Ensure application settings in tests adhere to FIPS requirements

When running tests in FIPS mode, `ApplicationSetting` by default has
invalid SSH key size restrictions. We now ensure the FactoryBot
creates a `ApplicationSetting` that conforms to FIPS requirements.

app/models/application_setting_implementation.rb

@@ -510,8 +510,35 @@ def web_ide_clientside_preview_bundler_url
     'https://sandbox-prod.gitlab-static.net'
   end
 
+  def ensure_key_restrictions!
+    return if Gitlab::Database.read_only?
+    return unless Gitlab::FIPS.enabled?
+
+    Gitlab::SSHPublicKey.supported_types.each do |key_type|
+      set_max_key_restriction!(key_type)
+    end
+  end
+
   private
 
+  def set_max_key_restriction!(key_type)
+    attr_name = "#{key_type}_key_restriction"
+    current = self.attributes[attr_name].to_i
+
+    return if current == KeyRestrictionValidator::FORBIDDEN
+
+    min_size = self.class.default_min_key_size(key_type)
+
+    new_value =
+      if min_size == KeyRestrictionValidator::FORBIDDEN
+        min_size
+      else
+        [min_size, current].max
+      end
+
+    self.assign_attributes({ attr_name => new_value })
+  end
+
   def separate_allowlists(string_array)
     string_array.reduce([[], []]) do |(ip_allowlist, domain_allowlist), string|
       address, port = parse_addr_and_port(string)

spec/factories/application_settings.rb

@@ -5,5 +5,9 @@
     default_projects_limit { 42 }
     import_sources { [] }
     restricted_visibility_levels { [] }
+
+    after(:build) do |settings|
+      settings.ensure_key_restrictions!
+    end
   end
 end

spec/models/application_setting_spec.rb

@@ -554,11 +554,45 @@ def expect_invalid
           it { is_expected.to allow_value(*KeyRestrictionValidator.supported_key_restrictions(type)).for(field) }
           it { is_expected.not_to allow_value(128).for(field) }
         end
+      end
+    end
 
-        it_behaves_like 'key validations'
+    describe '#ensure_key_restrictions!' do
+      context 'with non-compliant FIPS settings' do
+        before do
+          setting.update_columns(
+            rsa_key_restriction: 1024,
+            dsa_key_restriction: 0,
+            ecdsa_key_restriction: 521,
+            ed25519_key_restriction: -1,
+            ecdsa_sk_key_restriction: 0,
+            ed25519_sk_key_restriction: 0
+          )
+        end
 
-        context 'FIPS mode', :fips_mode do
-          it_behaves_like 'key validations'
+        context 'in non-FIPS mode', fips_mode: false do
+          it 'keeps existing key restrictions' do
+            expect { setting.ensure_key_restrictions! }.not_to change { setting.valid? }
+            expect(setting).to be_valid
+            expect(setting.rsa_key_restriction).to eq(1024)
+            expect(setting.dsa_key_restriction).to eq(0)
+            expect(setting.ecdsa_key_restriction).to eq(521)
+            expect(setting.ed25519_key_restriction).to eq(-1)
+            expect(setting.ecdsa_sk_key_restriction).to eq(0)
+            expect(setting.ed25519_sk_key_restriction).to eq(0)
+          end
+        end
+
+        context 'in FIPS mode', :fips_mode do
+          it 'updates key restrictions to meet FIPS compliance' do
+            expect { setting.ensure_key_restrictions! }.to change { setting.valid? }.from(false).to(true)
+            expect(setting.rsa_key_restriction).to eq(3072)
+            expect(setting.dsa_key_restriction).to eq(-1)
+            expect(setting.ecdsa_key_restriction).to eq(521)
+            expect(setting.ed25519_key_restriction).to eq(-1)
+            expect(setting.ecdsa_sk_key_restriction).to eq(256)
+            expect(setting.ed25519_sk_key_restriction).to eq(256)
+          end
         end
       end
     end

spec/support/shared_examples/models/application_setting_shared_examples.rb

@@ -238,8 +238,16 @@
   end
 
   describe '#allowed_key_types' do
-    it 'includes all key types by default' do
-      expect(setting.allowed_key_types).to contain_exactly(*Gitlab::SSHPublicKey.supported_types)
+    context 'in non-FIPS mode', fips_mode: false do
+      it 'includes all key types by default' do
+        expect(setting.allowed_key_types).to contain_exactly(*Gitlab::SSHPublicKey.supported_types)
+      end
+    end
+
+    context 'in FIPS mode', :fips_mode do
+      it 'excludes DSA from supported key types' do
+        expect(setting.allowed_key_types).to contain_exactly(*Gitlab::SSHPublicKey.supported_types - %i(dsa))
+      end
     end
 
     it 'excludes disabled key types' do