[#1060] Fix test failures when FIPS mode is enabled

artemiscloud · Dec 4, 2024 · 4a9f087 · 4a9f087
1 parent 46d529c
commit 4a9f087
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 13 deletions.
diff --git a/controllers/activemqartemis_controller_cert_manager_test.go b/controllers/activemqartemis_controller_cert_manager_test.go
@@ -188,6 +188,10 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 		})
 
 		It("test configured with cert secret as legacy one", func() {
+			if isFIPSEnabled {
+				Skip("Legacy PKCS12 key stores with PBEWithSHA1AndRC2_40 are not supported when FIPS mode is enabled")
+			}
+
 			if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
 				By("deploying the broker")
 				_, brokerCr := DeployCustomBroker(defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemis) {
@@ -414,7 +418,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 			podName := activeMQArtemis.Name + "-ss-0"
 			trustStorePath := "/amq/extra/secrets/" + issuerCertSecretName + "/tls.crt"
 			checkCommandBeforeUpdating := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-				"tcp://" + podName + ":61617?sslEnabled=true&sniHost=" + ingressHost + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
+				"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=" + ingressHost + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
 			Eventually(func(g Gomega) {
 				stdOutContent := ExecOnPod(podName, activeMQArtemis.Name, defaultNamespace, checkCommandBeforeUpdating, g)
 				g.Expect(stdOutContent).Should(ContainSubstring("Checks run: 1"))
@@ -544,7 +548,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 
 			By("Checking tls-acceptor before updating")
 			checkCommandBeforeUpdating := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-				"tcp://" + podName + ":61617?sslEnabled=true&sniHost=before.artemiscloud.io&trustStoreType=PEM&trustStorePath=" + trustStorePath}
+				"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=before.artemiscloud.io&trustStoreType=PEM&trustStorePath=" + trustStorePath}
 			Eventually(func(g Gomega) {
 				stdOutContent := ExecOnPod(podName, activeMQArtemis.Name, defaultNamespace, checkCommandBeforeUpdating, g)
 				g.Expect(stdOutContent).Should(ContainSubstring("Checks run: 1"))
@@ -574,7 +578,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 
 			By("Checking tls-acceptor after updating")
 			checkCommandAfterUpdating := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-				"tcp://" + podName + ":61617?sslEnabled=true&sniHost=after.artemiscloud.io&trustStoreType=PEM&trustStorePath=" + trustStorePath}
+				"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=after.artemiscloud.io&trustStoreType=PEM&trustStorePath=" + trustStorePath}
 			Eventually(func(g Gomega) {
 				stdOutContent := ExecOnPod(podName, activeMQArtemis.Name, defaultNamespace, checkCommandAfterUpdating, g)
 				g.Expect(stdOutContent).Should(ContainSubstring("Checks run: 1"))
@@ -751,7 +755,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 			trustStorePath := "/amq/extra/secrets/" + bundleName + "/root-certs.pem"
 			certDumpCommand := []string{"cat", "/etc/" + certSecretName + "-volume/tls.crt"}
 			checkCommand := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-				"tcp://" + podName + ":61617?sslEnabled=true&sniHost=broker.artemiscloud.io&trustStoreType=PEMCA&trustStorePath=" + trustStorePath}
+				"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=broker.artemiscloud.io&trustStoreType=PEMCA&trustStorePath=" + trustStorePath}
 
 			By("Checking tls-acceptor before updating")
 			Eventually(func(g Gomega) {
@@ -1046,7 +1050,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 			Eventually(func(g Gomega) {
 				keyStorePath := "/amq/extra/secrets/" + clientKeyStoreSecretName + "/client-foo.pemcfg"
 				checkCommand := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-					"tcp://" + podName + ":61617?sslEnabled=true&sniHost=broker.artemiscloud.io&keyStoreType=PEMCFG&keyStorePath=" + keyStorePath + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
+					"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=broker.artemiscloud.io&keyStoreType=PEMCFG&keyStorePath=" + keyStorePath + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
 
 				stdOutContent := ExecOnPod(podName, activeMQArtemis.Name, defaultNamespace, checkCommand, g)
 				g.Expect(stdOutContent).Should(ContainSubstring("Checks run: 1"))
@@ -1056,7 +1060,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 			Eventually(func(g Gomega) {
 				keyStorePath := "/amq/extra/secrets/" + clientKeyStoreSecretName + "/client-bar.pemcfg"
 				checkCommand := []string{"/home/jboss/amq-broker/bin/artemis", "check", "node", "--up", "--url",
-					"tcp://" + podName + ":61617?sslEnabled=true&sniHost=broker.artemiscloud.io&keyStoreType=PEMCFG&keyStorePath=" + keyStorePath + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
+					"tcp://" + podName + ":61617?sslEnabled=true&forceSSLParameters=true&sniHost=broker.artemiscloud.io&keyStoreType=PEMCFG&keyStorePath=" + keyStorePath + "&trustStoreType=PEM&trustStorePath=" + trustStorePath}
 
 				stdOutContent := ExecOnPod(podName, activeMQArtemis.Name, defaultNamespace, checkCommand, g)
 				g.Expect(stdOutContent).Should(ContainSubstring("Checks run: 1"))
@@ -1128,7 +1132,7 @@ func CheckAcceptorStarted(podName string, crName string, acceptorName string, g
 }
 
 func checkMessagingInPodWithJavaStore(podName string, crName string, portNumber string, trustStoreLoc string, trustStorePassword string, keyStoreLoc *string, keyStorePassword *string, g Gomega) {
-	tcpUrl := "tcp://" + podName + ":" + portNumber + "?sslEnabled=true&trustStorePath=" + trustStoreLoc + "&trustStorePassword=" + trustStorePassword
+	tcpUrl := "tcp://" + podName + ":" + portNumber + "?sslEnabled=true&forceSSLParameters=true&trustStorePath=" + trustStoreLoc + "&trustStorePassword=" + trustStorePassword
 	if keyStoreLoc != nil {
 		tcpUrl += "&keyStorePath=" + *keyStoreLoc + "&keyStorePassword=" + *keyStorePassword
 	}
@@ -1141,7 +1145,7 @@ func checkMessagingInPodWithJavaStore(podName string, crName string, portNumber
 }
 
 func checkMessagingInPod(podName string, crName string, portNumber string, trustStoreLoc string, g Gomega) {
-	tcpUrl := "tcp://" + podName + ":" + portNumber + "?sslEnabled=true&trustStorePath=" + trustStoreLoc + "&trustStoreType=PEM"
+	tcpUrl := "tcp://" + podName + ":" + portNumber + "?sslEnabled=true&forceSSLParameters=true&trustStorePath=" + trustStoreLoc + "&trustStoreType=PEM"
 	sendCommand := []string{"amq-broker/bin/artemis", "producer", "--user", "testuser", "--password", "testpassword", "--url", tcpUrl, "--message-count", "1", "--destination", "queue://DLQ", "--verbose"}
 	result := ExecOnPod(podName, crName, defaultNamespace, sendCommand, g)
 	g.Expect(result).To(ContainSubstring("Produced: 1 messages"))

diff --git a/controllers/activemqartemis_controller_test.go b/controllers/activemqartemis_controller_test.go
@@ -10323,6 +10323,7 @@ var _ = Describe("artemis controller", func() {
 
 				crd.Spec.BrokerProperties = []string{
 					"connectorConfigurations.artemis.params.sslEnabled=true",
+					"connectorConfigurations.artemis.params.forceSSLParameters=true",
 					"connectorConfigurations.artemis.params.trustStorePath=/etc/" + tlsSecretName + "-volume/broker.ks",
 					"connectorConfigurations.artemis.params.trustStorePassword=" + defaultPassword,
 				}
@@ -10360,6 +10361,7 @@ var _ = Describe("artemis controller", func() {
 
 				crd.Spec.BrokerProperties = []string{
 					"connectorConfigurations.artemis.params.sslEnabled=true",
+					"connectorConfigurations.artemis.params.forceSSLParameters=true",
 					"connectorConfigurations.artemis.params.trustStorePath=/etc/" + tlsSecretName + "-volume/tls.crt",
 					"connectorConfigurations.artemis.params.trustStoreType=PEM",
 				}
@@ -10415,6 +10417,7 @@ var _ = Describe("artemis controller", func() {
 
 				crd.Spec.BrokerProperties = []string{
 					"connectorConfigurations.artemis.params.sslEnabled=true",
+					"connectorConfigurations.artemis.params.forceSSLParameters=true",
 					"connectorConfigurations.artemis.params.trustStorePath=/etc/" + tlsSecretName + "-volume/broker.ks",
 					"connectorConfigurations.artemis.params.trustStorePassword=" + defaultPassword,
 				}
@@ -10456,6 +10459,7 @@ var _ = Describe("artemis controller", func() {
 
 				crd.Spec.BrokerProperties = []string{
 					"connectorConfigurations.artemis.params.sslEnabled=true",
+					"connectorConfigurations.artemis.params.forceSSLParameters=true",
 					"connectorConfigurations.artemis.params.trustStorePath=/etc/" + tlsSecretName + "-volume/broker.ks",
 					"connectorConfigurations.artemis.params.trustStorePassword=" + defaultPassword,
 					"connectorConfigurations.artemis.params.verifyHost=false",

diff --git a/controllers/common_util_test.go b/controllers/common_util_test.go
@@ -700,7 +700,7 @@ func GenerateKeystore(password string, dnsNames []string) ([]byte, error) {
 		return nil, err
 	}
 
-	ksBytes, err := pkcs12.Encode(crand.Reader, caPrivKey, cert, []*x509.Certificate{}, password)
+	ksBytes, err := pkcs12.Modern.Encode(caPrivKey, cert, []*x509.Certificate{}, password)
 	if err != nil {
 		return nil, err
 	}
@@ -716,7 +716,7 @@ func GenerateTrustStoreFromKeyStore(ksBytes []byte, password string) ([]byte, er
 		return nil, err
 	}
 
-	pfxBytes, err := pkcs12.EncodeTrustStore(crand.Reader, []*x509.Certificate{cert}, password)
+	pfxBytes, err := pkcs12.Modern.EncodeTrustStore([]*x509.Certificate{cert}, password)
 
 	if err != nil {
 		return nil, err

diff --git a/controllers/suite_test.go b/controllers/suite_test.go
@@ -143,6 +143,7 @@ var (
 
 	artemisGvk = schema.GroupVersionKind{Group: "broker", Version: "v1beta1", Kind: "ActiveMQArtemis"}
 
+	isFIPSEnabled                             = false
 	isOpenshift                               = false
 	isIngressSSLPassthroughEnabled            = false
 	verbose                                   = false
@@ -202,6 +203,15 @@ func setUpEnvTest() {
 		kubeTool = "oc"
 	}
 
+	if isOpenshift {
+		clusterConfig := &corev1.ConfigMap{}
+		clusterConfigKey := types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}
+		clusterConfigErr := k8sClient.Get(ctx, clusterConfigKey, clusterConfig)
+		if clusterConfigErr == nil {
+			isFIPSEnabled = strings.Contains(clusterConfig.Data["install-config"], "fips: true")
+		}
+	}
+
 	setUpIngress()
 
 	setUpNamespace()

diff --git a/go.mod b/go.mod
@@ -20,7 +20,7 @@ require (
 	k8s.io/apimachinery v0.28.3
 	k8s.io/client-go v0.28.3
 	sigs.k8s.io/controller-runtime v0.16.3
-	software.sslmate.com/src/go-pkcs12 v0.2.1
+	software.sslmate.com/src/go-pkcs12 v0.5.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -340,5 +340,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kF
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-software.sslmate.com/src/go-pkcs12 v0.2.1 h1:tbT1jjaeFOF230tzOIRJ6U5S1jNqpsSyNjzDd58H3J8=
-software.sslmate.com/src/go-pkcs12 v0.2.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.5.0 h1:EC6R394xgENTpZ4RltKydeDUjtlM5drOYIG9c6TVj2M=
+software.sslmate.com/src/go-pkcs12 v0.5.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=