From 0f13754f84919ce095cd6962e4b369c926738b77 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 10 May 2021 20:50:29 -0400 Subject: [PATCH] Add fips check jobs Some jobs have been modified to run to confirm that functionality is still working when FIPS is enabled on the nodes. As the FIPS tests currently run on centos nodes, code is added to the test-setup script to set up the databases correctly. Also had to increase the swap space on the nodes; see [0] for an explanation. The current FIPS jobs run using python 3.6 on centos-8-stream. We will modify these to run on centos-9-stream and python 3.9 in a subsequent patch. [0] https://review.opendev.org/c/openstack/devstack/+/803706 Change-Id: I060d8247c7b09f63990ea411e6c6a056bb50410d --- .zuul.yaml | 17 +++++++++++++---- playbooks/enable-fips.yaml | 3 +++ tools/test-setup.sh | 28 ++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 playbooks/enable-fips.yaml
diff --git a/.zuul.yaml b/.zuul.yaml
index 80d690c3e9..e600925f85 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -256,16 +256,25 @@
         output_format: raw
 
 - job:
-    name: glance-multistore-cinder-import
+    name: glance-multistore-cinder-import-fips
     parent: tempest-integrated-storage-import
     description: |
-      The regular import workflow job to test with multiple cinder stores
+      The regular import workflow job to test with multiple cinder stores with
+      fips enabled
+    nodeset: devstack-single-node-centos-8-stream
+    pre-run: playbooks/enable-fips.yaml
     vars:
+      configure_swap_size: 4096
       devstack_localrc:
         USE_CINDER_FOR_GLANCE: True
         GLANCE_ENABLE_MULTIPLE_STORES: True
         CINDER_ENABLED_BACKENDS: lvm:lvmdriver-1,lvm:lvmdriver-2
         GLANCE_CINDER_DEFAULT_BACKEND: lvmdriver-1
+      devstack_local_conf:
+        test-config:
+          "$TEMPEST_CONFIG":
+            validation:
+              ssh_key_type: 'ecdsa'
 
 - job:
     name: tempest-integrated-storage-import-standalone
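Review bot: The two new vars that make the FIPS job work, `configure_swap_size: 4096` and `ssh_key_type: 'ecdsa'`, carry no explanation in the file, and the commit message's pointer to the devstack review is lost once this merges; I'd add `# FIPS nodes need extra swap, see https://review.opendev.org/c/openstack/devstack/+/803706` above the swap setting and, above the validation block, a comment such as `# tempest's default ssh key type is not usable under FIPS; use ecdsa` if that is indeed the reason (the hunk does not say). Renaming `glance-multistore-cinder-import` rather than adding a sibling job also means the multistore cinder import workflow is no longer exercised on the default, non-FIPS nodeset; if that is intended, the description should say so, otherwise keep both jobs. The nodeset is pinned to centos-8-stream, which the commit message already flags as temporary, so a `# TODO: move to centos-9-stream / py39` on the nodeset line would keep that visible in the file itself.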
@@ -303,7 +312,7 @@
       - release-notes-jobs-python3
   check:
     jobs:
-      - openstack-tox-functional-py36
+      - openstack-tox-functional-py36-fips
       - openstack-tox-functional-py39
       - glance-tox-functional-py39-rbac-defaults
       - glance-code-constants-check
@@ -327,7 +336,7 @@
           irrelevant-files: *tempest-irrelevant-files
       - tempest-integrated-storage-import-standalone:
           irrelevant-files: *tempest-irrelevant-files
-      - glance-multistore-cinder-import:
+      - glance-multistore-cinder-import-fips:
           irrelevant-files: *tempest-irrelevant-files
       - grenade:
           irrelevant-files: *tempest-irrelevant-files
diff --git a/playbooks/enable-fips.yaml b/playbooks/enable-fips.yaml
new file mode 100644
index 0000000000..bc1dc04ea8
--- /dev/null
+++ b/playbooks/enable-fips.yaml
@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+    - enable-fips
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index 505a58cb70..2d8ed73c10 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
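Review bot: playbooks/enable-fips.yaml applies a role named `enable-fips` that this patch does not add to the repository, so it must be resolved from a shared role library on the job's roles path — presumably the one in zuul-jobs — and nothing in the file says where it comes from or what it does to the node. A short header comment would save the next reader a search, e.g. `# Put the node into FIPS mode before devstack runs (role provided by zuul-jobs, not this repo).`, adjusted to wherever the role actually lives. Since the job wires this in as `pre-run`, and child pre-run playbooks execute after the parent's, it is also worth a note confirming that the parent job's pre-run steps do not depend on the node already being in FIPS mode.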
@@ -15,6 +15,34 @@ DB_ROOT_PW=${MYSQL_ROOT_PW:-insecure_slave}
 DB_USER=openstack_citest
 DB_PW=openstack_citest
+function set_conf_line {
+    # parameters: file regex value
+    # check if the regex occurs in the file
+    # If so, replace with the value.
+    # If not, append the value to the end of the file.
+    sudo sh -c "grep -q -e '$2' $1 && \
+        sed -i 's|$2|$3|g' $1 || \
+        echo '$3' >> $1"
+}
+
+if $(egrep -q "^.*(centos:centos:|cloudlinux:cloudlinux:|redhat:enterprise_linux:)[78].*$" /etc/*release); then
+    # mysql needs to be started on centos/rhel
+    sudo systemctl restart mariadb.service
+
+    # postgres setup for centos
+    # make sure to use scram-sha-256 instead of md5 for fips!
+    sudo postgresql-setup --initdb
+    PG_CONF=/var/lib/pgsql/data/postgresql.conf
+    set_conf_line $PG_CONF '^password_encryption =.*' 'password_encryption = scram-sha-256'
+
+    PG_HBA=/var/lib/pgsql/data/pg_hba.conf
+    set_conf_line $PG_HBA '^local[ \t]*all[ \t]*all.*' 'local all all peer'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*127.0.0.1\/32.*' 'host all all 127.0.0.1/32 scram-sha-256'
+    set_conf_line $PG_HBA '^host[ \t]*all[ \t]*all[ \t]*::1\/128.*' 'host all all ::1/128 scram-sha-256'
+
+    sudo systemctl restart postgresql.service
+fi
+
 sudo -H mysqladmin -u root password $DB_ROOT_PW
 
 # It's best practice to remove anonymous users from the database. If
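Review bot: The `[ \t]*` classes in the three pg_hba.conf regexes are fragile: inside a POSIX bracket expression a backslash is literal, so to my knowledge GNU grep treats that class as "space, backslash or the letter t" rather than "space or tab" (GNU sed recognises `\t` there as an extension, so the grep test and the sed replacement do not even agree), and `*` also lets zero separators match. If a stock pg_hba.conf line happens to be tab-separated, the `grep -q` test fails and `set_conf_line` appends the new rule at the end of the file, where pg_hba's first-match evaluation leaves it shadowed by the original `ident`/`peer` rule it was meant to replace, so the scram-sha-256 requirement would silently not apply; `[[:blank:]][[:blank:]]*` is interpreted identically by grep and sed and requires at least one separator. Two smaller points on the same hunk: `if $(egrep -q ...); then` only works because bash falls back to the exit status of the command substitution when it expands to nothing — `if grep -Eq '...' /etc/*release; then` says what is meant and drops the deprecated `egrep` — and the `grep && sed || echo` chain appends a duplicate line whenever `sed` itself fails instead of surfacing the error. A comment on `set_conf_line` such as `# NOTE: pg_hba.conf is first-match-wins; an appended rule only takes effect if no earlier rule matches` would make the replace-vs-append distinction explicit for the next maintainer.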