chef-config 12.10.24 → 12.11.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b5b64a0c2aac9ccfc6649cd21d890a0775b1d6dd
-  data.tar.gz: 800cb887bb4a949bf25daf837411088df9a8a541
+  metadata.gz: cc2f06a43b5fc09bba3685a683e0927527edee48
+  data.tar.gz: 8bbc83bbf7138e6a249e92c8ca1941ef90b65412
 SHA512:
-  metadata.gz: dbcd7333d54a04a30926516fce8aa52f1f07b025bfc5d151c715dc973aa8cf452ac2b0ac80c43e68219fd46c4c5ef90ed92c9aef946f9e0f76315b3c8ea456a9
-  data.tar.gz: 1d53ca040924063afd9528b6f8516f336d8d3df27eac0538167a88a6cc48af5c57b44f9dbde1fb0c34a1ae206cd6aeec8e57ae322affb755284347a5a2d91612
+  metadata.gz: ebccfbbbd37b448df12fccaacc9b3cd1d9ffca51a4595e4ebd79b5893da599bc0851c0be5eecdaa930b2ff433a7748a35a3ee074e03466764ba65df7ef059e74
+  data.tar.gz: 8106a58ccb358ed032c401c058ef05d4e0e67e9b38b9c51e1ec35dad8afe96ee971abc4da9732fae65ab36e8bca9790c7bf0ef0153706fddeef239767371328a

data/lib/chef-config/config.rb

@@ -22,6 +22,7 @@
 require "mixlib/config"
 require "pathname"
 
+require "chef-config/fips"
 require "chef-config/logger"
 require "chef-config/windows"
 require "chef-config/path_helper"
@@ -391,7 +392,11 @@ module ChefConfig
     default :rest_timeout, 300
     default :yum_timeout, 900
     default :yum_lock_timeout, 30
-    default :solo,  false
+    default :solo, false
+
+    # Are we running in old Chef Solo legacy mode?
+    default :solo_legacy_mode, false
+
     default :splay, nil
     default :why_run, false
     default :color, false
@@ -513,7 +518,9 @@ module ChefConfig
     default :recipe_url, nil
 
     # Set to true if Chef is to set OpenSSL to run in FIPS mode
-    default(:fips) { ENV["CHEF_FIPS"] == "1" }
+    default(:fips) do
+      !ENV["CHEF_FIPS"].nil? || ChefConfig.fips?
+    end
 
     # Initialize openssl
     def self.init_openssl
@@ -789,6 +796,43 @@ module ChefConfig
     config_context :chefdk do
     end
 
+    # Configuration options for Data Collector reporting. These settings allow
+    # the user to configure where to send their Data Collector data, what token
+    # to send, and whether Data Collector should report its findings in client
+    # mode vs. solo mode.
+    config_context :data_collector do
+      # Full URL to the endpoint that will receive our data. If nil, the
+      # data collector will not run.
+      # Ex: http://my-data-collector.mycompany.com/ingest
+      default :server_url,       nil
+
+      # An optional pre-shared token to pass as an HTTP header (x-data-collector-token)
+      # that can be used to determine whether or not the poster of this
+      # run data should be trusted.
+      # Ex: some-uuid-here
+      default :token,            nil
+
+      # The Chef mode during which Data Collector is allowed to function. This
+      # can be used to run Data Collector only when running as Chef Solo but
+      # not when using Chef Client.
+      # Options: :solo (for both Solo Legacy Mode and Client Local Mode), :client, :both
+      default :mode,             :both
+
+      # When the Data Collector cannot send the "starting a run" message to
+      # the Data Collector server, the Data Collector will be disabled for that
+      # run. In some situations, such as highly-regulated environments, it
+      # may be more reasonable to prevent Chef from performing the actual run.
+      # In these situations, setting this value to true will cause the Chef
+      # run to raise an exception before starting any converge activities.
+      default :raise_on_failure, false
+
+      # A user-supplied Organization string that can be sent in payloads
+      # generated by the DataCollector when Chef is run in Solo mode. This
+      # allows users to associate their Solo nodes with faux organizations
+      # without the nodes being connected to an actual Chef Server.
+      default :organization, nil
+    end
+
     configurable(:http_proxy)
     configurable(:http_proxy_user)
     configurable(:http_proxy_pass)
@@ -966,6 +1010,7 @@ module ChefConfig
       Digest.const_set("SHA1", OpenSSL::Digest::SHA1)
       OpenSSL::Digest.send(:remove_const, "MD5") if OpenSSL::Digest.const_defined?("MD5")
       OpenSSL::Digest.const_set("MD5", Digest::MD5)
+      ChefConfig.logger.debug "FIPS mode is enabled."
     end
   end
 end

data/lib/chef-config/fips.rb

@@ -0,0 +1,51 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module ChefConfig
+
+  def self.fips?
+    if ChefConfig.windows?
+      begin
+        require "win32/registry"
+      rescue LoadError
+        return false
+      end
+
+      # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+      reg_type =
+        case ::RbConfig::CONFIG["target_cpu"]
+        when "i386"
+          Win32::Registry::KEY_READ | 0x100
+        when "x86_64"
+          Win32::Registry::KEY_READ | 0x200
+        else
+          Win32::Registry::KEY_READ
+        end
+      begin
+        Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+          policy["Enabled"] != 0
+        end
+      rescue Win32::Registry::Error
+        false
+      end
+    else
+      fips_path = "/proc/sys/crypto/fips_enabled"
+      File.exist?(fips_path) && File.read(fips_path).chomp != "0"
+    end
+  end
+end

data/lib/chef-config/version.rb

@@ -21,7 +21,7 @@
 
 module ChefConfig
   CHEFCONFIG_ROOT = File.expand_path("../..", __FILE__)
-  VERSION = "12.10.24"
+  VERSION = "12.11.18"
 end
 
 #

data/spec/unit/config_spec.rb

@@ -165,6 +165,46 @@ RSpec.describe ChefConfig::Config do
           allow(ChefConfig::Config).to receive(:path_accessible?).and_return(false)
         end
 
+        describe "ChefConfig::Config[:fips]" do
+          let(:fips_enabled) { false }
+
+          before(:all) do
+            @original_env = ENV.to_hash
+          end
+
+          after(:all) do
+            ENV.clear
+            ENV.update(@original_env)
+          end
+
+          before(:each) do
+            ENV["CHEF_FIPS"] = nil
+            allow(ChefConfig).to receive(:fips?).and_return(fips_enabled)
+          end
+
+          it "returns false when no environment is set and not enabled on system" do
+            expect(ChefConfig::Config[:fips]).to eq(false)
+          end
+
+          context "when ENV['CHEF_FIPS'] is set" do
+            before do
+              ENV["CHEF_FIPS"] = "1"
+            end
+
+            it "returns true" do
+              expect(ChefConfig::Config[:fips]).to eq(true)
+            end
+          end
+
+          context "when fips is enabled on system" do
+            let(:fips_enabled) { true }
+
+            it "returns true" do
+              expect(ChefConfig::Config[:fips]).to eq(true)
+            end
+          end
+        end
+
         describe "ChefConfig::Config[:chef_server_root]" do
           context "when chef_server_url isn't set manually" do
             it "returns the default of 'https://localhost:443'" do

data/spec/unit/fips_spec.rb

@@ -0,0 +1,122 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef-config/fips"
+require "spec_helper"
+
+RSpec.describe "ChefConfig.fips?" do
+  let(:enabled) { "0" }
+
+  context "on *nix" do
+    let(:fips_path) { "/proc/sys/crypto/fips_enabled" }
+
+    before(:each) do
+      allow(ChefConfig).to receive(:windows?).and_return(false)
+      allow(::File).to receive(:exist?).with(fips_path).and_return(true)
+      allow(::File).to receive(:read).with(fips_path).and_return(enabled)
+    end
+
+    context "fips file is present and contains 1" do
+      let(:enabled) { "1" }
+
+      it "returns true" do
+        expect(ChefConfig.fips?).to be(true)
+      end
+    end
+
+    context "fips file does not contain 1" do
+      let(:enabled) { "0" }
+
+      it "returns false" do
+        expect(ChefConfig.fips?).to be(false)
+      end
+    end
+
+    context "fips file is not present" do
+      before do
+        allow(::File).to receive(:exist?).with(fips_path).and_return(false)
+      end
+
+      it "returns false" do
+        expect(ChefConfig.fips?).to be(false)
+      end
+    end
+  end
+
+  context "on windows", :windows_only do
+    let(:fips_key) { 'System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' }
+    let(:win_reg_entry) { { "Enabled" => enabled } }
+
+    before(:each) do
+      allow(ChefConfig).to receive(:windows?).and_return(true)
+      allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).with(fips_key, arch).and_yield(win_reg_entry)
+    end
+
+    shared_examples "fips_detection" do
+      context "fips enabled key is set to 1" do
+        let(:enabled) { 1 }
+
+        it "returns true" do
+          expect(ChefConfig.fips?).to be(true)
+        end
+      end
+
+      context "fips enabled key is set to 0" do
+        let(:enabled) { 0 }
+
+        it "returns false" do
+          expect(ChefConfig.fips?).to be(false)
+        end
+      end
+
+      context "fips key does not exist" do
+        before do
+          allow(Win32::Registry::HKEY_LOCAL_MACHINE).to receive(:open).and_raise(Win32::Registry::Error, 50)
+        end
+
+        it "returns false" do
+          expect(ChefConfig.fips?).to be(false)
+        end
+      end
+    end
+
+    context "on 32 bit ruby" do
+      let(:arch) { Win32::Registry::KEY_READ | 0x100 }
+
+      before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "i386" } ) }
+
+      it_behaves_like "fips_detection"
+    end
+
+    context "on 64 bit ruby" do
+      let(:arch) { Win32::Registry::KEY_READ | 0x200 }
+
+      before { stub_const("::RbConfig::CONFIG", { "target_cpu" => "x86_64" } ) }
+
+      it_behaves_like "fips_detection"
+    end
+
+    context "on unknown ruby" do
+      let(:arch) { Win32::Registry::KEY_READ }
+
+      before { stub_const("::RbConfig::CONFIG", { "target_cpu" => nil } ) }
+
+      it_behaves_like "fips_detection"
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef-config
 version: !ruby/object:Gem::Version
-  version: 12.10.24
+  version: 12.11.18
 platform: ruby
 authors:
 - Adam Jacob
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-05-16 00:00:00.000000000 Z
+date: 2016-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mixlib-shellout
@@ -122,6 +122,7 @@ files:
 - lib/chef-config.rb
 - lib/chef-config/config.rb
 - lib/chef-config/exceptions.rb
+- lib/chef-config/fips.rb
 - lib/chef-config/logger.rb
 - lib/chef-config/mixin/dot_d.rb
 - lib/chef-config/mixin/fuzzy_hostname_matcher.rb
@@ -132,6 +133,7 @@ files:
 - lib/chef-config/workstation_config_loader.rb
 - spec/spec_helper.rb
 - spec/unit/config_spec.rb
+- spec/unit/fips_spec.rb
 - spec/unit/path_helper_spec.rb
 - spec/unit/workstation_config_loader_spec.rb
 homepage: https://github.com/chef/chef
@@ -154,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.4
 signing_key: 
 specification_version: 4
 summary: Chef's default configuration and config loading