summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorJay Mundrawala <jdmundrawala@gmail.com>2016-01-27 17:44:12 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2016-01-28 15:28:33 -0800
commited44d58632c02744ce02bcc6af504e4e3c802f1f (patch)
treede5dac9d7bccf99a010e97e7ecaad8b8bfd34e86 /spec
parent97e3ae9540c5c663af2575c579c6e9a445848489 (diff)
downloadchef-ed44d58632c02744ce02bcc6af504e4e3c802f1f.tar.gz
Allow use of command line fips switch for knife
This somewhat worked before. However, it was just for knife bootstrap. It also didn't support --no-fips in the case where it was in your knife.rb and you decided that you didn't want to use fips for that one call. The assumption here is fips mode you run knife with is the fips mode the node will get. This has the nice property that validatorless bootstraps will talk to the chef server in fips mode if the node is requested to be in fips mode.
Diffstat (limited to 'spec')
-rw-r--r--spec/unit/application/knife_spec.rb52
-rw-r--r--spec/unit/knife/bootstrap_spec.rb37
-rw-r--r--spec/unit/knife/core/bootstrap_context_spec.rb6
3 files changed, 94 insertions, 1 deletions
diff --git a/spec/unit/application/knife_spec.rb b/spec/unit/application/knife_spec.rb
index 163489110f..c6c3c4d12c 100644
--- a/spec/unit/application/knife_spec.rb
+++ b/spec/unit/application/knife_spec.rb
@@ -82,6 +82,58 @@ describe Chef::Application::Knife do
end
end
+ context "when given fips flags" do
+ context "when Chef::Config[:fips]=false" do
+ before do
+ # This is required because the chef-fips pipeline does
+ # has a default value of true for fips
+ Chef::Config[:fips] = false
+ end
+
+ it "does not initialize fips mode when no flags are passed" do
+ with_argv(*%w{noop knife command}) do
+ expect(@knife).to receive(:exit).with(0)
+ expect(OpenSSL).not_to receive(:'fips_mode=')
+ @knife.run
+ expect(Chef::Config[:fips]).to eq(false)
+ end
+ end
+
+ it "overwrites the Chef::Config value when passed --fips" do
+ with_argv(*%w{noop knife command --fips}) do
+ expect(@knife).to receive(:exit).with(0)
+ expect(OpenSSL).to receive(:'fips_mode=').with(true)
+ @knife.run
+ expect(Chef::Config[:fips]).to eq(true)
+ end
+ end
+ end
+
+ context "when Chef::Config[:fips]=true" do
+ before do
+ Chef::Config[:fips] = true
+ end
+
+ it "initializes fips mode when passed --fips" do
+ with_argv(*%w{noop knife command --fips}) do
+ expect(@knife).to receive(:exit).with(0)
+ expect(OpenSSL).to receive(:'fips_mode=').with(true)
+ @knife.run
+ expect(Chef::Config[:fips]).to eq(true)
+ end
+ end
+
+ it "overwrites the Chef::Config value when passed --no-fips" do
+ with_argv(*%w{noop knife command --no-fips}) do
+ expect(@knife).to receive(:exit).with(0)
+ expect(OpenSSL).not_to receive(:'fips_mode=')
+ @knife.run
+ expect(Chef::Config[:fips]).to eq(false)
+ end
+ end
+ end
+ end
+
describe "when given a path to the client key" do
it "expands a relative path relative to the CWD" do
relative_path = ".chef/client.pem"
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index 0f9e6e3c39..29e3623d73 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -422,6 +422,42 @@ describe Chef::Knife::Bootstrap do
end
end
+ context "when doing fips things" do
+ let(:template_file) { File.expand_path(File.join(CHEF_SPEC_DATA, "bootstrap", "no_proxy.erb")) }
+ let(:trusted_certs_dir) { Chef::Util::PathHelper.cleanpath(File.join(File.dirname(__FILE__), "../../data/trusted_certs")) }
+
+ before do
+ Chef::Config[:knife][:bootstrap_template] = template_file
+ end
+
+ let(:rendered_template) do
+ knife.render_template
+ end
+
+ context "when knife is in fips mode" do
+ before do
+ Chef::Config[:fips] = true
+ end
+
+ it "renders 'fips true'" do
+ Chef::Config[:fips] = true
+ expect(rendered_template).to match("fips")
+ end
+ end
+
+ context "when knife is not in fips mode" do
+ before do
+ # This is required because the chef-fips pipeline does
+ # has a default value of true for fips
+ Chef::Config[:fips] = false
+ end
+
+ it "does not render anything about fips" do
+ expect(rendered_template).not_to match("fips")
+ end
+ end
+ end
+
describe "handling policyfile options" do
context "when only policy_name is given" do
@@ -735,5 +771,4 @@ describe Chef::Knife::Bootstrap do
describe "specifying ssl verification" do
end
-
end
diff --git a/spec/unit/knife/core/bootstrap_context_spec.rb b/spec/unit/knife/core/bootstrap_context_spec.rb
index 7ecade338a..a582f16983 100644
--- a/spec/unit/knife/core/bootstrap_context_spec.rb
+++ b/spec/unit/knife/core/bootstrap_context_spec.rb
@@ -20,6 +20,12 @@ require "spec_helper"
require "chef/knife/core/bootstrap_context"
describe Chef::Knife::Core::BootstrapContext do
+ before do
+ # This is required because the chef-fips pipeline does
+ # has a default value of true for fips
+ Chef::Config[:fips] = false
+ end
+
let(:config) { {:foo => :bar, :color => true} }
let(:run_list) { Chef::RunList.new("recipe[tmux]", "role[base]") }
let(:chef_config) do