From a3ed14290a53adf88afa3cc88ecf703d8caf01ca Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 3 Oct 2024 05:41:32 -0500 Subject: [PATCH 1/5] use ocsp helper scripts --- .evergreen/config.yml | 123 +++++++++++++++++------------------------- 1 file changed, 48 insertions(+), 75 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 14e3426b32..18079d4c4b 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -58,7 +58,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ ${DRIVERS_TOOLS} else - git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git ${DRIVERS_TOOLS} + git clone --branch ocsp-helpers https://github.com/blink1073/drivers-evergreen-tools.git ${DRIVERS_TOOLS} fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config @@ -651,63 +651,16 @@ functions: CA_FILE="${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem" \ OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \ bash ${PROJECT_DIRECTORY}/.evergreen/hatch.sh test:test-eg + bash ${DRIVERS_TOOLS}/.evergreen/ocsp/teardown.sh - run-valid-ocsp-server: - - command: shell.exec - params: - background: true - script: | - . src/.evergreen/scripts/env.sh - cd ${DRIVERS_TOOLS}/.evergreen/ocsp - . ./activate-ocspvenv.sh - python ocsp_mock.py \ - --ca_file ${OCSP_ALGORITHM}/ca.pem \ - --ocsp_responder_cert ${OCSP_ALGORITHM}/ca.crt \ - --ocsp_responder_key ${OCSP_ALGORITHM}/ca.key \ - -p 8100 -v - run-revoked-ocsp-server: - - command: shell.exec - params: - background: true - script: | - . src/.evergreen/scripts/env.sh - cd ${DRIVERS_TOOLS}/.evergreen/ocsp - . ./activate-ocspvenv.sh - python ocsp_mock.py \ - --ca_file ${OCSP_ALGORITHM}/ca.pem \ - --ocsp_responder_cert ${OCSP_ALGORITHM}/ca.crt \ - --ocsp_responder_key ${OCSP_ALGORITHM}/ca.key \ - -p 8100 \ - -v \ - --fault revoked - run-valid-delegate-ocsp-server: - - command: shell.exec - params: - background: true - script: | - . src/.evergreen/scripts/env.sh - cd ${DRIVERS_TOOLS}/.evergreen/ocsp - . ./activate-ocspvenv.sh - python ocsp_mock.py \ - --ca_file ${OCSP_ALGORITHM}/ca.pem \ - --ocsp_responder_cert ${OCSP_ALGORITHM}/ocsp-responder.crt \ - --ocsp_responder_key ${OCSP_ALGORITHM}/ocsp-responder.key \ - -p 8100 -v - run-revoked-delegate-ocsp-server: - - command: shell.exec + "run-ocsp-server": + - command: subprocess.exec params: background: true - script: | - . src/.evergreen/scripts/env.sh - cd ${DRIVERS_TOOLS}/.evergreen/ocsp - . ./activate-ocspvenv.sh - python ocsp_mock.py \ - --ca_file ${OCSP_ALGORITHM}/ca.pem \ - --ocsp_responder_cert ${OCSP_ALGORITHM}/ocsp-responder.crt \ - --ocsp_responder_key ${OCSP_ALGORITHM}/ocsp-responder.key \ - -p 8100 \ - -v \ - --fault revoked + binary: bash + include_expansions_in_env: [SERVER_TYPE, OCSP_ALGORITHM] + args: + - ${DRIVERS_TOOLS}/.evergreen/ocsp/setup.sh "run load-balancer": - command: shell.exec @@ -1387,9 +1340,10 @@ tasks: - name: test-ocsp-rsa-valid-cert-server-staples tags: ["ocsp", "ocsp-rsa", "ocsp-staple"] commands: - - func: run-valid-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: "valid" - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple.json" @@ -1401,9 +1355,10 @@ tasks: - name: test-ocsp-rsa-invalid-cert-server-staples tags: ["ocsp", "ocsp-rsa", "ocsp-staple"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: "revoked" - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple.json" @@ -1415,9 +1370,10 @@ tasks: - name: test-ocsp-rsa-valid-cert-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-valid-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: valid - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling.json" @@ -1429,9 +1385,10 @@ tasks: - name: test-ocsp-rsa-invalid-cert-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: revoked - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling.json" @@ -1454,9 +1411,10 @@ tasks: - name: test-ocsp-rsa-malicious-invalid-cert-mustStaple-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: revoked - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-disableStapling.json" @@ -1479,9 +1437,10 @@ tasks: - name: test-ocsp-rsa-delegate-valid-cert-server-staples tags: ["ocsp", "ocsp-rsa", "ocsp-staple"] commands: - - func: run-valid-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple.json" @@ -1493,9 +1452,10 @@ tasks: - name: test-ocsp-rsa-delegate-invalid-cert-server-staples tags: ["ocsp", "ocsp-rsa", "ocsp-staple"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: revoked-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple.json" @@ -1507,9 +1467,10 @@ tasks: - name: test-ocsp-rsa-delegate-valid-cert-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-valid-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling.json" @@ -1521,9 +1482,10 @@ tasks: - name: test-ocsp-rsa-delegate-invalid-cert-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: revoked-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-disableStapling.json" @@ -1535,9 +1497,10 @@ tasks: - name: test-ocsp-rsa-delegate-malicious-invalid-cert-mustStaple-server-does-not-staple tags: ["ocsp", "ocsp-rsa"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "rsa" + SERVER_TYPE: revoked-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "rsa-basic-tls-ocsp-mustStaple-disableStapling.json" @@ -1549,9 +1512,10 @@ tasks: - name: test-ocsp-ecdsa-valid-cert-server-staples tags: ["ocsp", "ocsp-ecdsa", "ocsp-staple"] commands: - - func: run-valid-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: valid - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1563,9 +1527,10 @@ tasks: - name: test-ocsp-ecdsa-invalid-cert-server-staples tags: ["ocsp", "ocsp-ecdsa", "ocsp-staple"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: revoked - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1577,9 +1542,10 @@ tasks: - name: test-ocsp-ecdsa-valid-cert-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-valid-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: valid - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" @@ -1591,9 +1557,10 @@ tasks: - name: test-ocsp-ecdsa-invalid-cert-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: revoked - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" @@ -1616,9 +1583,10 @@ tasks: - name: test-ocsp-ecdsa-malicious-invalid-cert-mustStaple-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-revoked-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: revoked - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json" @@ -1641,9 +1609,10 @@ tasks: - name: test-ocsp-ecdsa-delegate-valid-cert-server-staples tags: ["ocsp", "ocsp-ecdsa", "ocsp-staple"] commands: - - func: run-valid-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1655,9 +1624,10 @@ tasks: - name: test-ocsp-ecdsa-delegate-invalid-cert-server-staples tags: ["ocsp", "ocsp-ecdsa", "ocsp-staple"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1669,9 +1639,10 @@ tasks: - name: test-ocsp-ecdsa-delegate-valid-cert-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-valid-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" @@ -1683,9 +1654,10 @@ tasks: - name: test-ocsp-ecdsa-delegate-invalid-cert-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" @@ -1697,9 +1669,10 @@ tasks: - name: test-ocsp-ecdsa-delegate-malicious-invalid-cert-mustStaple-server-does-not-staple tags: ["ocsp", "ocsp-ecdsa"] commands: - - func: run-revoked-delegate-ocsp-server + - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" + SERVER_TYPE: delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json" From 60e122b3aefd1ebda447b8b16a3247d9f51eb224 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 3 Oct 2024 07:03:53 -0500 Subject: [PATCH 2/5] fix test --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 18079d4c4b..88f7d9189f 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -1657,7 +1657,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: delegate + SERVER_TYPE: revoked-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" From 3551d798c62f25964d170c6386de18600eff3378 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 3 Oct 2024 10:26:50 -0500 Subject: [PATCH 3/5] fix tests --- .evergreen/config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 88f7d9189f..bb0ccb7cdb 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -1612,7 +1612,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: delegate + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1627,7 +1627,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: delegate + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" @@ -1642,7 +1642,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: delegate + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-disableStapling.json" @@ -1672,7 +1672,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: delegate + SERVER_TYPE: valid-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json" From 04fd05a196d1cf6f1180bb6ca466f756586100f5 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 3 Oct 2024 10:48:39 -0500 Subject: [PATCH 4/5] fix tests --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index bb0ccb7cdb..32ffe4c0f4 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -1627,7 +1627,7 @@ tasks: - func: run-ocsp-server vars: OCSP_ALGORITHM: "ecdsa" - SERVER_TYPE: valid-delegate + SERVER_TYPE: revoked-delegate - func: "bootstrap mongo-orchestration" vars: ORCHESTRATION_FILE: "ecdsa-basic-tls-ocsp-mustStaple.json" From f6ae2f1888eb0d96e786aa3e4ce1b911bdb1515b Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 8 Oct 2024 19:18:30 -0500 Subject: [PATCH 5/5] use upstream --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 32ffe4c0f4..531fa5f2be 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -58,7 +58,7 @@ functions: # If this was a patch build, doing a fresh clone would not actually test the patch cp -R ${PROJECT_DIRECTORY}/ ${DRIVERS_TOOLS} else - git clone --branch ocsp-helpers https://github.com/blink1073/drivers-evergreen-tools.git ${DRIVERS_TOOLS} + git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git ${DRIVERS_TOOLS} fi echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" > $MONGO_ORCHESTRATION_HOME/orchestration.config