Make the shard plugin work under FIPS by using SHA2 instead of MD5 #1175
…y default if needed. This makes life easier for most users since there is no reason to disable this plugin by default other than FIPS. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
Fixes #1174
I think shard is just as niche, and that we should behave consistently across the board. It's much better for everyone to know that shard is an optional plugin and they need to enable it.
I disagree that the level of niche-ness is anywhere close, FIPS-mode is used only by places that actually require it, while shard_seed has been an advertised feature for a long time now. And the improved UX for almost everyone seems like it's worth the minor confusion for the tiny subset of FIPS users.
Summary of a chat on Slack, in an effort to reduce special-case-iness, I'm going to rework this so the plugin isn't disabled for any users, but will switch to SHA2 (or Adler?) if FIPS-mode is active. This means that enabling or disabling FIPS-mode will change the shard seed on all nodes, but since that is expected to happen approximately never, it's the least edge case approach.
I made this configurable for the potential edge case of actually needing to turn FIPS on and off, if you reeeeeally want to, you can force it to SHA2 even without FIPS. Also leaves room to add new stuff if needed.
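The trade-off discussed in the two comments above, as an added example that is not code from this pull request or from Ohai: toggling FIPS changes every node's seed unless the digest is pinned. The helper names, the sample nodes and the seed derivation (first 7 hex digits of the digest read as an integer) are assumptions made for illustration.

```ruby
require "digest"

# Hypothetical helper names; sample data below is constructed.
DIGESTS = { "md5" => Digest::MD5, "sha256" => Digest::SHA256 }.freeze

# Constructed sample nodes: machinename, serial and uuid values are made up.
NODES = {
  "web01" => ["web01", "SER-0001", "11111111-2222-3333-4444-555555555555"],
  "web02" => ["web02", "SER-0002", "66666666-7777-8888-9999-000000000000"],
  "db01" => ["db01", "SER-0003", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
}.freeze

# True only when the Ruby OpenSSL binding exposes fips_mode and reports it on.
def fips_active?
  require "openssl"
  !!(OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode)
rescue LoadError
  false
end

# SHA-256 under FIPS, MD5 otherwise. The flag is injectable so both branches
# can be exercised on any host.
def default_digest_algorithm(fips = fips_active?)
  fips ? "sha256" : "md5"
end

# Assumed derivation: first 7 hex digits of the digest, read as an integer.
def shard_seed(sources, algorithm: default_digest_algorithm)
  digest = DIGESTS.fetch(algorithm) do
    raise ArgumentError, "unsupported digest algorithm: #{algorithm}"
  end
  digest.hexdigest(sources.join)[0...7].to_i(16)
end

# Seeds the fleet would report for a FIPS state; pin: forces one algorithm
# regardless of FIPS, like the configurable override described above.
def fleet_seeds(fips:, pin: nil)
  algorithm = pin || default_digest_algorithm(fips)
  NODES.transform_values { |src| shard_seed(src, algorithm: algorithm) }
end

# Names of nodes whose seed differs between two runs.
def changed_nodes(before, after)
  before.keys.reject { |name| before[name] == after[name] }
end

if $PROGRAM_NAME == __FILE__
  off, on = fleet_seeds(fips: false), fleet_seeds(fips: true)
  puts "seed changed by FIPS toggle: #{changed_nodes(off, on).join(', ')}"
end
```

Anything keyed on the seed, such as a staged rollout by `seed % 100`, is reshuffled for the nodes listed, which is why pinning the algorithm matters on a fleet that may switch FIPS state.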
@coderanger You're missing a DCO signoff on a commit here
lib/ohai/plugins/shard.rb
Outdated
@@ -34,6 +33,27 @@ def default_sources | |||
[:machinename, :serial, :uuid] | |||
end | |||
|
|||
def default_digest_algorithm | |||
if defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode |
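Review bot: The `if` guard in `default_digest_algorithm` is false whenever `OpenSSL.fips_mode` is not defined, so on such a Ruby a FIPS-enabled host silently takes the non-FIPS branch. Add a comment saying why the `defined?` check is there, and consider falling back to another source of FIPS state in that case instead of treating "not defined" as "FIPS off". `OpenSSL.respond_to?(:fips_mode)` would also state the intent of the check more directly.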
Is there a reason you're not just using the data we already gather from the FIPS plugin? We gather data in very specific ways within that plugin per platform.
No specific reason, this seemed more accurate. It was only added in Ruby 2.5 which is why I'm checking defined? and probably why we didn't use it before :)
…-mode. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
5a938bc to b198b77
Fixed DCO, my script apparently forgot my name and email ¯\_(ツ)_/¯
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
bb81323 to 3564dc7
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
28309b3 to b22c6ad
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
This makes things work basically the same on all platforms, as much as possible. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
By the power of scope creep, this now adds support for Windows to the Shard plugin, as well as best-effort support for all other OSes.
… number on Windows. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
||
it "should provide a shard with a default-safe set of sources" do | ||
# Note: this is different than the other defaults. | ||
expect(subject).to eq(253499154) |
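Review bot: The expected value `253499154` in this example is a bare literal, and the comment above it says only that it differs from the other defaults. State in that comment which sources and which digest produce the number, so that a future failure here can be told apart from an intended change to the default-safe set.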
above you raise an error in the default case
Oh, never mind, only if it's not one of the default ones.
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
Thanks for keeping the defaults compatible @coderanger!
@jaymzh With the current defaults baked down to actual ints in the tests now, we should very very notice if we ever break compat :)
This makes life easier for most users since there is no reason to disable this plugin by default other than FIPS, and having to set optional_plugins is more of a barrier than I think we planned (I couldn't find an implementation of the cookbook-metadata-driven path we had talked about).