tests(fips): fix the issue where FIPS mode was not enabled in the FIP…

…S test (#10031) KAG-5187
Kong · Sep 24, 2024 · 764d74d · 764d74d
1 parent 0751591
commit 764d74d
Show file tree

Hide file tree

Showing 14 changed files with 282 additions and 217 deletions.
diff --git a/.ci/run_tests_github.sh b/.ci/run_tests_github.sh
@@ -90,7 +90,7 @@ if [ "$TEST_SUITE" == "plugins-ee" ]; then
         ["third"]="kafka-log oas-validation saml vault-auth"
         ["fourth"]="upstream-oauth mtls-auth header-cert-auth request-validator kafka-upstream konnect-application-auth opa"
         ["fips-first"]="openid-connect"
-        ["fips-second"]="mtls-auth saml header-cert-auth"
+        ["fips-second"]="mtls-auth saml header-cert-auth upstream-oauth"
     )
 
     plugins=${plugins_to_test["$TEST_SPLIT"]}

diff --git a/.ci/test_suites.json b/.ci/test_suites.json
@@ -33,7 +33,8 @@
     "exclude_tags": "flaky,ipv6,ce,off",
     "venv_script": "kong-dev-fips-venv.sh",
     "environment": {
-      "KONG_TEST_DATABASE": "postgres"
+      "KONG_TEST_DATABASE": "postgres",
+      "KONG_TEST_FIPS": "on"
     },
     "specs": [
       "spec-ee/05-fips",

diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -997,6 +997,14 @@ jobs:
         echo "/usr/local/openresty/nginx/sbin/" >> $GITHUB_PATH
         echo SPEC_ERRLOG_CACHE_DIR=/tmp/${{ github.run_id }}/plugins_ee_test/${{ matrix.label }}_${{ matrix.split }} >> $GITHUB_ENV
 
+    - name: Set FIPS environment variable
+      run: |
+        if [[ "${{ matrix.label }}" == "fips" ]]; then
+          echo "KONG_TEST_FIPS=on" >> $GITHUB_ENV
+        else
+          echo "KONG_TEST_FIPS=off" >> $GITHUB_ENV
+        fi
+
     - name: Checkout Kong source code
       uses: actions/checkout@v3
       with:
@@ -1008,7 +1016,7 @@ jobs:
       with:
         repository: Kong/kong-pongo
         path: kong-pongo
-        ref: 2.13.0
+        ref: kag5187_add_fips_env
         submodules: recursive
         token: ${{ secrets.GHA_KONG_BOT_READ_TOKEN }}
 

diff --git a/spec-ee/02-integration/01-rbac/02-rbac_api_spec.lua b/spec-ee/02-integration/01-rbac/02-rbac_api_spec.lua
@@ -18,6 +18,7 @@ local get_portal_and_vitals_key = require("spec-ee.helpers").get_portal_and_vita
 
 local PORTAL_PREFIX = constants.PORTAL_PREFIX
 local null = ngx.null
+local is_fips = os.getenv("KONG_FIPS")
 
 
 local compare_no_order = require "pl.tablex".compare_no_order
@@ -202,7 +203,11 @@ describe("Admin API RBAC with #" .. strategy, function()
         local json = cjson.decode(body)
 
         assert.equal("bob", json.name)
-        assert.matches("%$2b%$09%$", json.user_token)
+        if is_fips then
+          assert.matches("%$pbkdf2%-sha512%$i%=10000,l%=32%$", json.user_token)
+        else
+          assert.matches("%$2b%$09%$", json.user_token)
+        end
         assert.equal("bar", json.comment)
         assert.is_true(utils.is_valid_uuid(json.id))
         assert.is_true(json.enabled)
@@ -225,7 +230,11 @@ describe("Admin API RBAC with #" .. strategy, function()
         local json = cjson.decode(body)
 
         assert.equal("fubar", json.name)
-        assert.matches("%$2b%$09%$", json.user_token)
+        if is_fips then
+          assert.matches("%$pbkdf2%-sha512%$i%=10000,l%=32%$", json.user_token)
+        else
+          assert.matches("%$2b%$09%$", json.user_token)
+        end
 
         -- what I really want to do here is :find_all({ name = "fubar" }),
         -- but that doesn't return any results
@@ -385,7 +394,11 @@ describe("Admin API RBAC with #" .. strategy, function()
         local json = cjson.decode(body)
 
         assert.equal("alice", json.name)
-        assert.matches("%$2b%$09%$", json.user_token)
+        if is_fips then
+          assert.matches("%$pbkdf2%-sha512%$i%=10000,l%=32%$", json.user_token)
+        else
+          assert.matches("%$2b%$09%$", json.user_token)
+        end
         assert.is_true(utils.is_valid_uuid(json.id))
         assert.is_false(json.enabled)
       end)
@@ -694,7 +707,11 @@ describe("Admin API RBAC with #" .. strategy, function()
         body = assert.res_status(200, res)
         local json = cjson.decode(body)
 
-        assert.matches("%$2b%$09%$", json.user_token)
+        if is_fips then
+          assert.matches("%$pbkdf2%-sha512%$i%=10000,l%=32%$", json.user_token)
+        else
+          assert.matches("%$2b%$09%$", json.user_token)
+        end
         assert.not_equal(rbac_user.user_token, json.user_token)
       end)
 

diff --git a/spec-ee/02-integration/03-vitals/02-vitals_spec.lua b/spec-ee/02-integration/03-vitals/02-vitals_spec.lua
@@ -779,8 +779,10 @@ for _, strategy in helpers.each_strategy() do
         assert.spy(s_strategy).was_called(1)
       end)
       it("doesn't initialize strategy when license is free and returns message", function()
+        local fips = os.getenv("KONG_FIPS")
         kong.configuration.vitals = false
         helpers.unsetenv("KONG_LICENSE_DATA")
+        helpers.unsetenv("KONG_FIPS")
 
         local vitals = kong_vitals.new { db = db }
         vitals:reset_counters()
@@ -791,6 +793,10 @@ for _, strategy in helpers.each_strategy() do
 
         assert.spy(s_strategy).was_called(0)
         assert.same(expected, res)
+
+        if fips then
+          helpers.setenv("KONG_FIPS", fips)
+        end
       end)
     end)
 

diff --git a/spec-ee/02-integration/05-admin-gui/01-admins_spec.lua b/spec-ee/02-integration/05-admin-gui/01-admins_spec.lua
@@ -1218,6 +1218,7 @@ for _, strategy in helpers.each_strategy() do
 
         local config = {
           admin_invitation_expiry = 600,
+          fips = os.getenv("KONG_FIPS"),
         }
 
         if _G.kong then

diff --git a/spec-ee/02-integration/16-plugins-ordering/02-plugins-ordering_validation_spec.lua b/spec-ee/02-integration/16-plugins-ordering/02-plugins-ordering_validation_spec.lua
@@ -8,10 +8,9 @@
 local helpers = require "spec.helpers"
 local cjson = require "cjson"
 
+local client
 
 for _, strategy in helpers.all_strategies({"postgres", "off"}) do
-
-  local client
   describe("validate plugin ordering schemas", function()
     lazy_setup(function()
       helpers.get_db_utils(nil, {})
@@ -225,6 +224,7 @@ end
 
 for _, strategy in helpers.each_strategy() do
   describe("Dynamic Plugin Ordering - Free License #" .. strategy, function()
+    local fips_flag = os.getenv("KONG_FIPS")
 
     lazy_setup(function()
       helpers.stop_kong()
@@ -233,6 +233,7 @@ for _, strategy in helpers.each_strategy() do
 
       -- No license is present
       helpers.unsetenv("KONG_LICENSE_DATA")
+      helpers.unsetenv("KONG_FIPS")
 
       assert(helpers.start_kong({
         database  = strategy,
@@ -245,6 +246,9 @@ for _, strategy in helpers.each_strategy() do
       if client then
         client:close()
       end
+      if fips_flag then
+        helpers.setenv("KONG_FIPS", fips_flag)
+      end
     end)
 
     it("POST to setup a plugin with ordering but Kong is in free-mode", function()

diff --git a/spec-ee/02-integration/19-vaults/01-free_vaults_spec.lua b/spec-ee/02-integration/19-vaults/01-free_vaults_spec.lua
@@ -17,6 +17,7 @@ describe("License restrictions in \"free\" mode", function()
       helpers.get_db_utils()
       helpers.unsetenv("KONG_LICENSE_DATA")
       helpers.unsetenv("KONG_TEST_LICENSE_DATA")
+      helpers.unsetenv("KONG_FIPS")
       assert(helpers.start_kong({
         license_path = license_path,
         vaults = "bundled",

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -1055,7 +1055,8 @@ describe("Configuration loader", function()
         it("requires SSL DH param file to exist", function()
           local conf, _, errors = conf_loader(nil, {
             ssl_cipher_suite = "custom",
-            ssl_dhparam = "/path/dhparam.pem"
+            ssl_dhparam = "/path/dhparam.pem",
+            fips = false,
           })
           assert.equal(1, #errors)
           assert.contains("ssl_dhparam: failed loading certificate from /path/dhparam.pem", errors)
@@ -1065,6 +1066,7 @@ describe("Configuration loader", function()
             ssl_cipher_suite = "custom",
             nginx_http_ssl_dhparam = "/path/dhparam-http.pem",
             nginx_stream_ssl_dhparam = "/path/dhparam-stream.pem",
+            fips = false,
           })
           assert.equal(2, #errors)
           assert.contains("nginx_http_ssl_dhparam: no such file at /path/dhparam-http.pem", errors)
@@ -1391,7 +1393,8 @@ describe("Configuration loader", function()
         end)
         it("errors on invalid ssl_cipher_suite", function()
           local conf, _, errors = conf_loader(nil, {
-            ssl_cipher_suite = "foo"
+            ssl_cipher_suite = "foo",
+            fips = false,
           })
           assert.is_nil(conf)
           assert.equal(1, #errors)
@@ -1401,13 +1404,15 @@ describe("Configuration loader", function()
           local conf, err = conf_loader(nil, {
             ssl_cipher_suite = "custom",
             ssl_ciphers      = "foo:bar",
+            fips             = false
           })
           assert.is_nil(err)
           assert.equals("foo:bar", conf.ssl_ciphers)
         end)
         it("doesn't override ssl_ciphers when undefined", function()
           local conf, err = conf_loader(nil, {
             ssl_cipher_suite = "custom",
+            fips             = false
           })
           assert.is_nil(err)
           assert.same(nil, conf.ssl_ciphers)

diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
@@ -1504,6 +1504,7 @@ describe("NGINX conf compiler", function()
           local params = {
             ssl_cipher_suite = "old",
             prefix = tmp_config.prefix,
+            fips = false,
           }
           local ssl_params = {
             ssl_cert = cert,