fix tests

Author: qingyang-hu

.evergreen/config.yml

@@ -554,9 +554,15 @@ functions:
         args: [*task-runner, evg-test-kmip]
 
   start-kms-failpoint-server:
-    - command: ec2.assume_role
+    - command: subprocess.exec
       params:
-        role_arn: ${aws_test_secrets_role}
+        binary: python3
+        env:
+          KMS_FAILPOINT_SERVERS_RUNNING: "true"
+        background: true
+        args: ["-u", "${DRIVERS_TOOLS}/.evergreen/csfle/kms_failpoint_server.py", "--port", "9003"]
+
+  run-retry-kms-requests:
     - command: subprocess.exec
       params:
         working_dir: src/go.mongodb.org/mongo-driver
@@ -565,28 +571,20 @@ functions:
         include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "DRIVERS_TOOLS"]
         # This cannot use task because it will hang on Windows.
         args: [etc/setup-encryption.sh]
-    - command: subprocess.exec
-      params:
-        binary: python3
-        background: true
-        args: ["-u", "${DRIVERS_TOOLS}/.evergreen/csfle/kms_failpoint_server.py", "--port", "9003"]
-
-  run-retry-kms-requests:
     - command: subprocess.exec
       type: test
       params:
         binary: "bash"
         env: 
           GO_BUILD_TAGS: cse
-        include_expansions_in_env: [AUTH, SSL, MONGODB_URI, TOPOLOGY, 
-          MONGO_GO_DRIVER_COMPRESSOR]
+        include_expansions_in_env: [AUTH, SSL, MONGODB_URI, TOPOLOGY, MONGO_GO_DRIVER_COMPRESSOR]
         args: [*task-runner, setup-test]
     - command: subprocess.exec
       type: test
       params:
         binary: "bash"
         env:
-          KMS_FAILPOINT_SERVERS_RUNNING: "true"
+          CSFLE_TLS_CA_FILE: "${PARENT_DIR}/x509gen/ca.pem"
         args: [*task-runner, evg-test-retry-kms-requests]
 
   run-fuzz-tests:
@@ -1532,10 +1530,6 @@ tasks:
           SSL: "nossl"
       - func: start-kms-failpoint-server
       - func: run-retry-kms-requests
-        vars:
-          TOPOLOGY: "server"
-          AUTH: "noauth"
-          SSL: "nossl"
 
   - name: "test-serverless"
     tags: ["serverless"]

internal/integration/client_side_encryption_prose_test.go

@@ -2988,8 +2988,16 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			mt.Skipf("Skipping test as KMS_FAILPOINT_SERVERS_RUNNING is not set")
 		}
 
-		tlsCfg := &tls.Config{
-			InsecureSkipVerify: true,
+		mt.Parallel()
+
+		var tlsCfg *tls.Config
+		if tlsCAFileKMIP != "" {
+			var err error
+			clientAndCATlsMap := map[string]interface{}{
+				"tlsCAFile": tlsCAFileKMIP,
+			}
+			tlsCfg, err = options.BuildTLSConfig(clientAndCATlsMap)
+			require.Nil(mt, err, "BuildTLSConfig error: %v", err)
 		}
 
 		setFailPoint := func(failure string, count int) error {
@@ -3012,39 +3020,69 @@ func TestClientSideEncryptionProse(t *testing.T) {
 			return res.Body.Close()
 		}
 
-		keyVaultClient, err := mongo.Connect(options.Client().ApplyURI(mtest.ClusterURI()))
-		require.NoError(mt, err, "error on Connect: %v", err)
-
-		ceo := options.ClientEncryption().
-			SetKeyVaultNamespace("keyvault.datakeys").
-			SetKmsProviders(fullKmsProvidersMap).
-			SetTLSConfig(map[string]*tls.Config{"aws": tlsCfg})
-		clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
-		require.NoError(mt, err, "error on NewClientEncryption: %v", err)
-
-		err = setFailPoint("network", 1)
-		require.NoError(mt, err, "mock server error: %v", err)
-
-		dkOpts := options.DataKey().SetMasterKey(
-			bson.D{
+		dataKeys := []struct {
+			provider  string
+			masterKey interface{}
+		}{
+			{"aws", bson.D{
 				{"region", "foo"},
 				{"key", "bar"},
 				{"endpoint", "127.0.0.1:9003"},
-			},
-		)
-		var keyID bson.Binary
-		keyID, err = clientEncryption.CreateDataKey(context.Background(), "aws", dkOpts)
-		require.NoError(mt, err, "error in CreateDataKey: %v", err)
+			}},
+			{"azure", bson.D{
+				{"keyVaultEndpoint", "127.0.0.1:9003"},
+				{"keyName", "foo"},
+			}},
+			{"gcp", bson.D{
+				{"projectId", "foo"},
+				{"location", "bar"},
+				{"keyRing", "baz"},
+				{"keyName", "qux"},
+				{"endpoint", "127.0.0.1:9003"},
+			}},
+		}
 
-		err = setFailPoint("network", 1)
-		require.NoError(mt, err, "mock server error: %v", err)
+		testCases := []struct {
+			name    string
+			failure string
+		}{
+			{"Case 1: createDataKey and encrypt with TCP retry", "network"},
+			{"Case 2: createDataKey and encrypt with HTTP retry", "http"},
+		}
 
-		testVal := bson.RawValue{Type: bson.TypeInt32, Value: bsoncore.AppendInt32(nil, 123)}
-		eo := options.Encrypt().
-			SetKeyID(keyID).
-			SetAlgorithm("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")
-		_, err = clientEncryption.Encrypt(context.Background(), testVal, eo)
-		assert.NoError(mt, err, "error in Encrypt: %v", err)
+		for _, tc := range testCases {
+			mt.Run(tc.name, func(mt *mtest.T) {
+				for _, dataKey := range dataKeys {
+					keyVaultClient, err := mongo.Connect(options.Client().ApplyURI(mtest.ClusterURI()))
+					require.NoError(mt, err, "error on Connect: %v", err)
+
+					ceo := options.ClientEncryption().
+						SetKeyVaultNamespace(kvNamespace).
+						SetKmsProviders(fullKmsProvidersMap).
+						SetTLSConfig(map[string]*tls.Config{dataKey.provider: tlsCfg})
+					clientEncryption, err := mongo.NewClientEncryption(keyVaultClient, ceo)
+					require.NoError(mt, err, "error on NewClientEncryption: %v", err)
+
+					err = setFailPoint(tc.failure, 1)
+					require.NoError(mt, err, "mock server error: %v", err)
+
+					dkOpts := options.DataKey().SetMasterKey(dataKey.masterKey)
+					var keyID bson.Binary
+					keyID, err = clientEncryption.CreateDataKey(context.Background(), dataKey.provider, dkOpts)
+					require.NoError(mt, err, "error in CreateDataKey: %v", err)
+
+					err = setFailPoint(tc.failure, 1)
+					require.NoError(mt, err, "mock server error: %v", err)
+
+					testVal := bson.RawValue{Type: bson.TypeInt32, Value: bsoncore.AppendInt32(nil, 123)}
+					eo := options.Encrypt().
+						SetKeyID(keyID).
+						SetAlgorithm("AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic")
+					_, err = clientEncryption.Encrypt(context.Background(), testVal, eo)
+					assert.NoError(mt, err, "error in Encrypt: %v", err)
+				}
+			})
+		}
 	})
 }