diff options
author | Tim Smith <tsmith@chef.io> | 2018-11-24 14:19:07 -0800 |
---|---|---|
committer | Tim Smith <tsmith@chef.io> | 2018-11-24 14:19:07 -0800 |
commit | 726899b3d95755de4ab557c79e1347b4ee22d8d7 (patch) | |
tree | d3683909595bb6f4e6cc40771f5ffafb93e1e782 | |
parent | 63f35470d70930b3d98acb7058d4584178f98246 (diff) | |
download | ohai-726899b3d95755de4ab557c79e1347b4ee22d8d7.tar.gz |
Revert "Remove the Ruby < 2.5 logic from the FIPS plugins"
This reverts commit 63f35470d70930b3d98acb7058d4584178f98246.
-rw-r--r-- | lib/ohai/plugins/windows/fips.rb | 23 | ||||
-rw-r--r-- | spec/unit/plugins/linux/fips_spec.rb | 48 | ||||
-rw-r--r-- | spec/unit/plugins/windows/fips_spec.rb | 79 |
3 files changed, 130 insertions, 20 deletions
diff --git a/lib/ohai/plugins/windows/fips.rb b/lib/ohai/plugins/windows/fips.rb index 085c7f2c..56e5cdc7 100644 --- a/lib/ohai/plugins/windows/fips.rb +++ b/lib/ohai/plugins/windows/fips.rb @@ -1,6 +1,6 @@ # # Author:: Matt Wrock (<matt@mattwrock.com>) -# Copyright:: Copyright (c) 2016-2018 Chef Software, Inc. +# Copyright:: Copyright (c) 2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -28,11 +28,30 @@ Ohai.plugin(:Fips) do collect_data(:windows) do fips Mash.new + # Check for new fips_mode method added in Ruby 2.5. After we drop support + # for Ruby 2.4, clean up everything after this and collapse the FIPS plugins. require "openssl" if defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode && !$FIPS_TEST_MODE fips["kernel"] = { "enabled" => true } else - fips["kernel"] = { "enabled" => false } + require "win32/registry" + # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx + if ::RbConfig::CONFIG["target_cpu"] == "i386" + reg_type = Win32::Registry::KEY_READ | 0x100 + elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64" + reg_type = Win32::Registry::KEY_READ | 0x200 + else + reg_type = Win32::Registry::KEY_READ + end + + begin + Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy| + enabled = policy["Enabled"] + fips["kernel"] = { "enabled" => enabled == 0 ? false : true } + end + rescue Win32::Registry::Error + fips["kernel"] = { "enabled" => false } + end end end end diff --git a/spec/unit/plugins/linux/fips_spec.rb b/spec/unit/plugins/linux/fips_spec.rb index a403b02d..570a5e04 100644 --- a/spec/unit/plugins/linux/fips_spec.rb +++ b/spec/unit/plugins/linux/fips_spec.rb @@ -1,6 +1,6 @@ # # Author:: Matt Wrock (<matt@mattwrock.com>) -# Copyright:: Copyright (c) 2016-2018 Chef Software, Inc. +# Copyright:: Copyright (c) 2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,8 @@ require "openssl" describe Ohai::System, "plugin fips" do let(:enabled) { "0" } let(:plugin) { get_plugin("linux/fips") } - let(:openssl_test_mode) { false } + let(:fips_path) { "/proc/sys/crypto/fips_enabled" } + let(:openssl_test_mode) { true } subject do plugin.run @@ -31,6 +32,7 @@ describe Ohai::System, "plugin fips" do before(:each) do allow(plugin).to receive(:collect_os).and_return(:linux) + allow(::File).to receive(:read).with(fips_path).and_return(enabled) end around do |ex| @@ -42,17 +44,47 @@ describe Ohai::System, "plugin fips" do end end - context "with OpenSSL.fips_mode == false" do - before { allow(OpenSSL).to receive(:fips_mode).and_return(false) } + context "fips file is present and contains 1" do + let(:enabled) { "1" } + + it "sets fips plugin" do + expect(subject).to be(true) + end + end + + context "fips file does not contain 1" do + let(:enabled) { "0" } + it "does not set fips plugin" do expect(subject).to be(false) end end - context "with OpenSSL.fips_mode == true" do - before { allow(OpenSSL).to receive(:fips_mode).and_return(true) } - it "sets fips plugin" do - expect(subject).to be(true) + context "fips file is not present" do + before do + allow(::File).to receive(:read).and_raise(Errno::ENOENT, "bibbleboop") + end + + it "does not set fips plugin" do + expect(subject).to be(false) + end + end + + context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do + let(:openssl_test_mode) { false } + + context "with OpenSSL.fips_mode == false" do + before { allow(OpenSSL).to receive(:fips_mode).and_return(false) } + it "does not set fips plugin" do + expect(subject).to be(false) + end + end + + context "with OpenSSL.fips_mode == true" do + before { allow(OpenSSL).to receive(:fips_mode).and_return(true) } + it "sets fips plugin" do + expect(subject).to be(true) + end end end end diff --git a/spec/unit/plugins/windows/fips_spec.rb b/spec/unit/plugins/windows/fips_spec.rb index 7591ffef..b36e4265 100644 --- a/spec/unit/plugins/windows/fips_spec.rb +++ b/spec/unit/plugins/windows/fips_spec.rb @@ -1,6 +1,6 @@ # # Author:: Matt Wrock (<matt@mattwrock.com>) -# Copyright:: Copyright (c) 2016-2018 Chef Software, Inc. +# Copyright:: Copyright (c) 2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,7 +22,9 @@ require "openssl" describe Ohai::System, "plugin fips", :windows_only do let(:enabled) { 0 } let(:plugin) { get_plugin("windows/fips") } - let(:openssl_test_mode) { false } + let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' } + let(:win_reg_entry) { { "Enabled" => enabled } } + let(:openssl_test_mode) { true } subject do plugin.run @@ -31,6 +33,7 @@ describe Ohai::System, "plugin fips", :windows_only do before(:each) do allow(plugin).to receive(:collect_os).and_return(:windows) + allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry) end around do |ex| @@ -42,17 +45,73 @@ describe Ohai::System, "plugin fips", :windows_only do end end - context "with OpenSSL.fips_mode == false" do - before { allow(OpenSSL).to receive(:fips_mode).and_return(false) } - it "does not set fips plugin" do - expect(subject).to be(false) + shared_examples "fips_plugin" do + context "fips enabled key is set to 1" do + let(:enabled) { 1 } + + it "sets fips plugin" do + expect(subject).to be(true) + end + end + + context "fips enabled key is set to 0" do + let(:enabled) { 0 } + + it "does not set fips plugin" do + expect(subject).to be(false) + end end + + context "fips key does not exist" do + before do + allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).and_raise(Win32::Registry::Error, 50) + end + + it "does not set fips plugin" do + expect(subject).to be(false) + end + end + end + + context "on 32 bit ruby" do + let(:arch) { Win32::Registry::KEY_READ | 0x100 } + + before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "i386" } ) } + + it_behaves_like "fips_plugin" end - context "with OpenSSL.fips_mode == true" do - before { allow(OpenSSL).to receive(:fips_mode).and_return(true) } - it "sets fips plugin" do - expect(subject).to be(true) + context "on 64 bit ruby" do + let(:arch) { Win32::Registry::KEY_READ | 0x200 } + + before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "x86_64" } ) } + + it_behaves_like "fips_plugin" + end + + context "on unknown ruby" do + let(:arch) { Win32::Registry::KEY_READ } + + before { stub_const("::RbConfig::CONFIG", { "target_cpu" => nil } ) } + + it_behaves_like "fips_plugin" + end + + context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do + let(:openssl_test_mode) { false } + + context "with OpenSSL.fips_mode == false" do + before { allow(OpenSSL).to receive(:fips_mode).and_return(false) } + it "does not set fips plugin" do + expect(subject).to be(false) + end + end + + context "with OpenSSL.fips_mode == true" do + before { allow(OpenSSL).to receive(:fips_mode).and_return(true) } + it "sets fips plugin" do + expect(subject).to be(true) + end end end end |