Skip to content

Added check for GNUtls in FIPS140 mode #2869

Added check for GNUtls in FIPS140 mode

Added check for GNUtls in FIPS140 mode #2869

Workflow file for this run

---
name: CI
on:
schedule:
- cron: "44 4 */2 * *"
pull_request:
workflow_dispatch:
concurrency:
group: integration-tests-${{ github.ref_name }}
cancel-in-progress: true
jobs:
format:
name: Ensure code is formatted
runs-on: ubuntu-latest
steps:
- name: checkout source code
uses: actions/checkout@v4
- name: Install necessary software
run: |
set -e
sudo apt update
sudo apt -y install jo tox
- name: Test formatting with ruff
run: tox -e format -- --check
gentestmatrix:
name: Generate test matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.setmatrix.outputs.matrix }}
steps:
- name: checkout source code
uses: actions/checkout@v4
- name: get the current PR
uses: 8BitJonny/[email protected]
id: pr
with:
github-token: ${{ github.token }}
# Verbose setting SHA when using Pull_Request event trigger to fix #16
sha: ${{ github.event.pull_request.head.sha }}
filterOutClosed: true
# jo is used only to generate matrix using json easily
- name: Install necessary software
run: sudo apt update && sudo apt install jo tox fish
- id: setmatrix
run: |
set stringified_matrix (tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d' -e '/ai/d' | jo -a)
# grep the [CI:TOXENVS] line and print everything after it.
# the sed call removes additional whitespace after a comma as
# otherwise awk only prints the toxenvs until the whitespace
set users_envs (echo $PR_BODY | sed 's|,\s*|,|g' | awk -F' ' '/^\[CI:TOXENVS\]/ { print $2 }')
if [ -n "$users_envs" ]
set stringified_matrix (echo "$users_envs,all,repository,metadata,multistage" | tr ',' '\n' | sort | uniq | jo -a)
end
echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT
shell: fish {0}
env:
PR_BODY: ${{ steps.pr.outputs.pr_body || '' }}
unit-tests:
name: Unit tests
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# 3.6: SLE15
# 3.9: RHEL/Centos/Liberty 9
# 3.11: Tumbleweed
# 3.12: Ubuntu 24.04
# 3.13: Future Tumbleweed
python_version: ["3.6", "3.9", "3.11", "3.12"]
container:
image: registry.suse.com/bci/python:${{ matrix.python_version }}
steps:
- name: checkout source code
uses: actions/checkout@v4
- name: Install tox
run: |
python3 --version
python3 -m ensurepip
python3 -m pip install tox
- run: "tox -e py$(echo $PY_VER | tr -d . )-unit -- -n auto --durations=25 --durations-min=600.0"
env:
SETUPTOOLS_SCM_PRETEND_VERSION: 1.2.3
PY_VER: ${{ matrix.python_version }}
documentation:
name: Build documentation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Install tox
run: sudo apt update && sudo apt install tox
- run: tox -e doc
lint:
name: Lint source code
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Install tox
run: sudo apt update && sudo apt install tox
- run: tox -e lint
test-containers:
name: tox
runs-on: ubuntu-latest
needs: gentestmatrix
strategy:
fail-fast: false
matrix:
toxenv: ${{fromJson(needs.gentestmatrix.outputs.matrix)}}
os_version:
- 15.5
- 15.6
- "tumbleweed"
include:
- toxenv: fips
testing_target: ibs-released
os_version: 15.3
- toxenv: fips
testing_target: ibs-released
os_version: 15.4
- toxenv: repository
testing_target: ibs-released
os_version: 15.5
- toxenv: all
testing_target: ibs-released
os_version: 15.3
- toxenv: base
testing_target: ibs-released
os_version: 15.3
- toxenv: all
testing_target: ibs-released
os_version: 15.4
- toxenv: base
testing_target: ibs-released
os_version: 15.4
- toxenv: metadata
testing_target: ibs-released
os_version: 15.4
- toxenv: all
os_version: 15.3
- toxenv: base
os_version: 15.3
- toxenv: metadata
os_version: 15.3
- toxenv: all
os_version: 15.4
- toxenv: base
os_version: 15.4
- toxenv: metadata
os_version: 15.4
- toxenv: all
os_version: "15.7"
- toxenv: base
os_version: "15.7"
- toxenv: minimal
os_version: "15.7"
- toxenv: metadata
os_version: "15.7"
- toxenv: python
os_version: "15.7"
- toxenv: repository
os_version: "15.7"
- toxenv: all
os_version: "16.0"
- toxenv: base
os_version: "16.0"
- toxenv: minimal
os_version: "16.0"
- toxenv: metadata
os_version: "16.0"
- toxenv: kernel_module
os_version: "16.0"
- toxenv: kiwi
os_version: "16.0"
steps:
- name: Clean up disk space to maximize available space
run: sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc /opt/hostedtoolcache/CodeQL && sudo docker image prune --all --force
- name: checkout source code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Install tox
run: |
sudo apt-get install python3-pip
python3 --version
python3 -m pip install tox
sudo python3 -m pip install tox
- name: Install ldap-utils to have ldapwhoami for the 389ds tests
run: |
sudo apt-get update
sudo apt-get install ldap-utils
command -v ldapwhoami
if: ${{ matrix.toxenv == '389ds' }}
- name: Install new podman from OBS
if: false
run: |
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/Release.key \
| gpg --dearmor \
| sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/ /" \
| sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
sudo apt-get update -qq
sudo apt-get -qq -y install podman buildah
sudo mkdir -p /etc/containers/registries.d/
- name: configure podman to use sigstore attachments
run: |
sudo install -d -m 755 /etc/containers/registries.d/
cat << EOF | sudo tee /etc/containers/registries.d/opensuse.yaml
docker:
registry.suse.de:
use-sigstore-attachments: true
registry.suse.com:
use-sigstore-attachments: true
registry.opensuse.org:
sigstore: https://registry.opensuse.org/sigstore
EOF
- name: configure podman to enforce signature checks
if: false
run: |
policy_json=$(cat /etc/containers/policy.json)
echo $policy_json | jq '.transports += { "docker": {"registry.opensuse.org": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/containers/devel_bci.key", "/etc/containers/opensuse_container-2023.key", "/etc/containers/opensuse_container.key"]}]}}' | sudo tee /etc/containers/policy.json
cat << EOF | sudo tee /etc/containers/devel_bci.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQa2Y4BEAC+VBw/6hJCCd+JlrngmHvAS2dbzz0dk0dh6rK7mhuuQTmTbJex
eY2tmFfcg3wp78P586H7WwE+0fLf7KEuIsWK8/YCpe7Ld/WycQkkJiW7EhbW4+uu
6EKBw1B7ZFDaJJ71UDaXbMECepV/YEnsZgu38vGWZPUfOHbIDS5M0j9Xo7COG7/I
jzs0Ml+G8hAk1cJ5AxjLycyINKHnglrx855/AW1xjO04Da6/NZ5grvCQBNcpLaH5
Y8eUvNVQ6SdBwo9xR8hCTsUe5TpB5Gf4CXNPMdG6f1wDbmRw6hYw4Tbvjjlg8yhO
XS76OURH3AiYTrP7SDVrgOy8tsVtSk1+1zvJ5VFjKbS8N3//XOkSJYSD/MxjN+bb
jwsqK6FEYBS1MiIX/6bYo5j/bVDzp/jZ9ocPB623E9CGwgH0NDrs+5M3la/j+vIq
wjwXpWuwdefVjhvIDYgSZQQRx880RLo31Zr6Vfpas1JXIzDq6uSWAyx23rKmQr9N
ctU1qHNB5CdKDR/zAMjuFvy1o13zTmfo1CrRn9J//Kiy2EnfsKOFssfYs9TgL22k
qdsCXNa0xvXbeLDehQwQvxeWTLyGMJGwPqoTXVv3EhEhrLClB5FOJurwfArd24ze
qvVsKJrADEWvO3a1KHkX4h82qBDGJdQDK5iMajLJeQciYVhT5pHHMdMbmQARAQAB
tDRkZXZlbDpCQ0kgT0JTIFByb2plY3QgPGRldmVsOkJDSUBidWlsZC5vcGVuc3Vz
ZS5vcmc+iQJUBBMBCAA+FiEE4t9p2tF8+S+4jG5wMG+YHbRrR8MFAmQa2Y4CGwMF
CQQesAAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQMG+YHbRrR8NWlRAAmPQ6
0Ac1LDrAD+NJ/Z/7TzLg6dpkC5JNDkwNSoSyfKiN3ow8265mF8XM7502ZCDeOr0p
GDisbOTSdOWI981TQ0MRtRWsBzjHkkl4CuxoGHC0X0Q1wjbKy8BfnfAlmNF/l8PL
Ykm15xndHzE1oIxJ0V5KKA0v4vKJkSNsZ9Ye0IyzICpkWoUfqeg3rnSpwV/MvQTf
2as9mXj8TSAuR47rsWtivljhGnFpTyvvWw30bDItpB5EYlCVjPlj1t2wX/fHkNX6
0Gdkrwhml67pk7v03+ngbKDAPGrcq5EKLaNfL5T5cOx5GzUrjOH7OpqdnR9Lg5Ix
IpcfAfkeY+E+ALMvfyhVmhMRhGMgiv0wTL/H11/K1rvXaVYznoKG0G/7cCuorDBf
ind5PkGJTu+3Fs7N6eQZntVwXoBxkGWb8b6voFv22u55svToTX28pkDVm5EJNZnv
xfFUhX6m+CFdh138aX2LFYQCsF/T8jM4j+ukHTQ+m8F+eRrhqoBjWkvHZ3EionpL
F+1LGdEn25qMej++OkAm6D5dV/yQaP1rjpdHwQEZ6GntVl2ngagoF8zQIJ6rXe15
FvZ9AvL+gta8vxluDTPUK3DIg4jdwFb8WT2R0rOPUaItheOaCXxxcr6wPbHHLHC1
LKPO+oy9938+sUaaC/DEO+vwPOkSwrBw/0htilmJAjMEEwEIAB0WIQTMNcw9NeWj
ZD5UWkPPC5KM3tZPOwUCZBrZkQAKCRDPC5KM3tZPO3QbD/4kEsEW2tBxus+AfT/P
r9B1iiHgOu9e6ixvmEcqF4bU3ykAmo7DH/E+oqW6vx97DnYgKleJJ9IVD6gTyhYJ
7Z+uPoJOWNND94Afiq+R1lobPs9rOpSVT34NmNzNgxdmmz6+z1GLrrVGUihdYSDc
1DmdIu90IFtuaSW8+UaCg41awVtVOOYnPaCoDncbuZD0MDaVDsaN0G9Xj81NFZJu
DG7ljqxg24LC9+iw3LRqaOkWX7SbS0s+PdLTPgnUBfivpOi0rKbB06WsCsigV24B
lyj11nkuOdYAUa48Q3U1yfxIiecYto0O+VPq/M0ICAzTqUg2Bh4Du98EmS+zBhbM
vjAcqC2TRBjyVAtsvWJ0O51d0iWUWsOBVwSoMRWq2iPxh4qRBNFQGLUWtrkNSKh/
ex2LgWbLGZY8XHWUwK2GoHN/uNywqYd/4PgDewDJYWnGB33EaucKkMuBJkoYK2mG
fGkSHjKUHfUp+FWM8QlgxlavNob7ltvTEV8kp88w9MfSfdy6Z9MQ63Z/DvU1KLhO
llCkXgpMXn2dPPjcsE/OWVIVk833q0gWzf3touFhQSHMKtcdXl3bBj/vvzAkE0QV
9vVS3rgOtcGCbAdfdEf+/mpukHkhZGVKMlipnDM/Rd2GZYckP/5UZ/9/CKIS69B5
hLNKnq/uYWnF2uUesgKloRegdg==
=L0Kw
-----END PGP PUBLIC KEY BLOCK-----
EOF
cat << EOF | sudo tee /etc/containers/opensuse_container-2023.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQ5DP8BEADAlEiR9CAOaEjUlwrSlVmdqeqbMOXSDMq5+u/fIFdP4iAc9r5H
6hz/f4Yv/2rBByo6JCZC7xCxPBHNiaNd1DK0WdVbpWGB9n4vH9zzT8Dxf45WK7QN
9l5f+KfSRDnv7e/n32ru2AVlqa9Io7/Ch9IXVeGStjl/6o+Y/7ZinQUnQkGHWK6j
+sjgIxTYesIBcYSXxpdjdw0XHHyyKQiqtDy8oXALWGPJYRwCsTiEECVYzM+a5+6e
d/zRxOKpfF2V+Q1K2mG5LQ+rxGrL3VWNcg3jZjPMQbC4QM8cr2b3mrE2eBEhStF0
iRS5quMLMGzNxocMBJlOz6snSLGvi8Xr3UzMkenufuxotHA/7lcNmo2E2HArR4iP
zLkZe14vLvsMXgM29PkXNgEh+L0QSFapTRUb7ZewBpN1b7P+G4gcYUymMvwaY9XH
AI3jhWKzlyq9uIJINdTTTBB1R6e6CQpeiya371AUCNGCZDqhL63gHVvVgZVMQpf8
NjYuN2m3SOK6SSq1nnMkWE3k2RWc5qHlg38HOoWq4G+SCMSWyC4iff+Ob8rVWuUt
miExYtLOk/hdNH7lRtUdjwKCSIOlYeAK/e7/9GB/fKlu0ZNFBrwpyGVMgfPmCDbX
ZiQhkhE8Bti3btL5HBxYmNljz1nMbECgtEQv6Pgs1bxgDaNaGVslYv723wARAQAB
tERvcGVuU1VTRSBDb250YWluZXIgU2lnbmluZyBLZXkgPGJ1aWxkLWNvbnRhaW5l
ci0yMDIzMDRAb3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBPmGHzlqIRNKhVSYBPxr
ygbWhK/sBQJkOQz/AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
EPxrygbWhK/sAwUP/A803yOTrsE5ppcEAp3yGSeXR3HQo0fIqh+QFJO76W7vF/Ar
eZnxPWL3AOOB+wNccdklZXhQKL4eQ29Ggekp2/RWTyx4BBM//SID+td7KZjZH/KC
Z6kBBy+IzSBQCCIrdDm83agob/Kcp9RJX5A06dgGyGhMxXYpld3mcCjFETHXIb5U
JvsSC+06eEsbwNqH0se2T/5zJ8v9xjcMDC+otLmh3+SjyC/7t8YaKxyqobf2f5nl
GM3ts7UDBQdqxBb0ZRxXsLCdiRrOt6l5imczczi1GA/Dce3KE/V9A2LNifns4eQI
GLVrZ36litKC1+b5AXblLU5ZmJN24IEQj699GCYiPGaZS64IE1eVD8WX+N6vgI+c
BqthN/Z4B3iJ9dBviXvK098/bXjzUVjQubvfT827tO2xnbNE5gzUA5bAZjQLVJm/
b9mZJuKLOJePoqGYvmMVBtLz5xZYH68dncZAf+OQNZ5T7F+M1gfsq8W+FYvm6ILN
Xyh29fY+29H25A7v8WITT/SzpxYJrNRHck8Ua9M0foj2GLIf6FEROJHEZ4+xvu11
XaABkqvjdNluflDP0PXP5fcY9QkMvtlW6cQNzMYZnn7MTb7dxow5ysEGcE0rrKrC
F9zTwOvctMqlu0dndhntKRhdNgm8lKrg1xTJg7EOWQFKeQiWQKdY0Qk9vi3/
=sRjv
-----END PGP PUBLIC KEY BLOCK-----
EOF
cat << EOF | sudo tee /etc/containers/opensuse_container.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.15 (GNU/Linux)
mQENBFrjEWoBCADEJttox1LVpcP2YIsLIO5qKmwfMhyjSQ+L4ETztnFRLKFIlin4
19Tic/llF9ymQr2MxlKlRgdzFZ9ScH1rg52bmWdxy+2TZ8JIsSV4XyfSTZJvM+nX
YGxEQBJrYlcRfC5he0tBGTEwG+hp6kXH563F+XU4uzGUmh1rBhavDsWjeMo9sjaf
sqn66JAJnxJrQOcqjNvazYjppEjFzye/Haqu2r5cnD/bPnMvQEZtpN1jznWkIha2
DdapVZq2b/SmdTMV7zHRqQvhERU2uS4SFLNopyt/cwujj3XTWqCArvQgRTaiHAiL
4HY3lUpDWH9pmxT+yu5f7FINc+prRmvnQ1YpABEBAAG0PW9wZW5TVVNFIENvbnRh
aW5lciBTaWduaW5nIEtleSA8YnVpbGQtY29udGFpbmVyQG9wZW5zdXNlLm9yZz6J
AT4EEwECACgFAlrjEWoCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
AAoJENdUaU+atIzpdt0H/A5j9B7feqTRK49TWIsgKTELG+6ac4WL+uvZs4HmUPgO
Me9fkQvmJtPMGQT3awCSejEHuvq7sMsOOAXJ3loVDNkJWOtkohRyJf6++lvzL24v
ApbzSLfxa1intscyoJ0g8A2V+NzG428cMAzL5Rnf1ckimDkwOgjFBTDqwq1nPFDQ
+01wAenDPLduLAS65+urmMEOIhoBB3Opc5fqPKWU+w8qav8YfYUjaQcAfGeswt+6
m54VXYk8prmCuSfFHq9Yi8T2+VMcIEdHQYOn4nVhzNY9mTzJ4CCGYdLhap4/P8/x
HuiUuVrARHeCoTiQSc1FwjT1QXaU+yYk1SLFi0LaPgQ=
=Klfs
-----END PGP PUBLIC KEY BLOCK-----
EOF
policy_json=$(cat /etc/containers/policy.json)
echo $policy_json | jq '.transports.docker += {"registry.suse.com": [{ "type": "sigstoreSigned", "signedIdentity": {"type": "matchRepository"}, "keyPath": "/etc/containers/suse_container.pem"}]}' | sudo tee /etc/containers/policy.json
cat << EOF | sudo tee /etc/containers/suse_container.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxfZssLE2jeY1swPb5WGe
8C/FWKmIxlGLm9amCNdgheAn8RzuM8slA+TJefAQnrUnC4Qn9ykjQZjH6o2e2ueA
KFdgOdHnlS2d6lETB8dd4O8HYDJx0CEk2SCbAKVuzLbcbP4ug/QDc+Bm8ldxfc+D
GnLVRAt85brSTnfgOHY1PbQ1JAV+ByibbjCZuFmw4gIkMzeiy3M4wJZwblFM4a3s
X2bW/6GWaGz6AMOjCyAPI6shyG5wHZM7OvJJ8lfhXRTZo4Cc5qC0Nyq9Xu3O6DmV
opIajhHc36kdcetmd7TB5OSbQZCLyReAF75LV74y8960+44NptR62hdw1ovCJMfV
mU6m+k/MsN8AIyRFR6dNF9wTOKi67OpPtybiRufCfMvD4VEeoINzEJytToq2XGSc
+hIxtmPOhqDKHH0As113sjTqqo20Ik233x9FFeTFD8Or7ahpqjiv5YCufk9AoQbC
xMIjrK9RkQYgW4RycgvXGASobwN8EE+OsMcyMUER/pdCtQhTQCc1jYLt85VhfEkC
4k9szMB8eZrdV9re/Ku6vnCeXRR5yn2NWKO88U4HfxEpJv5s2uFJi37+x/v9w7Uh
+864W/9NexXg/JFNsvh0Kmxsbi3ZegaouLyrMCHwSA3ByBZ2yCf2VuFPyUCNEZOH
Owi0oc9TgY1yopjsTneyGaMCAwEAAQ==
-----END PUBLIC KEY-----
EOF
- name: Login to registry.suse.com as CI user
run: |
if [ -n "${REGISTRY_LOGIN_PASSWORD}" ]; then
echo $REGISTRY_LOGIN_PASSWORD | docker login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
echo $REGISTRY_LOGIN_PASSWORD | podman login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
fi
env:
REGISTRY_LOGIN_USERNAME: ${{ secrets.REGISTRY_LOGIN_USERNAME }}
REGISTRY_LOGIN_PASSWORD: ${{ secrets.REGISTRY_LOGIN_PASSWORD }}
- name: setup SCC credentials
run: |
sudo install -d -m 755 /etc/zypp/credentials.d
cat << EOF | sudo tee /etc/zypp/credentials.d/SCCcredentials
username=$SCC_SYSTEM_USERNAME
password=$SCC_SYSTEM_PASSWORD
EOF
if: ${{ matrix.testing_target == 'ibs-released' }}
env:
SCC_SYSTEM_USERNAME: ${{ secrets.SCC_SYSTEM_USERNAME }}
SCC_SYSTEM_PASSWORD: ${{ secrets.SCC_SYSTEM_PASSWORD }}
- name: Add /etc/host entries
run: |
# precache dns entries to avoid timeouts in the runs later
for host in index.crates.io proxy.golang.org updates.suse.com registry.suse.com registry.opensuse.org download.opensuse.org cdn.opensuse.org packages.microsoft.com; do
echo -e "$(getent ahostsv4 $host | grep STREAM | cut -d' ' -f1 | head -n 1)\t$host" | sudo tee -a /etc/hosts
done
- name: Run the tests for docker
run: python3 -m tox -e ${{ matrix.toxenv }} -- -n 3 --reruns 3 --durations=25 --durations-min=600.0 --pytest-container-log-level=debug
env:
CONTAINER_RUNTIME: docker
OS_VERSION: ${{ matrix.os_version }}
TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }}
PULL_ALWAYS: 0
- name: Run tests as root for podman
run: |
sudo --preserve-env=CONTAINER_RUNTIME,OS_VERSION,TARGET,PULL_ALWAYS -H $(type -p python3) -m tox -e ${{ matrix.toxenv }} -- -n 3 --reruns 3 --durations=25 --durations-min=600.0 --pytest-container-log-level=debug
env:
CONTAINER_RUNTIME: podman
OS_VERSION: ${{ matrix.os_version }}
TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }}
PULL_ALWAYS: 0