Add a FIPS enabled test run under PhotonOS 4 to the CI process

Signed-off-by: Pedro Algarvio <[email protected]>

tests/conftest.py

@@ -66,6 +66,9 @@
         # Flag coverage to track suprocesses by pointing it to the right .coveragerc file
         os.environ["COVERAGE_PROCESS_START"] = str(COVERAGERC_FILE)
 
+# Variable defining a FIPS test run or not
+FIPS_TESTRUN = os.environ.get("FIPS_TESTRUN", "0") == "1"
+
 # Define the pytest plugins we rely on
 pytest_plugins = ["tempdir", "helpers_namespace"]
 
@@ -1051,9 +1054,12 @@ def salt_syndic_master_factory(
     config_overrides = {
         "log_level_logfile": "quiet",
         "fips_mode": FIPS_TESTRUN,
+<<<<<<< HEAD
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+=======
+>>>>>>> 02b147ae59 (Add a FIPS enabled test run under PhotonOS 4 to the CI process)
     }
     ext_pillar = []
     if salt.utils.platform.is_windows():
@@ -1170,9 +1176,12 @@ def salt_master_factory(
     config_overrides = {
         "log_level_logfile": "quiet",
         "fips_mode": FIPS_TESTRUN,
+<<<<<<< HEAD
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+=======
+>>>>>>> 02b147ae59 (Add a FIPS enabled test run under PhotonOS 4 to the CI process)
     }
     ext_pillar = []
     if salt.utils.platform.is_windows():
@@ -1282,8 +1291,11 @@ def salt_minion_factory(salt_master_factory):
         "file_roots": salt_master_factory.config["file_roots"].copy(),
         "pillar_roots": salt_master_factory.config["pillar_roots"].copy(),
         "fips_mode": FIPS_TESTRUN,
+<<<<<<< HEAD
         "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
         "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+=======
+>>>>>>> 02b147ae59 (Add a FIPS enabled test run under PhotonOS 4 to the CI process)
     }
 
     virtualenv_binary = get_virtualenv_binary_path()

tests/pytests/conftest.py

@@ -23,6 +23,7 @@
 import salt.utils.files
 import salt.utils.platform
 from salt.serializers import yaml
+from tests.conftest import FIPS_TESTRUN
 from tests.support.helpers import Webserver, get_virtualenv_binary_path
 from tests.support.pytest.helpers import TestAccount
 from tests.support.runtests import RUNTIME_VARS

tools/pre_commit.py

@@ -81,6 +81,158 @@ def generate_workflows(ctx: Context):
             },
         },
     }
+    test_salt_listing = {
+        "linux": [
+            ("almalinux-8", "Alma Linux 8", "x86_64"),
+            ("almalinux-9", "Alma Linux 9", "x86_64"),
+            ("amazonlinux-2", "Amazon Linux 2", "x86_64"),
+            ("amazonlinux-2-arm64", "Amazon Linux 2 Arm64", "aarch64"),
+            ("amazonlinux-2023", "Amazon Linux 2023", "x86_64"),
+            ("amazonlinux-2023-arm64", "Amazon Linux 2023 Arm64", "aarch64"),
+            ("archlinux-lts", "Arch Linux LTS", "x86_64"),
+            ("centos-7", "CentOS 7", "x86_64"),
+            ("centosstream-8", "CentOS Stream 8", "x86_64"),
+            ("centosstream-9", "CentOS Stream 9", "x86_64"),
+            ("debian-10", "Debian 10", "x86_64"),
+            ("debian-11", "Debian 11", "x86_64"),
+            ("debian-11-arm64", "Debian 11 Arm64", "aarch64"),
+            ("debian-12", "Debian 12", "x86_64"),
+            ("debian-12-arm64", "Debian 12 Arm64", "aarch64"),
+            ("fedora-37", "Fedora 37", "x86_64"),
+            ("fedora-38", "Fedora 38", "x86_64"),
+            ("opensuse-15", "Opensuse 15", "x86_64"),
+            ("photonos-3", "Photon OS 3", "x86_64"),
+            ("photonos-3-arm64", "Photon OS 3 Arm64", "aarch64"),
+            ("photonos-4", "Photon OS 4", "x86_64"),
+            ("photonos-4-arm64", "Photon OS 4 Arm64", "aarch64"),
+            ("photonos-5", "Photon OS 5", "x86_64"),
+            ("photonos-5-arm64", "Photon OS 5 Arm64", "aarch64"),
+            ("ubuntu-20.04", "Ubuntu 20.04", "x86_64"),
+            ("ubuntu-20.04-arm64", "Ubuntu 20.04 Arm64", "aarch64"),
+            ("ubuntu-22.04", "Ubuntu 22.04", "x86_64"),
+            ("ubuntu-22.04-arm64", "Ubuntu 22.04 Arm64", "aarch64"),
+        ],
+        "macos": [
+            ("macos-12", "macOS 12", "x86_64"),
+        ],
+        "windows": [
+            ("windows-2016", "Windows 2016", "amd64"),
+            ("windows-2019", "Windows 2019", "amd64"),
+            ("windows-2022", "Windows 2022", "amd64"),
+        ],
+    }
+    for idx, (slug, display_name, arch) in enumerate(test_salt_listing["linux"][:]):
+        fips = False
+        test_salt_listing["linux"][idx] = (slug, display_name, arch, fips)  # type: ignore[assignment]
+        if slug == "photonos-4":
+            fips = True
+            test_salt_listing["linux"].append((slug, display_name, arch, fips))  # type: ignore[arg-type]
+
+    test_salt_pkg_listing = {
+        "linux": (
+            ("amazonlinux-2", "Amazon Linux 2", "x86_64", "rpm"),
+            ("amazonlinux-2-arm64", "Amazon Linux 2 Arm64", "aarch64", "rpm"),
+            ("amazonlinux-2023", "Amazon Linux 2023", "x86_64", "rpm"),
+            ("amazonlinux-2023-arm64", "Amazon Linux 2023 Arm64", "aarch64", "rpm"),
+            ("centos-7", "CentOS 7", "x86_64", "rpm"),
+            ("centosstream-8", "CentOS Stream 8", "x86_64", "rpm"),
+            ("centosstream-9", "CentOS Stream 9", "x86_64", "rpm"),
+            ("debian-10", "Debian 10", "x86_64", "deb"),
+            ("debian-11", "Debian 11", "x86_64", "deb"),
+            ("debian-11-arm64", "Debian 11 Arm64", "aarch64", "deb"),
+            ("debian-12", "Debian 12", "x86_64", "deb"),
+            ("debian-12-arm64", "Debian 12 Arm64", "aarch64", "deb"),
+            ("photonos-3", "Photon OS 3", "x86_64", "rpm"),
+            ("photonos-3-arm64", "Photon OS 3 Arm64", "aarch64", "rpm"),
+            ("photonos-4", "Photon OS 4", "x86_64", "rpm"),
+            ("photonos-4-arm64", "Photon OS 4 Arm64", "aarch64", "rpm"),
+            ("photonos-5", "Photon OS 5", "x86_64", "rpm"),
+            ("photonos-5-arm64", "Photon OS 5 Arm64", "aarch64", "rpm"),
+            ("ubuntu-20.04", "Ubuntu 20.04", "x86_64", "deb"),
+            ("ubuntu-20.04-arm64", "Ubuntu 20.04 Arm64", "aarch64", "deb"),
+            ("ubuntu-22.04", "Ubuntu 22.04", "x86_64", "deb"),
+            ("ubuntu-22.04-arm64", "Ubuntu 22.04 Arm64", "aarch64", "deb"),
+        ),
+        "macos": (("macos-12", "macOS 12", "x86_64"),),
+        "windows": (
+            ("windows-2016", "Windows 2016", "amd64"),
+            ("windows-2019", "Windows 2019", "amd64"),
+            ("windows-2022", "Windows 2022", "amd64"),
+        ),
+    }
+    build_ci_deps_listing = {
+        "linux": [
+            ("almalinux-8", "Alma Linux 8", "x86_64"),
+            ("almalinux-8-arm64", "Alma Linux 8 Arm64", "aarch64"),
+            ("almalinux-9", "Alma Linux 9", "x86_64"),
+            ("almalinux-9-arm64", "Alma Linux 9 Arm64", "aarch64"),
+            ("amazonlinux-2", "Amazon Linux 2", "x86_64"),
+            ("amazonlinux-2-arm64", "Amazon Linux 2 Arm64", "aarch64"),
+            ("amazonlinux-2023", "Amazon Linux 2023", "x86_64"),
+            ("amazonlinux-2023-arm64", "Amazon Linux 2023 Arm64", "aarch64"),
+            ("archlinux-lts", "Arch Linux LTS", "x86_64"),
+            ("centos-7", "CentOS 7", "x86_64"),
+            ("centos-7-arm64", "CentOS 7 Arm64", "aarch64"),
+            ("centosstream-8", "CentOS Stream 8", "x86_64"),
+            ("centosstream-8-arm64", "CentOS Stream 8 Arm64", "aarch64"),
+            ("centosstream-9", "CentOS Stream 9", "x86_64"),
+            ("centosstream-9-arm64", "CentOS Stream 9 Arm64", "aarch64"),
+            ("debian-10", "Debian 10", "x86_64"),
+            ("debian-11", "Debian 11", "x86_64"),
+            ("debian-11-arm64", "Debian 11 Arm64", "aarch64"),
+            ("debian-12", "Debian 12", "x86_64"),
+            ("debian-12-arm64", "Debian 12 Arm64", "aarch64"),
+            ("fedora-37", "Fedora 37", "x86_64"),
+            ("fedora-37-arm64", "Fedora 37 Arm64", "aarch64"),
+            ("fedora-38", "Fedora 38", "x86_64"),
+            ("fedora-38-arm64", "Fedora 38 Arm64", "aarch64"),
+            ("opensuse-15", "Opensuse 15", "x86_64"),
+            ("photonos-3", "Photon OS 3", "x86_64"),
+            ("photonos-3-arm64", "Photon OS 3 Arm64", "aarch64"),
+            ("photonos-4", "Photon OS 4", "x86_64"),
+            ("photonos-4-arm64", "Photon OS 4 Arm64", "aarch64"),
+            ("photonos-5", "Photon OS 5", "x86_64"),
+            ("photonos-5-arm64", "Photon OS 5 Arm64", "aarch64"),
+            ("ubuntu-20.04", "Ubuntu 20.04", "x86_64"),
+            ("ubuntu-20.04-arm64", "Ubuntu 20.04 Arm64", "aarch64"),
+            ("ubuntu-22.04", "Ubuntu 22.04", "x86_64"),
+            ("ubuntu-22.04-arm64", "Ubuntu 22.04 Arm64", "aarch64"),
+        ],
+        "macos": [
+            ("macos-12", "macOS 12", "x86_64"),
+        ],
+        "windows": [
+            ("windows-2016", "Windows 2016", "amd64"),
+            ("windows-2019", "Windows 2019", "amd64"),
+            ("windows-2022", "Windows 2022", "amd64"),
+        ],
+    }
+    test_salt_pkg_downloads_listing: dict[str, list[tuple[str, str, str]]] = {
+        "linux": [],
+        "macos": [],
+        "windows": [],
+    }
+    for slug, display_name, arch in build_ci_deps_listing["linux"]:
+        if slug in ("archlinux-lts", "opensuse-15"):
+            continue
+        test_salt_pkg_downloads_listing["linux"].append((slug, arch, "package"))
+    for slug, display_name, arch in build_ci_deps_listing["linux"][-2:]:
+        if slug in ("archlinux-lts", "opensuse-15"):
+            continue
+        test_salt_pkg_downloads_listing["linux"].append((slug, arch, "onedir"))
+    for slug, display_name, arch in build_ci_deps_listing["macos"]:
+        test_salt_pkg_downloads_listing["macos"].append((slug, arch, "package"))
+    for slug, display_name, arch in build_ci_deps_listing["macos"][-1:]:
+        test_salt_pkg_downloads_listing["macos"].append((slug, arch, "onedir"))
+    for slug, display_name, arch in build_ci_deps_listing["windows"][-1:]:
+        for pkg_type in ("nsis", "msi", "onedir"):
+            test_salt_pkg_downloads_listing["windows"].append((slug, arch, pkg_type))
+
+    test_salt_pkg_downloads_needs_slugs = set()
+    for platform in test_salt_pkg_downloads_listing:
+        for slug, _, _ in test_salt_pkg_downloads_listing[platform]:
+            test_salt_pkg_downloads_needs_slugs.add(f"{slug.replace('.', '')}-ci-deps")
+
     env = Environment(
         block_start_string="<%",
         block_end_string="%>",

tools/vm.py

@@ -302,6 +302,7 @@ def test(
     print_system_info: bool = False,
     skip_code_coverage: bool = False,
     envvars: list[str] = None,
+    fips: bool = False,
 ):
     """
     Run test in the VM.
@@ -336,6 +337,9 @@ def test(
     if "photonos" in name:
         skip_known_failures = os.environ.get("SKIP_INITIAL_PHOTONOS_FAILURES", "1")
         env["SKIP_INITIAL_PHOTONOS_FAILURES"] = skip_known_failures
+        if fips:
+            env["FIPS_TESTRUN"] = "1"
+            vm.run(["tdnf", "install", "-y", "openssl-fips-provider"], sudo=True)
     if envvars:
         for key in envvars:
             if key not in os.environ:
@@ -670,6 +674,9 @@ def write_ssh_config(self):
             forward_agent = "no"
         else:
             forward_agent = "yes"
+        ciphers = ""
+        if "photonos" in self.name:
+            ciphers = "[email protected],aes256-cbc,aes256-ctr,[email protected],aes128-ctr,aes192-ctr,[email protected]"
         ssh_config = textwrap.dedent(
             f"""\
             Host {self.name}
@@ -681,6 +688,8 @@ def write_ssh_config(self):
               StrictHostKeyChecking=no
               UserKnownHostsFile=/dev/null
               ForwardAgent={forward_agent}
+              PasswordAuthentication=no
+              {ciphers}
             """
         )
         self.ssh_config_file.write_text(ssh_config)