PYTHON-2608 Test that KMS TLS connections verify peer certificates (mongodb#667)

Use bash for all evergreen scripts.

Author: ShaneHarvey

.evergreen/config.yml

@@ -292,7 +292,7 @@ functions:
  DISABLE_TEST_COMMANDS=${DISABLE_TEST_COMMANDS} \
  ORCHESTRATION_FILE=${ORCHESTRATION_FILE} \
  REQUIRE_API_VERSION=${REQUIRE_API_VERSION} \
- sh ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh
+ bash ${DRIVERS_TOOLS}/.evergreen/run-orchestration.sh
  # run-orchestration generates expansion file with the MONGODB_URI for the cluster
  - command: expansions.update
  params:
@@ -310,23 +310,23 @@ functions:
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- sh ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/build-mongohouse-local.sh
+ bash ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/build-mongohouse-local.sh
  - command: shell.exec
  type: setup
  params:
  background: true
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- sh ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/run-mongohouse-local.sh
+ bash ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/run-mongohouse-local.sh
 
  "stop mongo-orchestration":
  - command: shell.exec
  params:
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- sh ${DRIVERS_TOOLS}/.evergreen/stop-orchestration.sh
+ bash ${DRIVERS_TOOLS}/.evergreen/stop-orchestration.sh
 
  "run mod_wsgi tests":
  - command: shell.exec
@@ -336,7 +336,7 @@ functions:
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- PYTHON_BINARY=${PYTHON_BINARY} MOD_WSGI_VERSION=${MOD_WSGI_VERSION} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-mod-wsgi-tests.sh
+ PYTHON_BINARY=${PYTHON_BINARY} MOD_WSGI_VERSION=${MOD_WSGI_VERSION} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-mod-wsgi-tests.sh
 
  "run mockupdb tests":
  - command: shell.exec
@@ -346,7 +346,7 @@ functions:
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- PYTHON_BINARY=${PYTHON_BINARY} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-mockupdb-tests.sh
+ PYTHON_BINARY=${PYTHON_BINARY} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-mockupdb-tests.sh
 
  "run doctests":
  - command: shell.exec
@@ -356,7 +356,7 @@ functions:
  script: |
  set -o xtrace
  ${PREPARE_SHELL}
- PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh
+ PYTHON_BINARY=${PYTHON_BINARY} bash ${PROJECT_DIRECTORY}/.evergreen/run-doctests.sh
 
  "run tests":
  - command: shell.exec
@@ -425,7 +425,7 @@ functions:
  SSL=${SSL} \
  DATA_LAKE=${DATA_LAKE} \
  MONGODB_API_VERSION=${MONGODB_API_VERSION} \
- sh ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
+ bash ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
 
  "run enterprise auth tests":
  - command: shell.exec
@@ -435,7 +435,7 @@ functions:
  working_dir: "src"
  script: |
  # DO NOT ECHO WITH XTRACE (which PREPARE_SHELL does)
- PYTHON_BINARY=${PYTHON_BINARY} SASL_HOST=${sasl_host} SASL_PORT=${sasl_port} SASL_USER=${sasl_user} SASL_PASS=${sasl_pass} SASL_DB=${sasl_db} PRINCIPAL=${principal} GSSAPI_DB=${gssapi_db} KEYTAB_BASE64=${keytab_base64} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} sh ${PROJECT_DIRECTORY}/.evergreen/run-enterprise-auth-tests.sh
+ PYTHON_BINARY=${PYTHON_BINARY} SASL_HOST=${sasl_host} SASL_PORT=${sasl_port} SASL_USER=${sasl_user} SASL_PASS=${sasl_pass} SASL_DB=${sasl_db} PRINCIPAL=${principal} GSSAPI_DB=${gssapi_db} KEYTAB_BASE64=${keytab_base64} PROJECT_DIRECTORY=${PROJECT_DIRECTORY} bash ${PROJECT_DIRECTORY}/.evergreen/run-enterprise-auth-tests.sh
 
  "run atlas tests":
  - command: shell.exec
@@ -705,7 +705,7 @@ functions:
  ${PREPARE_SHELL}
  file="${PROJECT_DIRECTORY}/.evergreen/install-dependencies.sh"
  # Don't use ${file} syntax here because evergreen treats it as an empty expansion.
- [ -f "$file" ] && sh $file || echo "$file not available, skipping"
+ [ -f "$file" ] && bash $file || echo "$file not available, skipping"
 
  "run-ocsp-test":
  - command: shell.exec
@@ -717,7 +717,7 @@ functions:
  PYTHON_BINARY=${PYTHON_BINARY} \
  CA_FILE="$DRIVERS_TOOLS/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem" \
  OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \
- sh ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh
+ bash ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh
 
  run-valid-ocsp-server:
  - command: shell.exec

.evergreen/install-dependencies.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -o xtrace # Write all commands first to stderr
 set -o errexit # Exit the script with error if any of the commands fail
 

.evergreen/run-mod-wsgi-tests.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -o xtrace
 set -o errexit
 

.evergreen/run-tests.sh

@@ -144,6 +144,15 @@ if [ -n "$TEST_ENCRYPTION" ]; then
  # Get access to the AWS temporary credentials:
  # CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
  . $DRIVERS_TOOLS/.evergreen/csfle/set-temp-creds.sh
+
+ # Start the mock KMS servers.
+ if [ "$OS" != "Windows_NT" ]; then
+ pushd ${DRIVERS_TOOLS}/.evergreen/csfle
+ python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 &
+ python -u lib/kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 &
+ trap 'kill $(jobs -p)' EXIT HUP
+ popd
+ fi
 fi
 
 if [ -z "$DATA_LAKE" ]; then

test/test_encryption.py

@@ -19,6 +19,7 @@
 import os
 import traceback
 import socket
+import ssl
 import sys
 import textwrap
 import uuid
@@ -49,6 +50,7 @@
  WriteError)
 from pymongo.mongo_client import MongoClient
 from pymongo.operations import InsertOne
+from pymongo.ssl_support import _ssl
 from pymongo.write_concern import WriteConcern
 
 from test import unittest, IntegrationTest, PyMongoTestCase, client_context
@@ -60,6 +62,7 @@
  rs_or_single_client,
  wait_until)
 from test.utils_spec_runner import SpecRunner
+from test.test_ssl import CA_PEM
 
 
 def get_client_opts(client):
@@ -1624,5 +1627,59 @@ def test_bypassAutoEncryption(self):
  mongocryptd_client.admin.command('ping')
 
 
+# https://github.com/mongodb/specifications/tree/master/source/client-side-encryption/tests#kms-tls-tests
+class TestKmsTLSProse(EncryptionIntegrationTest):
+ @unittest.skipIf(sys.platform == 'win32',
+ "Can't test system ca certs on Windows")
+ @unittest.skipIf(ssl.OPENSSL_VERSION.lower().startswith('libressl') and
+ sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL,
+ "LibreSSL on OSX doesn't support setting CA certificates "
+ "using SSL_CERT_FILE environment variable.")
+ @unittest.skipUnless(any(AWS_CREDS.values()),
+ 'AWS environment credentials are not set')
+ def setUp(self):
+ self.original_certs = os.environ.get('SSL_CERT_FILE')
+ def restore_certs():
+ if self.original_certs is None:
+ os.environ.pop('SSL_CERT_FILE')
+ else:
+ os.environ['SSL_CERT_FILE'] = self.original_certs
+ # Tell OpenSSL where CA certificates live.
+ os.environ['SSL_CERT_FILE'] = CA_PEM
+ self.addCleanup(restore_certs)
+
+ self.client_encrypted = ClientEncryption(
+ {'aws': AWS_CREDS}, 'keyvault.datakeys', self.client, OPTS)
+ self.addCleanup(self.client_encrypted.close)
+
+ def test_invalid_kms_certificate_expired(self):
+ key = {
+ "region": "us-east-1",
+ "key": "arn:aws:kms:us-east-1:579766882180:key/"
+ "89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+ "endpoint": "mongodb://127.0.0.1:8000",
+ }
+ # Some examples:
+ # certificate verify failed: certificate has expired (_ssl.c:1129)
+ # amazon1-2018 Python 3.6: certificate verify failed (_ssl.c:852)
+ with self.assertRaisesRegex(
+ EncryptionError, 'expired|certificate verify failed'):
+ self.client_encrypted.create_data_key('aws', master_key=key)
+
+ def test_invalid_hostname_in_kms_certificate(self):
+ key = {
+ "region": "us-east-1",
+ "key": "arn:aws:kms:us-east-1:579766882180:key/"
+ "89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+ "endpoint": "mongodb://127.0.0.1:8001",
+ }
+ # Some examples:
+ # certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)"
+ # hostname '127.0.0.1' doesn't match 'wronghost.com'
+ with self.assertRaisesRegex(
+ EncryptionError, 'IP address mismatch|wronghost'):
+ self.client_encrypted.create_data_key('aws', master_key=key)
+
+
 if __name__ == "__main__":
  unittest.main()