NAS-131233 / 25.04 / Update to test for FIPS 3.0.9 (#14629)

truenas · Oct 23, 2024 · 8007cf9 · 8007cf9
1 parent 6c0a081
commit 8007cf9
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/src/middlewared/middlewared/test/integration/utils/ssh.py b/src/middlewared/middlewared/test/integration/utils/ssh.py
@@ -13,8 +13,8 @@
 __all__ = ["ssh"]
 
 
-def ssh(command, check=True, complete_response=False, *, user=default_user, password=default_password, ip=None):
-    result = SSH_TEST(command, user, password, ip)
+def ssh(command, check=True, complete_response=False, *, user=default_user, password=default_password, ip=None, timeout=120):
+    result = SSH_TEST(command, user, password, ip, timeout=timeout)
     if check:
         assert result["result"], result["output"]
     return result if complete_response else result["stdout"]
diff --git a/tests/api2/test_openssl.py b/tests/api2/test_openssl.py
@@ -0,0 +1,28 @@
+import pytest
+
+from middlewared.test.integration.utils import call, ssh
+from auto_config import ha
+
+retry = 5
+fips_version = "3.0.9"
+
+
+# Sometimes this test fails because the testing environment has broken failover (randomly. Fun transient error. Reports a failed heartbeat).
+@pytest.mark.flaky(reruns=retry, reruns_delay=5)
+@pytest.mark.skipif(not ha, reason='Test only valid for HA')
+def test_fips_version():
+    # The reason we have a set of commands in a payload is because of some annoying FIPS technicalities.
+    # Basically, when FIPS is enabled, we can't use SSH because the SSH key used by root isn't using a FIPS provided algorithm. (this might need to be investigated further)
+    # To allow testing, we write our FIPS information to a file during this phase, and then go disable FIPS to get SSH back all in one joint command.
+    payload = """midclt call --job system.security.update '{"enable_fips": true}' && openssl list -providers > /root/osslproviders && midclt call system.reboot.info >> /root/osslproviders && midclt call --job system.security.update '{"enable_fips": false}'"""
+
+    ssh(payload, complete_response=True, timeout=300)
+
+    # Check that things are what we expect when FIPS was enabled
+    enabled_info = ssh("cat /root/osslproviders")
+    assert fips_version in enabled_info
+    assert "FIPS configuration was changed." in enabled_info
+
+    # Check that we no longer have FIPS enabled
+    assert fips_version not in ssh("openssl list -providers")
+    assert call("system.reboot.info")["reboot_required_reasons"] == []
diff --git a/tests/functions.py b/tests/functions.py
@@ -114,7 +114,7 @@ def DELETE(testpath, payload=None, controller_a=False, **optional):
     return deleteit
 
 
-def SSH_TEST(command, username, passwrd, host=None):
+def SSH_TEST(command, username, passwrd, host=None, timeout=120):
     target = host or get_host_ip(SRVTarget.DEFAULT)
 
     cmd = [] if passwrd is None else ["sshpass", "-p", passwrd]
@@ -131,7 +131,7 @@ def SSH_TEST(command, username, passwrd, host=None):
     ]
     # 120 second timeout, to make sure no SSH connection hang.
     process = run(cmd, stdout=PIPE, stderr=PIPE, universal_newlines=True,
-                  timeout=120)
+                  timeout=timeout)
     stdout = process.stdout
     stderr = process.stderr
     return {'stdout': stdout, 'stderr': stderr, 'output': stdout + stderr, 'returncode': process.returncode,