test: use openssl_is_fips instead of hasFipsCrypto

danbev · targos · commit d3f51457af3e · 2019-07-20T11:13:05.000+02:00
Currently, when dynamically linking against a FIPS enabled OpenSSL library test-process-env-allowed-flags-are-documented will fail with the following error: assert.js:89 throw new AssertionError(obj); ^ AssertionError [ERR_ASSERTION]: The following options are not documented as allowed in NODE_OPTIONS in /root/node/doc/api/cli.md: --enable-fips --force-fips at Object.<anonymous> (/test/parallel/test-process-env-allowed-flags-are-documented.js:82:8) at Module._compile (internal/modules/cjs/loader.js:779:30) at Object.Module._extensions..js (internal/modules/cjs/loader.js:790:10) at Module.load (internal/modules/cjs/loader.js:642:32) at Function.Module._load (internal/modules/cjs/loader.js:555:12) at Function.Module.runMain (internal/modules/cjs/loader.js:842:10) at internal/main/run_main_module.js:17:11 { generatedMessage: false, code: 'ERR_ASSERTION', actual: 2, expected: 0, operator: 'strictEqual' } This commit updates the test to use process.config.variables.openssl_is_fips instead of common.hasFipsCrypto as hasFipsCrypto only returns true if the OpenSSL library that is shipped with node was configured with FIPS enabled. PR-URL: #28507 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -46,7 +46,14 @@ const conditionalOpts = [
       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
               '--use-openssl-ca' ].includes(opt);
     } },
-  { include: common.hasFipsCrypto,
+  {
+    // We are using openssl_is_fips from the configuration because it could be
+    // the case that OpenSSL is FIPS compatible but fips has not been enabled
+    // (starting node with --enable-fips). If we use common.hasFipsCrypto
+    // that would only tells us if fips has been enabled, but in this case we
+    // want to check options which will be available regardless of whether fips
+    // is enabled at runtime or not.
+    include: process.config.variables.openssl_is_fips,
     filter: (opt) => opt.includes('-fips') },
   { include: common.hasIntl,
     filter: (opt) => opt === '--icu-data-dir' },
