Make VaultEditor Tests compatible with FIPS mode

Migrate one test to vault-1.1.  Skip the two other vault 1.0 tests if
running on a FIPS enabled system
This commit is contained in:
Toshio Kuratomi 2014-11-12 12:05:25 -08:00
parent e05b22e0d1
commit 44eb19d553
3 changed files with 27 additions and 12 deletions

View file

@ -37,6 +37,15 @@ except ImportError:
class TestVaultEditor(TestCase):
def _is_fips(self):
try:
data = open('/proc/sys/crypto/fips_enabled').read().strip()
except:
return False
if data != '1':
return False
return True
def test_methods_exist(self):
v = VaultEditor(None, None, None)
slots = ['create_file',
@ -51,6 +60,8 @@ class TestVaultEditor(TestCase):
assert hasattr(v, slot), "VaultLib is missing the %s method" % slot
def test_decrypt_1_0(self):
if self._is_fips():
raise SkipTest('Vault-1.0 will not function on FIPS enabled systems')
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()
@ -75,18 +86,18 @@ class TestVaultEditor(TestCase):
assert error_hit == False, "error decrypting 1.0 file"
assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
def test_decrypt_1_0_newline(self):
def test_decrypt_1_1_newline(self):
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()
filename = os.path.join(dirpath, "foo-ansible-1.0-ansible-newline-ansible.yml")
filename = os.path.join(dirpath, "foo-ansible-1.1-ansible-newline-ansible.yml")
shutil.rmtree(dirpath)
shutil.copytree("vault_test_data", dirpath)
ve = VaultEditor(None, "ansible\nansible\n", filename)
# make sure the password functions for the cipher
error_hit = False
try:
try:
ve.decrypt_file()
except errors.AnsibleError, e:
error_hit = True
@ -97,8 +108,8 @@ class TestVaultEditor(TestCase):
f.close()
shutil.rmtree(dirpath)
assert error_hit == False, "error decrypting 1.0 file with newline in password"
#assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
assert error_hit == False, "error decrypting 1.1 file with newline in password"
#assert fdata.strip() == "foo", "incorrect decryption of 1.1 file: %s" % fdata.strip()
def test_decrypt_1_1(self):
@ -112,7 +123,7 @@ class TestVaultEditor(TestCase):
# make sure the password functions for the cipher
error_hit = False
try:
try:
ve.decrypt_file()
except errors.AnsibleError, e:
error_hit = True
@ -123,11 +134,13 @@ class TestVaultEditor(TestCase):
f.close()
shutil.rmtree(dirpath)
assert error_hit == False, "error decrypting 1.0 file"
assert fdata.strip() == "foo", "incorrect decryption of 1.0 file: %s" % fdata.strip()
assert error_hit == False, "error decrypting 1.1 file"
assert fdata.strip() == "foo", "incorrect decryption of 1.1 file: %s" % fdata.strip()
def test_rekey_migration(self):
if self._is_fips():
raise SkipTest('Vault-1.0 will not function on FIPS enabled systems')
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
raise SkipTest
dirpath = tempfile.mkdtemp()

View file

@ -1,4 +0,0 @@
$ANSIBLE_VAULT;1.0;AES
53616c7465645f5ff0442ae8b08e2ff316d0d6512013185df7aded44f3c0eeef1b7544d078be1fe7
ed88d0fedcb11928df45558f4b7f80fce627fbb08c5288885ab053f4129175779a8f24f5c1113731
7d22cee14284670953c140612edf62f92485123fc4f15099ffe776e906e08145

View file

@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
61333063333663376535373431643063613232393438623732643966613962363563383132363631
3235363730623635323039623439343561313566313361630a313632643338613636303637623765
64356531643630303636323064336439393335313836366235336464633635376339663830333232
6338353337663139320a646632386131646431656165656338633535386535623236393265373634
37656134633661333935346434363237613435323865356234323264663838643931