summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorJay Mundrawala <jdmundrawala@gmail.com>2016-01-26 14:04:59 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2016-01-26 14:04:59 -0800
commit58112e1210cac991e7a9cf434c74ece0aa97414d (patch)
treed4a83406aadb8a756ab80f5c1660891ce33842f4 /spec
parent92de2b34aa48daa878e47db2b00d4c669ada1d96 (diff)
parent15ee9bd1b9ff3332d2197e29fffdffff82dda06f (diff)
downloadchef-58112e1210cac991e7a9cf434c74ece0aa97414d.tar.gz
Merge pull request #4287 from chef/jdm/1.3-fips
Default Chef with FIPS OpenSSL to use sign v1.3
Diffstat (limited to 'spec')
-rw-r--r--spec/spec_helper.rb5
-rw-r--r--spec/support/chef_helpers.rb2
-rw-r--r--spec/support/platform_helpers.rb4
-rw-r--r--spec/unit/api_client/registration_spec.rb12
-rw-r--r--spec/unit/application_spec.rb10
-rw-r--r--spec/unit/client_spec.rb23
-rw-r--r--spec/unit/encrypted_data_bag_item_spec.rb2
-rw-r--r--spec/unit/http/authenticator_spec.rb4
-rw-r--r--spec/unit/http/ssl_policies_spec.rb2
-rw-r--r--spec/unit/rest/auth_credentials_spec.rb33
10 files changed, 53 insertions, 44 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index e69d61a7b3..34716e5fd8 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -67,6 +67,10 @@ require "chef/util/file_edit"
require "chef/config"
+if ENV["CHEF_FIPS"] == "1"
+ Chef::Config.init_openssl
+end
+
# If you want to load anything into the testing environment
# without versioning it, add it to spec/support/local_gems.rb
require "spec/support/local_gems.rb" if File.exists?(File.join(File.dirname(__FILE__), "support", "local_gems.rb"))
@@ -165,6 +169,7 @@ RSpec.configure do |config|
config.filter_run_excluding :aes_256_gcm_only => true unless aes_256_gcm?
config.filter_run_excluding :broken => true
config.filter_run_excluding :not_wpar => true unless wpar?
+ config.filter_run_excluding :not_fips => true unless fips?
running_platform_arch = `uname -m`.strip unless windows?
diff --git a/spec/support/chef_helpers.rb b/spec/support/chef_helpers.rb
index a792cd3c5f..cfc876ffd3 100644
--- a/spec/support/chef_helpers.rb
+++ b/spec/support/chef_helpers.rb
@@ -27,7 +27,7 @@ Chef::Config.solo(false)
def sha256_checksum(path)
- Digest::SHA256.hexdigest(File.read(path))
+ OpenSSL::Digest::SHA256.hexdigest(File.read(path))
end
# From Ruby 1.9.2+
diff --git a/spec/support/platform_helpers.rb b/spec/support/platform_helpers.rb
index 0259dc6dfb..a29cb61d00 100644
--- a/spec/support/platform_helpers.rb
+++ b/spec/support/platform_helpers.rb
@@ -204,6 +204,10 @@ def aes_256_gcm?
OpenSSL::Cipher.ciphers.include?("aes-256-gcm")
end
+def fips?
+ ENV["CHEF_FIPS"] == "1"
+end
+
class GCEDetector
extend Ohai::Mixin::GCEMetadata
end
diff --git a/spec/unit/api_client/registration_spec.rb b/spec/unit/api_client/registration_spec.rb
index bddb33fa0d..97ed1c719c 100644
--- a/spec/unit/api_client/registration_spec.rb
+++ b/spec/unit/api_client/registration_spec.rb
@@ -113,7 +113,7 @@ describe Chef::ApiClient::Registration do
with("clients", expected_post_data).
and_return(create_with_pkey_response)
expect(registration.run.public_key).to eq(create_with_pkey_response["chef_key"]["public_key"])
- expect(registration.private_key).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
it "puts a locally generated public key to the server to update a client" do
@@ -124,7 +124,7 @@ describe Chef::ApiClient::Registration do
with("clients/#{client_name}", expected_put_data).
and_return(update_with_pkey_response)
expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem)
- expect(registration.private_key).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
it "writes the generated private key to disk" do
@@ -132,7 +132,7 @@ describe Chef::ApiClient::Registration do
with("clients", expected_post_data).
and_return(create_with_pkey_response)
registration.run
- expect(IO.read(key_location)).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
context "and the client already exists on a Chef 11 server" do
@@ -142,7 +142,7 @@ describe Chef::ApiClient::Registration do
with("clients/#{client_name}", expected_put_data).
and_return(update_with_pkey_response)
expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem)
- expect(registration.private_key).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
end
@@ -247,7 +247,7 @@ describe Chef::ApiClient::Registration do
it "creates the client on the server and writes the key" do
expect(http_mock).to receive(:post).ordered.and_return(server_v10_response)
registration.run
- expect(IO.read(key_location)).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
it "retries up to 5 times" do
@@ -262,7 +262,7 @@ describe Chef::ApiClient::Registration do
expect(http_mock).to receive(:post).ordered.and_return(server_v10_response)
registration.run
- expect(IO.read(key_location)).to eq(generated_private_key_pem)
+ expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)
end
it "gives up retrying after the max attempts" do
diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb
index 6a78e5c827..d66cc26927 100644
--- a/spec/unit/application_spec.rb
+++ b/spec/unit/application_spec.rb
@@ -136,6 +136,16 @@ describe Chef::Application do
expect(Chef::Config.rspec_ran).to eq("true")
end
+ context "when openssl fips" do
+ before do
+ allow(Chef::Config).to receive(:fips).and_return(true)
+ end
+
+ it "sets openssl in fips mode" do
+ expect(OpenSSL).to receive(:'fips_mode=').with(true)
+ @app.configure_chef
+ end
+ end
end
describe "when there is no config_file defined" do
diff --git a/spec/unit/client_spec.rb b/spec/unit/client_spec.rb
index 3b4d23da6e..60b274a774 100644
--- a/spec/unit/client_spec.rb
+++ b/spec/unit/client_spec.rb
@@ -45,8 +45,27 @@ describe Chef::Client do
end
describe "authentication protocol selection" do
- it "defaults to 1.1" do
- expect(Chef::Config[:authentication_protocol_version]).to eq("1.1")
+ context "when FIPS is disabled" do
+ before do
+ Chef::Config[:fips] = false
+ end
+
+ it "defaults to 1.1" do
+ expect(Chef::Config[:authentication_protocol_version]).to eq("1.1")
+ end
+ end
+ context "when FIPS is enabled" do
+ before do
+ Chef::Config[:fips] = true
+ end
+
+ it "defaults to 1.3" do
+ expect(Chef::Config[:authentication_protocol_version]).to eq("1.3")
+ end
+
+ after do
+ Chef::Config[:fips] = false
+ end
end
end
diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb
index 796ad8ff5b..ee69ecfddc 100644
--- a/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/spec/unit/encrypted_data_bag_item_spec.rb
@@ -290,7 +290,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do
end
- context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do
+ context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value", :not_fips do
let(:encrypted_value) do
Version0Encryptor.encrypt_value(plaintext_data, encryption_key)
end
diff --git a/spec/unit/http/authenticator_spec.rb b/spec/unit/http/authenticator_spec.rb
index 1289ebb61e..031a483fe9 100644
--- a/spec/unit/http/authenticator_spec.rb
+++ b/spec/unit/http/authenticator_spec.rb
@@ -70,7 +70,9 @@ describe Chef::HTTP::Authenticator do
it_behaves_like "merging the server API version into the headers"
it "calls authentication_headers with the proper input" do
- expect(class_instance).to receive(:authentication_headers).with(method, url, data).and_return({})
+ expect(class_instance).to receive(:authentication_headers).with(
+ method, url, data,
+ {"X-Ops-Server-API-Version" => Chef::HTTP::Authenticator::DEFAULT_SERVER_API_VERSION}).and_return({})
class_instance.handle_request(method, url, headers, data)
end
end
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb
index 98f1fa9c37..510a1a66bc 100644
--- a/spec/unit/http/ssl_policies_spec.rb
+++ b/spec/unit/http/ssl_policies_spec.rb
@@ -109,7 +109,7 @@ describe "HTTP SSL Policy" do
Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert"
Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + "/ssl/chef-rspec.key"
expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s)
- expect(http_client.key.to_s).to eq(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key"))
+ expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s)
end
end
diff --git a/spec/unit/rest/auth_credentials_spec.rb b/spec/unit/rest/auth_credentials_spec.rb
index 88da44319b..c3ce695387 100644
--- a/spec/unit/rest/auth_credentials_spec.rb
+++ b/spec/unit/rest/auth_credentials_spec.rb
@@ -23,37 +23,6 @@ require "spec_helper"
require "uri"
require "net/https"
-KEY_DOT_PEM=<<-END_RSA_KEY
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA49TA0y81ps0zxkOpmf5V4/c4IeR5yVyQFpX3JpxO4TquwnRh
-8VSUhrw8kkTLmB3cS39Db+3HadvhoqCEbqPE6915kXSuk/cWIcNozujLK7tkuPEy
-YVsyTioQAddSdfe+8EhQVf3oHxaKmUd6waXrWqYCnhxgOjxocenREYNhZ/OETIei
-PbOku47vB4nJK/0GhKBytL2XnsRgfKgDxf42BqAi1jglIdeq8lAWZNF9TbNBU21A
-O1iuT7Pm6LyQujhggPznR5FJhXKRUARXBJZawxpGV4dGtdcahwXNE4601aXPra+x
-PcRd2puCNoEDBzgVuTSsLYeKBDMSfs173W1QYwIDAQABAoIBAGF05q7vqOGbMaSD
-2Q7YbuE/JTHKTBZIlBI1QC2x+0P5GDxyEFttNMOVzcs7xmNhkpRw8eX1LrInrpMk
-WsIBKAFFEfWYlf0RWtRChJjNl+szE9jQxB5FJnWtJH/FHa78tR6PsF24aQyzVcJP
-g0FGujBihwgfV0JSCNOBkz8MliQihjQA2i8PGGmo4R4RVzGfxYKTIq9vvRq/+QEa
-Q4lpVLoBqnENpnY/9PTl6JMMjW2b0spbLjOPVwDaIzXJ0dChjNXo15K5SHI5mALJ
-I5gN7ODGb8PKUf4619ez194FXq+eob5YJdilTFKensIUvt3YhP1ilGMM+Chi5Vi/
-/RCTw3ECgYEA9jTw4wv9pCswZ9wbzTaBj9yZS3YXspGg26y6Ohq3ZmvHz4jlT6uR
-xK+DDcUiK4072gci8S4Np0fIVS7q6ivqcOdzXPrTF5/j+MufS32UrBbUTPiM1yoO
-ECcy+1szl/KoLEV09bghPbvC58PFSXV71evkaTETYnA/F6RK12lEepcCgYEA7OSy
-bsMrGDVU/MKJtwqyGP9ubA53BorM4Pp9VVVSCrGGVhb9G/XNsjO5wJC8J30QAo4A
-s59ZzCpyNRy046AB8jwRQuSwEQbejSdeNgQGXhZ7aIVUtuDeFFdaIz/zjVgxsfj4
-DPOuzieMmJ2MLR4F71ocboxNoDI7xruPSE8dDhUCgYA3vx732cQxgtHwAkeNPJUz
-dLiE/JU7CnxIoSB9fYUfPLI+THnXgzp7NV5QJN2qzMzLfigsQcg3oyo6F2h7Yzwv
-GkjlualIRRzCPaCw4Btkp7qkPvbs1QngIHALt8fD1N69P3DPHkTwjG4COjKWgnJq
-qoHKS6Fe/ZlbigikI6KsuwKBgQCTlSLoyGRHr6oj0hqz01EDK9ciMJzMkZp0Kvn8
-OKxlBxYW+jlzut4MQBdgNYtS2qInxUoAnaz2+hauqhSzntK3k955GznpUatCqx0R
-b857vWviwPX2/P6+E3GPdl8IVsKXCvGWOBZWTuNTjQtwbDzsUepWoMgXnlQJSn5I
-YSlLxQKBgQD16Gw9kajpKlzsPa6XoQeGmZALT6aKWJQlrKtUQIrsIWM0Z6eFtX12
-2jjHZ0awuCQ4ldqwl8IfRogWMBkHOXjTPVK0YKWWlxMpD/5+bGPARa5fir8O1Zpo
-Y6S6MeZ69Rp89ma4ttMZ+kwi1+XyHqC/dlcVRW42Zl5Dc7BALRlJjQ==
------END RSA PRIVATE KEY-----
- END_RSA_KEY
-
-
describe Chef::REST::AuthCredentials do
before do
@key_file_fixture = CHEF_SPEC_DATA + "/ssl/private_key.pem"
@@ -67,7 +36,7 @@ describe Chef::REST::AuthCredentials do
it "loads the private key when initialized with the path to the key" do
expect(@auth_credentials.key).to respond_to(:private_encrypt)
- expect(@auth_credentials.key.to_s).to eq(KEY_DOT_PEM)
+ expect(@auth_credentials.key).to eq(@key)
end
describe "when loading the private key" do