Enable FIPS tests

Make it possible to test if system FIPS mode has been enabled in the resulting images by running the scripts with a FIPS="true" environment variable Signed-off-by: Miguel Martín <mmartinv@redhat.com>
2023-11-16 16:35:46 +01:00 · 2023-11-16 16:35:46 +01:00 · a0d357c66b
commit a0d357c66b
parent 10ccb3b385
5 changed files with 101 additions and 4 deletions
--- a/test/cases/ostree-ami-image.sh
+++ b/test/cases/ostree-ami-image.sh
@ -79,6 +79,9 @@ SSH_KEY=${SSH_DATA_DIR}/id_rsa
 SSH_KEY_PUB=$(cat "${SSH_KEY}".pub)
 IGNITION_USER=core

+# Set FIPS variable default
+FIPS="${FIPS:-false}"
+
 case "${ID}-${VERSION_ID}" in
    "rhel-9."*)
        OSTREE_REF="rhel/9/${ARCH}/edge"
@ -575,7 +578,16 @@ description = "A rhel-edge ami"
 version = "0.0.1"
 modules = []
 groups = []
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
+[customizations]
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
@ -856,6 +868,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-ami-image \
    -e ostree_commit="${INSTALL_HASH}" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -1033,6 +1046,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-ami-image \
    -e ostree_commit="${UPGRADE_HASH}" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

--- a/test/cases/ostree-ng.sh
+++ b/test/cases/ostree-ng.sh
@ -111,6 +111,9 @@ KERNEL_RT_PKG="kernel-rt"
 # Set up variables.
 SYSROOT_RO="false"

+# Set FIPS variable default
+FIPS="${FIPS:-false}"
+
 case "${ID}-${VERSION_ID}" in
    fedora-*)
        CONTAINER_TYPE=iot-container
@ -499,7 +502,16 @@ description = "A rhel-edge installer image"
 version = "0.0.1"
 modules = []
 groups = []
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
+[customizations]
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "installeruser"
 description = "Added by installer blueprint"
@ -628,6 +640,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e embeded_container="${EMBEDED_CONTAINER}" \
    -e test_custom_dirs_files="${DIRS_FILES_CUSTOMIZATION}" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -717,6 +730,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e embeded_container="${EMBEDED_CONTAINER}" \
    -e test_custom_dirs_files="${DIRS_FILES_CUSTOMIZATION}" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0

 # Check image installation result
@ -901,6 +915,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e embeded_container="${EMBEDED_CONTAINER}" \
    -e test_custom_dirs_files="${DIRS_FILES_CUSTOMIZATION}" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

--- a/test/cases/ostree-raw-image.sh
+++ b/test/cases/ostree-raw-image.sh
@ -104,6 +104,9 @@ KERNEL_RT_PKG="kernel-rt"
 SYSROOT_RO="false"
 CUSTOM_DIRS_FILES="false"

+# Set FIPS variable default
+FIPS="${FIPS:-false}"
+
 case "${ID}-${VERSION_ID}" in
    "rhel-8"* )
        OSTREE_REF="rhel/8/${ARCH}/edge"
@ -418,6 +421,13 @@ modules = []
 groups = []
 EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
+[customizations]
+fips = ${FIPS}
+EOF
+fi
+
 # User in raw image blueprint is not for RHEL 9.1 and 8.7
 # Workaround for RHEL 9.1 and 8.7 nightly test
 if [[ "$USER_IN_RAW" == "true" ]]; then
@ -573,6 +583,7 @@ EOF
        -e ostree_commit="${INSTALL_HASH}" \
        -e sysroot_ro="$SYSROOT_RO" \
        -e test_custom_dirs_files="$CUSTOM_DIRS_FILES" \
+        -e fips="${FIPS}" \
        /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
    check_result

@ -740,6 +751,7 @@ EOF
        -e ostree_commit="${REBASE_HASH}" \
        -e sysroot_ro="$SYSROOT_RO" \
        -e test_custom_dirs_files="$CUSTOM_DIRS_FILES" \
+        -e fips="${FIPS}" \
        /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0

    check_result
@ -845,6 +857,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e ostree_commit="${INSTALL_HASH}" \
    -e sysroot_ro="$SYSROOT_RO" \
    -e test_custom_dirs_files="$CUSTOM_DIRS_FILES" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -1036,6 +1049,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e ostree_commit="${UPGRADE_HASH}" \
    -e sysroot_ro="$SYSROOT_RO" \
    -e test_custom_dirs_files="$CUSTOM_DIRS_FILES" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

--- a/test/cases/ostree-simplified-installer.sh
+++ b/test/cases/ostree-simplified-installer.sh
@ -1,4 +1,5 @@
 #!/bin/bash
+
 set -euo pipefail

 # Provision the software under test.
@ -125,6 +126,9 @@ SYSROOT_RO="false"
 ANSIBLE_USER="admin"
 FDO_USER_ONBOARDING="false"

+# Set FIPS variable default
+FIPS="${FIPS:-false}"
+
 case "${ID}-${VERSION_ID}" in
    "rhel-8"* )
        OSTREE_REF="rhel/8/${ARCH}/edge"
@ -445,6 +449,12 @@ groups = ["wheel"]
 installation_device = "/dev/vda"
 EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
+fips = ${FIPS}
+EOF
+fi
+
 greenprint "📄 simplified_iso_without_fdo blueprint"
 cat "$BLUEPRINT_FILE"

@ -547,6 +557,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="false" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -569,10 +580,17 @@ description = "A rhel-edge simplified-installer image"
 version = "0.0.1"
 modules = []
 groups = []
-
 [customizations]
 installation_device = "/dev/vda"
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
 [[customizations.user]]
 name = "simple"
 description = "Administrator account"
@ -706,7 +724,7 @@ ansible_python_interpreter=/usr/bin/python3
 ansible_user=simple
 ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-ansible_become=yes 
+ansible_become=yes
 ansible_become_method=sudo
 ansible_become_pass=${EDGE_USER_PASSWORD}
 EOF
@ -719,6 +737,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="true" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -748,7 +767,15 @@ groups = []

 [customizations]
 installation_device = "/dev/vda"
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
 [customizations.fdo]
 manufacturing_server_url="http://${FDO_SERVER_ADDRESS}:8080"
 diun_pub_key_hash="${DIUN_PUB_KEY_HASH}"
@ -871,7 +898,7 @@ ansible_python_interpreter=/usr/bin/python3
 ansible_user=${ANSIBLE_USER}
 ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-ansible_become=yes 
+ansible_become=yes
 ansible_become_method=sudo
 ansible_become_pass=${EDGE_USER_PASSWORD}
 EOF
@ -889,6 +916,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="true" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -1026,6 +1054,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="true" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0

 check_result
@ -1062,7 +1091,15 @@ groups = []

 [customizations]
 installation_device = "/dev/vda"
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
 [customizations.fdo]
 manufacturing_server_url="http://${FDO_SERVER_ADDRESS}:8080"
 diun_pub_key_root_certs="""
@ -1172,7 +1209,7 @@ ansible_python_interpreter=/usr/bin/python3
 ansible_user=admin
 ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
-ansible_become=yes 
+ansible_become=yes
 ansible_become_method=sudo
 ansible_become_pass=${EDGE_USER_PASSWORD}
 EOF
@ -1185,6 +1222,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="true" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -1326,6 +1364,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-simplified-installer \
    -e fdo_credential="true" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0

 check_result
--- a/test/cases/ostree-vsphere.sh
+++ b/test/cases/ostree-vsphere.sh
@ -91,8 +91,12 @@ IGNITION_SERVER_URL=http://${HOST_IP_ADDRESS}/ignition
 IGNITION_USER=core
 IGNITION_USER_PASSWORD=foobar

+# Set up variables.
 SYSROOT_RO="true"

+# Set FIPS variable default
+FIPS="${FIPS:-false}"
+
 DATACENTER_70="Datacenter7.0"
 DATASTORE_70="datastore-80"
 DATACENTER_70_POOL="/Datacenter7.0/host/Automation/Resources"
@ -420,7 +424,16 @@ description = "A rhel-edge vmdk image"
 version = "0.0.1"
 modules = []
 groups = []
+EOF

+if [ "${FIPS}" == "true" ]; then
+    tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
+[customizations]
+fips = ${FIPS}
+EOF
+fi
+
+tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
@ -520,6 +533,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-vsphere \
    -e fdo_credential="false" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
 check_result

@ -653,6 +667,7 @@ sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \
    -e edge_type=edge-vsphere \
    -e fdo_credential="false" \
    -e sysroot_ro="$SYSROOT_RO" \
+    -e fips="${FIPS}" \
    /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0

 check_result