Fix Maven packages not working on FIPS kernels
What does this MR do and why?
On a FIPS kernel with a non-FIPS GitLab build, Maven package uploads previously would fail with 422 Unprocessable Entity errors. This occurred because Workhorse was generating an MD5 sum for the accelerated upload, but the Rails API rejects any use of MD5 in FIPS mode.
Workhorse was generating an MD5 sum because its own check for FIPS involves more conditions (#380559 (comment 1167645351)):
1. The binary has been compiled with the `fips` build tag.
2. The platform is amd64 running on a Linux runtime.
3. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
4. A system OpenSSL can be dynamically loaded via dlopen().
On a standard GitLab installation, 1 is not true, so Workhorse believed it was working in a standard environment. However, GitLab Rails only checks whether the OpenSSL library is FIPS-enabled.
To resolve this discrepancy, we now:
- Pass `UploadHashFunctions` to indicate which hashes should be used in the Workhorse `/authorize` response.
- Workhorse will use this list to determine which hashes to compute. If the list is empty, Workhorse will assume all hashes can be used.
Relates to #380559 (closed)
How to set up and validate locally
- Use a FIPS-enabled kernel (https://docs.gitlab.com/ee/development/fips_compliance.html#setting-up-a-fips-enabled-development-environment).
- Install a standard GitLab EE installation.
- Clone https://gitlab.com/gitlab-com/support/toolbox/gitlab-smoke-tests/.
- Run a pipeline in the repository.
- Manually play the `maven-repository` job.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
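
The hash selection described under "To resolve this discrepancy", as an added Go example (not code from this MR or from Workhorse): the uploader computes only the hashes the server lists and falls back to all hashes when the list is empty. The function name `digestUpload`, the lowercase hash names, and the sample input are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"strings"
)
// Digests this uploader can compute; the lowercase names are assumptions.
var hashFactories = map[string]func() hash.Hash{
	"md5": md5.New, "sha1": sha1.New, "sha256": sha256.New, "sha512": sha512.New,
}

// digestUpload streams body once and returns hex digests for the allowed names.
// An empty list means no restriction; names unknown to the uploader are skipped.
func digestUpload(body io.Reader, allowed []string) (map[string]string, error) {
	if len(allowed) == 0 {
		for name := range hashFactories {
			allowed = append(allowed, name)
		}
	}
	hashes := map[string]hash.Hash{}
	var writers []io.Writer
	for _, name := range allowed {
		if newHash, ok := hashFactories[name]; ok && hashes[name] == nil {
			hashes[name] = newHash()
			writers = append(writers, hashes[name])
		}
	}
	if _, err := io.Copy(io.MultiWriter(writers...), body); err != nil {
		return nil, err
	}
	sums := make(map[string]string, len(hashes))
	for name, h := range hashes {
		sums[name] = hex.EncodeToString(h.Sum(nil))
	}
	return sums, nil
}

func main() {
	// Constructed input: a server that forbids MD5 lists only the hashes it accepts.
	sums, _ := digestUpload(strings.NewReader("constructed artifact bytes"), []string{"sha1", "sha256", "sha512"})
	fmt.Println(len(sums), sums["md5"] == "") // md5 is never computed
}
```

Because the allow list comes from the side that enforces the policy, the uploader no longer needs its own FIPS detection to agree with the server's.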