Add fips mode test

.github/workflows/ci.yml

@@ -96,6 +96,13 @@ jobs:
     with:
       changed-files: ${{ needs.get-changed-files.outputs.changed-files }}
 
+  test-fips:
+    name: Test Fips Mode
+    needs:
+      - build-native
+      - get-changed-files
+    uses: ./.github/workflows/test-fips-action.yml
+
   #build-cross:
   #  name: Python Cross Builds
   #  uses: ./.github/workflows/build-action.yml

.github/workflows/test-fips-action.yml

@@ -0,0 +1,47 @@
+name: Test FIPS Mode
+
+on:
+  workflow_call:
+
+jobs:
+  container-test-job:
+    runs-on: ubuntu-latest
+    container:
+      image: photon:4.0
+
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - 3.10.13
+          - 3.11.5
+        arch:
+          - x86_64
+    env:
+      RELENV_DATA: ${{ github.workspace }}
+
+    steps:
+
+      - name: Install System Dependencies
+        run: |
+          yum install -y openssl-fips-provider python3 python3-virtualenv git gcc
+
+      - uses: actions/checkout@v3
+
+      - name: Download Build Artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ matrix.version }}-${{ matrix.arch }}-linux-gnu.tar.xz
+          path: ./build/
+
+      - name: Create Virtual Environment
+        run: |
+          virtualenv venv
+
+      - name: Install Virtual Environment Dependencies
+        run: |
+          ./venv/bin/pip3 install -r requirements/tests.txt
+
+      - name: Run Fips Tests
+        run: |
+          ./venv/bin/python3 -m pytest -v tests/test_fips_photon.py

tests/conftest.py

@@ -0,0 +1,55 @@
+import os
+import sys
+import platform
+
+import pytest
+
+from relenv.common import list_archived_builds, plat_from_triplet
+from relenv.create import create
+
+
+def get_build_version():
+    if "RELENV_PY_VERSION" in os.environ:
+        return os.environ["RELENV_PY_VERSION"]
+    builds = list(list_archived_builds())
+    versions = []
+    for version, arch, plat in builds:
+        sysplat = plat_from_triplet(plat)
+        if sysplat == sys.platform and arch == platform.machine().lower():
+            versions.append(version)
+    if versions:
+        return versions[0]
+
+
+@pytest.fixture(scope="module")
+def build_version():
+    return get_build_version()
+
+
+@pytest.fixture(scope="module")
+def minor_version():
+    yield get_build_version().rsplit(".", 1)[0]
+
+
+@pytest.fixture
+def build(tmp_path, build_version):
+    create("test", tmp_path, version=build_version)
+    yield tmp_path / "test"
+
+
+@pytest.fixture
+def pipexec(build):
+    if sys.platform == "win32":
+        exc = build / "Scripts" / "pip3.exe"
+    else:
+        exc = build / "bin" / "pip3"
+    yield exc
+
+
+@pytest.fixture
+def pyexec(build):
+    if sys.platform == "win32":
+        exc = build / "Scripts" / "python.exe"
+    else:
+        exc = build / "bin" / "python3"
+    yield exc

tests/test_fips_photon.py

@@ -0,0 +1,52 @@
+import os
+import pathlib
+import platform
+import subprocess
+
+import pytest
+
+from .conftest import get_build_version
+
+
+def check_test_environment():
+    uname = platform.uname()
+    return (
+        "photon" in uname.version
+        and "ph4" in uname.release
+        and pathlib.Path("/etc/ssl/fipsmodule.cnf")
+    )
+
+
+pytestmark = [
+    pytest.mark.skipif(not get_build_version(), reason="Build archive does not exist"),
+    pytest.mark.skipif(
+        not check_test_environment(), reason="Not running on photon 4 with fips enabled"
+    ),
+]
+
+
+def test_fips_mode(pyexec, build):
+    env = os.environ.copy()
+    proc = subprocess.run(
+        [
+            pyexec,
+            "-c",
+            "import hashlib; hashlib.sha256(b'')",
+        ],
+        check=False,
+        env=env,
+        capture_output=True,
+    )
+    assert proc.exitcode == 0
+    assert b"ValueError" not in proc.stderr
+    proc = subprocess.run(
+        [
+            pyexec,
+            "-c",
+            "import hashlib; hashlib.md5(b'')",
+        ],
+        check=False,
+        env=env,
+        capture_output=True,
+    )
+    assert b"ValueError" in proc.stderr

tests/test_verify_build.py

@@ -5,7 +5,6 @@
 """
 import os
 import pathlib
-import platform
 import shutil
 import subprocess
 import sys
@@ -14,63 +13,15 @@
 import packaging
 import pytest
 
-from relenv.common import DATA_DIR, get_triplet, list_archived_builds, plat_from_triplet
-from relenv.create import create
-
-
-def get_build_version():
-    if "RELENV_PY_VERSION" in os.environ:
-        return os.environ["RELENV_PY_VERSION"]
-    builds = list(list_archived_builds())
-    versions = []
-    for version, arch, plat in builds:
-        sysplat = plat_from_triplet(plat)
-        if sysplat == sys.platform and arch == platform.machine().lower():
-            versions.append(version)
-    if versions:
-        return versions[0]
-
-
-@pytest.fixture(scope="module")
-def build_version():
-    version = get_build_version()
-    yield version
-
-
-@pytest.fixture(scope="module")
-def minor_version():
-    yield get_build_version().rsplit(".", 1)[0]
+from relenv.common import DATA_DIR, get_triplet
 
+from .conftest import get_build_version
 
 pytestmark = [
     pytest.mark.skipif(not get_build_version(), reason="Build archive does not exist"),
 ]
 
 
-@pytest.fixture
-def build(tmp_path, build_version):
-    create("test", tmp_path, version=build_version)
-    yield tmp_path / "test"
-
-
-@pytest.fixture
-def pipexec(build):
-    if sys.platform == "win32":
-        exc = build / "Scripts" / "pip3.exe"
-    else:
-        exc = build / "bin" / "pip3"
-    yield exc
-
-
-@pytest.fixture
-def pyexec(build):
-    if sys.platform == "win32":
-        exc = build / "Scripts" / "python.exe"
-    else:
-        exc = build / "bin" / "python3"
-    yield exc
-
-
 @pytest.mark.skip_unless_on_windows
 def test_directories_win(build):
     assert (build / "Scripts").exists()