Commit 72ebe0e0 authored by Andy Soiron's avatar Andy Soiron

Merge branch 'autodetect-fips-mode' into 'master'

Add OpenSSL FIPS mode detection

See merge request gitlab-org/gitlab!82004
parents 60fe3a6a f3172799
---
name: fips_mode
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81418/diffs?view=inline
rollout_issue_url:
milestone: '14.9'
type: development
group: group::source code
default_enabled: false
...@@ -10,7 +10,13 @@ module Gitlab ...@@ -10,7 +10,13 @@ module Gitlab
# #
# @return [Boolean] # @return [Boolean]
def enabled? def enabled?
Feature.enabled?(:fips_mode, default_enabled: :yaml) # Attempt to auto-detect FIPS mode from OpenSSL
return true if OpenSSL.fips_mode
# Otherwise allow it to be set manually via the env vars
return true if ENV["FIPS_MODE"] == "true"
false
end end
end end
end end
......
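Review bot: The YARD comment above `enabled?` still says only `# @return [Boolean]` and does not mention that the result is now true when either `OpenSSL.fips_mode` reports FIPS mode or `ENV["FIPS_MODE"]` equals `"true"`; the start of that comment lies outside the hunk. Because the env-var branch makes `enabled?` return true while `OpenSSL.fips_mode` is false, callers that pick FIPS-validated primitives on the strength of this method should be told it reflects configuration as well as library state. Suggest `# @return [Boolean] true when OpenSSL reports FIPS mode, or when ENV["FIPS_MODE"] == "true"; the env var only flags the intent and does not itself switch OpenSSL into FIPS mode`. The method body itself is linear and needs no code change.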
...@@ -6,16 +6,46 @@ RSpec.describe Gitlab::FIPS do ...@@ -6,16 +6,46 @@ RSpec.describe Gitlab::FIPS do
describe ".enabled?" do describe ".enabled?" do
subject { described_class.enabled? } subject { described_class.enabled? }
context "feature flag is enabled" do let(:openssl_fips_mode) { false }
it { is_expected.to be_truthy } let(:fips_mode_env_var) { nil }
before do
expect(OpenSSL).to receive(:fips_mode).and_return(openssl_fips_mode)
stub_env("FIPS_MODE", fips_mode_env_var)
end
describe "OpenSSL auto-detection" do
context "OpenSSL is in FIPS mode" do
let(:openssl_fips_mode) { true }
it { is_expected.to be_truthy }
end
context "OpenSSL is not in FIPS mode" do
let(:openssl_fips_mode) { false }
it { is_expected.to be_falsey }
end
end end
context "feature flag is disabled" do describe "manual configuration via env var" do
before do context "env var is not set" do
stub_feature_flags(fips_mode: false) let(:fips_mode_env_var) { nil }
it { is_expected.to be_falsey }
end end
it { is_expected.to be_falsey } context "env var is set to true" do
let(:fips_mode_env_var) { "true" }
it { is_expected.to be_truthy }
end
context "env var is set to false" do
let(:fips_mode_env_var) { "false" }
it { is_expected.to be_falsey }
end
end end
end end
end end
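Review bot: The `before` block at the top of `describe ".enabled?"` uses `expect(OpenSSL).to receive(:fips_mode)` for what is setup rather than an assertion, so every example in the file becomes a message-expectation test and will fail if the implementation ever stops calling `OpenSSL.fips_mode` on some path. Stubbing belongs in `allow`: `allow(OpenSSL).to receive(:fips_mode).and_return(openssl_fips_mode)`, with `expect(...).to receive` reserved for an example that specifically asserts the call is made. The examples otherwise cover both sources and their combinations as far as the visible contexts show.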