diff --git a/.github/workflows/experimental.yml b/.github/workflows/experimental.yml index d4c296a69fdd2..00830fb0d5d22 100644 --- a/.github/workflows/experimental.yml +++ b/.github/workflows/experimental.yml @@ -219,6 +219,6 @@ jobs: $env:OPENSSL_MODULES = "$(pwd)\ossl-modules" .\openssl.exe list -providers .\openssl.exe md5 - ddev test --cov --junit datadog_checks_base -- -k before_fips - ddev test --cov --junit datadog_checks_base -- -k after_fips + ddev test --cov --junit datadog_checks_base -- -m fips_off + ddev test --cov --junit datadog_checks_base -- -m fips_on python -c "import ssl; ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers('MD5')" diff --git a/datadog_checks_base/tests/fips/test_md5_after_fips.py b/datadog_checks_base/tests/fips/test_fips.py similarity index 54% rename from datadog_checks_base/tests/fips/test_md5_after_fips.py rename to datadog_checks_base/tests/fips/test_fips.py index be6d41f9ad358..426e5e0861265 100644 --- a/datadog_checks_base/tests/fips/test_md5_after_fips.py +++ b/datadog_checks_base/tests/fips/test_fips.py @@ -1,9 +1,9 @@ # (C) Datadog, Inc. 2024-present # All rights reserved # Licensed under a 3-clause BSD style license (see LICENSE) -import os from typing import Any # noqa: F401 +import os import pytest from datadog_checks.base.utils.fips import enable_fips 
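Review bot: The switch from `-k before_fips` / `-k after_fips` to `-m fips_off` / `-m fips_on` makes these two steps depend on pytest markers, and no marker registration is visible in this diff. If `fips_off` and `fips_on` are not already declared in the package's pytest configuration, pytest will emit `PytestUnknownMarkWarning` for each use and fail collection under `--strict-markers`. Declaring them, for example `markers = ["fips_off: runs before FIPS mode is enabled", "fips_on: enables FIPS mode in-process"]`, would also document why the two groups run as separate commands. It is also worth confirming that a `-m` expression selecting no tests fails this step rather than passing quietly, since a renamed marker would otherwise leave the FIPS check unexercised.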
@@ -13,14 +13,40 @@ @pytest.fixture(scope="function") -def clean_environment(): - os.environ["GOFIPS"] = "0" - os.environ["OPENSSL_CONF"] = "" - os.environ["OPENSSL_MODULES"] = "" +def clean_environment(monkeypatch): + monkeypatch.setenv("GOFIPS", "0") + monkeypatch.setenv("OPENSSL_CONF", "") + monkeypatch.setenv("OPENSSL_MODULES", "") yield +@pytest.mark.fips_off +def test_ssl_md5_before_fips(clean_environment): + """ + MD5 cipher should be available through ssl before enabling FIPS mode. + """ + import ssl + + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + ctx.set_ciphers("MD5") + assert True + + +@pytest.mark.fips_off +def test_cryptography_md5_before_fips(clean_environment): + """ + MD5 cipher should be available through cryptography before enabling FIPS mode. + """ + from cryptography.hazmat.primitives import hashes + + assert hashes.Hash(hashes.MD5()) + + +@pytest.mark.fips_on def test_ssl_md5_after_fips(clean_environment): + """ + MD5 cipher should not be available through ssl after enabling FIPS mode. + """ import ssl enable_fips(path_to_openssl_conf=PATH_TO_OPENSSL_CONF, path_to_openssl_modules=PATH_TO_OPENSSL_MODULES) @@ -29,7 +55,11 @@ def test_ssl_md5_after_fips(clean_environment): ctx.set_ciphers("MD5") +@pytest.mark.fips_on def test_cryptography_md5_after_fips(clean_environment): + """ + MD5 cipher should not be available through cryptography after enabling FIPS mode. + """ from cryptography.exceptions import InternalError from cryptography.hazmat.primitives import hashes diff --git a/datadog_checks_base/tests/fips/test_md5_before_fips.py b/datadog_checks_base/tests/fips/test_md5_before_fips.py deleted file mode 100644 index da35054d170b6..0000000000000 --- a/datadog_checks_base/tests/fips/test_md5_before_fips.py +++ /dev/null 
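Review bot: The two added `fips_off` tests end in assertions that cannot fail: `assert True` in `test_ssl_md5_before_fips`, and `assert hashes.Hash(hashes.MD5())` in `test_cryptography_md5_before_fips`, where a constructed object is always truthy. These tests are the positive control showing that MD5 is usable until FIPS mode is enabled, so I would make the cryptography one compute a digest with `h = hashes.Hash(hashes.MD5())`, `h.update(b"")`, `assert h.finalize().hex() == "d41d8cd98f00b204e9800998ecf8427e"` (the MD5 of empty input), and drop the `assert True`. The docstrings on the cryptography tests, here and in the `@@ -29,7 +55,11 @@` hunk, say "MD5 cipher" where a hash is being exercised. Because both marker groups now share one module, a short module comment would help anyone running the file without `-m`: it should state that `fips_on` tests presumably change OpenSSL state for the whole process and so must not share an interpreter with `fips_off` tests.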
@@ -1,30 +0,0 @@
-# (C) Datadog, Inc. 2024-present
-# All rights reserved
-# Licensed under a 3-clause BSD style license (see LICENSE)
-import os
-from typing import Any # noqa: F401
-
-import pytest
-
-
-@pytest.fixture(scope="function")
-def clean_environment():
- os.environ["GOFIPS"] = "0"
- os.environ["OPENSSL_CONF"] = ""
- os.environ["OPENSSL_MODULES"] = ""
- yield
-
-
-def test_ssl_md5_before_fips(clean_environment):
- import ssl
-
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
- ctx.set_ciphers("MD5")
- assert True
-
-
-def test_cryptography_md5_before_fips(clean_environment):
- from cryptography.hazmat.primitives import hashes
-
- hashes.Hash(hashes.MD5())
- assert True