test(NODE-6941): run x509 tests against cloud-dev (#4568)

Author: baileympearson

.evergreen/config.in.yml

@@ -697,10 +697,12 @@ functions:
       type: test
       params:
         working_dir: "src"
-        env:
-          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
-          MONGODB_URI: ${MONGODB_URI}
-          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+        include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+          - PROJECT_DIRECTORY
+          - DRIVERS_TOOLS
         binary: bash
         args:
           - ${PROJECT_DIRECTORY}/.evergreen/run-x509-tests.sh

.evergreen/config.yml

@@ -632,10 +632,12 @@ functions:
       type: test
       params:
         working_dir: src
-        env:
-          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
-          MONGODB_URI: ${MONGODB_URI}
-          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+        include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+          - PROJECT_DIRECTORY
+          - DRIVERS_TOOLS
         binary: bash
         args:
           - ${PROJECT_DIRECTORY}/.evergreen/run-x509-tests.sh
@@ -1544,16 +1546,8 @@ tasks:
       - auth
       - x509
     commands:
-      - command: expansions.update
-        type: setup
-        params:
-          updates:
-            - {key: VERSION, value: latest}
-            - {key: TOPOLOGY, value: server}
-            - {key: AUTH, value: noauth}
-            - {key: SSL, value: ssl}
       - func: install dependencies
-      - func: bootstrap mongo-orchestration
+      - func: assume secrets manager role
       - func: run x509 auth tests
   - name: test-atlas-connectivity
     tags:

.evergreen/generate_evergreen_tasks.js

@@ -118,14 +118,8 @@ BASE_TASKS.push({
   name: `test-x509-authentication`,
   tags: ['latest', 'auth', 'x509'],
   commands: [
-    updateExpansions({
-      VERSION: 'latest',
-      TOPOLOGY: 'server',
-      AUTH: 'noauth',
-      SSL: 'ssl'
-    }),
     { func: 'install dependencies' },
-    { func: 'bootstrap mongo-orchestration' },
+    { func: 'assume secrets manager role' },
     { func: 'run x509 auth tests' }
   ]
 });

.evergreen/run-x509-tests.sh

@@ -4,19 +4,18 @@ source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
 
 set -o errexit
 
-export SSL_KEY_FILE=$DRIVERS_TOOLS/.evergreen/x509gen/client.pem
-export SSL_CA_FILE=$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem
-export SSL_KEY_FILE_EXPIRED=$DRIVERS_TOOLS/.evergreen/x509gen/expired.pem
-export SSL_KEY_NO_USER=$DRIVERS_TOOLS/.evergreen/x509gen/crl.pem
+bash drivers-evergreen-tools/.evergreen/secrets_handling/setup-secrets.sh drivers/atlas_connect
+source secrets-export.sh
 
-SUBJECT=$(openssl x509 -subject -nameopt RFC2253 -noout -inform PEM -in $SSL_KEY_FILE)
+echo "${ATLAS_X509_DEV_CERT_BASE64}" | base64 --decode >clientcert.pem
+echo "${ATLAS_X509_DEV_CERT_NOUSER_BASE64}" | base64 --decode >nouser.pem
 
-# Strip `subject=` prefix from the subject
-SUBJECT=${SUBJECT#"subject="}
+SSL_KEY_FILE_EXPIRED=$DRIVERS_TOOLS/.evergreen/x509gen/expired.pem
+MONGODB_URI="$ATLAS_X509_DEV"
 
-# Remove any leading or trailing whitespace
-SUBJECT=$(echo "$SUBJECT" | awk '{$1=$1;print}')
-
-export SUBJECT
+export MONGODB_URI
+export SSL_KEY_FILE_EXPIRED
+export SSL_KEY_FILE_NO_USER="nouser.pem"
+export SSL_KEY_FILE="clientcert.pem"
 
 npm run check:x509

test/manual/x509_auth.test.ts

@@ -14,21 +14,14 @@ const connectionString = new ConnectionString(process.env.MONGODB_URI!);
 describe('x509 Authentication', function () {
   let client: MongoClient;
   const validOptions: MongoClientOptions = {
-    tls: true,
-    tlsCertificateKeyFile: process.env.SSL_KEY_FILE,
-    tlsCAFile: process.env.SSL_CA_FILE,
-    authMechanism: 'MONGODB-X509' as const,
-    authSource: '$external'
+    tlsCertificateKeyFile: process.env.SSL_KEY_FILE
   };
 
   this.afterEach(() => {
     return client?.close();
   });
 
   context('When the user provides a valid certificate', function () {
-    before('create x509 user', createX509User);
-    after('drop x509 user', dropX509User);
-
     it('successfully authenticates using x509', async function () {
       client = new MongoClient(connectionString.toString(), validOptions);
       const result = await client
@@ -64,9 +57,7 @@ describe('x509 Authentication', function () {
       const invalidOptions: MongoClientOptions = {
         // use an expired key file
         tlsCertificateKeyFile: process.env.SSL_KEY_FILE_EXPIRED,
-        tlsCAFile: process.env.SSL_CA_FILE,
-        authMechanism: 'MONGODB-X509' as const,
-        authSource: '$external'
+        serverSelectionTimeoutMS: 2000
       };
       client = new MongoClient(connectionString.toString(), {
         ...invalidOptions,
@@ -82,7 +73,10 @@ describe('x509 Authentication', function () {
     'when a valid cert is provided but the certificate does not correspond to a user',
     function () {
       it('fails to authenticate', async function () {
-        client = new MongoClient(connectionString.toString(), validOptions);
+        client = new MongoClient(connectionString.toString(), {
+          tlsCertificateKeyFile: process.env.SSL_KEY_FILE_NO_USER,
+          serverSelectionTimeoutMS: 2000
+        });
         const error = await client.connect().catch(error => error);
 
         expect(error).to.be.instanceOf(MongoServerError);
@@ -91,42 +85,3 @@ describe('x509 Authentication', function () {
     }
   );
 });
-
-async function createX509User() {
-  const utilClient = new MongoClient(connectionString.toString(), {
-    tls: true,
-    tlsCertificateKeyFile: process.env.SSL_KEY_FILE,
-    tlsCAFile: process.env.SSL_CA_FILE,
-    serverSelectionTimeoutMS: 2000
-  });
-
-  try {
-    await utilClient.connect();
-    await utilClient.db('$external').command({
-      createUser: process.env.SUBJECT,
-      roles: [
-        { role: 'readWrite', db: 'test' },
-        { role: 'userAdminAnyDatabase', db: 'admin' }
-      ]
-    });
-  } finally {
-    await utilClient.close();
-  }
-}
-
-async function dropX509User() {
-  const utilClient = new MongoClient(connectionString.toString(), {
-    tls: true,
-    tlsCertificateKeyFile: process.env.SSL_KEY_FILE,
-    tlsCAFile: process.env.SSL_CA_FILE,
-    serverSelectionTimeoutMS: 2000
-  });
-  try {
-    await utilClient.connect();
-    await utilClient.db('$external').command({
-      dropUser: process.env.SUBJECT
-    });
-  } finally {
-    await utilClient.close();
-  }
-}