Fix encryption config for tests

openSUSE · Jan 23, 2025 · 19659aa · 19659aa
1 parent 8190155
commit 19659aa
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 31 deletions.
diff --git a/doc/ref/configuration/minion.rst b/doc/ref/configuration/minion.rst
@@ -3151,7 +3151,7 @@ constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23
 
 Default: OAEP-SHA1
 
-Then RSA encryption algorithm used by this minion when connecting to the
+The RSA encryption algorithm used by this minion when connecting to the
 master's request channel. Valid values are ``OAEP-SHA1`` and ``OAEP-SHA224``
 
 
@@ -3162,7 +3162,7 @@ master's request channel. Valid values are ``OAEP-SHA1`` and ``OAEP-SHA224``
 
 Default: PKCS1v15-SHA1
 
-Then RSA signing algorithm used by this minion when connecting to the
+The RSA signing algorithm used by this minion when connecting to the
 master's request channel. Valid values are ``PKCS1v15-SHA1`` and
 ``PKCS1v15-SHA224``
 

diff --git a/salt/crypt.py b/salt/crypt.py
@@ -305,21 +305,10 @@ def _get_key_with_evict(path, timestamp, passphrase):
     else:
         password = None
     with salt.utils.files.fopen(path, "rb") as f:
-        try:
-            return serialization.load_pem_private_key(
-                f.read(),
-                password=password,
-            )
-        except BaseException as exc:
-            log.error("Exception is %r", exc)
-            if (
-                exc.__class__.__module__ == "pyo3_runtime"
-                and exc.__class__.__name__ == "PanicException"
-            ):
-                if 'reason: "unsupported"' in exc.args[0]:
-                    log.error("Unsupported key")
-                    raise InvalidKeyError("Unsupported encryption algorithm")
-            raise
+        return serialization.load_pem_private_key(
+            f.read(),
+            password=password,
+        )
 
 
 def get_rsa_key(path, passphrase):

diff --git a/salt/transport/zeromq.py b/salt/transport/zeromq.py
@@ -772,7 +772,6 @@ def on_recv(packages):
             try:
                 for package in packages:
                     payload = salt.payload.loads(package)
-                    log.error("on recv")
                     yield publish_payload(payload)
             except Exception as exc:  # pylint: disable=broad-except
                 log.error(

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -1285,8 +1285,8 @@ def salt_minion_factory(salt_master_factory):
         "file_roots": salt_master_factory.config["file_roots"].copy(),
         "pillar_roots": salt_master_factory.config["pillar_roots"].copy(),
         "fips_mode": FIPS_TESTRUN,
-        "rsa_encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
-        "rsa_signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
     }
 
     virtualenv_binary = get_virtualenv_binary_path()
@@ -1319,8 +1319,8 @@ def salt_sub_minion_factory(salt_master_factory):
         "file_roots": salt_master_factory.config["file_roots"].copy(),
         "pillar_roots": salt_master_factory.config["pillar_roots"].copy(),
         "fips_mode": FIPS_TESTRUN,
-        "rsa_encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
-        "rsa_signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
     }
 
     virtualenv_binary = get_virtualenv_binary_path()

diff --git a/tests/pytests/conftest.py b/tests/pytests/conftest.py
@@ -343,8 +343,8 @@ def salt_minion_factory(salt_master_factory, salt_minion_id, sdb_etcd_port, vaul
         "file_roots": salt_master_factory.config["file_roots"].copy(),
         "pillar_roots": salt_master_factory.config["pillar_roots"].copy(),
         "fips_mode": FIPS_TESTRUN,
-        "rsa_encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
-        "rsa_signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
     }
 
     virtualenv_binary = get_virtualenv_binary_path()
@@ -376,8 +376,8 @@ def salt_sub_minion_factory(salt_master_factory, salt_sub_minion_id):
         "file_roots": salt_master_factory.config["file_roots"].copy(),
         "pillar_roots": salt_master_factory.config["pillar_roots"].copy(),
         "fips_mode": FIPS_TESTRUN,
-        "rsa_encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
-        "rsa_signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
     }
 
     virtualenv_binary = get_virtualenv_binary_path()

diff --git a/tests/pytests/functional/transport/server/conftest.py b/tests/pytests/functional/transport/server/conftest.py
@@ -1,6 +1,8 @@
 import pytest
 from saltfactories.utils import random_string
 
+from tests.conftest import FIPS_TESTRUN
+
 
 def transport_ids(value):
     return "Transport({})".format(value)
@@ -37,6 +39,9 @@ def salt_minion(salt_master, transport):
         "auth_timeout": 5,
         "auth_tries": 1,
         "master_uri": "tcp://127.0.0.1:{}".format(salt_master.config["ret_port"]),
+        "fips_mode": FIPS_TESTRUN,
+        "encryption_algorithm": "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1",
+        "signing_algorithm": "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1",
     }
     factory = salt_master.salt_minion_daemon(
         random_string("server-{}-minion-".format(transport)),

diff --git a/tests/pytests/functional/transport/server/test_req_channel.py b/tests/pytests/functional/transport/server/test_req_channel.py
@@ -29,6 +29,7 @@
 
 
 class ReqServerChannelProcess(salt.utils.process.SignalHandlingProcess):
+
     def __init__(self, config, req_channel_crypt):
         super().__init__()
         self._closing = False
@@ -102,6 +103,7 @@ def _handle_payload(self, payload):
 
 @pytest.fixture
 def req_server_channel(salt_master, req_channel_crypt):
+    print(f"master pub {salt_master.config['publish_signing_algorithm']}")
     req_server_channel_process = ReqServerChannelProcess(
         salt_master.config.copy(), req_channel_crypt
     )
@@ -124,7 +126,8 @@ def req_channel_crypt(request):
 
 
 @pytest.fixture
-def req_channel(req_server_channel, salt_minion, req_channel_crypt):
+def push_channel(req_server_channel, salt_minion, req_channel_crypt):
+    print(f"minion encryption {salt_minion.config['encryption_algorithm']}")
     with salt.channel.client.ReqChannel.factory(
         salt_minion.config, crypt=req_channel_crypt
     ) as _req_channel:

diff --git a/tests/pytests/unit/cloud/clouds/test_ec2.py b/tests/pytests/unit/cloud/clouds/test_ec2.py
@@ -189,9 +189,7 @@ def test__validate_key_path_and_mode():
             ec2._validate_key_path_and_mode("key_file")
 
 
-@pytest.mark.skipif(
-    not salt.crypt.HAS_CRYPTOGRAPHY, reason="Needs crypto library"
-)
+@pytest.mark.skipif(not salt.crypt.HAS_CRYPTOGRAPHY, reason="Needs crypto library")
 def test_get_password_data(tmp_path):
     key_file = str(tmp_path / "keyfile.pem")
 

diff --git a/tests/pytests/unit/conftest.py b/tests/pytests/unit/conftest.py
@@ -10,7 +10,6 @@ def minion_opts(tmp_path):
     """
     Default minion configuration with relative temporary paths to not require root permissions.
     """
-    print(f"WTF {FIPS_TESTRUN}")
     root_dir = tmp_path / "minion"
     opts = salt.config.DEFAULT_MINION_OPTS.copy()
     opts["__role"] = "minion"