From dd1591a917063a6aa0d98eb6711adcd9fcaeef22 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Fri, 17 Jun 2022 08:29:42 -0700
Subject: [PATCH] Use Labkit for checking and enabling FIPS

This pulls in the changes in
https://gitlab.com/gitlab-org/labkit-ruby/-/merge_requests/90, since
gitaly-ruby will also need to do something similar to enable FIPS.

This also fixes an issue with custom bit lengths for `Digest::SHA2`
not working.

Relates to https://gitlab.com/gitlab-org/gitaly/-/issues/4269

Changelog: changed
---
 Gemfile                      |  2 +-
 Gemfile.lock                 |  4 +--
 config/initializers/fips.rb  |  2 +-
 lib/gitlab/fips.rb           | 23 +-----------------
 spec/lib/gitlab/fips_spec.rb | 47 ------------------------------------
 5 files changed, 5 insertions(+), 73 deletions(-)

diff --git a/Gemfile b/Gemfile
index e7671cf4006ca..aad6cbc551d71 100644
--- a/Gemfile
+++ b/Gemfile
@@ -316,7 +316,7 @@ gem 'pg_query', '~> 2.1.0'
 gem 'premailer-rails', '~> 1.10.3'
 
 # LabKit: Tracing and Correlation
-gem 'gitlab-labkit', '~> 0.22.0'
+gem 'gitlab-labkit', '~> 0.23.0'
 # Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
 # because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
 gem 'thrift', '>= 0.14.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 563a1d69b0f4c..de2646f7d9c1d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -489,7 +489,7 @@ GEM
       fog-json (~> 1.2.0)
       mime-types
       ms_rest_azure (~> 0.12.0)
-    gitlab-labkit (0.22.0)
+    gitlab-labkit (0.23.0)
       actionpack (>= 5.0.0, < 7.0.0)
       activesupport (>= 5.0.0, < 7.0.0)
       grpc (>= 1.37)
@@ -1537,7 +1537,7 @@ DEPENDENCIES
   gitlab-dangerfiles (~> 3.3.0)
   gitlab-experiment (~> 0.7.1)
   gitlab-fog-azure-rm (~> 1.3.0)
-  gitlab-labkit (~> 0.22.0)
+  gitlab-labkit (~> 0.23.0)
   gitlab-license (~> 2.1.0)
   gitlab-license_finder (~> 6.0)
   gitlab-mail_room (~> 0.0.9)
diff --git a/config/initializers/fips.rb b/config/initializers/fips.rb
index cf9b0ff4e4de8..a5b2f324e7f3a 100644
--- a/config/initializers/fips.rb
+++ b/config/initializers/fips.rb
@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-Gitlab::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled?
+Labkit::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled?
diff --git a/lib/gitlab/fips.rb b/lib/gitlab/fips.rb
index a7106dd70e986..b2c22182d4be6 100644
--- a/lib/gitlab/fips.rb
+++ b/lib/gitlab/fips.rb
@@ -23,28 +23,7 @@ class << self
       #
       # @return [Boolean]
       def enabled?
-        # Attempt to auto-detect FIPS mode from OpenSSL
-        return true if OpenSSL.fips_mode
-
-        # Otherwise allow it to be set manually via the env vars
-        return true if ENV["FIPS_MODE"] == "true"
-
-        false
-      end
-
-      # Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
-      def enable_fips_mode!
-        require 'digest'
-
-        use_openssl_digest(:SHA2, :SHA256)
-        OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
-      end
-
-      private
-
-      def use_openssl_digest(ruby_algorithm, openssl_algorithm)
-        Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
-        Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
+        ::Labkit::FIPS.enabled?
       end
     end
   end
diff --git a/spec/lib/gitlab/fips_spec.rb b/spec/lib/gitlab/fips_spec.rb
index a6c9d54c0fb74..4d19a44f6170f 100644
--- a/spec/lib/gitlab/fips_spec.rb
+++ b/spec/lib/gitlab/fips_spec.rb
@@ -48,51 +48,4 @@
       end
     end
   end
-
-  describe '.enable_fips_mode!' do
-    let(:digests) { {} }
-    let(:test_string) { 'abc' }
-
-    before do
-      described_class::OPENSSL_DIGESTS.each do |digest|
-        digests[digest] = Digest.const_get(digest, false)
-      end
-    end
-
-    after do
-      digests.each do |name, value|
-        Digest.send(:remove_const, name)
-        Digest.const_set(name, value)
-      end
-    end
-
-    it 'assigns OpenSSL digests' do
-      described_class.enable_fips_mode!
-
-      # rubocop:disable Fips/OpenSSL
-      # rubocop:disable Fips/SHA1
-      # rubocop:disable Layout/LineLength
-      expect(Digest::SHA1).to be(OpenSSL::Digest::SHA1)
-      expect(Digest::SHA2).to be(OpenSSL::Digest::SHA256)
-      expect(Digest::SHA256).to be(OpenSSL::Digest::SHA256)
-      expect(Digest::SHA384).to be(OpenSSL::Digest::SHA384)
-      expect(Digest::SHA512).to be(OpenSSL::Digest::SHA512)
-
-      # From https://www.nist.gov/itl/ssd/software-quality-group/nsrl-test-data
-      expect(Digest::SHA1.hexdigest(test_string)).to eq('a9993e364706816aba3e25717850c26c9cd0d89d')
-      expect(Digest::SHA2.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
-      expect(Digest::SHA256.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
-      expect(Digest::SHA384.hexdigest(test_string)).to eq('cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7')
-      expect(Digest::SHA512.hexdigest(test_string)).to eq('ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f')
-
-      expect(Digest::SHA1.base64digest(test_string)).to eq('qZk+NkcGgWq6PiVxeFDCbJzQ2J0=')
-      expect(Digest::SHA2.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
-      expect(Digest::SHA256.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
-      expect(Digest::SHA384.base64digest(test_string)).to eq('ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn')
-      expect(Digest::SHA512.base64digest(test_string)).to eq('3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9RU1EI2Q86A4qmslPpUyknw==')
-      # rubocop:enable Fips/OpenSSL
-      # rubocop:enable Fips/SHA1
-      # rubocop:enable Layout/LineLength
-    end
-  end
 end
-- 
GitLab