Fix tests for fips runs

openSUSE · Jan 23, 2025 · 721a44e · 721a44e
1 parent 3a6a535
commit 721a44e
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 4 deletions.
diff --git a/salt/channel/server.py b/salt/channel/server.py
@@ -43,6 +43,7 @@ def factory(cls, opts, **kwargs):
     def __init__(self, opts, transport):
         self.opts = opts
         self.transport = transport
+        self.event = None
         # self.event = salt.utils.event.get_master_event(
         #     self.opts, self.opts["sock_dir"], listen=False
         # )

diff --git a/tests/pytests/integration/pillar/cache/conftest.py b/tests/pytests/integration/pillar/cache/conftest.py
@@ -2,6 +2,8 @@
 
 import pytest
 
+from tests.conftest import FIPS_TESTRUN
+
 
 @pytest.fixture(scope="package")
 def pillar_state_tree(tmp_path_factory):
@@ -22,8 +24,16 @@ def pillar_salt_master(salt_factories, pillar_state_tree):
             {"extra_minion_data_in_pillar": "*"},
         ],
     }
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
-        "pillar-cache-functional-master", defaults=config_defaults
+        "pillar-cache-functional-master",
+        defaults=config_defaults,
+        overrides=config_overrides,
     )
     with factory.started():
         yield factory
@@ -32,9 +42,15 @@ def pillar_salt_master(salt_factories, pillar_state_tree):
 @pytest.fixture(scope="package")
 def pillar_salt_minion(pillar_salt_master):
     assert pillar_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = pillar_salt_master.salt_minion_daemon(
         "pillar-cache-functional-minion-1",
         defaults={"open_mode": True, "hi": "there", "pass_to_ext_pillars": ["hi"]},
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All

diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
@@ -10,7 +10,8 @@
 import pytest
 from saltfactories.utils import random_string
 
-x509util = pytest.importorskip("salt.utils.x509")
+import salt.utils.x509 as x509util
+from tests.conftest import FIPS_TESTRUN
 
 try:
     import cryptography
@@ -63,8 +64,14 @@ def x509_data(
 
 @pytest.fixture(scope="module")
 def x509_salt_master(salt_factories, ca_minion_id, x509_master_config):
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
-        "x509-master", defaults=x509_master_config
+        "x509-master", defaults=x509_master_config, overrides=config_overrides
     )
     with factory.started():
         yield factory
@@ -124,9 +131,15 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key_enc, rsa_privkey, ca_new_ce
 @pytest.fixture(scope="module", autouse=True)
 def x509ca_salt_minion(x509_salt_master, ca_minion_id, ca_minion_config):
     assert x509_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = x509_salt_master.salt_minion_daemon(
         ca_minion_id,
         defaults=ca_minion_config,
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All
@@ -139,13 +152,19 @@ def x509ca_salt_minion(x509_salt_master, ca_minion_id, ca_minion_config):
 @pytest.fixture(scope="module")
 def x509_salt_minion(x509_salt_master, x509_minion_id):
     assert x509_salt_master.is_running()
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+    }
     factory = x509_salt_master.salt_minion_daemon(
         x509_minion_id,
         defaults={
             "open_mode": True,
             "features": {"x509_v2": True},
             "grains": {"testgrain": "foo"},
         },
+        overrides=config_overrides,
     )
     with factory.started():
         # Sync All

diff --git a/tests/pytests/scenarios/swarm/conftest.py b/tests/pytests/scenarios/swarm/conftest.py
@@ -4,12 +4,21 @@
 import pytest
 from saltfactories.utils import random_string
 
+from tests.conftest import FIPS_TESTRUN
+
 
 @pytest.fixture(scope="package")
 def salt_master_factory(salt_factories):
+    config_overrides = {
+        "fips_mode": FIPS_TESTRUN,
+        "publish_signing_algorithm": (
+            "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA224"
+        ),
+    }
     factory = salt_factories.salt_master_daemon(
         random_string("swarm-master-"),
         extra_cli_arguments_after_first_start_failure=["--log-level=info"],
+        overrides=config_overrides,
     )
     return factory
 

diff --git a/tests/pytests/unit/transport/test_zeromq.py b/tests/pytests/unit/transport/test_zeromq.py
@@ -1042,7 +1042,6 @@ def mocksend(msg, timeout=60, tries=3):
         "ver": "2",
         "cmd": "_pillar",
     }
-
     try:
         with pytest.raises(salt.crypt.AuthenticationError) as excinfo:
             await client.crypted_transfer_decode_dictentry(
@@ -1085,8 +1084,12 @@ async def test_req_serv_auth_v1(pki_dir, minion_opts, master_opts):
     }
     master_opts.update(pki_dir=str(pki_dir.joinpath("master")))
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
+
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     pub = salt.crypt.get_rsa_pub_key(str(pki_dir.joinpath("minion", "minion.pub")))
@@ -1144,6 +1147,9 @@ async def test_req_serv_auth_v2(pki_dir, minion_opts, master_opts):
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     pub = salt.crypt.get_rsa_pub_key(str(pki_dir.joinpath("minion", "minion.pub")))
@@ -1205,6 +1211,9 @@ async def test_req_chan_auth_v2(pki_dir, io_loop, minion_opts, master_opts):
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1261,6 +1270,9 @@ async def test_req_chan_auth_v2_with_master_signing(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = True
     minion_opts["always_verify_signature"] = True
@@ -1300,6 +1312,9 @@ async def test_req_chan_auth_v2_with_master_signing(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
 
     signin_payload = client.auth.minion_sign_in_payload()
@@ -1355,6 +1370,9 @@ async def test_req_chan_auth_v2_new_minion_with_master_pub(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1418,6 +1436,9 @@ async def test_req_chan_auth_v2_new_minion_with_master_pub_bad_sig(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False
@@ -1475,6 +1496,9 @@ async def test_req_chan_auth_v2_new_minion_without_master_pub(
     server = salt.channel.server.ReqServerChannel.factory(master_opts)
     server.auto_key = salt.daemons.masterapi.AutoKey(server.opts)
     server.cache_cli = False
+    server.event = salt.utils.event.get_master_event(
+        master_opts, master_opts["sock_dir"], listen=False
+    )
     server.master_key = salt.crypt.MasterKeys(server.opts)
     minion_opts["verify_master_pubkey_sign"] = False
     minion_opts["always_verify_signature"] = False