Pages returns 503 when access control is enabled in FIPS mode

Summary

While testing in FIPS mode, Pages returns a 503 when the access control feature is enabled.

Steps to reproduce

  • Set up FIPS Pages as described in #718 (comment 897887902)
  • Enable Access Control and run Pages
  • Create a simple pages repository with pages setup
  • Modify Visibility of Pages for the repository
    • Browse Repository > Settings > General > Visibility, project features, permissions
      • Set Project Visibility to Private
      • Set Pages to Only Project Members
  • Browse Pages URL

What is the current bug behavior?

Browser returns a 503

What is the expected correct behavior?

Browser should render the HTML

Relevant logs and/or screenshots

{"correlation_id":"01FZJZV5Y7JYH8AX6G4Q6E89MW","host":"root.pages.gdk.test:3010","level":"debug","msg":"Authenticate request","path":"/fips-test","state":"","time":"2022-04-01T16:37:56Z"}
{"correlation_id":"01FZJZV5Y7JYH8AX6G4Q6E89MW","host":"root.pages.gdk.test:3010","level":"debug","msg":"No access token exists, redirecting user to OAuth2 login","path":"/fips-test","state":"","time":"2022-04-01T16:37:56Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01FZJZV5Y7JYH8AX6G4Q6E89MW","duration_ms":0,"host":"root.pages.gdk.test:3010","level":"info","method":"GET","msg":"access","pages_host":"root.pages.gdk.test:3010","pages_https":false,"proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:33326","remote_ip":"127.0.0.1","status":302,"system":"http","time":"2022-04-01T16:37:56Z","ttfb_ms":0,"uri":"/fips-test","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","written_bytes":128}
{"correlation_id":"01FZJZV64DN03E3DQEY3BJ5N1Z","host":"pages.gdk.test:3010","level":"info","msg":"Receive OAuth authentication callback","path":"/auth","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:56Z"}
{"correlation_id":"01FZJZV64DN03E3DQEY3BJ5N1Z","domain":"http://root.pages.gdk.test:3010","host":"pages.gdk.test:3010","level":"info","msg":"User is authenticating via domain","path":"/auth","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:56Z"}
{"correlation_id":"01FZJZV64DN03E3DQEY3BJ5N1Z","host":"pages.gdk.test:3010","level":"info","msg":"Redirecting user to gitlab for oauth","pages_domain":"http://root.pages.gdk.test:3010","path":"/auth","public_gitlab_server":"http://gdk.test:3000","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:56Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01FZJZV64DN03E3DQEY3BJ5N1Z","duration_ms":0,"host":"pages.gdk.test:3010","level":"info","method":"GET","msg":"access","pages_host":"pages.gdk.test:3010","pages_https":false,"proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:33332","remote_ip":"127.0.0.1","status":302,"system":"http","time":"2022-04-01T16:37:56Z","ttfb_ms":0,"uri":"/auth?domain=http://root.pages.gdk.test:3010\u0026state=RSvMn-5sJmH9mnGQ4STegw==","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","written_bytes":255}
{"correlation_id":"01FZJZV6N2W42F576JFNC2397B","host":"pages.gdk.test:3010","level":"info","msg":"Receive OAuth authentication callback","path":"/auth","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:57Z"}
{"correlation_id":"01FZJZV6N2W42F576JFNC2397B","domain":"http://root.pages.gdk.test:3010","host":"pages.gdk.test:3010","level":"info","msg":"Redirecting auth callback to custom domain","path":"/auth","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:57Z"}
{"correlation_id":"01FZJZV6N2W42F576JFNC2397B","error":"crypto/aes: GCM nonce size can't be non-standard","host":"pages.gdk.test:3010","level":"error","msg":"failed to save the session","path":"/auth","state":"RSvMn-5sJmH9mnGQ4STegw==","time":"2022-04-01T16:37:57Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01FZJZV6N2W42F576JFNC2397B","duration_ms":0,"host":"pages.gdk.test:3010","level":"info","method":"GET","msg":"access","pages_host":"pages.gdk.test:3010","pages_https":false,"proto":"HTTP/1.1","referrer":"http://gdk.test:3000/","remote_addr":"127.0.0.1:33332","remote_ip":"127.0.0.1","status":503,"system":"http","time":"2022-04-01T16:37:57Z","ttfb_ms":0,"uri":"/auth?code=fad9bfdd2283746bc74d78cab3d526d641b7e7ce9fa93bea496277a852430992\u0026state=RSvMn-5sJmH9mnGQ4STegw%3D%3D","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","written_bytes":2904}
{"correlation_id":"01FZJZV5Y7JYH8AX6G4Q6E89MW","host":"root.pages.gdk.test:3010","level":

Possible problematic code

https://gitlab.com/gitlab-org/gitlab-pages/-/blob/master/internal/auth/auth_code.go#L33

Error originating from: https://github.com/golang-fips/go/blob/go1.17-openssl-fips/src/crypto/internal/boring/aes.go#L336

Edited by Vishal Tak
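
The "GCM nonce size can't be non-standard" error in the log above means the FIPS crypto backend accepts only the standard 12-byte GCM nonce, while an ordinary Go build also accepts other sizes through cipher.NewGCMWithNonceSize. The following is an added example, not GitLab Pages code: newGCM, seal, open and the strict flag are hypothetical names, and strict only emulates the restriction seen in the log so a non-standard nonce fails in ordinary builds and tests too.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const stdNonce = 12 // 96-bit nonce, the size cipher.NewGCM uses

// newGCM (hypothetical) emulates the FIPS restriction when strict: 12-byte nonces only.
func newGCM(key []byte, nonceSize int, strict bool) (cipher.AEAD, error) {
	if strict && nonceSize != stdNonce {
		return nil, errors.New("gcm: nonce size must be 12 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, nonceSize)
}

// seal returns nonce || ciphertext || tag under a fresh random 12-byte nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key, stdNonce, true)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, stdNonce)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open splits off the nonce, then authenticates and decrypts the remainder.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key, stdNonce, true)
	if err != nil || len(sealed) < stdNonce {
		return nil, errors.New("gcm: bad key or truncated input")
	}
	return aead.Open(nil, sealed[:stdNonce], sealed[stdNonce:], nil)
}

func main() {
	sealed, _ := seal(make([]byte, 32), []byte("constructed-code")) // constructed all-zero demo key
	plain, err := open(make([]byte, 32), sealed)
	fmt.Println(string(plain), err)
}
```

Calling newGCM with a 16-byte nonce succeeds when strict is false and fails when it is true, which is the difference between a standard build and the FIPS build in this report.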