Merge pull request #1178 from coderanger/fips-mode

Make the FIPS plugins use the new Ruby 2.5 accessor if present

4 files changed, 107 insertions, 31 deletions

diff --git a/lib/ohai/plugins/linux/fips.rb b/lib/ohai/plugins/linux/fips.rb
index 573746bf..410cc9af 100644
--- a/lib/ohai/plugins/linux/fips.rb
+++ b/lib/ohai/plugins/linux/fips.rb
@@ -28,11 +28,18 @@ Ohai.plugin(:Fips) do
   collect_data(:linux) do
     fips Mash.new
 
-    begin
-      enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
-      fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
-    rescue Errno::ENOENT
-      fips["kernel"] = { "enabled" => false }
+    # Check for new fips_mode method added in Ruby 2.5. After we drop support
+    # for Ruby 2.4, clean up everything after this and collapse the FIPS plugins.
+    require "openssl"
+    if defined?(OpenSSL.fips_mode) && !$FIPS_TEST_MODE
+      fips["kernel"] = { "enabled" => OpenSSL.fips_mode }
+    else
+      begin
+        enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
+        fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
+      rescue Errno::ENOENT
+        fips["kernel"] = { "enabled" => false }
+      end
     end
   end
 end
diff --git a/lib/ohai/plugins/windows/fips.rb b/lib/ohai/plugins/windows/fips.rb
index 904320ac..361a9ed0 100644
--- a/lib/ohai/plugins/windows/fips.rb
+++ b/lib/ohai/plugins/windows/fips.rb
@@ -26,25 +26,32 @@ Ohai.plugin(:Fips) do
   provides "fips"
 
   collect_data(:windows) do
-    require "win32/registry"
     fips Mash.new
 
-    # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
-    if ::RbConfig::CONFIG["target_cpu"] == "i386"
-      reg_type = Win32::Registry::KEY_READ | 0x100
-    elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
-      reg_type = Win32::Registry::KEY_READ | 0x200
+    # Check for new fips_mode method added in Ruby 2.5. After we drop support
+    # for Ruby 2.4, clean up everything after this and collapse the FIPS plugins.
+    require "openssl"
+    if defined?(OpenSSL.fips_mode) && !$FIPS_TEST_MODE
+      fips["kernel"] = { "enabled" => OpenSSL.fips_mode }
     else
-      reg_type = Win32::Registry::KEY_READ
-    end
+      require "win32/registry"
+      # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+      if ::RbConfig::CONFIG["target_cpu"] == "i386"
+        reg_type = Win32::Registry::KEY_READ | 0x100
+      elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
+        reg_type = Win32::Registry::KEY_READ | 0x200
+      else
+        reg_type = Win32::Registry::KEY_READ
+      end
 
-    begin
-      Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
-        enabled = policy["Enabled"]
-        fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+      begin
+        Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+          enabled = policy["Enabled"]
+          fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+        end
+      rescue Win32::Registry::Error
+        fips["kernel"] = { "enabled" => false }
       end
-    rescue Win32::Registry::Error
-      fips["kernel"] = { "enabled" => false }
     end
   end
 end
diff --git a/spec/unit/plugins/linux/fips_spec.rb b/spec/unit/plugins/linux/fips_spec.rb
index 79dd2530..570a5e04 100644
--- a/spec/unit/plugins/linux/fips_spec.rb
+++ b/spec/unit/plugins/linux/fips_spec.rb
@@ -17,23 +17,38 @@
 #
 
 require_relative "../../../spec_helper.rb"
+require "openssl"
 
 describe Ohai::System, "plugin fips" do
   let(:enabled) { "0" }
   let(:plugin) { get_plugin("linux/fips") }
   let(:fips_path) { "/proc/sys/crypto/fips_enabled" }
+  let(:openssl_test_mode) { true }
+
+  subject do
+    plugin.run
+    plugin["fips"]["kernel"]["enabled"]
+  end
 
   before(:each) do
     allow(plugin).to receive(:collect_os).and_return(:linux)
     allow(::File).to receive(:read).with(fips_path).and_return(enabled)
   end
 
+  around do |ex|
+    begin
+      $FIPS_TEST_MODE = openssl_test_mode
+      ex.run
+    ensure
+      $FIPS_TEST_MODE = false
+    end
+  end
+
   context "fips file is present and contains 1" do
     let(:enabled) { "1" }
 
     it "sets fips plugin" do
-      plugin.run
-      expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+      expect(subject).to be(true)
     end
   end
 
@@ -41,8 +56,7 @@ describe Ohai::System, "plugin fips" do
     let(:enabled) { "0" }
 
     it "does not set fips plugin" do
-      plugin.run
-      expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+      expect(subject).to be(false)
     end
   end
 
@@ -52,8 +66,25 @@ describe Ohai::System, "plugin fips" do
     end
 
     it "does not set fips plugin" do
-      plugin.run
-      expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+      expect(subject).to be(false)
+    end
+  end
+
+  context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do
+    let(:openssl_test_mode) { false }
+
+    context "with OpenSSL.fips_mode == false" do
+      before { allow(OpenSSL).to receive(:fips_mode).and_return(false) }
+      it "does not set fips plugin" do
+        expect(subject).to be(false)
+      end
+    end
+
+    context "with OpenSSL.fips_mode == true" do
+      before { allow(OpenSSL).to receive(:fips_mode).and_return(true) }
+      it "sets fips plugin" do
+        expect(subject).to be(true)
+      end
     end
   end
 end
diff --git a/spec/unit/plugins/windows/fips_spec.rb b/spec/unit/plugins/windows/fips_spec.rb
index 19482993..b36e4265 100644
--- a/spec/unit/plugins/windows/fips_spec.rb
+++ b/spec/unit/plugins/windows/fips_spec.rb
@@ -17,25 +17,40 @@
 #
 
 require_relative "../../../spec_helper.rb"
+require "openssl"
 
 describe Ohai::System, "plugin fips", :windows_only do
   let(:enabled) { 0 }
   let(:plugin) { get_plugin("windows/fips") }
   let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' }
   let(:win_reg_entry) { { "Enabled" => enabled } }
+  let(:openssl_test_mode) { true }
+
+  subject do
+    plugin.run
+    plugin["fips"]["kernel"]["enabled"]
+  end
 
   before(:each) do
     allow(plugin).to receive(:collect_os).and_return(:windows)
     allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry)
   end
 
+  around do |ex|
+    begin
+      $FIPS_TEST_MODE = openssl_test_mode
+      ex.run
+    ensure
+      $FIPS_TEST_MODE = false
+    end
+  end
+
   shared_examples "fips_plugin" do
     context "fips enabled key is set to 1" do
       let(:enabled) { 1 }
 
       it "sets fips plugin" do
-        plugin.run
-        expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+        expect(subject).to be(true)
       end
     end
 
@@ -43,8 +58,7 @@ describe Ohai::System, "plugin fips", :windows_only do
       let(:enabled) { 0 }
 
       it "does not set fips plugin" do
-        plugin.run
-        expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+        expect(subject).to be(false)
       end
     end
 
@@ -54,8 +68,7 @@ describe Ohai::System, "plugin fips", :windows_only do
       end
 
       it "does not set fips plugin" do
-        plugin.run
-        expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+        expect(subject).to be(false)
       end
     end
   end
@@ -83,4 +96,22 @@ describe Ohai::System, "plugin fips", :windows_only do
 
     it_behaves_like "fips_plugin"
   end
+
+  context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do
+    let(:openssl_test_mode) { false }
+
+    context "with OpenSSL.fips_mode == false" do
+      before { allow(OpenSSL).to receive(:fips_mode).and_return(false) }
+      it "does not set fips plugin" do
+        expect(subject).to be(false)
+      end
+    end
+
+    context "with OpenSSL.fips_mode == true" do
+      before { allow(OpenSSL).to receive(:fips_mode).and_return(true) }
+      it "sets fips plugin" do
+        expect(subject).to be(true)
+      end
+    end
+  end
 end