PYTHON-4509 Update to FIPS host with Python 3.8 binary (#1688)

2024-06-17 12:04:12 -05:00 · 2024-06-17 12:04:12 -05:00 · d4b4b740dd
commit d4b4b740dd
parent 76fa4686fd
6 changed files with 29 additions and 5 deletions
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@ -962,7 +962,7 @@ task_groups:
            - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh
      - func: "upload test results"
    setup_group_can_fail_task: true
-    teardown_group_can_fail_task: true
+    teardown_task_can_fail_task: true
    setup_group_timeout_secs: 1800
    tasks:
    - testazurekms-task
@ -2220,9 +2220,9 @@ axes:
        display_name: "RHEL 8.x"
        run_on: rhel87-small
        batchtime: 10080  # 7 days
-      - id: rhel80-fips
-        display_name: "RHEL 8.0 FIPS"
-        run_on: rhel80-fips
+      - id: rhel92-fips
+        display_name: "RHEL 9.2 FIPS"
+        run_on: rhel92-fips
        batchtime: 10080  # 7 days
      - id: ubuntu-22.04
        display_name: "Ubuntu 22.04"
@ -2596,7 +2596,7 @@ buildvariants:
 - matrix_name: "tests-fips"
  matrix_spec:
    platform:
-      - rhel80-fips
+      - rhel92-fips
    auth: "auth"
    ssl: "ssl"
  display_name: "${platform} ${auth} ${ssl}"
--- a/test/init.py
+++ b/test/init.py
@ -277,6 +277,7 @@ class ClientContext:
        self.is_data_lake = False
        self.load_balancer = TEST_LOADBALANCER
        self.serverless = TEST_SERVERLESS
+        self._fips_enabled = None
        if self.load_balancer or self.serverless:
            self.default_client_options["loadBalanced"] = True
        if COMPRESSORS:
@ -523,6 +524,17 @@ class ClientContext:
            # Raised if self.server_status is None.
            return None

+    @property
+    def fips_enabled(self):
+        if self._fips_enabled is not None:
+            return self._fips_enabled
+        try:
+            subprocess.check_call(["fips-mode-setup", "--is-enabled"])
+            self._fips_enabled = True
+        except (subprocess.SubprocessError, FileNotFoundError):
+            self._fips_enabled = False
+        return self._fips_enabled
+
    def check_auth_type(self, auth_type):
        auth_mechs = self.server_parameters.get("authenticationMechanisms", [])
        return auth_type in auth_mechs
@ -670,6 +682,12 @@ class ClientContext:
            lambda: self.auth_enabled, "Authentication is not enabled on the server", func=func
        )

+    def require_no_fips(self, func):
+        """Run a test only if the host does not have FIPS enabled."""
+        return self._require(
+            lambda: not self.fips_enabled, "Test cannot run on a FIPS-enabled host", func=func
+        )
+
    def require_no_auth(self, func):
        """Run a test only if the server is running without auth enabled."""
        return self._require(
--- a/test/test_auth.py
+++ b/test/test_auth.py
@ -344,6 +344,7 @@ class TestSCRAMSHA1(IntegrationTest):
        client_context.drop_user("pymongo_test", "user")
        super().tearDown()

+    @client_context.require_no_fips
    def test_scram_sha1(self):
        host, port = client_context.host, client_context.port

@ -405,6 +406,7 @@ class TestSCRAM(IntegrationTest):
        else:
            self.assertEqual(started, ["saslStart", "saslContinue", "saslContinue"])

+    @client_context.require_no_fips
    def test_scram(self):
        # Step 1: create users
        client_context.create_user(
--- a/test/test_client.py
+++ b/test/test_client.py
@ -1021,6 +1021,7 @@ class TestClient(IntegrationTest):
            MongoClient("http://localhost")

    @client_context.require_auth
+    @client_context.require_no_fips
    def test_auth_from_uri(self):
        host, port = client_context.host, client_context.port
        client_context.create_user("admin", "admin", "pass")
@ -1077,6 +1078,7 @@ class TestClient(IntegrationTest):
            rs_or_single_client_noauth(username="ad min", password="foo").server_info()

    @client_context.require_auth
+    @client_context.require_no_fips
    def test_lazy_auth_raises_operation_failure(self):
        lazy_client = rs_or_single_client_noauth(
            f"mongodb://user:wrong@{client_context.host}/pymongo_test", connect=False
--- a/test/test_connection_monitoring.py
+++ b/test/test_connection_monitoring.py
@ -400,6 +400,7 @@ class TestCMAP(IntegrationTest):
        failed_event = listener.events[3]
        self.assertEqual(failed_event.reason, ConnectionCheckOutFailedReason.CONN_ERROR)

+    @client_context.require_no_fips
    def test_5_check_out_fails_auth_error(self):
        listener = CMAPListener()
        client = single_client_noauth(
--- a/test/test_database.py
+++ b/test/test_database.py
@ -432,6 +432,7 @@ class TestDatabase(IntegrationTest):
    def test_cursor_command_invalid(self):
        self.assertRaises(InvalidOperation, self.db.cursor_command, "usersInfo", "test")

+    @client_context.require_no_fips
    def test_password_digest(self):
        self.assertRaises(TypeError, auth._password_digest, 5)
        self.assertRaises(TypeError, auth._password_digest, True)