From ff96cb123c885bbac0c8bb9545fb5825dc27f36b Mon Sep 17 00:00:00 2001
From: Maggie Dreyer
Date: Wed, 17 Jul 2019 08:54:36 -0700
Subject: [PATCH] (BKR-1604) Add FIPS detection method to Host

This commit adds a method that reports if FIPS mode is enabled for a host. Currently, we only test on Redhat 7 with FIPS mode, which indicates its state via a file. If we eventually expand support to testing with FIPS on more operating systems, those cases and their detection methods should be added. For now, all other platforms simply return false.
---
 lib/beaker/host.rb | 14 ++++++++++++++
 spec/beaker/host_spec.rb | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/lib/beaker/host.rb b/lib/beaker/host.rb
index e6827513c6..1536700298 100644
--- a/lib/beaker/host.rb
+++ b/lib/beaker/host.rb
@@ -209,6 +209,20 @@ def graceful_restarts?
 graceful
 end

+ # Returns true if the host is running in FIPS mode.
+ #
+ # We currently only test FIPS mode on Redhat 7. Other detection
+ # modes should be added here if we expand FIPS support to other
+ # platforms.
+ def fips_mode?
+ case self['platform']
+ when /el-7/
+ execute("cat /proc/sys/crypto/fips_enabled") == "1"
+ else
+ false
+ end
+ end
+
 # Modifies the host settings to indicate that it will be using passenger service scripts,
 # (apache2) by default. Does nothing if this is a PE host, since it is already using
 # passenger.
diff --git a/spec/beaker/host_spec.rb b/spec/beaker/host_spec.rb
index 479f6ada1b..f1834c4eb8 100644
--- a/spec/beaker/host_spec.rb
+++ b/spec/beaker/host_spec.rb
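Review bot: In `fips_mode?` (lib/beaker/host.rb), the `el-7` branch compares the result of `execute` to the exact string `"1"`, so the answer depends on `execute` handing back stdout with the trailing newline already removed; `cat` prints the digit followed by a newline, and the spec stubs `execute`, so nothing in this commit checks that. The definition of `execute` is outside this hunk; if that normalisation is not guaranteed, `execute("cat /proc/sys/crypto/fips_enabled").strip == "1"` makes the check independent of it. The `else` branch also returns `false` for every platform where nothing was probed, so a FIPS-enabled host on another platform is reported as non-FIPS and any FIPS-conditional test logic takes the wrong path without warning. The doc comment should state that, for example `# Returns false on platforms where detection is not implemented, not only when FIPS is disabled.`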
@@ -849,5 +849,24 @@ module Beaker
 expect(host.down?).to be true
 end
 end
+
+ describe "#fips_mode?" do
+ it 'returns false on non-el7 hosts' do
+ @platform = 'windows'
+ expect(host.fips_mode?).to be false
+ end
+
+ it 'returns true when the `fips_enabled` file is present and contains "1"' do
+ @platform = 'el-7'
+ expect(host).to receive(:execute).with("cat /proc/sys/crypto/fips_enabled").and_return("1")
+ expect(host.fips_mode?).to be true
+ end
+
+ it 'returns false when the `fips_enabled` file is present and contains "0"' do
+ @platform = 'el-7'
+ expect(host).to receive(:execute).with("cat /proc/sys/crypto/fips_enabled").and_return("0")
+ expect(host.fips_mode?).to be false
+ end
+ end
 end
 end
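Review bot: The `returns false on non-el7 hosts` example asserts only the return value, so it would still pass if `fips_mode?` began running a command on hosts it is documented to skip; adding `expect(host).not_to receive(:execute)` before the call pins that. The two el-7 examples stub `execute` with the bare strings `"1"` and `"0"`, so they do not show what the method returns for the output a real `cat` produces, or when the command fails or the file is absent. One example for each of those cases would document the intended result. The enclosing `describe` and `module Beaker` start outside this hunk.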