ipatests: healthcheck: test if system is FIPS enabled #6368
assert returncode == 0 | ||
|
||
cmd = self.master.run_command(['fips-mode-setup', '--is-enabled'], | ||
raiseonerr=False) |
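Review bot: in the `run_command` call, `raiseonerr=False` means a failure to run `fips-mode-setup` at all also arrives here as just another non-zero return code. Consider asserting that the return code is one of the statuses the test expects before comparing it with the healthcheck value, so an unrelated failure is reported as such.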
If you pass source ipahealthcheck/meta/core and check MetaCheck to run_healthcheck then it will only run the check that contains the fips output so there will be less to go through and a bit faster.
elif check["kw"]["fips"] == "enabled": | ||
assert returncode == 0 | ||
else: | ||
assert returncode == 1 |
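Review bot: the final `else` branch treats every `fips` value other than "enabled" and "disabled" as matching return code 1. Compare against the one value expected for that state explicitly and fail on anything else, so an unexpected or malformed value from the healthcheck does not pass just because the return code happens to be 1.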
Rather than only executing when fips is a keyword, I'd look for the specific check that should contain this. Otherwise if for some reason ipa-healthcheck is broken and not returning MetaCheck then this test will not catch it.
I think it's worthwhile to also run this with FIPS enabled. There are "fake" enable/disable methods for fips in the TestIntegration class that may be sufficient. They are currently unused AFAICT so no guarantees they will do the right thing.
@rcritten the test is running in true FIPS env[1] with both FIPS enabled and disabled, however, I concur it should run with both in one pass.
The runs are not visible currently, as the CI has an issue with space and doesn't trigger temp commits.
[1] introduced with freeipa/freeipa-pr-ci#452
Sorry I looked but missed that in the test definition. Testing both in the temp commit would be great, just reference the passing tests for both.
Please, see inline comments
returncode = cmd.returncode | ||
|
||
# If this produces KeyError, the check does not exist | ||
if check["kw"]["fips"] == "disabled": |
check is a one element list, therefore to access the dictionary inside, you need to pass an index first, in this case check[0]["kw"]["fips"]
# If this produces KeyError, the check does not exist | ||
if check["kw"]["fips"] == "disabled": | ||
assert returncode == 2 | ||
elif check["kw"]["fips"] == "enabled": |
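Review bot: the bare `assert returncode == 2` gives no context when it fails. Add an assertion message that includes the reported `fips` value and the return code, so a mismatch between the healthcheck and fips-mode-setup can be read directly from the test log.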
same as on line 361
raiseonerr=False) | ||
returncode = cmd.returncode | ||
|
||
# If this produces KeyError, the check does not exist |
Accordingly, if the list of the checks is empty (i.e. the MetaCheck does not exist), this will fail on IndexError
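The points raised in the review comments above (select the MetaCheck result explicitly, index into the result list, fail clearly when the check is absent), as an added example that is not code from this PR. It assumes the healthcheck output has been parsed into a list of dicts with "check" and "kw" keys; the function names, `CheckMissing` and the `OtherCheck` record are hypothetical.

```python
# Added example; the records passed in are assumed to be the parsed JSON
# list from ipa-healthcheck, each a dict with "check" and "kw" keys.

# Return codes of `fips-mode-setup --is-enabled` as asserted in the PR.
RC_FOR_STATE = {"enabled": 0, "disabled": 2}
RC_OTHER = 1  # the PR's final `else` branch


class CheckMissing(AssertionError):
    """The expected healthcheck result is absent or incomplete."""


def fips_from_healthcheck(results, check_name="MetaCheck"):
    """Return the 'fips' keyword of exactly one `check_name` result."""
    matches = [r for r in results if r.get("check") == check_name]
    if len(matches) != 1:
        # Covers the empty list (would be IndexError on results[0]).
        raise CheckMissing(
            f"expected one {check_name} result, found {len(matches)}")
    kw = matches[0].get("kw") or {}
    if "fips" not in kw:
        # Would be a KeyError in the original comparison.
        raise CheckMissing(f"{check_name} result has no 'fips' keyword")
    return kw["fips"]


def fips_consistent(results, returncode):
    """True when the healthcheck value and the command's status agree."""
    state = fips_from_healthcheck(results)
    return returncode == RC_FOR_STATE.get(state, RC_OTHER)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = [
        {"check": "OtherCheck", "kw": {}},
        {"check": "MetaCheck", "kw": {"fips": "disabled"}},
    ]
    print(fips_from_healthcheck(sample), fips_consistent(sample, 2))
```
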
Azure issue caused most probably by #6342 (comment), since the same PR-CI test is running fine, I believe it's fine to ignore the failures as of now.
@rcritten the fips and non-fips checks passed, ready for a review
Docs failing to build is due to https://pagure.io/freeipa/issue/9208
This change looks fine, nice work.
master:
Test if FIPS is enabled and the check exists.
Related: https://pagure.io/freeipa/issue/8951
Signed-off-by: Erik Belko <ebelko@redhat.com>