PYTHON-2034 Support MONGODB-AWS authentication mechanism

Use botocore to perform the manual Signature Version 4 Signing Process.
Test MONGODB-AWS in Evergreen.
Properly unquote URI option values in authMechanismProperties and
readPreferenceTags.

Author: ShaneHarvey

.evergreen/config.yml

@@ -429,6 +429,172 @@ functions:
           # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
           PYTHON_BINARY=${PYTHON_BINARY} ATLAS_REPL='${atlas_repl}' ATLAS_SHRD='${atlas_shrd}' ATLAS_FREE='${atlas_free}' ATLAS_TLS11='${atlas_tls11}' ATLAS_TLS12='${atlas_tls12}'  sh ${PROJECT_DIRECTORY}/.evergreen/run-atlas-tests.sh
 
+  "add aws auth variables to file":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          cat <<EOF > ${DRIVERS_TOOLS}/.evergreen/auth_aws/aws_e2e_setup.json
+          {
+              "iam_auth_ecs_account" : "${iam_auth_ecs_account}",
+              "iam_auth_ecs_secret_access_key" : "${iam_auth_ecs_secret_access_key}",
+              "iam_auth_ecs_account_arn": "arn:aws:iam::557821124784:user/authtest_fargate_user",
+              "iam_auth_ecs_cluster": "${iam_auth_ecs_cluster}",
+              "iam_auth_ecs_task_definition": "${iam_auth_ecs_task_definition}",
+              "iam_auth_ecs_subnet_a": "${iam_auth_ecs_subnet_a}",
+              "iam_auth_ecs_subnet_b": "${iam_auth_ecs_subnet_b}",
+              "iam_auth_ecs_security_group": "${iam_auth_ecs_security_group}",
+
+              "iam_auth_assume_aws_account" : "${iam_auth_assume_aws_account}",
+              "iam_auth_assume_aws_secret_access_key" : "${iam_auth_assume_aws_secret_access_key}",
+              "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
+
+              "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
+              "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
+              "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
+          }
+          EOF
+
+  "run aws auth test with regular aws credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_regular_aws.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            alias urlencode='python -c "import sys, urllib as ul; print ul.quote_plus(sys.argv[1])"'
+            USER=$(urlencode ${iam_auth_ecs_account})
+            PASS=$(urlencode ${iam_auth_ecs_secret_access_key})
+            MONGODB_URI="mongodb://$USER:$PASS@localhost"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/run-mongodb-aws-test.sh
+
+  "run aws auth test with assume role credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_assume_role.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            alias urlencode='python -c "import sys, urllib as ul; print ul.quote_plus(sys.argv[1])"'
+            USER=$(jq -r '.AccessKeyId' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+            USER=$(urlencode $USER)
+            PASS=$(jq -r '.SecretAccessKey' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+            PASS=$(urlencode $PASS)
+            SESSION_TOKEN=$(jq -r '.SessionToken' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+            SESSION_TOKEN=$(urlencode $SESSION_TOKEN)
+            MONGODB_URI="mongodb://$USER:$PASS@localhost"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/run-mongodb-aws-test.sh
+
+  "run aws auth test with aws EC2 credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_ec2.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/run-mongodb-aws-test.sh
+
+  "run aws auth test with aws credentials as environment variables":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            export AWS_ACCESS_KEY_ID=${iam_auth_ecs_account}
+            export AWS_SECRET_ACCESS_KEY=${iam_auth_ecs_secret_access_key}
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          PROJECT_DIRECTORY=${PROJECT_DIRECTORY} .evergreen/run-mongodb-aws-test.sh
+
+  "run aws auth test with aws credentials and session token as environment variables":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            export AWS_ACCESS_KEY_ID=$(jq -r '.AccessKeyId' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+            export AWS_SECRET_ACCESS_KEY=$(jq -r '.SecretAccessKey' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+            export AWS_SESSION_TOKEN=$(jq -r '.SessionToken' ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json)
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/run-mongodb-aws-test.sh
+
+  "run aws ECS auth test":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+
+          cat <<EOF > setup.js
+          const mongo_binaries = "$MONGODB_BINARIES";
+          const project_dir = "$PROJECT_DIRECTORY";
+          EOF
+
+          mongo --nodb setup.js aws_e2e_ecs.js
+          cd -
+
   "cleanup":
     - command: shell.exec
       params:
@@ -968,6 +1134,22 @@ tasks:
           vars:
             OCSP_TLS_SHOULD_SUCCEED: "0"
 
+    - name: "aws-auth-test"
+      commands:
+        - func: "bootstrap mongo-orchestration"
+          vars:
+            AUTH: "auth"
+            # TODO: SSL??
+            ORCHESTRATION_FILE: "auth-aws.json"
+            TOPOLOGY: "server"
+        - func: "add aws auth variables to file"
+        - func: "run aws auth test with regular aws credentials"
+        - func: "run aws auth test with assume role credentials"
+        - func: "run aws auth test with aws credentials as environment variables"
+        - func: "run aws auth test with aws credentials and session token as environment variables"
+        - func: "run aws auth test with aws EC2 credentials"
+        - func: "run aws ECS auth test"
+
 # }}}
     - name: "coverage-report"
       tags: ["coverage"]
@@ -1064,6 +1246,10 @@ axes:
         batchtime: 10080  # 7 days
         variables:
           libmongocrypt_url: https://s3.amazonaws.com/mciuploads/libmongocrypt/ubuntu1604/master/latest/libmongocrypt.tar.gz
+      - id: ubuntu-18.04
+        display_name: "Ubuntu 18.04"
+        run_on: ubuntu1804-test
+        batchtime: 10080  # 7 days
       - id: ubuntu1604-arm64-small
         display_name: "Ubuntu 16.04 (ARM64)"
         run_on: ubuntu1604-arm64-small
@@ -1920,6 +2106,14 @@ buildvariants:
   tasks:
     - name: ".ocsp"
 
+- matrix_name: "aws-auth-test"
+  matrix_spec:
+    platform: ubuntu-18.04
+  display_name: "MONGODB-AWS Auth test"
+  run_on: ubuntu1804-test
+  tasks:
+    - name: "aws-auth-test"
+
       # Platform notes
       # i386 builds of OpenSSL or Cyrus SASL are not available
       # Ubuntu16.04 ppc64le is only supported by MongoDB 3.4+

.evergreen/run-mongodb-aws-ecs-test.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Don't trace since the URI contains a password that shouldn't show up in the logs
+set -o errexit  # Exit the script with error if any of the commands fail
+
+############################################
+#            Main Program                  #
+############################################
+
+if [[ -z "$1" ]]; then
+    echo "usage: $0 <MONGODB_URI>"
+    exit 1
+fi
+export MONGODB_URI="$1"
+
+if echo "$MONGODB_URI" | grep -q "@"; then
+  echo "MONGODB_URI unexpectedly contains user credentials in ECS test!";
+  exit 1
+fi
+# Now we can safely enable xtrace
+set -o xtrace
+
+if command -v virtualenv ; then
+    VIRTUALENV=$(command -v virtualenv)
+else
+    echo "Installing virtualenv..."
+    apt install python3-pip -y
+    pip3 install --user virtualenv
+    VIRTUALENV='python3 -m virtualenv'
+fi
+
+authtest () {
+    echo "Running MONGODB-AWS ECS authentication tests with $PYTHON"
+    $PYTHON --version
+
+    $VIRTUALENV -p $PYTHON --system-site-packages --never-download venvaws
+    . venvaws/bin/activate
+    pip install requests botocore
+
+    cd src
+    python test/auth_aws/test_auth_aws.py
+    cd -
+    deactivate
+    rm -rf venvaws
+}
+
+PYTHON=$(command -v python) authtest
+PYTHON=$(command -v python3) authtest

.evergreen/run-mongodb-aws-test.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -o xtrace
+set -o errexit  # Exit the script with error if any of the commands fail
+
+############################################
+#            Main Program                  #
+############################################
+
+echo "Running MONGODB-AWS authentication tests"
+# ensure no secrets are printed in log files
+set +x
+
+# load the script
+shopt -s expand_aliases # needed for `urlencode` alias
+[ -s "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh" ] && source "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+
+MONGODB_URI=${MONGODB_URI:-"mongodb://localhost"}
+MONGODB_URI="${MONGODB_URI}/aws?authMechanism=MONGODB-AWS"
+if [[ -n ${SESSION_TOKEN} ]]; then
+    MONGODB_URI="${MONGODB_URI}&authMechanismProperties=AWS_SESSION_TOKEN:${SESSION_TOKEN}"
+fi
+
+export MONGODB_URI="$MONGODB_URI"
+
+# show test output
+set -x
+
+VIRTUALENV=$(command -v virtualenv)
+
+authtest () {
+    echo "Running MONGODB-AWS authentication tests with $PYTHON"
+    $PYTHON --version
+
+    $VIRTUALENV -p $PYTHON --system-site-packages --never-download venvaws
+    . venvaws/bin/activate
+    pip install requests botocore
+
+    python test/auth_aws/test_auth_aws.py
+    deactivate
+    rm -rf venvaws
+}
+
+PYTHON=$(command -v python) authtest
+PYTHON=$(command -v python3) authtest

README.rst

@@ -99,6 +99,12 @@ dependency can be installed automatically along with PyMongo::
 
   $ python -m pip install pymongo[gssapi]
 
+MONGODB-AWS authentication requires `botocore
+<https://pypi.org/project/botocore/>`_ and `requests
+<https://pypi.org/project/requests/>`_::
+
+  $ python -m pip install pymongo[aws]
+
 Support for mongodb+srv:// URIs requires `dnspython
 <https://pypi.python.org/pypi/dnspython>`_::
 
@@ -116,7 +122,7 @@ PyMongo::
 .. note:: Users of Python versions older than 2.7.9 will also
   receive the dependencies for OCSP when using the tls extra.
 
-:ref:`OCSP` requires `PyOpenSSL
+OCSP (Online Certificate Status Protocol) requires `PyOpenSSL
 <https://pypi.org/project/pyOpenSSL/>`_, `requests
 <https://pypi.org/project/requests/>`_ and `service_identity
 <https://pypi.org/project/service_identity/>`_::
@@ -133,10 +139,15 @@ Wire protocol compression with zstandard requires `zstandard
 
   $ python -m pip install pymongo[zstd]
 
+Client-Side Field Level Encryption requires `pymongocrypt
+<https://pypi.org/project/pymongocrypt/>`_::
+
+  $ python -m pip install pymongo[encryption]
+
 You can install all dependencies automatically with the following
 command::
 
-  $ python -m pip install pymongo[gssapi,ocsp,snappy,srv,tls,zstd]
+  $ python -m pip install pymongo[gssapi,aws,ocsp,snappy,srv,tls,zstd,encryption]
 
 Other optional packages:
 

doc/changelog.rst

@@ -6,16 +6,17 @@ Changes in Version 3.11.0
 
 Version 3.11 adds support for MongoDB 4.4. Highlights include:
 
-- Added the ``allow_disk_use`` parameters to
-  :meth:`pymongo.collection.Collection.find`.
 - Support for :ref:`OCSP` (Online Certificate Status Protocol)
 - Support for `PyOpenSSL <https://pypi.org/project/pyOpenSSL/>`_ as an
   alternative TLS implementation. PyOpenSSL is required for :ref:`OCSP`
   support. It will also be installed when using the "tls" extra if the
   version of Python in use is older than 2.7.9.
+- Support for the :ref:`MONGODB-AWS` authentication mechanism.
 - Added the ``background`` parameter to
   :meth:`pymongo.database.Database.validate_collection`. For a description
   of this parameter see the MongoDB documentation for the `validate command`_.
+- Added the ``allow_disk_use`` parameters to
+  :meth:`pymongo.collection.Collection.find`.
 
 .. _validate command: https://docs.mongodb.com/manual/reference/command/validate/