author | Thom May <thom@may.lt> | 2018-05-03 10:38:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-03 10:38:27 +0100 |
commit | 2b7d307d5ddab2047c2d9cf6bd3d44b2477c9490 (patch) | |
tree | 4f962a4625ccd6ae5fb77c855933d9523213ae93 | |
parent | c864281c31a44292be25d5983af0fc1b7e80a1d0 (diff) | |
parent | 891d2ff6500c395cad500860834c5e1289535fb1 (diff) | |
download | ohai-2b7d307d5ddab2047c2d9cf6bd3d44b2477c9490.tar.gz |
Merge pull request #1175 from coderanger/shard-less-optional
Make the shard plugin work under FIPS by using SHA2 instead of MD5
-rw-r--r-- | lib/ohai/plugins/shard.rb | 60 | ||||
-rw-r--r-- | spec/unit/plugins/shard_spec.rb | 80 |
2 files changed, 124 insertions, 16 deletions
diff --git a/lib/ohai/plugins/shard.rb b/lib/ohai/plugins/shard.rb
index 7e5d97b0..9820c9c7 100644
--- a/lib/ohai/plugins/shard.rb
+++ b/lib/ohai/plugins/shard.rb
@@ -17,10 +17,8 @@
 #
 
 Ohai.plugin(:ShardSeed) do
- require "digest/md5"
- depends "hostname", "dmi", "machine_id", "machinename"
+ depends "hostname", "dmi", "machine_id", "machinename", "fips", "hardware", "kernel"
 provides "shard_seed"
- optional true
 
 def get_dmi_property(dmi, thing)
 %w{system base_board chassis}.each do |section|
@@ -31,7 +29,33 @@ Ohai.plugin(:ShardSeed) do
 end
 
 def default_sources
- [:machinename, :serial, :uuid]
+ case collect_os
+ when :linux, :darwin, :windows
+ [:machinename, :serial, :uuid]
+ else
+ [:machinename]
+ end
+ end
+
+ def default_digest_algorithm
+ if fips["kernel"]["enabled"]
+ # Even though it is being used safely, FIPS-mode will still blow up on
+ # any use of MD5 so default to SHA2 instead.
+ "sha256"
+ else
+ "md5"
+ end
+ end
+
+ def digest_algorithm
+ case Ohai.config[:plugin][:shard_seed][:digest_algorithm] || default_digest_algorithm
+ when "md5"
+ require "digest/md5"
+ Digest::MD5
+ when "sha256"
+ require "digest/sha2"
+ Digest::SHA256
+ end
 end
 
 # Common sources go here. Put sources that need to be different per-platform
@@ -53,7 +77,31 @@ Ohai.plugin(:ShardSeed) do
 yield(src)
 end
 end
- shard_seed Digest::MD5.hexdigest(data)[0...7].to_i(16)
+ shard_seed digest_algorithm.hexdigest(data)[0...7].to_i(16)
+ end
+
+ collect_data do
+ create_seed do |src|
+ raise "No such shard_seed source: #{src}"
+ end
+ end
+
+ collect_data(:windows) do
+ require "wmi-lite/wmi"
+ wmi = WmiLite::Wmi.new
+
+ create_seed do |src|
+ case src
+ when :serial
+ wmi.first_of("Win32_BIOS")["SerialNumber"]
+ when :os_serial
+ kernel["os_info"]["serial_number"]
+ when :uuid
+ wmi.first_of("Win32_ComputerSystemProduct")["UUID"]
+ else
+ raise "No such shard_seed source: #{src}"
+ end
+ end
 end
 
 collect_data(:darwin) do
@@ -63,6 +111,8 @@ Ohai.plugin(:ShardSeed) do
 hardware["serial_number"]
 when :uuid
 hardware["platform_UUID"]
+ else
+ raise "No such shard_seed source: #{src}"
 end
 end
 end
diff --git a/spec/unit/plugins/shard_spec.rb b/spec/unit/plugins/shard_spec.rb
index b8945660..852c82f1 100644
--- a/spec/unit/plugins/shard_spec.rb
+++ b/spec/unit/plugins/shard_spec.rb
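Review bot: `digest_algorithm` (second hunk) has no `else` branch, so a configured `digest_algorithm` other than the exact strings "md5" or "sha256" — a typo, or the symbol `:sha256` — makes the `case` return nil and `create_seed` then dies with a NoMethodError on `hexdigest` instead of a message naming the bad setting; assign the case subject to a local and add `else raise "Unsupported shard_seed digest_algorithm: #{algo.inspect}"`, and consider `.to_s` on it so symbol values match. `default_digest_algorithm` indexes `fips["kernel"]["enabled"]` unguarded; if the fips plugin can leave that attribute unset on some platform (not visible here), the plugin raises before any seed is computed, whereas `fips&.dig("kernel", "enabled")` would fall back to MD5 there — confirm which behaviour is wanted given the commit's FIPS goal. The `create_seed` method whose tail appears in the third hunk begins outside it.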
@@ -26,35 +26,93 @@ describe Ohai::System, "shard plugin" do
 let(:serial) { "234du3m4i498xdjr2" }
 let(:machine_id) { "0a1f869f457a4c8080ab19faf80af9cc" }
 let(:machinename) { "somehost004" }
+ let(:fips) { false }
+ let(:os) { :linux }
+
+ subject do
+ plugin.run
+ plugin[:shard_seed]
+ end
 
 before(:each) do
- allow(plugin).to receive(:collect_os).and_return(:linux)
 plugin["machinename"] = machinename
 plugin["machine_id"] = machine_id
 plugin["fqdn"] = fqdn
 plugin["dmi"] = { "system" => {} }
 plugin["dmi"]["system"]["uuid"] = uuid
 plugin["dmi"]["system"]["serial_number"] = serial
- allow(plugin).to receive(:collect_os).and_return(:linux)
+ plugin["fips"] = { "kernel" => { "enabled" => fips } }
+ allow(plugin).to receive(:collect_os).and_return(os)
 end
 
 it "should provide a shard with a default-safe set of sources" do
- plugin.run
- result = Digest::MD5.hexdigest(
- "#{machinename}#{serial}#{uuid}"
- )[0...7].to_i(16)
- expect(plugin[:shard_seed]).to eq(result)
+ expect(subject).to eq(27767217)
 end
 
 it "should provide a shard with a configured source" do
 Ohai.config[:plugin][:shard_seed][:sources] = [:fqdn]
- plugin.run
- result = Digest::MD5.hexdigest(fqdn)[0...7].to_i(16)
- expect(plugin[:shard_seed]).to eq(result)
+ expect(subject).to eq(203669792)
 end
 
 it "fails on an unrecognized source" do
 Ohai.config[:plugin][:shard_seed][:sources] = [:GreatGooglyMoogly]
- expect { plugin.run }.to raise_error(RuntimeError)
+ expect { subject }.to raise_error(RuntimeError)
+ end
+
+ it "should provide a shard with a configured algorithm" do
+ Ohai.config[:plugin][:shard_seed][:digest_algorithm] = "sha256"
+ expect(Digest::MD5).to_not receive(:new)
+ expect(subject).to eq(117055036)
+ end
+
+ context "with Darwin OS" do
+ let(:os) { :darwin }
+ before do
+ plugin["hardware"] = { "serial_number" => serial, "platform_UUID" => uuid }
+ end
+
+ it "should provide a shard with a default-safe set of sources" do
+ expect(subject).to eq(27767217)
+ end
+ end
+
+ context "with Windows OS" do
+ let(:os) { :windows }
+ before do
+ wmi = double("WmiLite::Wmi")
+ allow(WmiLite::Wmi).to receive(:new).and_return(wmi)
+ allow(wmi).to receive(:first_of).with("Win32_BIOS").and_return("SerialNumber" => serial)
+ allow(wmi).to receive(:first_of).with("Win32_ComputerSystemProduct").and_return("UUID" => uuid)
+ plugin["kernel"] = { "os_info" => { "serial_number" => serial + "0" } }
+ plugin.data.delete("dmi") # To make sure we aren't using the wrong data.
+ end
+
+ it "should provide a shard with a default-safe set of sources" do
+ expect(subject).to eq(27767217)
+ end
+
+ it "should allow os_serial source" do
+ Ohai.config[:plugin][:shard_seed][:sources] = [:machinename, :os_serial, :uuid]
+ # Different from above.
+ expect(subject).to eq(178738102)
+ end
+ end
+
+ context "with a weird OS" do
+ let(:os) { :aix }
+
+ it "should provide a shard with a default-safe set of sources" do
+ # Note: this is different than the other defaults.
+ expect(subject).to eq(253499154)
+ end
+ end
+
+ context "with FIPS mode enabled" do
+ let(:fips) { true }
+
+ it "should use SHA2" do
+ expect(Digest::MD5).to_not receive(:hexdigest)
+ expect(subject).to eq(117055036)
+ end
 end
 end
|
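Review bot: The "configured algorithm" example asserts `expect(Digest::MD5).to_not receive(:new)`, but the plugin calls `Digest::MD5.hexdigest`, and the FIPS example at the end of the hunk checks `:hexdigest`; if the class-level `hexdigest` does not go through `new` (likely, since it is implemented natively), the first assertion cannot catch an MD5 fallback, so change it to `expect(Digest::MD5).to_not receive(:hexdigest)` for consistency with the FIPS case. The literal expected seeds (27767217, 203669792, 117055036, 178738102, 253499154) are opaque to a reader; a one-line comment per example naming the hashed input, e.g. `# md5("#{machinename}#{serial}#{uuid}")[0...7].to_i(16)`, would let them be re-derived when the sources change. The Windows context references `WmiLite::Wmi` in `before` while the plugin only requires `wmi-lite/wmi` inside `collect_data(:windows)`; if that constant is not already loaded on non-Windows CI hosts (not visible here), `allow(WmiLite::Wmi)` raises NameError before the example runs.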