[rhcos-4.18] kola/tests: Add failing test for FIPS & LUKS #4265

Open
wants to merge 1 commit into
base: rhcos-4.18

openshift-cherrypick-robot

This is an automated cherry-pick of #4181

/assign aaradhak

Ensure that setting up a LUKS device with FIPS incompatible algorithms
will fail when FIPS mode is enabled.

Only run this on QEMU as it should behave the same way on all platforms.

openshift-ci bot commented Aug 14, 2025

Hi @openshift-cherrypick-robot. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a new test case to verify that cryptsetup fails with non-FIPS-compliant algorithms when FIPS mode is enabled. The overall approach is sound. I've provided a few suggestions to improve code clarity, maintainability, and resource management in the new test file.

Comment on lines +103 to +119
// Read file and verify if it contains a pattern
// 1. Read file, make sure it exists
// 2. regex for pattern
func fileContainsPattern(path string, searchPattern string) (bool, error) {
file, err := os.ReadFile(path)
if err != nil {
return false, err
}
// File has content, but the pattern is not present
match := regexp.MustCompile(searchPattern).Match(file)
if match {
// Pattern found
return true, nil
}
// Pattern not found
return false, nil
}
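
Review bot: regexp.MustCompile(searchPattern) in fileContainsPattern panics on an invalid pattern even though the function already has an error return. Compile with regexp.Compile and return its error, so that a malformed pattern is reported as a test failure rather than a panic in the harness. If the pattern is a fixed string at every call site, compiling it once at package level would also avoid recompiling on each call.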

medium

The comments in this function are either redundant or incorrect (e.g., line 111). The function body can also be simplified for better readability and maintainability.

// fileContainsPattern reads a file and verifies if it contains a pattern.
func fileContainsPattern(path string, searchPattern string) (bool, error) {
	file, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return regexp.Match(searchPattern, file)
}

Comment on lines +174 to +184
failConfig, err := failConfig.Render(conf.FailWarnings)
if err != nil {
return errors.Wrapf(err, "creating invalid FIPS config")
}

// Create a temporary log file
consoleFile := c.H.TempFile("console-")

// Instruct builder to use it
builder.ConsoleFile = consoleFile.Name()
builder.SetConfig(failConfig)
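
Review bot: errors.Wrapf on the Render error path is called with a constant message and no format arguments. errors.Wrap(err, "creating invalid FIPS config") says the same thing and avoids a vet warning if the message ever gains a literal percent sign.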

medium

There are a couple of improvements that can be made here:

  1. The variable failConfig is shadowed on line 174. The global failConfig is of type conf.UserData, while the new local variable is *conf.Conf. This can be confusing. Consider renaming the local variable to something like renderedConfig to improve clarity.
  2. The temporary file created by c.H.TempFile on line 180 is not being closed, which can lead to a resource leak. You should defer its closing right after creation.

	renderedConfig, err := failConfig.Render(conf.FailWarnings)
	if err != nil {
		return errors.Wrapf(err, "creating invalid FIPS config")
	}

	// Create a temporary log file
	consoleFile := c.H.TempFile("console-")
	defer consoleFile.Close()

	// Instruct builder to use it
	builder.ConsoleFile = consoleFile.Name()
	builder.SetConfig(renderedConfig)

@aaradhak

/ok-to-test
