diff --git a/omnibus/verification/component_test.rb b/omnibus/verification/component_test.rb index f07cd7497..9420698a8 100644 --- a/omnibus/verification/component_test.rb +++ b/omnibus/verification/component_test.rb @@ -91,6 +91,33 @@ def embedded_bin(binary) File.join(omnibus_embedded_bin_dir, binary) end + # Check if the current platform is a FIPS-enabled platform based on + # BUILDKITE_LABEL and the fips-platforms configuration in .expeditor/release.omnibus.yml + # + # FIPS platforms are: + # - el-*-x86_64 (RHEL/CentOS/AlmaLinux/etc) + # - ubuntu-*-x86_64 (Ubuntu) + # - windows-* (Windows) + # + # Returns true if running on a FIPS platform, false otherwise. + # If BUILDKITE_LABEL is not set (e.g., local development), returns false. + def fips_platform? + buildkite_label = ENV["BUILDKITE_LABEL"] + return false unless buildkite_label + + # FIPS platforms from .expeditor/release.omnibus.yml: + # - el-*-x86_64 + # - ubuntu-*-x86_64 + # - windows-* + fips_patterns = [ + / el-.*-x86_64/, + / ubuntu-.*-x86_64/, + / windows-.*/ + ] + + fips_patterns.any? { |pattern| buildkite_label.match?(pattern) } + end + def sh(command, options = {}) puts command combined_opts = default_command_options.merge(options) diff --git a/omnibus/verification/verify.rb b/omnibus/verification/verify.rb index f8ac8b27c..bc1296131 100644 --- a/omnibus/verification/verify.rb +++ b/omnibus/verification/verify.rb @@ -305,7 +305,7 @@ def components # https://github.com/chef/chef-cli/issues/420 c.gem_base_dir = "chef" - test = <<-EOF.gsub(/^\s+/, "") + ssl_connectivity_test = <<-EOF.gsub(/^\s+/, "") require "net/http" unless defined?(Net::HTTP) uris = %w{https://www.google.com https://chef.io/ https://ec2.amazonaws.com} 
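Review bot: `fips_platform?` fails in the wrong direction for a security gate — when `BUILDKITE_LABEL` is unset or none of the three patterns match it returns false and the callers silently skip the FIPS checks, so any drift between this hand-copied list and `.expeditor/release.omnibus.yml`, or a change in label format, disables FIPS verification without a visible failure. The pattern literals as shown also carry a leading space inside the regex (`/ el-.*-x86_64/`), which only matches when `el-` follows a space; if that is an artifact of how the diff was rendered, disregard, but otherwise a label such as `el-9-x86_64` at the start of the string never matches and the gate is off everywhere. Assuming labels really are of the `el-N-x86_64` form, anchor the patterns so a substring in an unrelated label cannot trigger them either: `fips_patterns = [/\Ael-.*-x86_64\z/, /\Aubuntu-.*-x86_64\z/, /\Awindows-/]`, and print the evaluated label when returning false so a skipped FIPS run is visible in CI output rather than inferred from its absence. The platform list is also spelled out twice in the method (header comment and inline comment); one copy pointing at the yml file is enough.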
@@ -316,13 +316,105 @@ def components end EOF + openssl_version_test = <<-EOF.gsub(/^\s+/, "") + require "openssl" + + # Test that Ruby's OpenSSL library version matches 3.2.4 + puts "OpenSSL library version: \#{OpenSSL::OPENSSL_LIBRARY_VERSION}" + expected_version = "3.2.4" + unless OpenSSL::OPENSSL_LIBRARY_VERSION.include?(expected_version) + raise "Expected OpenSSL library version to include \#{expected_version}, got: \#{OpenSSL::OPENSSL_LIBRARY_VERSION}" + end + puts "✓ OpenSSL library version check passed" + EOF + + # Only test FIPS mode on FIPS-enabled platforms + openssl_fips_test = <<-EOF.gsub(/^\s+/, "") + require "openssl" + + # Test that FIPS mode can be activated (only on FIPS platforms) + begin + # Check if FIPS mode can be enabled (this will fail if FIPS provider is not available) + original_fips_mode = OpenSSL.fips_mode + puts "Original FIPS mode: \#{original_fips_mode}" + + # Try to enable FIPS mode + OpenSSL.fips_mode = true + puts "FIPS mode enabled: \#{OpenSSL.fips_mode}" + + # Try to disable FIPS mode + OpenSSL.fips_mode = false + puts "FIPS mode disabled: \#{OpenSSL.fips_mode}" + + puts "✓ FIPS mode activation/deactivation test passed" + rescue => e + raise "FIPS mode test failed: \#{e.message}" + end + EOF + c.unit_test do + last_result = nil tmpdir do |cwd| - with_file(File.join(cwd, "openssl.rb")) do |f| - f.write test + with_file(File.join(cwd, "openssl_connectivity.rb")) do |f| + f.write ssl_connectivity_test + end + last_result = sh!("#{Gem.ruby} openssl_connectivity.rb", cwd: cwd) + + with_file(File.join(cwd, "openssl_version.rb")) do |f| + f.write openssl_version_test + end + last_result = sh!("#{Gem.ruby} openssl_version.rb", cwd: cwd) + + # Only test FIPS mode on FIPS-enabled platforms + if fips_platform? 
+ with_file(File.join(cwd, "openssl_fips.rb")) do |f| + f.write openssl_fips_test + end + last_result = sh!("#{Gem.ruby} openssl_fips.rb", cwd: cwd) + else + puts "ℹ FIPS mode test skipped (non-FIPS platform)" + end + end + last_result + end + + c.smoke_test do + # Test OpenSSL executable version and providers + result = sh!("#{embedded_bin("openssl")} version") + puts "OpenSSL executable version: #{result.stdout.strip}" + + unless result.stdout.include?("3.2.4") + raise "Expected OpenSSL executable version to include 3.2.4, got: #{result.stdout.strip}" + end + puts "✓ OpenSSL executable version check passed" + + # Test that providers are available + providers_result = sh!("#{embedded_bin("openssl")} list -providers") + puts "Available providers:" + puts providers_result.stdout + + # Check for default provider (3.2.4) + unless providers_result.stdout.include?("default") + raise "Default provider not found in OpenSSL providers list" + end + puts "✓ Default provider found" + + # Check for legacy provider (3.2.4) + unless providers_result.stdout.include?("legacy") + raise "Legacy provider not found in OpenSSL providers list" + end + puts "✓ Legacy provider found" + + # Check for FIPS provider (3.0.9) only on FIPS-enabled platforms + if fips_platform? + unless providers_result.stdout.include?("fips") + raise "FIPS provider not found in OpenSSL providers list on FIPS platform" end - sh!("#{Gem.ruby} openssl.rb", cwd: cwd) + puts "✓ FIPS provider found (FIPS platform detected)" + else + puts "ℹ FIPS provider check skipped (non-FIPS platform)" end + providers_result end end
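Review bot: The provider checks in the smoke test are substring matches over the whole `openssl list -providers` output (`include?("fips")`, likewise `default`/`legacy`), so they pass whenever the word appears anywhere and never confirm that the entry reports `status: active` or which version is loaded — the comment says the FIPS provider is 3.0.9, but nothing in the hunk asserts it, and the `3.2.4` checks elsewhere are also bare substring matches that would accept e.g. `3.2.40`. The FIPS unit test only proves that `OpenSSL.fips_mode = true` does not raise; the property the gate is meant to guarantee is enforcement, so it is worth adding an assertion that a non-approved algorithm such as MD5 is unavailable while fips_mode is on (the exact exception class raised by the openssl gem should be confirmed on a FIPS host before pinning it). Per the OpenSSL 3 `list -providers` layout (an indented provider id followed by `name:`/`version:`/`status:` lines), a stricter check could isolate the entry instead of grepping: `fips_entry = providers_result.stdout[/^\s*fips\n(?:\s+\S.*\n?)+/]`, `raise "FIPS provider not found in OpenSSL providers list on FIPS platform" unless fips_entry`, `raise "FIPS provider is loaded but not active" unless fips_entry.include?("status: active")`. The enclosing `def components` begins before this hunk.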