author | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-26 14:04:59 -0800 |
committer | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-26 14:04:59 -0800 |
commit | 58112e1210cac991e7a9cf434c74ece0aa97414d (patch) | |
tree | d4a83406aadb8a756ab80f5c1660891ce33842f4 /spec | |
parent | 92de2b34aa48daa878e47db2b00d4c669ada1d96 (diff) | |
parent | 15ee9bd1b9ff3332d2197e29fffdffff82dda06f (diff) | |
download | chef-58112e1210cac991e7a9cf434c74ece0aa97414d.tar.gz |
Merge pull request #4287 from chef/jdm/1.3-fips
Default Chef with FIPS OpenSSL to use sign v1.3
Diffstat (limited to 'spec')
-rw-r--r-- | spec/spec_helper.rb | 5 | ||||
-rw-r--r-- | spec/support/chef_helpers.rb | 2 | ||||
-rw-r--r-- | spec/support/platform_helpers.rb | 4 | ||||
-rw-r--r-- | spec/unit/api_client/registration_spec.rb | 12 | ||||
-rw-r--r-- | spec/unit/application_spec.rb | 10 | ||||
-rw-r--r-- | spec/unit/client_spec.rb | 23 | ||||
-rw-r--r-- | spec/unit/encrypted_data_bag_item_spec.rb | 2 | ||||
-rw-r--r-- | spec/unit/http/authenticator_spec.rb | 4 | ||||
-rw-r--r-- | spec/unit/http/ssl_policies_spec.rb | 2 | ||||
-rw-r--r-- | spec/unit/rest/auth_credentials_spec.rb | 33 |
10 files changed, 53 insertions, 44 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index e69d61a7b3..34716e5fd8 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -67,6 +67,10 @@ require "chef/util/file_edit" require "chef/config" +if ENV["CHEF_FIPS"] == "1" + Chef::Config.init_openssl +end + # If you want to load anything into the testing environment # without versioning it, add it to spec/support/local_gems.rb require "spec/support/local_gems.rb" if File.exists?(File.join(File.dirname(__FILE__), "support", "local_gems.rb")) @@ -165,6 +169,7 @@ RSpec.configure do |config| config.filter_run_excluding :aes_256_gcm_only => true unless aes_256_gcm? config.filter_run_excluding :broken => true config.filter_run_excluding :not_wpar => true unless wpar? + config.filter_run_excluding :not_fips => true unless fips? running_platform_arch = `uname -m`.strip unless windows? diff --git a/spec/support/chef_helpers.rb b/spec/support/chef_helpers.rb index a792cd3c5f..cfc876ffd3 100644 --- a/spec/support/chef_helpers.rb +++ b/spec/support/chef_helpers.rb @@ -27,7 +27,7 @@ Chef::Config.solo(false) def sha256_checksum(path) - Digest::SHA256.hexdigest(File.read(path)) + OpenSSL::Digest::SHA256.hexdigest(File.read(path)) end # From Ruby 1.9.2+ diff --git a/spec/support/platform_helpers.rb b/spec/support/platform_helpers.rb index 0259dc6dfb..a29cb61d00 100644 --- a/spec/support/platform_helpers.rb +++ b/spec/support/platform_helpers.rb @@ -204,6 +204,10 @@ def aes_256_gcm? OpenSSL::Cipher.ciphers.include?("aes-256-gcm") end +def fips? + ENV["CHEF_FIPS"] == "1" +end + class GCEDetector extend Ohai::Mixin::GCEMetadata end diff --git a/spec/unit/api_client/registration_spec.rb b/spec/unit/api_client/registration_spec.rb index bddb33fa0d..97ed1c719c 100644 --- a/spec/unit/api_client/registration_spec.rb +++ b/spec/unit/api_client/registration_spec.rb 
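Review bot: The `ENV["CHEF_FIPS"] == "1"` test placed in front of `Chef::Config.init_openssl` in spec_helper.rb duplicates the `fips?` predicate that this same commit adds to spec/support/platform_helpers.rb, so the two can drift if the sentinel value ever changes. Since the support file is presumably not loaded yet at line 67, a comment would make the duplication deliberate: `# Mirrors fips? in spec/support/platform_helpers.rb, which is not loaded yet at this point`. It is also not visible here whether `init_openssl` consults `Chef::Config[:fips]` or the environment; if it relies on the config key, nothing in this hunk sets that key before the call, which is worth confirming.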
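Review bot: `fips?` in platform_helpers.rb reports only whether `CHEF_FIPS=1` was exported, not whether OpenSSL is actually running in FIPS mode, so `:not_fips` examples still run against a FIPS-enabled OpenSSL when the variable is unset, and are skipped against a non-FIPS build when it is set. If the filter is meant to follow the library state, `OpenSSL.fips_mode` is the more direct check; either way a one-line YARD comment would make the contract explicit: `# @return [Boolean] true when the suite was launched with CHEF_FIPS=1 (see spec_helper.rb)`.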
@@ -113,7 +113,7 @@ describe Chef::ApiClient::Registration do with("clients", expected_post_data). and_return(create_with_pkey_response) expect(registration.run.public_key).to eq(create_with_pkey_response["chef_key"]["public_key"]) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "puts a locally generated public key to the server to update a client" do @@ -124,7 +124,7 @@ describe Chef::ApiClient::Registration do with("clients/#{client_name}", expected_put_data). and_return(update_with_pkey_response) expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "writes the generated private key to disk" do @@ -132,7 +132,7 @@ describe Chef::ApiClient::Registration do with("clients", expected_post_data). and_return(create_with_pkey_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end context "and the client already exists on a Chef 11 server" do @@ -142,7 +142,7 @@ describe Chef::ApiClient::Registration do with("clients/#{client_name}", expected_put_data). and_return(update_with_pkey_response) expect(registration.run.public_key).to eq(update_with_pkey_response["public_key"].to_pem) - expect(registration.private_key).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end end 
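Review bot: The re-parse-and-export comparison `expect(OpenSSL::PKey::RSA.new(registration.private_key).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s)` is repeated in all four hunks here, twice more in the -247/-262 hunks of this file, and once in spec/unit/http/ssl_policies_spec.rb, with no comment saying why a byte comparison of the PEM text is no longer sufficient — presumably a FIPS-mode OpenSSL exports the same key in a different PEM encoding. A small spec helper would remove the duplication and carry that explanation in one place, e.g. `# PEM text differs between FIPS and non-FIPS OpenSSL builds; compare the DER form instead` above `def rsa_key_der(pem); OpenSSL::PKey::RSA.new(pem).to_der; end`, with the examples reduced to `expect(rsa_key_der(registration.private_key)).to eq(rsa_key_der(generated_private_key_pem))`. Comparing `to_der` rather than the re-exported text also stops the assertion from depending on export formatting at all.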
@@ -247,7 +247,7 @@ describe Chef::ApiClient::Registration do it "creates the client on the server and writes the key" do expect(http_mock).to receive(:post).ordered.and_return(server_v10_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "retries up to 5 times" do @@ -262,7 +262,7 @@ describe Chef::ApiClient::Registration do expect(http_mock).to receive(:post).ordered.and_return(server_v10_response) registration.run - expect(IO.read(key_location)).to eq(generated_private_key_pem) + expect(OpenSSL::PKey::RSA.new(IO.read(key_location)).to_s).to eq(OpenSSL::PKey::RSA.new(generated_private_key_pem).to_s) end it "gives up retrying after the max attempts" do diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb index 6a78e5c827..d66cc26927 100644 --- a/spec/unit/application_spec.rb +++ b/spec/unit/application_spec.rb @@ -136,6 +136,16 @@ describe Chef::Application do expect(Chef::Config.rspec_ran).to eq("true") end + context "when openssl fips" do + before do + allow(Chef::Config).to receive(:fips).and_return(true) + end + + it "sets openssl in fips mode" do + expect(OpenSSL).to receive(:'fips_mode=').with(true) + @app.configure_chef + end + end end describe "when there is no config_file defined" do diff --git a/spec/unit/client_spec.rb b/spec/unit/client_spec.rb index 3b4d23da6e..60b274a774 100644 --- a/spec/unit/client_spec.rb +++ b/spec/unit/client_spec.rb 
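Review bot: The new `when openssl fips` context in application_spec.rb asserts only the positive path; nothing checks that `configure_chef` leaves `OpenSSL.fips_mode=` untouched when `Chef::Config.fips` is false, which is the behaviour every non-FIPS run relies on. A sibling example with `allow(Chef::Config).to receive(:fips).and_return(false)` in its `before` and `expect(OpenSSL).not_to receive(:fips_mode=)` would pin it. Minor style: `:fips_mode=` is a valid bare symbol literal, so the quotes in `receive(:'fips_mode=')` are unnecessary.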
@@ -45,8 +45,27 @@ describe Chef::Client do end describe "authentication protocol selection" do - it "defaults to 1.1" do - expect(Chef::Config[:authentication_protocol_version]).to eq("1.1") + context "when FIPS is disabled" do + before do + Chef::Config[:fips] = false + end + + it "defaults to 1.1" do + expect(Chef::Config[:authentication_protocol_version]).to eq("1.1") + end + end + context "when FIPS is enabled" do + before do + Chef::Config[:fips] = true + end + + it "defaults to 1.3" do + expect(Chef::Config[:authentication_protocol_version]).to eq("1.3") + end + + after do + Chef::Config[:fips] = false + end end end diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb index 796ad8ff5b..ee69ecfddc 100644 --- a/spec/unit/encrypted_data_bag_item_spec.rb +++ b/spec/unit/encrypted_data_bag_item_spec.rb @@ -290,7 +290,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do end - context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do + context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value", :not_fips do let(:encrypted_value) do Version0Encryptor.encrypt_value(plaintext_data, encryption_key) end diff --git a/spec/unit/http/authenticator_spec.rb b/spec/unit/http/authenticator_spec.rb index 1289ebb61e..031a483fe9 100644 --- a/spec/unit/http/authenticator_spec.rb +++ b/spec/unit/http/authenticator_spec.rb @@ -70,7 +70,9 @@ describe Chef::HTTP::Authenticator do it_behaves_like "merging the server API version into the headers" it "calls authentication_headers with the proper input" do - expect(class_instance).to receive(:authentication_headers).with(method, url, data).and_return({}) + expect(class_instance).to receive(:authentication_headers).with( + method, url, data, + {"X-Ops-Server-API-Version" => Chef::HTTP::Authenticator::DEFAULT_SERVER_API_VERSION}).and_return({}) class_instance.handle_request(method, url, headers, data) end end 
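Review bot: In the client_spec.rb hunk the `when FIPS is enabled` context hard-resets `Chef::Config[:fips] = false` in its `after`, and the `when FIPS is disabled` context sets it to `false` without restoring anything. If the suite is launched with CHEF_FIPS=1 (which this commit wires up in spec_helper.rb) and `Chef::Config[:fips]` is true by default in that mode, every later example in the process would silently run with FIPS off. Saving and restoring the prior value, e.g. `before { @saved_fips = Chef::Config[:fips]; Chef::Config[:fips] = true }` and `after { Chef::Config[:fips] = @saved_fips }`, keeps these examples isolated from the run mode.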
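Review bot: The `:not_fips` tag added to the version 0 decryption context in encrypted_data_bag_item_spec.rb records that the examples are skipped under FIPS but not why, so a later reader cannot tell whether it is the YAML handling, the IV-less aes-256-cbc construction or the key handling that a FIPS-mode OpenSSL rejects. A one-line comment above the `context` naming the failing step would document the exclusion, e.g. `# Skipped under FIPS: <TODO: name the primitive a FIPS-mode OpenSSL refuses here>`.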
diff --git a/spec/unit/http/ssl_policies_spec.rb b/spec/unit/http/ssl_policies_spec.rb index 98f1fa9c37..510a1a66bc 100644 --- a/spec/unit/http/ssl_policies_spec.rb +++ b/spec/unit/http/ssl_policies_spec.rb @@ -109,7 +109,7 @@ describe "HTTP SSL Policy" do Chef::Config[:ssl_client_cert] = CHEF_SPEC_DATA + "/ssl/chef-rspec.cert" Chef::Config[:ssl_client_key] = CHEF_SPEC_DATA + "/ssl/chef-rspec.key" expect(http_client.cert.to_s).to eq(OpenSSL::X509::Certificate.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.cert")).to_s) - expect(http_client.key.to_s).to eq(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")) + expect(http_client.key.to_s).to eq(OpenSSL::PKey::RSA.new(IO.read(CHEF_SPEC_DATA + "/ssl/chef-rspec.key")).to_s) end end diff --git a/spec/unit/rest/auth_credentials_spec.rb b/spec/unit/rest/auth_credentials_spec.rb index 88da44319b..c3ce695387 100644 --- a/spec/unit/rest/auth_credentials_spec.rb +++ b/spec/unit/rest/auth_credentials_spec.rb 
@@ -23,37 +23,6 @@ require "spec_helper" require "uri" require "net/https" -KEY_DOT_PEM=<<-END_RSA_KEY ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA49TA0y81ps0zxkOpmf5V4/c4IeR5yVyQFpX3JpxO4TquwnRh -8VSUhrw8kkTLmB3cS39Db+3HadvhoqCEbqPE6915kXSuk/cWIcNozujLK7tkuPEy -YVsyTioQAddSdfe+8EhQVf3oHxaKmUd6waXrWqYCnhxgOjxocenREYNhZ/OETIei -PbOku47vB4nJK/0GhKBytL2XnsRgfKgDxf42BqAi1jglIdeq8lAWZNF9TbNBU21A -O1iuT7Pm6LyQujhggPznR5FJhXKRUARXBJZawxpGV4dGtdcahwXNE4601aXPra+x -PcRd2puCNoEDBzgVuTSsLYeKBDMSfs173W1QYwIDAQABAoIBAGF05q7vqOGbMaSD -2Q7YbuE/JTHKTBZIlBI1QC2x+0P5GDxyEFttNMOVzcs7xmNhkpRw8eX1LrInrpMk -WsIBKAFFEfWYlf0RWtRChJjNl+szE9jQxB5FJnWtJH/FHa78tR6PsF24aQyzVcJP -g0FGujBihwgfV0JSCNOBkz8MliQihjQA2i8PGGmo4R4RVzGfxYKTIq9vvRq/+QEa -Q4lpVLoBqnENpnY/9PTl6JMMjW2b0spbLjOPVwDaIzXJ0dChjNXo15K5SHI5mALJ -I5gN7ODGb8PKUf4619ez194FXq+eob5YJdilTFKensIUvt3YhP1ilGMM+Chi5Vi/ -/RCTw3ECgYEA9jTw4wv9pCswZ9wbzTaBj9yZS3YXspGg26y6Ohq3ZmvHz4jlT6uR -xK+DDcUiK4072gci8S4Np0fIVS7q6ivqcOdzXPrTF5/j+MufS32UrBbUTPiM1yoO -ECcy+1szl/KoLEV09bghPbvC58PFSXV71evkaTETYnA/F6RK12lEepcCgYEA7OSy -bsMrGDVU/MKJtwqyGP9ubA53BorM4Pp9VVVSCrGGVhb9G/XNsjO5wJC8J30QAo4A -s59ZzCpyNRy046AB8jwRQuSwEQbejSdeNgQGXhZ7aIVUtuDeFFdaIz/zjVgxsfj4 -DPOuzieMmJ2MLR4F71ocboxNoDI7xruPSE8dDhUCgYA3vx732cQxgtHwAkeNPJUz -dLiE/JU7CnxIoSB9fYUfPLI+THnXgzp7NV5QJN2qzMzLfigsQcg3oyo6F2h7Yzwv -GkjlualIRRzCPaCw4Btkp7qkPvbs1QngIHALt8fD1N69P3DPHkTwjG4COjKWgnJq -qoHKS6Fe/ZlbigikI6KsuwKBgQCTlSLoyGRHr6oj0hqz01EDK9ciMJzMkZp0Kvn8 -OKxlBxYW+jlzut4MQBdgNYtS2qInxUoAnaz2+hauqhSzntK3k955GznpUatCqx0R -b857vWviwPX2/P6+E3GPdl8IVsKXCvGWOBZWTuNTjQtwbDzsUepWoMgXnlQJSn5I -YSlLxQKBgQD16Gw9kajpKlzsPa6XoQeGmZALT6aKWJQlrKtUQIrsIWM0Z6eFtX12 -2jjHZ0awuCQ4ldqwl8IfRogWMBkHOXjTPVK0YKWWlxMpD/5+bGPARa5fir8O1Zpo -Y6S6MeZ69Rp89ma4ttMZ+kwi1+XyHqC/dlcVRW42Zl5Dc7BALRlJjQ== ------END RSA PRIVATE KEY----- - END_RSA_KEY - - describe Chef::REST::AuthCredentials do before do @key_file_fixture = CHEF_SPEC_DATA + "/ssl/private_key.pem" 
@@ -67,7 +36,7 @@ describe Chef::REST::AuthCredentials do it "loads the private key when initialized with the path to the key" do expect(@auth_credentials.key).to respond_to(:private_encrypt) - expect(@auth_credentials.key.to_s).to eq(KEY_DOT_PEM) + expect(@auth_credentials.key).to eq(@key) end describe "when loading the private key" do |
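Review bot: `expect(@auth_credentials.key).to eq(@key)` compares two `OpenSSL::PKey::RSA` instances with `eq`, and at the time of this commit `OpenSSL::PKey::RSA` defines no value equality, so the example passes only if `@auth_credentials` holds the very object assigned to `@key`; the `before` block that builds both starts above this hunk, so that cannot be confirmed here. Comparing the serialized form, `expect(@auth_credentials.key.to_der).to eq(@key.to_der)`, asserts that the same key was loaded regardless of object identity and still holds under FIPS, where the old PEM-text comparison against the removed `KEY_DOT_PEM` fixture broke.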