RUST-359 Implement MONGODB-AWS auth support (#202)

Author: saghm

.evergreen/aws-ecs-test/.gitignore

@@ -0,0 +1,2 @@
+Cargo.lock
+target

.evergreen/aws-ecs-test/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "aws-ecs-test"
+version = "0.1.0"
+authors = ["Saghm Rossi <[email protected]>"]
+edition = "2018"
+
+[dependencies]
+tokio = "0.2.21"
+
+[dependencies.mongodb]
+path = "../.."

.evergreen/aws-ecs-test/src/main.rs

@@ -0,0 +1,14 @@
+use mongodb::Client;
+
+#[tokio::main]
+async fn main() {
+    let uri = std::env::var("MONGODB_URI").expect("no URI given!");
+    let client = Client::with_uri_str(&uri).await.unwrap();
+    
+    client
+        .database("aws")
+        .collection("somecoll")
+        .find_one(None, None)
+        .await
+        .unwrap();
+}

.evergreen/config.yml

@@ -76,7 +76,7 @@ functions:
               export TMPDIR="$MONGO_ORCHESTRATION_HOME/db"
               export PATH="$MONGODB_BINARIES:$PATH"
               export PROJECT="${project}"
-              
+
               export AUTH=${AUTH}
               export SSL=${SSL}
               export TOPOLOGY=${TOPOLOGY}
@@ -90,6 +90,194 @@ functions:
       params:
         file: src/expansion.yml
 
+  "add aws auth variables to file":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          cat <<EOF > ${DRIVERS_TOOLS}/.evergreen/auth_aws/aws_e2e_setup.json
+          {
+              "iam_auth_ecs_account" : "${iam_auth_ecs_account}",
+              "iam_auth_ecs_secret_access_key" : "${iam_auth_ecs_secret_access_key}",
+              "iam_auth_ecs_account_arn": "arn:aws:iam::557821124784:user/authtest_fargate_user",
+              "iam_auth_ecs_cluster": "${iam_auth_ecs_cluster}",
+              "iam_auth_ecs_task_definition": "${iam_auth_ecs_task_definition}",
+              "iam_auth_ecs_subnet_a": "${iam_auth_ecs_subnet_a}",
+              "iam_auth_ecs_subnet_b": "${iam_auth_ecs_subnet_b}",
+              "iam_auth_ecs_security_group": "${iam_auth_ecs_security_group}",
+              "iam_auth_assume_aws_account" : "${iam_auth_assume_aws_account}",
+              "iam_auth_assume_aws_secret_access_key" : "${iam_auth_assume_aws_secret_access_key}",
+              "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
+              "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
+              "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
+              "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
+          }
+          EOF
+
+  "run aws auth test with regular aws credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          # The aws_e2e_assume_role script requires python3 with boto3.
+          pip install boto3
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_regular_aws.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            alias urlencode='python -c "import sys, urllib as ul; sys.stdout.write(ul.quote_plus(sys.argv[1]))"'
+            USER=$(urlencode ${iam_auth_ecs_account})
+            PASS=$(urlencode ${iam_auth_ecs_secret_access_key})
+            MONGODB_URI="mongodb://$USER:$PASS@localhost"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} .evergreen/run-aws-tests.sh
+
+  "run aws auth test with assume role credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          # The aws_e2e_assume_role script requires python3 with boto3.
+          pip install boto3
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_assume_role.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+              alias urlencode='python -c "import sys, urllib as ul; sys.stdout.write(ul.quote_plus(sys.argv[1]))"'
+              alias jsonkey='python -c "import json,sys;sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])" < ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json'
+              USER=$(jsonkey AccessKeyId)
+              USER=$(urlencode $USER)
+              PASS=$(jsonkey SecretAccessKey)
+              PASS=$(urlencode $PASS)
+              SESSION_TOKEN=$(jsonkey SessionToken)
+              SESSION_TOKEN=$(urlencode $SESSION_TOKEN)
+              MONGODB_URI="mongodb://$USER:$PASS@localhost"
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} .evergreen/run-aws-tests.sh
+
+  "run aws auth test with aws EC2 credentials":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/auth_aws
+          mongo aws_e2e_ec2.js
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} .evergreen/run-aws-tests.sh
+
+  "run aws auth test with aws credentials as environment variables":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            export AWS_ACCESS_KEY_ID=${iam_auth_ecs_account}
+            export AWS_SECRET_ACCESS_KEY=${iam_auth_ecs_secret_access_key}
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} .evergreen/run-aws-tests.sh
+
+  "run aws auth test with aws credentials and session token as environment variables":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        silent: true
+        script: |
+          # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
+          cat <<'EOF' > "${PROJECT_DIRECTORY}/prepare_mongodb_aws.sh"
+            alias jsonkey='python -c "import json,sys;sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])" < ${DRIVERS_TOOLS}/.evergreen/auth_aws/creds.json'
+            export AWS_ACCESS_KEY_ID=$(jsonkey AccessKeyId)
+            export AWS_SECRET_ACCESS_KEY=$(jsonkey SecretAccessKey)
+            export AWS_SESSION_TOKEN=$(jsonkey SessionToken)
+          EOF
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          ASYNC_RUNTIME=${ASYNC_RUNTIME} .evergreen/run-aws-tests.sh
+
+  "run aws ECS auth test":
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          AUTH_AWS_DIR=${DRIVERS_TOOLS}/.evergreen/auth_aws
+          ECS_SRC_DIR=$AUTH_AWS_DIR/src
+
+          mkdir -p $ECS_SRC_DIR/.evergreen
+          
+          # fix issue with `TestData` in SERVER-46340
+          sed -i '1s+^+TestData = {};\n+' $AUTH_AWS_DIR/lib/ecs_hosted_test.js
+
+          # compile mini test project
+          cd $PROJECT_DIRECTORY/.evergreen/aws-ecs-test
+          . ~/.cargo/env
+          cargo build
+          cd -
+
+          # copy mini test binary
+          cp $PROJECT_DIRECTORY/.evergreen/run-mongodb-aws-ecs-test.sh $ECS_SRC_DIR/.evergreen
+          cp $PROJECT_DIRECTORY/.evergreen/aws-ecs-test/target/debug/aws-ecs-test $ECS_SRC_DIR
+
+          cd $AUTH_AWS_DIR
+          cat <<EOF > setup.js
+            const mongo_binaries = "$MONGODB_BINARIES";
+            const project_dir = "$ECS_SRC_DIR";
+          EOF
+
+          cat setup.js
+          mongo --nodb setup.js aws_e2e_ecs.js
+            
   "prepare resources":
     - command: shell.exec
       params:
@@ -112,7 +300,12 @@ functions:
       params:
         script: |
           ${PREPARE_SHELL}
-          MONGODB_VERSION=${MONGODB_VERSION} TOPOLOGY=${TOPOLOGY} AUTH=${AUTH} SSL=${SSL} sh ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh
+          ORCHESTRATION_FILE=${ORCHESTRATION_FILE} \
+            MONGODB_VERSION=${MONGODB_VERSION} \
+            TOPOLOGY=${TOPOLOGY} \
+            AUTH=${AUTH} \
+            SSL=${SSL} \
+            sh ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh
     # run-orchestration generates expansion file with the MONGODB_URI for the cluster
     - command: expansions.update
       params:
@@ -141,7 +334,7 @@ functions:
         working_dir: "src"
         script: |
           # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
-          export MONGO_ATLAS_TESTS=1 
+          export MONGO_ATLAS_TESTS=1
           export MONGO_ATLAS_FREE_TIER_REPL_URI='${MONGO_ATLAS_FREE_TIER_REPL_URI}'
           export MONGO_ATLAS_FREE_TIER_REPL_URI_SRV='${MONGO_ATLAS_FREE_TIER_REPL_URI_SRV}'
           ASYNC_RUNTIME=${ASYNC_RUNTIME} .evergreen/run-atlas-tests.sh
@@ -313,7 +506,7 @@ tasks:
           MONGODB_VERSION: "4.0"
           TOPOLOGY: "sharded_cluster"
       - func: "run tests"
-          
+
   - name: "test-4.2-standalone"
     tags: ["4.2", "standalone"]
     commands:
@@ -341,6 +534,51 @@ tasks:
           TOPOLOGY: "sharded_cluster"
       - func: "run tests"
 
+  - name: "test-4.4-standalone"
+    tags: ["4.4", "standalone"]
+    commands:
+      - func: "bootstrap mongo-orchestration"
+        vars:
+          MONGODB_VERSION: "4.4"
+          TOPOLOGY: "server"
+      - func: "run tests"
+
+  - name: "test-4.4-replica_set"
+    tags: ["4.4", "replica_set"]
+    commands:
+      - func: "bootstrap mongo-orchestration"
+        vars:
+          MONGODB_VERSION: "4.4"
+          TOPOLOGY: "replica_set"
+      - func: "run tests"
+
+  - name: "test-4.4-sharded_cluster"
+    tags: ["4.4", "sharded_cluster"]
+    commands:
+      - func: "bootstrap mongo-orchestration"
+        vars:
+          MONGODB_VERSION: "4.4"
+          TOPOLOGY: "sharded_cluster"
+      - func: "run tests"
+
+  - name: "test-4.4-aws-auth"
+    # "4.4" explicitly left off to keep this out of the generic matrix
+    tags: ["aws-auth"]
+    commands:
+      - func: "bootstrap mongo-orchestration"
+        vars:
+          ORCHESTRATION_FILE: "auth-aws.json"
+          MONGODB_VERSION: "4.4"
+          AUTH: "auth"
+          TOPOLOGY: "server"
+      - func: "add aws auth variables to file"
+      - func: "run aws auth test with regular aws credentials"
+      - func: "run aws auth test with assume role credentials"
+      - func: "run aws auth test with aws credentials as environment variables"
+      - func: "run aws auth test with aws credentials and session token as environment variables"
+      - func: "run aws auth test with aws EC2 credentials"
+      - func: "run aws ECS auth test"
+
   - name: "test-latest-standalone"
     tags: ["latest", "standalone"]
     commands:
@@ -368,6 +606,24 @@ tasks:
           TOPOLOGY: "sharded_cluster"
       - func: "run tests"
 
+  - name: "test-latest-aws-auth"
+    # "latest" explicitly left off to keep this out of the generic matrix
+    tags: ["aws-auth"]
+    commands:
+      - func: "bootstrap mongo-orchestration"
+        vars:
+          ORCHESTRATION_FILE: "auth-aws.json"
+          MONGODB_VERSION: "latest"
+          AUTH: "auth"
+          TOPOLOGY: "server"
+      - func: "add aws auth variables to file"
+      - func: "run aws auth test with regular aws credentials"
+      - func: "run aws auth test with assume role credentials"
+      - func: "run aws auth test with aws credentials as environment variables"
+      - func: "run aws auth test with aws credentials and session token as environment variables"
+      - func: "run aws auth test with aws EC2 credentials"
+      - func: "run aws ECS auth test"
+
   - name: "test-atlas-connectivity"
     tags: ["atlas-connect"]
     commands:
@@ -453,6 +709,9 @@ axes:
   - id: "os"
     display_name: OS
     values:
+      - id: ubuntu-18.04
+        display_name: "Ubuntu 18.04"
+        run_on: ubuntu1804-test
       - id: ubuntu-16.04
         display_name: "Ubuntu 16.04"
         run_on: ubuntu1604-test
@@ -469,12 +728,15 @@ buildvariants:
 -
   matrix_name: "tests"
   matrix_spec:
-    os: "*"
+    os:
+      - ubuntu-16.04
+      - macos-10.14
     auth-and-tls: "*"
     async-runtime: "*"
   display_name: "${os} ${auth-and-tls} with ${async-runtime}"
   tasks:
      - ".latest"
+     - ".4.4"
      - ".4.2"
      - ".4.0"
      - ".3.6"
@@ -487,6 +749,14 @@ buildvariants:
   display_name: "Atlas Connectivity ${os} with ${async-runtime}"
   tasks:
     - ".atlas-connect"
+- matrix_name: "aws-auth"
+  matrix_spec:
+    os:
+      - ubuntu-18.04
+    async-runtime: "tokio"
+  display_name: "AWS Auth ${os} with ${async-runtime}"
+  tasks:
+    - ".aws-auth"
 
 -
   name: "lint"