Make VaultEditor Tests compatible with FIPS mode
Migrate one test to vault-1.1. Skip the two other vault 1.0 tests if running on a FIPS enabled system
parent
e05b22e0d1
commit
44eb19d553
3 changed files with 27 additions and 12 deletions
|
@ -37,6 +37,15 @@ except ImportError:
|
|||
|
||||
class TestVaultEditor(TestCase):
|
||||
|
||||
def _is_fips(self):
|
||||
try:
|
||||
data = open('/proc/sys/crypto/fips_enabled').read().strip()
|
||||
except:
|
||||
return False
|
||||
if data != '1':
|
||||
return False
|
||||
return True
|
||||
|
||||
def test_methods_exist(self):
|
||||
v = VaultEditor(None, None, None)
|
||||
slots = ['create_file',
|
||||
|
@ -51,6 +60,8 @@ class TestVaultEditor(TestCase):
|
|||
assert hasattr(v, slot), "VaultLib is missing the %s method" % slot
|
||||
|
||||
def test_decrypt_1_0(self):
|
||||
if self._is_fips():
|
||||
raise SkipTest('Vault-1.0 will not function on FIPS enabled systems')
|
||||
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
||||
raise SkipTest
|
||||
dirpath = tempfile.mkdtemp()
|
||||
|
@ -75,11 +86,11 @@ class TestVaultEditor(TestCase):
|
|||
assert error_hit == False, "error decrypting 1.0 file"
|
||||
assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
|
||||
|
||||
def test_decrypt_1_0_newline(self):
|
||||
def test_decrypt_1_1_newline(self):
|
||||
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
||||
raise SkipTest
|
||||
dirpath = tempfile.mkdtemp()
|
||||
filename = os.path.join(dirpath, "foo-ansible-1.0-ansible-newline-ansible.yml")
|
||||
filename = os.path.join(dirpath, "foo-ansible-1.1-ansible-newline-ansible.yml")
|
||||
shutil.rmtree(dirpath)
|
||||
shutil.copytree("vault_test_data", dirpath)
|
||||
ve = VaultEditor(None, "ansible\nansible\n", filename)
|
||||
|
@ -97,8 +108,8 @@ class TestVaultEditor(TestCase):
|
|||
f.close()
|
||||
|
||||
shutil.rmtree(dirpath)
|
||||
assert error_hit == False, "error decrypting 1.0 file with newline in password"
|
||||
#assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
|
||||
assert error_hit == False, "error decrypting 1.1 file with newline in password"
|
||||
#assert fdata.strip() == "foo", "incorrect decryption of 1.1 file: %s" % fdata.strip()
|
||||
|
||||
|
||||
def test_decrypt_1_1(self):
|
||||
|
@ -123,11 +134,13 @@ class TestVaultEditor(TestCase):
|
|||
f.close()
|
||||
|
||||
shutil.rmtree(dirpath)
|
||||
assert error_hit == False, "error decrypting 1.0 file"
|
||||
assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
|
||||
assert error_hit == False, "error decrypting 1.1 file"
|
||||
assert fdata.strip() == "foo", "incorrect decryption of 1.1 file: %s" % fdata.strip()
|
||||
|
||||
|
||||
def test_rekey_migration(self):
|
||||
if self._is_fips():
|
||||
raise SkipTest('Vault-1.0 will not function on FIPS enabled systems')
|
||||
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
||||
raise SkipTest
|
||||
dirpath = tempfile.mkdtemp()
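Review bot: `_is_fips` in the first hunk uses a bare `except:` and never closes the file it opens, so any failure at all, not just a missing or unreadable /proc entry, is silently read as "not FIPS" and the vault 1.0 tests then run instead of being skipped. Narrow the handler to `except (IOError, OSError):` and read through `with open('/proc/sys/crypto/fips_enabled') as f: data = f.read().strip()`. Separately, the migrated `test_decrypt_1_1_newline` still leaves its plaintext check commented out (`#assert fdata.strip() == "foo", ...`), so it appears to prove only that decryption raised no error. If the plaintext of the new 1.1 fixture is known, re-enabling that assert would let the test catch a wrong decryption result. The bodies of these tests extend outside the visible hunks, so this is based only on the lines shown.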
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.0;AES
|
||||
53616c7465645f5ff0442ae8b08e2ff316d0d6512013185df7aded44f3c0eeef1b7544d078be1fe7
|
||||
ed88d0fedcb11928df45558f4b7f80fce627fbb08c5288885ab053f4129175779a8f24f5c1113731
|
||||
7d22cee14284670953c140612edf62f92485123fc4f15099ffe776e906e08145
|
|
@ -0,0 +1,6 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61333063333663376535373431643063613232393438623732643966613962363563383132363631
|
||||
3235363730623635323039623439343561313566313361630a313632643338613636303637623765
|
||||
64356531643630303636323064336439393335313836366235336464633635376339663830333232
|
||||
6338353337663139320a646632386131646431656165656338633535386535623236393265373634
|
||||
37656134633661333935346434363237613435323865356234323264663838643931
|