Make the shard plugin work under FIPS by using SHA2 instead of MD5 #1175
Conversation
…y default if needed. This makes life easier for most users since there is no reason to disable this plugin by default other than FIPS. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
Fixes #1174 |
|
I disagree that the level of niche-ness is anywhere close, FIPS-mode is used by only places that actually require it, while shard_seed has been an advertised feature for a long time now. And the improved UX for almost everyone seems like it's worth the minor confusion for the tiny subset of FIPS users. |
|
Summary of a chat on Slack, in an effort to reduce special-case-iness, I'm going to rework this so the plugin isn't disabled for any users, but will switch to SHA2 (or Adler?) if FIPS-mode is active. This means that enabling or disabling FIPS-mode will change the shard seed on all nodes, but since that is expected to happen approximately never, it's the least edge case approach. |
|
I made this configurable for the potential edge case of actually needing to turn FIPS on and off, if you reeeeeally want to, you can force it to SHA2 even without FIPS. Also leaves room to add new stuff if needed. |
coderanger
changed the title
|
@coderanger You're missing a DCO signoff on a commit here |
lib/ohai/plugins/shard.rb
Outdated
| @@ -34,6 +33,27 @@ def default_sources | |||
| [:machinename, :serial, :uuid] | |||
| end | |||
|
|
|||
| def default_digest_algorithm | |||
| if defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode | |||
There was a problem hiding this comment.
Is there a reason you're not just using the data we already gather from the FIPS plugin? We gather data in very specific ways within that plugin per platform.
There was a problem hiding this comment.
No specific reason, this seemed more accurate. It was only added in Ruby 2.5 which is why I'm checking defined? and probably why we didn't use it before :)
…-mode. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
coderanger
force-pushed
the
shard-less-optional
branch
from
5a938bc
to
b198b77
Compare
|
Fixed DCO, my script apparently forgot my name and email ¯\_(ツ)_/¯ |
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
coderanger
force-pushed
the
shard-less-optional
branch
from
bb81323
to
3564dc7
Compare
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
coderanger
force-pushed
the
shard-less-optional
branch
from
28309b3
to
b22c6ad
Compare
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
This makes things work basically the same on all platforms, as much as possible. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
By the power of scope creep, this now adds support for Windows to the Shard plugin, as well as best-effort support for all other OSes. |
… number on Windows. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
|
||
| it "should provide a shard with a default-safe set of sources" do | ||
| # Note: this is different than the other defaults. | ||
| expect(subject).to eq(253499154) |
There was a problem hiding this comment.
above you raise an error in the default case
There was a problem hiding this comment.
Oh, nevermind, only if it's not one of the default ones.
Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
|
Thanks for keeping the defaults compatible @coderanger ! |
|
@jaymzh With the current defaults baked down to actual ints in the tests now, we should very very notice if we ever break compat :) |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
This makes life easier for most users since there is no reason to disable this plugin by default other than FIPS, and having to set
optional_pluginsis more of a barrier than I think we planned (I couldn't find an implementation of the cookbook-metadata-driven path we had talked about).