szaszm commented on code in PR #1950:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1950#discussion_r2014393089


##########
minifi_main/Fips.cpp:
##########
@@ -63,29 +71,39 @@ bool replaceMinifiHomeVariable(const std::filesystem::path& 
file_path, const std
   output_file.close();
   return true;
 }
+
+bool generateFipsModuleConfig(const std::filesystem::path& minifi_home, const 
std::shared_ptr<core::logging::Logger>& logger) {
+  std::filesystem::path output_file(minifi_home / "fips" / "fipsmodule.cnf");
+  logger->log_info("fipsmodule.cnf was not found, trying to run fipsinstall 
command to generate the file");
+
+#ifdef WIN32
+  std::string command = "\"\"" + (minifi_home / "fips" / 
"openssl.exe").string() + "\" fipsinstall -out \"" + output_file.string() + "\" 
-module \"" + (minifi_home / "fips" / FIPS_LIB).string() + "\"\"";
+#else
+  std::string command = "\"" + (minifi_home / "fips" / "openssl").string() + 
"\" fipsinstall -out \"" + output_file.string() + "\" -module \"" + 
(minifi_home / "fips" / FIPS_LIB).string() + "\"";
+#endif
+  auto ret = std::system(command.c_str());
+  if (ret != 0) {
+    logger->log_error("Failed to generate fipsmodule.cnf file");
+    return false;
+  }
+  logger->log_info("Successfully generated fipsmodule.cnf file");
+  return true;
+}
 }  // namespace
 
 void initializeFipsMode(const std::shared_ptr<minifi::Configure>& configure, 
const std::filesystem::path& minifi_home, const 
std::shared_ptr<core::logging::Logger>& logger) {
   if (!(configure->get(minifi::Configure::nifi_openssl_fips_support_enable) | 
utils::andThen(utils::string::toBool)).value_or(false)) {
     return;
   }
 
-#ifdef WIN32
-  static constexpr std::string_view FIPS_LIB = "fips.dll";
-#elif defined(__APPLE__)
-  static constexpr std::string_view FIPS_LIB = "fips.dylib";
-#else
-  static constexpr std::string_view FIPS_LIB = "fips.so";
-#endif
-
   if (!std::filesystem::exists(minifi_home / "fips" / FIPS_LIB)) {
     logger->log_error("FIPS mode is enabled, but {} is not available in 
MINIFI_HOME/fips directory", FIPS_LIB);
     std::exit(1);
   }
 
-  if (!std::filesystem::exists(minifi_home / "fips" / "fipsmodule.cnf")) {
-    logger->log_error("FIPS mode is enabled, but fipsmodule.cnf is not 
available in MINIFI_HOME/fips directory. "
-      "Run MINIFI_HOME/fips/openssl fipsinstall -out fipsmodule.cnf -module 
MINIFI_HOME/fips/{} command to generate the configuration file", FIPS_LIB);
+  if (!std::filesystem::exists(minifi_home / "fips" / "fipsmodule.cnf") && 
!generateFipsModuleConfig(minifi_home, logger)) {
+    logger->log_error("FIPS mode is enabled, but fipsmodule.cnf is not 
available in $MINIFI_HOME/fips directory. "
+      "Run $MINIFI_HOME/fips/openssl fipsinstall -out fipsmodule.cnf -module 
$MINIFI_HOME/fips/{} command to generate the configuration file", FIPS_LIB);
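Review bot: generateFipsModuleConfig builds the fipsinstall command by concatenating minifi_home into a string and passes it to `std::system`, so a shell parses the paths; on POSIX the surrounding double quotes do not neutralise a `"`, `$` or backtick inside the MINIFI_HOME value, and the value returned by `std::system` is an implementation-defined status rather than the exit code. I would start the binary with an argument vector instead, so that each path reaches openssl as exactly one argument and the exit status can be checked and logged; a sketch for the non-Windows branch follows, and the WIN32 branch would need the same treatment through the process-creation API rather than the command interpreter. The executable and the module are both taken from MINIFI_HOME/fips, so it is worth documenting that this directory must be writable only by the account that installs minifi. The quoted hunk stops inside the `if` body of initializeFipsMode, so the rest of that function is not visible here.

```cpp
#else
  // … unchanged: WIN32 branch above, output_file and the first log_info call …
  const std::string openssl_path = (minifi_home / "fips" / "openssl").string();
  const std::string out_path = output_file.string();
  const std::string module_path = (minifi_home / "fips" / FIPS_LIB).string();
  // The argument vector is handed to the binary as-is; no shell interprets the paths.
  char* const argv[] = {
      const_cast<char*>(openssl_path.c_str()),
      const_cast<char*>("fipsinstall"),
      const_cast<char*>("-out"), const_cast<char*>(out_path.c_str()),
      const_cast<char*>("-module"), const_cast<char*>(module_path.c_str()),
      nullptr};
  pid_t pid = 0;
  if (posix_spawn(&pid, openssl_path.c_str(), nullptr, nullptr, argv, environ) != 0) {
    logger->log_error("Failed to start {} to generate fipsmodule.cnf", openssl_path);
    return false;
  }
  int status = 0;
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
    logger->log_error("Failed to generate fipsmodule.cnf file");
    return false;
  }
#endif
  // … unchanged: success log_info and return true …
```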

Review Comment:
   ```suggestion
       logger->log_error("FIPS mode is enabled, but fipsmodule.cnf is not 
available in $MINIFI_HOME/fips directory, and minifi couldn't generate it 
automatically. "
         "Run $MINIFI_HOME/fips/openssl fipsinstall -out fipsmodule.cnf -module 
$MINIFI_HOME/fips/{} command to generate the configuration file", FIPS_LIB);
   ```


