PYTHON-4509 [v4.8] Update to FIPS host with Python 3.8 binary (#1689)

blink1073 · web-flow · commit 255d1906d21f · 2024-06-17T13:37:13.000-05:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -962,7 +962,7 @@ task_groups:
             - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/delete-vm.sh
       - func: "upload test results"
     setup_group_can_fail_task: true
-    teardown_group_can_fail_task: true
+    teardown_task_can_fail_task: true
     setup_group_timeout_secs: 1800
     tasks:
     - testazurekms-task
@@ -2220,9 +2220,9 @@ axes:
         display_name: "RHEL 8.x"
         run_on: rhel87-small
         batchtime: 10080  # 7 days
-      - id: rhel80-fips
-        display_name: "RHEL 8.0 FIPS"
-        run_on: rhel80-fips
+      - id: rhel92-fips
+        display_name: "RHEL 9.2 FIPS"
+        run_on: rhel92-fips
         batchtime: 10080  # 7 days
       - id: ubuntu-22.04
         display_name: "Ubuntu 22.04"
@@ -2596,7 +2596,7 @@ buildvariants:
 - matrix_name: "tests-fips"
   matrix_spec:
     platform:
-      - rhel80-fips
+      - rhel92-fips
     auth: "auth"
     ssl: "ssl"
   display_name: "${platform} ${auth} ${ssl}"
diff --git a/test/__init__.py b/test/__init__.py
@@ -277,6 +277,7 @@ def __init__(self):
         self.is_data_lake = False
         self.load_balancer = TEST_LOADBALANCER
         self.serverless = TEST_SERVERLESS
+        self._fips_enabled = None
         if self.load_balancer or self.serverless:
             self.default_client_options["loadBalanced"] = True
         if COMPRESSORS:
@@ -523,6 +524,17 @@ def storage_engine(self):
             # Raised if self.server_status is None.
             return None
 
+    @property
+    def fips_enabled(self):
+        if self._fips_enabled is not None:
+            return self._fips_enabled
+        try:
+            subprocess.check_call(["fips-mode-setup", "--is-enabled"])
+            self._fips_enabled = True
+        except (subprocess.SubprocessError, FileNotFoundError):
+            self._fips_enabled = False
+        return self._fips_enabled
+
     def check_auth_type(self, auth_type):
         auth_mechs = self.server_parameters.get("authenticationMechanisms", [])
         return auth_type in auth_mechs
@@ -670,6 +682,12 @@ def require_auth(self, func):
             lambda: self.auth_enabled, "Authentication is not enabled on the server", func=func
         )
 
+    def require_no_fips(self, func):
+        """Run a test only if the host does not have FIPS enabled."""
+        return self._require(
+            lambda: not self.fips_enabled, "Test cannot run on a FIPS-enabled host", func=func
+        )
+
     def require_no_auth(self, func):
         """Run a test only if the server is running without auth enabled."""
         return self._require(
diff --git a/test/test_auth.py b/test/test_auth.py
@@ -343,6 +343,7 @@ def tearDown(self):
         client_context.drop_user("pymongo_test", "user")
         super().tearDown()
 
+    @client_context.require_no_fips
     def test_scram_sha1(self):
         host, port = client_context.host, client_context.port
 
@@ -404,6 +405,7 @@ def test_scram_skip_empty_exchange(self):
         else:
             self.assertEqual(started, ["saslStart", "saslContinue", "saslContinue"])
 
+    @client_context.require_no_fips
     def test_scram(self):
         # Step 1: create users
         client_context.create_user(
diff --git a/test/test_client.py b/test/test_client.py
@@ -1016,6 +1016,7 @@ def test_bad_uri(self):
             MongoClient("http://localhost")
 
     @client_context.require_auth
+    @client_context.require_no_fips
     def test_auth_from_uri(self):
         host, port = client_context.host, client_context.port
         client_context.create_user("admin", "admin", "pass")
@@ -1072,6 +1073,7 @@ def test_username_and_password(self):
             rs_or_single_client_noauth(username="ad min", password="foo").server_info()
 
     @client_context.require_auth
+    @client_context.require_no_fips
     def test_lazy_auth_raises_operation_failure(self):
         lazy_client = rs_or_single_client_noauth(
             f"mongodb://user:wrong@{client_context.host}/pymongo_test", connect=False
diff --git a/test/test_connection_monitoring.py b/test/test_connection_monitoring.py
@@ -400,6 +400,7 @@ def mock_connect(*args, **kwargs):
         failed_event = listener.events[3]
         self.assertEqual(failed_event.reason, ConnectionCheckOutFailedReason.CONN_ERROR)
 
+    @client_context.require_no_fips
     def test_5_check_out_fails_auth_error(self):
         listener = CMAPListener()
         client = single_client_noauth(
diff --git a/test/test_database.py b/test/test_database.py
@@ -431,6 +431,7 @@ def test_cursor_command(self):
     def test_cursor_command_invalid(self):
         self.assertRaises(InvalidOperation, self.db.cursor_command, "usersInfo", "test")
 
+    @client_context.require_no_fips
     def test_password_digest(self):
         self.assertRaises(TypeError, auth._password_digest, 5)
         self.assertRaises(TypeError, auth._password_digest, True)
