diff --git a/.evergreen/config.in.yml b/.evergreen/config.in.yml
index b60a72a9b13..a0eacfa2c30 100644
--- a/.evergreen/config.in.yml
+++ b/.evergreen/config.in.yml
@@ -411,13 +411,7 @@ functions:
 binary: bash
 working_dir: src
 env:
- PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 DRIVERS_TOOLS: ${DRIVERS_TOOLS}
- KRB5_KEYTAB: ${gssapi_auth_keytab_base64}
- KRB5_NEW_KEYTAB: ${gssapi_auth_new_keytab_base64}
- KRB5_PRINCIPAL: ${gssapi_auth_principal}
- MONGODB_URI: ${gssapi_auth_mongodb_uri}
- NODE_LTS_VERSION: ${NODE_LTS_VERSION}
 args:
 - .evergreen/run-kerberos-tests.sh
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index ac7b533a873..353cf83611b 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -360,13 +360,7 @@ functions:
 binary: bash
 working_dir: src
 env:
- PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 DRIVERS_TOOLS: ${DRIVERS_TOOLS}
- KRB5_KEYTAB: ${gssapi_auth_keytab_base64}
- KRB5_NEW_KEYTAB: ${gssapi_auth_new_keytab_base64}
- KRB5_PRINCIPAL: ${gssapi_auth_principal}
- MONGODB_URI: ${gssapi_auth_mongodb_uri}
- NODE_LTS_VERSION: ${NODE_LTS_VERSION}
 args:
 - .evergreen/run-kerberos-tests.sh
 run ldap tests:
diff --git a/.evergreen/run-kerberos-tests.sh b/.evergreen/run-kerberos-tests.sh
index 0a398956b9e..cd5bb02e238 100644
--- a/.evergreen/run-kerberos-tests.sh
+++ b/.evergreen/run-kerberos-tests.sh
@@ -1,9 +1,12 @@
 #!/bin/bash
-set -o errexit # Exit the script with error if any of the commands fail
+set -o errexit # Exit the script with error if any of the commands fail
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
+bash $DRIVERS_TOOLS/.evergreen/secrets_handling/setup-secrets.sh drivers/enterprise_auth
+source secrets-export.sh
+
 # set up keytab
 mkdir -p "$(pwd)/.evergreen"
 export KRB5_CONFIG="$(pwd)/.evergreen/krb5.conf.empty"
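Review bot: `PROJECT_DIRECTORY` and `NODE_LTS_VERSION` are removed from the `env:` block of `.evergreen/config.in.yml` together with the Kerberos values, but nothing visible in this commit supplies those two again. `run-kerberos-tests.sh` still sources `init-node-and-npm-env.sh`, which is not shown; if it reads either variable, the task may silently fall back to a default Node version or path. Worth confirming, or keeping `NODE_LTS_VERSION: ${NODE_LTS_VERSION}` under `env:`. The same applies to the identical hunk in `.evergreen/config.yml`.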
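Review bot: In `.evergreen/run-kerberos-tests.sh`, the added `source secrets-export.sh` loads the Kerberos secrets with no guarantee that tracing is off; if xtrace is inherited or turned on by the sourced `init-node-and-npm-env.sh` (not visible here), each assignment is echoed to the task log. I would add `set +o xtrace` before the `setup-secrets.sh` call; the same gap affects the keytab write in the next hunk, where `set +o verbose` is the only guard before `echo ${KEYTAB_BASE64_AES}`. `source` with a bare file name searches `PATH` before the current directory, so `source ./secrets-export.sh` is the safer spelling. The secrets file also appears to stay in the working directory, and the `.gitignore` hunk adds only `*keytab`, so it is worth confirming that `secrets-export.sh` is already ignored and removing it once sourced.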
@@ -11,14 +14,17 @@ echo "Writing keytab"
 # DON'T PRINT KEYTAB TO STDOUT
 set +o verbose
 if [[ "$OSTYPE" == "darwin"* ]]; then
- echo ${KRB5_NEW_KEYTAB} | base64 -D > "$(pwd)/.evergreen/drivers.keytab"
+ echo ${KEYTAB_BASE64_AES} | base64 -D >"$(pwd)/.evergreen/drivers.keytab"
 else
- echo ${KRB5_NEW_KEYTAB} | base64 -d > "$(pwd)/.evergreen/drivers.keytab"
+ echo ${KEYTAB_BASE64_AES} | base64 -d >"$(pwd)/.evergreen/drivers.keytab"
 fi
 echo "Running kdestroy"
 kdestroy -A
 echo "Running kinit"
-kinit -k -t "$(pwd)/.evergreen/drivers.keytab" -p ${KRB5_PRINCIPAL}
+kinit -k -t "$(pwd)/.evergreen/drivers.keytab" -p ${PRINCIPAL}
+
+USER=$(node -p "encodeURIComponent(process.env.PRINCIPAL)")
+export MONGODB_URI="mongodb://${USER}@${SASL_HOST}/${GSSAPI_DB}?authMechanism=GSSAPI"
 set -o xtrace
 npm install kerberos@2.0.1
diff --git a/.gitignore b/.gitignore
index 2070e0189c1..f04e671f84f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,3 +106,5 @@ expansions.sh
 .drivers-tools/
 crypt_shared.sh
+
+*keytab
diff --git a/test/manual/kerberos.test.ts b/test/manual/kerberos.test.ts
index 45d42543ac4..a78adc72060 100644
--- a/test/manual/kerberos.test.ts
+++ b/test/manual/kerberos.test.ts
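Review bot: `USER=$(node -p ...)` reuses the name of the standard login-name variable, which is normally already exported, so the percent-encoded principal replaces `$USER` for `npm install` and everything run afterwards; a dedicated name such as `ENCODED_PRINCIPAL` avoids that. The decoded keytab is written under the default umask and is not removed within this hunk, so on a shared build host it may be readable by other accounts; `umask 077` before the `if [[ "$OSTYPE" ...` block (or `chmod 600` on the file after it) plus a cleanup `trap` would close that. `SASL_HOST` and `GSSAPI_DB` are interpolated unchecked, so a missing secret yields a malformed `MONGODB_URI` instead of a failure; `: "${SASL_HOST:?}" "${GSSAPI_DB:?}"` before the `export` would stop early. Since `set -o xtrace` follows directly, later commands that expand these values will show up in the log; the rest of the script is outside the hunk.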
@@ -34,27 +34,14 @@ describe('Kerberos', function () {
 client = null;
 });
- if (process.env.MONGODB_URI == null) {
- console.error('skipping Kerberos tests, MONGODB_URI environment variable is not defined');
- return;
- }
- let krb5Uri = process.env.MONGODB_URI;
- const parts = krb5Uri.split('@', 2);
- const host = parts[1].split('/')[0];
+ const krb5Uri = process.env.MONGODB_URI;
+ const host = process.env.SASL_HOST;
- if (!process.env.KRB5_PRINCIPAL) {
- console.error('skipping Kerberos tests, KRB5_PRINCIPAL environment variable is not defined');
+ if (!process.env.PRINCIPAL) {
+ console.error('skipping Kerberos tests, PRINCIPAL environment variable is not defined');
 return;
 }
- if (process.platform === 'win32') {
- console.error('Win32 run detected');
- if (process.env.LDAPTEST_PASSWORD == null) {
- throw new Error('The env parameter LDAPTEST_PASSWORD must be set');
- }
- krb5Uri = `${parts[0]}:${process.env.LDAPTEST_PASSWORD}@${parts[1]}`;
- }
-
 it('should authenticate with original uri', async function () {
 client = new MongoClient(krb5Uri);
 await client.connect();
@@ -231,7 +218,9 @@ describe('Kerberos', function () {
 if (!expectedError) {
 expect.fail('Expected connect with invalid SERVICE_HOST to fail');
 }
- expect(expectedError.message).to.match(/GSS failure|UNKNOWN_SERVER/);
+ expect(expectedError.message).to.match(
+ /GSS failure|UNKNOWN_SERVER|Server not found in Kerberos database/
+ );
 });
 });
@@ -277,7 +266,7 @@ describe('Kerberos', function () {
 it('should fail to authenticate with bad credentials', async function () {
 client = new MongoClient(
- krb5Uri.replace(encodeURIComponent(process.env.KRB5_PRINCIPAL), 'bad%40creds.cc')
+ krb5Uri.replace(encodeURIComponent(process.env.PRINCIPAL), 'bad%40creds.cc')
 );
 const err = await client.connect().catch(e => e);
 expect(err.message).to.match(/Authentication failed/);
diff --git a/test/readme.md b/test/readme.md
index 81c2068bd2b..05f86c9febf 100644
--- a/test/readme.md
+++ b/test/readme.md
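Review bot: The guard that remains in the first hunk of `test/manual/kerberos.test.ts` checks only `PRINCIPAL`, while `krb5Uri` and `host` are now read from `MONGODB_URI` and `SASL_HOST` with no check at all. If either is unset, `new MongoClient(krb5Uri)` receives `undefined`, and `krb5Uri.replace(...)` in the bad-credentials test (last hunk) throws a TypeError instead of reporting a configuration problem. I would extend the condition to `if (!process.env.PRINCIPAL || !krb5Uri || !host) {`. Because this path only logs and returns, a run with missing secrets registers no tests and can still pass, so throwing when the variables are absent on a CI run would make a broken secrets setup visible.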
@@ -38,6 +38,7 @@ about the types of tests and how to run them.
 - [Launching an Atlas Cluster](#launching-an-atlas-cluster)
 - [Search Indexes](#search-indexes)
 - [Deployed Lambda Tests](#deployed-lambda-tests)
+ - [Kerberos Tests](#kerberos-tests)
 - [TODO Special Env Sections](#todo-special-env-sections)
 - [Testing driver changes with mongosh](#testing-driver-changes-with-mongosh)
 - [Point mongosh to the driver](#point-mongosh-to-the-driver)
@@ -614,9 +615,12 @@ The URI of the cluster is available in the `atlas-expansions.yml` file.
 TODO(NODE-6698): Update deployed lambda test section.
+### Kerberos Tests
+
+Run `.evergreen/run-kerberos-tests.sh`.
+
 ### TODO Special Env Sections
-- Kerberos
 - AWS Authentication
 - OCSP
 - TLS