From a1f3d81e723bbcf40fd5998a98c6c006d7082d40 Mon Sep 17 00:00:00 2001
From: Milan Zamazal
Date: Thu, 16 Jun 2022 17:03:32 +0200
Subject: [PATCH] core: Check for real FIPS when adding username to a VNC ticket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FIPS can be enabled on a host without the corresponding parameter in the kernel command line. In such a case, the host expects username in the VNC display ticket. But Engine inserts username only when the FIPS parameter is in the kernel command line and VNC connection doesn’t work is such a case. To fix this, let’s check in Engine for what the host says about FIPS rather than for the kernel command line parameter.
---
 .../engine/core/bll/ConfigureConsoleOptionsQuery.java | 8 ++++----
 .../engine/core/bll/ConfigureConsoleOptionsQueryTest.java | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java
index 13586842ea4..dbaf0cc236d 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQuery.java
@@ -156,7 +156,7 @@ private void fillCommonPart(ConsoleOptions options) {
 options.setSmartcardEnabled(getCachedVm().isSmartcardEnabled());
 if (getParameters().isSetTicket()) {
 options.setTicket(generateTicket());
- if (isKernelFips()) {
+ if (isFips()) {
 options.setUsername(ConfigureConsoleOptionsParams.VNC_USERNAME_PREFIX + getCachedVm().getId());
 }
 }
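Review bot: The `if (isFips())` branch in `fillCommonPart` carries no comment saying why a username is attached to the ticket; the reason is recorded only in the commit message. A one-line comment above the condition would keep it next to the code: `// Hosts with FIPS enabled expect a username in the VNC display ticket.` The same predicate is used in `determineHost` (third hunk), where an existing comment already explains the TLS host-name requirement. `fillCommonPart` begins above this hunk and may continue below it.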
@@ -333,8 +333,8 @@ protected VdsDynamic getHost() {
 return vdsDynamicDao.get(getCachedVm().getRunOnVds());
 }
- protected boolean isKernelFips() {
- return vdsStaticDao.get(getCachedVm().getRunOnVds()).isKernelCmdlineFips();
+ protected boolean isFips() {
+ return getHost().isFipsEnabled();
 }
 protected boolean isVncEncryptionEnabled() {
@@ -397,7 +397,7 @@ private String determineHost() {
 new IdQueryParameters(getCachedVm().getId()));
 result = returnValue.getReturnValue();
 } else if (getParameters().getOptions().getGraphicsType() == GraphicsType.VNC
- && (isKernelFips() || isVncEncryptionEnabled())) {
+ && (isFips() || isVncEncryptionEnabled())) {
 // If VNC encyption is enabled (at cluster level or because of FIPS mode)
 // the console descriptor must contain host name,
 // to match TLS certificate for connection
diff --git a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQueryTest.java b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQueryTest.java
index 7b5bf02d1c9..ef3b429304c 100644
--- a/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQueryTest.java
+++ b/backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/ConfigureConsoleOptionsQueryTest.java
@@ -133,7 +133,7 @@ public void shouldCallSetTicket() {
 result.setActionReturnValue("nbusr123");
 doReturn(result).when(backend).runAction(eq(ActionType.SetVmTicket), any());
 doReturn(null).when(getQuery()).getHost();
- doReturn(false).when(getQuery()).isKernelFips();
+ doReturn(false).when(getQuery()).isFips();
 doReturn(false).when(getQuery()).isVncEncryptionEnabled();
 getQuery().getQueryReturnValue().setSucceeded(true);
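Review bot: `isFips()` dereferences the result of `getHost()` without a null check, although `getHost()` simply returns what `vdsDynamicDao.get(getCachedVm().getRunOnVds())` yields and the test `shouldCallSetTicket` in this same patch stubs `getHost()` to return null, so a missing host looks like a case this class has to tolerate. A guard such as `VdsDynamic host = getHost();` followed by `return host != null && host.isFipsEnabled();` would avoid the NullPointerException. Because the result gates both the ticket username and the host name used for TLS certificate matching in `determineHost`, whether an unknown host should map to `false` or to an explicit failure is a decision worth making deliberately. The replaced `isKernelFips()` chained onto a DAO lookup in the same way, so this is presumably not a regression. All three test hunks stub `isFips()` itself, which means the new body is never executed; `shouldFillUsernameInFipsMode` already returns a `VdsDynamic` from the stubbed `getHost()` and could set the FIPS flag on that object instead of stubbing `isFips()`.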
@@ -157,7 +157,7 @@ public void shouldFillUseSsl() {
 VdsDynamic vds = new VdsDynamic();
 vds.setVncEncryptionEnabled(true);
 doReturn(vds).when(getQuery()).getHost();
- doReturn(false).when(getQuery()).isKernelFips();
+ doReturn(false).when(getQuery()).isFips();
 doReturn(false).when(getQuery()).isVncEncryptionEnabled();
 getQuery().getQueryReturnValue().setSucceeded(true);
@@ -188,7 +188,7 @@ public void shouldFillUsernameInFipsMode() {
 VdsDynamic vdsDynamic = new VdsDynamic();
 vdsDynamic.setVncEncryptionEnabled(true);
 doReturn(vdsDynamic).when(getQuery()).getHost();
- doReturn(true).when(getQuery()).isKernelFips();
+ doReturn(true).when(getQuery()).isFips();
 getQuery().getQueryReturnValue().setSucceeded(true);
 getQuery().executeQueryCommand();