freeipa/ipatests/test_integration/test_fips.py
Florence Blanc-Renaud b8947b829b ipatests: update the fake fips mode expected message
The test ipatests/test_integration/test_fips.py fakes
FIPS mode and calls "openssl md5" to ensure the algorithm is
not available in the fake FIPS mode.

The error message has been updated with openssl-3.0.5-5.
In the past the command used to return:
$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:

And now it returns:
$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

To be compatible with all versions, only check the common part:
Error setting digest

Mark the test as xfail since installation is currently not working.

Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-19 15:38:05 +01:00


#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""Smoke tests for FreeIPA installation in (fake) userspace FIPS mode
"""
import pytest
from ipaplatform.osinfo import osinfo
from ipapython.dn import DN
from ipapython.ipautil import ipa_generate_password, realm_to_suffix
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration import fips
from ipatests.test_integration.base import IntegrationTest
from .test_dnssec import (
test_zone,
dnssec_install_master,
dnszone_add_dnssec,
wait_until_record_is_signed,
)
@pytest.mark.xfail(
osinfo.id == 'fedora' and osinfo.version_number > (35,),
reason='freeipa ticket 9002', strict=True)
class TestInstallFIPS(IntegrationTest):
# Topology: one master (implicit), one replica and one client; install()
# below sets each of them up.
num_replicas = 1
num_clients = 1
# Requests (fake) userspace FIPS mode for the hosts -- presumably consumed by
# the IntegrationTest base class; install() re-checks it on every host.
fips_mode = True
@classmethod
def install(cls, mh):
    """Set up master, replica and clients in (fake) FIPS mode.

    Runs the base-class installation, verifies that every host really
    reports FIPS mode, applies a test-only bind crypto-policy tweak on the
    servers, then installs the master (CA, KRA, DNS+DNSSEC), one replica
    (CA, KRA, DNS) and the clients.

    :param mh: multihost fixture handed down by the test framework
    """
    super().install(mh)

    # Sanity check: every host must actually be running in FIPS mode.
    for host in cls.get_all_hosts():
        assert host.is_fips_mode
        assert fips.is_fips_enabled(host)

    # Test-only workaround for RHBZ#1772111: strip the "RSAMD5;" token from
    # the bind crypto-policy back-end config on each server (presumably so
    # that named-pkcs11 starts under the FIPS policy -- see the bug).
    # This loosens the policy file; do not copy it into production setups.
    patch_bind_policy = [
        "sed",
        "-i",
        "-E",
        "s/RSAMD5;//g",
        "/etc/crypto-policies/back-ends/bind.config",
    ]
    servers = [cls.master] + cls.replicas
    for server in servers:
        server.run_command(patch_bind_policy)

    # master with CA, KRA, DNS+DNSSEC
    tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
    # replica with CA, KRA, DNS
    tasks.install_replica(
        cls.master,
        cls.replicas[0],
        setup_dns=True,
        setup_ca=True,
        setup_kra=True,
    )
    tasks.install_clients(servers, cls.clients)
def test_basic(self):
    """Smoke test: an admin ticket on a client is enough to reach the API."""
    first_client = self.clients[0]
    tasks.kinit_admin(first_client)
    first_client.run_command(["ipa", "ping"])
def test_dnssec(self):
    """A DNSSEC-enabled zone gets signed on master and replica in FIPS mode."""
    dnssec_install_master(self.master)
    # DNSSEC zone
    dnszone_add_dnssec(self.master, test_zone)

    # Master is checked first with the shorter timeout, then the replica,
    # which additionally has to wait for replication.
    checks = (
        (self.master, 100, "Zone %s is not signed (master)"),
        (self.replicas[0], 200, "DNS zone %s is not signed (replica)"),
    )
    for host, timeout, message in checks:
        signed = wait_until_record_is_signed(
            host.ip, test_zone, timeout=timeout
        )
        assert signed, (message % test_zone)
def test_vault_basic(self):
    """Create a symmetric vault, archive a secret into it and retrieve it.

    Only command success is asserted; the retrieved payload is not compared
    with the archived data.
    """
    name = "testvault"
    # NOTE: the generated password travels as a command-line argument of the
    # ipa client on the master; acceptable for a throwaway test vault only.
    password = ipa_generate_password()
    data = "SSBsb3ZlIENJIHRlc3RzCg=="

    common_args = [name, "--password", password]

    # create vault
    self.master.run_command(
        ["ipa", "vault-add"] + common_args + ["--type", "symmetric"]
    )
    # archive secret
    self.master.run_command(
        ["ipa", "vault-archive"] + common_args + ["--data", data]
    )
    # retrieve it again
    self.master.run_command(["ipa", "vault-retrieve"] + common_args)
def test_krb_enctypes(self):
realm = self.master.domain.realm
suffix = realm_to_suffix(realm)
dn = DN(("cn", realm), ("cn", "kerberos")) + suffix
args = ["krbSupportedEncSaltTypes", "krbDefaultEncSaltTypes"]
for host in [self.master] + self.replicas:
result = tasks.ldapsearch_dm(host, str(dn), args, scope="base")
assert "camellia" not in result.stdout_text
assert "aes256-cts" in result.stdout_text
assert "aes128-cts" in result.stdout_text
# test that update does not add camellia
self.master.run_command(["ipa-server-upgrade"])
result = tasks.ldapsearch_dm(self.master, str(dn), args, scope="base")
assert "camellia" not in result.stdout_text