Merge branch 'master' into 3115-remove-serverless

jamis · jamis · commit 16c6307d9928 · 2025-08-19T08:14:11.000-06:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -410,7 +410,16 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          MONGODB_URI="${MONGODB_URI}" .evergreen/run-tests-atlas.sh
+          AUTH=${AUTH} SSL=${SSL} TOPOLOGY=${TOPOLOGY} RVM_RUBY="${RVM_RUBY}" \
+          ATLAS_REPLICA_SET_URI=${atlas_replica_set_uri} ATLAS_SHARDED_URI=${atlas_sharded_uri} \
+          ATLAS_FREE_TIER_URI=${atlas_free_tier_uri} ATLAS_TLS11_URI=${atlas_tls11_uri} \
+          ATLAS_TLS12_URI=${atlas_tls12_uri} ATLAS_SERVERLESS_URI=${atlas_serverless_uri} \
+          ATLAS_SERVERLESS_LB_URI=${atlas_serverless_lb_uri} \
+          ATLAS_X509_CERT_BASE64="${atlas_x509_cert_base64}" \
+          ATLAS_X509_URI="${atlas_x509}" \
+          ATLAS_X509_DEV_CERT_BASE64="${atlas_x509_dev_cert_base64}" \
+          ATLAS_X509_DEV_URI="${atlas_x509_dev}" \
+          .evergreen/run-tests-atlas.sh
 
 pre:
   - func: "fetch source"
@@ -425,56 +434,6 @@ post:
   - func: "upload test results to s3"
 
 task_groups:
-  - name: testatlas_task_group
-    setup_group_can_fail_task: true
-    setup_group_timeout_secs: 1800 # 30 minutes
-    setup_group:
-      - func: fetch source
-      - func: create expansions
-      - command: shell.exec
-        params:
-          shell: "bash"
-          working_dir: "src"
-          script: |
-            ${PREPARE_SHELL}
-
-            echo "Setting up Atlas cluster"
-
-            DRIVERS_ATLAS_PUBLIC_API_KEY="${DRIVERS_ATLAS_PUBLIC_API_KEY}" \
-              DRIVERS_ATLAS_PRIVATE_API_KEY="${DRIVERS_ATLAS_PRIVATE_API_KEY}" \
-              DRIVERS_ATLAS_GROUP_ID="${DRIVERS_ATLAS_GROUP_ID}" \
-              DRIVERS_ATLAS_LAMBDA_USER="${DRIVERS_ATLAS_LAMBDA_USER}" \
-              DRIVERS_ATLAS_LAMBDA_PASSWORD="${DRIVERS_ATLAS_LAMBDA_PASSWORD}" \
-              DRIVERS_ATLAS_BASE_URL="${DRIVERS_ATLAS_BASE_URL}" \
-              LAMBDA_STACK_NAME="dbx-ruby-lambda" \
-              MONGODB_VERSION="7.0" \
-              task_id="${task_id}" \
-              execution="${execution}" \
-              $DRIVERS_TOOLS/.evergreen/atlas/setup-atlas-cluster.sh
-
-              echo "MONGODB_URI=${MONGODB_URI}"
-      - command: expansions.update
-        params:
-          file: src/atlas-expansion.yml
-    teardown_group:
-      - command: shell.exec
-        params:
-          shell: "bash"
-          working_dir: "src"
-          script: |
-            ${PREPARE_SHELL}
-
-            DRIVERS_ATLAS_PUBLIC_API_KEY="${DRIVERS_ATLAS_PUBLIC_API_KEY}" \
-              DRIVERS_ATLAS_PRIVATE_API_KEY="${DRIVERS_ATLAS_PRIVATE_API_KEY}" \
-              DRIVERS_ATLAS_GROUP_ID="${DRIVERS_ATLAS_GROUP_ID}" \
-              DRIVERS_ATLAS_BASE_URL="${DRIVERS_ATLAS_BASE_URL}" \
-              LAMBDA_STACK_NAME="dbx-ruby-lambda" \
-              task_id="${task_id}" \
-              execution="${execution}" \
-              $DRIVERS_TOOLS/.evergreen/atlas/teardown-atlas-cluster.sh
-    tasks:
-      - test-atlas
-
   - name: testatlas_full_task_group
     setup_group_can_fail_task: true
     setup_group_timeout_secs: 1800 # 30 minutes
@@ -1835,9 +1794,9 @@ buildvariants:
     matrix_spec:
       ruby: ["ruby-3.3", "ruby-3.2", "ruby-3.1"]
       os: ubuntu2204
-    display_name: "Atlas tests ${ruby}"
+    display_name: "Atlas  connectivity tests ${ruby}"
     tasks:
-       - name: testatlas_task_group
+       - name: test-atlas
 
   - matrix_name: "aws-lambda"
     matrix_spec:
diff --git a/.evergreen/config/common.yml.erb b/.evergreen/config/common.yml.erb
@@ -407,7 +407,16 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
-          MONGODB_URI="${MONGODB_URI}" .evergreen/run-tests-atlas.sh
+          AUTH=${AUTH} SSL=${SSL} TOPOLOGY=${TOPOLOGY} RVM_RUBY="${RVM_RUBY}" \
+          ATLAS_REPLICA_SET_URI=${atlas_replica_set_uri} ATLAS_SHARDED_URI=${atlas_sharded_uri} \
+          ATLAS_FREE_TIER_URI=${atlas_free_tier_uri} ATLAS_TLS11_URI=${atlas_tls11_uri} \
+          ATLAS_TLS12_URI=${atlas_tls12_uri} ATLAS_SERVERLESS_URI=${atlas_serverless_uri} \
+          ATLAS_SERVERLESS_LB_URI=${atlas_serverless_lb_uri} \
+          ATLAS_X509_CERT_BASE64="${atlas_x509_cert_base64}" \
+          ATLAS_X509_URI="${atlas_x509}" \
+          ATLAS_X509_DEV_CERT_BASE64="${atlas_x509_dev_cert_base64}" \
+          ATLAS_X509_DEV_URI="${atlas_x509_dev}" \
+          .evergreen/run-tests-atlas.sh
 
 pre:
   - func: "fetch source"
@@ -422,56 +431,6 @@ post:
   - func: "upload test results to s3"
 
 task_groups:
-  - name: testatlas_task_group
-    setup_group_can_fail_task: true
-    setup_group_timeout_secs: 1800 # 30 minutes
-    setup_group:
-      - func: fetch source
-      - func: create expansions
-      - command: shell.exec
-        params:
-          shell: "bash"
-          working_dir: "src"
-          script: |
-            ${PREPARE_SHELL}
-
-            echo "Setting up Atlas cluster"
-
-            DRIVERS_ATLAS_PUBLIC_API_KEY="${DRIVERS_ATLAS_PUBLIC_API_KEY}" \
-              DRIVERS_ATLAS_PRIVATE_API_KEY="${DRIVERS_ATLAS_PRIVATE_API_KEY}" \
-              DRIVERS_ATLAS_GROUP_ID="${DRIVERS_ATLAS_GROUP_ID}" \
-              DRIVERS_ATLAS_LAMBDA_USER="${DRIVERS_ATLAS_LAMBDA_USER}" \
-              DRIVERS_ATLAS_LAMBDA_PASSWORD="${DRIVERS_ATLAS_LAMBDA_PASSWORD}" \
-              DRIVERS_ATLAS_BASE_URL="${DRIVERS_ATLAS_BASE_URL}" \
-              LAMBDA_STACK_NAME="dbx-ruby-lambda" \
-              MONGODB_VERSION="7.0" \
-              task_id="${task_id}" \
-              execution="${execution}" \
-              $DRIVERS_TOOLS/.evergreen/atlas/setup-atlas-cluster.sh
-
-              echo "MONGODB_URI=${MONGODB_URI}"
-      - command: expansions.update
-        params:
-          file: src/atlas-expansion.yml
-    teardown_group:
-      - command: shell.exec
-        params:
-          shell: "bash"
-          working_dir: "src"
-          script: |
-            ${PREPARE_SHELL}
-
-            DRIVERS_ATLAS_PUBLIC_API_KEY="${DRIVERS_ATLAS_PUBLIC_API_KEY}" \
-              DRIVERS_ATLAS_PRIVATE_API_KEY="${DRIVERS_ATLAS_PRIVATE_API_KEY}" \
-              DRIVERS_ATLAS_GROUP_ID="${DRIVERS_ATLAS_GROUP_ID}" \
-              DRIVERS_ATLAS_BASE_URL="${DRIVERS_ATLAS_BASE_URL}" \
-              LAMBDA_STACK_NAME="dbx-ruby-lambda" \
-              task_id="${task_id}" \
-              execution="${execution}" \
-              $DRIVERS_TOOLS/.evergreen/atlas/teardown-atlas-cluster.sh
-    tasks:
-      - test-atlas
-
   - name: testatlas_full_task_group
     setup_group_can_fail_task: true
     setup_group_timeout_secs: 1800 # 30 minutes
diff --git a/.evergreen/config/standard.yml.erb b/.evergreen/config/standard.yml.erb
@@ -519,9 +519,9 @@ buildvariants:
     matrix_spec:
       ruby: <%= supported_mri_rubies_3_ubuntu %>
       os: ubuntu2204
-    display_name: "Atlas tests ${ruby}"
+    display_name: "Atlas  connectivity tests ${ruby}"
     tasks:
-       - name: testatlas_task_group
+       - name: test-atlas
 
   - matrix_name: "aws-lambda"
     matrix_spec:
diff --git a/.evergreen/run-tests-atlas.sh b/.evergreen/run-tests-atlas.sh
@@ -14,23 +14,6 @@ bundle_install
 
 echo "Running specs"
 
-test_status=0
-export ATLAS_URI=$MONGODB_URI
-
-if test -z "$ATLAS_URI"; then
-	echo "The \$$uri environment variable was not set" 1>&2
-	test_status=1
-fi
+export ATLAS_TESTING=1
 
 bundle exec rspec spec/atlas -fd
-this_test_status=$?
-echo "TEST STATUS"
-echo ${this_test_status}
-
-if test $this_test_status != 0; then
-	test_status=$this_test_status
-fi
-
-kill_jruby
-
-exit ${test_status}
diff --git a/lib/mongo/socket/ssl.rb b/lib/mongo/socket/ssl.rb
@@ -23,6 +23,7 @@ class Socket
     # @since 2.0.0
     class SSL < Socket
       include OpenSSL
+      include Loggable
 
       # Initializes a new TLS socket.
       #
@@ -455,12 +456,15 @@ def verify_certificate!(socket)
       end
 
       def verify_ocsp_endpoint!(socket, timeout = nil)
-        unless verify_ocsp_endpoint?
-          return
-        end
+        return unless verify_ocsp_endpoint?
 
         cert = socket.peer_cert
-        ca_cert = socket.peer_cert_chain.last
+        ca_cert = find_issuer(cert, socket.peer_cert_chain)
+
+        unless ca_cert
+          log_warn("TLS certificate of '#{host_name}' could not be definitively verified via OCSP: issuer certificate not found in the chain.")
+          return
+        end
 
         verifier = OcspVerifier.new(@host_name, cert, ca_cert, context.cert_store,
           **Utils.shallow_symbolize_keys(options).merge(timeout: timeout))
@@ -503,6 +507,11 @@ def extract_certs(text)
           end
         end
       end
+
+      # Find the issuer certificate in the chain.
+      def find_issuer(cert, cert_chain)
+        cert_chain.find { |c| c.subject == cert.issuer }
+      end
     end
   end
 end
diff --git a/spec/atlas/atlas_connectivity_spec.rb b/spec/atlas/atlas_connectivity_spec.rb
@@ -1,27 +1,86 @@
 # frozen_string_literal: true
-# rubocop:todo all
 
 require 'lite_spec_helper'
+require 'base64'
+require 'tempfile'
+
+RSpec.shared_examples 'atlas connectivity test' do
+  after do
+    client.close
+  rescue StandardError
+    # no-op
+  end
+
+  it 'runs hello successfully' do
+    expect { client.database.command(ping: 1) }
+      .not_to raise_error
+  end
+end
 
 describe 'Atlas connectivity' do
-  let(:uri) { ENV['ATLAS_URI'] }
-  let(:client) { Mongo::Client.new(uri) }
+  before do
+    skip 'These tests must be run against a live Atlas cluster' unless ENV['ATLAS_TESTING']
+  end
 
-  require_atlas
+  context 'with regular authentication' do
+    regular_auth_env_vars = %w[
+      ATLAS_REPLICA_SET_URI
+      ATLAS_SHARDED_URI
+      ATLAS_FREE_TIER_URI
+      ATLAS_TLS11_URI
+      ATLAS_TLS12_URI
+    ]
 
-  describe 'connection to Atlas' do
-    after do
-      client.close
-    end
+    regular_auth_env_vars.each do |uri_var|
+      describe "Connecting to #{uri_var}" do
+        before do
+          raise "Environment variable #{uri_var} is not set" unless ENV[uri_var]
+        end
+
+        let(:uri) { ENV[uri_var] }
 
-    it 'runs ismaster successfully' do
-      expect { client.database.command(:hello => 1) }
-        .not_to raise_error
+        let(:client) { Mongo::Client.new(uri) }
+
+        include_examples 'atlas connectivity test'
+      end
     end
+  end
+
+  context 'with X.509 authentication' do
+    x509_auth_env_vars = [
+      %w[ATLAS_X509_URI ATLAS_X509_CERT_BASE64],
+      %w[ATLAS_X509_DEV_URI ATLAS_X509_DEV_CERT_BASE64]
+    ]
+
+    x509_auth_env_vars.each do |uri_var, cert_var|
+      describe "Connecting to #{uri_var} with certificate" do
+        before do
+          raise "Environment variable #{uri_var} is not set" unless ENV[uri_var]
+        end
+
+        let(:client_cert) do
+          decoded = Base64.strict_decode64(ENV[cert_var])
+          cert_file = Tempfile.new([ 'x509-cert', '.pem' ])
+          cert_file.write(decoded)
+          File.chmod(0o600, cert_file.path)
+          cert_file.close
+          cert_file
+        end
+
+        let(:uri) do
+          "#{ENV[uri_var]}&tlsCertificateKeyFile=#{URI::DEFAULT_PARSER.escape(client_cert.path)}"
+        end
+
+        let(:client) do
+          Mongo::Client.new(uri)
+        end
+
+        after do
+          client_cert&.unlink
+        end
 
-    it 'runs findOne successfully' do
-      expect { client.use(:test)['test'].find.to_a }
-        .not_to raise_error
+        include_examples 'atlas connectivity test'
+      end
     end
   end
 end
diff --git a/spec/atlas/operations_spec.rb b/spec/atlas/operations_spec.rb
diff --git a/spec/integration/ocsp_verifier_spec.rb b/spec/integration/ocsp_verifier_spec.rb
