mongodb · vbabanin · Apr 9, 2026 · Apr 9, 2026 · Copilot · Apr 9, 2026
@@ -1740,6 +1740,12 @@ axes:
         display_name: "8.0"
         variables:
           VERSION: "8.0"
+      # 8.2 is used solely for Windows testing. MongoDB 8.0 binaries are affected by SERVER-116018 on Windows,
+      # and the fix is only available starting from 8.2.
+      - id: "8.2"
+        display_name: "8.2"
+        variables:
+          VERSION: "8.2"
       - id: "7.0"
         display_name: "7.0"
         variables:
@@ -1770,6 +1776,9 @@ axes:
       - id: "ubuntu"
         display_name: "Ubuntu"
         run_on: "ubuntu2004-small"
+      - id: "windows"
+        display_name: "Windows"
+        run_on: "windows-2022-latest-small"
 
   - id: "topology"
     display_name: "Topology"
@@ -2403,6 +2412,22 @@ buildvariants:
       - name: "test-core-task"
       - name: "test-legacy-task"
 
+  - matrix_name: "tests-jdk-secure-windows"
+    matrix_spec: { auth: "auth", ssl: "ssl", jdk: "jdk17",
+                   version: [ "8.2" ],
+                   topology: "*", os: "windows" }
+    display_name: "${os}: ${version} ${topology} ${auth} ${ssl} ${jdk}"
+    tags: [ "tests-variant" ]
+    tasks:
+      - name: "test-sync-task"
+        exec_timeout_secs: 7200
+      - name: "test-reactive-task"
+        exec_timeout_secs: 7200
+      - name: "test-core-task"
+        exec_timeout_secs: 7200
+      - name: "test-legacy-task"
+        exec_timeout_secs: 7200
+
   - matrix_name: "tests-require-api-version"
     matrix_spec: { api-version: "required", auth: "auth", ssl: "nossl", jdk: [ "jdk21" ], version: [ "5.0", "6.0", "7.0", "8.0", "latest" ],
                    topology: "standalone", os: "linux" }
@@ -2540,6 +2565,15 @@ buildvariants:
     tasks:
       - name: "csfle-tests-with-mongocryptd-task"
 
+  - matrix_name: "csfle-tests-with-mongocryptd-windows"
+    matrix_spec: { os: "windows",
+                   version: [ "8.0", "latest" ],
+                   topology: [ "replicaset" ] }
+    display_name: "${os} CSFLE with mongocryptd: ${version}"
+    tasks:
+      - name: "csfle-tests-with-mongocryptd-task"
+        exec_timeout_secs: 7200
+
   - matrix_name: "socks5-tests"
     matrix_spec: { os: "linux", ssl: [ "nossl", "ssl" ], version: [ "latest" ], topology: [ "replicaset" ], socks-auth: [ "auth", "noauth" ] }
     display_name: "SOCKS5 proxy ${socks-auth} : ${version} ${topology} ${ssl} ${jdk} ${os}"

@@ -39,8 +39,16 @@ provision_ssl () {
   cp ${JAVA_HOME}/lib/security/cacerts mongo-truststore
   ${JAVA_HOME}/bin/keytool -importcert -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -keystore mongo-truststore -storepass changeit -storetype JKS -noprompt
 
+  # Use native paths on Windows (cygwin paths like /cygdrive/c/... are not understood by the JDK)
+  local CURRENT_DIR
+  if [ "Windows_NT" == "$OS" ]; then
+    CURRENT_DIR=$(cygpath -m "$(pwd)")
+  else
+    CURRENT_DIR=$(pwd)
+  fi
+
   # We add extra gradle arguments for SSL
-  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=`pwd`/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=changeit"
+  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=${CURRENT_DIR}/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=${CURRENT_DIR}/mongo-truststore -Pssl.trustStorePassword=changeit"
 }
 
 ############################################

@@ -62,8 +62,16 @@ provision_ssl () {
   cp ${JAVA_HOME}/lib/security/cacerts mongo-truststore
   ${JAVA_HOME}/bin/keytool -importcert -trustcacerts -file ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -keystore mongo-truststore -storepass changeit -storetype JKS -noprompt
 
+  # Use native paths on Windows (cygwin paths like /cygdrive/c/... are not understood by the JDK)
+  local CURRENT_DIR
+  if [ "Windows_NT" == "$OS" ]; then
+    CURRENT_DIR=$(cygpath -m "$(pwd)")
+  else
+    CURRENT_DIR=$(pwd)
+  fi
+
   # We add extra gradle arguments for SSL
-  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=`pwd`/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=changeit"
+  export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=${CURRENT_DIR}/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=${CURRENT_DIR}/mongo-truststore -Pssl.trustStorePassword=changeit"
 }
 
 provision_multi_mongos_uri_for_ssl () {
@@ -124,6 +132,12 @@ if [ ! -z "$REQUIRE_API_VERSION" ]; then
   export API_VERSION="-Dorg.mongodb.test.api.version=1"
 fi
 
+# Log Windows version info for diagnostics
+if [ "Windows_NT" == "$OS" ]; then
+  echo "Windows build info:"
+  cmd /c ver
+fi
+
 echo "Running $AUTH tests over $SSL for $TOPOLOGY and connecting to $MONGODB_URI"
 
 echo "Running tests with Java ${JAVA_VERSION}"

@@ -1,9 +1,16 @@
 # Java configurations for evergreen
 
-export JDK8="/opt/java/jdk8"
-export JDK11="/opt/java/jdk11"
-export JDK17="/opt/java/jdk17"
-export JDK21="/opt/java/jdk21"
+if [ "Windows_NT" == "$OS" ]; then
+  export JDK8="/cygdrive/c/java/jdk8"
+  export JDK11="/cygdrive/c/java/jdk11"
+  export JDK17="/cygdrive/c/java/jdk17"
+  export JDK21="/cygdrive/c/java/jdk21"
+else
+  export JDK8="/opt/java/jdk8"
+  export JDK11="/opt/java/jdk11"
+  export JDK17="/opt/java/jdk17"
+  export JDK21="/opt/java/jdk21"
+fi
 # note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
 # by dynamically constructing the variable name
 export JDK21_GRAALVM="/opt/java/jdk21-graalce"
-else
-  export JDK8="/opt/java/jdk8"
-  export JDK11="/opt/java/jdk11"
-  export JDK17="/opt/java/jdk17"
-  export JDK21="/opt/java/jdk21"
-fi
-# note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
-# by dynamically constructing the variable name
-export JDK21_GRAALVM="/opt/java/jdk21-graalce"
+  # note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
+  # by dynamically constructing the variable name
+  export JDK21_GRAALVM="/cygdrive/c/java/jdk21-graalce"
+else
+  export JDK8="/opt/java/jdk8"
+  export JDK11="/opt/java/jdk11"
+  export JDK17="/opt/java/jdk17"
+  export JDK21="/opt/java/jdk21"
+  # note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
+  # by dynamically constructing the variable name
+  export JDK21_GRAALVM="/opt/java/jdk21-graalce"
+fi
-else
-  export JDK8="/opt/java/jdk8"
-  export JDK11="/opt/java/jdk11"
-  export JDK17="/opt/java/jdk17"
-  export JDK21="/opt/java/jdk21"
-fi
-# note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
-# by dynamically constructing the variable name
-export JDK21_GRAALVM="/opt/java/jdk21-graalce"
+  # note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
+  # by dynamically constructing the variable name
+  export JDK21_GRAALVM="/cygdrive/c/java/jdk21-graalce"
+else
+  export JDK8="/opt/java/jdk8"
+  export JDK11="/opt/java/jdk11"
+  export JDK17="/opt/java/jdk17"
+  export JDK21="/opt/java/jdk21"
+  # note that `JDK21_GRAALVM` is used in `run-graalvm-native-image-app.sh`
+  # by dynamically constructing the variable name
+  export JDK21_GRAALVM="/opt/java/jdk21-graalce"
+fi

@@ -86,7 +86,8 @@ public static List<BsonDocument> getTestDocuments(final String resourcePath) {
                     public FileVisitResult visitFile(final Path filePath, final BasicFileAttributes attrs) throws IOException {
                         if (filePath.toString().endsWith(".json")) {
                             if (fileSystem == null) {
-                                files.add(getTestDocumentWithMetaData(filePath.toString().substring(filePath.toString().lastIndexOf(resourcePath))));
+                                String filePathStr = filePath.toString().replace('\\', '/');
+                                files.add(getTestDocumentWithMetaData(filePathStr.substring(filePathStr.lastIndexOf(resourcePath))));
                             } else {
                                 files.add(getTestDocumentWithMetaData(filePath.toString()));
                             }

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2008-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.mongodb.internal;
+
+import com.mongodb.lang.Nullable;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.function.UnaryOperator;
+
+/**
+ * Centralized access to environment variables. All production code should use
+ * this class instead of calling {@link System#getenv(String)} directly.
- * Centralized access to environment variables. All production code should use
- * this class instead of calling {@link System#getenv(String)} directly.
+ * Centralized access to environment variables for driver-core production code.
+ * Production code in this module should use this class instead of calling
+ * {@link System#getenv(String)} directly.
- * Centralized access to environment variables. All production code should use
- * this class instead of calling {@link System#getenv(String)} directly.
+ * Centralized access to environment variables for driver-core production code.
+ * Production code in this module should use this class instead of calling
+ * {@link System#getenv(String)} directly.
+ *
+ * <p>Tests can override values via {@link #envOverride()}.</p>
+ */
+public final class EnvironmentProvider {
+    private static UnaryOperator<String> envLookup = System::getenv;
+
+    private EnvironmentProvider() {
+    }
+
+    @Nullable
+    public static String getEnv(final String key) {
+        return envLookup.apply(key);
+    }
+
+    /** Exists only for testing **/
+    public static EnvironmentOverride envOverride() {
+        return new EnvironmentOverride();
+    }
+
+    public static final class EnvironmentOverride implements AutoCloseable {
+        private final Map<String, String> overrides = new HashMap<>();
+        private final UnaryOperator<String> original;
+
+        private EnvironmentOverride() {
+            original = envLookup;
+            envLookup = key -> overrides.containsKey(key)
+                    ? overrides.get(key)
+                    : original.apply(key);
+        }
+
+        public EnvironmentOverride set(final String key, @Nullable final String value) {
+            overrides.put(key, value);
+            return this;
+        }
+
+        @Override
+        public void close() {
+            envLookup = original;
+        }
+    }
+}
@@ -17,6 +17,7 @@
 package com.mongodb.internal.authentication;
 
 import com.mongodb.AwsCredential;
+import com.mongodb.internal.EnvironmentProvider;
 import org.bson.BsonDocument;
 
 import java.util.HashMap;
@@ -29,7 +30,7 @@ class BuiltInAwsCredentialSupplier implements Supplier<AwsCredential> {
 
     @Override
     public AwsCredential get() {
-        if (System.getenv("AWS_ACCESS_KEY_ID") != null) {
+        if (EnvironmentProvider.getEnv("AWS_ACCESS_KEY_ID") != null) {
             return obtainFromEnvironmentVariables();
         } else {
             return obtainFromEc2OrEcsResponse();
@@ -38,13 +39,13 @@ public AwsCredential get() {
 
     private static AwsCredential obtainFromEnvironmentVariables() {
         return new AwsCredential(
-                System.getenv("AWS_ACCESS_KEY_ID"),
-                System.getenv("AWS_SECRET_ACCESS_KEY"),
-                System.getenv("AWS_SESSION_TOKEN"));
+                EnvironmentProvider.getEnv("AWS_ACCESS_KEY_ID"),
+                EnvironmentProvider.getEnv("AWS_SECRET_ACCESS_KEY"),
+                EnvironmentProvider.getEnv("AWS_SESSION_TOKEN"));
     }
 
     private static AwsCredential obtainFromEc2OrEcsResponse() {
-        String path = System.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
+        String path = EnvironmentProvider.getEnv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
         BsonDocument ec2OrEcsResponse = path == null ? BsonDocument.parse(getEc2Response()) : BsonDocument.parse(getEcsResponse(path));
 
         return new AwsCredential(

@@ -16,13 +16,12 @@
 
 package com.mongodb.internal.connection;
 
+import com.mongodb.internal.EnvironmentProvider;
 import com.mongodb.lang.Nullable;
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 
 enum FaasEnvironment {
     AWS_LAMBDA("aws.lambda"),
@@ -31,8 +30,6 @@ enum FaasEnvironment {
     VERCEL("vercel"),
     UNKNOWN(null);
 
-    static final Map<String, String> ENV_OVERRIDES_FOR_TESTING = new HashMap<>();
-
     static FaasEnvironment getFaasEnvironment() {
         List<FaasEnvironment> result = new ArrayList<>();
         String awsExecutionEnv = getEnv("AWS_EXECUTION_ENV");
@@ -62,10 +59,7 @@ static FaasEnvironment getFaasEnvironment() {
 
     @Nullable
     public static String getEnv(final String key) {
-        if (ENV_OVERRIDES_FOR_TESTING.containsKey(key)) {
-            return ENV_OVERRIDES_FOR_TESTING.get(key);
-        }
-        return System.getenv(key);
+        return EnvironmentProvider.getEnv(key);
     }
 
     @Nullable

@@ -17,6 +17,7 @@
 package com.mongodb.internal.connection;
 
 import com.mongodb.AuthenticationMechanism;
+import com.mongodb.internal.EnvironmentProvider;
 import com.mongodb.MongoClientException;
 import com.mongodb.MongoCommandException;
 import com.mongodb.MongoConfigurationException;
@@ -235,8 +236,8 @@ private static OidcCallback getTestCallback() {
     @VisibleForTesting(otherwise = VisibleForTesting.AccessModifier.PRIVATE)
     static OidcCallback getK8sCallback() {
         return (context) -> {
-            String azure = System.getenv(K8S_AZURE_FILE);
-            String aws = System.getenv(K8S_AWS_FILE);
+            String azure = EnvironmentProvider.getEnv(K8S_AZURE_FILE);
+            String aws = EnvironmentProvider.getEnv(K8S_AWS_FILE);
             String path;
             if (azure != null) {
                 path = azure;
@@ -542,7 +543,7 @@ public boolean isComplete() {
     }
 
     private static String readTokenFromFile() {
-        String path = System.getenv(OIDC_TOKEN_FILE);
+        String path = EnvironmentProvider.getEnv(OIDC_TOKEN_FILE);
         if (path == null) {
             throw new MongoClientException(
                     format("Environment variable must be specified: %s", OIDC_TOKEN_FILE));

@@ -38,7 +38,7 @@
 import static com.mongodb.internal.observability.micrometer.MongodbObservation.LowCardinalityKeyNames.EXCEPTION_TYPE;
 import static com.mongodb.internal.observability.micrometer.MongodbObservation.MONGODB_OBSERVATION;
 import static com.mongodb.internal.observability.micrometer.TracingManager.ENV_OBSERVABILITY_QUERY_TEXT_MAX_LENGTH;
-import static java.lang.System.getenv;
+import static com.mongodb.internal.EnvironmentProvider.getEnv;
 import static java.util.Optional.ofNullable;
 
 
@@ -75,7 +75,7 @@ public MicrometerTracer(final ObservationRegistry observationRegistry) {
     public MicrometerTracer(final ObservationRegistry observationRegistry, final boolean allowCommandPayload, final int textMaxLength) {
         this.allowCommandPayload = allowCommandPayload;
         this.observationRegistry = observationRegistry;
-        this.textMaxLength = ofNullable(getenv(ENV_OBSERVABILITY_QUERY_TEXT_MAX_LENGTH))
+        this.textMaxLength = ofNullable(getEnv(ENV_OBSERVABILITY_QUERY_TEXT_MAX_LENGTH))
                 .map(Integer::parseInt)
                 .orElse(textMaxLength);
     }

@@ -49,7 +49,7 @@
 import static com.mongodb.internal.observability.micrometer.MongodbObservation.LowCardinalityKeyNames.SYSTEM;
 import static com.mongodb.internal.observability.micrometer.MongodbObservation.LowCardinalityKeyNames.TRANSACTION_NUMBER;
 import static com.mongodb.internal.observability.micrometer.MongodbObservation.LowCardinalityKeyNames.CURSOR_ID;
-import static java.lang.System.getenv;
+import static com.mongodb.internal.EnvironmentProvider.getEnv;
 
 /**
  * Manages tracing spans for MongoDB driver activities.
@@ -93,7 +93,7 @@ public TracingManager(@Nullable final ObservabilitySettings observabilitySetting
                 throw new IllegalArgumentException("Only Micrometer based observability is currently supported");
             }
 
-            String envOtelInstrumentationEnabled = getenv(ENV_OBSERVABILITY_ENABLED);
+            String envOtelInstrumentationEnabled = getEnv(ENV_OBSERVABILITY_ENABLED);
             boolean enableTracing = true;
             if (envOtelInstrumentationEnabled != null) {
                 enableTracing = Boolean.parseBoolean(envOtelInstrumentationEnabled);

@@ -16,11 +16,9 @@
 
 package com.mongodb.client;
 
-import com.mongodb.internal.connection.FaasEnvironmentAccessor;
+import com.mongodb.internal.EnvironmentProvider;
 import com.mongodb.lang.Nullable;
 
-import java.util.Map;
-
 @FunctionalInterface
 public interface WithWrapper {
 
@@ -32,22 +30,12 @@ static WithWrapper withWrapper() {
 
     default WithWrapper withEnvironmentVariable(final String name, @Nullable final String value) {
         return runnable -> {
-            Map<String, String> innerMap = FaasEnvironmentAccessor.getFaasEnvMap();
-            String original = innerMap.get(name);
-            if (value == null) {
-                innerMap.remove(name);
-            } else {
-                innerMap.put(name, value);
-            }
-            try {
-                this.run(runnable);
-            } finally {
-                if (original == null) {
-                    innerMap.remove(name);
-                } else {
-                    innerMap.put(name, original);
+            this.run(() -> {
+                try (EnvironmentProvider.EnvironmentOverride env = EnvironmentProvider.envOverride()) {
+                    env.set(name, value);
+                    runnable.run();
                 }
-            }
+            });
         };
     }
 

@@ -234,7 +234,7 @@ void testDockerMetadataIncluded() {
     @Test
     void testDockerAndKubernetesMetadataIncluded() {
         try (MockedStatic<Files> pathsMockedStatic = Mockito.mockStatic(Files.class)) {
-            Path path = Paths.get(File.separator + "/.dockerenv");
+            Path path = Paths.get(File.separator + ".dockerenv");
             pathsMockedStatic.when(() -> Files.exists(path)).thenReturn(true);
 
             withWrapper()