add azure linux-specific fips tests #3688
Conversation
| ).is_false() | ||
|
|
||
|
|
||
| class AzlFips(ABC): |
There was a problem hiding this comment.
It can be implemented by a tool. We have some virtual tools, they are not actually commands, but easy to be abtracted for reusing. In the tool, the create method can replace create_instance. This class can be called as "Fips", and derives a "AzLinuxFips/AzLinuxV2Fips,AzLinuxV3Fips" classes as needed.
| node.reboot() | ||
| azl_fips.assert_fips_disabled() | ||
|
|
||
| log.debug("Successfully disabled FIPS.") |
There was a problem hiding this comment.
It can be info level to output a successful information.
There was a problem hiding this comment.
Restore it to its original status, since the environment may be reused.
| "Error setting digest\r\n.*EVP_DigestInit_ex:disabled for FIPS.*", re.M | ||
| ) | ||
|
|
||
| def assert_fips_enabled(self) -> None: |
There was a problem hiding this comment.
It can provide additional parameters to merge with assert_fips_disabled, like assert_status(self, is_enabled)
There was a problem hiding this comment.
I considered doing that, the code for assert_status would be several
if is_enabled:
# whatever thing for enabled
else:
# whatever disabled thing
It felt better to have them as totally separate functions.
Do you have a strong preference here?
There was a problem hiding this comment.
I prefer it, because 50%+ code are same or similar. If convert true/false to 1/0, most code is the same. So sharing logic is always better.
Add Azure Linux-specific tests around FIPS compliance. Specifically, this change adds:
verify_fips_is_enabled_azl: Verifies that an AZL system is in FIPS mode.verify_fips_is_disabled_azl: Verifies that an AZL system is not in FIPS mode.verify_fips_enable_azl: Verifies that an AZL system can be put into FIPS mode.verify_fips_disable_azl: Verifies that an AZL system can be taken out of FIPS mode.It also removes the AZL code from
verify_fips_enable.Due to the nature of these tests, they only make sense to run if we believe a machine is already in the correct mode. For example,
verify_fips_is_enabled_azlwould make sense on the marketplace imageMicrosoftCBLMariner:azure-linux-3:azure-linux-3-fips:latestbut not onMicrosoftCBLMariner:azure-linux-3:azure-linux-3:latest.To accomplish this, we look at two things (see function
ensure_fips_expectations).First, we see if a variable
testing_fips_imagewas provided to the test case. If so, and if it isyesorno, we respect that.Second, we try to hit the azure metadata endpoint to get the image sku name. If that is a FIPS sku, we consider it to be a FIPS machine.
If neither exist, we skip the test.