From 96395966dad8a1ec8284dbb23703bf6219b81dbd Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak"
Date: Wed, 29 May 2024 01:40:10 -0700
Subject: [PATCH] Fix scenarios tests under FIPS
---
tests/pytests/scenarios/blackout/conftest.py | 26 +++++++++++++++++--
tests/pytests/scenarios/compat/conftest.py | 5 ++++
.../scenarios/compat/test_with_versions.py | 8 ++++++
tests/pytests/scenarios/daemons/conftest.py | 6 +++++
tests/pytests/scenarios/dns/conftest.py | 9 +++++++
.../scenarios/dns/multimaster/conftest.py | 13 ++++++++++
.../failover/multimaster/conftest.py | 15 +++++++++++
.../multimaster/test_failover_master.py | 5 ++++
.../pytests/scenarios/multimaster/conftest.py | 1 -
tests/pytests/scenarios/reauth/conftest.py | 13 ++++++++++
tests/pytests/scenarios/swarm/conftest.py | 9 +++++++
11 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/tests/pytests/scenarios/blackout/conftest.py b/tests/pytests/scenarios/blackout/conftest.py
index a75c20f30ed..0e872ae34d4 100644
--- a/tests/pytests/scenarios/blackout/conftest.py
+++ b/tests/pytests/scenarios/blackout/conftest.py
@@ -5,6 +5,8 @@ import time import attr import pytest +from tests.conftest import FIPS_TESTRUN + @attr.s class BlackoutPillar:
@@ -126,9 +128,17 @@ def salt_master(salt_factories, pillar_state_tree): "pillar_roots": {"base": [str(pillar_state_tree)]}, "open_mode": True, } + config_overrides = { + "interface": "127.0.0.1", + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), + } factory = salt_factories.salt_master_daemon( "blackout-master", defaults=config_defaults, + overrides=config_overrides, extra_cli_arguments_after_first_start_failure=["--log-level=info"], ) with factory.started():
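Review bot: The conditional for `publish_signing_algorithm` in the new `config_overrides` of `salt_master` is a no-op, because both arms are `"PKCS1v15-SHA224"`, so the master is pinned to SHA-224 whether or not `FIPS_TESTRUN` is set. The minion overrides added elsewhere in this patch fall back to `PKCS1v15-SHA1` outside FIPS, which suggests the line was meant to read `"PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"`; if pinning SHA-224 everywhere is deliberate, replace the conditional with the plain literal and a comment saying so. As written, non-FIPS runs presumably no longer exercise the master's default publish-signing algorithm. The same expression is repeated in the master fixtures of compat, daemons, dns, dns/multimaster, failover/multimaster and reauth, and already appears in the context lines of multimaster/conftest.py. The body of `salt_master` starts and ends outside the hunk.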
@@ -138,7 +148,13 @@ def salt_master(salt_factories, pillar_state_tree): @pytest.fixture(scope="package") def salt_minion_1(salt_master): factory = salt_master.salt_minion_daemon( - "blackout-minion-1", defaults={"open_mode": True} + "blackout-minion-1", + defaults={"open_mode": True}, + overrides={ + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", + }, ) with factory.started(): yield factory
@@ -147,7 +163,13 @@ def salt_minion_1(salt_master): @pytest.fixture(scope="package") def salt_minion_2(salt_master): factory = salt_master.salt_minion_daemon( - "blackout-minion-2", defaults={"open_mode": True} + "blackout-minion-2", + defaults={"open_mode": True}, + overrides={ + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", + }, ) with factory.started(): yield factory
diff --git a/tests/pytests/scenarios/compat/conftest.py b/tests/pytests/scenarios/compat/conftest.py
index e42c4c9259a..899f35f2cdf 100644
--- a/tests/pytests/scenarios/compat/conftest.py
+++ b/tests/pytests/scenarios/compat/conftest.py
@@ -14,6 +14,7 @@ from saltfactories.daemons.container import Container from saltfactories.utils import random_string import salt.utils.path +from tests.conftest import FIPS_TESTRUN from tests.support.runtests import RUNTIME_VARS from tests.support.sminion import create_sminion
@@ -135,6 +136,10 @@ def salt_master( "log_level_logfile": "quiet", # We also want to scrutinize the key acceptance "open_mode": False, + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } # We need to copy the extension modules into the new master root_dir or
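Review bot: The three-key `overrides` dict added to `salt_minion_1` is repeated verbatim in `salt_minion_2` and again in the minion configuration of the compat, dns, dns/multimaster, failover/multimaster, reauth and swarm files, so every algorithm name is spelled out about a dozen times. Defining the mapping once next to `FIPS_TESTRUN` and importing it would keep the FIPS and non-FIPS algorithm names in a single place, where a mistyped digest shows up in one diff instead of hiding in one of many copies. Wherever it lives, a short comment should say why the non-FIPS arm names `OAEP-SHA1` and `PKCS1v15-SHA1` explicitly rather than leaving the keys unset; presumably these mirror the shipped defaults, and a hard-coded copy will not follow a later change of default.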
diff --git a/tests/pytests/scenarios/compat/test_with_versions.py b/tests/pytests/scenarios/compat/test_with_versions.py
index cc61a01f509..d79a608e0f5 100644
--- a/tests/pytests/scenarios/compat/test_with_versions.py
+++ b/tests/pytests/scenarios/compat/test_with_versions.py
@@ -13,6 +13,7 @@ from saltfactories.daemons.container import SaltMinion from saltfactories.utils import random_string import salt.utils.platform +from tests.conftest import FIPS_TESTRUN from tests.support.runtests import RUNTIME_VARS docker = pytest.importorskip("docker")
@@ -77,6 +78,9 @@ def salt_minion( }, # We also want to scrutinize the key acceptance "open_mode": False, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = salt_master.salt_minion_daemon( minion_id,
@@ -148,12 +152,14 @@ def populated_state_tree(minion_id, package_name, state_tree): yield +@pytest.mark.skip_on_fips_enabled_platform def test_ping(salt_cli, salt_minion): ret = salt_cli.run("test.ping", minion_tgt=salt_minion.id) assert ret.returncode == 0, ret assert ret.data is True +@pytest.mark.skip_on_fips_enabled_platform @pytest.mark.usefixtures("populated_state_tree") def test_highstate(salt_cli, salt_minion, package_name): """
@@ -167,6 +173,7 @@ def test_highstate(salt_cli, salt_minion, package_name): assert package_name in state_return["changes"], state_return +@pytest.mark.skip_on_fips_enabled_platform @pytest.fixture def cp_file_source(): source = pathlib.Path(RUNTIME_VARS.BASE_FILES) / "cheese"
@@ -175,6 +182,7 @@ def cp_file_source(): yield pathlib.Path(temp_file) +@pytest.mark.skip_on_fips_enabled_platform def test_cp(salt_cp_cli, salt_minion, artifacts_path, cp_file_source): """ Assert proper behaviour for salt-cp with a newer master and older minions.
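Review bot: In the hunk at `@@ -167,6 +173,7 @@` the marker `@pytest.mark.skip_on_fips_enabled_platform` is stacked on top of `@pytest.fixture` for `cp_file_source`, and pytest does not apply marks to fixtures, so this line skips nothing (newer pytest releases warn about marks on fixtures). `test_cp`, the visible consumer of the fixture, receives the marker in the following hunk, so the line on the fixture can be dropped. The skip markers on `test_ping`, `test_highstate` and `test_cp` also carry no explanation; a one-line comment above them stating why these compat tests cannot run on a FIPS platform would help whoever later tries to re-enable them. The body of `cp_file_source` continues past the end of its hunk.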
diff --git a/tests/pytests/scenarios/daemons/conftest.py b/tests/pytests/scenarios/daemons/conftest.py
index 2433376d34c..94695d73e4a 100644
--- a/tests/pytests/scenarios/daemons/conftest.py
+++ b/tests/pytests/scenarios/daemons/conftest.py
@@ -1,6 +1,8 @@ import pytest from saltfactories.utils import random_string +from tests.conftest import FIPS_TESTRUN + @pytest.fixture(scope="package") def salt_master_factory(request, salt_factories):
@@ -10,6 +12,10 @@ def salt_master_factory(request, salt_factories): } config_overrides = { "interface": "127.0.0.1", + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } return salt_factories.salt_master_daemon(
diff --git a/tests/pytests/scenarios/dns/conftest.py b/tests/pytests/scenarios/dns/conftest.py
index 254e8ee9a28..ae3f0f410f5 100644
--- a/tests/pytests/scenarios/dns/conftest.py
+++ b/tests/pytests/scenarios/dns/conftest.py
@@ -4,6 +4,8 @@ import subprocess import pytest +from tests.conftest import FIPS_TESTRUN + log = logging.getLogger(__name__)
@@ -53,6 +55,10 @@ def master(request, salt_factories): } config_overrides = { "interface": "0.0.0.0", + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } factory = salt_factories.salt_master_daemon( "master",
@@ -84,6 +90,9 @@ def minion(master, master_alive_interval): "master": f"master.local:{port}", "publish_port": master.config["publish_port"], "master_alive_interval": master_alive_interval, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = master.salt_minion_daemon( "minion",
diff --git a/tests/pytests/scenarios/dns/multimaster/conftest.py b/tests/pytests/scenarios/dns/multimaster/conftest.py
index 3b50ed65c60..6951e51bf93 100644
--- a/tests/pytests/scenarios/dns/multimaster/conftest.py
+++ b/tests/pytests/scenarios/dns/multimaster/conftest.py
@@ -5,6 +5,8 @@ import subprocess import pytest +from tests.conftest import FIPS_TESTRUN + log = logging.getLogger(__name__)
@@ -20,6 +22,10 @@ def salt_mm_master_1(request, salt_factories): config_overrides = { "interface": "0.0.0.0", "master_sign_pubkey": True, + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } factory = salt_factories.salt_master_daemon( "mm-master-1",
@@ -55,6 +61,10 @@ def salt_mm_master_2(salt_factories, salt_mm_master_1): config_overrides = { "interface": "0.0.0.0", "master_sign_pubkey": True, + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } # Use the same ports for both masters, they are binding to different interfaces
@@ -103,6 +113,9 @@ def salt_mm_minion_1(salt_mm_master_1, salt_mm_master_2, master_alive_interval): "master_tries": -1, "verify_master_pubkey_sign": True, "retry_dns": True, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = salt_mm_master_1.salt_minion_daemon( "mm-minion-1",
diff --git a/tests/pytests/scenarios/failover/multimaster/conftest.py b/tests/pytests/scenarios/failover/multimaster/conftest.py
index 970c1e59137..166e164c13b 100644
--- a/tests/pytests/scenarios/failover/multimaster/conftest.py
+++ b/tests/pytests/scenarios/failover/multimaster/conftest.py
@@ -8,6 +8,7 @@ import pytest from pytestshellutils.exceptions import FactoryNotStarted, FactoryTimeout import salt.utils.platform +from tests.conftest import FIPS_TESTRUN log = logging.getLogger(__name__)
@@ -21,6 +22,10 @@ def salt_mm_failover_master_1(request, salt_factories): config_overrides = { "interface": "127.0.0.1", "master_sign_pubkey": True, + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } factory = salt_factories.salt_master_daemon( "mm-failover-master-1",
@@ -49,6 +54,10 @@ def salt_mm_failover_master_2(salt_factories, salt_mm_failover_master_1): config_overrides = { "interface": "127.0.0.2", "master_sign_pubkey": True, + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), } # Use the same ports for both masters, they are binding to different interfaces
@@ -100,6 +109,9 @@ def salt_mm_failover_minion_1(salt_mm_failover_master_1, salt_mm_failover_master "master_tries": -1, "verify_master_pubkey_sign": True, "retry_dns": 1, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = salt_mm_failover_master_1.salt_minion_daemon( "mm-failover-minion-1",
@@ -138,6 +150,9 @@ def salt_mm_failover_minion_2(salt_mm_failover_master_1, salt_mm_failover_master "master_tries": -1, "verify_master_pubkey_sign": True, "retry_dns": 1, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = salt_mm_failover_master_2.salt_minion_daemon( "mm-failover-minion-2",
diff --git a/tests/pytests/scenarios/failover/multimaster/test_failover_master.py b/tests/pytests/scenarios/failover/multimaster/test_failover_master.py
index 84ab7548ff4..e996469789c 100644
--- a/tests/pytests/scenarios/failover/multimaster/test_failover_master.py
+++ b/tests/pytests/scenarios/failover/multimaster/test_failover_master.py
@@ -5,6 +5,8 @@ import time import pytest +from tests.conftest import FIPS_TESTRUN + pytestmark = [ pytest.mark.core_test, pytest.mark.skip_on_freebsd(reason="Processes are not properly killed on FreeBSD"),
@@ -36,6 +38,9 @@ def test_pki(salt_mm_failover_master_1, salt_mm_failover_master_2, caplog): "master_alive_interval": 5, "master_tries": -1, "verify_master_pubkey_sign": True, + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", } factory = salt_mm_failover_master_1.salt_minion_daemon( "mm-failover-pki-minion-1",
diff --git a/tests/pytests/scenarios/multimaster/conftest.py b/tests/pytests/scenarios/multimaster/conftest.py
index 5a09a5ecd7b..77654f05460 100644
--- a/tests/pytests/scenarios/multimaster/conftest.py
+++ b/tests/pytests/scenarios/multimaster/conftest.py
@@ -26,7 +26,6 @@ def salt_mm_master_1(request, salt_factories): "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" ), } - factory = salt_factories.salt_master_daemon( "mm-master-1", defaults=config_defaults,
diff --git a/tests/pytests/scenarios/reauth/conftest.py b/tests/pytests/scenarios/reauth/conftest.py
index bbefa71e181..35a7003a585 100644
--- a/tests/pytests/scenarios/reauth/conftest.py
+++ b/tests/pytests/scenarios/reauth/conftest.py
@@ -1,12 +1,20 @@ import pytest from saltfactories.utils import random_string +from tests.conftest import FIPS_TESTRUN + @pytest.fixture(scope="package") def salt_master_factory(salt_factories): factory = salt_factories.salt_master_daemon( random_string("reauth-master-"), extra_cli_arguments_after_first_start_failure=["--log-level=info"], + overrides={ + "fips_mode": FIPS_TESTRUN, + "publish_signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224" + ), + }, ) return factory
@@ -22,6 +30,11 @@ def salt_minion_factory(salt_master): factory = salt_master.salt_minion_daemon( random_string("reauth-minion-"), extra_cli_arguments_after_first_start_failure=["--log-level=info"], + overrides={ + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1", + "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1", + }, ) return factory
diff --git a/tests/pytests/scenarios/swarm/conftest.py b/tests/pytests/scenarios/swarm/conftest.py
index 136bb6735c6..b5a4d473138 100644
--- a/tests/pytests/scenarios/swarm/conftest.py
+++ b/tests/pytests/scenarios/swarm/conftest.py
@@ -64,6 +64,15 @@ def minion_swarm(salt_master, minion_count): minion_factory = salt_master.salt_minion_daemon( random_string(f"swarm-minion-{idx}-"), extra_cli_arguments_after_first_start_failure=["--log-level=info"], + overrides={ + "fips_mode": FIPS_TESTRUN, + "encryption_algorithm": ( + "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1" + ), + "signing_algorithm": ( + "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1" + ), + }, ) stack.enter_context(minion_factory.started()) minions.append(minion_factory)
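Review bot: The new `overrides` in `minion_swarm` reference `FIPS_TESTRUN`, but this is the only hunk for swarm/conftest.py and it adds no import, unlike every other file touched by the patch. If the module does not already import the name above line 64, the fixture fails with a NameError as soon as the first swarm minion is configured; confirm that `from tests.conftest import FIPS_TESTRUN` is present at the top of the file. The body of `minion_swarm` starts and ends outside the hunk.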