authorMatt Wrock <matt@mattwrock.com>2016-04-15 16:11:44 -0700
committerMatt Wrock <matt@mattwrock.com>2016-04-15 16:11:44 -0700
commitae05b21df30206a5c63bdea08c79eb6f552583b7 (patch)
treead0d3d8d26a347539eea759546030e01d4e8ba33
parentcf5a98504813630898aa9e1c130e0f6e378cea7f (diff)
downloadohai-ae05b21df30206a5c63bdea08c79eb6f552583b7.tar.gz
adding a fips plugin to detect if fips is enabled
-rw-r--r--lib/ohai/plugins/linux/fips.rb38
-rw-r--r--lib/ohai/plugins/windows/fips.rb50
-rw-r--r--spec/unit/plugins/linux/fips_spec.rb59
-rw-r--r--spec/unit/plugins/windows/fips_spec.rb86
4 files changed, 233 insertions, 0 deletions
diff --git a/lib/ohai/plugins/linux/fips.rb b/lib/ohai/plugins/linux/fips.rb
new file mode 100644
index 00000000..573746bf
--- /dev/null
+++ b/lib/ohai/plugins/linux/fips.rb
@@ -0,0 +1,38 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# After long discussion in IRC the "powers that be" have come to a concensus
+# that there is no other Windows platforms exist that were not based on the
+# Windows_NT kernel, so we herby decree that "windows" will refer to all
+# platforms built upon the Windows_NT kernel and have access to win32 or win64
+# subsystems.
+
+Ohai.plugin(:Fips) do
+ provides "fips"
+
+ collect_data(:linux) do
+ fips Mash.new
+
+ begin
+ enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
+ fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
+ rescue Errno::ENOENT
+ fips["kernel"] = { "enabled" => false }
+ end
+ end
+end
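Review bot: The header comment at lines 42-46 is the Windows-kernel "decree" copied from the windows plugin and has nothing to do with this Linux file; replace it with a description of what is actually read, e.g. `# Reports whether the kernel's FIPS mode is on, from /proc/sys/crypto/fips_enabled ("1" when enabled); a missing file is reported as disabled.` The rescue at line 57 covers only Errno::ENOENT, so an unreadable file (EACCES) raises out of collect_data instead of producing an answer; if the intent is best-effort, `rescue Errno::ENOENT, Errno::EACCES` (or `SystemCallError`) makes that explicit. The comparison `enabled == "0" ? false : true` treats any unexpected content as enabled, whereas `enabled == "1"` is the conservative reading given the kernel only writes 0 or 1. Worth stating in the attribute's documentation that this is the kernel flag only and says nothing about whether user-space crypto (e.g. the OpenSSL Chef ships) is running in FIPS mode.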
diff --git a/lib/ohai/plugins/windows/fips.rb b/lib/ohai/plugins/windows/fips.rb
new file mode 100644
index 00000000..904320ac
--- /dev/null
+++ b/lib/ohai/plugins/windows/fips.rb
@@ -0,0 +1,50 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# After long discussion in IRC the "powers that be" have come to a concensus
+# that there is no other Windows platforms exist that were not based on the
+# Windows_NT kernel, so we herby decree that "windows" will refer to all
+# platforms built upon the Windows_NT kernel and have access to win32 or win64
+# subsystems.
+
+Ohai.plugin(:Fips) do
+ provides "fips"
+
+ collect_data(:windows) do
+ require "win32/registry"
+ fips Mash.new
+
+ # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+ if ::RbConfig::CONFIG["target_cpu"] == "i386"
+ reg_type = Win32::Registry::KEY_READ | 0x100
+ elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
+ reg_type = Win32::Registry::KEY_READ | 0x200
+ else
+ reg_type = Win32::Registry::KEY_READ
+ end
+
+ begin
+ Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+ enabled = policy["Enabled"]
+ fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+ end
+ rescue Win32::Registry::Error
+ fips["kernel"] = { "enabled" => false }
+ end
+ end
+end
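Review bot: The `0x100` / `0x200` literals at lines 101 and 103 are WOW64 view flags that win32/registry already names — `Win32::Registry::KEY_WOW64_64KEY` (0x100) and `Win32::Registry::KEY_WOW64_32KEY` (0x200) — so use the constants, because as written 32-bit Ruby requests the 64-bit view and 64-bit Ruby requests the 32-bit view, and a reader cannot tell whether that inversion is intended. A comment on the branch should state the goal, e.g. `# Select the registry view explicitly so a 32-bit Ruby on 64-bit Windows is not redirected away from the real policy`; for this key it likely makes no difference since `HKLM\System` is not WOW64-redirected, but this helper pattern tends to get copied. The attribute also deserves a caveat: `Enabled` under `Lsa\FIPSAlgorithmPolicy` is the "Use FIPS compliant algorithms" security-policy switch, i.e. what the OS is configured to enforce, not evidence that a given application's crypto library is in FIPS mode. The copied header comment at lines 86-90 also carries typos ("concensus", "herby").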
diff --git a/spec/unit/plugins/linux/fips_spec.rb b/spec/unit/plugins/linux/fips_spec.rb
new file mode 100644
index 00000000..30d70c17
--- /dev/null
+++ b/spec/unit/plugins/linux/fips_spec.rb
@@ -0,0 +1,59 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require File.expand_path(File.dirname(__FILE__) + "/../../../spec_helper.rb")
+
+describe Ohai::System, "plugin fips" do
+ let(:enabled) { "0" }
+ let(:plugin) { get_plugin("linux/fips") }
+ let(:fips_path) { "/proc/sys/crypto/fips_enabled" }
+
+ before(:each) do
+ allow(plugin).to receive(:collect_os).and_return(:linux)
+ allow(::File).to receive(:read).with(fips_path).and_return(enabled)
+ end
+
+ context "fips file is present and contains 1" do
+ let(:enabled) { "1" }
+
+ it "sets fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+ end
+ end
+
+ context "fips file does not contain 1" do
+ let(:enabled) { "0" }
+
+ it "does not set fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ end
+ end
+
+ context "fips file is not present" do
+ before do
+ allow(::File).to receive(:read).and_raise(Errno::ENOENT, "bibbleboop")
+ end
+
+ it "does not set fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ end
+ end
+end
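Review bot: The example names at lines 166 and 177 say "does not set fips plugin", but the assertion directly below shows the plugin does set `fips.kernel.enabled`, to false; `it "reports fips as disabled"` keeps failure output honest. The stub at line 174, `allow(::File).to receive(:read).and_raise(...)`, drops the `.with(fips_path)` constraint used in the before block, so it also intercepts any other File.read performed during `plugin.run`; keep `.with(fips_path)` to leave the stub narrow. There is no example for unexpected file content (anything other than "0" or "1"), which is exactly the case where the plugin's `== "0"` comparison decides the outcome.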
diff --git a/spec/unit/plugins/windows/fips_spec.rb b/spec/unit/plugins/windows/fips_spec.rb
new file mode 100644
index 00000000..29138082
--- /dev/null
+++ b/spec/unit/plugins/windows/fips_spec.rb
@@ -0,0 +1,86 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require File.expand_path(File.dirname(__FILE__) + "/../../../spec_helper.rb")
+
+describe Ohai::System, "plugin fips", :windows_only do
+ let(:enabled) { 0 }
+ let(:plugin) { get_plugin("windows/fips") }
+ let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' }
+ let(:win_reg_entry) { { "Enabled" => enabled } }
+
+ before(:each) do
+ allow(plugin).to receive(:collect_os).and_return(:windows)
+ allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry)
+ end
+
+ shared_examples "fips_plugin" do
+ context "fips enabled key is set to 1" do
+ let(:enabled) { 1 }
+
+ it "sets fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+ end
+ end
+
+ context "fips enabled key is set to 0" do
+ let(:enabled) { 0 }
+
+ it "does not set fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ end
+ end
+
+ context "fips key does not exist" do
+ before do
+ allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).and_raise(Win32::Registry::Error, 50)
+ end
+
+ it "does not set fips plugin" do
+ plugin.run
+ expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ end
+ end
+ end
+
+ context "on 32 bit ruby" do
+ let(:arch) { Win32::Registry::KEY_READ | 0x100 }
+
+ before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "i386" } ) }
+
+ it_behaves_like "fips_plugin"
+ end
+
+ context "on 64 bit ruby" do
+ let(:arch) { Win32::Registry::KEY_READ | 0x200 }
+
+ before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "x86_64" } ) }
+
+ it_behaves_like "fips_plugin"
+ end
+
+ context "on unknown ruby" do
+ let(:arch) { Win32::Registry::KEY_READ }
+
+ before { stub_const("::RbConfig::CONFIG", { "target_cpu" => nil } ) }
+
+ it_behaves_like "fips_plugin"
+ end
+end
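Review bot: The error code at line 241, `Win32::Registry::Error, 50`, is ERROR_NOT_SUPPORTED, while the context is named "fips key does not exist", for which Windows returns ERROR_FILE_NOT_FOUND (2); use `Win32::Registry::Error, 2` so the fixture models the scenario it claims to. Because the describe is tagged `:windows_only`, none of the plugin's branches — including the architecture selection stubbed at lines 254, 262 and 270 — run on non-Windows CI; if the suite stubs `Win32::Registry` elsewhere for cross-platform specs, the same approach here would keep this logic covered everywhere. As in the Linux spec, the examples named "does not set fips plugin" actually assert the attribute is set to false; `it "reports fips as disabled"` reads truer.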