Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-131233 / 25.04 / Update to test for FIPS 3.0.9 #14629

Merged
merged 36 commits into from
Oct 23, 2024
Merged

NAS-131233 / 25.04 / Update to test for FIPS 3.0.9 #14629

merged 36 commits into from
Oct 23, 2024

Conversation

aiden3c
Copy link
Contributor

@aiden3c aiden3c commented Oct 8, 2024

This is the test for verifying our FIPS version, as well as checking that middleware reports the proper reboot reasons upon FIPS being enabled.

Enabling/disabling FIPS takes some time, so I also had to up the SSH command timeout through an optional argument.

This is paired with this PR to actually apply the new FIPS changes.

Passing tests as always

aiden3c added 30 commits October 8, 2024 10:59
@aiden3c
Initial API test
d8d1e8b
@aiden3c
Failover is already enabled at this moment, cool
fe98c38
@aiden3c
Some debugging
ecf9e54
@aiden3c
More debugging
528f629
@aiden3c
Failover sanity check
c3dd577
@aiden3c
Closer than I thought
fbd2e45
@aiden3c
New test method
11e4196
@aiden3c
Proper ssh command
08e71e7
@aiden3c
PROPER ssh command
71e1846
@aiden3c
Added a timeout to SSH, FIPS takes a minute
6fecff2
@aiden3c
Proper file check
16022cf
@aiden3c
Another test, transient errors suck btw
9b6d6eb
@aiden3c
Had a success, asserting
5673bd2
@aiden3c
(maybe) final test
8254f21
@aiden3c
Documentation for test, some just in case sanity checks
ac6d728
@aiden3c
Okay I am sane
5a8ecdc
@aiden3c
Start of reasons check
97270d4
@aiden3c
Retries
72e1f4d
@aiden3c
Make sure reboot state is reset
581375d
@aiden3c
Assert reboot state
fe7286e
@aiden3c
Get reasons diff way
4c7f324
@aiden3c
Type testing
9c1a51e
@aiden3c
Loop restructure
4f32ed5
@aiden3c
Removed annoying print
dfa99ff
@aiden3c
More debugging
f1e2b68
@aiden3c
More more debugging
75685ad
@aiden3c
Extra check, formalization for finishing
e08e6be
@aiden3c
Removed never reached code
aa0f49f
@aiden3c
Comment rewording
13e2614
@aiden3c
Merge remote-tracking branch 'origin/master' into NAS-131233
77a4b93
@aiden3c aiden3c requested a review from a team October 8, 2024 17:39
@bugclerk bugclerk changed the title Update to test for FIPS 3.0.9 NAS-131233 / 25.04 / Update to test for FIPS 3.0.9 Oct 8, 2024
@bugclerk
Copy link
Contributor

bugclerk commented Oct 8, 2024

Jira URL: https://ixsystems.atlassian.net/browse/NAS-131233

@aiden3c aiden3c mentioned this pull request Oct 8, 2024
Merged
@aiden3c aiden3c requested review from sonicaj and a team October 9, 2024 14:58
@aiden3c aiden3c force-pushed the NAS-131233 branch 3 times, most recently from 1d033c5 to 560f799 Compare October 11, 2024 18:09
@aiden3c aiden3c force-pushed the NAS-131233 branch 2 times, most recently from 7e513ee to 6bcd5aa Compare October 14, 2024 11:33
@aiden3c aiden3c requested review from yocalebo and a team October 14, 2024 11:49
@aiden3c
Copy link
Contributor Author

aiden3c commented Oct 14, 2024

@sonicaj just pinging for review's sake

sonicaj
sonicaj reviewed Oct 17, 2024
View reviewed changes
tests/api2/test_openssl.py
@pytest.mark.skipif(not ha, reason='Test only valid for HA')
def test_fips_version():
# The reason we have a set of commands in a payload is because of some annoying FIPS technicalities.
# Basically, when FIPS is enabled, we can't use SSH because the SSH key used by root isn't using a FIPS provided algorithm. (this might need to be investigated further)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Btw you should be able to pull that off with -c aes128-ctr iirc flag (not saying it's necessary but just sharing here)

tests/api2/test_openssl.py Show resolved Hide resolved
@aiden3c aiden3c merged commit 8007cf9 into master Oct 23, 2024
7 checks passed
@aiden3c aiden3c deleted the NAS-131233 branch October 23, 2024 18:53
@bugclerk
Copy link
Contributor

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Oct 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sonicaj sonicaj sonicaj approved these changes

@yocalebo yocalebo Awaiting requested review from yocalebo

Assignees
No one assigned
Labels
no-time-tracked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aiden3c @bugclerk @sonicaj @yocalebo