authorMatt Wrock <matt@mattwrock.com>2016-04-22 22:57:44 -0700
committerMatt Wrock <matt@mattwrock.com>2016-04-22 22:57:44 -0700
commit2c7c981fcd1b0a0b9291dbaf022fcc8836ad38ac (patch)
tree8533b9db978c33f0b67d80785238b451dd1a1c4e /chef-config/lib/chef-config
parent32fbc8908cc41c218951d5e2c9413e7efc6df5f1 (diff)
run in fips mode if node is fips enabled (fipfop)
Diffstat (limited to 'chef-config/lib/chef-config')
-rw-r--r--chef-config/lib/chef-config/config.rb28
1 files changed, 27 insertions, 1 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index bea357dad6..1bd6077f60 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -513,7 +513,32 @@ module ChefConfig
default :recipe_url, nil
# Set to true if Chef is to set OpenSSL to run in FIPS mode
- default(:fips) { ENV["CHEF_FIPS"] == "1" }
+ default(:fips) do
+ !ENV["CHEF_FIPS"].nil? || check_fips_via_ohai
+ end
+
+ # we want to synchronize this ohai call because ohai is not thread safe
+ # if this gets called in a mulithreaded context, each thread's ohai instance
+ # will call reset_system while other threads are loading plugins
+ # the destructive power of reset_system is scoped to the module and not to the instance
+ def self.check_fips_via_ohai
+ @@sync ||= Mutex.new
+ return @@sync_value if defined?(@@sync_value)
+
+ @@sync.synchronize do
+ return @@sync_value if defined?(@@sync_value)
+ require "ohai"
+ o = Ohai::System.new
+ o.load_plugins
+ begin
+ o.require_plugin "fips"
+ @@sync_value = o[:fips][:kernel][:enabled]
+ rescue Ohai::Exceptions::DependencyNotFound
+ @@sync_value = false
+ end
+ end
+ @@sync_value
+ end
# Initialize openssl
def self.init_openssl
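Review bot: The new `default(:fips)` block at the top of the hunk changes what `CHEF_FIPS` means: the old test `ENV["CHEF_FIPS"] == "1"` honoured only an explicit opt-in, while `!ENV["CHEF_FIPS"].nil?` treats any value, including `CHEF_FIPS=0` or an empty string, as enabling FIPS, and because it is joined with `||` an operator can no longer override a positive kernel check. Keeping the explicit comparison, `ENV["CHEF_FIPS"] == "1" || check_fips_via_ohai`, preserves the documented opt-in and avoids switching OpenSSL into FIPS mode on an unintended setting. In `check_fips_via_ohai`, `@@sync ||= Mutex.new` is itself a check-then-set race, so two threads arriving before the mutex exists can each create their own and both run the ohai load that the comment says must be serialized; initialise it eagerly in the class body (`@@sync = Mutex.new`) or use a frozen constant instead of a class variable. The lookup `o[:fips][:kernel][:enabled]` will also raise NoMethodError rather than fall back to false if the plugin loads but reports no `fips` data, a path the `DependencyNotFound` rescue does not cover — worth guarding the intermediate keys before indexing, though whether Ohai can return a partial structure here needs confirming.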
@@ -962,6 +987,7 @@ module ChefConfig
require "digest/md5"
Digest.const_set("SHA1", OpenSSL::Digest::SHA1)
OpenSSL::Digest.const_set("MD5", Digest::MD5)
+ ChefConfig.logger.debug "FIPS mode is enabled."
end
end
end