authorMatt Wrock <matt@mattwrock.com>2016-04-25 14:01:51 -0700
committerMatt Wrock <matt@mattwrock.com>2016-04-25 14:01:51 -0700
commitc05e43b0d7a1b594843fda9296bd494b302fd184 (patch)
tree7e4a7ec9e736e13eb355c0aad2878776b0da150d
parent7edd6a4aec64ea23fc01cd711a537aab4b6eaad7 (diff)
parentde243172e1b47afbc0873769d637caf7d4199114 (diff)
downloadchef-c05e43b0d7a1b594843fda9296bd494b302fd184.tar.gz
Merge pull request #4841 from chef/fipfop
Run in fips mode if node is fips enabled
-rw-r--r--Gemfile.lock4
-rw-r--r--chef-config/Gemfile2
-rw-r--r--chef-config/lib/chef-config/config.rb29
-rw-r--r--chef-config/spec/unit/config_spec.rb52
-rw-r--r--chef.gemspec2
-rw-r--r--lib/chef/application/client.rb2
-rw-r--r--spec/support/shared/context/client.rb9
7 files changed, 94 insertions, 6 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 9833cb3ee1..8987ff0681 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -33,7 +33,7 @@ PATH
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 2.9, < 4.0)
net-ssh-multi (~> 1.1)
- ohai (>= 8.6.0.alpha.1, < 9)
+ ohai (~> 8.15)
plist (~> 3.2)
proxifier (~> 1.0)
rspec-core (~> 3.4)
@@ -60,7 +60,7 @@ PATH
net-sftp (~> 2.1, >= 2.1.2)
net-ssh (>= 2.9, < 4.0)
net-ssh-multi (~> 1.1)
- ohai (>= 8.6.0.alpha.1, < 9)
+ ohai (~> 8.15)
plist (~> 3.2)
proxifier (~> 1.0)
rspec-core (~> 3.4)
diff --git a/chef-config/Gemfile b/chef-config/Gemfile
index 96ab544690..8f10ee91e6 100644
--- a/chef-config/Gemfile
+++ b/chef-config/Gemfile
@@ -2,3 +2,5 @@ source "https://rubygems.org"
# Specify your gem's dependencies in chef-config.gemspec
gemspec
+
+gem "ohai", "~> 8.15"
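Review bot: ohai is declared only in chef-config's Gemfile, while the new check_fips_via_ohai in config.rb does `require "ohai"` at runtime, so anyone installing chef-config on its own (the comment on line 2 points at the gemspec as the place for gem dependencies) would get a LoadError that the `rescue Ohai::Exceptions::DependencyNotFound` in that method does not cover. The chef-config gemspec is not visible here; if ohai cannot be declared there, the method should rescue LoadError explicitly and the Gemfile entry should carry a comment saying why the dependency lives here rather than in the gemspec.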
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index bea357dad6..bbdfdd74dc 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -38,6 +38,8 @@ module ChefConfig
extend Mixlib::Config
extend ChefConfig::Mixin::FuzzyHostnameMatcher
+ @ohai_mutex = Mutex.new
+
# Evaluates the given string as config.
#
# +filename+ is used for context in stacktraces, but doesn't need to be the name of an actual file.
@@ -513,7 +515,31 @@ module ChefConfig
default :recipe_url, nil
# Set to true if Chef is to set OpenSSL to run in FIPS mode
- default(:fips) { ENV["CHEF_FIPS"] == "1" }
+ default(:fips) do
+ !ENV["CHEF_FIPS"].nil? || check_fips_via_ohai
+ end
+
+ # we want to synchronize this ohai call because ohai is not thread safe
+ # if this gets called in a mulithreaded context, each thread's ohai instance
+ # will call reset_system while other threads are loading plugins
+ # the destructive power of reset_system is scoped to the module and not to the instance
+ def self.check_fips_via_ohai
+ return @sync_value if defined?(@sync_value)
+
+ @ohai_mutex.synchronize do
+ return @sync_value if defined?(@sync_value)
+ require "ohai"
+ o = Ohai::System.new
+ o.load_plugins
+ begin
+ o.require_plugin "fips"
+ @sync_value = o[:fips][:kernel][:enabled]
+ rescue Ohai::Exceptions::DependencyNotFound
+ @sync_value = false
+ end
+ end
+ @sync_value
+ end
# Initialize openssl
def self.init_openssl
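Review bot: The new default turns FIPS on for any value of CHEF_FIPS, because `!ENV["CHEF_FIPS"].nil?` is true for `CHEF_FIPS=0` or an empty string, whereas the removed line required exactly `"1"`; an operator exporting `CHEF_FIPS=0` to opt out would get FIPS mode enabled instead. Keep the explicit comparison: `default(:fips) { ENV["CHEF_FIPS"] == "1" || check_fips_via_ohai }`. Inside check_fips_via_ohai, `o[:fips][:kernel][:enabled]` raises NoMethodError if the plugin loads but leaves `o[:fips]` or `o[:fips][:kernel]` unset, which the rescue for DependencyNotFound does not handle; a guard such as `@sync_value = !!(o[:fips] && o[:fips][:kernel] && o[:fips][:kernel][:enabled])` avoids that and also normalizes the cached value to a boolean. The comment above the method should also state that the answer is cached in `@sync_value` for the life of the process and never re-evaluated. init_openssl's body continues outside the hunk.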
@@ -962,6 +988,7 @@ module ChefConfig
require "digest/md5"
Digest.const_set("SHA1", OpenSSL::Digest::SHA1)
OpenSSL::Digest.const_set("MD5", Digest::MD5)
+ ChefConfig.logger.debug "FIPS mode is enabled."
end
end
end
diff --git a/chef-config/spec/unit/config_spec.rb b/chef-config/spec/unit/config_spec.rb
index 72c0981eca..8d0bc8f203 100644
--- a/chef-config/spec/unit/config_spec.rb
+++ b/chef-config/spec/unit/config_spec.rb
@@ -19,6 +19,7 @@
require "spec_helper"
require "chef-config/config"
+require "ohai"
RSpec.describe ChefConfig::Config do
before(:each) do
@@ -165,6 +166,57 @@ RSpec.describe ChefConfig::Config do
allow(ChefConfig::Config).to receive(:path_accessible?).and_return(false)
end
+ describe "ChefConfig::Config[:fips]" do
+ let(:fips_ohai) { double("Ohai::System", load_plugins: nil, require_plugin: nil) }
+ let(:fips_ohai_data) do
+ {
+ kernel: {
+ enabled: fips_ohai_value,
+ },
+ }
+ end
+ let(:fips_ohai_value) { false }
+
+ before(:all) do
+ @original_env = ENV.to_hash
+ end
+
+ after(:all) do
+ ENV.clear
+ ENV.update(@original_env)
+ end
+
+ before(:each) do
+ ENV["CHEF_FIPS"] = nil
+ allow(Ohai::System).to receive(:new).and_return(fips_ohai)
+ allow(fips_ohai).to receive(:[]).with(:fips).and_return(fips_ohai_data)
+ end
+
+ it "returns false when no environment is set and ohai flag is disabled" do
+ expect(ChefConfig::Config[:fips]).to eq(false)
+ ChefConfig::Config.instance_eval { remove_instance_variable(:@sync_value) }
+ end
+
+ context "when ENV['CHEF_FIPS'] is set" do
+ before do
+ ENV["CHEF_FIPS"] = "1"
+ end
+
+ it "returns true" do
+ expect(ChefConfig::Config[:fips]).to eq(true)
+ end
+ end
+
+ context "when fips is enabled in ohai data" do
+ let(:fips_ohai_value) { true }
+
+ it "returns true" do
+ expect(ChefConfig::Config[:fips]).to eq(true)
+ ChefConfig::Config.instance_eval { remove_instance_variable(:@sync_value) }
+ end
+ end
+ end
+
describe "ChefConfig::Config[:chef_server_root]" do
context "when chef_server_url isn't set manually" do
it "returns the default of 'https://localhost:443'" do
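Review bot: The cached `@sync_value` is only removed inside the two examples that populate it, on the line after the expectation, so a failing expectation skips the cleanup and the stale value leaks into later examples; the CHEF_FIPS context never clears it at all and only passes because the env check short-circuits. Move the cleanup into a hook on the describe block and guard it: `after(:each) { ChefConfig::Config.instance_eval { remove_instance_variable(:@sync_value) if instance_variable_defined?(:@sync_value) } }`, then drop the two inline `remove_instance_variable` calls. The enclosing RSpec.describe starts outside the hunk.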
diff --git a/chef.gemspec b/chef.gemspec
index 59367b00f8..5dfc2aab49 100644
--- a/chef.gemspec
+++ b/chef.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
s.add_dependency "mixlib-log", "~> 1.3"
s.add_dependency "mixlib-authentication", "~> 1.4"
s.add_dependency "mixlib-shellout", "~> 2.0"
- s.add_dependency "ohai", ">= 8.6.0.alpha.1", "< 9"
+ s.add_dependency "ohai", "~> 8.15"
s.add_dependency "ffi-yajl", "~> 2.2"
s.add_dependency "net-ssh", ">= 2.9", "< 4.0"
diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index ac46e533dd..d42ab20033 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -280,7 +280,7 @@ class Chef::Application::Client < Chef::Application
:boolean => true
option :fips,
- :long => "--fips",
+ :long => "--[no-]fips",
:description => "Enable fips mode",
:boolean => true
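Review bot: The description on the line after the changed `:long` still reads `"Enable fips mode"`, but the option now also accepts `--no-fips`, so `--help` no longer describes what the flag can do. Update it to `:description => "Enable or disable fips mode (--fips / --no-fips)"` so the help text matches the accepted spellings. The enclosing class continues outside the hunk.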
diff --git a/spec/support/shared/context/client.rb b/spec/support/shared/context/client.rb
index d8676ef168..2f127c5cbd 100644
--- a/spec/support/shared/context/client.rb
+++ b/spec/support/shared/context/client.rb
@@ -16,11 +16,18 @@ shared_context "client" do
:machinename => machinename,
:platform => platform,
:platform_version => platform_version,
+ :fips => { :kernel => { :enabled => false } },
}
end
let(:ohai_system) do
- ohai = instance_double("Ohai::System", :all_plugins => true, :data => ohai_data)
+ ohai = instance_double(
+ "Ohai::System",
+ :all_plugins => true,
+ :data => ohai_data,
+ :load_plugins => nil,
+ :require_plugin => nil
+ )
allow(ohai).to receive(:[]) do |k|
ohai_data[k]
end