CSHARP-3299: Enable Secure Tests on Linux. (mongodb#499)

CSHARP-3299: Enable Secure Tests on Linux.

Author: DmitryLukyanov

evergreen/add-certs-if-needed.sh

@@ -7,6 +7,7 @@ set -o errexit  # Exit the script with an error if any of the commands fail
 #     SSL                     Set to enable SSL. Values are "ssl" / "nossl" (default)
 #     OCSP_TLS_SHOULD_SUCCEED Set to test OCSP. Values are true/false/nil
 #     OCSP_ALGORITHM          Set to test OCSP. Values are rsa/ecdsa/nil
+#     OS                      Set to access operating system
 
 SSL=${SSL:-nossl}
 OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED:-nil}
@@ -16,16 +17,28 @@ if [[ "$SSL" != "ssl" ]]; then
   exit 0
 fi
 
-if [[ "$OS" =~ Windows|windows ]]; then
-  certutil.exe -addstore "Root" ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem
-
-  if [[ "$OCSP_TLS_SHOULD_SUCCEED" != "nil" && "$OCSP_ALGORITHM" != "nil" ]]; then
-    certutil.exe -addstore "Root" ${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem
+function make_trusted() {
+  echo "CA.pem certificate $1"
+  if [[ "$OS" =~ Windows|windows ]]; then
+    # makes the client.pem trusted
+    certutil.exe -addstore "Root" $1
+  elif  [[ "$OS" =~ Ubuntu|ubuntu ]]; then
+    # makes the client.pem trusted
+    # note: .crt is the equivalent format as .pem, but we need to make this renaming because update-ca-certificates supports only .crt
+    sudo cp -f $1 /usr/local/share/ca-certificates/ca.crt
+    sudo update-ca-certificates
+  elif [[ "$OS" =~ macos ]]; then
+    # mac OS, the same trick as for above ubuntu step
+    sudo cp -f $1 ~/ca.crt
+    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt
+  else
+    echo "Unsupported OS:${OS}" 1>&2 # write to stderr
+    exit 1
   fi
-else
-  keytool -import -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -keystore Root -storepass changeit -noprompt -alias x509
+}
 
-  if [[ "$OCSP_TLS_SHOULD_SUCCEED" != "nil" && "$OCSP_ALGORITHM" != "nil" ]]; then
-    keytool -import -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem -keystore Root -storepass changeit -noprompt -alias ${OCSP_ALGORITHM}
-  fi
+make_trusted ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem
+
+if [[ "$OCSP_TLS_SHOULD_SUCCEED" != "nil" && "$OCSP_ALGORITHM" != "nil" ]]; then
+  make_trusted ${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem
 fi

evergreen/evergreen.yml

@@ -259,7 +259,7 @@ functions:
           . ./evergreen/set-virtualenv.sh
           . ./evergreen/set-temp-fle-aws-creds.sh
           ${PREPARE_SHELL}
-          SSL=${SSL} evergreen/add-certs-if-needed.sh
+          SSL=${SSL} OS=${OS} evergreen/add-certs-if-needed.sh
           AUTH=${AUTH} \
             SSL=${SSL} \
             MONGODB_URI="${MONGODB_URI}" \
@@ -1254,7 +1254,17 @@ buildvariants:
      - name: test-netstandard20
      - name: test-netstandard21
 
-- matrix_name: "unsecure-tests-posix"
+  # ubuntu 18 does not support SSL until 4.0
+- matrix_name: "secure-tests-linux"
+  matrix_spec: { version: ["4.0", "4.2", "4.4", "latest"], topology: "*", auth: "auth", ssl: "ssl", os: "ubuntu-1804" }
+  display_name: "${version} ${topology} ${auth} ${ssl} ${os}"
+  tags: ["tests-variant"]
+  tasks:
+     - name: test-netstandard15
+     - name: test-netstandard20
+     - name: test-netstandard21
+
+- matrix_name: "unsecure-tests-linux"
   matrix_spec: { version: "*", topology: "*", auth: "noauth", ssl: "nossl", os: "ubuntu-1804" }
   display_name: "${version} ${topology} ${auth} ${ssl} ${os}"
   tags: ["tests-variant"]
@@ -1263,6 +1273,17 @@ buildvariants:
      - name: test-netstandard20
      - name: test-netstandard21
 
+# macos-1014 does not support SSL until 3.2
+- matrix_name: "secure-tests-macOS"
+  matrix_spec: { version: ["3.2", "3.6", "4.0", "4.2", "4.4", "latest"], topology: "*", auth: "auth", ssl: "ssl", os: "macos-1014" }
+  display_name: "${version} ${topology} ${auth} ${ssl} ${os}"
+  tags: ["tests-variant"]
+  tasks:
+     # - name: test-netstandard15: auth tests fail on macos with test-netstandard15 due to the fact that this TF uses openssl that is missed on the current boxes
+     # Starting in .NET Core 2.0, .NET Core switched to using the default Apple Security Framework on macOS.
+     - name: test-netstandard20
+     - name: test-netstandard21
+
 - matrix_name: "unsecure-tests-macOS"
   matrix_spec: { version: "*", topology: "*", auth: "noauth", ssl: "nossl", os: "macos-1014" }
   display_name: "${version} ${topology} ${auth} ${ssl} ${os}"

evergreen/run-tests.sh

@@ -121,16 +121,16 @@ if [[ "$OS" =~ Windows|windows ]]; then
     powershell.exe '.\build.ps1 -target' $TARGET
   else
     powershell.exe \
-      '$env:MONGO_X509_CLIENT_CERTIFICATE_PATH="'${MONGO_X509_CLIENT_CERTIFICATE_PATH}'";'\
-      '$env:MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="'${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}'";'\
+      '$env:MONGO_X509_CLIENT_CERTIFICATE_PATH="${MONGO_X509_CLIENT_CERTIFICATE_PATH}";'\
+      '$env:MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}";'\
       '.\build.ps1 -target' $TARGET
   fi
 else
   if [[ -z "$MONGO_X509_CLIENT_CERTIFICATE_PATH" && -z "$MONGO_X509_CLIENT_CERTIFICATE_PASSWORD" ]]; then
     ./build.sh -target=$TARGET
   else
-    MONGO_X509_CLIENT_CERTIFICATE_PATH="'${MONGO_X509_CLIENT_CERTIFICATE_PATH}'" \
-    MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="'${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}'" \
+    MONGO_X509_CLIENT_CERTIFICATE_PATH="${MONGO_X509_CLIENT_CERTIFICATE_PATH}" \
+    MONGO_X509_CLIENT_CERTIFICATE_PASSWORD="${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}" \
     ./build.sh -target=$TARGET
   fi
 fi

tests/MongoDB.Driver.Tests/ClusterTests.cs

@@ -65,12 +65,8 @@ public void SelectServer_loadbalancing_prose_test([Values(false, true)] bool asy
                 .ClusterType(ClusterType.Sharded);
             RequireMultipleShardRouters();
 
-            // temporary disable the test on Win Auth topologies, due to operations timings irregularities
-            if (CoreTestConfiguration.ConnectionString.Tls == true &&
-                RequirePlatform.GetCurrentOperatingSystem() == SupportedOperatingSystem.Windows)
-            {
-                throw new SkipException("Win Auth topologies temporary not supported due to timings irregularities.");
-            }
+            // temporary disable the test on Auth envs due to operations timings irregularities
+            RequireServer.Check().Authentication(false);
 
             const string applicationName = "loadBalancingTest";
             const int threadsCount = 10;