feat(NODE-5077): automatic Azure kms credential refresh (#3599)

mongodb · Mar 21, 2023 · 8e87e5c · 8e87e5c
1 parent a41846d
commit 8e87e5c
Show file tree

Hide file tree

Showing 16 changed files with 512 additions and 14 deletions.
diff --git a/.evergreen/config.in.yml b/.evergreen/config.in.yml
@@ -94,6 +94,15 @@ functions:
           - .evergreen/run-kms-servers.sh
         env:
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+    - command: subprocess.exec
+      params:
+        background: true
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/run-azure-kms-mock-server.sh
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
 
   "bootstrap oidc":
     - command: ec2.assume_role
@@ -1136,6 +1145,46 @@ tasks:
           args:
             - src/.evergreen/run-gcp-kms-tests.sh
 
+
+  - name: "test-azurekms-task"
+    commands:
+      - func: "install dependencies"
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - src/.evergreen/copy-driver-to-azure.sh
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          add_expansions_to_env: true
+          env:
+            AZUREKMS_CMD: "env EXPECTED_AZUREKMS_OUTCOME=success bash src/.evergreen/run-azure-kms-tests.sh"
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/run-command.sh
+
+  - name: "test-azurekms-fail-task"
+    commands:
+      - func: "install dependencies"
+      - func: bootstrap mongo-orchestration
+        vars:
+          VERSION: latest
+          TOPOLOGY: server
+          AUTH: noauth
+      - command: subprocess.exec
+        type: test
+        params:
+          binary: bash
+          env:
+            EXPECTED_AZUREKMS_OUTCOME: "failure"
+          args:
+            - src/.evergreen/run-azure-kms-tests.sh
+
+
 task_groups:
   - name: serverless_task_group
     setup_group_can_fail_task: true
@@ -1208,6 +1257,33 @@ task_groups:
     tasks:
       - test-gcpkms-task
 
+  - name: test_azurekms_task_group
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800 # 30 minutes
+    setup_group:
+      - func: fetch source
+      - command: subprocess.exec
+        params:
+          working_dir: "src"
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - .evergreen/setup-azure-vm.sh
+      - command: expansions.update
+        # Load AZUREKMS_VMNAME into the expansions.
+        params:
+          file: src/testazurekms-expansions.yml
+
+    teardown_group:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh
+    tasks:
+      - test-azurekms-task
+
 pre:
   - func: "fetch source"
   - func: "windows fix"

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -68,6 +68,15 @@ functions:
           - .evergreen/run-kms-servers.sh
         env:
           DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+    - command: subprocess.exec
+      params:
+        background: true
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/run-azure-kms-mock-server.sh
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
   bootstrap oidc:
     - command: ec2.assume_role
       params:
@@ -1067,6 +1076,42 @@ tasks:
             EXPECTED_GCPKMS_OUTCOME: failure
           args:
             - src/.evergreen/run-gcp-kms-tests.sh
+  - name: test-azurekms-task
+    commands:
+      - func: install dependencies
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - src/.evergreen/copy-driver-to-azure.sh
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          add_expansions_to_env: true
+          env:
+            AZUREKMS_CMD: env EXPECTED_AZUREKMS_OUTCOME=success bash src/.evergreen/run-azure-kms-tests.sh
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/run-command.sh
+  - name: test-azurekms-fail-task
+    commands:
+      - func: install dependencies
+      - func: bootstrap mongo-orchestration
+        vars:
+          VERSION: latest
+          TOPOLOGY: server
+          AUTH: noauth
+      - command: subprocess.exec
+        type: test
+        params:
+          binary: bash
+          env:
+            EXPECTED_AZUREKMS_OUTCOME: failure
+          args:
+            - src/.evergreen/run-azure-kms-tests.sh
   - name: test-latest-server
     tags:
       - latest
@@ -2489,7 +2534,7 @@ tasks:
       - func: bootstrap kms servers
       - func: run custom csfle tests
         vars:
-          CSFLE_GIT_REF: 77b51c00ab4ff58916dd39f55657e1ecc0af281c
+          CSFLE_GIT_REF: cd7e938619aa52ce652d13690780df5f383bbef0
   - name: run-custom-csfle-tests-5.0-master
     tags:
       - run-custom-dependency-tests
@@ -2519,7 +2564,7 @@ tasks:
       - func: bootstrap kms servers
       - func: run custom csfle tests
         vars:
-          CSFLE_GIT_REF: 77b51c00ab4ff58916dd39f55657e1ecc0af281c
+          CSFLE_GIT_REF: cd7e938619aa52ce652d13690780df5f383bbef0
   - name: run-custom-csfle-tests-rapid-master
     tags:
       - run-custom-dependency-tests
@@ -2549,7 +2594,7 @@ tasks:
       - func: bootstrap kms servers
       - func: run custom csfle tests
         vars:
-          CSFLE_GIT_REF: 77b51c00ab4ff58916dd39f55657e1ecc0af281c
+          CSFLE_GIT_REF: cd7e938619aa52ce652d13690780df5f383bbef0
   - name: run-custom-csfle-tests-latest-master
     tags:
       - run-custom-dependency-tests
@@ -3088,6 +3133,30 @@ task_groups:
             - ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms/delete-instance.sh
     tasks:
       - test-gcpkms-task
+  - name: test_azurekms_task_group
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    setup_group:
+      - func: fetch source
+      - command: subprocess.exec
+        params:
+          working_dir: src
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - .evergreen/setup-azure-vm.sh
+      - command: expansions.update
+        params:
+          file: src/testazurekms-expansions.yml
+    teardown_group:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          add_expansions_to_env: true
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh
+    tasks:
+      - test-azurekms-task
 pre:
   - func: fetch source
   - func: windows fix
@@ -3557,6 +3626,13 @@ buildvariants:
     tasks:
       - test_gcpkms_task_group
       - test-gcpkms-fail-task
+  - name: debian11-test-azure-kms
+    display_name: Azure KMS Test
+    run_on: debian11-small
+    batchtime: 20160
+    tasks:
+      - test_azurekms_task_group
+      - test-azurekms-fail-task
   - name: rhel8-no-auth-tests
     display_name: No Auth Tests
     run_on: rhel80-large

diff --git a/.evergreen/copy-driver-to-azure.sh b/.evergreen/copy-driver-to-azure.sh
@@ -0,0 +1,24 @@
+#! /usr/bin/env bash
+
+set -o errexit
+
+if [ -z ${AZUREKMS_RESOURCEGROUP+omitted} ]; then echo "AZUREKMS_RESOURCEGROUP is unset" && exit 1; fi
+if [ -z ${AZUREKMS_VMNAME+omitted} ]; then echo "AZUREKMS_VMNAME is unset" && exit 1; fi
+if [ -z ${AZUREKMS_PRIVATEKEYPATH+omitted} ]; then echo "AZUREKMS_PRIVATEKEYPATH is unset" && exit 1; fi
+
+source "${PROJECT_DIRECTORY}/.evergreen/init-nvm.sh"
+
+echo "compressing node driver source ... begin"
+tar -czf node-driver-source.tgz src
+echo "compressing node driver source ... end"
+
+export AZUREKMS_SRC=node-driver-source.tgz
+export AZUREKMS_DST="./"
+echo "copying node driver tar ... begin"
+"${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/copy-file.sh"
+echo "copying node driver tar ... end"
+
+echo "decompressing node driver tar on azure ... begin"
+export AZUREKMS_CMD="tar xf node-driver-source.tgz"
+"${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/run-command.sh"
+echo "decompressing node driver tar on azure ... end"
diff --git a/.evergreen/generate_evergreen_tasks.js b/.evergreen/generate_evergreen_tasks.js
@@ -456,9 +456,8 @@ for (const {
 
 BUILD_VARIANTS.push({
   name: 'macos-1100',
-  display_name: `MacOS 11 Node${
-    versions.find(version => version.codeName === LATEST_LTS).versionNumber
-  }`,
+  display_name: `MacOS 11 Node${versions.find(version => version.codeName === LATEST_LTS).versionNumber
+    }`,
   run_on: 'macos-1100',
   expansions: {
     NODE_LTS_NAME: LATEST_LTS,
@@ -596,7 +595,7 @@ BUILD_VARIANTS.push({
 
 const oneOffFuncAsTasks = [];
 
-const FLE_PINNED_COMMIT = '77b51c00ab4ff58916dd39f55657e1ecc0af281c';
+const FLE_PINNED_COMMIT = 'cd7e938619aa52ce652d13690780df5f383bbef0';
 
 for (const version of ['5.0', 'rapid', 'latest']) {
   for (const ref of [FLE_PINNED_COMMIT, 'master']) {
@@ -668,6 +667,14 @@ BUILD_VARIANTS.push({
   tasks: ['test_gcpkms_task_group', 'test-gcpkms-fail-task']
 });
 
+BUILD_VARIANTS.push({
+  name: 'debian11-test-azure-kms',
+  display_name: 'Azure KMS Test',
+  run_on: 'debian11-small',
+  batchtime: 20160,
+  tasks: ['test_azurekms_task_group', 'test-azurekms-fail-task']
+});
+
 BUILD_VARIANTS.push({
   name: 'rhel8-no-auth-tests',
   display_name: 'No Auth Tests',

diff --git a/.evergreen/run-azure-kms-mock-server.sh b/.evergreen/run-azure-kms-mock-server.sh
@@ -0,0 +1,9 @@
+#! /user/bin/env bash
+
+if [ -z ${DRIVERS_TOOLS+omitted} ]; then echo "DRIVERS_TOOLS is unset" && exit 1; fi
+
+set -o errexit
+
+python3 $DRIVERS_TOOLS/.evergreen/csfle/bottle.py fake_azure:imds &
+
+echo "Running Azure KMS idms server on port 8080"
diff --git a/.evergreen/run-azure-kms-tests.sh b/.evergreen/run-azure-kms-tests.sh
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+
+set -o errexit
+
+pushd "src"
+PROJECT_DIRECTORY="$(pwd)"
+export PROJECT_DIRECTORY
+source ".evergreen/init-nvm.sh"
+
+set -o xtrace
+
+npm install --force 'mongodb-client-encryption@latest'
+
+export MONGODB_URI="mongodb://localhost:27017"
+
+export EXPECTED_AZUREKMS_OUTCOME=${EXPECTED_AZUREKMS_OUTCOME:-omitted}
+export TEST_CSFLE=true
+export CSFLE_KMS_PROVIDERS='not json'
+
+npx mocha --config test/mocha_mongodb.json test/integration/client-side-encryption/client_side_encryption.prose.19.on_demand_azure.test.ts
diff --git a/.evergreen/run-gcp-kms-tests.sh b/.evergreen/run-gcp-kms-tests.sh
@@ -9,7 +9,7 @@ source ".evergreen/init-nvm.sh"
 
 set -o xtrace
 
-npm install 'mongodb-client-encryption@2.6.0'
+npm install 'mongodb-client-encryption@latest'
 npm install 'gcp-metadata'
 
 export MONGODB_URI="mongodb://localhost:27017"

diff --git a/.evergreen/run-serverless-tests.sh b/.evergreen/run-serverless-tests.sh
@@ -10,7 +10,7 @@ if [ -z ${MONGODB_URI+omitted} ]; then echo "MONGODB_URI is unset" && exit 1; fi
 if [ -z ${SERVERLESS_ATLAS_USER+omitted} ]; then echo "SERVERLESS_ATLAS_USER is unset" && exit 1; fi
 if [ -z ${SERVERLESS_ATLAS_PASSWORD+omitted} ]; then echo "SERVERLESS_ATLAS_PASSWORD is unset" && exit 1; fi
 
-npm install mongodb-client-encryption@"2.6.0"
+npm install 'mongodb-client-encryption@latest'
 
 npx mocha \
   --config test/mocha_mongodb.json \

diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
@@ -52,7 +52,7 @@ else
   source "$DRIVERS_TOOLS"/.evergreen/csfle/set-temp-creds.sh
 fi
 
-npm install mongodb-client-encryption@"2.6.0"
+npm install 'mongodb-client-encryption@latest'
 npm install @mongodb-js/zstd
 npm install snappy
 

diff --git a/.evergreen/setup-azure-vm.sh b/.evergreen/setup-azure-vm.sh
@@ -0,0 +1,20 @@
+#! /usr/bin/env bash
+
+echo "${testazurekms_publickey}" > /tmp/testazurekms_publickey
+echo "${testazurekms_privatekey}" > /tmp/testazurekms_privatekey
+
+# Set 600 permissions on private key file. Otherwise ssh / scp may error with permissions "are too open".
+chmod 600 /tmp/testazurekms_privatekey
+export AZUREKMS_CLIENTID=${AZUREKMS_CLIENTID}
+export AZUREKMS_TENANTID=${AZUREKMS_TENANTID}
+export AZUREKMS_SECRET=${AZUREKMS_SECRET}
+export AZUREKMS_DRIVERS_TOOLS=$DRIVERS_TOOLS
+export AZUREKMS_RESOURCEGROUP=${AZUREKMS_RESOURCEGROUP}
+export AZUREKMS_PUBLICKEYPATH=/tmp/testazurekms_publickey
+export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey
+export AZUREKMS_SCOPE=${AZUREKMS_SCOPE}
+export AZUREKMS_VMNAME_PREFIX=NODEDRIVER
+
+$DRIVERS_TOOLS/.evergreen/csfle/azurekms/create-and-setup-vm.sh
+
+echo "AZUREKMS_PRIVATEKEYPATH: /tmp/testazurekms_privatekey" >> testazurekms-expansions.yml
diff --git a/global.d.ts b/global.d.ts
@@ -11,6 +11,7 @@ declare global {
       clientSideEncryption?: boolean;
       serverless?: 'forbid' | 'allow' | 'require';
       auth?: 'enabled' | 'disabled';
+      idmsMockServer?: true;
     };
 
     sessions?: {

diff --git a/src/deps.ts b/src/deps.ts
@@ -266,7 +266,8 @@ export interface AutoEncryptionOptions {
            * If present, an access token to authenticate with Azure.
            */
           accessToken: string;
-        };
+        }
+      | Record<string, never>;
     /** Configuration options for using 'gcp' as your KMS provider */
     gcp?:
       | {