Merge pull request #4481 from chef/jdm/fips-58

Allow use of command line fips switch for knife

4 files changed, 95 insertions, 2 deletions

diff --git a/spec/unit/application/knife_spec.rb b/spec/unit/application/knife_spec.rb
index 14b02a1d09..416dba4233 100644
--- a/spec/unit/application/knife_spec.rb
+++ b/spec/unit/application/knife_spec.rb
@@ -82,6 +82,58 @@ describe Chef::Application::Knife do
     end
   end
 
+  context "when given fips flags" do
+    context "when Chef::Config[:fips]=false" do
+      before do
+        # This is required because the chef-fips pipeline does
+        # has a default value of true for fips
+        Chef::Config[:fips] = false
+      end
+
+      it "does not initialize fips mode when no flags are passed" do
+        with_argv(*%w{noop knife command}) do
+          expect(@knife).to receive(:exit).with(0)
+          expect(Chef::Config).not_to receive(:enable_fips_mode)
+          @knife.run
+          expect(Chef::Config[:fips]).to eq(false)
+        end
+      end
+
+      it "overwrites the Chef::Config value when passed --fips" do
+        with_argv(*%w{noop knife command --fips}) do
+          expect(@knife).to receive(:exit).with(0)
+          expect(Chef::Config).to receive(:enable_fips_mode)
+          @knife.run
+          expect(Chef::Config[:fips]).to eq(true)
+        end
+      end
+    end
+
+    context "when Chef::Config[:fips]=true" do
+      before do
+        Chef::Config[:fips] = true
+      end
+
+      it "initializes fips mode when passed --fips" do
+        with_argv(*%w{noop knife command --fips}) do
+          expect(@knife).to receive(:exit).with(0)
+          expect(Chef::Config).to receive(:enable_fips_mode)
+          @knife.run
+          expect(Chef::Config[:fips]).to eq(true)
+        end
+      end
+
+      it "overwrites the Chef::Config value when passed --no-fips" do
+        with_argv(*%w{noop knife command --no-fips}) do
+          expect(@knife).to receive(:exit).with(0)
+          expect(Chef::Config).not_to receive(:enable_fips_mode)
+          @knife.run
+          expect(Chef::Config[:fips]).to eq(false)
+        end
+      end
+    end
+  end
+
   describe "when given a path to the client key" do
     it "expands a relative path relative to the CWD" do
       relative_path = ".chef/client.pem"
diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb
index 6f9719ebd6..1b91aafe8d 100644
--- a/spec/unit/application_spec.rb
+++ b/spec/unit/application_spec.rb
@@ -148,7 +148,7 @@ describe Chef::Application do
           end
 
           it "sets openssl in fips mode" do
-            expect(OpenSSL).to receive(:'fips_mode=').with(true)
+            expect(Chef::Config).to receive(:enable_fips_mode)
             @app.configure_chef
           end
         end
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index 5556cfab97..e6a78df8ba 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -422,6 +422,42 @@ describe Chef::Knife::Bootstrap do
     end
   end
 
+  context "when doing fips things" do
+    let(:template_file) { File.expand_path(File.join(CHEF_SPEC_DATA, "bootstrap", "no_proxy.erb")) }
+    let(:trusted_certs_dir) { Chef::Util::PathHelper.cleanpath(File.join(File.dirname(__FILE__), "../../data/trusted_certs")) }
+
+    before do
+      Chef::Config[:knife][:bootstrap_template] = template_file
+    end
+
+    let(:rendered_template) do
+      knife.render_template
+    end
+
+    context "when knife is in fips mode" do
+      before do
+        Chef::Config[:fips] = true
+      end
+
+      it "renders 'fips true'" do
+        Chef::Config[:fips] = true
+        expect(rendered_template).to match("fips")
+      end
+    end
+
+    context "when knife is not in fips mode" do
+      before do
+        # This is required because the chef-fips pipeline does
+        # has a default value of true for fips
+        Chef::Config[:fips] = false
+      end
+
+      it "does not render anything about fips" do
+        expect(rendered_template).not_to match("fips")
+      end
+    end
+  end
+
   describe "handling policyfile options" do
 
     context "when only policy_name is given" do
@@ -735,5 +771,4 @@ describe Chef::Knife::Bootstrap do
   describe "specifying ssl verification" do
 
   end
-
 end
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb
index 1acb1661de..16c0867610 100644
--- a/spec/unit/knife/core/bootstrap_context_spec.rb
+++ b/spec/unit/knife/core/bootstrap_context_spec.rb
@@ -20,6 +20,12 @@ require "spec_helper"
 require "chef/knife/core/bootstrap_context"
 
 describe Chef::Knife::Core::BootstrapContext do
+  before do
+    # This is required because the chef-fips pipeline does
+    # has a default value of true for fips
+    Chef::Config[:fips] = false
+  end
+
   let(:config) { {:foo => :bar, :color => true} }
   let(:run_list) { Chef::RunList.new("recipe[tmux]", "role[base]") }
   let(:chef_config) do