Add testing against fips docker image (#2209)

* Add testing against fips docker image

Schedule a weekly run for running a portion of the test suite inside a
fips enabled container image.

Co-authored-by: Trent Mick <[email protected]>

---------

Co-authored-by: Trent Mick <[email protected]>

Author: xrmx

.ci/.matrix_framework_fips.yml

@@ -0,0 +1,23 @@
+# this is a limited list of matrix builds to be used for PRs
+# see .matrix_framework_full.yml for a full list
+FRAMEWORK:
+  - none
+  - django-5.0
+  - flask-3.0
+  - jinja2-3
+  - opentelemetry-newest
+  - opentracing-newest
+  - twisted-newest
+  - celery-5-flask-2
+  - celery-5-django-5
+  - requests-newest
+  - psutil-newest
+  - gevent-newest
+  - aiohttp-newest
+  - tornado-newest
+  - starlette-newest
+  - graphene-2
+  - httpx-newest
+  - httplib2-newest
+  - prometheus_client-newest
+  - sanic-newest

.ci/.matrix_python_fips.yml

@@ -0,0 +1,2 @@
+VERSION:
+  - python-3.12

.github/workflows/test-fips.yml

@@ -0,0 +1,69 @@
+
+# run test suite inside a FIPS 140 container
+name: test-fips
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 4 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  create-matrix:
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: generate
+        uses: elastic/oblt-actions/version-framework@v1
+        with:
+          versions-file: .ci/.matrix_python_fips.yml
+          frameworks-file: .ci/.matrix_framework_fips.yml
+
+  test-fips:
+    needs: create-matrix
+    runs-on: ubuntu-24.04
+    # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
+    # docker run -it --rm --name fipsy docker.elastic.co/wolfi/python-fips:3.12
+    container:
+      image: docker.elastic.co/wolfi/python-fips:3.12-dev
+      options: --user root
+      credentials:
+        username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
+        password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      max-parallel: 10
+      matrix: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: check that python has fips mode enabled
+        run: |
+          python3 -c 'import _hashlib; assert _hashlib.get_fips_mode() == 1'
+      - name: install run_tests.sh requirements
+        run: apk add netcat-openbsd tzdata
+      - name: Run tests
+        run: ./tests/scripts/run_tests.sh
+        env:
+          FRAMEWORK: ${{ matrix.framework }}
+
+  notify-on-failure:
+    if: always()
+    runs-on: ubuntu-24.04
+    needs: test-fips
+    steps:
+      - id: check
+        uses: elastic/oblt-actions/check-dependent-jobs@v1
+        with:
+          jobs: ${{ toJSON(needs) }}
+      - name: Notify in Slack
+        if: steps.check.outputs.status == 'failure'
+        uses: elastic/oblt-actions/slack/notify-result@v1
+        with:
+          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          status: ${{ steps.check.outputs.status }}
+          channel-id: "#apm-agent-python"

tests/config/tests.py

@@ -278,7 +278,10 @@ def test_file_is_readable_validator_not_a_file(tmpdir):
     assert "is not a file" in e.value.args[0]
 
 
-@pytest.mark.skipif(platform.system() == "Windows", reason="os.access() doesn't seem to work as we expect on Windows")
+@pytest.mark.skipif(
+    platform.system() == "Windows" or os.getuid() == 0,
+    reason="os.access() doesn't seem to work as we expect on Windows and test will fail as root user",
+)
 def test_file_is_readable_validator_not_readable(tmpdir):
     p = tmpdir.join("nonreadable")
     p.write("")