Skip to content

Fix deploy keys breaking protected branch dropdown in FIPS mode

Stan Hu requested to merge sh-fix-deploy-key-fips into master

What does this MR do and why?

In FIPS mode, if a deploy key were present, clicking on the "Allowed to push" dropdown would fail with a "Failed to load groups, users and deploy keys" message. This occurred because the JavaScript attempted to use the fingerprint attribute of the key. However, on a FIPS system, the MD5 fingerprint is not available, and the null value breaks the dropdown.

To fix this, we use the fingerprint_sha256 attribute instead. This commit also puts the SHA256 fingerprint first in the HTML views to avoid confusion.

Relates to #364562 (closed)

Screenshots or screen recordings

Protected branch dropdown

image

Project deploy key list

image

Edit project deploy key list

image

Admin deploy key list (/admin/deploy_keys)

image

How to set up and validate locally

This was first identified via this test:

FIPS_MODE=true bundle exec rspec ee/spec/features/protected_branches_spec.rb

To test this locally:

  1. In your GDK's Procfile, add FIPS_MODE=true after the rails-web: exec /usr/bin/env entry.
  2. gdk restart rails
  3. Go to a project's Settings -> Respository.
  4. Scroll down to Deploy keys.
  5. Add a deploy key with write access.
  6. Make sure the deploy key is enabled for the project.
  7. Go to Settings -> Repository -> Protected Branches.
  8. Click on Allowed to push and ensure it loads with users and deploy keys.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu

Merge request reports