Fix tests for fips runs

salt/channel/server.py

@@ -53,6 +53,7 @@ class ReqServerChannel:
     def __init__(self, opts, transport):
         self.opts = opts
         self.transport = transport
+        self.event = None
         # self.event = salt.utils.event.get_master_event(
         #     self.opts, self.opts["sock_dir"], listen=False
         # )

tests/pytests/integration/pillar/cache/conftest.py

@@ -2,6 +2,8 @@ import shutil
 
 import pytest
 
+from tests.conftest import FIPS_TESTRUN
+
 
 @pytest.fixture(scope="package")
 def pillar_state_tree(tmp_path_factory):
@@ -22,8 +24,16 @@ def pillar_salt_master(salt_factories, pillar_state_tree):
             {"extra_minion_data_in_pillar": "*"},
         ],
     }
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
-        "pillar-cache-functional-master", defaults=config_defaults
+        "pillar-cache-functional-master",
+        defaults=config_defaults,
+        overrides=config_overrides,
     )
     with factory.started():
         yield factory
@@ -32,9 +42,15 @@ def pillar_salt_master(salt_factories, pillar_state_tree):
 @pytest.fixture(scope="package")
 def pillar_salt_minion(pillar_salt_master):
     assert pillar_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = pillar_salt_master.salt_minion_daemon(
         "pillar-cache-functional-minion-1",
         defaults={"open_mode": True, "hi": "there", "pass_to_ext_pillars": ["hi"]},
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All

tests/pytests/integration/states/test_x509_v2.py

@@ -11,6 +11,7 @@ import pytest
 from saltfactories.utils import random_string
 
 import salt.utils.x509 as x509util
+from tests.conftest import FIPS_TESTRUN
 
 try:
     import cryptography
@@ -123,8 +124,14 @@ def x509_data(
 
 @pytest.fixture(scope="module")
 def x509_salt_master(salt_factories, ca_minion_id, x509_master_config):
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
-        "x509-master", defaults=x509_master_config
+        "x509-master", defaults=x509_master_config, overrides=config_overrides
     )
     with factory.started():
         yield factory
@@ -184,9 +191,15 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key_enc, rsa_privkey, ca_new_ce
 @pytest.fixture(scope="module", autouse=True)
 def x509ca_salt_minion(x509_salt_master, ca_minion_id, ca_minion_config):
     assert x509_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = x509_salt_master.salt_minion_daemon(
         ca_minion_id,
         defaults=ca_minion_config,
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All
@@ -199,6 +212,11 @@ def x509ca_salt_minion(x509_salt_master, ca_minion_id, ca_minion_config):
 @pytest.fixture(scope="module")
 def x509_salt_minion(x509_salt_master, x509_minion_id):
     assert x509_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = x509_salt_master.salt_minion_daemon(
         x509_minion_id,
         defaults={
@@ -206,6 +224,7 @@ def x509_salt_minion(x509_salt_master, x509_minion_id):
             "features": {"x509_v2": True},
             "grains": {"testgrain": "foo"},
         },
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All

tests/pytests/scenarios/swarm/conftest.py

@@ -4,12 +4,21 @@ from contextlib import ExitStack
 import pytest
 from saltfactories.utils import random_string
 
+from tests.conftest import FIPS_TESTRUN
+
 
 @pytest.fixture(scope="package")
 def salt_master_factory(salt_factories):
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
         random_string("swarm-master-"),
         extra_cli_arguments_after_first_start_failure=["--log-level=info"],
+        overrides=config_overrides,
     )
     return factory
 

tests/pytests/unit/transport/test_zeromq.py

@@ -1061,7 +1061,6 @@ async def test_req_chan_decode_data_dict_entry_v2_bad_key(
         "ver": "2",
         "cmd": "_pillar",
     }
-
     try:
         with pytest.raises(salt.crypt.AuthenticationError) as excinfo:
             await client.crypted_transfer_decode_dictentry(
@@ -1104,8 +1103,12 @@ async def test_req_serv_auth_v1(pki_dir, minion_opts, master_opts):
     }
     master_opts.update(pki_dir=str(pki_dir.joinpath("master")))
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
+
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     pub = salt.crypt.get_rsa_pub_key(str(pki_dir.joinpath("minion", "minion.pub")))
@@ -1163,6 +1166,9 @@ async def test_req_serv_auth_v2(pki_dir, minion_opts, master_opts):
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     pub = salt.crypt.get_rsa_pub_key(str(pki_dir.joinpath("minion", "minion.pub")))
@@ -1224,6 +1230,9 @@ async def test_req_chan_auth_v2(pki_dir, io_loop, minion_opts, master_opts):
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1280,6 +1289,9 @@ async def test_req_chan_auth_v2_with_master_signing(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = True
     minion_opts["always_verify_signature"] = True
@@ -1319,6 +1331,9 @@ async def test_req_chan_auth_v2_with_master_signing(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     signin_payload = client.auth.minion_sign_in_payload()
@@ -1374,6 +1389,9 @@ async def test_req_chan_auth_v2_new_minion_with_master_pub(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1437,6 +1455,9 @@ async def test_req_chan_auth_v2_new_minion_with_master_pub_bad_sig(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1494,6 +1515,9 @@ async def test_req_chan_auth_v2_new_minion_without_master_pub(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False