diff --git a/lib/ohai/plugins/linux/fips.rb b/lib/ohai/plugins/linux/fips.rb
new file mode 100644
index 000000000..573746bf7
--- /dev/null
+++ b/lib/ohai/plugins/linux/fips.rb
@@ -0,0 +1,38 @@
+#
+# Author:: Matt Wrock ()
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# After long discussion in IRC the "powers that be" have come to a concensus
+# that there is no other Windows platforms exist that were not based on the
+# Windows_NT kernel, so we herby decree that "windows" will refer to all
+# platforms built upon the Windows_NT kernel and have access to win32 or win64
+# subsystems.
+
+Ohai.plugin(:Fips) do
+  provides "fips"
+
+  collect_data(:linux) do
+    fips Mash.new
+
+    begin
+      enabled = File.read("/proc/sys/crypto/fips_enabled").chomp
+      fips["kernel"] = { "enabled" => enabled == "0" ? false : true }
+    rescue Errno::ENOENT
+      fips["kernel"] = { "enabled" => false }
+    end
+  end
+end
diff --git a/lib/ohai/plugins/windows/fips.rb b/lib/ohai/plugins/windows/fips.rb
new file mode 100644
index 000000000..904320ac8
--- /dev/null
+++ b/lib/ohai/plugins/windows/fips.rb
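Review bot: The five-line comment about IRC consensus and the Windows_NT kernel has nothing to do with FIPS detection on Linux and appears to be carried over from the Windows platform plugin; the same stale block is repeated in lib/ohai/plugins/windows/fips.rb in the next hunk, and both should be dropped or replaced with a one-line note such as `# Reports whether the kernel is running in FIPS mode (/proc/sys/crypto/fips_enabled).`. The ternary `enabled == "0" ? false : true` is also worth tightening: it reports FIPS as enabled for any content other than "0" (an empty or unexpected value included), and a consumer may use that flag to select FIPS-only code paths, so either the intent should be the plain `"enabled" => enabled != "0"` or, more conservatively, `"enabled" => enabled == "1"`. Only `Errno::ENOENT` is rescued, so a permission error on the file (e.g. `Errno::EACCES`) would abort the plugin rather than report `false`; whether that is desired is not stated anywhere in the hunk.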
@@ -0,0 +1,50 @@
+#
+# Author:: Matt Wrock ()
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# After long discussion in IRC the "powers that be" have come to a concensus
+# that there is no other Windows platforms exist that were not based on the
+# Windows_NT kernel, so we herby decree that "windows" will refer to all
+# platforms built upon the Windows_NT kernel and have access to win32 or win64
+# subsystems.
+
+Ohai.plugin(:Fips) do
+  provides "fips"
+
+  collect_data(:windows) do
+    require "win32/registry"
+    fips Mash.new
+
+    # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+    if ::RbConfig::CONFIG["target_cpu"] == "i386"
+      reg_type = Win32::Registry::KEY_READ | 0x100
+    elsif ::RbConfig::CONFIG["target_cpu"] == "x86_64"
+      reg_type = Win32::Registry::KEY_READ | 0x200
+    else
+      reg_type = Win32::Registry::KEY_READ
+    end
+
+    begin
+      Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+        enabled = policy["Enabled"]
+        fips["kernel"] = { "enabled" => enabled == 0 ? false : true }
+      end
+    rescue Win32::Registry::Error
+      fips["kernel"] = { "enabled" => false }
+    end
+  end
+end
diff --git a/spec/unit/plugins/linux/fips_spec.rb b/spec/unit/plugins/linux/fips_spec.rb
new file mode 100644
index 000000000..30d70c17b
--- /dev/null
+++ b/spec/unit/plugins/linux/fips_spec.rb
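Review bot: The WOW64 access flags in the `reg_type` branches are magic numbers and, read against the MSDN page the comment links, look inverted: 0x100 is `KEY_WOW64_64KEY` and 0x200 is `KEY_WOW64_32KEY`, so 32-bit Ruby requests the 64-bit registry view and 64-bit Ruby requests the 32-bit view. If the intent is the native view for each process (the usual reason to pick a view by `target_cpu`), the two constants should be swapped and named, e.g. `reg_type = Win32::Registry::KEY_READ | Win32::Registry::KEY_WOW64_64KEY` for x86_64 and `... | Win32::Registry::KEY_WOW64_32KEY` for i386; if reading the cross-architecture view is deliberate, a comment stating why is needed, since a wrong view can silently report FIPS as disabled on a host where the policy is set. The spec in spec/unit/plugins/windows/fips_spec.rb encodes the same raw values and would have to change in step. Minor: `enabled == 0 ? false : true` reads better as `"enabled" => enabled != 0`, and the `if`/`elsif` on the same `::RbConfig::CONFIG["target_cpu"]` expression is a natural `case`.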
@@ -0,0 +1,59 @@
+#
+# Author:: Matt Wrock ()
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require File.expand_path(File.dirname(__FILE__) + "/../../../spec_helper.rb")
+
+describe Ohai::System, "plugin fips" do
+  let(:enabled) { "0" }
+  let(:plugin) { get_plugin("linux/fips") }
+  let(:fips_path) { "/proc/sys/crypto/fips_enabled" }
+
+  before(:each) do
+    allow(plugin).to receive(:collect_os).and_return(:linux)
+    allow(::File).to receive(:read).with(fips_path).and_return(enabled)
+  end
+
+  context "fips file is present and contains 1" do
+    let(:enabled) { "1" }
+
+    it "sets fips plugin" do
+      plugin.run
+      expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+    end
+  end
+
+  context "fips file does not contain 1" do
+    let(:enabled) { "0" }
+
+    it "does not set fips plugin" do
+      plugin.run
+      expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+    end
+  end
+
+  context "fips file is not present" do
+    before do
+      allow(::File).to receive(:read).and_raise(Errno::ENOENT, "bibbleboop")
+    end
+
+    it "does not set fips plugin" do
+      plugin.run
+      expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+    end
+  end
+end
diff --git a/spec/unit/plugins/windows/fips_spec.rb b/spec/unit/plugins/windows/fips_spec.rb
new file mode 100644
index 000000000..291380826
--- /dev/null
+++ b/spec/unit/plugins/windows/fips_spec.rb
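Review bot: The context titled "fips file does not contain 1" only exercises the value "0", so the spec never pins what the plugin reports for any other content, which is exactly the case where the plugin's `enabled == "0" ? false : true` and a stricter `enabled == "1"` disagree. A third value context, e.g. `let(:enabled) { "2" }` (or an empty string), asserting whichever result is intended would make that contract explicit and stop a later tightening of the check from passing or failing silently. The stubbed value also carries no trailing newline, whereas the real procfs file ends with one; `let(:enabled) { "1\n" }` would cover the `chomp` the plugin relies on.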
@@ -0,0 +1,86 @@
+#
+# Author:: Matt Wrock ()
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require File.expand_path(File.dirname(__FILE__) + "/../../../spec_helper.rb")
+
+describe Ohai::System, "plugin fips", :windows_only do
+  let(:enabled) { 0 }
+  let(:plugin) { get_plugin("windows/fips") }
+  let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' }
+  let(:win_reg_entry) { { "Enabled" => enabled } }
+
+  before(:each) do
+    allow(plugin).to receive(:collect_os).and_return(:windows)
+    allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry)
+  end
+
+  shared_examples "fips_plugin" do
+    context "fips enabled key is set to 1" do
+      let(:enabled) { 1 }
+
+      it "sets fips plugin" do
+        plugin.run
+        expect(plugin["fips"]["kernel"]["enabled"]).to be(true)
+      end
+    end
+
+    context "fips enabled key is set to 0" do
+      let(:enabled) { 0 }
+
+      it "does not set fips plugin" do
+        plugin.run
+        expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+      end
+    end
+
+    context "fips key does not exist" do
+      before do
+        allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).and_raise(Win32::Registry::Error, 50)
+      end
+
+      it "does not set fips plugin" do
+        plugin.run
+        expect(plugin["fips"]["kernel"]["enabled"]).to be(false)
+      end
+    end
+  end
+
+  context "on 32 bit ruby" do
+    let(:arch) { Win32::Registry::KEY_READ | 0x100 }
+
+    before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "i386" } ) }
+
+    it_behaves_like "fips_plugin"
+  end
+
+  context "on 64 bit ruby" do
+    let(:arch) { Win32::Registry::KEY_READ | 0x200 }
+
+    before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "x86_64" } ) }
+
+    it_behaves_like "fips_plugin"
+  end
+
+  context "on unknown ruby" do
+    let(:arch) { Win32::Registry::KEY_READ }
+
+    before { stub_const("::RbConfig::CONFIG", { "target_cpu" => nil } ) }
+
+    it_behaves_like "fips_plugin"
+  end
+end
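Review bot: Each architecture context replaces the whole of `::RbConfig::CONFIG` with a one-key hash, so anything else that consults RbConfig while `plugin.run` executes (Ohai's own platform or loader code, for instance) sees an empty configuration; that is not what the test is trying to exercise and can produce failures unrelated to the FIPS plugin. Overriding just the key under test keeps the rest intact: `before { stub_const("::RbConfig::CONFIG", ::RbConfig::CONFIG.merge("target_cpu" => "i386")) }`, and likewise for the "x86_64" and `nil` contexts. The raw `0x100` / `0x200` in the `arch` lets mirror the plugin's magic numbers; once the plugin names them (`Win32::Registry::KEY_WOW64_64KEY` / `KEY_WOW64_32KEY`) the spec should reference the same constants so a view swap in the plugin cannot pass unnoticed here. The `"Enabled"` value is stubbed only as an Integer; a context where the key exists but the value is missing (the `policy["Enabled"]` raise path) is also uncovered.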