chore(ci): add FIPS e2e and smoke tests MONGOSH-1222 #1298
Conversation
| tasks: | ||
| - name: e2e_tests_linux_x64 | ||
| - name: e2e_tests_linux_x64_openssl11 | ||
| - name: e2e_tests_linux_x64_openssl11_fips |
There was a problem hiding this comment.
This is the only variant where FIPS support worked out of the box. For other OSes, I guess the docker tests have to be enough (although I was pleasantly surprised to see that FIPS support works even for their docker images).
| RUN yum repolist | ||
| RUN yum install -y /tmp/*mongosh*.rpm | ||
| RUN /usr/bin/mongosh --version | ||
| RUN /usr/bin/mongosh --build-info |
There was a problem hiding this comment.
This is just so that we can see the openssl config values more easily for debugging
| 4. Create a bundle with client key and certificate to use for connecting: | ||
| 4. Create an encrypted client key file from the existing unencrypted one: | ||
| ``` | ||
| openssl pkcs8 -topk8 -in client.key -v2 aes-256-cbc -out client.encrypted.key -passout pass:p4ssw0rd |
There was a problem hiding this comment.
We need to use the openssl pkcs8 command here, because it gives a different format than openssl rsa, and in particular the password derviation algorithm used by the latter isn’t FIPS-compatible (you can tell the difference by the different section names in the client.bundle.encrypted.pem file)
There was a problem hiding this comment.
Would have never figured this one
There was a problem hiding this comment.
@mcasimir To be clear, my knowledge here also only comes from StackOverflow 😉 https://superuser.com/questions/1664393/are-private-keys-generated-by-openssl-when-fips-mode-is-disabled-usable-when-fip
| @@ -0,0 +1,111 @@ | |||
| Certificate: | |||
There was a problem hiding this comment.
This file is not used by tests, but it’s part of the setup described in the README. It should either be included or in the .gitignore list, no strong preference, for now I just decided to include it.
| } | ||
|
|
||
| for (const { input, output, testArgs } of [{ | ||
| const skipFipsWithOpenSSL3 = process.env.MONGOSH_SMOKE_TEST_OS_SKIP_FIPS_WITH_OPENSSL3 && buildInfo().opensslVersion.startsWith('3.'); |
There was a problem hiding this comment.
Had to add this option since the docker images that provide a OpenSSL-3-capable OS don’t provide FIPS support in a usable way. That’s okay – we are being clear here about the fact that what we provide is shared OpenSSL support and the ability to put OpenSSL in FIPS mode. Making sure that their local OpenSSL works in FIPS mode is the user’s responsibility.
| 4. Create a bundle with client key and certificate to use for connecting: | ||
| 4. Create an encrypted client key file from the existing unencrypted one: | ||
| ``` | ||
| openssl pkcs8 -topk8 -in client.key -v2 aes-256-cbc -out client.encrypted.key -passout pass:p4ssw0rd |
There was a problem hiding this comment.
Would have never figured this one
2 participants
No description provided.