Add FIPS validation

Check if the system has FIPS enabled.

Change-Id: I9c83d226ff840d6f317a3b0906ead7888fa9342e

doc/source/roles/role-fips_enabled.rst

@@ -0,0 +1,49 @@
+============
+fips_enabled
+============
+
+--------------
+About The Role
+--------------
+
+This role will check if system has turned on FIPS.
+This validation can be enabled or disabled within the variable:
+`enforce_fips_validation`, setting it to `true` will
+enable the validation, setting to `false` will disable it.
+
+Requirements
+============
+
+Turned on FIPS.
+
+Dependencies
+============
+
+No dependencies.
+
+Example Playbook
+================
+
+.. code-block:: yaml
+
+    - hosts: localhost
+      gather_facts: false
+      roles:
+        - { role: fips_enabled }
+
+Licence
+=======
+
+Apache
+
+Author Information
+==================
+
+**Red Hat TripleO DFG:Security Squad:OG**
+
+----------------
+Full Description
+----------------
+
+.. ansibleautoplugin::
+  :role: roles/fips_enabled

playbooks/fips-enabled.yaml

@@ -0,0 +1,19 @@
+---
+- hosts: all
+  gather_facts: false
+  vars:
+    metadata:
+      name: Confirm that undercloud has fips enabled
+      description: |
+        Check if the undercloud is ready to deploy an environment
+        using fips.
+      groups:
+        - prep
+        - post-deployment
+      categories:
+        - security
+        - fips
+      products:
+        - tripleo
+  roles:
+    - fips_enabled

roles/fips_enabled/molecule/default/converge.yml

@@ -0,0 +1,60 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Converge
+  hosts: all
+  vars:
+    fips_enabled_path: /proc/sys/crypto/fips_enabled
+  tasks:
+    - name: FIPS enabled
+      copy:
+        dest: fips_enabled_path
+        mode: 0755
+        content: "1"
+
+    - name: Test FIPS Enabled
+      vars:
+        enforce_fips_validation: false
+      include_role:
+        name: "fips_enabled"
+
+    - name: FIPS disabled
+      copy:
+        dest: fips_enabled_path
+        mode: 0755
+        content: "0"
+
+    - name: Test FIPS disabled fails
+      vars:
+        enforce_fips_validation: true
+      block:
+        - name: Load role with failure
+          include_role:
+            name: "fips_enabled"
+      rescue:
+        - name: Clear host error
+          meta: clear_host_errors
+
+        - name: Status message
+          debug:
+            msg: 'Successfully detected FIPS is disabled!'
+
+        - name: End play
+          meta: end_play
+
+    - name: Fail if we get to this place
+      fail:
+        msg: 'Unit test failed: Did not detect that FIPS is disabled!'

roles/fips_enabled/molecule/default/molecule.yml

@@ -0,0 +1,3 @@
+---
+# inherits tripleo-validations/.config/molecule/config.yml
+# To override default values, please take a look at the config.yml.

roles/fips_enabled/molecule/default/prepare.yml

@@ -0,0 +1,19 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Prepare
+  hosts: all
+  gather_facts: false

roles/fips_enabled/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# "fips_enabled" tasks
+
+- name: Read FIPS status in /proc/sys/crypto/fips_enabled
+  slurp:
+    src: "{{ fips_status_path }}"
+  register: fips_status
+
+- name: Fail when FIPS is not enabled
+  fail:
+    msg: "Fips is disabled"
+  when:
+    - fips_status != 1
+    - enforce_fips_validation == true

roles/fips_enabled/vars/main.yml

@@ -0,0 +1,29 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# While options found within the vars/ path can be overridden using extra
+# vars, items within this path are considered part of the role and not
+# intended to be modified.
+
+# All variables within this role should have a prefix of "tripleo_check_fips_status"
+
+# !!!! IMPORTANT !!!!
+# Add a comment above every variables describing them.
+# This will be included in the sphinx role documentation
+# !!!! IMPORTANT !!!!
+fips_status_path: /proc/sys/crypto/fips_enabled
+enforce_fips_validation: false

zuul.d/molecule.yaml

@@ -5,6 +5,7 @@
     check:
       jobs:
       - tripleo-validations-centos-8-molecule-ceph
+      - tripleo-validations-centos-8-molecule-check_fips_status
       - tripleo-validations-centos-8-molecule-check_for_dangling_images
       - tripleo-validations-centos-8-molecule-check_kernel_version
       - tripleo-validations-centos-8-molecule-check_network_gateway
@@ -35,6 +36,7 @@
     gate:
       jobs:
       - tripleo-validations-centos-8-molecule-ceph
+      - tripleo-validations-centos-8-molecule-check_fips_status
       - tripleo-validations-centos-8-molecule-check_for_dangling_images
       - tripleo-validations-centos-8-molecule-check_kernel_version
       - tripleo-validations-centos-8-molecule-check_network_gateway
@@ -73,6 +75,17 @@
     parent: tripleo-validations-centos-8-base
     vars:
       tripleo_validations_role_name: ceph
+- job:
+    files:
+    - ^roles/fips_enabled/.*
+    - ^tests/prepare-test-host.yml
+    - ^ci/playbooks/pre.yml
+    - ^ci/playbooks/run.yml
+    - ^molecule-requirements.txt
+    name: tripleo-validations-centos-8-molecule-check_fips_status
+    parent: tripleo-validations-centos-8-base
+    vars:
+      tripleo_validations_role_name: fips_enabled
 - job:
     files:
     - ^roles/check_for_dangling_images/.*