diff --git a/.evergreen/config.yml b/.evergreen/config.yml index f8b34384fe..bc2cf0bb40 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -962,7 +962,7 @@ task_groups: - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh - func: "upload test results" setup_group_can_fail_task: true - teardown_group_can_fail_task: true + teardown_task_can_fail_task: true setup_group_timeout_secs: 1800 tasks: - testazurekms-task @@ -2220,9 +2220,9 @@ axes: display_name: "RHEL 8.x" run_on: rhel87-small batchtime: 10080 # 7 days - - id: rhel80-fips - display_name: "RHEL 8.0 FIPS" - run_on: rhel80-fips + - id: rhel92-fips + display_name: "RHEL 9.2 FIPS" + run_on: rhel92-fips batchtime: 10080 # 7 days - id: ubuntu-22.04 display_name: "Ubuntu 22.04" @@ -2596,7 +2596,7 @@ buildvariants: - matrix_name: "tests-fips" matrix_spec: platform: - - rhel80-fips + - rhel92-fips auth: "auth" ssl: "ssl" display_name: "${platform} ${auth} ${ssl}" diff --git a/test/__init__.py b/test/__init__.py index e1eba725b0..c516838f47 100644 --- a/test/__init__.py +++ b/test/__init__.py @@ -277,6 +277,7 @@ def __init__(self): self.is_data_lake = False self.load_balancer = TEST_LOADBALANCER self.serverless = TEST_SERVERLESS + self._fips_enabled = None if self.load_balancer or self.serverless: self.default_client_options["loadBalanced"] = True if COMPRESSORS: @@ -523,6 +524,17 @@ def storage_engine(self): # Raised if self.server_status is None. return None + @property + def fips_enabled(self): + if self._fips_enabled is not None: + return self._fips_enabled + try: + subprocess.check_call(["fips-mode-setup", "--is-enabled"]) + self._fips_enabled = True + except (subprocess.SubprocessError, FileNotFoundError): + self._fips_enabled = False + return self._fips_enabled + def check_auth_type(self, auth_type): auth_mechs = self.server_parameters.get("authenticationMechanisms", []) return auth_type in auth_mechs @@ -670,6 +682,12 @@ def require_auth(self, func): lambda: self.auth_enabled, "Authentication is not enabled on the server", func=func ) + def require_no_fips(self, func): + """Run a test only if the host does not have FIPS enabled.""" + return self._require( + lambda: not self.fips_enabled, "Test cannot run on a FIPS-enabled host", func=func + ) + def require_no_auth(self, func): """Run a test only if the server is running without auth enabled.""" return self._require( diff --git a/test/test_auth.py b/test/test_auth.py index 596c94d562..74089bd68e 100644 --- a/test/test_auth.py +++ b/test/test_auth.py @@ -343,6 +343,7 @@ def tearDown(self): client_context.drop_user("pymongo_test", "user") super().tearDown() + @client_context.require_no_fips def test_scram_sha1(self): host, port = client_context.host, client_context.port @@ -404,6 +405,7 @@ def test_scram_skip_empty_exchange(self): else: self.assertEqual(started, ["saslStart", "saslContinue", "saslContinue"]) + @client_context.require_no_fips def test_scram(self): # Step 1: create users client_context.create_user( diff --git a/test/test_client.py b/test/test_client.py index 4377d410a9..a987d62111 100644 --- a/test/test_client.py +++ b/test/test_client.py @@ -1016,6 +1016,7 @@ def test_bad_uri(self): MongoClient("http://localhost") @client_context.require_auth + @client_context.require_no_fips def test_auth_from_uri(self): host, port = client_context.host, client_context.port client_context.create_user("admin", "admin", "pass") @@ -1072,6 +1073,7 @@ def test_username_and_password(self): rs_or_single_client_noauth(username="ad min", password="foo").server_info() @client_context.require_auth + @client_context.require_no_fips def test_lazy_auth_raises_operation_failure(self): lazy_client = rs_or_single_client_noauth( f"mongodb://user:wrong@{client_context.host}/pymongo_test", connect=False diff --git a/test/test_connection_monitoring.py b/test/test_connection_monitoring.py index f021c61f67..8c70c8f9a3 100644 --- a/test/test_connection_monitoring.py +++ b/test/test_connection_monitoring.py @@ -400,6 +400,7 @@ def mock_connect(*args, **kwargs): failed_event = listener.events[3] self.assertEqual(failed_event.reason, ConnectionCheckOutFailedReason.CONN_ERROR) + @client_context.require_no_fips def test_5_check_out_fails_auth_error(self): listener = CMAPListener() client = single_client_noauth( diff --git a/test/test_database.py b/test/test_database.py index 87391312f9..71383d5c63 100644 --- a/test/test_database.py +++ b/test/test_database.py @@ -431,6 +431,7 @@ def test_cursor_command(self): def test_cursor_command_invalid(self): self.assertRaises(InvalidOperation, self.db.cursor_command, "usersInfo", "test") + @client_context.require_no_fips def test_password_digest(self): self.assertRaises(TypeError, auth._password_digest, 5) self.assertRaises(TypeError, auth._password_digest, True)