author | Tim Smith <tsmith@chef.io> | 2018-05-02 11:54:56 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-02 11:54:56 -0700 |
commit | 3a086e05de1442057e2d74236c1e04cefc6bd0d2 (patch) | |
tree | 2f98fd57261be1f1151dd7152eb780f9b7273f09 | |
parent | a007742eb897423efbaacc799dc07a8901a77273 (diff) | |
parent | 4d55f96051a637a512a1ec2f6a57dbac62dd59b4 (diff) | |
download | ohai-3a086e05de1442057e2d74236c1e04cefc6bd0d2.tar.gz |
Merge pull request #1178 from coderanger/fips-mode
Make the FIPS plugins use the new Ruby 2.5 accessor if present
-rw-r--r-- | lib/ohai/plugins/linux/fips.rb | 17 | ||||
-rw-r--r-- | lib/ohai/plugins/windows/fips.rb | 35 | ||||
-rw-r--r-- | spec/unit/plugins/linux/fips_spec.rb | 43 | ||||
-rw-r--r-- | spec/unit/plugins/windows/fips_spec.rb | 43 |
4 files changed, 107 insertions, 31 deletions
diff --git a/lib/ohai/plugins/linux/fips.rb b/lib/ohai/plugins/linux/fips.rb
index 573746bf..410cc9af 100644
--- a/lib/ohai/plugins/linux/fips.rb
+++ b/lib/ohai/plugins/linux/fips.rb
@@ -28,11 +28,18 @@ Ohai.plugin(:Fips) do

 collect_data(:linux) do
 fips Mash.new
- begin
- enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
- fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
- rescue Errno::ENOENT
- fips["kernel"] = { "enabled" => false }
+ # Check for new fips_mode method added in Ruby 2.5. After we drop support
+ # for Ruby 2.4, clean up everything after this and collapse the FIPS plugins.
+ require "openssl"
+ if defined?(OpenSSL.fips_mode) && !$FIPS_TEST_MODE
+ fips["kernel"] = { "enabled" => OpenSSL.fips_mode }
+ else
+ begin
+ enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
+ fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
+ rescue Errno::ENOENT
+ fips["kernel"] = { "enabled" => false }
+ end
 end
 end
 end
diff --git a/lib/ohai/plugins/windows/fips.rb b/lib/ohai/plugins/windows/fips.rb
index 904320ac..361a9ed0 100644
--- a/lib/ohai/plugins/windows/fips.rb
+++ b/lib/ohai/plugins/windows/fips.rb
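Review bot: The value stored under `fips["kernel"]["enabled"]` in the new `if` branch is `OpenSSL.fips_mode`, which reports the FIPS state of the OpenSSL library loaded into the Ruby process, not the kernel flag in `/proc/sys/crypto/fips_enabled` that the `else` branch still reads; the two can disagree (a host booted with the kernel in FIPS mode whose Ruby links a non-FIPS OpenSSL now reports `false`, and the reverse is possible too), so on Ruby 2.5+ the attribute quietly changes meaning for anything that consumes it to decide whether to enforce FIPS. At minimum the comment above the branch should say so, e.g. `# NOTE: on Ruby >= 2.5 this reports the FIPS state of the OpenSSL that Ruby is linked against, which need not match /proc/sys/crypto/fips_enabled.`; better would be to keep reading the kernel flag for "kernel" and expose the library state under a separate key such as `fips["openssl"]`. The `Ohai.plugin(:Fips) do` block begins before this hunk.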
@@ -26,25 +26,32 @@ Ohai.plugin(:Fips) do
 provides "fips"

 collect_data(:windows) do
- require "win32/registry"
 fips Mash.new

- # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
- if ::RbConfig::CONFIG["target_cpu"] == "i386"
- reg_type = Win32::Registry::KEY_READ | 0x100
- elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
- reg_type = Win32::Registry::KEY_READ | 0x200
+ # Check for new fips_mode method added in Ruby 2.5. After we drop support
+ # for Ruby 2.4, clean up everything after this and collapse the FIPS plugins.
+ require "openssl"
+ if defined?(OpenSSL.fips_mode) && !$FIPS_TEST_MODE
+ fips["kernel"] = { "enabled" => OpenSSL.fips_mode }
 else
- reg_type = Win32::Registry::KEY_READ
- end
+ require "win32/registry"
+ # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+ if ::RbConfig::CONFIG["target_cpu"] == "i386"
+ reg_type = Win32::Registry::KEY_READ | 0x100
+ elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
+ reg_type = Win32::Registry::KEY_READ | 0x200
+ else
+ reg_type = Win32::Registry::KEY_READ
+ end

- begin
- Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
- enabled = policy["Enabled"]
- fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+ begin
+ Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+ enabled = policy["Enabled"]
+ fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+ end
+ rescue Win32::Registry::Error
+ fips["kernel"] = { "enabled" => false }
 end
- rescue Win32::Registry::Error
- fips["kernel"] = { "enabled" => false }
 end
 end
 end
diff --git a/spec/unit/plugins/linux/fips_spec.rb b/spec/unit/plugins/linux/fips_spec.rb
index 79dd2530..570a5e04 100644
--- a/spec/unit/plugins/linux/fips_spec.rb
+++ b/spec/unit/plugins/linux/fips_spec.rb
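Review bot: `$FIPS_TEST_MODE` in the new `if` condition is a process-wide global consulted by production code purely so the specs can force the registry path; anything in the same process that sets it truthy silently switches the plugin from `OpenSSL.fips_mode` to the registry lookup, and the two sources need not agree. A stubbable predicate on the plugin gives the specs the same hook without the global, and `defined?(OpenSSL.fips_mode)` is safe to evaluate before `require "openssl"` because it returns nil rather than raising. If, as in other ohai plugins, helper methods can be defined inside the `Ohai.plugin` block, something like the following should work, and the specs would then `allow(plugin).to receive(:openssl_fips_mode_available?).and_return(false)` instead of setting the global. The `Ohai.plugin(:Fips) do` block starts before this hunk.
```ruby
  # Ruby 2.5+ exposes OpenSSL.fips_mode; kept as a method so specs can stub it.
  def openssl_fips_mode_available?
    defined?(OpenSSL.fips_mode) ? true : false
  end

  collect_data(:windows) do
    fips Mash.new
    # … unchanged: Ruby 2.5 comment and require "openssl" …
    if openssl_fips_mode_available?
    # … unchanged: OpenSSL.fips_mode branch and registry fallback …
```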
@@ -17,23 +17,38 @@
 #

 require_relative "../../../spec_helper.rb"
+require "openssl"

 describe Ohai::System, "plugin fips" do
 let(:enabled) { "0" }
 let(:plugin) { get_plugin("linux/fips") }
 let(:fips_path) { "/proc/sys/crypto/fips_enabled" }
+ let(:openssl_test_mode) { true }
+
+ subject do
+ plugin.run
+ plugin["fips"]["kernel"]["enabled"]
+ end

 before(:each) do
 allow(plugin).to receive(:collect_os).and_return(:linux)
 allow(::File).to receive(:read).with(fips_path).and_return(enabled)
 end

+ around do |ex|
+ begin
+ $FIPS_TEST_MODE = openssl_test_mode
+ ex.run
+ ensure
+ $FIPS_TEST_MODE = false
+ end
+ end
+
 context "fips file is present and contains 1" do
 let(:enabled) { "1" }

 it "sets fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+ expect(subject).to be(true)
 end
 end

@@ -41,8 +56,7 @@ describe Ohai::System, "plugin fips" do
 let(:enabled) { "0" }

 it "does not set fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ expect(subject).to be(false)
 end
 end

@@ -52,8 +66,25 @@ describe Ohai::System, "plugin fips" do
 end

 it "does not set fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ expect(subject).to be(false)
+ end
+ end
+
+ context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do
+ let(:openssl_test_mode) { false }
+
+ context "with OpenSSL.fips_mode == false" do
+ before { allow(OpenSSL).to receive(:fips_mode).and_return(false) }
+ it "does not set fips plugin" do
+ expect(subject).to be(false)
+ end
+ end
+
+ context "with OpenSSL.fips_mode == true" do
+ before { allow(OpenSSL).to receive(:fips_mode).and_return(true) }
+ it "sets fips plugin" do
+ expect(subject).to be(true)
+ end
 end
 end
 end
diff --git a/spec/unit/plugins/windows/fips_spec.rb b/spec/unit/plugins/windows/fips_spec.rb
index 19482993..b36e4265 100644
--- a/spec/unit/plugins/windows/fips_spec.rb
+++ b/spec/unit/plugins/windows/fips_spec.rb
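Review bot: In the new `with OpenSSL.fips_mode == false` example the assertion cannot tell which branch of the plugin ran: the describe-level `before(:each)` still stubs `File.read` to return `enabled`, which defaults to `"0"`, so the legacy `/proc` path would also yield `false` and the example passes even if `$FIPS_TEST_MODE` were left set or the `defined?` check did not hold. Make the two paths distinguishable, e.g. add `let(:enabled) { "1" }` to that context, or assert the file is never consulted with `expect(::File).not_to receive(:read)` in the new context's `before`. The `describe` body that these contexts belong to begins in the first hunk on this line.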
@@ -17,25 +17,40 @@
 #

 require_relative "../../../spec_helper.rb"
+require "openssl"

 describe Ohai::System, "plugin fips", :windows_only do
 let(:enabled) { 0 }
 let(:plugin) { get_plugin("windows/fips") }
 let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' }
 let(:win_reg_entry) { { "Enabled" => enabled } }
+ let(:openssl_test_mode) { true }
+
+ subject do
+ plugin.run
+ plugin["fips"]["kernel"]["enabled"]
+ end

 before(:each) do
 allow(plugin).to receive(:collect_os).and_return(:windows)
 allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry)
 end

+ around do |ex|
+ begin
+ $FIPS_TEST_MODE = openssl_test_mode
+ ex.run
+ ensure
+ $FIPS_TEST_MODE = false
+ end
+ end
+
 shared_examples "fips_plugin" do
 context "fips enabled key is set to 1" do
 let(:enabled) { 1 }

 it "sets fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+ expect(subject).to be(true)
 end
 end

@@ -43,8 +58,7 @@ describe Ohai::System, "plugin fips", :windows_only do
 let(:enabled) { 0 }

 it "does not set fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ expect(subject).to be(false)
 end
 end

@@ -54,8 +68,7 @@ describe Ohai::System, "plugin fips", :windows_only do
 end

 it "does not set fips plugin" do
- plugin.run
- expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+ expect(subject).to be(false)
 end
 end
 end
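Review bot: The `around` hook added in the first hunk on this line resets `$FIPS_TEST_MODE` to `false` in its `ensure` rather than to the value it held before the example, so it can clobber a setting made by an outer hook or by another spec file loaded in the same process, and since the plugin itself reads this global that leaks into production code paths under test. Save and restore instead: `previous = $FIPS_TEST_MODE` before the assignment and `$FIPS_TEST_MODE = previous` in the `ensure`. The `describe` block continues past this hunk.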
@@ -83,4 +96,22 @@ describe Ohai::System, "plugin fips", :windows_only do
 it_behaves_like "fips_plugin"
 end
+
+ context "with Ruby 2.5 or newer", if: defined?(OpenSSL.fips_mode) do
+ let(:openssl_test_mode) { false }
+
+ context "with OpenSSL.fips_mode == false" do
+ before { allow(OpenSSL).to receive(:fips_mode).and_return(false) }
+ it "does not set fips plugin" do
+ expect(subject).to be(false)
+ end
+ end
+
+ context "with OpenSSL.fips_mode == true" do
+ before { allow(OpenSSL).to receive(:fips_mode).and_return(true) }
+ it "sets fips plugin" do
+ expect(subject).to be(true)
+ end
+ end
+ end
 end
|
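Review bot: The describe-level `before(:each)` shown in the earlier hunk of this file stubs `HKEY_LOCAL_MACHINE.open` with `.with(fips_key, arch)`, and `arch` is not among the describe-level `let`s visible there; if it is defined only inside the per-architecture contexts, as the `it_behaves_like` nesting suggests, the new `with Ruby 2.5 or newer` context runs that hook without an `arch` and fails with `NameError` before `subject` is ever evaluated. Because the file is tagged `:windows_only`, a Linux CI run would not surface this. Add `let(:arch) { Win32::Registry::KEY_READ }` to the new context (the value is irrelevant, since the OpenSSL branch never opens the registry), or move the registry stub down into the contexts that define `arch`. The `describe` block begins before this hunk.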