From af9e8c5f255cc1851308b7335afd768936296ed3 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Sat, 18 Jun 2022 00:09:05 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- Gemfile | 2 +- Gemfile.lock | 4 +- config/initializers/fips.rb | 2 +- ...move_ci_secure_files_permissions_column.rb | 11 +++++ db/schema_migrations/20220616222253 | 1 + db/structure.sql | 1 - lib/gitlab/fips.rb | 23 +-------- spec/lib/gitlab/fips_spec.rb | 47 ------------------- 8 files changed, 17 insertions(+), 74 deletions(-) create mode 100644 db/post_migrate/20220616222253_remove_ci_secure_files_permissions_column.rb create mode 100644 db/schema_migrations/20220616222253 diff --git a/Gemfile b/Gemfile index f04e8ca667f..195a4b2861b 100644 --- a/Gemfile +++ b/Gemfile @@ -316,7 +316,7 @@ gem 'pg_query', '~> 2.1.0' gem 'premailer-rails', '~> 1.10.3' # LabKit: Tracing and Correlation -gem 'gitlab-labkit', '~> 0.22.0' +gem 'gitlab-labkit', '~> 0.23.0' # Thrift is a dependency of gitlab-labkit, we want a version higher than 0.14.0 # because of https://gitlab.com/gitlab-org/gitlab/-/issues/321900 gem 'thrift', '>= 0.14.0' diff --git a/Gemfile.lock b/Gemfile.lock index 9c9be3b63c5..dab51a0803c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -489,7 +489,7 @@ GEM fog-json (~> 1.2.0) mime-types ms_rest_azure (~> 0.12.0) - gitlab-labkit (0.22.0) + gitlab-labkit (0.23.0) actionpack (>= 5.0.0, < 7.0.0) activesupport (>= 5.0.0, < 7.0.0) grpc (>= 1.37) @@ -1537,7 +1537,7 @@ DEPENDENCIES gitlab-dangerfiles (~> 3.4.0) gitlab-experiment (~> 0.7.1) gitlab-fog-azure-rm (~> 1.3.0) - gitlab-labkit (~> 0.22.0) + gitlab-labkit (~> 0.23.0) gitlab-license (~> 2.1.0) gitlab-license_finder (~> 6.0) gitlab-mail_room (~> 0.0.9) diff --git a/config/initializers/fips.rb b/config/initializers/fips.rb index cf9b0ff4e4d..a5b2f324e7f 100644 --- a/config/initializers/fips.rb +++ b/config/initializers/fips.rb 
@@ -1,3 +1,3 @@ # frozen_string_literal: true -Gitlab::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled? +Labkit::FIPS.enable_fips_mode! if Gitlab::FIPS.enabled? diff --git a/db/post_migrate/20220616222253_remove_ci_secure_files_permissions_column.rb b/db/post_migrate/20220616222253_remove_ci_secure_files_permissions_column.rb new file mode 100644 index 00000000000..31c559a9d44 --- /dev/null +++ b/db/post_migrate/20220616222253_remove_ci_secure_files_permissions_column.rb @@ -0,0 +1,11 @@ +# frozen_string_literal: true + +class RemoveCiSecureFilesPermissionsColumn < Gitlab::Database::Migration[2.0] + def up + remove_column :ci_secure_files, :permissions + end + + def down + add_column :ci_secure_files, :permissions, :integer, null: false, default: 0, limit: 2 + end +end diff --git a/db/schema_migrations/20220616222253 b/db/schema_migrations/20220616222253 new file mode 100644 index 00000000000..dbf34a2a8e1 --- /dev/null +++ b/db/schema_migrations/20220616222253 @@ -0,0 +1 @@ +547c20f7e583e820093a68fa127ea530e6e2e50135e38e72246f4a400e816742 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 13e48ceffa6..4b17fa31b59 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -13126,7 +13126,6 @@ CREATE TABLE ci_secure_files ( created_at timestamp with time zone NOT NULL, updated_at timestamp with time zone NOT NULL, file_store smallint DEFAULT 1 NOT NULL, - permissions smallint DEFAULT 0 NOT NULL, name text NOT NULL, file text NOT NULL, checksum bytea NOT NULL, diff --git a/lib/gitlab/fips.rb b/lib/gitlab/fips.rb index a7106dd70e9..b2c22182d4b 100644 --- a/lib/gitlab/fips.rb +++ b/lib/gitlab/fips.rb 
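Review bot: In config/initializers/fips.rb the guard and the action now come from different modules (`Gitlab::FIPS.enabled?` and `Labkit::FIPS.enable_fips_mode!`), and nothing at the call site says what the call does to the process. The implementation removed from lib/gitlab/fips.rb replaced the `Digest::SHA*` constants with their OpenSSL counterparts globally. Presumably the gem does the same, but that is not visible here, and the spec that checked the swapped digests against known vectors is deleted in spec/lib/gitlab/fips_spec.rb. A short comment would keep this visible, e.g. `# Swaps Digest::SHAx for OpenSSL::Digest::SHAx process-wide; implemented in gitlab-labkit (~> 0.23).` Keeping one local expectation such as `expect(Digest::SHA256).to be(OpenSSL::Digest::SHA256)` after the call would also catch a gem upgrade that changes this behaviour.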
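Review bot: `down` in RemoveCiSecureFilesPermissionsColumn restores only the column's shape: every row comes back with `permissions = 0`, so a rollback does not recover the values dropped by `up`. That is worth stating in the migration, for example `# Rollback is lossy: the column is recreated with default 0; prior values are not restored.` From this hunk alone it cannot be confirmed that the model already ignores the column, or that nothing reads it when deciding access to secure files. A comment pointing to the change that stopped using the column would let a reader verify that the drop is safe.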
@@ -23,28 +23,7 @@ module Gitlab # # @return [Boolean] def enabled? - # Attempt to auto-detect FIPS mode from OpenSSL - return true if OpenSSL.fips_mode - - # Otherwise allow it to be set manually via the env vars - return true if ENV["FIPS_MODE"] == "true" - - false - end - - # Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx. - def enable_fips_mode! - require 'digest' - - use_openssl_digest(:SHA2, :SHA256) - OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) } - end - - private - - def use_openssl_digest(ruby_algorithm, openssl_algorithm) - Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend - Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false)) + ::Labkit::FIPS.enabled? end end end diff --git a/spec/lib/gitlab/fips_spec.rb b/spec/lib/gitlab/fips_spec.rb index a6c9d54c0fb..4d19a44f617 100644 --- a/spec/lib/gitlab/fips_spec.rb +++ b/spec/lib/gitlab/fips_spec.rb 
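Review bot: After this change `Gitlab::FIPS.enabled?` is a bare delegation to `::Labkit::FIPS.enabled?`, so the rules that decide whether the instance runs in FIPS mode (previously `OpenSSL.fips_mode`, then `ENV["FIPS_MODE"] == "true"`) are no longer readable in this file. Deployments that rely on the `FIPS_MODE` override now depend on the gem keeping it, which cannot be confirmed from the hunk. The doc comment above `enabled?` starts outside the hunk and should say where detection lives, e.g. `# Detection is delegated to Labkit::FIPS (gitlab-labkit); see the gem for the OpenSSL and FIPS_MODE rules.` The removed `enable_fips_mode!` and the deleted spec were the only visible users of `OPENSSL_DIGESTS`, so if that constant is still defined higher in the module it is probably dead now.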
@@ -48,51 +48,4 @@ RSpec.describe Gitlab::FIPS do end end end - - describe '.enable_fips_mode!' do - let(:digests) { {} } - let(:test_string) { 'abc' } - - before do - described_class::OPENSSL_DIGESTS.each do |digest| - digests[digest] = Digest.const_get(digest, false) - end - end - - after do - digests.each do |name, value| - Digest.send(:remove_const, name) - Digest.const_set(name, value) - end - end - - it 'assigns OpenSSL digests' do - described_class.enable_fips_mode! - - # rubocop:disable Fips/OpenSSL - # rubocop:disable Fips/SHA1 - # rubocop:disable Layout/LineLength - expect(Digest::SHA1).to be(OpenSSL::Digest::SHA1) - expect(Digest::SHA2).to be(OpenSSL::Digest::SHA256) - expect(Digest::SHA256).to be(OpenSSL::Digest::SHA256) - expect(Digest::SHA384).to be(OpenSSL::Digest::SHA384) - expect(Digest::SHA512).to be(OpenSSL::Digest::SHA512) - - # From https://www.nist.gov/itl/ssd/software-quality-group/nsrl-test-data - expect(Digest::SHA1.hexdigest(test_string)).to eq('a9993e364706816aba3e25717850c26c9cd0d89d') - expect(Digest::SHA2.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad') - expect(Digest::SHA256.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad') - expect(Digest::SHA384.hexdigest(test_string)).to eq('cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7') - expect(Digest::SHA512.hexdigest(test_string)).to eq('ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f') - - expect(Digest::SHA1.base64digest(test_string)).to eq('qZk+NkcGgWq6PiVxeFDCbJzQ2J0=') - expect(Digest::SHA2.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=') - expect(Digest::SHA256.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=') - expect(Digest::SHA384.base64digest(test_string)).to 
eq('ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn') - expect(Digest::SHA512.base64digest(test_string)).to eq('3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9RU1EI2Q86A4qmslPpUyknw==') - # rubocop:enable Fips/OpenSSL - # rubocop:enable Fips/SHA1 - # rubocop:enable Layout/LineLength - end - end end