
(PIE-929) Fix module to work on FIPS servers #159

Merged: 1 commit from PIE-929-use-fips-http-client into puppetlabs:main, Nov 4, 2021

Conversation

RandomNoun7 (Contributor) commented:

Prior to this change, this module could not function on FIPS-enabled
host operating systems and FIPS-enabled Puppet servers. The reason is
this module consumes the net/http and net/https gems directly. These
gems cannot function in FIPS environments.

This change allows the module to detect when it's running in a FIPS
environment and switch to using Puppet server's built-in HTTP object.

Puppet server consumes a Java library called Bouncy Castle that is FIPS
compliant. The Puppet server code base uses Clojure code to create an
object that Ruby code running in JRuby can consume. It keeps a pool of
these objects and this module can now grab an instance of one of these
clients to do HTTP calls.

The drawback to this approach for now is that we lose some custom
functionality when using Puppet server's client. We can no longer
support a standalone CA file for SSL authentication, and we cannot set
user-customizable timeouts.

In order to add FIPS functionality in a backwards compatible way, we
detect when we're in FIPS mode and use the Puppet server client, but the
rest of the time, for all of the existing users, we continue to use the
net/http and net/https gems directly.

Summary

Detailed Description

Checklist

[ ] Draft PR?
[ ] Ensure README is updated
[ ] Any changes to existing documentation
[ ] Anything new added
[ ] Link to external Puppet documentation
[ ] Review Support Playbook for any needed updates
[ ] Tags
[ ] Unit Tests
[ ] Acceptance Tests
[ ] PR title is "(Ticket|Maint) Short Description"
[ ] Commit title matches PR title
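The detect-and-switch pattern the description outlines, as an added example that is not the module's or the PR's own code. It assumes a hypothetical `SplunkHecExample` namespace, uses Ruby's `OpenSSL.fips_mode` for detection (the PR does not say how the module detects FIPS mode, so that is an assumption), and takes the server-provided client as an injected object rather than reaching into Puppet Server's client pool, so it runs stand-alone. What it adds to the description is a defender's check: the settings the PR says are lost on the FIPS path (standalone CA file, user timeouts) are recorded and reported instead of being silently dropped, so an operator can see that their TLS pinning or timeout configuration is not in effect.

```ruby
# Added example, not the splunk_hec module's code. Chooses between a direct
# Net::HTTP client (non-FIPS) and a FIPS-capable client supplied by the
# hosting server, and makes the capability gap on the FIPS path explicit.
require 'net/http'
require 'openssl'
require 'uri'

module SplunkHecExample # hypothetical namespace
  # Detection via the Ruby OpenSSL binding is an assumption for this
  # example; the PR does not state how the module detects FIPS mode.
  def self.fips_mode?
    OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode
  end

  # kind:     :net_http or :server
  # client:   the object requests will be sent through
  # ignored:  settings requested by the user that this path cannot honour
  # warnings: human-readable messages for each ignored setting
  Selection = Struct.new(:kind, :client, :ignored, :warnings)

  # url:           HEC endpoint
  # ssl_ca:        optional standalone CA file (non-FIPS path only)
  # timeout:       optional open/read timeout in seconds (non-FIPS path only)
  # fips:          detection result; overridable for tests or explicit config
  # server_client: FIPS-capable client injected by the caller (in the PR this
  #                is Puppet Server's pooled client; here it is any object)
  def self.build_client(url, ssl_ca: nil, timeout: nil, fips: fips_mode?, server_client: nil)
    uri = URI(url)
    if fips
      if server_client.nil?
        raise ArgumentError, 'FIPS mode requires a server-provided HTTP client'
      end
      # Record, rather than drop, every setting the FIPS client cannot apply.
      ignored = {}
      ignored[:ssl_ca] = ssl_ca unless ssl_ca.nil?
      ignored[:timeout] = timeout unless timeout.nil?
      warnings = ignored.keys.map do |key|
        "#{key} is not supported by the FIPS HTTP client and will be ignored"
      end
      Selection.new(:server, server_client, ignored, warnings)
    else
      # Existing behaviour: direct Net::HTTP with full user configuration.
      # Net::HTTP.new does not open a connection, so this is safe offline.
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = (uri.scheme == 'https')
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      http.ca_file = ssl_ca if ssl_ca
      if timeout
        http.open_timeout = timeout
        http.read_timeout = timeout
      end
      Selection.new(:net_http, http, {}, [])
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed endpoint and CA path; nothing is contacted.
  sel = SplunkHecExample.build_client('https://splunk.example:8088/services/collector',
                                      ssl_ca: '/etc/pki/splunk-ca.pem', timeout: 5,
                                      fips: true, server_client: Object.new)
  sel.warnings.each { |w| warn w }
end
```

On a real Puppet Server the injected object would be the server's own HTTP client and the request path would go through it; the selection logic above is the part the PR description commits to, and the warning list is the check worth keeping so a silently weakened TLS configuration is visible in the logs.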

@RandomNoun7 RandomNoun7 requested a review from a team as a code owner November 2, 2021 21:39
@puppet-community-rangefinder commented:

splunk_hec is a class that may have no external impact to Forge modules.

This module is declared in 2 of 578 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@RandomNoun7 RandomNoun7 force-pushed the PIE-929-use-fips-http-client branch 2 times, most recently from 88aa982 to 52c2a82 November 3, 2021 18:12
@gsparks gsparks (Contributor) left a comment:

lgtm

@gsparks gsparks merged commit 26f96ab into puppetlabs:main Nov 4, 2021
@RandomNoun7 RandomNoun7 deleted the PIE-929-use-fips-http-client branch November 5, 2021 13:18