authorLamont Granquist <lamont@scriptkiddie.org>2016-04-27 10:56:40 -0700
committerLamont Granquist <lamont@scriptkiddie.org>2016-04-27 10:56:40 -0700
commitff3a167bc41163f976ac9244cb60c8c2f6adb9be (patch)
treeaf8aac7006160c4782246e1ba9b5a2ea5e2a3a1e
parent68c9cbc93ed0d7dd995ae7240c1a8075c7d4387a (diff)
parentfae30e6a075977bfad381a22dd979601e350258d (diff)
Merge pull request #4872 from chef/revert-4841-fipfop
Revert "Run in fips mode if node is fips enabled"
-rw-r--r--Gemfile.lock4
-rw-r--r--chef-config/Gemfile2
-rw-r--r--chef-config/lib/chef-config/config.rb29
-rw-r--r--chef-config/spec/unit/config_spec.rb52
-rw-r--r--chef.gemspec2
-rw-r--r--lib/chef/application/client.rb2
-rw-r--r--spec/support/shared/context/client.rb9
7 files changed, 6 insertions, 94 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index f00bf01242..9bdfcb8068 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -33,7 +33,7 @@ PATH
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 2.9, < 4.0)
net-ssh-multi (~> 1.1)
- ohai (~> 8.15)
+ ohai (>= 8.6.0.alpha.1, < 9)
plist (~> 3.2)
proxifier (~> 1.0)
rspec-core (~> 3.4)
@@ -60,7 +60,7 @@ PATH
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 2.9, < 4.0)
net-ssh-multi (~> 1.1)
- ohai (~> 8.15)
+ ohai (>= 8.6.0.alpha.1, < 9)
plist (~> 3.2)
proxifier (~> 1.0)
rspec-core (~> 3.4)
diff --git a/chef-config/Gemfile b/chef-config/Gemfile
index 8f10ee91e6..96ab544690 100644
--- a/chef-config/Gemfile
+++ b/chef-config/Gemfile
@@ -2,5 +2,3 @@ source "https://rubygems.org"
# Specify your gem's dependencies in chef-config.gemspec
gemspec
-
-gem "ohai", "~> 8.15"
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index e5260e4633..e6192c22cb 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -38,8 +38,6 @@ module ChefConfig
extend Mixlib::Config
extend ChefConfig::Mixin::FuzzyHostnameMatcher
- @ohai_mutex = Mutex.new
-
# Evaluates the given string as config.
#
# +filename+ is used for context in stacktraces, but doesn't need to be the name of an actual file.
@@ -515,31 +513,7 @@ module ChefConfig
default :recipe_url, nil
# Set to true if Chef is to set OpenSSL to run in FIPS mode
- default(:fips) do
- !ENV["CHEF_FIPS"].nil? || check_fips_via_ohai
- end
-
- # we want to synchronize this ohai call because ohai is not thread safe
- # if this gets called in a mulithreaded context, each thread's ohai instance
- # will call reset_system while other threads are loading plugins
- # the destructive power of reset_system is scoped to the module and not to the instance
- def self.check_fips_via_ohai
- return @sync_value if defined?(@sync_value)
-
- @ohai_mutex.synchronize do
- return @sync_value if defined?(@sync_value)
- require "ohai"
- o = Ohai::System.new
- o.load_plugins
- begin
- o.require_plugin "fips"
- @sync_value = o[:fips][:kernel][:enabled]
- rescue Ohai::Exceptions::DependencyNotFound
- @sync_value = false
- end
- end
- @sync_value
- end
+ default(:fips) { ENV["CHEF_FIPS"] == "1" }
# Initialize openssl
def self.init_openssl
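Review bot: The restored `default(:fips) { ENV["CHEF_FIPS"] == "1" }` matches only the exact string "1", so `CHEF_FIPS=true` or `CHEF_FIPS=yes` leaves FIPS mode off with no signal, and a host whose kernel is already in FIPS mode has to opt in explicitly; the one-line comment above the default says neither. I would extend that comment to `# Defaults to true only when ENV["CHEF_FIPS"] is exactly "1"; kernel FIPS state is not detected, so FIPS hosts must set it (or pass --fips).` The later hunk in this file (`@@ -992,7 +966,6 @@`) also drops the "FIPS mode is enabled." debug line, so as far as this diff shows nothing records which mode a run actually used; keeping a log line there would let an operator confirm it during an audit. `init_openssl` begins on the last line of this hunk and its body lies outside it.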
@@ -992,7 +966,6 @@ module ChefConfig
Digest.const_set("SHA1", OpenSSL::Digest::SHA1)
OpenSSL::Digest.send(:remove_const, "MD5") if OpenSSL::Digest.const_defined?("MD5")
OpenSSL::Digest.const_set("MD5", Digest::MD5)
- ChefConfig.logger.debug "FIPS mode is enabled."
end
end
end
diff --git a/chef-config/spec/unit/config_spec.rb b/chef-config/spec/unit/config_spec.rb
index 8d0bc8f203..72c0981eca 100644
--- a/chef-config/spec/unit/config_spec.rb
+++ b/chef-config/spec/unit/config_spec.rb
@@ -19,7 +19,6 @@
require "spec_helper"
require "chef-config/config"
-require "ohai"
RSpec.describe ChefConfig::Config do
before(:each) do
@@ -166,57 +165,6 @@ RSpec.describe ChefConfig::Config do
allow(ChefConfig::Config).to receive(:path_accessible?).and_return(false)
end
- describe "ChefConfig::Config[:fips]" do
- let(:fips_ohai) { double("Ohai::System", load_plugins: nil, require_plugin: nil) }
- let(:fips_ohai_data) do
- {
- kernel: {
- enabled: fips_ohai_value,
- },
- }
- end
- let(:fips_ohai_value) { false }
-
- before(:all) do
- @original_env = ENV.to_hash
- end
-
- after(:all) do
- ENV.clear
- ENV.update(@original_env)
- end
-
- before(:each) do
- ENV["CHEF_FIPS"] = nil
- allow(Ohai::System).to receive(:new).and_return(fips_ohai)
- allow(fips_ohai).to receive(:[]).with(:fips).and_return(fips_ohai_data)
- end
-
- it "returns false when no environment is set and ohai flag is disabled" do
- expect(ChefConfig::Config[:fips]).to eq(false)
- ChefConfig::Config.instance_eval { remove_instance_variable(:@sync_value) }
- end
-
- context "when ENV['CHEF_FIPS'] is set" do
- before do
- ENV["CHEF_FIPS"] = "1"
- end
-
- it "returns true" do
- expect(ChefConfig::Config[:fips]).to eq(true)
- end
- end
-
- context "when fips is enabled in ohai data" do
- let(:fips_ohai_value) { true }
-
- it "returns true" do
- expect(ChefConfig::Config[:fips]).to eq(true)
- ChefConfig::Config.instance_eval { remove_instance_variable(:@sync_value) }
- end
- end
- end
-
describe "ChefConfig::Config[:chef_server_root]" do
context "when chef_server_url isn't set manually" do
it "returns the default of 'https://localhost:443'" do
diff --git a/chef.gemspec b/chef.gemspec
index 5dfc2aab49..59367b00f8 100644
--- a/chef.gemspec
+++ b/chef.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
s.add_dependency "mixlib-log", "~> 1.3"
s.add_dependency "mixlib-authentication", "~> 1.4"
s.add_dependency "mixlib-shellout", "~> 2.0"
- s.add_dependency "ohai", "~> 8.15"
+ s.add_dependency "ohai", ">= 8.6.0.alpha.1", "< 9"
s.add_dependency "ffi-yajl", "~> 2.2"
s.add_dependency "net-ssh", ">= 2.9", "< 4.0"
diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index d42ab20033..ac46e533dd 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -280,7 +280,7 @@ class Chef::Application::Client < Chef::Application
:boolean => true
option :fips,
- :long => "--[no-]fips",
+ :long => "--fips",
:description => "Enable fips mode",
:boolean => true
diff --git a/spec/support/shared/context/client.rb b/spec/support/shared/context/client.rb
index 2f127c5cbd..d8676ef168 100644
--- a/spec/support/shared/context/client.rb
+++ b/spec/support/shared/context/client.rb
@@ -16,18 +16,11 @@ shared_context "client" do
:machinename => machinename,
:platform => platform,
:platform_version => platform_version,
- :fips => { :kernel => { :enabled => false } },
}
end
let(:ohai_system) do
- ohai = instance_double(
- "Ohai::System",
- :all_plugins => true,
- :data => ohai_data,
- :load_plugins => nil,
- :require_plugin => nil
- )
+ ohai = instance_double("Ohai::System", :all_plugins => true, :data => ohai_data)
allow(ohai).to receive(:[]) do |k|
ohai_data[k]
end