From be0415e556aa183dc425a386cb07e0f681f5ca56 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 29 Apr 2021 10:48:37 -0400
Subject: [PATCH] Add role to enable FIPS on a node

Adds role to be used to enable FIPS on test nodes, so that projects can create jobs that would test when FIPS is enabled.

This is pretty much copied from the same role in ansible zuul jobs, where it works well. Thanks to Paul Belanger for pointing it out.

https://github.com/ansible/ansible-zuul-jobs/blob/master/roles/enable-fips-mode/tasks/main.yaml

An example showing how this is can be used is in:
https://review.opendev.org/c/openstack/barbican/+/760665

Change-Id: If07b8ddb77368d591659f3a111e3f5306daf6f06
---
 doc/source/general-roles.rst | 1 +
 roles/enable-fips/README.rst | 4 ++
 roles/enable-fips/tasks/main.yaml | 63 ++++++++++++++++++++++++++++
 zuul-tests.d/general-roles-jobs.yaml | 15 +++++++
 4 files changed, 83 insertions(+)
 create mode 100644 roles/enable-fips/README.rst
 create mode 100644 roles/enable-fips/tasks/main.yaml

diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index afc009d22..c81eb4efd 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -13,6 +13,7 @@ General Purpose Roles
 .. zuul:autorole:: download-artifact
 .. zuul:autorole:: dstat-graph
 .. zuul:autorole:: emit-job-header
+.. zuul:autorole:: enable-fips
 .. zuul:autorole:: enable-netconsole
 .. zuul:autorole:: ensure-bazelisk
 .. zuul:autorole:: ensure-dhall
diff --git a/roles/enable-fips/README.rst b/roles/enable-fips/README.rst
new file mode 100644
index 000000000..c84db5ab6
--- /dev/null
+++ b/roles/enable-fips/README.rst
@@ -0,0 +1,4 @@
+Enable FIPS on a node.
+
+Set a node into FIPS mode, to test functionality when crypto
+policies are set to FIPS in RHEL 8/Centos 8.
diff --git a/roles/enable-fips/tasks/main.yaml b/roles/enable-fips/tasks/main.yaml
new file mode 100644
index 000000000..aebdb9497
--- /dev/null
+++ b/roles/enable-fips/tasks/main.yaml
@@ -0,0 +1,63 @@
+---
+- name: Make sure this role is run on RHEL/CentOS 8 systems
+  fail:
+    msg: This role supports RHEL/CentOS 8 systems only
+  when:
+    - (ansible_distribution != 'CentOS' and ansible_distribution != 'Red Hat Enterprise Linux') or
+      ansible_distribution_major_version != '8'
+
+- name: Install fips-mode-setup
+  become: true
+  package:
+    name: crypto-policies-scripts
+    state: present
+
+- name: Enable FIPS mode
+  become: true
+  command: fips-mode-setup --enable
+
+- name: check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub
+  become: true
+  shell: |
+    set -o pipefail
+    grep "GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub
+  register: test_grep
+  failed_when: false
+
+- name: add GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"'
+  when: test_grep.rc != 0
+
+- name: Replace GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 fips=1"'
+    backrefs: true
+  when: test_grep.rc == 0
+
+- name: Rebuild grub.cfg file
+  become: true
+  command: grub2-mkconfig -o /boot/grub2/grub.cfg
+
+- name: Reboot server for FIPS mode
+  become: true
+  reboot:
+    reboot_timeout: 1800
+
+- name: Run start-zuul-console role
+  include_role:
+    name: start-zuul-console
+
+- name: Ensure FIPS mode is enabled
+  become: true
+  command: fips-mode-setup --check
+  register: _result
+
+- name: Assert FIPS is enabled
+  assert:
+    that: _result.stdout == "FIPS mode is enabled."
diff --git a/zuul-tests.d/general-roles-jobs.yaml b/zuul-tests.d/general-roles-jobs.yaml
index 4ff06ac15..766a14f42 100644
--- a/zuul-tests.d/general-roles-jobs.yaml
+++ b/zuul-tests.d/general-roles-jobs.yaml
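Review bot: The "Replace GRUB_CMDLINE_LINUX_DEFAULT" task is not idempotent and can edit the wrong line: neither the grep nor the lineinfile regexp is anchored, so a commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=...` line also matches, and every re-run of the role appends another ` fips=1` to the captured group. Anchoring both patterns, `grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub` and `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="(.*)"'`, and guarding the replace with `when: test_grep.rc == 0 and 'fips=1' not in test_grep.stdout` fixes both. On RHEL/CentOS 8 `fips-mode-setup --enable` already adds `fips=1` to the kernel command line through grubby, so the grub edits and the hard-coded `/boot/grub2/grub.cfg` path (which is not the live config on UEFI nodes) are probably redundant — worth confirming before keeping them. The final assert compares `_result.stdout` for exact equality with a single line; `'FIPS mode is enabled.' in _result.stdout` would keep the check working if the tool prints additional status lines.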
@@ -368,6 +368,19 @@
     vars:
       role_name: clear-firewall
 
+- job:
+    name: zuul-jobs-test-enable-fips
+    description: Test the enable-fips role
+    files:
+      - roles/enable-fips/.*
+    run: test-playbooks/simple-role-test.yaml
+    vars:
+      role_name: enable-fips
+    nodeset:
+      nodes:
+        - name: centos-8-stream
+          label: centos-8-stream
+
 - job:
     name: zuul-jobs-test-ensure-bazelisk
     description: Test the ensure-bazelisk role
@@ -749,6 +762,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph
@@ -798,6 +812,7 @@
         - zuul-jobs-test-bindep-ubuntu-xenial
         - zuul-jobs-test-bindep-ubuntu-focal
         - zuul-jobs-test-clear-firewall
+        - zuul-jobs-test-enable-fips
         - zuul-jobs-test-ensure-bazelisk
         - zuul-jobs-test-netconsole
         - zuul-jobs-test-dstat-graph