This is an automated email from the ASF dual-hosted git repository.
martinzink pushed a commit to branch MINIFICPP-2584-apache
in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git
The following commit(s) were added to refs/heads/MINIFICPP-2584-apache by this
push:
new 57d762d6a fips
57d762d6a is described below
commit 57d762d6a648a383707f96da61dc433546591407
Author: Martin Zink <[email protected]>
AuthorDate: Wed Jun 25 15:00:21 2025 +0200
fips
---
fips/openssl.cnf | 2 +-
libminifi/include/properties/LocationsImpl.h | 28 ++++++++++++++----
.../include/minifi-cpp/properties/Locations.h | 3 +-
minifi_main/Fips.cpp | 34 ++++++++++++----------
minifi_main/Fips.h | 3 +-
minifi_main/MiNiFiMain.cpp | 2 +-
6 files changed, 46 insertions(+), 26 deletions(-)
diff --git a/fips/openssl.cnf b/fips/openssl.cnf
index e96c522c6..8779438cb 100644
--- a/fips/openssl.cnf
+++ b/fips/openssl.cnf
@@ -1,6 +1,6 @@
openssl_conf = openssl_init
-.include ${FIPS_DIR}/fipsmodule.cnf
+.include ${FIPS_CONF_DIR}/fipsmodule.cnf
[openssl_init]
providers = prov
diff --git a/libminifi/include/properties/LocationsImpl.h
b/libminifi/include/properties/LocationsImpl.h
index ed2b6935a..e6a537260 100644
--- a/libminifi/include/properties/LocationsImpl.h
+++ b/libminifi/include/properties/LocationsImpl.h
@@ -29,7 +29,8 @@ class LocationsImpl final : public Locations {
std::filesystem::path uid_properties_path_;
std::filesystem::path properties_path_;
std::filesystem::path logs_dir_;
- std::filesystem::path fips_path_;
+ std::filesystem::path fips_bin_path_;
+ std::filesystem::path fips_conf_path_;
std::string extensions_pattern_;
} m;
@@ -44,7 +45,8 @@ class LocationsImpl final : public Locations {
.uid_properties_path_ = minifi_home / DEFAULT_UID_PROPERTIES_FILE,
.properties_path_ = minifi_home / DEFAULT_NIFI_PROPERTIES_FILE,
.logs_dir_ = minifi_home / "logs",
- .fips_path_ = minifi_home / "fips",
+ .fips_bin_path_ = minifi_home / "fips",
+ .fips_conf_path_ = minifi_home / "fips",
.extensions_pattern_ = "../extensions/*"
}));
}
@@ -57,7 +59,8 @@ class LocationsImpl final : public Locations {
.uid_properties_path_ = "/etc/nifi-minifi-cpp/minifi-uid.properties",
.properties_path_ = "/etc/nifi-minifi-cpp/minifi.properties",
.logs_dir_ = "/var/log/nifi-minifi-cpp",
- .fips_path_ = "/usr/lib64/nifi-minifi-cpp/fips",
+ .fips_bin_path_ = "/usr/lib64/nifi-minifi-cpp/fips",
+ .fips_conf_path_ = "/etc/nifi-minifi-cpp/fips",
.extensions_pattern_ = "/usr/lib64/nifi-minifi-cpp/extensions/*"
}));
}
@@ -67,19 +70,32 @@ class LocationsImpl final : public Locations {
[[nodiscard]] std::filesystem::path getLogPropertiesPath() const override {
return m.log_properties_path_; }
[[nodiscard]] std::filesystem::path getUidPropertiesPath() const override {
return m.uid_properties_path_; }
[[nodiscard]] std::filesystem::path getPropertiesPath() const override {
return m.properties_path_; }
- [[nodiscard]] std::filesystem::path getFipsPath() const override { return
m.fips_path_; }
+ [[nodiscard]] std::filesystem::path getFipsBinPath() const override { return
m.fips_bin_path_; }
+ [[nodiscard]] std::filesystem::path getFipsConfPath() const override {
return m.fips_conf_path_; }
[[nodiscard]] std::filesystem::path getLogsDirs() const override { return
m.logs_dir_; }
[[nodiscard]] std::string_view getDefaultExtensionsPattern() const override
{ return m.extensions_pattern_; }
[[nodiscard]] std::string toString() const override {
return fmt::format(
- R"(Locations {{ working dir: "{}", lock path: "{}", log properties path:
"{}", uid properties path: "{}", properties path: "{}", fips path: "{}", logs
dir: "{}", extensions pattern: "{}" }})",
+ R"(
+Locations {{
+ working dir: "{}",
+ lock path: "{}",
+ log properties path: "{}",
+ uid properties path: "{}",
+ properties path: "{}",
+ fips bin path: "{}",
+ fips conf path: "{}",
+ logs dir: "{}",
+ extensions pattern: "{}"
+}})",
getWorkingDir().string(),
getLockPath().string(),
getLogPropertiesPath().string(),
getUidPropertiesPath().string(),
getPropertiesPath().string(),
- getFipsPath().string(),
+ getFipsBinPath().string(),
+ getFipsConfPath().string(),
getLogsDirs().string(),
getDefaultExtensionsPattern());
}
diff --git a/minifi-api/include/minifi-cpp/properties/Locations.h
b/minifi-api/include/minifi-cpp/properties/Locations.h
index 3e9b869f7..1fc7c76ba 100644
--- a/minifi-api/include/minifi-cpp/properties/Locations.h
+++ b/minifi-api/include/minifi-cpp/properties/Locations.h
@@ -27,7 +27,8 @@ public:
[[nodiscard]] virtual std::filesystem::path getLogPropertiesPath() const = 0;
[[nodiscard]] virtual std::filesystem::path getUidPropertiesPath() const = 0;
[[nodiscard]] virtual std::filesystem::path getPropertiesPath() const = 0;
- [[nodiscard]] virtual std::filesystem::path getFipsPath() const = 0;
+ [[nodiscard]] virtual std::filesystem::path getFipsBinPath() const = 0;
+ [[nodiscard]] virtual std::filesystem::path getFipsConfPath() const = 0;
[[nodiscard]] virtual std::filesystem::path getLogsDirs() const = 0;
[[nodiscard]] virtual std::string_view getDefaultExtensionsPattern() const =
0;
diff --git a/minifi_main/Fips.cpp b/minifi_main/Fips.cpp
index 6d08908d6..d0cbd4b90 100644
--- a/minifi_main/Fips.cpp
+++ b/minifi_main/Fips.cpp
@@ -37,7 +37,7 @@ constexpr std::string_view FIPS_LIB = "fips.dylib";
constexpr std::string_view FIPS_LIB = "fips.so";
#endif
-bool substituteFipsDirVariable(const std::filesystem::path& file_path, const
std::filesystem::path& fips_dir_path, const
std::shared_ptr<core::logging::Logger>& logger) {
+bool substituteFipsDirVariable(const std::filesystem::path& file_path, const
std::filesystem::path& fips_conf_dir, const
std::shared_ptr<core::logging::Logger>& logger) {
std::ifstream input_file(file_path);
if (!input_file) {
logger->log_error("Failed to open file: {}", file_path.string());
@@ -49,13 +49,13 @@ bool substituteFipsDirVariable(const std::filesystem::path&
file_path, const std
std::string content = buffer.str();
input_file.close();
- const std::string placeholder = "${FIPS_DIR}";
+ const std::string placeholder = "${FIPS_CONF_DIR}";
size_t pos = content.find(placeholder, 0);
if (pos == std::string::npos) {
return true;
}
- auto fips_dir_str = fips_dir_path.generic_string();
+ auto fips_dir_str = fips_conf_dir.generic_string();
do {
content.replace(pos, placeholder.length(), fips_dir_str);
pos += fips_dir_str.length();
@@ -91,37 +91,39 @@ bool generateFipsModuleConfig(const std::filesystem::path&
fips_dir, const std::
}
} // namespace
-void initializeFipsMode(const std::shared_ptr<minifi::Configure>& configure,
const std::filesystem::path& fips_dir, const
std::shared_ptr<core::logging::Logger>& logger) {
+void initializeFipsMode(const std::shared_ptr<minifi::Configure>& configure,
const Locations& locations, const std::shared_ptr<core::logging::Logger>&
logger) {
+ const auto fips_bin_path = locations.getFipsBinPath();
+ const auto fips_conf_path = locations.getFipsConfPath();
if (!(configure->get(minifi::Configure::nifi_openssl_fips_support_enable) |
utils::andThen(utils::string::toBool)).value_or(false)) {
logger->log_info("FIPS mode is disabled. FIPS configs and modules will NOT
be loaded.");
return;
}
- if (!std::filesystem::exists(fips_dir / FIPS_LIB)) {
- logger->log_error("FIPS mode is enabled, but {} is not available in {}
directory", FIPS_LIB, fips_dir);
+ if (!std::filesystem::exists(fips_bin_path / FIPS_LIB)) {
+ logger->log_error("FIPS mode is enabled, but {} is not available in {}
directory", FIPS_LIB, fips_bin_path);
std::exit(1);
}
- if (!std::filesystem::exists(fips_dir / "fipsmodule.cnf") &&
!generateFipsModuleConfig(fips_dir, logger)) {
- logger->log_error("FIPS mode is enabled, but fipsmodule.cnf is not
available in {} directory, and minifi couldn't generate it automatically. "
- "Run {}/openssl fipsinstall -out fipsmodule.cnf -module {}/{} command to
generate the configuration file", fips_dir, fips_dir, fips_dir, FIPS_LIB);
+ if (!std::filesystem::exists(fips_conf_path / "fipsmodule.cnf") &&
!generateFipsModuleConfig(fips_conf_path, logger)) {
+ logger->log_error("FIPS mode is enabled, but fipsmodule.cnf is not
available in {fips_conf_dir} directory, and minifi couldn't generate it
automatically. "
+ "Run {fips_bin_dir}/openssl fipsinstall -out
{fips_conf_dir}/fipsmodule.cnf -module {fips_bin_dir}/{fips_lib_name} command
to generate the configuration file", fmt::arg("fips_conf_dir", fips_conf_path),
fmt::arg("fips_bin_dir", fips_bin_path), fmt::arg("fips_lib_name", FIPS_LIB));
std::exit(1);
}
- if (!std::filesystem::exists(fips_dir / "openssl.cnf")) {
- logger->log_error("FIPS mode is enabled, but openssl.cnf is not available
in {} directory", fips_dir);
+ if (!std::filesystem::exists(fips_conf_path / "openssl.cnf")) {
+ logger->log_error("FIPS mode is enabled, but openssl.cnf is not available
in {} directory", fips_conf_path);
std::exit(1);
}
- if (!substituteFipsDirVariable(fips_dir / "openssl.cnf", fips_dir, logger)) {
- logger->log_error("Failed to replace FIPS_DIR variable in openssl.cnf");
+ if (!substituteFipsDirVariable(fips_conf_path / "openssl.cnf",
fips_conf_path, logger)) {
+ logger->log_error("Failed to replace FIPS_CONF_DIR variable in
openssl.cnf");
std::exit(1);
}
- utils::Environment::setEnvironmentVariable("OPENSSL_CONF", (fips_dir /
"openssl.cnf").string().c_str(), true);
+ utils::Environment::setEnvironmentVariable("OPENSSL_CONF", (fips_conf_path /
"openssl.cnf").string().c_str(), true);
- if (!OSSL_PROVIDER_set_default_search_path(nullptr,
(fips_dir).string().c_str())) {
- logger->log_error("Failed to set FIPS module path: {}",
(fips_dir).string());
+ if (!OSSL_PROVIDER_set_default_search_path(nullptr, fips_bin_path.c_str())) {
+ logger->log_error("Failed to set FIPS module path: {}",
fips_bin_path.string());
ERR_print_errors_fp(stderr);
std::exit(1);
}
diff --git a/minifi_main/Fips.h b/minifi_main/Fips.h
index 70fb3cdf0..e4a560c81 100644
--- a/minifi_main/Fips.h
+++ b/minifi_main/Fips.h
@@ -20,9 +20,10 @@
#include <memory>
#include "core/logging/Logger.h"
#include "minifi-cpp/properties/Configure.h"
+#include "minifi-cpp/properties/Locations.h"
namespace org::apache::nifi::minifi::fips {
-void initializeFipsMode(const std::shared_ptr<Configure>& configure, const
std::filesystem::path& fips_dir, const std::shared_ptr<core::logging::Logger>&
logger);
+void initializeFipsMode(const std::shared_ptr<Configure>& configure, const
Locations& locations, const std::shared_ptr<core::logging::Logger>& logger);
} // namespace org::apache::nifi::minifi::utils::fips
diff --git a/minifi_main/MiNiFiMain.cpp b/minifi_main/MiNiFiMain.cpp
index 9941c4a6e..9d19527cb 100644
--- a/minifi_main/MiNiFiMain.cpp
+++ b/minifi_main/MiNiFiMain.cpp
@@ -334,7 +334,7 @@ int main(int argc, char **argv) {
configure->loadConfigureFile(locations->getPropertiesPath());
overridePropertiesFromCommandLine(argument_parser, configure);
- minifi::fips::initializeFipsMode(configure, locations->getFipsPath(),
logger);
+ minifi::fips::initializeFipsMode(configure, *locations, logger);
minifi::core::extension::ExtensionManagerImpl::get().initialize(configure);
