWORD  Password for client certificate
+
+
+CLIENT_PEM=${CLIENT_PEM:-nil}
+MONGO_X509_CLIENT_P12=${MONGO_X509_CLIENT_P12:-client.p12}
+MONGO_X509_CLIENT_CERTIFICATE_PASSWORD=${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD:-Picard-Alpha-Alpha-3-0-5}
+
+if [[ "$CLIENT_PEM" == "nil" ]]; then
+  exit 1
+fi
+
+openssl pkcs12 -export -in "${CLIENT_PEM}" \
+  -out "${MONGO_X509_CLIENT_P12}" \
+  -name "Drivers Client Certificate" \
+  -password "pass:${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}"
+
+MONGO_X509_CLIENT_CERTIFICATE_PATH=$(realpath "${MONGO_X509_CLIENT_P12}")
+
+if [[ "$OS" =~ Windows|windows ]]; then
+  MONGO_X509_CLIENT_CERTIFICATE_PATH=$(cygpath -w "${MONGO_X509_CLIENT_CERTIFICATE_PATH}")
+fi
+
+export MONGO_X509_CLIENT_CERTIFICATE_PATH
+export MONGO_X509_CLIENT_CERTIFICATE_PASSWORD

evergreen/evergreen.yml

@@ -240,7 +240,14 @@ functions:
           export FLE_AWS_SECRET_ACCESS_KEY=${FLE_AWS_SECRET_ACCESS_KEY}
           ${PREPARE_SHELL}
           SSL=${SSL} evergreen/add-certs-if-needed.sh
-          AUTH=${AUTH} SSL=${SSL} MONGODB_URI="${MONGODB_URI}" TOPOLOGY=${TOPOLOGY} OS=${OS} COMPRESSOR=${COMPRESSOR} evergreen/run-tests.sh
+          AUTH=${AUTH} \
+            SSL=${SSL} \
+            MONGODB_URI="${MONGODB_URI}" \
+            TOPOLOGY=${TOPOLOGY} \
+            OS=${OS} \
+            COMPRESSOR=${COMPRESSOR} \
+            CLIENT_PEM=${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem \
+            evergreen/run-tests.sh
           echo "Skipping certificate removal..."
 
   run-atlas-connectivity-tests:

evergreen/run-tests.sh

@@ -3,20 +3,27 @@
 set -o xtrace   # Write all commands first to stderr
 set -o errexit  # Exit the script with error if any of the commands fail
 
-# Supported/used environment variables:
-#       AUTH                    Set to enable authentication. Values are: "auth" / "noauth" (default)
-#       SSL                     Set to enable SSL. Values are "ssl" / "nossl" (default)
-#       MONGODB_URI             Set the suggested connection MONGODB_URI (including credentials and topology info)
-#       TOPOLOGY                Allows you to modify variables and the MONGODB_URI based on test topology
-#                               Supported values: "server", "replica_set", "sharded_cluster"
-#       OCSP_TLS_SHOULD_SUCCEED Set to test OCSP. Values are true/false/nil
+# Environment variables used as input:
+#   AUTH                            Set to enable authentication. Values are: "auth" / "noauth" (default)
+#   SSL                             Set to enable SSL. Values are "ssl" / "nossl" (default)
+#   MONGODB_URI                     Set the suggested connection MONGODB_URI (including credentials and topology info)
+#   TOPOLOGY                        Allows you to modify variables and the MONGODB_URI based on test topology
+#                                   Supported values: "server", "replica_set", "sharded_cluster"
+#   OCSP_TLS_SHOULD_SUCCEED         Set to test OCSP. Values are true/false/nil
+#   MONGODB_X509_CLIENT_P12_PATH    Absolute path to client certificate in p12 format
+#   MONGO_X509_CLIENT_CERTIFICATE_PASSWORD  password for client certificate
+#
+# Environment variables produced as output:
+#   MONGODB_X509_CLIENT_P12_PATH            Absolute path to client certificate in p12 format
+#   MONGO_X509_CLIENT_CERTIFICATE_PASSWORD  Password for client certificate
 
 AUTH=${AUTH:-noauth}
 SSL=${SSL:-nossl}
 MONGODB_URI=${MONGODB_URI:-}
 TOPOLOGY=${TOPOLOGY:-server}
 COMPRESSOR=${COMPRESSOR:-none}
 OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED:-nil}
+CLIENT_PEM=${CLIENT_PEM:-nil}
 
 ############################################
 #            Functions                     #
@@ -97,4 +104,16 @@ fi
 for var in TMP TEMP NUGET_PACKAGES NUGET_HTTP_CACHE_PATH APPDATA; do
   export $var=z:\\data\\tmp;
 done
-powershell.exe .\\build.ps1 -target ${TARGET}
+
+if [[ "$CLIENT_PEM" != "nil" ]]; then
+  CLIENT_PEM=${CLIENT_PEM} source evergreen/convert-client-cert-to-pkcs12.sh
+fi
+
+if [[ -z "$MONGO_X509_CLIENT_CERTIFICATE_PATH" && -z "$MONGO_X509_CLIENT_CERTIFICATE_PASSWORD" ]]; then
+  powershell.exe '.\build.ps1 -target' $TARGET
+else
+  powershell.exe \
+    '$env:MONGO_X509_CLIENT_CERTIFICATE_PATH="'${MONGO_X509_CLIENT_CERTIFICATE_PATH}'";'\
+    '$env:MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="'${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}'";'\
+    '.\build.ps1 -target' $TARGET
+fi

tests/MongoDB.Driver.Core.TestHelpers/CoreTestConfiguration.cs

@@ -24,6 +24,7 @@
 using MongoDB.Bson;
 using MongoDB.Bson.Serialization.Serializers;
 using MongoDB.Driver.Core;
+using MongoDB.Driver.Core.Authentication;
 using MongoDB.Driver.Core.Bindings;
 using MongoDB.Driver.Core.Clusters;
 using MongoDB.Driver.Core.Clusters.ServerSelectors;
@@ -107,14 +108,17 @@ public static ClusterBuilder ConfigureCluster(ClusterBuilder builder)
                 .ConfigureWithConnectionString(__connectionString.Value)
                 .ConfigureCluster(c => c.With(serverSelectionTimeout: TimeSpan.FromMilliseconds(int.Parse(serverSelectionTimeoutString))));
 
-            if (__connectionString.Value.Tls.HasValue && __connectionString.Value.Tls.Value)
+            if (__connectionString.Value.Tls.HasValue &&
+                __connectionString.Value.Tls.Value &&
+                __connectionString.Value.AuthMechanism != null &&
+                __connectionString.Value.AuthMechanism == MongoDBX509Authenticator.MechanismName)
             {
-                var certificateFilename = Environment.GetEnvironmentVariable("MONGO_SSL_CERT_FILE");
+                var certificateFilename = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PATH");
                 if (certificateFilename != null)
                 {
                     builder.ConfigureSsl(ssl =>
                     {
-                        var password = Environment.GetEnvironmentVariable("MONGO_SSL_CERT_PASS");
+                        var password = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PASSWORD");
                         X509Certificate cert;
                         if (password == null)
                         {

tests/MongoDB.Driver.Core.TestHelpers/XunitExtensions/RequireServer.cs

@@ -162,6 +162,18 @@ public RequireServer StorageEngines(params string[] storageEngines)
             throw new SkipException($"Test skipped because storage engine is \"{actualStorageEngine}\" and not one of ({storageEnginesString}).");
         }
 
+        public RequireServer Tls(bool required = true)
+        {
+            var usingTls = CoreTestConfiguration.ConnectionString.Tls;
+            if (usingTls == required)
+            {
+                return this;
+            }
+            throw new SkipException(
+                $"Test skipped because the connection string specifies TLS={usingTls} " +
+                $"and this test requires TLS={required}.");
+        }
+
         public RequireServer VersionGreaterThanOrEqualTo(SemanticVersion version)
         {
             var actualVersion = CoreTestConfiguration.ServerVersion;

tests/MongoDB.Driver.TestHelpers/DriverTestConfiguration.cs

@@ -120,7 +120,7 @@ public static DisposableMongoClient CreateDisposableClient(
                 useMultipleShardRouters = false;
             }
 
-            var connectionString = useMultipleShardRouters 
+            var connectionString = useMultipleShardRouters
                 ? CoreTestConfiguration.ConnectionStringWithMultipleShardRouters.ToString()
                 : CoreTestConfiguration.ConnectionString.ToString();
             var clientSettings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
@@ -134,6 +134,11 @@ public static DisposableMongoClient CreateDisposableClient(EventCapturer capture
             return CreateDisposableClient((ClusterBuilder c) => c.Subscribe(capturer));
         }
 
+        public static DisposableMongoClient CreateDisposableclient(MongoClientSettings settings)
+        {
+            return new DisposableMongoClient(new MongoClient(settings));
+        }
+
         public static MongoClientSettings GetClientSettings()
         {
             var connectionString = CoreTestConfiguration.ConnectionString.ToString();