Add a new option to enforce the OpenSSL FIPS mode

This option ``enforce_fips_mode`` allows us to enforce the FIPS mode
if it is supported by the version of Python in use.

https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards

Change-Id: I220012094d2be3c2c47a444260bc42fb53aaf6bc
Hervé Beraud 2021-06-24 14:57:12 +02:00 committed by damani42
parent a977dd9109
commit f438770767
4 changed files with 69 additions and 0 deletions


@ -217,6 +217,15 @@ FILE_OPTIONS = {
default=60,
help='Time in seconds before attempting to add a node '
'back in the pool in the HashClient\'s internal mechanisms.'),
cfg.BoolOpt('enforce_fips_mode',
default=False,
help='Global toggle for enforcing the OpenSSL FIPS mode. '
'This feature requires Python support. '
'This is available in Python 3.9 in all '
'environments and may have been backported to older '
'Python versions on select environments. If the Python '
'executable used does not support OpenSSL FIPS mode, '
'an exception will be raised.'),
],
}
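Review bot: The help string on the `help='Global toggle ...'` lines states that FIPS mode support "is available in Python 3.9 in all environments", which I believe is inaccurate: as far as I know `ssl.FIPS_mode`/`ssl.FIPS_mode_set` are not part of the upstream CPython ssl module in any version and only exist in distribution-patched builds, so operators reading this will expect the option to work on a stock 3.9 and instead hit the exception. I would describe the actual requirement rather than a version: `help='Global toggle for enforcing the OpenSSL FIPS mode. '` / `'This requires a Python build whose ssl module exposes '` / `'FIPS_mode_set(); if it does not, an exception is raised.'`. The same option is described in the new release note as being added "to the rabbitmq driver", which does not match a `[cache]` option and looks copied from another project; that text should name oslo.cache's backends instead.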


@ -172,6 +172,18 @@ def _build_cache_config(conf):
_LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
if conf.cache.enforce_fips_mode:
if hasattr(ssl, 'FIPS_mode'):
_LOG.info("Enforcing the use of the OpenSSL FIPS mode")
ssl.FIPS_mode_set(1)
else:
raise exception.ConfigurationError(
"OpenSSL FIPS mode is not supported by your Python "
"version. You must either change the Python executable "
"used to a version with FIPS mode support or disable "
"FIPS mode by setting the '[cache] enforce_fips_mode' "
"configuration option to 'False'.")
if conf.cache.tls_certfile is not None:
_LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
_LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
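Review bot: The guard on the `if hasattr(ssl, 'FIPS_mode'):` line tests a different attribute than the one the new code then calls (`ssl.FIPS_mode_set`), and the outcome of that call is never verified, so a build that exposes the query function but whose setter is missing, fails or is a no-op passes the check while the process keeps running without FIPS mode. Since this option is meant as a fail-closed security control, I would check both attributes up front, then confirm with `ssl.FIPS_mode()` after setting and raise if it is still disabled; the new tests already mock `FIPS_mode` with `return_value=True`, so they keep passing with the version below. `_build_cache_config` starts and ends outside the hunk; judging from the `tls_context = ...` line just above, this block appears to sit inside the TLS-enabled branch, which would mean `enforce_fips_mode=True` with `tls_enabled=False` is silently ignored — either document that in the option's help text or hoist the check out of that branch (please confirm against the surrounding code). A short comment that FIPS mode is process-global OpenSSL state rather than cache-specific would also help the next maintainer.
```python
if conf.cache.enforce_fips_mode:
    # NOTE: OpenSSL FIPS mode is process-global state, not cache-specific.
    if not (hasattr(ssl, 'FIPS_mode') and hasattr(ssl, 'FIPS_mode_set')):
        raise exception.ConfigurationError(
            "OpenSSL FIPS mode is not supported by your Python "
            "version. You must either change the Python executable "
            "used to a version with FIPS mode support or disable "
            "FIPS mode by setting the '[cache] enforce_fips_mode' "
            "configuration option to 'False'.")
    _LOG.info("Enforcing the use of the OpenSSL FIPS mode")
    ssl.FIPS_mode_set(1)
    # Fail closed: do not trust the setter, verify the resulting state.
    if not ssl.FIPS_mode():
        raise exception.ConfigurationError(
            "Failed to enable the OpenSSL FIPS mode although the Python "
            "executable reports support for it.")
# … unchanged: tls_certfile / tls_keyfile handling …
```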


@ -318,6 +318,45 @@ class CacheRegionTest(test_cache.BaseTestCase):
config_dict['test_prefix.arguments.tls_context'],
)
@mock.patch('oslo_cache.core._LOG')
def test_cache_dictionary_config_builder_fips_mode_supported(self, log):
"""Validate the FIPS mode is supported."""
self.config_fixture.config(group='cache',
enabled=True,
config_prefix='test_prefix',
backend='oslo_cache.dict',
tls_enabled=True,
enforce_fips_mode=True)
# Ensure that we emulate FIPS_mode even if it doesn't exist
with mock.patch.object(ssl, 'FIPS_mode',
create=True, return_value=True):
# Ensure that we are able to set FIPS_mode
with mock.patch.object(ssl, 'FIPS_mode_set', create=True):
cache._build_cache_config(self.config_fixture.conf)
log.info.assert_called_once_with(
"Enforcing the use of the OpenSSL FIPS mode")
@mock.patch('oslo_cache.core._LOG')
def test_cache_dictionary_config_builder_fips_mode_unsupported(self, log):
"""Validate the FIPS mode is not supported."""
self.config_fixture.config(group='cache',
enabled=True,
config_prefix='test_prefix',
backend='oslo_cache.dict',
tls_enabled=True,
enforce_fips_mode=True)
with mock.patch.object(cache, 'ssl') as ssl_:
del ssl_.FIPS_mode
# We do this test only if FIPS mode is not supported to
# ensure that we hard fail.
self.assertRaises(exception.ConfigurationError,
cache._build_cache_config,
self.config_fixture.conf,)
def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
"""Validate the backend is reset to default if caching is disabled."""
self.config_fixture.config(group='cache',
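Review bot: `test_cache_dictionary_config_builder_fips_mode_supported` patches `FIPS_mode_set` on the `with mock.patch.object(ssl, 'FIPS_mode_set', create=True):` line but never asserts it was called, so a regression that logs the message and drops the actual `ssl.FIPS_mode_set(1)` call would still pass; bind the mock and check it: `with mock.patch.object(ssl, 'FIPS_mode_set', create=True) as fips_set:` and, after the build call, `fips_set.assert_called_once_with(1)`. The docstring of the unsupported case, `"""Validate the FIPS mode is not supported."""`, describes the fixture rather than the expectation; `"""Validate a ConfigurationError is raised when FIPS mode is unsupported."""` says what the test actually checks. The enclosing class `CacheRegionTest` starts outside the hunk, and the last method shown continues past it.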


@ -0,0 +1,9 @@
---
features:
- |
Adding a new option, ``[cache] enforce_fips_mode``, to the rabbitmq driver
to enforce the OpenSSL FIPS mode if supported by the version of Python.
security:
- |
We are now able to enforce the OpenSSL FIPS mode by using
``[cache] enforce_fips_mode``.