authortpowell-progress <104777878+tpowell-progress@users.noreply.github.com>2022-11-28 09:50:38 -0500
committerGitHub <noreply@github.com>2022-11-28 09:50:38 -0500
commit04176014cf05bd2d0a3670f519ad6d6598eaf533 (patch)
tree8e98049e2fae345c238ada5485f92a17e42bd2b8
parentf0107b6d084a99c75d7c6d84cfd81cad88c89da3 (diff)
downloadchef-04176014cf05bd2d0a3670f519ad6d6598eaf533.tar.gz
Update omnibus-software for FIPS issues (#13375)
* Update omnibus-software for FIPS issues. The new version of omnibus-software should have the disable-dynamicbase option on for all the DLLs involved with openssl for the FIPS build, as well as keying off of the mingw64 "platform" argument to the ./Configure script. Ensure FIPS mode is turned off after the test. Disable all opensuse fips_mode tags, due to the broken FIPS build in rubydistros for OpenSUSE. Signed-off-by: Thomas Powell <powell@progress.com>
-rw-r--r--omnibus/Gemfile.lock4
-rw-r--r--spec/integration/client/fips_spec.rb20
-rw-r--r--spec/spec_helper.rb4
-rw-r--r--spec/support/platform_helpers.rb4
4 files changed, 30 insertions, 2 deletions
diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock
index 69dbee66d4..79f720cbec 100644
--- a/omnibus/Gemfile.lock
+++ b/omnibus/Gemfile.lock
@@ -1,9 +1,9 @@
GIT
remote: https://github.com/chef/omnibus-software.git
- revision: fc901c6446e6354058133b89a29a6ef8e2995b3d
+ revision: 46eb85278c88c508a3b2b370bd2e46b9fa10748f
branch: main
specs:
- omnibus-software (4.0.0)
+ omnibus-software (22.11.249)
omnibus (>= 9.0.0)
GIT
diff --git a/spec/integration/client/fips_spec.rb b/spec/integration/client/fips_spec.rb
new file mode 100644
index 0000000000..1afb7b2874
--- /dev/null
+++ b/spec/integration/client/fips_spec.rb
@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe "chef-client fips" do
+ def enable_fips
+ OpenSSL.fips_mode = true
+ end
+
+ # All tests assume fips mode is off at present
+ after { OpenSSL.fips_mode = false }
+
+ # For non-FIPS OSes/builds of Ruby, enabling FIPS should error
+ example "Error enabling fips_mode if FIPS not linked", fips_mode: false do
+ expect { enable_fips }.to raise_error(OpenSSL::OpenSSLError)
+ end
+
+ # For FIPS OSes/builds of Ruby, enabling FIPS should not error
+ example "Do not error enabling fips_mode if FIPS linked", fips_mode: true do
+ expect { enable_fips }.not_to raise_error
+ end
+end
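Review bot: The positive example (`Do not error enabling fips_mode if FIPS linked`) asserts only that the setter does not raise, so it would still pass if the call returned without the process actually ending up in FIPS mode. Adding `expect(OpenSSL.fips_mode).to be true` after `enable_fips` would pin the resulting state. The `after` hook also forces `OpenSSL.fips_mode = false` instead of restoring the value seen before the example. That is process-wide state, so if the suite is ever run with FIPS already enabled, later specs would run with it off. Capturing the prior value in a `before` hook and assigning it back in `after` avoids that.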
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index bbf52b95fd..1d040b0f1f 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -138,6 +138,10 @@ RSpec.configure do |config|
config.filter_run_excluding skip_buildkite: true if ENV["BUILDKITE"]
+ config.filter_run_excluding fips_mode: !fips_mode_build? unless opensuse?
+ # RubyDistros OpenSUSE docker images have a broken fips
+ config.filter_run_excluding :fips_mode if opensuse?
+
config.filter_run_excluding windows_only: true unless windows?
config.filter_run_excluding not_supported_on_windows: true if windows?
config.filter_run_excluding not_supported_on_macos: true if macos?
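Review bot: On OpenSUSE the line `config.filter_run_excluding :fips_mode if opensuse?` probably does not exclude every tagged example. As far as I know, RSpec expands a bare symbol to `fips_mode: true`, and a `true` filter matches only truthy metadata, so the example tagged `fips_mode: false` would still run against the image the comment calls broken. If the intent is to skip both, a value-independent filter such as `config.filter_run_excluding fips_mode: ->(_v) { true } if opensuse?` would do it. The enclosing `RSpec.configure` block starts and ends outside this hunk.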
diff --git a/spec/support/platform_helpers.rb b/spec/support/platform_helpers.rb
index 6ed0945286..ef7af98bad 100644
--- a/spec/support/platform_helpers.rb
+++ b/spec/support/platform_helpers.rb
@@ -223,6 +223,10 @@ def aes_256_gcm?
OpenSSL::Cipher.ciphers.include?("aes-256-gcm")
end
+def fips_mode_build?
+ OpenSSL::OPENSSL_FIPS
+end
+
def fips?
ENV["CHEF_FIPS"] == "1"
end
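Review bot: `fips_mode_build?` is undocumented and sits directly above `fips?`, so it is easy to confuse "the linked OpenSSL is FIPS-capable" with "Chef was asked to run in FIPS mode". A comment such as `# True when the linked OpenSSL reports itself FIPS-capable (OpenSSL::OPENSSL_FIPS); unlike fips?, says nothing about whether FIPS mode is requested or enabled.` would separate the two. The constant appears to be a build-time capability flag, so it may be true on hosts where `OpenSSL.fips_mode = true` still fails at run time (for example if no FIPS provider is installed). Since this helper decides which `fips_mode:` examples run, that is worth confirming on the target platforms.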