diff --git a/.ci/.matrix_framework_fips.yml b/.ci/.matrix_framework_fips.yml
new file mode 100644
index 000000000..6bbc9cd3e
--- /dev/null
+++ b/.ci/.matrix_framework_fips.yml
@@ -0,0 +1,23 @@
+# this is a limited list of matrix builds to be used for PRs
+# see .matrix_framework_full.yml for a full list
+FRAMEWORK:
+ - none
+ - django-5.0
+ - flask-3.0
+ - jinja2-3
+ - opentelemetry-newest
+ - opentracing-newest
+ - twisted-newest
+ - celery-5-flask-2
+ - celery-5-django-5
+ - requests-newest
+ - psutil-newest
+ - gevent-newest
+ - aiohttp-newest
+ - tornado-newest
+ - starlette-newest
+ - graphene-2
+ - httpx-newest
+ - httplib2-newest
+ - prometheus_client-newest
+ - sanic-newest
diff --git a/.ci/.matrix_python_fips.yml b/.ci/.matrix_python_fips.yml
new file mode 100644
index 000000000..01cf811ac
--- /dev/null
+++ b/.ci/.matrix_python_fips.yml
@@ -0,0 +1,2 @@
+VERSION:
+ - python-3.12
diff --git a/.github/workflows/test-fips.yml b/.github/workflows/test-fips.yml
new file mode 100644
index 000000000..3712f00d0
--- /dev/null
+++ b/.github/workflows/test-fips.yml
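Review bot: The header comment on the first hunk says this is a limited list "to be used for PRs", but the only consumer added in this commit, `.github/workflows/test-fips.yml`, triggers on `schedule` and `workflow_dispatch`, not on pull requests, so the comment reads as copied from another matrix file and will mislead the next maintainer. Suggest `# limited framework matrix for the scheduled FIPS run (see .github/workflows/test-fips.yml)` followed by the existing `# see .matrix_framework_full.yml for a full list`. The `.matrix_python_fips.yml` hunk could carry a one-line comment that the Python version here must match the `python-fips` image tag used in the workflow, since nothing ties the two together.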
@@ -0,0 +1,69 @@
+
+# run test suite inside a FIPS 140 container
+name: test-fips
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 4 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ create-matrix:
+ runs-on: ubuntu-24.04
+ outputs:
+ matrix: ${{ steps.generate.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@v4
+ - id: generate
+ uses: elastic/oblt-actions/version-framework@v1
+ with:
+ versions-file: .ci/.matrix_python_fips.yml
+ frameworks-file: .ci/.matrix_framework_fips.yml
+
+ test-fips:
+ needs: create-matrix
+ runs-on: ubuntu-24.04
+ # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
+ # docker run -it --rm --name fipsy docker.elastic.co/wolfi/python-fips:3.12
+ container:
+ image: docker.elastic.co/wolfi/python-fips:3.12-dev
+ options: --user root
+ credentials:
+ username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
+ password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
+ timeout-minutes: 30
+ strategy:
+ fail-fast: false
+ max-parallel: 10
+ matrix: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: check that python has fips mode enabled
+ run: |
+ python3 -c 'import _hashlib; assert _hashlib.get_fips_mode() == 1'
+ - name: install run_tests.sh requirements
+ run: apk add netcat-openbsd tzdata
+ - name: Run tests
+ run: ./tests/scripts/run_tests.sh
+ env:
+ FRAMEWORK: ${{ matrix.framework }}
+
+ notify-on-failure:
+ if: always()
+ runs-on: ubuntu-24.04
+ needs: test-fips
+ steps:
+ - id: check
+ uses: elastic/oblt-actions/check-dependent-jobs@v1
+ with:
+ jobs: ${{ toJSON(needs) }}
+ - name: Notify in Slack
+ if: steps.check.outputs.status == 'failure'
+ uses: elastic/oblt-actions/slack/notify-result@v1
+ with:
+ bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+ status: ${{ steps.check.outputs.status }}
+ channel-id: "#apm-agent-python"
diff --git a/tests/config/tests.py b/tests/config/tests.py
index c0d6820c4..5fb9848be 100644
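Review bot: Everything this scheduled job validates is resolved through mutable references — the `container.image` tag `docker.elastic.co/wolfi/python-fips:3.12-dev` and the `actions/checkout@v4` / `elastic/oblt-actions/*@v1` tags — so a run that passes today says nothing about what the next scheduled run will execute, and a retagged image or action changes the FIPS result silently; pin the image by digest, `image: docker.elastic.co/wolfi/python-fips:3.12-dev@sha256:<digest-placeholder>`, and each action by commit SHA with the version in a trailing comment, `uses: actions/checkout@<commit-sha-placeholder> # v4`. The `# docker run ... python-fips:3.12` comment above `container:` names a different tag than the `image:` line (`3.12-dev`); align the comment with the tag actually used. `options: --user root` means the whole suite runs as root inside the container, which is presumably why `tests/config/tests.py` gains a `os.getuid() == 0` skip in the same commit — a short comment on the `options:` line stating why root is required would save the next reader that inference. The file also opens with an empty line before the header comment and lacks a `---` document start; minor, but worth tidying since it is a new file.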
--- a/tests/config/tests.py
+++ b/tests/config/tests.py
@@ -278,7 +278,10 @@ def test_file_is_readable_validator_not_a_file(tmpdir):
 assert "is not a file" in e.value.args[0]
-@pytest.mark.skipif(platform.system() == "Windows", reason="os.access() doesn't seem to work as we expect on Windows")
+@pytest.mark.skipif(
+    platform.system() == "Windows" or os.getuid() == 0,
+    reason="os.access() doesn't seem to work as we expect on Windows and test will fail as root user",
+)
 def test_file_is_readable_validator_not_readable(tmpdir):
 p = tmpdir.join("nonreadable")
 p.write("")
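Review bot: `os.getuid` exists only on POSIX, so the new skip condition on the `platform.system() == "Windows" or os.getuid() == 0` line is correct only because the Windows check is evaluated first and short-circuits; that ordering dependency is invisible to a future reader who might reorder the operands and get an `AttributeError` at collection time on Windows. Suggest a comment directly above the decorator: `# order matters: os.getuid() is POSIX-only, so the Windows check must short-circuit first`. The skip itself is sound — root bypasses discretionary permission checks, so `os.access()` reports the chmod'd file as readable — but the `os` import this relies on is outside the hunk, so confirm the module already imports it. The body of `test_file_is_readable_validator_not_readable` continues past the end of the hunk.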