generated from cyberark/conjur-template
-
Notifications
You must be signed in to change notification settings - Fork 5
/
test-ubuntu-ruby-fips.yml
108 lines (108 loc) · 3.75 KB
/
test-ubuntu-ruby-fips.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
schemaVersion: 2.0.0
commandTests:
# OS version test
- name: "Operating system version"
command: "bash"
args:
- -c
- cat /etc/os-release | grep 'VERSION_ID='
expectedOutput: ["^VERSION_ID=\"22.04\"\n$"]
- name: "FIPS toggle enabled by default"
command: "bash"
args: [ "fips_mode" ]
expectedOutput: [ "^FIPS mode is enabled\n$" ]
# OpenSSL tests
- name: "OpenSSL version"
command: "openssl"
args: ["version"]
expectedOutput: ["^OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+ \\(Library: OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+\\)\n$"]
- name: "libssl.so linked with valid libcrypto.so version"
command: "bash"
args:
- -c
- find / -type f -name libssl.so* | xargs ldd | grep "libcrypto.so" | cut -d' ' -f3
expectedOutput: ["^/lib/x86_64-linux-gnu/libcrypto.so.3\n$"]
- name: "libcrypto.so version"
setup: [["apt-get", "update"], ["apt-get", "install", "-y", "binutils"]]
command: "bash"
args:
- -c
- find / -type f -name libcrypto.so* -exec strings {} \; | grep "^OpenSSL\s\([0-9]\.\)\{2\}[0-9]" | tr -d '\n'
expectedOutput: ["^OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+$"]
- name: "OpenSSL accepts FIPS compliant algorithms"
command: "openssl"
args:
- sha256
- /etc/passwd
- name: "OpenSSL denies non FIPS compliant algorithms"
command: "openssl"
args:
- md5
- /etc/passwd
exitCode: 1
expectedError: [".*Error setting digest.*"]
# holded packages
- name: "packages are on hold"
command: "apt-mark"
args:
- "showhold"
expectedOutput:
- ".*ruby.*"
# ruby tests
- name: "Ruby version"
command: "ruby"
args: ["--version"]
expectedOutput: ["^ruby 3.2.2 \\(2023-03-30 revision e51014f9c0\\) \\[x86_64-linux\\]\n$"]
- name: "Ruby linked with valid libcrypto.so version"
setup: [["apt-get", "update"], ["apt-get", "install", "-y", "binutils"]]
command: "bash"
args:
- -c
- find / -name *ssl*.*so* | grep ruby | xargs ldd | grep "libcrypto.so" | cut -d' ' -f3 | xargs strings | grep "^OpenSSL\s\([0-9]\.\)\{2\}[0-9]" | tr -d '\n'
expectedOutput: ["^OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+$"]
- name: "Ruby linked with valid libssl.so version"
command: "bash"
args:
- -c
- find / -name *ssl*.*so* | grep ruby | xargs ldd | grep "libssl.so" | cut -d' ' -f3
expectedOutput: ["^/lib/x86_64-linux-gnu/libssl.so.3\n$"]
- name: "Ruby sees valid OpenSSL version"
command: "ruby"
args:
- -ropenssl
- -e
- 'puts OpenSSL::OPENSSL_LIBRARY_VERSION'
expectedOutput: ["^OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+\n$"]
- name: "Ruby accepts FIPS compliant algorithms"
command: "ruby"
args:
- -ropenssl
- -e
- 'puts(OpenSSL::Digest::SHA256.new)'
- name: "Ruby denies non FIPS compliant algorithms"
command: "ruby"
args:
- -ropenssl
- -e
- 'puts(OpenSSL::Digest::MD5.new)'
exitCode: 1
expectedError: [".*Digest initialization failed.*"]
# postgres lib tests
- name: "libpq linked with valid libcrypto.so version"
setup: [["apt-get", "update"], ["apt-get", "install", "-y", "binutils"]]
command: "bash"
args:
- -c
- find / -type f -name libpq.so* | xargs ldd | grep "libcrypto.so" | cut -d' ' -f3 | xargs strings | grep "^OpenSSL\s\([0-9]\.\)\{2\}[0-9]" | tr -d '\n'
expectedOutput: ["^OpenSSL 3.[0-9].[0-9] [0-9A-Za-z ]+$"]
- name: "libpq linked with valid libssl.so version"
command: "bash"
args:
- -c
- find / -type f -name libpq.so* | xargs ldd | grep "libssl.so" | cut -d' ' -f3
expectedOutput: ["^/lib/x86_64-linux-gnu/libssl.so.3\n$"]
# bundler tests
- name: "bundler version"
command: "bundler"
args: ["--version"]
expectedOutput: ["^Bundler version 2.4.14\n$"]