From 6b9a3afd3d9f2d2d048007d6c8166b880ffc66cc Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 3 Nov 2022 10:03:18 -0500
Subject: [PATCH 1/8] PYTHON-3501 Ensure Auth Environment Variables are Always Dynamic
---
 test/auth_aws/test_auth_aws.py | 61 ++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 372806bd24..f4e8303482 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -111,6 +111,67 @@ def test_poisoned_cache(self):
 client.get_database().test.find_one()
 self.assertNotEqual(auth.get_cached_credentials(), None)
+ def test_environment_variables_ignored(self):
+ creds = self.setup_cache()
+ self.assertIsNotNone(creds)
+ prev = os.environ.copy()
+
+ client = MongoClient(self.uri)
+ self.addCleanup(client.close)
+
+ client.get_database().test.find_one()
+
+ self.assertIsNotNone(auth.get_cached_credentials())
+
+ os.environ["AWS_ACCESS_KEY_ID"] = "foo"
+ os.environ["AWS_ACCESS_KEY_ID"] = "bar"
+ os.environ["AWS_SECRET_KEY"] = "baz"
+
+ client.get_database().test.find_one()
+
+ auth.set_cached_credentials(None)
+
+ client2 = MongoClient(self.uri)
+ self.addCleanup(client2.close)
+ with self.assertRaises(OperationFailure):
+ client2.get_database().test.find_one()
+
+ for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
+ if key not in prev:
+ del os.environ[key]
+ else:
+ os.environ[key] = prev[key]
+
+ def test_no_cache_environment_variables(self):
+ creds = self.setup_cache()
+ self.assertIsNotNone(creds)
+ prev = os.environ.copy()
+ os.environ["AWS_ACCESS_KEY_ID"] = creds.username
+ os.environ["AWS_SECRET_KEY"] = creds.password
+ if creds.token:
+ os.environ["AWS_SESSION_TOKEN"] = creds.token
+ auth.set_cached_credentials(None)
+
+ client = MongoClient(self.uri)
+ self.addCleanup(client.close)
+
+ client.get_database().test.find_one()
+
+ self.assertIsNone(auth.get_cached_credentials())
+
+ os.environ["AWS_ACCESS_KEY_ID"] = "foo"
+
+ client2 = MongoClient(self.uri)
+ self.addCleanup(client2.close)
+ with self.assertRaises(OperationFailure):
+ client2.get_database().test.find_one()
+
+ for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
+ if key not in prev:
+ del os.environ[key]
+ else:
+ os.environ[key] = prev[key]
+
 class TestAWSLambdaExamples(unittest.TestCase):
 def test_shared_client(self):
From 3f422a8cc75a3166d00665abd4e5c17e43533517 Mon Sep 17 00:00:00 2001
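Review bot: The restore loop at the end of `test_environment_variables_ignored` can raise `KeyError`: it runs `del os.environ[key]` for `AWS_SESSION_TOKEN` whenever that name is absent from `prev`, but this test never sets it; `os.environ.pop(key, None)` covers the absent case. The second assignment also reuses `AWS_ACCESS_KEY_ID`, so `"foo"` is overwritten and only two distinct variables are changed. In both tests the restore runs only after the last assertion, so a failing assertion leaves the placeholder values (or, in `test_no_cache_environment_variables`, the credentials returned by `setup_cache()`) in the process environment for every later test. Registering the restore with `self.addCleanup` before the first mutation would avoid that.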
From: Steven Silvester
Date: Thu, 3 Nov 2022 10:34:18 -0500
Subject: [PATCH 2/8] try again
---
 test/auth_aws/test_auth_aws.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index f4e8303482..1ceea4f81c 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -125,7 +125,7 @@ def test_environment_variables_ignored(self):
 os.environ["AWS_ACCESS_KEY_ID"] = "foo"
 os.environ["AWS_ACCESS_KEY_ID"] = "bar"
- os.environ["AWS_SECRET_KEY"] = "baz"
+ os.environ["AWS_SESSION_TOKEN"] = "baz"
 client.get_database().test.find_one()
@@ -167,7 +167,7 @@ def test_no_cache_environment_variables(self):
 client2.get_database().test.find_one()
 for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
- if key not in prev:
+ if key not in prev and key in os.environ:
 del os.environ[key]
 else:
 os.environ[key] = prev[key]
From 75ee7b8cf8a1c359052de9fe3f0ee9de875e0e16 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 3 Nov 2022 10:40:40 -0500
Subject: [PATCH 3/8] try again
---
 test/auth_aws/test_auth_aws.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 1ceea4f81c..05135d59d3 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -124,7 +124,7 @@ def test_environment_variables_ignored(self):
 self.assertIsNotNone(auth.get_cached_credentials())
 os.environ["AWS_ACCESS_KEY_ID"] = "foo"
- os.environ["AWS_ACCESS_KEY_ID"] = "bar"
+ os.environ["AWS_SECRET_KEY"] = "bar"
 os.environ["AWS_SESSION_TOKEN"] = "baz"
 client.get_database().test.find_one()
@@ -137,7 +137,7 @@ def test_environment_variables_ignored(self):
 client2.get_database().test.find_one()
 for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
- if key not in prev:
+ if key not in prev and key in os.environ:
 del os.environ[key]
 else:
 os.environ[key] = prev[key]
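Review bot: The new guard `if key not in prev and key in os.environ:` in the restore loop of `test_no_cache_environment_variables` (patch 2, hunk `@@ -167,7 +167,7 @@`) sends a key that is in neither mapping to the `else` branch, where `prev[key]` raises `KeyError`. That happens for `AWS_SESSION_TOKEN` when `creds.token` is empty and the variable was not set before the test. Patch 3 copies the same guard into `test_environment_variables_ignored` (hunk `@@ -137,7 +137,7 @@`), where it only works because that test sets every listed name. Testing the saved copy first handles all cases: `if key in prev: os.environ[key] = prev[key]` followed by `else: os.environ.pop(key, None)`.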
From 328dc95b79f78fcc727173bfeb7da32eb2944074 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 3 Nov 2022 10:51:00 -0500
Subject: [PATCH 4/8] try again
---
 test/auth_aws/test_auth_aws.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 05135d59d3..e19979faeb 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -124,7 +124,7 @@ def test_environment_variables_ignored(self):
 self.assertIsNotNone(auth.get_cached_credentials())
 os.environ["AWS_ACCESS_KEY_ID"] = "foo"
- os.environ["AWS_SECRET_KEY"] = "bar"
+ os.environ["AWS_SECRET_ACCESS_KEY"] = "bar"
 os.environ["AWS_SESSION_TOKEN"] = "baz"
 client.get_database().test.find_one()
@@ -136,7 +136,7 @@ def test_environment_variables_ignored(self):
 with self.assertRaises(OperationFailure):
 client2.get_database().test.find_one()
- for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
+ for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_ACCESS_KEY"]:
 if key not in prev and key in os.environ:
 del os.environ[key]
 else:
@@ -147,7 +147,7 @@ def test_no_cache_environment_variables(self):
 self.assertIsNotNone(creds)
 prev = os.environ.copy()
 os.environ["AWS_ACCESS_KEY_ID"] = creds.username
- os.environ["AWS_SECRET_KEY"] = creds.password
+ os.environ["AWS_SECRET_ACCESS_KEY"] = creds.password
 if creds.token:
 os.environ["AWS_SESSION_TOKEN"] = creds.token
 auth.set_cached_credentials(None)
@@ -166,7 +166,7 @@ def test_no_cache_environment_variables(self):
 with self.assertRaises(OperationFailure):
 client2.get_database().test.find_one()
- for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_KEY"]:
+ for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_ACCESS_KEY"]:
 if key not in prev and key in os.environ:
 del os.environ[key]
 else:
From eb64ee29100c327d507c0088115757da929b4d46 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 4 Nov 2022 07:56:58 -0500
Subject: [PATCH 5/8] use mock os.environ
---
 test/auth_aws/test_auth_aws.py | 39 +++++++++++++---------------------
 1 file changed, 15 insertions(+), 24 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index e19979faeb..9e2cf544e0 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -17,6 +17,7 @@
 import os
 import sys
 import unittest
+from unittest.mock import patch
 sys.path[0:0] = [""]
@@ -123,11 +124,12 @@ def test_environment_variables_ignored(self):
 self.assertIsNotNone(auth.get_cached_credentials())
- os.environ["AWS_ACCESS_KEY_ID"] = "foo"
- os.environ["AWS_SECRET_ACCESS_KEY"] = "bar"
- os.environ["AWS_SESSION_TOKEN"] = "baz"
+ mock_env = dict(
+ AWS_ACCESS_KEY_ID="foo", AWS_SECRET_ACCESS_KEY="bar", AWS_SESSION_TOKEN="baz"
+ )
- client.get_database().test.find_one()
+ with patch.dict(os.environ, mock_env):
+ client.get_database().test.find_one()
 auth.set_cached_credentials(None)
@@ -136,41 +138,30 @@ def test_environment_variables_ignored(self):
 with self.assertRaises(OperationFailure):
 client2.get_database().test.find_one()
-
- for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_ACCESS_KEY"]:
- if key not in prev and key in os.environ:
- del os.environ[key]
- else:
- os.environ[key] = prev[key]
-
 def test_no_cache_environment_variables(self):
 creds = self.setup_cache()
 self.assertIsNotNone(creds)
- prev = os.environ.copy()
- os.environ["AWS_ACCESS_KEY_ID"] = creds.username
- os.environ["AWS_SECRET_ACCESS_KEY"] = creds.password
- if creds.token:
- os.environ["AWS_SESSION_TOKEN"] = creds.token
 auth.set_cached_credentials(None)
+ mock_env = dict(AWS_ACCESS_KEY_ID=creds.username, AWS_SECRET_ACCESS_KEY=creds.password)
+ if creds.token:
+ mock_env["AWS_SESSION_TOKEN"] = creds.token
+
 client = MongoClient(self.uri)
 self.addCleanup(client.close)
- client.get_database().test.find_one()
+ with patch.dict(os.environ, mock_env):
+ client.get_database().test.find_one()
 self.assertIsNone(auth.get_cached_credentials())
- os.environ["AWS_ACCESS_KEY_ID"] = "foo"
+ mock_env["AWS_ACCESS_KEY_ID"] = "foo"
 client2 = MongoClient(self.uri)
 self.addCleanup(client2.close)
- with self.assertRaises(OperationFailure):
- client2.get_database().test.find_one()
- for key in ["AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_SECRET_ACCESS_KEY"]:
- if key not in prev and key in os.environ:
- del os.environ[key]
- else:
- os.environ[key] = prev[key]
+ with patch.dict(os.environ, mock_env), self.assertRaises(OperationFailure):
+ client2.get_database().test.find_one()
 class TestAWSLambdaExamples(unittest.TestCase):
From 17ca4c562ab1f7bb88eb87f79dc683a00e66f376 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 4 Nov 2022 09:22:41 -0500
Subject: [PATCH 6/8] try again
---
 test/auth_aws/test_auth_aws.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
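Review bot: `prev = os.environ.copy()` in `test_environment_variables_ignored` appears to be left behind. Hunk `@@ -136,41 +138,30 @@` of patch 5 deletes the restore loop that was its only reader and drops the matching line from `test_no_cache_environment_variables`, but no visible hunk removes it from the first test; the line sits above the hunk, so this is inferred. Removing it avoids holding an unused full copy of the process environment, which on this runner can include credentials. Separately, `patch.dict(os.environ, mock_env)` only overrides the keys it is given, so when `creds.token` is empty an `AWS_SESSION_TOKEN` already exported on the runner stays visible to the client. Calling `os.environ.pop("AWS_SESSION_TOKEN", None)` inside the `with` block in that case would make the test independent of the ambient environment.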
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 9e2cf544e0..51f0d6ba5b 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -160,8 +160,9 @@ def test_no_cache_environment_variables(self):
 client2 = MongoClient(self.uri)
 self.addCleanup(client2.close)
- with patch.dict(os.environ, mock_env), self.assertRaises(OperationFailure):
- client2.get_database().test.find_one()
+ with patch.dict(os.environ, mock_env):
+ with self.assertRaises(OperationFailure):
+ client2.get_database().test.find_one()
 class TestAWSLambdaExamples(unittest.TestCase):
From 8a07332b041f02ea0b3a794203157b8a33ef8602 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 4 Nov 2022 09:34:33 -0500
Subject: [PATCH 7/8] try again
---
 test/auth_aws/test_auth_aws.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 51f0d6ba5b..24dbfe6a29 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -128,7 +128,8 @@ def test_environment_variables_ignored(self):
 AWS_ACCESS_KEY_ID="foo", AWS_SECRET_ACCESS_KEY="bar", AWS_SESSION_TOKEN="baz"
 )
- with patch.dict(os.environ, mock_env):
+ with patch.dict("os.environ", mock_env):
+ self.assertEqual(os.environ["AWS_ACCESS_KEY_ID"], "foo")
 client.get_database().test.find_one()
 auth.set_cached_credentials(None)
@@ -151,6 +152,7 @@ def test_no_cache_environment_variables(self):
 self.addCleanup(client.close)
 with patch.dict(os.environ, mock_env):
+ self.assertEqual(os.environ["AWS_ACCESS_KEY_ID"], creds.username)
 client.get_database().test.find_one()
 self.assertIsNone(auth.get_cached_credentials())
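Review bot: `self.assertEqual(os.environ["AWS_ACCESS_KEY_ID"], creds.username)` in hunk `@@ -151,6 +152,7 @@` prints both operands when it fails, so what is presumably a live access key ID would be written to the CI log. `self.assertTrue(os.environ["AWS_ACCESS_KEY_ID"] == creds.username)` checks the same condition without echoing the value. This patch also switches other call sites to `patch.dict("os.environ", ...)` while this hunk keeps `patch.dict(os.environ, ...)`; one spelling throughout the file would read better. The test body continues outside the hunk.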
@@ -160,9 +162,9 @@ def test_no_cache_environment_variables(self):
 client2 = MongoClient(self.uri)
 self.addCleanup(client2.close)
- with patch.dict(os.environ, mock_env):
- with self.assertRaises(OperationFailure):
- client2.get_database().test.find_one()
+ with patch.dict("os.environ", mock_env), self.assertRaises(OperationFailure):
+ self.assertEqual(os.environ["AWS_ACCESS_KEY_ID"], "foo")
+ client2.get_database().test.find_one()
 class TestAWSLambdaExamples(unittest.TestCase):
From e2fa50c2f974d990e04b153da11256594f207ee2 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Fri, 4 Nov 2022 09:39:42 -0500
Subject: [PATCH 8/8] try again
---
 test/auth_aws/test_auth_aws.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/test/auth_aws/test_auth_aws.py b/test/auth_aws/test_auth_aws.py
index 24dbfe6a29..e0329a783e 100644
--- a/test/auth_aws/test_auth_aws.py
+++ b/test/auth_aws/test_auth_aws.py
@@ -136,8 +136,11 @@ def test_environment_variables_ignored(self):
 client2 = MongoClient(self.uri)
 self.addCleanup(client2.close)
- with self.assertRaises(OperationFailure):
- client2.get_database().test.find_one()
+
+ with patch.dict("os.environ", mock_env):
+ self.assertEqual(os.environ["AWS_ACCESS_KEY_ID"], "foo")
+ with self.assertRaises(OperationFailure):
+ client2.get_database().test.find_one()
 def test_no_cache_environment_variables(self):
 creds = self.setup_cache()
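Review bot: `test_environment_variables_ignored` has no docstring, and after patch 8's hunk `@@ -136,8 +136,11 @@` its name describes only the first half of what it checks. While a credential is cached the placeholder `AWS_*` values are ignored, but once `auth.set_cached_credentials(None)` has run the test expects those values to be read and authentication to fail. A docstring such as `"""Cached credentials take precedence over AWS_* variables; after the cache is cleared the variables are used."""` would state the contract being pinned. The function starts above the hunk.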