From db656a20e3de33f7cc969a1de76ba402a5afdd62 Mon Sep 17 00:00:00 2001
From: Willem Kaufmann
Date: Mon, 16 Sep 2024 13:58:28 -0400
Subject: [PATCH 1/3] `rptest`: move `in_fips_environment()` to `utils/mode_checks`

(cherry picked from commit 7550c94a6c232e21fb29e50850ded93e0962ac94)
---
 tests/rptest/services/redpanda.py | 15 +--------------
 tests/rptest/tests/redpanda_startup_test.py | 3 ++-
 tests/rptest/utils/mode_checks.py | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/tests/rptest/services/redpanda.py b/tests/rptest/services/redpanda.py
index eee5db603ca71..3c20a9c8b4f34 100644
--- a/tests/rptest/services/redpanda.py
+++ b/tests/rptest/services/redpanda.py
@@ -69,6 +69,7 @@
 from rptest.services.utils import NodeCrash, LogSearchLocal, LogSearchCloud, Stopwatch
 from rptest.util import inject_remote_script, ssh_output_stderr, wait_until_result
 from rptest.utils.allow_logs_on_predicate import AllowLogsOnPredicate
+from rptest.utils.mode_checks import in_fips_environment
 import enum
 Partition = collections.namedtuple('Partition',
@@ -359,20 +360,6 @@ def should_compile(allow_list_element: LogAllowListElem) -> bool:
 allow_list_element, AllowLogsOnPredicate)
-def in_fips_environment() -> bool:
- """
- Returns True if the file /proc/sys/crypto/fips_enabled is present and
- contains '1', otherwise returns False.
- """
- fips_file = "/proc/sys/crypto/fips_enabled"
- if os.path.exists(fips_file) and os.path.isfile(fips_file):
- with open(fips_file, 'r') as f:
- contents = f.read().strip()
- return contents == '1'
-
- return False
-
-
 class ResourceSettings:
 """
 Control CPU+memory footprint of Redpanda instances. Pass one
diff --git a/tests/rptest/tests/redpanda_startup_test.py b/tests/rptest/tests/redpanda_startup_test.py
index 3987e1af215c1..2dd9dd965cf84 100644
--- a/tests/rptest/tests/redpanda_startup_test.py
+++ b/tests/rptest/tests/redpanda_startup_test.py
@@ -15,8 +15,9 @@
 from ducktape.utils.util import wait_until
 from rptest.services.admin import Admin
 from rptest.services.cluster import cluster
-from rptest.services.redpanda import in_fips_environment, MetricsEndpoint, MetricSamples, RedpandaServiceBase
+from rptest.services.redpanda import MetricsEndpoint, MetricSamples, RedpandaServiceBase
 from rptest.tests.redpanda_test import RedpandaTest
+from rptest.utils.mode_checks import in_fips_environment
 class RedpandaStartupTest(RedpandaTest):
diff --git a/tests/rptest/utils/mode_checks.py b/tests/rptest/utils/mode_checks.py
index f6a03e08ab832..73394bc834283 100644
--- a/tests/rptest/utils/mode_checks.py
+++ b/tests/rptest/utils/mode_checks.py
@@ -66,3 +66,17 @@ def the_test(...):
 return ignore(args, kwargs)
 else:
 return args[0]
+
+
+def in_fips_environment() -> bool:
+ """
+ Returns True if the file /proc/sys/crypto/fips_enabled is present and
+ contains '1', otherwise returns False.
+ """
+ fips_file = "/proc/sys/crypto/fips_enabled"
+ if os.path.exists(fips_file) and os.path.isfile(fips_file):
+ with open(fips_file, 'r') as f:
+ contents = f.read().strip()
+ return contents == '1'
+
+ return False

From 2ee60c6834c40c74e334ddcd38fb6c33f2d76d58 Mon Sep 17 00:00:00 2001
From: Willem Kaufmann
Date: Mon, 16 Sep 2024 13:59:06 -0400
Subject: [PATCH 2/3] `rptest`: add `skip_fips_mode()` decorator

For use in ducktape tests that should not be ran in a FIPS-enabled environment (i.e, tests that are always expected to fail due to incompatibilities if FIPS mode is enabled).
(cherry picked from commit 9ff17c2100063abfb9a8067cf47094636c7ef3c6)
---
 tests/rptest/utils/mode_checks.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/rptest/utils/mode_checks.py b/tests/rptest/utils/mode_checks.py
index 73394bc834283..40de4d2f6eced 100644
--- a/tests/rptest/utils/mode_checks.py
+++ b/tests/rptest/utils/mode_checks.py
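Review bot: `in_fips_environment()`, as added to tests/rptest/utils/mode_checks.py, reads `/proc/sys/crypto/fips_enabled` on whichever host runs this Python process, and its docstring does not say whose FIPS state it reports. If the test code and the Redpanda nodes can run on different machines (not visible in this patch), callers such as `skip_fips_mode` in PATCH 2/3 would decide from the wrong host; a docstring sentence like `Checks the kernel FIPS flag of the host executing this code, not of remote nodes.` would make that explicit. The function also uses `os`, and this hunk adds no import, so confirm that `import os` already exists at the top of mode_checks.py, which lies outside the hunk.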
@@ -80,3 +80,33 @@ def in_fips_environment() -> bool:
 return contents == '1'
 return False
+
+
+def skip_fips_mode(*args, **kwargs):
+ """
+ Test method decorator which signals to the test runner to ignore a given test.
+
+ Example::
+
+ When no parameters are provided to the @ignore decorator, ignore all parametrizations of the test function
+
+ @skip_fips_mode # Ignore all parametrizations
+ @parametrize(x=1, y=0)
+ @parametrize(x=2, y=3)
+ def the_test(...):
+ ...
+
+ Example::
+
+ If parameters are supplied to the @skip_fips_mode decorator, only skip the parametrization with matching parameter(s)
+
+ @skip_fips_mode(x=2, y=3)
+ @parametrize(x=1, y=0) # This test will run as usual
+ @parametrize(x=2, y=3) # This test will be ignored
+ def the_test(...):
+ ...
+ """
+ if in_fips_environment():
+ return ignore(args, kwargs)
+ else:
+ return args[0]

From bddeec8fbf3a528132e6a4ac26695f5fdbeb5cc9 Mon Sep 17 00:00:00 2001
From: Willem Kaufmann
Date: Mon, 16 Sep 2024 14:00:55 -0400
Subject: [PATCH 3/3] `rptest`: change fips decorator in `test_s3_oracle_self_config`

This test will ALWAYS fail in fips mode, due to required path-style outcome for OCI self configuration. Change the decorator from `@ok_to_fail_fips` to `@skip_fips_mode` to avoid wasted CI runtime.
(cherry picked from commit 6605685a7a6c40caf4526925f40b58bd59ed7172)
---
 tests/rptest/tests/cluster_self_config_test.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/rptest/tests/cluster_self_config_test.py b/tests/rptest/tests/cluster_self_config_test.py
index b4e8bf8cf0def..7278d7b1af99f 100644
--- a/tests/rptest/tests/cluster_self_config_test.py
+++ b/tests/rptest/tests/cluster_self_config_test.py
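Review bot: Outside a FIPS environment the `else: return args[0]` branch of `skip_fips_mode` raises IndexError for the parametrized form the docstring documents, `@skip_fips_mode(x=2, y=3)`, because `args` is empty when only keyword arguments are passed. That branch should return a pass-through decorator in that case, as in the fence below. Separately, `ignore(args, kwargs)` hands over the tuple and the dict as two positional arguments; `ignore` is imported outside the hunk, so confirm whether `ignore(*args, **kwargs)` is what is meant. The docstring also still says `@ignore` in its first example and never states that the skip applies only when FIPS mode is enabled.

```python
    # … unchanged: signature and docstring …
    if in_fips_environment():
        return ignore(args, kwargs)
    if len(args) == 1 and not kwargs:
        # Bare @skip_fips_mode: args[0] is the test function, return it as is.
        return args[0]

    # @skip_fips_mode(x=..., y=...): args is empty, so return a decorator
    # that leaves the test function unchanged.
    def passthrough(test_func):
        return test_func

    return passthrough
```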
@@ -8,13 +8,14 @@
 # by the Apache License, Version 2.0
 import re
-from ducktape.mark import parametrize, matrix, ok_to_fail_fips
+from ducktape.mark import parametrize, matrix
 from rptest.services.admin import Admin
 from rptest.services.cluster import cluster
 from rptest.services.redpanda import CloudStorageType, SISettings, get_cloud_storage_type
 from rptest.tests.end_to_end import EndToEndTest
 from rptest.services.utils import LogSearchLocal
+from rptest.utils.mode_checks import skip_fips_mode
 class ClusterSelfConfigTest(EndToEndTest):
@@ -87,7 +88,7 @@ def test_s3_self_config(self, cloud_storage_type):
 assert self_config_result and self_config_result in self_config_expected_results
 # OCI only supports path-style requests, fips mode will always fail.
- @ok_to_fail_fips
+ @skip_fips_mode
 @cluster(num_nodes=1)
 @matrix(cloud_storage_type=get_cloud_storage_type(
 applies_only_on=[CloudStorageType.S3]))
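Review bot: The comment kept above the decorator, `# OCI only supports path-style requests, fips mode will always fail.`, still describes a test that runs and fails, while `@skip_fips_mode` now removes it from FIPS runs altogether. I would reword it to match, for example `# OCI only supports path-style requests, so this test always fails in FIPS mode and is skipped there.` The decorated test method itself starts after the hunk's last line.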