Add a new option to enforce the OpenSSL FIPS mode
This option, ``enforce_fips_mode``, allows enforcing OpenSSL FIPS mode when the Python build in use supports it. https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards Change-Id: I220012094d2be3c2c47a444260bc42fb53aaf6bc
This commit is contained in:
parent
a977dd9109
commit
f438770767
@ -217,6 +217,15 @@ FILE_OPTIONS = {
|
|||
default=60,
|
||||
help='Time in seconds before attempting to add a node '
|
||||
'back in the pool in the HashClient\'s internal mechanisms.'),
|
||||
cfg.BoolOpt('enforce_fips_mode',
|
||||
default=False,
|
||||
help='Global toggle for enforcing the OpenSSL FIPS mode. '
|
||||
'This feature requires Python support. '
|
||||
'This is available in Python 3.9 in all '
|
||||
'environments and may have been backported to older '
|
||||
'Python versions on select environments. If the Python '
|
||||
'executable used does not support OpenSSL FIPS mode, '
|
||||
'an exception will be raised.'),
|
||||
],
|
||||
}
|
||||
|
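Review bot: The help text on the new `cfg.BoolOpt('enforce_fips_mode', …)` describes a process-wide OpenSSL switch as if it were scoped to the cache, and its claim that this "is available in Python 3.9 in all environments" is, as far as I know, not accurate: upstream CPython has never shipped `ssl.FIPS_mode`/`ssl.FIPS_mode_set`, they exist only in some vendor-patched builds, so please verify before keeping that sentence. Because `FIPS_mode_set(1)` flips the state of the OpenSSL library linked into the interpreter, every TLS user in the process is affected, not only the cache backend, and the enforcement appears to happen when the cache configuration is built, seemingly only on the TLS path (the tests enable `tls_enabled` alongside it); the help should say so. Suggested help: `'Global toggle for enforcing the OpenSSL FIPS mode. This is a process-wide OpenSSL setting, not something scoped to the cache: once enabled it applies to every TLS connection made by this process. It requires a Python build whose ssl module exposes FIPS_mode_set (not available in upstream CPython; provided by some vendor builds). If the interpreter in use does not support it, an exception is raised at configuration time.'` The `FILE_OPTIONS` dict this entry belongs to starts before the hunk.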
||||
@ -172,6 +172,18 @@ def _build_cache_config(conf):
|
|||
_LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
|
||||
tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
|
||||
|
||||
if conf.cache.enforce_fips_mode:
|
||||
if hasattr(ssl, 'FIPS_mode'):
|
||||
_LOG.info("Enforcing the use of the OpenSSL FIPS mode")
|
||||
ssl.FIPS_mode_set(1)
|
||||
else:
|
||||
raise exception.ConfigurationError(
|
||||
"OpenSSL FIPS mode is not supported by your Python "
|
||||
"version. You must either change the Python executable "
|
||||
"used to a version with FIPS mode support or disable "
|
||||
"FIPS mode by setting the '[cache] enforce_fips_mode' "
|
||||
"configuration option to 'False'.")
|
||||
|
||||
if conf.cache.tls_certfile is not None:
|
||||
_LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
|
||||
_LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
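Review bot: The guard at `if hasattr(ssl, 'FIPS_mode'):` tests one attribute and then calls a different one, `ssl.FIPS_mode_set(1)`, and the return value of that call is never checked: with OpenSSL's C API `FIPS_mode_set(1)` returns 0 and leaves FIPS off when no FIPS module is available, and I cannot tell from here whether the Python wrapper turns that into an exception, so an operator asking to enforce FIPS may silently keep running without it. The TLS context at `tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)` is also created before FIPS mode is switched on; whether a context built earlier picks up the restriction is something to verify, so I would enforce first and confirm with `ssl.FIPS_mode()` afterwards. `_build_cache_config` begins before this hunk and continues after it, so the indentation below is a guess.
```python
    if conf.cache.enforce_fips_mode:
        if not hasattr(ssl, 'FIPS_mode_set'):
            raise exception.ConfigurationError(
                # … unchanged: existing "not supported by your Python version" message …
            )
        _LOG.info("Enforcing the use of the OpenSSL FIPS mode")
        ssl.FIPS_mode_set(1)
        # Do not trust the call alone: verify OpenSSL actually reports FIPS mode on.
        if not ssl.FIPS_mode():
            raise exception.ConfigurationError(
                "Failed to enable OpenSSL FIPS mode: the OpenSSL build used "
                "by this Python executable does not provide a usable FIPS "
                "module.")

    # Create the TLS context only once FIPS mode is in effect.
    tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
    # … unchanged: tls_certfile / tls_keyfile handling …
```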
|
||||
@ -318,6 +318,45 @@ class CacheRegionTest(test_cache.BaseTestCase):
|
|||
config_dict['test_prefix.arguments.tls_context'],
|
||||
)
|
||||
|
||||
@mock.patch('oslo_cache.core._LOG')
|
||||
def test_cache_dictionary_config_builder_fips_mode_supported(self, log):
|
||||
"""Validate the FIPS mode is supported."""
|
||||
self.config_fixture.config(group='cache',
|
||||
enabled=True,
|
||||
config_prefix='test_prefix',
|
||||
backend='oslo_cache.dict',
|
||||
tls_enabled=True,
|
||||
enforce_fips_mode=True)
|
||||
|
||||
# Ensure that we emulate FIPS_mode even if it doesn't exist
|
||||
with mock.patch.object(ssl, 'FIPS_mode',
|
||||
create=True, return_value=True):
|
||||
# Ensure that we are able to set FIPS_mode
|
||||
with mock.patch.object(ssl, 'FIPS_mode_set', create=True):
|
||||
|
||||
cache._build_cache_config(self.config_fixture.conf)
|
||||
log.info.assert_called_once_with(
|
||||
"Enforcing the use of the OpenSSL FIPS mode")
|
||||
|
||||
@mock.patch('oslo_cache.core._LOG')
|
||||
def test_cache_dictionary_config_builder_fips_mode_unsupported(self, log):
|
||||
"""Validate the FIPS mode is not supported."""
|
||||
self.config_fixture.config(group='cache',
|
||||
enabled=True,
|
||||
config_prefix='test_prefix',
|
||||
backend='oslo_cache.dict',
|
||||
tls_enabled=True,
|
||||
enforce_fips_mode=True)
|
||||
|
||||
with mock.patch.object(cache, 'ssl') as ssl_:
|
||||
del ssl_.FIPS_mode
|
||||
|
||||
# We do this test only if FIPS mode is not supported to
|
||||
# ensure that we hard fail.
|
||||
self.assertRaises(exception.ConfigurationError,
|
||||
cache._build_cache_config,
|
||||
self.config_fixture.conf,)
|
||||
|
||||
def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
|
||||
"""Validate the backend is reset to default if caching is disabled."""
|
||||
self.config_fixture.config(group='cache',
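Review bot: `test_cache_dictionary_config_builder_fips_mode_supported` only asserts the log line, so it would still pass if `ssl.FIPS_mode_set` were never called or called with the wrong argument; capture the mock and check it: `with mock.patch.object(ssl, 'FIPS_mode_set', create=True) as fips_set:` and, after the `_build_cache_config` call, `fips_set.assert_called_once_with(1)`. Patching `ssl.FIPS_mode` with `create=True` here also masks that the production guard checks `FIPS_mode` while calling `FIPS_mode_set`; a test that provides `FIPS_mode` but not `FIPS_mode_set` would expose that mismatch if it is considered a bug. The `del ssl_.FIPS_mode` test covers only the `hasattr` branch and not the case where `FIPS_mode_set` exists but fails to enable FIPS, which the code under test does not currently handle either. Class `CacheRegionTest` starts before this hunk.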
|
||||
@ -0,0 +1,9 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Adding a new option, ``[cache] enforce_fips_mode``, to the rabbitmq driver
|
||||
to enforce the OpenSSL FIPS mode if supported by the version of Python.
|
||||
security:
|
||||
- |
|
||||
We are now able to enforce the OpenSSL FIPS mode by using
|
||||
``[cache] enforce_fips_mode``.