Fix tests undef fips

This commit is contained in:
Daniel A. Wozniak 2024-05-26 21:28:55 -07:00 committed by Daniel Wozniak
parent 7322f3796b
commit 7b3a89c821
5 changed files with 81 additions and 36 deletions


@ -21,6 +21,7 @@ import salt.master
import salt.utils.platform
import salt.utils.process
import salt.utils.stringutils
from tests.conftest import FIPS_TESTRUN
log = logging.getLogger(__name__)
@ -63,14 +64,32 @@ def transport(request):
@pytest.fixture
def master_config(root_dir, transport):
master_conf = salt.config.master_config("")
master_conf["transport"] = transport
master_conf["id"] = "master"
master_conf["root_dir"] = str(root_dir)
master_conf["sock_dir"] = str(root_dir)
master_conf["interface"] = "127.0.0.1"
master_conf["publish_port"] = ports.get_unused_localhost_port()
master_conf["ret_port"] = ports.get_unused_localhost_port()
master_conf["pki_dir"] = str(root_dir / "pki")
master_conf.update(
transport=transport,
id="master",
root_dir=str(root_dir),
sock_dir=str(root_dir),
interface="127.0.0.1",
publish_port=ports.get_unused_localhost_port(),
ret_port=ports.get_unused_localhost_port(),
pki_dir=str(root_dir / "pki"),
fips_mode=FIPS_TESTRUN,
publish_signing_algorithm=(
"PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
),
)
# master_conf["transport"] = transport
# master_conf["id"] = "master"
# master_conf["root_dir"] = str(root_dir)
# master_conf["sock_dir"] = str(root_dir)
# master_conf["interface"] = "127.0.0.1"
# master_conf["publish_port"] = ports.get_unused_localhost_port()
# master_conf["ret_port"] = ports.get_unused_localhost_port()
# master_conf["pki_dir"] = str(root_dir / "pki")
# "fips_mode": FIPS_TESTRUN,
# "publish_signing_algorithm": (
# "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
# ),
os.makedirs(master_conf["pki_dir"])
salt.crypt.gen_keys(master_conf["pki_dir"], "master", 4096)
minions_keys = os.path.join(master_conf["pki_dir"], "minions")
@ -83,17 +102,22 @@ def minion_config(master_config, channel_minion_id):
minion_conf = salt.config.minion_config(
"", minion_id=channel_minion_id, cache_minion_id=False
)
minion_conf["transport"] = master_config["transport"]
minion_conf["root_dir"] = master_config["root_dir"]
minion_conf["id"] = channel_minion_id
minion_conf["sock_dir"] = master_config["sock_dir"]
minion_conf["ret_port"] = master_config["ret_port"]
minion_conf["interface"] = "127.0.0.1"
minion_conf["pki_dir"] = os.path.join(master_config["root_dir"], "pki_minion")
minion_conf.update(
transport=master_config["transport"],
root_dir=master_config["root_dir"],
id=channel_minion_id,
sock_dir=master_config["sock_dir"],
ret_port=master_config["ret_port"],
interface="127.0.0.1",
pki_dir=os.path.join(master_config["root_dir"], "pki_minion"),
master_port=master_config["ret_port"],
master_ip="127.0.0.1",
master_uri="tcp://127.0.0.1:{}".format(master_config["ret_port"]),
fips_mode=FIPS_TESTRUN,
encryption_algorithm="OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
signing_algorithm="PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
)
os.makedirs(minion_conf["pki_dir"])
minion_conf["master_port"] = master_config["ret_port"]
minion_conf["master_ip"] = "127.0.0.1"
minion_conf["master_uri"] = "tcp://127.0.0.1:{}".format(master_config["ret_port"])
salt.crypt.gen_keys(minion_conf["pki_dir"], "minion", 4096)
minion_pub = os.path.join(minion_conf["pki_dir"], "minion.pub")
pub_on_master = os.path.join(master_config["pki_dir"], "minions", channel_minion_id)
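Review bot: `publish_signing_algorithm` in the master_config fixture is set to `"PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"`, so both branches yield the same value and a non-FIPS run never exercises the SHA1 default that minion_config and the unit-test defaults use; the same no-op conditional appears in the pillar_salt_master and pillar_caching_salt_master fixtures of the next file. Presumably the else branch should read `"PKCS1v15-SHA1"`, mirroring `signing_algorithm="PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"` in minion_config. The commented-out assignments left under the `master_conf.update(...)` call (`# master_conf["transport"] = transport` through `# ),`) duplicate the live code and should be deleted rather than kept as history. Both fixture bodies continue beyond the hunks.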


@ -7,6 +7,8 @@ import shutil
import pytest
from tests.conftest import FIPS_TESTRUN
log = logging.getLogger(__name__)
@ -47,8 +49,16 @@ def pillar_salt_master(salt_factories, pillar_state_tree):
},
"minion_data_cache": False,
}
config_overrides = {
"fips_mode": FIPS_TESTRUN,
"publish_signing_algorithm": (
"PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
),
}
factory = salt_factories.salt_master_daemon(
"vault-policy-int-master-uncached", defaults=config_defaults
"vault-policy-int-master-uncached",
defaults=config_defaults,
overrides=config_overrides,
)
with factory.started():
yield factory
@ -72,8 +82,16 @@ def pillar_caching_salt_master(salt_factories, pillar_state_tree):
},
"minion_data_cache": True,
}
config_overrides = {
"fips_mode": FIPS_TESTRUN,
"publish_signing_algorithm": (
"PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
),
}
factory = salt_factories.salt_master_daemon(
"vault-policy-int-master-cached", defaults=config_defaults
"vault-policy-int-master-cached",
defaults=config_defaults,
overrides=config_overrides,
)
with factory.started():
yield factory
@ -85,6 +103,11 @@ def pillar_salt_minion(pillar_salt_master):
factory = pillar_salt_master.salt_minion_daemon(
"vault-policy-int-minion-uncached-1",
defaults={"open_mode": True, "grains": {"foo": "bar"}},
overrides={
"fips_mode": FIPS_TESTRUN,
"encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
"signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
},
)
with factory.started():
# Sync All
@ -100,6 +123,11 @@ def pillar_caching_salt_minion(pillar_caching_salt_master):
factory = pillar_caching_salt_master.salt_minion_daemon(
"vault-policy-int-minion-cached-1",
defaults={"open_mode": True, "grains": {"foo": "bar"}},
overrides={
"fips_mode": FIPS_TESTRUN,
"encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
"signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
},
)
with factory.started():
# Sync All
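Review bot: The FIPS override dicts are written out four times in this file — the master pair in pillar_salt_master and pillar_caching_salt_master, the minion pair in pillar_salt_minion and pillar_caching_salt_minion — with identical contents, so any later algorithm change has to be repeated in each place. Two module-level constants next to the `FIPS_TESTRUN` import would keep them in one spot, e.g. `MASTER_FIPS_OVERRIDES = {"fips_mode": FIPS_TESTRUN, "publish_signing_algorithm": ...}` and `MINION_FIPS_OVERRIDES = {"fips_mode": FIPS_TESTRUN, "encryption_algorithm": ..., "signing_algorithm": ...}` holding the existing expressions, passed as `overrides=MASTER_FIPS_OVERRIDES` and `overrides=MINION_FIPS_OVERRIDES`. The fixture bodies continue past the hunks.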


@ -12,6 +12,7 @@ import pytest
import salt.crypt
import salt.master
import salt.utils.files
from tests.conftest import FIPS_TESTRUN
PRIV_KEY = """
-----BEGIN RSA PRIVATE KEY-----
@ -152,6 +153,7 @@ def test_cryptical_dumps_invalid_nonce():
assert master_crypt.loads(ret, nonce="abcde")
@pytest.mark.skipif(FIPS_TESTRUN, reason="Legacy key can not be loaded in FIPS mode")
def test_verify_signature(tmp_path):
tmp_path.joinpath("foo.pem").write_text(PRIV_KEY.strip())
tmp_path.joinpath("foo.pub").write_text(PUB_KEY.strip())
@ -162,6 +164,7 @@ def test_verify_signature(tmp_path):
assert salt.crypt.verify_signature(str(tmp_path.joinpath("foo.pub")), msg, sig)
@pytest.mark.skipif(FIPS_TESTRUN, reason="Legacy key can not be loaded in FIPS mode")
def test_verify_signature_bad_sig(tmp_path):
tmp_path.joinpath("foo.pem").write_text(PRIV_KEY.strip())
tmp_path.joinpath("foo.pub").write_text(PUB_KEY.strip())


@ -9,6 +9,7 @@ import textwrap
import pytest
import salt.config
import salt.crypt
import salt.minion
import salt.syspaths
import salt.utils.files
@ -1797,6 +1798,11 @@ class ConfigTestCase(TestCase, AdaptedConfigurationTestCaseMixin):
"worker_threads": 5,
"hash_type": "sha256",
"log_file": "foo.log",
# Crypto config for minion
"encryption_algorithm": salt.crypt.OAEP_SHA1,
"signing_algorithm": salt.crypt.PKCS1v15_SHA1,
# Crypto config for master
"publish_signing_algorithm": salt.crypt.PKCS1v15_SHA1,
}
ret.update(kwargs)
return ret
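Review bot: The new defaults use the named constants `salt.crypt.OAEP_SHA1` and `salt.crypt.PKCS1v15_SHA1`, while the fixtures elsewhere in this commit spell the same algorithms as string literals (`"OAEP-SHA1"`, `"PKCS1v15-SHA1"`); using whichever constants salt.crypt exposes in those fixtures too would keep a typo from silently selecting an unknown algorithm name. These expected defaults are also fixed to SHA1 regardless of FIPS_TESTRUN, unlike the other fixtures; if that is intentional because salt.config's shipped defaults do not change under FIPS, a comment such as `# shipped salt.config defaults stay SHA1 in FIPS runs; FIPS fixtures override them` would make that explicit. The enclosing function starts outside the hunk.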


@ -116,22 +116,6 @@ class TestBadCryptodomePubKey(TestCase):
def tearDown(self):
shutil.rmtree(self.test_dir)
@pytest.mark.skipif(not HAS_M2, reason="Skip when m2crypto is not installed")
def test_m2_bad_key(self):
"""
Load public key with an invalid header using m2crypto and validate it
"""
key = salt.crypt.get_rsa_pub_key(self.key_path)
assert key.check_key() == 1
@pytest.mark.skipif(HAS_M2, reason="Skip when m2crypto is installed")
def test_crypto_bad_key(self):
"""
Load public key with an invalid header and validate it without m2crypto
"""
key = salt.crypt.get_rsa_pub_key(self.key_path)
assert key.can_encrypt()
class TestM2CryptoRegression47124(TestCase):