Add infrastructure for exposing FIPS status (#14127)

In future Vault Enterprise versions, we'll be building Vault with FIPS-validated cryptography. To help operators understand their environment, we'll want to expose information about their FIPS status when they're running a FIPS version of Vault. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 12:03:57 -06:00 · 2022-02-17 12:03:57 -06:00 · ec4deb12ef
parent 797f11b0e5
commit ec4deb12ef
2 changed files with 24 additions and 0 deletions
--- a/command/server.go
+++ b/command/server.go
@ -644,6 +644,12 @@ func (c *ServerCommand) runRecoveryMode() int {
 	infoKeys = append(infoKeys, "go version")
 	info["go version"] = runtime.Version()

+	fipsStatus := getFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
 	// Server configuration output
 	padding := 24

@ -1377,6 +1383,12 @@ func (c *ServerCommand) Run(args []string) int {
 	infoKeys = append(infoKeys, "go version")
 	info["go version"] = runtime.Version()

+	fipsStatus := getFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
 	sort.Strings(infoKeys)
 	c.UI.Output("==> Vault server configuration:\n")

@ -1800,6 +1812,12 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
 	infoKeys = append(infoKeys, "go version")
 	info["go version"] = runtime.Version()

+	fipsStatus := getFIPSInfoKey()
+	if fipsStatus != "" {
+		infoKeys = append(infoKeys, "fips")
+		info["fips"] = fipsStatus
+	}
+
 	// Server configuration output
 	padding := 24

--- a/command/server_util.go
+++ b/command/server_util.go
@ -9,3 +9,9 @@ var adjustCoreConfigForEnt = adjustCoreConfigForEntNoop

 func adjustCoreConfigForEntNoop(config *server.Config, coreConfig *vault.CoreConfig) {
 }
+
+var getFIPSInfoKey = getFIPSInfoKeyNoop
+
+func getFIPSInfoKeyNoop() string {
+	return ""
+}