diff --git a/src/ipahealthcheck/meta/core.py b/src/ipahealthcheck/meta/core.py
index 7e6c6ba..6743ab1 100644
--- a/src/ipahealthcheck/meta/core.py
+++ b/src/ipahealthcheck/meta/core.py
@@ -5,6 +5,7 @@
 import logging
 import os
 import socket
+from pathlib import Path
 from ipahealthcheck.core import constants
 from ipahealthcheck.core.exceptions import TimeoutError
 from ipahealthcheck.core.plugin import Result, duration
@@ -13,8 +14,8 @@
 from ipapython.version import VERSION, API_VERSION
 from ipaplatform.paths import paths
-if 'FIPS_MODE_SETUP' not in dir(paths):
- paths.FIPS_MODE_SETUP = '/usr/bin/fips-mode-setup'
+if 'PROC_FIPS_ENABLED' not in dir(paths):
+ paths.PROC_FIPS_ENABLED = '/proc/sys/crypto/fips_enabled'
 logger = logging.getLogger()
@@ -25,31 +26,30 @@ class MetaCheck(Plugin):
 def check(self):
 rval = constants.SUCCESS
- if not os.path.exists(paths.FIPS_MODE_SETUP):
- fips = "missing {}".format(paths.FIPS_MODE_SETUP)
- logger.debug('%s is not installed, skipping',
- paths.FIPS_MODE_SETUP)
+ if not os.path.exists(paths.PROC_FIPS_ENABLED):
+ fips = "missing {}".format(paths.PROC_FIPS_ENABLED)
+ logger.debug("Can't find %s, skipping" %
+ paths.PROC_FIPS_ENABLED)
 else:
 try:
- result = ipautil.run([paths.FIPS_MODE_SETUP,
- '--is-enabled'],
- capture_output=True,
- raiseonerr=False,)
+ proc_fips_enable_path = Path(paths.PROC_FIPS_ENABLED)
+ result_text = proc_fips_enable_path.read_text()
+ result = int(result_text)
 except TimeoutError:
- logger.debug('fips-mode-setup timed out')
+ logger.debug('Reading %s timed out' % paths.PROC_FIPS_ENABLED)
 fips = "check timed out"
 rval = constants.ERROR
 except Exception as e:
- logger.debug('fips-mode-setup failed: %s', e)
+ logger.debug('Reading %s failed: %s' %
+ (paths.PROC_FIPS_ENABLED, e))
 fips = "failed to check"
 rval = constants.ERROR
 else:
- logger.debug(result.raw_output.decode('utf-8'))
- if result.returncode == 0:
+ logger.debug("%s returns %i" %
+ (paths.PROC_FIPS_ENABLED, result))
+ if result == 1:
 fips = "enabled"
- elif result.returncode == 1:
- fips = "inconsistent"
- elif result.returncode == 2:
+ elif result == 0:
 fips = "disabled"
 else:
 fips = "unknown"
diff --git a/tests/test_meta.py b/tests/test_meta.py
index dadb7c7..5cd9bb4 100644
--- a/tests/test_meta.py
+++ b/tests/test_meta.py
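Review bot: The new branch in `check()` reports `enabled` from the kernel flag alone, so the `inconsistent` state that the removed code mapped from exit code 1 of `fips-mode-setup --is-enabled` can no longer be reported. If that exit code meant the kernel flag and the rest of the system's FIPS configuration disagreed (inferred from the old mapping, not shown here), such a host is now presented as `enabled`. I would state the narrower meaning next to the read, e.g. `# fips_enabled is the kernel flag only; it does not confirm the system crypto policy is FIPS`. The `except TimeoutError` branch is kept although nothing in the new `try` body visibly raises it. `check()` continues past the end of this hunk.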
@@ -10,11 +10,10 @@
 from ipahealthcheck.core import config, constants
 from ipahealthcheck.meta.plugin import registry
 from ipahealthcheck.meta.core import MetaCheck
-from ipapython import ipautil
 from ipaplatform.paths import paths
-if 'FIPS_MODE_SETUP' not in dir(paths):
- paths.FIPS_MODE_SETUP = '/usr/bin/fips-mode-setup'
+if 'PROC_FIPS_ENABLED' not in dir(paths):
+ paths.PROC_FIPS_ENABLED = '/proc/sys/crypto/fips_enabled'
 def gen_result(returncode, output='', error=''):
@@ -36,7 +35,7 @@ def gen_result(returncode, output='', error=''):
 class TestMetaFIPS(BaseTest):
 @patch('os.path.exists')
- def test_fips_no_fips_mode_setup(self, mock_exists):
+ def test_fips_no_fips_enabled(self, mock_exists):
 mock_exists.return_value = False
 framework = object()
@@ -51,15 +50,16 @@ def test_fips_no_fips_mode_setup(self, mock_exists):
 assert result.result == constants.SUCCESS
 assert result.source == 'ipahealthcheck.meta.core'
 assert result.check == 'MetaCheck'
- assert result.kw.get('fips') == 'missing %s' % paths.FIPS_MODE_SETUP
+ assert result.kw.get('fips') == 'missing %s' % paths.PROC_FIPS_ENABLED
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_fips_disabled(self, mock_run, mock_exists):
+ def test_fips_disabled(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = '0'
 mock_run.side_effect = [
- gen_result(2),
 gen_result(0, output='ACME is disabled'),
 ]
@@ -78,12 +78,13 @@ def test_fips_disabled(self, mock_run, mock_exists):
 assert result.kw.get('fips') == 'disabled'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_fips_enabled(self, mock_run, mock_exists):
+ def test_fips_enabled(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = '1'
 mock_run.side_effect = [
- gen_result(0),
 gen_result(0, output='ACME is disabled'),
 ]
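Review bot: In `test_fips_disabled` and `test_fips_enabled` the patched `read_text` returns `'0'` and `'1'` with no trailing newline, whereas the real `/proc/sys/crypto/fips_enabled` content ends with one, so the tests never feed the check the string it will actually parse. `int()` tolerates surrounding whitespace, so this works today, but using the realistic value guards against a later switch to a string comparison: `mock_result.return_value = '1\n'`. The parameter name `mock_result` also reads like the check's result rather than the patched `Path.read_text`; `mock_read_text` would be clearer here and in the later test hunks that add the same patch. Both test bodies continue outside their hunks.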
@@ -102,12 +103,13 @@ def test_fips_enabled(self, mock_run, mock_exists):
 assert result.kw.get('fips') == 'enabled'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_fips_inconsistent(self, mock_run, mock_exists):
+ def test_fips_unknown(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = '2'
 mock_run.side_effect = [
- gen_result(1),
 gen_result(0, output='ACME is disabled'),
 ]
@@ -123,15 +125,16 @@ def test_fips_inconsistent(self, mock_run, mock_exists):
 assert result.result == constants.SUCCESS
 assert result.source == 'ipahealthcheck.meta.core'
 assert result.check == 'MetaCheck'
- assert result.kw.get('fips') == 'inconsistent'
+ assert result.kw.get('fips') == 'unknown'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_fips_unknown(self, mock_run, mock_exists):
+ def test_fips_non_numeric(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = 'test'
 mock_run.side_effect = [
- gen_result(103),
 gen_result(0, output='ACME is disabled'),
 ]
@@ -144,20 +147,22 @@ def test_fips_unknown(self, mock_run, mock_exists):
 assert len(self.results) == 1
 result = self.results.results[0]
- assert result.result == constants.SUCCESS
+ assert result.result == constants.ERROR
 assert result.source == 'ipahealthcheck.meta.core'
 assert result.check == 'MetaCheck'
- assert result.kw.get('fips') == 'unknown'
+ assert result.kw.get('fips') == 'failed to check'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_fips_failed(self, mock_run, mock_exists):
+ def test_fips_failed(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.side_effect = [
+ gen_result(constants.ERROR, output="failed to check"),
+ ]
+
 mock_run.side_effect = [
- ipautil.CalledProcessError(
- 1, 'fips-mode-setup', output='execution failed'
- ),
 gen_result(0, output='ACME is disabled'),
 ]
@@ -197,12 +202,13 @@ def test_acme_no_ipa_acme_status(self, mock_exists):
 'missing %s' % '/usr/sbin/ipa-acme-manage'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_acme_disabled(self, mock_run, mock_exists):
+ def test_acme_disabled(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = '1'
 mock_run.side_effect = [
- gen_result(0),
 gen_result(0, output='ACME is disabled'),
 ]
@@ -221,12 +227,13 @@ def test_acme_disabled(self, mock_run, mock_exists):
 assert result.kw.get('acme') == 'disabled'
 @patch('os.path.exists')
+ @patch('pathlib.Path.read_text')
 @patch('ipapython.ipautil.run')
- def test_acme_enabled(self, mock_run, mock_exists):
+ def test_acme_enabled(self, mock_run, mock_result, mock_exists):
 mock_exists.return_value = True
+ mock_result.return_value = '1'
 mock_run.side_effect = [
- gen_result(0),
 gen_result(0, output='ACME is enabled'),
 ]
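Review bot: `test_fips_failed` sets `mock_result.side_effect` to a list holding a `gen_result(...)` object, so the patched `read_text` returns that object instead of raising, and the failure path is reached only if `int()` happens to reject it. `gen_result` is defined outside this hunk, so whether that holds depends on what it returns. Raising from the mock simulates the read failure directly and does not depend on that: `mock_result.side_effect = OSError('read failed')`. The assertions of this test are outside the hunk.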
@@ -250,7 +257,6 @@ def test_acme_unknown(self, mock_run, mock_exists): mock_exists.return_value = True mock_run.side_effect = [ - gen_result(0), gen_result( 0, error="cannot connect to 'https://somewhere/acme/login"