Merge branch 'master' into DRIVERS-2384

mongodb-labs · Aug 10, 2023 · dea5ef4 · dea5ef4
2 parents 24e9e9b + 0361b3f
commit dea5ef4
Show file tree

Hide file tree

Showing 6 changed files with 466 additions and 349 deletions.
diff --git a/.evergreen/atlas_data_lake/config.yml b/.evergreen/atlas_data_lake/config.yml
@@ -11,6 +11,13 @@ billing:
       enabled: false
 showInternalErrors: true
 
+dls:
+  frontend:
+    catalog:
+      disabled: true
+    expirationRules:
+      disabled: true
+
 frontend:
   bindAddr: "localhost:27017"
   cursor:

diff --git a/.evergreen/auth_aws/setup_secrets.py b/.evergreen/auth_aws/setup_secrets.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Script for fetching AWS Secrets Vault secrets for use in testing.
+"""
+import argparse
+import json
+import os
+import yaml
+import boto3
+
+
+def get_secrets(vaults, region="us-east-1", profile="default"):
+    """Get the driver secret values."""
+    # Handle local credentials.
+    try:
+        session = boto3.Session(profile_name=profile)
+        client = session.client(service_name='secretsmanager', region_name=region)
+    except Exception:
+        print("Failed to connect using AWS credentials, trying with environment variables")
+        if "AWS_SESSION_TOKEN" not in os.environ:
+            if "AWS_ROLE_ARN" in os.environ:
+                session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
+                                        aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'])
+                client = session.client(service_name='sts', region_name=region)
+                creds = client.assume_role(RoleArn=os.environ['AWS_ROLE_ARN'], RoleSessionName='test')['Credentials']
+                os.environ['AWS_ACCESS_KEY_ID'] = creds['AccessKeyId']
+                os.environ['AWS_SECRET_ACCESS_KEY'] = creds['SecretAccessKey']
+                os.environ['AWS_SESSION_TOKEN'] = creds['SessionToken']
+            else:
+                raise ValueError('Missing AWS credentials')
+
+        # Create a session using the given creds
+        session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
+                                aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'],
+                                aws_session_token=os.environ['AWS_SESSION_TOKEN'])
+        client = session.client(service_name='secretsmanager', region_name=region)
+
+    secrets = []
+    try:
+        for vault in vaults:
+            secrets.append(client.get_secret_value(
+                SecretId=vault
+            )['SecretString'])
+    except Exception as e:
+        # For a list of exceptions thrown, see
+        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+        raise e
+
+    # Decrypts secret using the associated KMS key.
+    return [json.loads(s) for s in secrets]
+
+
+def write_secrets(vaults, region, profile):
+    pairs = {}
+    secrets = get_secrets(vaults, region, profile)
+    for secret in secrets:
+        for key, val in secret.items():
+            pairs[key.upper()] = val
+
+    with open("secrets-expansion.yml", "w") as yaml_out:
+        yaml.dump(pairs, yaml_out, default_flow_style=False, allow_unicode=True, default_style='"')
+
+    with open("secrets-export.sh", "w") as out:
+        # These values are secrets, do not print them
+        out.write("#!/usr/bin/env bash\n\nset +x\n")
+        for key, val in pairs.items():
+            out.write("export " + key + "=" + "\"" + val + "\"\n")
+
+
+def main():
+    parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+                                     description='MongoDB AWS Secrets Vault fetcher. If connecting with the given AWS '
+                                                 'profile fails, will attempt to use local environment variables '
+                                                 'instead.')
+
+    parser.add_argument("-p", "--profile", type=str, metavar="profile", default="default", help="a local AWS profile "
+                                                                                                "to use credentials "
+                                                                                                "from.")
+    parser.add_argument("-r", "--region", type=str, metavar="region", default="us-east-1",
+                        help="the AWS region containing the given vaults.")
+    parser.add_argument("vaults", metavar="V", type=str, nargs="+", help="a vault to fetch secrets from")
+
+    args = parser.parse_args()
+
+    write_secrets(args.vaults, args.region, args.profile)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/.evergreen/auth_oidc/oidc_get_tokens.py b/.evergreen/auth_oidc/oidc_get_tokens.py
@@ -16,7 +16,7 @@ def main():
         'rsa_key': secrets['oidc_rsa_key'],
         'audience': DEFAULT_CLIENT,
         'client_id': DEFAULT_CLIENT,
-        'client_secret':secrets['oidc_client_secret'],
+        'client_secret': secrets['oidc_client_secret'],
         'username': 'test_user1',
         'token_file': os.path.join(token_dir, 'test_user1')
     }