Add nodejs fips test and a simple fips app for veriifcation

Add test that verifies that if:
	Container is in fips mode, node is also using fips mode.

	Container isnt in fips mode, node also isnt using fips mode.

Add simple Fips application which in the context of server verifies:
*	That FIPS allows the generation  of only secure hash algorithms and ciphers.
*	Should allow: SHA256, AES. Should Fail: MLD, 2Key 3DES.

Author: tjuhaszrh

test/run

@@ -61,6 +61,9 @@ test_node_cmd_development_init_wrapper_true
 test_init_wrapper_false_development
 "
 
+TEST_LIST_FIPS="\
+test_nodejs_fips_mode
+"
 source "${THISDIR}/test-lib.sh"
 source "${THISDIR}/test-lib-nodejs.sh"
 
@@ -160,3 +163,12 @@ evaluate_build_result $? "proxy"
 TEST_SET=${TESTS:-$TEST_LIST_HW} ct_run_tests_from_testset "hw"
 
 cleanup
+
+echo "Testing fips mode"
+prepare fips
+check_prep_result $? fips || exit
+echo "Testing the production image build"
+run_s2i_fips
+evaluate_build_result $? "default"
+
+TEST_SET=${TESTS:-$TEST_LIST_FIPS} ct_run_tests_from_testset "fips"

test/test-fips/README.md

@@ -0,0 +1,4 @@
+node-echo
+=========
+
+node.js echo server, tests fips functionality.

test/test-fips/iisnode.yml

@@ -0,0 +1,27 @@
+# For documentation see https://github.com/tjanczuk/iisnode/blob/master/src/samples/configuration/iisnode.yml
+
+# loggingEnabled: false
+# debuggingEnabled: false
+# devErrorsEnabled: false
+node_env: production
+# nodeProcessCountPerApplication: 1
+# maxConcurrentRequestsPerProcess: 1024
+# maxNamedPipeConnectionRetry: 24
+# namedPipeConnectionRetryDelay: 250
+# maxNamedPipeConnectionPoolSize: 512
+# maxNamedPipePooledConnectionAge: 30000
+# asyncCompletionThreadCount: 0
+# initialRequestBufferSize: 4096
+# maxRequestBufferSize: 65536
+watchedFiles: iisnode.yml;node_modules\*;*.js
+# uncFileChangesPollingInterval: 5000
+# gracefulShutdownTimeout: 60000
+# logDirectoryNameSuffix: logs
+# debuggerPortRange: 5058-6058
+# debuggerPathSegment: debug
+# maxLogFileSizeInKB: 128
+# appendToExistingLog: false
+# logFileFlushInterval: 5000
+# flushResponse: false
+# enableXFF: false
+# promoteServerVars:  

test/test-fips/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "node-echo",
+  "version": "0.0.1",
+  "description": "node-echo",
+  "main": "server.js",
+  "dependencies": {
+  },
+  "devDependencies": {
+    "nodemon": "*"
+  },
+  "engine": {
+    "node": "*",
+    "npm": "*"
+  },
+  "scripts": {
+    "dev": "nodemon --ignore node_modules/ server.js",
+    "start": "node server.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "http://github.com/bettiolo/node-echo.git"
+  },
+  "keywords": [
+    "Echo"
+  ],
+  "author": "Marco Bettiolo <[email protected]>",
+  "license": "",
+  "bugs": {
+    "url": "http://github.com/bettiolo/node-echo/issues"
+  },
+  "homepage": "http://apilb.com"
+}

test/test-fips/server.js

@@ -0,0 +1,88 @@
+const crypto = require('crypto');
+var http = require('http');
+var port = process.env.PORT || process.env.port || process.env.OPENSHIFT_NODEJS_PORT || 8080;
+var ip = process.env.OPENSHIFT_NODEJS_IP || '0.0.0.0';
+var server = http.createServer(function (req, res) {
+    const fipsMode = getFipsMode();
+
+	res.writeHead(200, {'Content-Type': 'text/plain'});
+    verifySupportedHash(fipsMode);
+	res.write('Hash generation succesfully verified\n');
+    verifySupportedCiphers(fipsMode);
+	res.write('Cipher generation succesfully verified\n');
+	res.end('\n');
+
+});
+server.listen(port);
+console.log('Server running on ' + ip + ':' + port);
+
+/*
+    * Return boolean value 
+    * True if FIPS is enabled
+    * False if Disabled
+*/
+function getFipsMode () {
+    return !!crypto.getFips();
+}
+
+/*
+    * Verify usage of FIPS supported hash algs
+    * sha256 is FIPS supported
+    * MLD isn't FIPS supported
+*/
+function verifySupportedHash(fipsMode) {
+    try {
+        const hashSha256 = crypto.createHash('sha256').update('FIPS test').digest('hex');
+    } catch (e) {
+        console.error("Error: SHA256 generation should be supported with FIPS.");
+        exit.process(1);
+    }
+    try {
+        crypto.createHash('md5').update('MD5 test').digest('hex');
+        if (fipsMode) {
+            console.error('Error: MD5 generation should not be suscessfull with FIPS enabled.');
+            exit.process(1);
+        }
+    } catch (e) {
+        if (!fipsMode) {
+            console.error('Error: MD5 generation should pass without FIPS mode.');
+            exit.process(1);
+        }
+    }
+}
+
+/*
+    * Verify usage of FIPS supported ciphers
+    * AES is FIPS supported
+    * 3DES with only two keys isn't FIPS supported
+*/
+function verifySupportedCiphers(fipsMode) {
+    try {
+        const key = crypto.randomBytes(32); 
+        const iv = crypto.randomBytes(16);  
+        const plaintext = 'Test of AES encryption.';
+        const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
+        let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+    } catch (e) {
+        console.error('Error: AES-256 generation should be supported with FIPS');
+        process.exit(1);
+    }
+    try {
+        const key = crypto.randomBytes(16); 
+        const iv = crypto.randomBytes(8); 
+        crypto.createCipheriv('des-ede-cbc', key, iv);
+
+        if (fipsMode) {
+            console.error("Error: 3DES generation shoud not be succesfull with FIPS mode.")
+            process.exit(1);
+        }
+    } catch (e) {
+        if (!fipsMode) {
+            console.error('Error: 3DES generation should be successfull without FIPS mode.',e.message);
+            process.exit(1);
+        }
+    }
+
+
+}

test/test-fips/web.config

@@ -0,0 +1,17 @@
+<configuration>
+    <system.webServer>
+        <handlers>
+            <add name="iisnode" path="server.js" verb="*" modules="iisnode" />
+        </handlers>
+        <iisnode loggingEnabled="false" />
+
+        <rewrite>
+            <rules>
+                <rule name="myapp">
+                    <match url="/*" />
+                    <action type="Rewrite" url="server.js" />
+                </rule>
+            </rules>
+        </rewrite>
+    </system.webServer>
+</configuration>

test/test-lib-nodejs.sh

@@ -45,6 +45,10 @@ run_s2i_build() {
   ct_s2i_build_as_df file://${test_dir}/test-app ${IMAGE_NAME} ${IMAGE_NAME}-testapp ${s2i_args} $(ct_build_s2i_npm_variables) $1
 }
 
+run_s2i_fips() {
+  ct_s2i_build_as_df file://${test_dir}/test-fips${IMAGE_NAME} ${IMAGE_NAME}-testfips ${s2i_args} $(ct_build_s2i_npm_variables) $1
+}
+
 run_s2i_build_proxy() {
   ct_s2i_build_as_df file://${test_dir}/test-hw ${IMAGE_NAME} ${IMAGE_NAME}-testhw ${s2i_args} $(ct_build_s2i_npm_variables) -e HTTP_PROXY=$1 -e http_proxy=$1 -e HTTPS_PROXY=$2 -e https_proxy=$2
 }
@@ -130,7 +134,7 @@ prepare() {
   case "$1" in
     # TODO: STI build require the application is a valid 'GIT' repository, we
     # should remove this restriction in the future when a file:// is used.
-    app|hw|express-webapp|binary)
+    app|hw|fips|express-webapp|binary)
       pushd "${test_dir}/test-${1}" >/dev/null
       prepare_dummy_git_repo
       popd >/dev/null
@@ -478,6 +482,29 @@ function test_nodemon_present() {
   ct_check_testcase_result "$?"
 }
 
+function test_nodejs_fips_mode() {
+  # Test that nodejs behaves as expected in fips mode
+  local is_fips_enabled
+
+  # Read fips mode from host in case exists
+  if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+    is_fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
+  else
+    is_fips_enabled="0"
+  fi
+  if [[ "$is_fips_enabled" == "0" ]]; then
+    # FIPS disabled -- crypto.getFips() should return 0
+    echo "Fips should be disabled"
+    docker run --rm ${IMAGE_NAME}-testapp /bin/bash -c "node -e 'const crypto = require(\"crypto\"); process.exit(crypto.getFips());'"
+    ct_check_testcase_result "$?"
+  else
+    # FIPS enabled -- crypto.getFips() should return 1
+    echo "Fips should be enabled"
+    docker run --rm ${IMAGE_NAME}-testapp /bin/bash -c "! node -e 'const crypto = require(\"crypto\"); process.exit(crypto.getFips());'"
+    ct_check_testcase_result "$?"
+  fi
+}
+
 function test_npm_cache_cleared() {
   # Test that the npm cache has been cleared
   cache_loc=$(docker run --rm ${IMAGE_NAME}-testapp /bin/bash -c "npm config get cache")