Add a new option to enforce the OpenSSL FIPS mode
This option ``enforce_fips_mode`` allows us to enforce the FIPS mode if supported by the version of python in use. https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards Change-Id: I220012094d2be3c2c47a444260bc42fb53aaf6bc
This commit is contained in:
parent
a977dd9109
commit
f438770767
|
@ -217,6 +217,15 @@ FILE_OPTIONS = {
|
||||||
default=60,
|
default=60,
|
||||||
help='Time in seconds before attempting to add a node '
|
help='Time in seconds before attempting to add a node '
|
||||||
'back in the pool in the HashClient\'s internal mechanisms.'),
|
'back in the pool in the HashClient\'s internal mechanisms.'),
|
||||||
|
cfg.BoolOpt('enforce_fips_mode',
|
||||||
|
default=False,
|
||||||
|
help='Global toggle for enforcing the OpenSSL FIPS mode. '
|
||||||
|
'This feature requires Python support. '
|
||||||
|
'This is available in Python 3.9 in all '
|
||||||
|
'environments and may have been backported to older '
|
||||||
|
'Python versions on select environments. If the Python '
|
||||||
|
'executable used does not support OpenSSL FIPS mode, '
|
||||||
|
'an exception will be raised.'),
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
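Review bot: The help text on the `enforce_fips_mode` option states that FIPS support "is available in Python 3.9 in all environments", but as far as I can tell upstream CPython's `ssl` module does not expose `FIPS_mode`/`FIPS_mode_set` at any version; they come from distribution patches, and OpenSSL 3 dropped the underlying `FIPS_mode_set` call altogether. An operator reading this help will expect a stock 3.9 interpreter to work and instead hit the ConfigurationError at startup. I would reword along the lines of `help='Global toggle for enforcing the OpenSSL FIPS mode. This requires a Python build whose ssl module exposes FIPS_mode_set (a vendor patch, not part of upstream CPython); if the interpreter does not support it, a ConfigurationError is raised.'`. The release note in the last hunk has a related wording problem: it describes the option as being added "to the rabbitmq driver", which does not match this cache option.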
@ -172,6 +172,18 @@ def _build_cache_config(conf):
|
||||||
_LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
|
_LOG.debug('Oslo Cache TLS - CA: %s', conf.cache.tls_cafile)
|
||||||
tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
|
tls_context = ssl.create_default_context(cafile=conf.cache.tls_cafile)
|
||||||
|
|
||||||
|
if conf.cache.enforce_fips_mode:
|
||||||
|
if hasattr(ssl, 'FIPS_mode'):
|
||||||
|
_LOG.info("Enforcing the use of the OpenSSL FIPS mode")
|
||||||
|
ssl.FIPS_mode_set(1)
|
||||||
|
else:
|
||||||
|
raise exception.ConfigurationError(
|
||||||
|
"OpenSSL FIPS mode is not supported by your Python "
|
||||||
|
"version. You must either change the Python executable "
|
||||||
|
"used to a version with FIPS mode support or disable "
|
||||||
|
"FIPS mode by setting the '[cache] enforce_fips_mode' "
|
||||||
|
"configuration option to 'False'.")
|
||||||
|
|
||||||
if conf.cache.tls_certfile is not None:
|
if conf.cache.tls_certfile is not None:
|
||||||
_LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
|
_LOG.debug('Oslo Cache TLS - cert: %s', conf.cache.tls_certfile)
|
||||||
_LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
|
_LOG.debug('Oslo Cache TLS - key: %s', conf.cache.tls_keyfile)
|
||||||
|
|
|
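Review bot: The guard `if hasattr(ssl, 'FIPS_mode'):` tests a different attribute from the one the block actually calls, `ssl.FIPS_mode_set(1)`, so an interpreter exposing only the getter would fail with AttributeError rather than the intended ConfigurationError, and nothing verifies that the mode really switched on — the result of `FIPS_mode_set` is discarded, so a failed enable (for example an OpenSSL without a FIPS-capable module) would silently continue while the operator believes FIPS is enforced. I would key the guard on `FIPS_mode_set`, then read back `ssl.FIPS_mode()` and fail closed if it is still off. Note also that `ssl.create_default_context(...)` on the line above runs before the mode is enforced; whether that affects the context's cipher selection depends on the OpenSSL build, so enforcing before building the context looks like the safer order. `_build_cache_config` starts and ends outside this hunk, so I cannot see whether this block only executes on the TLS-enabled path; if it does, FIPS would not be enforced for non-TLS cache configurations even with the option set.
```python
    if conf.cache.enforce_fips_mode:
        if hasattr(ssl, 'FIPS_mode_set'):
            _LOG.info("Enforcing the use of the OpenSSL FIPS mode")
            ssl.FIPS_mode_set(1)
            # Fail closed: confirm the switch actually took effect.
            if not ssl.FIPS_mode():
                raise exception.ConfigurationError(
                    "OpenSSL FIPS mode could not be enabled; the OpenSSL "
                    "library in use may not provide a FIPS module.")
        else:
            # … unchanged: raise ConfigurationError("OpenSSL FIPS mode is not supported …") …
```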
@ -318,6 +318,45 @@ class CacheRegionTest(test_cache.BaseTestCase):
|
||||||
config_dict['test_prefix.arguments.tls_context'],
|
config_dict['test_prefix.arguments.tls_context'],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@mock.patch('oslo_cache.core._LOG')
|
||||||
|
def test_cache_dictionary_config_builder_fips_mode_supported(self, log):
|
||||||
|
"""Validate the FIPS mode is supported."""
|
||||||
|
self.config_fixture.config(group='cache',
|
||||||
|
enabled=True,
|
||||||
|
config_prefix='test_prefix',
|
||||||
|
backend='oslo_cache.dict',
|
||||||
|
tls_enabled=True,
|
||||||
|
enforce_fips_mode=True)
|
||||||
|
|
||||||
|
# Ensure that we emulate FIPS_mode even if it doesn't exist
|
||||||
|
with mock.patch.object(ssl, 'FIPS_mode',
|
||||||
|
create=True, return_value=True):
|
||||||
|
# Ensure that we are able to set FIPS_mode
|
||||||
|
with mock.patch.object(ssl, 'FIPS_mode_set', create=True):
|
||||||
|
|
||||||
|
cache._build_cache_config(self.config_fixture.conf)
|
||||||
|
log.info.assert_called_once_with(
|
||||||
|
"Enforcing the use of the OpenSSL FIPS mode")
|
||||||
|
|
||||||
|
@mock.patch('oslo_cache.core._LOG')
|
||||||
|
def test_cache_dictionary_config_builder_fips_mode_unsupported(self, log):
|
||||||
|
"""Validate the FIPS mode is not supported."""
|
||||||
|
self.config_fixture.config(group='cache',
|
||||||
|
enabled=True,
|
||||||
|
config_prefix='test_prefix',
|
||||||
|
backend='oslo_cache.dict',
|
||||||
|
tls_enabled=True,
|
||||||
|
enforce_fips_mode=True)
|
||||||
|
|
||||||
|
with mock.patch.object(cache, 'ssl') as ssl_:
|
||||||
|
del ssl_.FIPS_mode
|
||||||
|
|
||||||
|
# We do this test only if FIPS mode is not supported to
|
||||||
|
# ensure that we hard fail.
|
||||||
|
self.assertRaises(exception.ConfigurationError,
|
||||||
|
cache._build_cache_config,
|
||||||
|
self.config_fixture.conf,)
|
||||||
|
|
||||||
def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
|
def test_cache_dictionary_config_builder_tls_enabled_with_config(self):
|
||||||
"""Validate the backend is reset to default if caching is disabled."""
|
"""Validate the backend is reset to default if caching is disabled."""
|
||||||
self.config_fixture.config(group='cache',
|
self.config_fixture.config(group='cache',
|
||||||
|
|
|
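Review bot: `test_cache_dictionary_config_builder_fips_mode_supported` patches `ssl.FIPS_mode_set` but never asserts that it was called, so the test would still pass if the `ssl.FIPS_mode_set(1)` call were dropped from `_build_cache_config`; only the log message is verified. Capture the mock and pin the call: `with mock.patch.object(ssl, 'FIPS_mode_set', create=True) as fips_set:` and, after the build call, `fips_set.assert_called_once_with(1)`. In the unsupported-path test, `del ssl_.FIPS_mode` removes only that one attribute from the MagicMock, which auto-creates any other attribute on access; adding `del ssl_.FIPS_mode_set` as well keeps the test exercising the intended failure path regardless of which attribute the production guard checks. `CacheRegionTest` begins before this hunk.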
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adding a new option, ``[cache] enforce_fips_mode``, to the rabbitmq driver
|
||||||
|
to enforce the OpenSSL FIPS mode if supported by the version of Python.
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
We are now able to enforce the OpenSSL FIPS mode by using
|
||||||
|
``[cache] enforce_fips_mode``.
|