Add OpenSSL FIPS mode detection and env var

Detects FIPS mode enablement via OpenSSL or via the FIPS_MODE environment variable Changelog: added

Add OpenSSL FIPS mode detection and env var
Detects FIPS mode enablement via OpenSSL or via the FIPS_MODE environment variable Changelog: added
f3172799 · Robert May · c6f16b9d · c6f16b9d · f3172799 · f3172799
Commit f3172799 authored Mar 02, 2022 by Robert May
Showing with 43 additions and 15 deletions

config/feature_flags/development/fips_mode.yml config/feature_flags/development/fips_mode.yml +0 -8

lib/gitlab/fips.rb lib/gitlab/fips.rb +7 -1

spec/lib/gitlab/fips_spec.rb spec/lib/gitlab/fips_spec.rb +36 -6

No files found.
--- a/config/feature_flags/development/fips_mode.yml
+++ b/config/feature_flags/development/fips_mode.yml
---
-name: fips_mode
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81418/diffs?view=inline
-rollout_issue_url:
-milestone: '14.9'
-type: development
-group: group::source code
-default_enabled: false
--- a/lib/gitlab/fips.rb
+++ b/lib/gitlab/fips.rb
@@ -10,7 +10,13 @@ module Gitlab
      #
      # @return [Boolean]
      def enabled?
-        Feature.enabled?(:fips_mode, default_enabled: :yaml)
+        # Attempt to auto-detect FIPS mode from OpenSSL
+        return true if OpenSSL.fips_mode
+
+        # Otherwise allow it to be set manually via the env vars
+        return true if ENV["FIPS_MODE"] == "true"
+
+        false
      end
    end
  end

--- a/spec/lib/gitlab/fips_spec.rb
+++ b/spec/lib/gitlab/fips_spec.rb
@@ -6,16 +6,46 @@ RSpec.describe Gitlab::FIPS do
  describe ".enabled?" do
    subject { described_class.enabled? }

-    context "feature flag is enabled" do
-      it { is_expected.to be_truthy }
+    let(:openssl_fips_mode) { false }
+    let(:fips_mode_env_var) { nil }
+
+    before do
+      expect(OpenSSL).to receive(:fips_mode).and_return(openssl_fips_mode)
+      stub_env("FIPS_MODE", fips_mode_env_var)
+    end
+
+    describe "OpenSSL auto-detection" do
+      context "OpenSSL is in FIPS mode" do
+        let(:openssl_fips_mode) { true }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context "OpenSSL is not in FIPS mode" do
+        let(:openssl_fips_mode) { false }
+
+        it { is_expected.to be_falsey }
+      end
    end

-    context "feature flag is disabled" do
-      before do
-        stub_feature_flags(fips_mode: false)
+    describe "manual configuration via env var" do
+      context "env var is not set" do
+        let(:fips_mode_env_var) { nil }
+
+        it { is_expected.to be_falsey }
      end

-      it { is_expected.to be_falsey }
+      context "env var is set to true" do
+        let(:fips_mode_env_var) { "true" }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context "env var is set to false" do
+        let(:fips_mode_env_var) { "false" }
+
+        it { is_expected.to be_falsey }
+      end
    end
  end
 end