author | Kartik Null Cating-Subramanian <ksubramanian@chef.io> | 2015-12-17 18:19:31 -0500 |
---|---|---|
committer | Kartik Null Cating-Subramanian <ksubramanian@chef.io> | 2015-12-17 18:19:31 -0500 |
commit | d4b0d6dacba258595b85ea0e8f3b194abd471f23 (patch) | |
tree | f7fb0ccc5c857b453be42f19b43b8b6ae9b67f70 | |
parent | 84a1f4e7732342a48a4452dcd50e583713922f9e (diff) | |
parent | 436963262fe55ca41cc44845262f735f67e4d573 (diff) | |
download | chef-d4b0d6dacba258595b85ea0e8f3b194abd471f23.tar.gz |
Merge pull request #561 from chef/jdm/fips
Configure the new chef-fips pipeline to build using Jay's assets.
-rw-r--r-- | Gemfile.lock | 16 | ||||
-rw-r--r-- | config/projects/chef-fips.rb | 9 | ||||
-rw-r--r-- | config/projects/chef.rb | 2 | ||||
-rw-r--r-- | config/software/openssl-customization.rb | 52 | ||||
-rwxr-xr-x | jenkins/verify-chef.bat | 2 |
5 files changed, 56 insertions, 25 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 43bd7a7f3b..56011237d1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,12 @@ GIT remote: git://github.com/chef/omnibus-software.git - revision: f71279049f48ba6e1e50ec746f04d6ea8cdad361 + revision: 6f395a4eaf9dea8f74d1bbb822829f7380f50672 specs: omnibus-software (4.0.0) GIT remote: git://github.com/chef/omnibus.git - revision: 57b23680d9a006b56ad637bf45bf4e9c69a0e764 + revision: 58f4b2622adc524aa7bd8a369938a0ea44aaf3aa specs: omnibus (5.0.0) aws-sdk (~> 2)
@@ -22,12 +22,12 @@ GEM remote: https://rubygems.org/ specs: addressable (2.3.8) - aws-sdk (2.2.5) - aws-sdk-resources (= 2.2.5) - aws-sdk-core (2.2.5) + aws-sdk (2.2.6) + aws-sdk-resources (= 2.2.6) + aws-sdk-core (2.2.6) jmespath (~> 1.0) - aws-sdk-resources (2.2.5) - aws-sdk-core (= 2.2.5) + aws-sdk-resources (2.2.6) + aws-sdk-core (= 2.2.6) berkshelf (3.2.4) addressable (~> 2.3.4) berkshelf-api-client (~> 1.2)
@@ -171,7 +171,7 @@ GEM varia_model (0.4.0) buff-extensions (~> 1.0) hashie (>= 2.0.2, < 3.0.0) - win32-process (0.8.2) + win32-process (0.8.3) ffi (>= 1.0.0) winrm (1.3.3) builder (>= 2.1.2)
diff --git a/config/projects/chef-fips.rb b/config/projects/chef-fips.rb
index 6461a79ae5..32bbbc9c48 100644
--- a/config/projects/chef-fips.rb
+++ b/config/projects/chef-fips.rb
@@ -22,7 +22,7 @@ chef_project_contents = IO.read(File.expand_path('../chef.rb', __FILE__)) self.instance_eval chef_project_contents name "chef-fips" -friendly_name "Chef Client with FIPS" +friendly_name "Chef Client with FIPS OpenSSL" if windows? # NOTE: Ruby DevKit fundamentally CANNOT be installed into "Program Files"
@@ -34,6 +34,13 @@ else install_dir "#{default_root}/#{name}" end +# Global FIPS override flag. +override :fips, enabled: true +override :'ruby-windows', version: "2.0.0-p647" + +override :chef, version: "jdm/1.3-fips" +override :ohai, version: "master" + msi_upgrade_code = "819F5DB3-B818-4358-BB2B-54B8171D0A26" project_location_dir = "chef-fips"
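Review bot: In the second hunk of config/projects/chef-fips.rb, `override :chef, version: "jdm/1.3-fips"` and `override :ohai, version: "master"` name branches rather than fixed revisions, so two builds of the same omnibus commit can package different code and the shipped FIPS artifact cannot be traced back to a reviewed source tree. Assuming these values are resolved as git refs by the software definitions (not visible here), prefer a tag or a full commit SHA, e.g. `override :ohai, version: "<ohai-commit-sha>"`. If the feature branch has to stay for now, record that next to it with a comment such as `# TODO: replace the jdm/1.3-fips feature branch with a released tag before shipping`.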
diff --git a/config/projects/chef.rb b/config/projects/chef.rb
index 449fcf0aac..c1d1dd2c40 100644
--- a/config/projects/chef.rb
+++ b/config/projects/chef.rb
@@ -32,7 +32,7 @@ else install_dir "#{default_root}/#{name}" end -override :bundler, version: "1.10.7.depsolverfix.0" +override :bundler, version: "1.10.6" override :ruby, version: "2.1.6" override :'ruby-windows', version: "2.0.0-p645"
diff --git a/config/software/openssl-customization.rb b/config/software/openssl-customization.rb
index bda1bcc38c..8af23e12fd 100644
--- a/config/software/openssl-customization.rb
+++ b/config/software/openssl-customization.rb
@@ -29,25 +29,39 @@ else dependency "rubygems" end -build do - if windows? - block "Add OpenSSL customization file" do - # gets directories for RbConfig::CONFIG and sanitizes them. - def get_sanitized_rbconfig(config) - ruby = windows_safe_path("#{install_dir}/embedded/bin/ruby") +fips_enabled = (project.overrides[:fips] && project.overrides[:fips][:enabled]) || false - config_dir = Bundler.with_clean_env do - command_output = %x|#{ruby} -rrbconfig -e "puts RbConfig::CONFIG['#{config}']"|.strip - windows_safe_path(command_output) - end +build do + block "Add OpenSSL customization file" do + # gets directories for RbConfig::CONFIG and sanitizes them. + def get_sanitized_rbconfig(config) + ruby = windows_safe_path("#{install_dir}/embedded/bin/ruby") - if config_dir.nil? || config_dir.empty? - raise "could not determine embedded ruby's RbConfig::CONFIG['#{config}']" - end + config_dir = Bundler.with_clean_env do + command_output = %x|#{ruby} -rrbconfig -e "puts RbConfig::CONFIG['#{config}']"|.strip + windows_safe_path(command_output) + end - config_dir + if config_dir.nil? || config_dir.empty? + raise "could not determine embedded ruby's RbConfig::CONFIG['#{config}']" end + config_dir + end + + fips_additions = [ + "OpenSSL.fips_mode = true", + "require 'digest'", + "require 'digest/sha1'", + "Digest::SHA1 = OpenSSL::Digest::SHA1", + + "require 'digest/md5'", + "# We're going to use the ruby md5 implementation for now", + "# This will be removed once all our MD5 uses are removed", + "OpenSSL::Digest::MD5 = Digest::MD5", + ].join("\n") + + if windows? embedded_ruby_site_dir = get_sanitized_rbconfig('sitelibdir') embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir') 
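Review bot: The last entry of `fips_additions`, `OpenSSL::Digest::MD5 = Digest::MD5`, sends MD5 requests made through that OpenSSL constant to Ruby's own implementation, so a package that sets `OpenSSL.fips_mode = true` still computes MD5 outside the validated module and the caller never sees an error. The in-string comment calls this temporary; the generated openssl.rb should state the exception more plainly, e.g. `"# FIPS exception: MD5 below is NOT served by the validated OpenSSL module; non-security use only"`, so that whoever attests to the build's FIPS status can find it. Both assignments (`Digest::SHA1 = ...` and `OpenSSL::Digest::MD5 = ...`) redefine constants that already exist after the preceding requires, which Ruby reports as an "already initialized constant" warning on every load, and they presumably do not cover lookups by name such as `OpenSSL::Digest.new('md5')`. The `build do` block continues past the end of this hunk.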
@@ -65,6 +79,16 @@ build do f.rewind f.write("\nrequire 'ssl_env_hack'\n") f.write(unpatched_openssl_rb) + f.write(fips_additions) if fips_enabled + end + else + embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir') + source_openssl_rb = File.join(embedded_ruby_lib_dir, "openssl.rb") + File.open(source_openssl_rb, "r+") do |f| + unpatched_openssl_rb = f.read + f.rewind + f.write(unpatched_openssl_rb) + f.write(fips_additions) if fips_enabled end end end
diff --git a/jenkins/verify-chef.bat b/jenkins/verify-chef.bat
index dae00208e6..1c159f0668 100755
--- a/jenkins/verify-chef.bat
+++ b/jenkins/verify-chef.bat
@@ -52,5 +52,5 @@ IF "%PIPELINE_NAME%" == "chef-13" ( call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional ) ELSE ( REM ; Running unit tests - call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit + call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional ) |
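Review bot: The new non-Windows branch is not idempotent: it opens the embedded `openssl.rb` with `"r+"`, writes its own content back and then appends `fips_additions`, so if the block runs again against an already patched install directory (whether omnibus can do that is not visible here) the FIPS lines are appended a second time. When `fips_enabled` is false the branch rewrites the file for no effect. Changing `else` to `elsif fips_enabled` and guarding the append with `next if unpatched_openssl_rb.include?("OpenSSL.fips_mode = true")` would address both. `fips_additions` also has no leading or trailing newline, so writing `"\n#{fips_additions}\n"` keeps it from being glued onto the file's last line. The Windows branch that this hunk extends starts outside the hunk.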
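Review bot: As far as this hunk shows, the `IF "%PIPELINE_NAME%" == "chef-13"` branch and the `ELSE` branch now run the identical rspec command, so the conditional no longer selects anything and `REM ; Running unit tests` under-describes what the ELSE branch runs. Either collapse the two branches into one `call bundle exec rspec ... spec/unit spec/functional`, or update the comment to `REM ; Running unit and functional tests`. The IF block may begin before the hunk.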