Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
GitLab Bot
parent
3e20234984
commit
af9e8c5f25
2
Gemfile
2
Gemfile
|
|
@ -316,7 +316,7 @@ gem 'pg_query', '~> 2.1.0'
|
|||
gem 'premailer-rails', '~> 1.10.3'
|
||||
|
||||
# LabKit: Tracing and Correlation
|
||||
gem 'gitlab-labkit', '~> 0.22.0'
|
||||
gem 'gitlab-labkit', '~> 0.23.0'
|
||||
# Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0
|
||||
# because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900
|
||||
gem 'thrift', '>= 0.14.0'
|
||||
|
|
|
|||
|
|
@ -489,7 +489,7 @@ GEM
|
|||
fog-json (~> 1.2.0)
|
||||
mime-types
|
||||
ms_rest_azure (~> 0.12.0)
|
||||
gitlab-labkit (0.22.0)
|
||||
gitlab-labkit (0.23.0)
|
||||
actionpack (>= 5.0.0, < 7.0.0)
|
||||
activesupport (>= 5.0.0, < 7.0.0)
|
||||
grpc (>= 1.37)
|
||||
|
|
@ -1537,7 +1537,7 @@ DEPENDENCIES
|
|||
gitlab-dangerfiles (~> 3.4.0)
|
||||
gitlab-experiment (~> 0.7.1)
|
||||
gitlab-fog-azure-rm (~> 1.3.0)
|
||||
gitlab-labkit (~> 0.22.0)
|
||||
gitlab-labkit (~> 0.23.0)
|
||||
gitlab-license (~> 2.1.0)
|
||||
gitlab-license_finder (~> 6.0)
|
||||
gitlab-mail_room (~> 0.0.9)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
Gitlab::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled?
|
||||
Labkit::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled?
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class RemoveCiSecureFilesPermissionsColumn < Gitlab::Database::Migration[2.0]
|
||||
def up
|
||||
remove_column :ci_secure_files, :permissions
|
||||
end
|
||||
|
||||
def down
|
||||
add_column :ci_secure_files, :permissions, :integer, null: false, default: 0, limit: 2
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1 @@
|
|||
547c20f7e583e820093a68fa127ea530e6e2e50135e38e72246f4a400e816742
|
||||
|
|
@ -13126,7 +13126,6 @@ CREATE TABLE ci_secure_files (
|
|||
created_at timestamp with time zone NOT NULL,
|
||||
updated_at timestamp with time zone NOT NULL,
|
||||
file_store smallint DEFAULT 1 NOT NULL,
|
||||
permissions smallint DEFAULT 0 NOT NULL,
|
||||
name text NOT NULL,
|
||||
file text NOT NULL,
|
||||
checksum bytea NOT NULL,
|
||||
|
|
|
|||
|
|
@ -23,28 +23,7 @@ module Gitlab
|
|||
#
|
||||
# @return [Boolean]
|
||||
def enabled?
|
||||
# Attempt to auto-detect FIPS mode from OpenSSL
|
||||
return true if OpenSSL.fips_mode
|
||||
|
||||
# Otherwise allow it to be set manually via the env vars
|
||||
return true if ENV["FIPS_MODE"] == "true"
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
# Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
|
||||
def enable_fips_mode!
|
||||
require 'digest'
|
||||
|
||||
use_openssl_digest(:SHA2, :SHA256)
|
||||
OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def use_openssl_digest(ruby_algorithm, openssl_algorithm)
|
||||
Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
|
||||
Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
|
||||
::Labkit::FIPS.enabled?
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -48,51 +48,4 @@ RSpec.describe Gitlab::FIPS do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '.enable_fips_mode!' do
|
||||
let(:digests) { {} }
|
||||
let(:test_string) { 'abc' }
|
||||
|
||||
before do
|
||||
described_class::OPENSSL_DIGESTS.each do |digest|
|
||||
digests[digest] = Digest.const_get(digest, false)
|
||||
end
|
||||
end
|
||||
|
||||
after do
|
||||
digests.each do |name, value|
|
||||
Digest.send(:remove_const, name)
|
||||
Digest.const_set(name, value)
|
||||
end
|
||||
end
|
||||
|
||||
it 'assigns OpenSSL digests' do
|
||||
described_class.enable_fips_mode!
|
||||
|
||||
# rubocop:disable Fips/OpenSSL
|
||||
# rubocop:disable Fips/SHA1
|
||||
# rubocop:disable Layout/LineLength
|
||||
expect(Digest::SHA1).to be(OpenSSL::Digest::SHA1)
|
||||
expect(Digest::SHA2).to be(OpenSSL::Digest::SHA256)
|
||||
expect(Digest::SHA256).to be(OpenSSL::Digest::SHA256)
|
||||
expect(Digest::SHA384).to be(OpenSSL::Digest::SHA384)
|
||||
expect(Digest::SHA512).to be(OpenSSL::Digest::SHA512)
|
||||
|
||||
# From https://www.nist.gov/itl/ssd/software-quality-group/nsrl-test-data
|
||||
expect(Digest::SHA1.hexdigest(test_string)).to eq('a9993e364706816aba3e25717850c26c9cd0d89d')
|
||||
expect(Digest::SHA2.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
|
||||
expect(Digest::SHA256.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
|
||||
expect(Digest::SHA384.hexdigest(test_string)).to eq('cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7')
|
||||
expect(Digest::SHA512.hexdigest(test_string)).to eq('ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f')
|
||||
|
||||
expect(Digest::SHA1.base64digest(test_string)).to eq('qZk+NkcGgWq6PiVxeFDCbJzQ2J0=')
|
||||
expect(Digest::SHA2.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
|
||||
expect(Digest::SHA256.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
|
||||
expect(Digest::SHA384.base64digest(test_string)).to eq('ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn')
|
||||
expect(Digest::SHA512.base64digest(test_string)).to eq('3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9RU1EI2Q86A4qmslPpUyknw==')
|
||||
# rubocop:enable Fips/OpenSSL
|
||||
# rubocop:enable Fips/SHA1
|
||||
# rubocop:enable Layout/LineLength
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue