authorKartik Null Cating-Subramanian <ksubramanian@chef.io>2015-12-17 18:19:31 -0500
committerKartik Null Cating-Subramanian <ksubramanian@chef.io>2015-12-17 18:19:31 -0500
commitd4b0d6dacba258595b85ea0e8f3b194abd471f23 (patch)
treef7fb0ccc5c857b453be42f19b43b8b6ae9b67f70
parent84a1f4e7732342a48a4452dcd50e583713922f9e (diff)
parent436963262fe55ca41cc44845262f735f67e4d573 (diff)
downloadchef-d4b0d6dacba258595b85ea0e8f3b194abd471f23.tar.gz
Merge pull request #561 from chef/jdm/fips
Configure the new chef-fips pipeline to build using Jay's assets.
-rw-r--r--Gemfile.lock16
-rw-r--r--config/projects/chef-fips.rb9
-rw-r--r--config/projects/chef.rb2
-rw-r--r--config/software/openssl-customization.rb52
-rwxr-xr-xjenkins/verify-chef.bat2
5 files changed, 56 insertions, 25 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 43bd7a7f3b..56011237d1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,12 @@
GIT
remote: git://github.com/chef/omnibus-software.git
- revision: f71279049f48ba6e1e50ec746f04d6ea8cdad361
+ revision: 6f395a4eaf9dea8f74d1bbb822829f7380f50672
specs:
omnibus-software (4.0.0)
GIT
remote: git://github.com/chef/omnibus.git
- revision: 57b23680d9a006b56ad637bf45bf4e9c69a0e764
+ revision: 58f4b2622adc524aa7bd8a369938a0ea44aaf3aa
specs:
omnibus (5.0.0)
aws-sdk (~> 2)
@@ -22,12 +22,12 @@ GEM
remote: https://rubygems.org/
specs:
addressable (2.3.8)
- aws-sdk (2.2.5)
- aws-sdk-resources (= 2.2.5)
- aws-sdk-core (2.2.5)
+ aws-sdk (2.2.6)
+ aws-sdk-resources (= 2.2.6)
+ aws-sdk-core (2.2.6)
jmespath (~> 1.0)
- aws-sdk-resources (2.2.5)
- aws-sdk-core (= 2.2.5)
+ aws-sdk-resources (2.2.6)
+ aws-sdk-core (= 2.2.6)
berkshelf (3.2.4)
addressable (~> 2.3.4)
berkshelf-api-client (~> 1.2)
@@ -171,7 +171,7 @@ GEM
varia_model (0.4.0)
buff-extensions (~> 1.0)
hashie (>= 2.0.2, < 3.0.0)
- win32-process (0.8.2)
+ win32-process (0.8.3)
ffi (>= 1.0.0)
winrm (1.3.3)
builder (>= 2.1.2)
diff --git a/config/projects/chef-fips.rb b/config/projects/chef-fips.rb
index 6461a79ae5..32bbbc9c48 100644
--- a/config/projects/chef-fips.rb
+++ b/config/projects/chef-fips.rb
@@ -22,7 +22,7 @@ chef_project_contents = IO.read(File.expand_path('../chef.rb', __FILE__))
self.instance_eval chef_project_contents
name "chef-fips"
-friendly_name "Chef Client with FIPS"
+friendly_name "Chef Client with FIPS OpenSSL"
if windows?
# NOTE: Ruby DevKit fundamentally CANNOT be installed into "Program Files"
@@ -34,6 +34,13 @@ else
install_dir "#{default_root}/#{name}"
end
+# Global FIPS override flag.
+override :fips, enabled: true
+override :'ruby-windows', version: "2.0.0-p647"
+
+override :chef, version: "jdm/1.3-fips"
+override :ohai, version: "master"
+
msi_upgrade_code = "819F5DB3-B818-4358-BB2B-54B8171D0A26"
project_location_dir = "chef-fips"
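Review bot: The new `override :chef, version: "jdm/1.3-fips"` and `override :ohai, version: "master"` lines appear to name moving branches rather than fixed revisions, so two builds of the same omnibus commit can package different code. For an artifact labelled as the FIPS build, that makes it hard to state exactly what shipped or to reproduce a build during an audit. Consider pinning both to a tag or full commit SHA, e.g. `override :ohai, version: "<commit-sha>"`, and bumping them deliberately, as the `ruby-windows` override in the same hunk already does with a fixed version.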
diff --git a/config/projects/chef.rb b/config/projects/chef.rb
index 449fcf0aac..c1d1dd2c40 100644
--- a/config/projects/chef.rb
+++ b/config/projects/chef.rb
@@ -32,7 +32,7 @@ else
install_dir "#{default_root}/#{name}"
end
-override :bundler, version: "1.10.7.depsolverfix.0"
+override :bundler, version: "1.10.6"
override :ruby, version: "2.1.6"
override :'ruby-windows', version: "2.0.0-p645"
diff --git a/config/software/openssl-customization.rb b/config/software/openssl-customization.rb
index bda1bcc38c..8af23e12fd 100644
--- a/config/software/openssl-customization.rb
+++ b/config/software/openssl-customization.rb
@@ -29,25 +29,39 @@ else
dependency "rubygems"
end
-build do
- if windows?
- block "Add OpenSSL customization file" do
- # gets directories for RbConfig::CONFIG and sanitizes them.
- def get_sanitized_rbconfig(config)
- ruby = windows_safe_path("#{install_dir}/embedded/bin/ruby")
+fips_enabled = (project.overrides[:fips] && project.overrides[:fips][:enabled]) || false
- config_dir = Bundler.with_clean_env do
- command_output = %x|#{ruby} -rrbconfig -e "puts RbConfig::CONFIG['#{config}']"|.strip
- windows_safe_path(command_output)
- end
+build do
+ block "Add OpenSSL customization file" do
+ # gets directories for RbConfig::CONFIG and sanitizes them.
+ def get_sanitized_rbconfig(config)
+ ruby = windows_safe_path("#{install_dir}/embedded/bin/ruby")
- if config_dir.nil? || config_dir.empty?
- raise "could not determine embedded ruby's RbConfig::CONFIG['#{config}']"
- end
+ config_dir = Bundler.with_clean_env do
+ command_output = %x|#{ruby} -rrbconfig -e "puts RbConfig::CONFIG['#{config}']"|.strip
+ windows_safe_path(command_output)
+ end
- config_dir
+ if config_dir.nil? || config_dir.empty?
+ raise "could not determine embedded ruby's RbConfig::CONFIG['#{config}']"
end
+ config_dir
+ end
+
+ fips_additions = [
+ "OpenSSL.fips_mode = true",
+ "require 'digest'",
+ "require 'digest/sha1'",
+ "Digest::SHA1 = OpenSSL::Digest::SHA1",
+
+ "require 'digest/md5'",
+ "# We're going to use the ruby md5 implementation for now",
+ "# This will be removed once all our MD5 uses are removed",
+ "OpenSSL::Digest::MD5 = Digest::MD5",
+ ].join("\n")
+
+ if windows?
embedded_ruby_site_dir = get_sanitized_rbconfig('sitelibdir')
embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir')
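Review bot: In `fips_additions`, the line `OpenSSL::Digest::MD5 = Digest::MD5` swaps OpenSSL's MD5 class for what the embedded comment calls the Ruby implementation, so callers asking OpenSSL for MD5 keep working while `OpenSSL.fips_mode` is set to true. That is a deliberate exception to the FIPS boundary, yet it is documented only inside a string that gets appended to openssl.rb; the recipe itself has no comment or tracking reference for it. I would add a comment above the array such as `# FIPS exception: MD5 is served outside the OpenSSL FIPS module until <tracking-issue>; remove with the last MD5 caller`. Both constant reassignments will also likely emit "already initialized constant" warnings each time openssl.rb loads, which is worth confirming on a test build. The `build do` block continues past this hunk.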
@@ -65,6 +79,16 @@ build do
f.rewind
f.write("\nrequire 'ssl_env_hack'\n")
f.write(unpatched_openssl_rb)
+ f.write(fips_additions) if fips_enabled
+ end
+ else
+ embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir')
+ source_openssl_rb = File.join(embedded_ruby_lib_dir, "openssl.rb")
+ File.open(source_openssl_rb, "r+") do |f|
+ unpatched_openssl_rb = f.read
+ f.rewind
+ f.write(unpatched_openssl_rb)
+ f.write(fips_additions) if fips_enabled
end
end
end
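Review bot: Both added `f.write(fips_additions) if fips_enabled` calls append directly after the existing file body, with no separating newline and no check for an earlier run. A rebuild over an already patched openssl.rb would append the FIPS lines again, and a file lacking a trailing newline would fuse its last line with `OpenSSL.fips_mode = true`. Writing `f.write("\n#{fips_additions}\n")` and skipping the write when `unpatched_openssl_rb.include?("OpenSSL.fips_mode = true")` would cover both cases. The new `else` branch also rewrites openssl.rb with identical content when `fips_enabled` is false; guarding that branch with `if fips_enabled` avoids touching the file at all. The Windows `File.open` block starts outside this hunk.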
diff --git a/jenkins/verify-chef.bat b/jenkins/verify-chef.bat
index dae00208e6..1c159f0668 100755
--- a/jenkins/verify-chef.bat
+++ b/jenkins/verify-chef.bat
@@ -52,5 +52,5 @@ IF "%PIPELINE_NAME%" == "chef-13" (
call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional
) ELSE (
REM ; Running unit tests
- call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit
+ call bundle exec rspec -r rspec_junit_formatter -f RspecJunitFormatter -o %WORKSPACE%\test.xml -f documentation spec/unit spec/functional
)
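Review bot: After this change the `ELSE` branch runs the same rspec command as the branch above it, so as far as the hunk shows the `IF "%PIPELINE_NAME%" == "chef-13"` test no longer selects anything. The `REM ; Running unit tests` remark is also inaccurate now that functional specs run in this branch too. Either collapse the conditional into a single `call bundle exec rspec ...` line or update the remark to `REM ; Running unit and functional tests`. The `IF` statement itself opens outside the visible hunk lines.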