config: Convert fips_mode to fips_mode_flag

Signed-off-by: Michael Boquard <michael@redpanda.com>
redpanda-data · Jun 4, 2024 · b150e14 · b150e14
1 parent cfbb182
commit b150e14
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 16 deletions.
diff --git a/src/v/cloud_storage/types.cc b/src/v/cloud_storage/types.cc
@@ -14,6 +14,7 @@
 #include "cloud_storage/configuration.h"
 #include "cloud_storage/logger.h"
 #include "config/node_config.h"
+#include "config/types.h"
 
 #include <absl/container/node_hash_set.h>
 
@@ -428,7 +429,7 @@ ss::future<configuration> configuration::get_s3_config() {
         region,
         bucket_name,
         cloud_storage_clients::from_config(url_style),
-        config::node().fips_mode.value(),
+        config::fips_mode_enabled(config::node().fips_mode.value()),
         get_default_overrides(),
         disable_metrics,
         disable_public_metrics);

diff --git a/src/v/cloud_storage_clients/s3_client.cc b/src/v/cloud_storage_clients/s3_client.cc
@@ -19,6 +19,7 @@
 #include "cloud_storage_clients/xml_sax_parser.h"
 #include "config/configuration.h"
 #include "config/node_config.h"
+#include "config/types.h"
 #include "hashing/secure.h"
 #include "http/client.h"
 #include "net/types.h"
@@ -602,7 +603,7 @@ s3_client::self_configure() {
     // fips mode can only work in virtual_host mode, so if the above test failed
     // the TS service is likely misconfigured
     vassert(
-      !config::node().fips_mode.value(),
+      !config::fips_mode_enabled(config::node().fips_mode.value()),
       "fips_mode requires the bucket to configured in virtual_host mode, but "
       "the connectivity test failed");
 

diff --git a/src/v/cluster/cluster_utils.cc b/src/v/cluster/cluster_utils.cc
@@ -83,7 +83,7 @@ model::broker make_self_broker(const config::node_config& node_cfg) {
         .available_memory_gb = total_mem_gb,
         .available_disk_gb = disk_gb,
         .available_memory_bytes = total_mem,
-        .in_fips_mode = node_cfg.fips_mode()});
+        .in_fips_mode = config::fips_mode_enabled(node_cfg.fips_mode())});
 }
 
 bool are_replica_sets_equal(

diff --git a/src/v/config/node_config.cc b/src/v/config/node_config.cc
@@ -10,6 +10,7 @@
 #include "node_config.h"
 
 #include "config/configuration.h"
+#include "config/types.h"
 #include "utils/unresolved_address.h"
 
 namespace config {
@@ -193,19 +194,26 @@ node_config::node_config() noexcept
   , fips_mode(
       *this,
       "fips_mode",
-      "Controls whether or not Redpanda starts in FIPS mode.  In the FIPS "
-      "mode of operation, Redpanda first verifies that the operating system "
+      "Controls whether or not Redpanda starts in FIPS mode.  This property "
+      "allows for three values: 'disabled', 'enabled', and 'permissive'.  When "
+      "'enabled' is selected, Redpanda first verifies that the operating "
+      "system "
       "is enabled for FIPS by checking /proc/sys/crypto/fips_enabled.  If the "
       "file does not exist or does not return '1', Redpanda immediately "
-      "exits.  After the check is complete, Redpanda loads the "
+      "exits.  If 'permissive' is selected, the same check is performed "
+      "however a WARNING is logged and Redpanda will continue to run.  After "
+      "the check is complete, Redpanda loads the "
       "OpenSSL FIPS provider into the OpenSSL library.  After this is "
       "complete, Redpanda is operating in FIPS mode, which means that the "
       "TLS cipher suites available to users are limited to TLSv1.2 "
       "and TLSv1.3, and of those, only the ones that use NIST-approved "
       "cryptographic methods.  For more information about FIPS, refer to "
       "Redpanda documentation.",
       {.visibility = visibility::user},
-      false)
+      fips_mode_flag::disabled,
+      {fips_mode_flag::disabled,
+       fips_mode_flag::enabled,
+       fips_mode_flag::permissive})
   , openssl_config_file(
       *this,
       "openssl_config_file",

diff --git a/src/v/config/node_config.h b/src/v/config/node_config.h
@@ -88,7 +88,7 @@ struct node_config final : public config_store {
       verbose_logging_timeout_sec_max;
 
     // Flag indicating whether or not Redpanda will start in FIPS mode
-    property<bool> fips_mode;
+    enum_property<fips_mode_flag> fips_mode;
 
     // Path to the OpenSSL config file
     property<std::optional<std::filesystem::path>> openssl_config_file;

diff --git a/src/v/redpanda/application.cc b/src/v/redpanda/application.cc
@@ -76,6 +76,7 @@
 #include "config/endpoint_tls_config.h"
 #include "config/node_config.h"
 #include "config/seed_server.h"
+#include "config/types.h"
 #include "crypto/ossl_context_service.h"
 #include "features/feature_table_snapshot.h"
 #include "features/fwd.h"
@@ -887,7 +888,7 @@ void application::check_environment() {
         }
     }
 
-    if (config::node().fips_mode()) {
+    if (config::fips_mode_enabled(config::node().fips_mode())) {
         if (!ss::file_exists(fips_enabled_file).get()) {
             throw std::runtime_error(fmt::format(
               "File '{}' does not exist.  Redpanda cannot start in FIPS mode",
@@ -898,10 +899,23 @@ void application::check_environment() {
         char buf[1];
         fd.read(buf, 1);
         if (buf[0] != '1') {
-            throw std::runtime_error(fmt::format(
+            auto msg = fmt::format(
               "File '{}' not reporting '1'.  Redpanda cannot start in FIPS "
               "mode",
-              fips_enabled_file));
+              fips_enabled_file);
+            if (config::node().fips_mode() == config::fips_mode_flag::enabled) {
+                throw std::runtime_error(msg);
+            } else if (
+              config::node().fips_mode()
+              == config::fips_mode_flag::permissive) {
+                vlog(_log.warn, "{}", msg);
+            } else {
+                vassert(
+                  false,
+                  "Should not be performing environment check for FIPS when "
+                  "fips mode is {}",
+                  config::node().fips_mode());
+            }
         }
         syschecks::systemd_message("Starting Redpanda in FIPS mode").get();
     }
@@ -2136,15 +2150,17 @@ void application::wire_up_and_start_crypto_services() {
       std::ref(*thread_worker),
       ss::sstring{config::node().openssl_config_file().value_or("")},
       ss::sstring{config::node().openssl_module_directory().value_or("")},
-      config::node().fips_mode() ? crypto::is_fips_mode::yes
-                                 : crypto::is_fips_mode::no)
+      config::fips_mode_enabled(config::node().fips_mode())
+        ? crypto::is_fips_mode::yes
+        : crypto::is_fips_mode::no)
       .get();
     ossl_context_service.invoke_on_all(&crypto::ossl_context_service::start)
       .get();
     ossl_context_service.map([](auto& s) { return s.fips_mode(); })
       .then([](auto fips_mode_vals) {
-          auto expected = config::node().fips_mode() ? crypto::is_fips_mode::yes
-                                                     : crypto::is_fips_mode::no;
+          auto expected = config::fips_mode_enabled(config::node().fips_mode())
+                            ? crypto::is_fips_mode::yes
+                            : crypto::is_fips_mode::no;
           for (auto fips_mode : fips_mode_vals) {
               vassert(
                 fips_mode == expected,

diff --git a/tests/rptest/services/redpanda.py b/tests/rptest/services/redpanda.py
@@ -3959,7 +3959,7 @@ def is_fips_capable(node) -> bool:
             )
             doc = yaml.full_load(conf)
             doc["redpanda"].update(
-                dict(fips_mode=True,
+                dict(fips_mode="enabled",
                      openssl_config_file=RedpandaService.OPENSSL_CONFIG_FILE,
                      openssl_module_directory=RedpandaService.
                      OPENSSL_MODULES_PATH))