CSHARP-3936: Support KMIP in client side field level encryption. (#675)

CSHARP-3936: Support KMIP in client side field level encryption.

Author: DmitryLukyanov

build.cake

@@ -403,7 +403,7 @@ Task("TestLoadBalanced")
 Task("TestLoadBalancedNetStandard20").IsDependentOn("TestLoadBalanced");
 Task("TestLoadBalancedNetStandard21").IsDependentOn("TestLoadBalanced");
 
-Task("TestCsfleKmsTls")
+Task("TestCsfleWithMockedKms")
     .IsDependentOn("Build")
     .DoesForEach(
         GetFiles("./**/*.Tests.csproj"),
@@ -416,13 +416,14 @@ Task("TestCsfleKmsTls")
             Configuration = configuration,
             Loggers = CreateLoggers(),
             ArgumentCustomization = args => args.Append("-- RunConfiguration.TargetPlatform=x64"),
-            Filter = "Category=\"CsfleKmsTls\""
+            Filter = "Category=\"CSFLE\""
         };
 
         switch (target.ToLowerInvariant()) // target can be not only moniker related
         {
-            case "testcsflekmstlsnetstandard20": settings.Framework = "netcoreapp2.1"; break;
-            case "testcsflekmstlsnetstandard21": settings.Framework = "netcoreapp3.1"; break;
+            case "testcsflewithmockedkmsnet472": settings.Framework = "net472"; break;
+            case "testcsflewithmockedkmsnetstandard20": settings.Framework = "netcoreapp2.1"; break;
+            case "testcsflewithmockedkmsnetstandard21": settings.Framework = "netcoreapp3.1"; break;
         }
 
         DotNetCoreTest(
@@ -431,8 +432,9 @@ Task("TestCsfleKmsTls")
         );
     });
 
-Task("TestCsfleKmsTlsNetStandard20").IsDependentOn("TestCsfleKmsTls");
-Task("TestCsfleKmsTlsNetStandard21").IsDependentOn("TestCsfleKmsTls");
+Task("TestCsfleWithMockedKmsnet472").IsDependentOn("TestCsfleWithMockedKms");
+Task("TestCsfleWithMockedKmsNetStandard20").IsDependentOn("TestCsfleWithMockedKms");
+Task("TestCsfleWithMockedKmsNetStandard21").IsDependentOn("TestCsfleWithMockedKms");
 
 Task("Docs")
     .IsDependentOn("ApiDocs")

evergreen/add-certs-if-needed.sh renamed to evergreen/add-ca-certs.sh

@@ -4,19 +4,13 @@ set -o xtrace   # Write all commands first to stderr
 set -o errexit  # Exit the script with an error if any of the commands fail
 
 # Supported/used environment variables:
-#     SSL                     Set to enable SSL. Values are "ssl" / "nossl" (default)
 #     OCSP_TLS_SHOULD_SUCCEED Set to test OCSP. Values are true/false/nil
 #     OCSP_ALGORITHM          Set to test OCSP. Values are rsa/ecdsa/nil
 #     OS                      Set to access operating system
 
-SSL=${SSL:-nossl}
 OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED:-nil}
 OCSP_ALGORITHM=${OCSP_ALGORITHM:-nil}
 
-if [[ "$SSL" != "ssl" ]]; then
-  exit 0
-fi
-
 function make_trusted() {
   echo "CA.pem certificate $1"
   if [[ "$OS" =~ Windows|windows ]]; then

evergreen/cleanup-test-resources.sh

@@ -3,8 +3,8 @@ set -o xtrace   # Write all commands first to stderr
 # Environment variables used as input:
 #   OS                                               The current operating system
 
-echo "Attempt to kill mongocryptd process if presented"
-if [ "Windows_NT" = "$OS" ]; then
+echo "Attempt to kill mongocryptd process if presented on ${OS}"
+if [[ "$OS" =~ Windows|windows ]]; then
   tasklist -FI "IMAGENAME eq mongocryptd.exe"
   taskkill -F -FI "IMAGENAME eq mongocryptd.exe"
   # check that it's actually killed

evergreen/evergreen.yml

@@ -259,7 +259,7 @@ functions:
         working_dir: "mongo-csharp-driver"
         script: |
           ${PREPARE_SHELL}
-          SSL=${SSL} OS=${OS} evergreen/add-certs-if-needed.sh
+          OS=${OS} evergreen/add-ca-certs.sh
           AUTH="${AUTH}" SSL="${SSL}" \
           FRAMEWORK=${FRAMEWORK} \
           OS=${OS} \
@@ -291,9 +291,8 @@ functions:
           . ./evergreen/set-virtualenv.sh
           . ./evergreen/set-temp-fle-aws-creds.sh
           ${PREPARE_SHELL}
-          SSL=${SSL} \
           OS=${OS} \
-            evergreen/add-certs-if-needed.sh
+            evergreen/add-ca-certs.sh
           AUTH=${AUTH} \
           SSL=${SSL} \
           MONGODB_URI="${MONGODB_URI}" \
@@ -305,6 +304,38 @@ functions:
           FRAMEWORK=${FRAMEWORK} \
             evergreen/run-tests.sh
           echo "Skipping certificate removal..."
+          OS=${OS} \
+            evergreen/cleanup-test-resources.sh
+
+  run-csfle-tests-with-mocked-kms:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "mongo-csharp-driver"
+        script: |
+          set +x
+          export FLE_AWS_ACCESS_KEY_ID=${FLE_AWS_ACCESS_KEY_ID}
+          export FLE_AWS_SECRET_ACCESS_KEY=${FLE_AWS_SECRET_ACCESS_KEY}
+          export FLE_AZURE_TENANT_ID=${FLE_AZURE_TENANT_ID}
+          export FLE_AZURE_CLIENT_ID=${FLE_AZURE_CLIENT_ID}
+          export FLE_AZURE_CLIENT_SECRET=${FLE_AZURE_CLIENT_SECRET}
+          export FLE_GCP_EMAIL=${FLE_GCP_EMAIL}
+          export FLE_GCP_PRIVATE_KEY=${FLE_GCP_PRIVATE_KEY}
+          export KMS_MOCK_SERVERS_ENABLED=true
+          ${PREPARE_SHELL}
+          set +o xtrace
+          OS=${OS} \
+            evergreen/add-ca-certs.sh
+          AUTH=${AUTH} \
+          SSL=${SSL} \
+          MONGODB_URI="${MONGODB_URI}" \
+          TOPOLOGY=${TOPOLOGY} \
+          OS=${OS} \
+          CLIENT_PEM=${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem \
+          FRAMEWORK=${FRAMEWORK} \
+          TARGET="TestCsfleWithMockedKms" \
+            evergreen/run-tests.sh
+          OS=${OS} \
             evergreen/cleanup-test-resources.sh
 
   run-atlas-connectivity-tests:
@@ -507,8 +538,7 @@ functions:
           ${PREPARE_SHELL}
           OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \
             OCSP_ALGORITHM=${OCSP_ALGORITHM} \
-            SSL="ssl" \
-            evergreen/add-certs-if-needed.sh
+            evergreen/add-ca-certs.sh
           set +o xtrace
           AUTH="${AUTH}" \
             SSL="ssl" \
@@ -642,28 +672,39 @@ functions:
               bash ${DRIVERS_TOOLS}/.evergreen/serverless/delete-instance.sh
           fi
 
-  run-kms-tls-test:
+  start-kms-mock-servers:
     - command: shell.exec
-      type: test
       params:
-        working_dir: "mongo-csharp-driver"
         script: |
           ${PREPARE_SHELL}
-          set +o xtrace
-          # technically FLE_* vars are not needed, added just to reduce a number of changes in the code
-          export FLE_AWS_ACCESS_KEY_ID=${FLE_AWS_ACCESS_KEY_ID}
-          export FLE_AWS_SECRET_ACCESS_KEY=${FLE_AWS_SECRET_ACCESS_KEY}
-          export FLE_AZURE_TENANT_ID=${FLE_AZURE_TENANT_ID}
-          export FLE_AZURE_CLIENT_ID=${FLE_AZURE_CLIENT_ID}
-          export FLE_AZURE_CLIENT_SECRET=${FLE_AZURE_CLIENT_SECRET}
-          export FLE_GCP_EMAIL=${FLE_GCP_EMAIL}
-          export FLE_GCP_PRIVATE_KEY=${FLE_GCP_PRIVATE_KEY}
-          KMS_TLS_ERROR_TYPE="${KMS_TLS_ERROR_TYPE}" \
-          MONGODB_URI="${MONGODB_URI}" \
-          FRAMEWORK=${FRAMEWORK} \
-            evergreen/run-kms-tls-tests.sh
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          . ./activate_venv.sh
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          #expired client cert
+          PYTHON=$(Venv="${DRIVERS_TOOLS}/.evergreen/csfle/kmstlsvenv" OS=${OS} ${PROJECT_DIRECTORY}/evergreen/get-python-path.sh);
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          $PYTHON -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          #wrong-host client cert
+          PYTHON=$(Venv="${DRIVERS_TOOLS}/.evergreen/csfle/kmstlsvenv" OS=${OS} ${PROJECT_DIRECTORY}/evergreen/get-python-path.sh);
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          $PYTHON -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          #server.pem client cert
+          PYTHON=$(Venv="${DRIVERS_TOOLS}/.evergreen/csfle/kmstlsvenv" OS=${OS} ${PROJECT_DIRECTORY}/evergreen/get-python-path.sh);
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          $PYTHON -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 8002 --require_client_cert
 
-  start-kms-mock-server:
+  start-kms-kmip-server:
     - command: shell.exec
       params:
         script: |
@@ -674,8 +715,9 @@ functions:
       params:
         background: true
         script: |
+          PYTHON=$(Venv="${DRIVERS_TOOLS}/.evergreen/csfle/kmstlsvenv" OS=${OS} ${PROJECT_DIRECTORY}/evergreen/get-python-path.sh);
           cd ${DRIVERS_TOOLS}/.evergreen/csfle
-          ./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${BROKEN_CERT} --port 8000
+          $PYTHON -u kms_kmip_server.py
 
   publish-snapshot:
     - command: shell.exec
@@ -793,6 +835,33 @@ tasks:
           vars:
             FRAMEWORK: netstandard21
 
+    - name: test-kms-tls-mocked-net472
+      commands:
+        - func: start-kms-mock-servers
+        - func: start-kms-kmip-server
+        - func: bootstrap-mongo-orchestration
+        - func: run-csfle-tests-with-mocked-kms
+          vars:
+            FRAMEWORK: net472
+
+    - name: test-kms-tls-mocked-netstandard20
+      commands:
+        - func: start-kms-mock-servers
+        - func: start-kms-kmip-server
+        - func: bootstrap-mongo-orchestration
+        - func: run-csfle-tests-with-mocked-kms
+          vars:
+            FRAMEWORK: netstandard20
+
+    - name: test-kms-tls-mocked-netstandard21
+      commands:
+        - func: start-kms-mock-servers
+        - func: start-kms-kmip-server
+        - func: bootstrap-mongo-orchestration
+        - func: run-csfle-tests-with-mocked-kms
+          vars:
+            FRAMEWORK: netstandard21
+
     - name: test-load-balancer-netstandard20
       commands:
         - func: bootstrap-mongo-orchestration
@@ -922,44 +991,6 @@ tasks:
           vars:
             FRAMEWORK: netstandard21
 
-    - name: test-kms-tls-expired-certificate-netstandard21
-      tags: ["kms-tls"]
-      commands:
-        - func: bootstrap-mongo-orchestration
-          vars:
-            TOPOLOGY: "server"
-            AUTH: "noauth"
-            SSL: "nossl"
-        - func: start-kms-mock-server
-          vars:
-            BROKEN_CERT: "expired.pem"
-        - func: run-kms-tls-test
-          vars:
-            TOPOLOGY: "server"
-            AUTH: "noauth"
-            SSL: "nossl"
-            FRAMEWORK: netstandard21
-            KMS_TLS_ERROR_TYPE: "expiredCertificate"
-            
-    - name: test-kms-tls-invalid-host-netstandard21
-      tags: ["kms-tls"]
-      commands:
-        - func: bootstrap-mongo-orchestration
-          vars:
-            TOPOLOGY: "server"
-            AUTH: "noauth"
-            SSL: "nossl"
-        - func: start-kms-mock-server
-          vars:
-           BROKEN_CERT: "wrong-host.pem"
-        - func: run-kms-tls-test
-          vars:
-            TOPOLOGY: "server"
-            AUTH: "noauth"
-            SSL: "nossl"
-            FRAMEWORK: netstandard21
-            KMS_TLS_ERROR_TYPE: "invalidHostname"
-
     - name: test-ocsp-rsa-valid-cert-server-staples-ca-responder
       tags: ["ocsp"]
       commands:
@@ -1616,8 +1647,23 @@ buildvariants:
     - name: test-gssapi-netstandard20
     - name: test-gssapi-netstandard21
 
-- matrix_name: "kms-tls-tests-linux"
-  matrix_spec: { os: "ubuntu-1804", version: [ "5.0" ], topology: ["standalone"] }
-  display_name: "CSFLE KMS TLS ${os}"
+- matrix_name: "csfle-with-mocked-kms-tests-windows"
+  matrix_spec: { os: "windows-64", ssl: "nossl", version: [ "5.0" ], topology: ["standalone"] }
+  display_name: "CSFLE Mocked KMS ${os}"
+  tasks:
+    - name: test-kms-tls-mocked-net472
+    - name: test-kms-tls-mocked-netstandard20
+    - name: test-kms-tls-mocked-netstandard21  
+
+- matrix_name: "csfle-with-mocked-kms-tests-linux"
+  matrix_spec: { os: "ubuntu-1804", ssl: "nossl", version: [ "5.0" ], topology: ["standalone"] }
+  display_name: "CSFLE Mocked KMS ${os}"
+  tasks:
+    - name: test-kms-tls-mocked-netstandard20
+    - name: test-kms-tls-mocked-netstandard21
+
+- matrix_name: "csfle-with-mocked-kms-tests-macOS"
+  matrix_spec: { os: "macos-1014", ssl: "nossl", version: [ "5.0" ], topology: ["standalone"] }
+  display_name: "CSFLE Mocked KMS ${os}"
   tasks:
-    - name: ".kms-tls"   
+    - name: test-kms-tls-mocked-netstandard21

evergreen/get-python-path.sh

@@ -0,0 +1,27 @@
+# Find the version of python on the system.
+#
+# Environment variables used as input:
+#   Venv                                             Venv path
+#   OS                                               The current operating system
+#
+# Environment variables produced as output:
+#   PYTHON                                           The python path
+
+# Don't write anything to output
+if [ -z "$Venv" ]; then
+    if [ -e "/cygdrive/c/python/Python39/python" ]; then
+        echo "/cygdrive/c/python/Python39/python"
+    elif [ -e "/opt/mongodbtoolchain/v3/bin/python3" ]; then
+        echo "/opt/mongodbtoolchain/v3/bin/python3"
+    elif python3 --version >/dev/null 2>&1; then
+        echo python3
+    else
+        echo python
+    fi
+else
+    if [[ "$OS" =~ Windows|windows ]]; then
+        echo "${Venv}/Scripts/python"
+    else
+        echo "${Venv}/bin/python"
+    fi
+fi