[MONGOCRYPT-350] Add integration tests with CSFLE CLI to Evergreen Created: 18/Oct/21  Updated: 03/Aug/22

Status: Backlog
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Unknown
Reporter: Kevin Albertson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to MONGOCRYPT-465 Investigate running driver integratio... Backlog
is related to MONGOCRYPT-268 Add a CLI for testing and development Closed
Binding Changes: Not Needed

 Description   

Background & Motivation
MONGOCRYPT-268 introduced a test utility csfle. It requires an additional dependency of libmongoc. It does not build by default in Evergreen since libmongoc is not built as part of tests. It allows running the main functions of CSFLE from a command line utility against live services, similar to a driver.

I use csfle during development to validate changes in libmongocrypt. Here is an example of a test with the KMIP provider:

set -o errexit
export KMIP_CLIENT_CERTIFICATE="/Users/kevin.albertson/code/drivers-evergreen-tools/.evergreen/x509gen/client.pem"
export KMIP_CA_CERTIFICATE="/Users/kevin.albertson/code/drivers-evergreen-tools/.evergreen/x509gen/ca.pem"
 
DATAKEY=$(./cmake-build/csfle create_datakey --kms_provider kmip --tls_ca_file $KMIP_CA_CERTIFICATE --tls_certificate_key_file $KMIP_CLIENT_CERTIFICATE)
echo "DATAKEY=$DATAKEY"
KEYID=$(echo $DATAKEY | jq -r  '._id."$binary".base64')
echo "KEYID=$KEYID"
ENCRYPTION_RESULT=$(./cmake-build/csfle explicit_encrypt --value '{"v": "test"}' --algorithm "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" --key_id "$KEYID" --tls_ca_file $KMIP_CA_CERTIFICATE --tls_certificate_key_file $KMIP_CLIENT_CERTIFICATE)
echo "ENCRYPTION_RESULT=$ENCRYPTION_RESULT"
DECRYPTION_RESULT=$(./cmake-build/csfle explicit_decrypt --value "$ENCRYPTION_RESULT" --tls_ca_file $KMIP_CA_CERTIFICATE --tls_certificate_key_file $KMIP_CLIENT_CERTIFICATE)
echo "DECRYPTION_RESULT=$DECRYPTION_RESULT"

Using csfle to test libmongocrypt gives confidence in changes without updating bindings in downstream drivers.

Scope

  • Build csfle as part of the Evergreen build tasks
  • Run a test with each KMIP provider (aws, azure, gcp, local, kmip) using the csfle utility to test each of the five functions (create_datakey, auto_encrypt, auto_decrypt, explicit_encrypt, explicit_decrypt)

Generated at Thu Feb 08 09:08:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.