ci(NODE-6694): kerberos tests use secrets manager (#4396)

Author: baileympearson

.evergreen/config.in.yml

@@ -411,13 +411,7 @@ functions:
         binary: bash
         working_dir: src
         env:
-          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
-          KRB5_KEYTAB: ${gssapi_auth_keytab_base64}
-          KRB5_NEW_KEYTAB: ${gssapi_auth_new_keytab_base64}
-          KRB5_PRINCIPAL: ${gssapi_auth_principal}
-          MONGODB_URI: ${gssapi_auth_mongodb_uri}
-          NODE_LTS_VERSION: ${NODE_LTS_VERSION}
         args:
           - .evergreen/run-kerberos-tests.sh
 

.evergreen/config.yml

@@ -360,13 +360,7 @@ functions:
         binary: bash
         working_dir: src
         env:
-          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
-          KRB5_KEYTAB: ${gssapi_auth_keytab_base64}
-          KRB5_NEW_KEYTAB: ${gssapi_auth_new_keytab_base64}
-          KRB5_PRINCIPAL: ${gssapi_auth_principal}
-          MONGODB_URI: ${gssapi_auth_mongodb_uri}
-          NODE_LTS_VERSION: ${NODE_LTS_VERSION}
         args:
           - .evergreen/run-kerberos-tests.sh
   run ldap tests:

.evergreen/run-kerberos-tests.sh

@@ -1,24 +1,30 @@
 #!/bin/bash
 
-set -o errexit  # Exit the script with error if any of the commands fail
+set -o errexit # Exit the script with error if any of the commands fail
 
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
 
+bash $DRIVERS_TOOLS/.evergreen/secrets_handling/setup-secrets.sh drivers/enterprise_auth
+source secrets-export.sh
+
 # set up keytab
 mkdir -p "$(pwd)/.evergreen"
 export KRB5_CONFIG="$(pwd)/.evergreen/krb5.conf.empty"
 echo "Writing keytab"
 # DON'T PRINT KEYTAB TO STDOUT
 set +o verbose
 if [[ "$OSTYPE" == "darwin"* ]]; then
-    echo ${KRB5_NEW_KEYTAB} | base64 -D > "$(pwd)/.evergreen/drivers.keytab"
+    echo ${KEYTAB_BASE64_AES} | base64 -D >"$(pwd)/.evergreen/drivers.keytab"
 else
-    echo ${KRB5_NEW_KEYTAB} | base64 -d > "$(pwd)/.evergreen/drivers.keytab"
+    echo ${KEYTAB_BASE64_AES} | base64 -d >"$(pwd)/.evergreen/drivers.keytab"
 fi
 echo "Running kdestroy"
 kdestroy -A
 echo "Running kinit"
-kinit -k -t "$(pwd)/.evergreen/drivers.keytab" -p ${KRB5_PRINCIPAL}
+kinit -k -t "$(pwd)/.evergreen/drivers.keytab" -p ${PRINCIPAL}
+
+USER=$(node -p "encodeURIComponent(process.env.PRINCIPAL)")
+export MONGODB_URI="mongodb://${USER}@${SASL_HOST}/${GSSAPI_DB}?authMechanism=GSSAPI"
 
 set -o xtrace
 npm install [email protected]

.gitignore

@@ -106,3 +106,5 @@ expansions.sh
 .drivers-tools/
 
 crypt_shared.sh
+
+*keytab

test/manual/kerberos.test.ts

@@ -34,27 +34,14 @@ describe('Kerberos', function () {
     client = null;
   });
 
-  if (process.env.MONGODB_URI == null) {
-    console.error('skipping Kerberos tests, MONGODB_URI environment variable is not defined');
-    return;
-  }
-  let krb5Uri = process.env.MONGODB_URI;
-  const parts = krb5Uri.split('@', 2);
-  const host = parts[1].split('/')[0];
+  const krb5Uri = process.env.MONGODB_URI;
+  const host = process.env.SASL_HOST;
 
-  if (!process.env.KRB5_PRINCIPAL) {
-    console.error('skipping Kerberos tests, KRB5_PRINCIPAL environment variable is not defined');
+  if (!process.env.PRINCIPAL) {
+    console.error('skipping Kerberos tests, PRINCIPAL environment variable is not defined');
     return;
   }
 
-  if (process.platform === 'win32') {
-    console.error('Win32 run detected');
-    if (process.env.LDAPTEST_PASSWORD == null) {
-      throw new Error('The env parameter LDAPTEST_PASSWORD must be set');
-    }
-    krb5Uri = `${parts[0]}:${process.env.LDAPTEST_PASSWORD}@${parts[1]}`;
-  }
-
   it('should authenticate with original uri', async function () {
     client = new MongoClient(krb5Uri);
     await client.connect();
@@ -231,7 +218,9 @@ describe('Kerberos', function () {
         if (!expectedError) {
           expect.fail('Expected connect with invalid SERVICE_HOST to fail');
         }
-        expect(expectedError.message).to.match(/GSS failure|UNKNOWN_SERVER/);
+        expect(expectedError.message).to.match(
+          /GSS failure|UNKNOWN_SERVER|Server not found in Kerberos database/
+        );
       });
     });
 
@@ -277,7 +266,7 @@ describe('Kerberos', function () {
 
   it('should fail to authenticate with bad credentials', async function () {
     client = new MongoClient(
-      krb5Uri.replace(encodeURIComponent(process.env.KRB5_PRINCIPAL), 'bad%40creds.cc')
+      krb5Uri.replace(encodeURIComponent(process.env.PRINCIPAL), 'bad%40creds.cc')
     );
     const err = await client.connect().catch(e => e);
     expect(err.message).to.match(/Authentication failed/);

test/readme.md

@@ -38,6 +38,7 @@ about the types of tests and how to run them.
       - [Launching an Atlas Cluster](#launching-an-atlas-cluster)
       - [Search Indexes](#search-indexes)
       - [Deployed Lambda Tests](#deployed-lambda-tests)
+    - [Kerberos Tests](#kerberos-tests)
     - [TODO Special Env Sections](#todo-special-env-sections)
   - [Testing driver changes with mongosh](#testing-driver-changes-with-mongosh)
     - [Point mongosh to the driver](#point-mongosh-to-the-driver)
@@ -614,9 +615,12 @@ The URI of the cluster is available in the `atlas-expansions.yml` file.
 
 TODO(NODE-6698): Update deployed lambda test section.
 
+### Kerberos Tests
+
+Run `.evergreen/run-kerberos-tests.sh`.
+
 ### TODO Special Env Sections
 
-- Kerberos
 - AWS Authentication
 - TLS
 - Atlas Data Lake