Fips compliance #4850
Draft
Fips compliance #4850
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…vvar flag that could be set manually or passed to docker to conditionally choose between 'start' and 'start:fips' Signed-off-by: Amndeep Singh Mann <[email protected]>
… set it to be scram-sha-256 instead. this overcomes the bootloop that the dockercompose was running into where nodepg would crash while trying to connect to the db due to trying to use md5 in fips land" Signed-off-by: Amndeep Singh Mann <[email protected]>
|
Kudos, SonarCloud Quality Gate passed!
|
Signed-off-by: George Dias <[email protected]>
Signed-off-by: George Dias <[email protected]>
Signed-off-by: George Dias <[email protected]>
Signed-off-by: George Dias <[email protected]>
Signed-off-by: George Dias <[email protected]>
|
SonarCloud Quality Gate failed.
|
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1481.0 to 2.1482.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Commits](aws/aws-sdk-js@v2.1481.0...v2.1482.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@types/passport-jwt](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/passport-jwt) from 3.0.11 to 3.0.12. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/passport-jwt) --- updated-dependencies: - dependency-name: "@types/passport-jwt" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [browserify-sign](https://github.com/crypto-browserify/browserify-sign) from 4.2.1 to 4.2.2. - [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md) - [Commits](browserify/browserify-sign@v4.2.1...v4.2.2) --- updated-dependencies: - dependency-name: browserify-sign dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 7.1.2 to 7.1.3. - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Changelog](https://github.com/express-rate-limit/express-rate-limit/blob/main/changelog.md) - [Commits](express-rate-limit/express-rate-limit@v7.1.2...v7.1.3) --- updated-dependencies: - dependency-name: express-rate-limit dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [axios](https://github.com/axios/axios) from 1.5.1 to 1.6.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.5.1...v1.6.0) --- updated-dependencies: - dependency-name: axios dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [eslint-plugin-vue](https://github.com/vuejs/eslint-plugin-vue) from 9.18.0 to 9.18.1. - [Release notes](https://github.com/vuejs/eslint-plugin-vue/releases) - [Commits](vuejs/eslint-plugin-vue@v9.18.0...v9.18.1) --- updated-dependencies: - dependency-name: eslint-plugin-vue dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1482.0 to 2.1483.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Commits](aws/aws-sdk-js@v2.1482.0...v2.1483.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@nestjs/schematics](https://github.com/nestjs/schematics) from 10.0.2 to 10.0.3. - [Release notes](https://github.com/nestjs/schematics/releases) - [Changelog](https://github.com/nestjs/schematics/blob/master/.release-it.json) - [Commits](nestjs/schematics@10.0.2...10.0.3) --- updated-dependencies: - dependency-name: "@nestjs/schematics" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [core-js](https://github.com/zloirock/core-js/tree/HEAD/packages/core-js) from 3.33.1 to 3.33.2. - [Release notes](https://github.com/zloirock/core-js/releases) - [Changelog](https://github.com/zloirock/core-js/blob/master/CHANGELOG.md) - [Commits](https://github.com/zloirock/core-js/commits/v3.33.2/packages/core-js) --- updated-dependencies: - dependency-name: core-js dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [cypress](https://github.com/cypress-io/cypress) from 13.3.3 to 13.4.0. - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](cypress-io/cypress@v13.3.3...v13.4.0) --- updated-dependencies: - dependency-name: cypress dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1483.0 to 2.1484.0. - [Release notes](https://github.com/aws/aws-sdk-js/releases) - [Commits](aws/aws-sdk-js@v2.1483.0...v2.1484.0) --- updated-dependencies: - dependency-name: aws-sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@nestjs/cli](https://github.com/nestjs/nest-cli) from 10.2.0 to 10.2.1. - [Release notes](https://github.com/nestjs/nest-cli/releases) - [Changelog](https://github.com/nestjs/nest-cli/blob/master/.release-it.json) - [Commits](nestjs/nest-cli@10.2.0...10.2.1) --- updated-dependencies: - dependency-name: "@nestjs/cli" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [typedoc](https://github.com/TypeStrong/TypeDoc) from 0.25.2 to 0.25.3. - [Release notes](https://github.com/TypeStrong/TypeDoc/releases) - [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md) - [Commits](TypeStrong/typedoc@v0.25.2...v0.25.3) --- updated-dependencies: - dependency-name: typedoc dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Bumps [oauth2-mock-server](https://github.com/axa-group/oauth2-mock-server) from 7.0.0 to 7.1.1. - [Release notes](https://github.com/axa-group/oauth2-mock-server/releases) - [Changelog](https://github.com/axa-group/oauth2-mock-server/blob/master/CHANGELOG.md) - [Commits](axa-group/oauth2-mock-server@v7.0.0...v7.1.1) --- updated-dependencies: - dependency-name: oauth2-mock-server dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
* Updated documentation to include all of the existing envvars, re-ordered them a bit, and included some more information like which have default values. Also already updated the wiki page. Signed-off-by: Amndeep Singh Mann <[email protected]> * added support for LDAPS and appropriate envvars Signed-off-by: Amndeep Singh Mann <[email protected]> * after doing further research, I think you're only supposed to pass the ca certs and not any of the rest. also simplified the sslconfig function to hopefully appease sonarqube Signed-off-by: Amndeep Singh Mann <[email protected]> * moved the external_url variable to a better section Signed-off-by: Amndeep Singh Mann <[email protected]> * fixed bug where if you provided the raw cert, it would still check to see if it was a path to a file and then fail due to it being a cert instead Signed-off-by: Amndeep Singh Mann <[email protected]> * protocol name changes when using ldaps Signed-off-by: Amndeep Singh Mann <[email protected]> * sonarqube said to use nullish coalescing operator but that wouldn't make sense since we want the empty string to be replaced by the default value of 389. swapping it to be a string as well should help. Signed-off-by: Amndeep Singh Mann <[email protected]> --------- Signed-off-by: Amndeep Singh Mann <[email protected]> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
|
This pull request has a conflict. Could you fix it @Amndeep7? |
Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
…ng it so i'd rather just explicitly check for both Signed-off-by: Amndeep Singh Mann <[email protected]>
|
|
This pull request has a conflict. Could you fix it @Amndeep7? |
1 similar comment
|
This pull request has a conflict. Could you fix it @Amndeep7? |
… supplies types by itself Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
|
Signed-off-by: Amndeep Singh Mann <[email protected]>
|
This pull request has a conflict. Could you fix it @Amndeep7? |
Amndeep7
added a commit
that referenced
this pull request
Sep 30, 2024
Signed-off-by: Amndeep Singh Mann <[email protected]>
Amndeep7
added a commit
that referenced
this pull request
Sep 30, 2024
Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
Amndeep7
added a commit
that referenced
this pull request
Sep 30, 2024
6e4acd4 in #4850 Signed-off-by: Amndeep Singh Mann <[email protected]>
Amndeep7
added a commit
that referenced
this pull request
Sep 30, 2024
* Backend changes excluding the @heimdall/common and crypto changes as of 6e4acd4 in #4850 Signed-off-by: Amndeep Singh Mann <[email protected]> * lint Signed-off-by: Amndeep Singh Mann <[email protected]> --------- Signed-off-by: Amndeep Singh Mann <[email protected]>
Signed-off-by: Amndeep Singh Mann <[email protected]>
|
Amndeep7
added a commit
that referenced
this pull request
Oct 1, 2024
… of 683b822 in #4850 Signed-off-by: Amndeep Singh Mann <[email protected]>
aaronlippold
pushed a commit
that referenced
this pull request
Nov 20, 2024
Signed-off-by: Amndeep Singh Mann <[email protected]>
aaronlippold
pushed a commit
that referenced
this pull request
Nov 20, 2024
* Backend changes excluding the @heimdall/common and crypto changes as of 6e4acd4 in #4850 Signed-off-by: Amndeep Singh Mann <[email protected]> * lint Signed-off-by: Amndeep Singh Mann <[email protected]> --------- Signed-off-by: Amndeep Singh Mann <[email protected]>
|
This pull request has a conflict. Could you fix it @Amndeep7? |
em-c-rod
reviewed
Jan 17, 2025
| @@ -14,6 +14,8 @@ services: | |||
| - POSTGRES_DB=heimdall-server-production | |||
| - POSTGRES_PASSWORD=${DATABASE_PASSWORD} | |||
| - PGDATA=/var/lib/postgresql/data/pgdata | |||
| - POSTGRES_HOST_AUTH_METHOD="scram-sha-256" | |||
| - POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 | |||
There was a problem hiding this comment.
Is this sufficient for having "FIPS enabled Postgres"?
Communicate this in the helm chart and the docs.
Action item here:
- Add an issue to Heimdall-helm to make sure these variable is passed through as options for the helm chart
- Add some documentation for Heimdall users about needing to use a FIPs enabled database.
em-c-rod
reviewed
Jan 17, 2025
| @@ -20,6 +20,7 @@ | |||
| "start": "node dist/src/main", | |||
| "start:debug": "nest start --debug --watch", | |||
| "start:dev": "nest start --watch", | |||
| "start:fips": "node --force-fips dist/src/main", | |||
There was a problem hiding this comment.
Forcing node to use fips compliant algorithms will cause nodejs to use the system provided cryptography module, in this case openssl because that is the fips approved module on the image used to build Heimdall, in this case ubi8. This requires the use of native api
em-c-rod
reviewed
Jan 17, 2025
| newApiKey.apiKey = await hashAndSaltPassword( | ||
| JWTSignature, | ||
| !( | ||
| this.configService.get('USE_NEW_ENCRYPTION_STRATEGY')?.toLowerCase() === |
There was a problem hiding this comment.
USE_NEW_ENCRYPTION_STRATEGY can be renamed, but is the concept of setting Heimdall to be FIPS enabled
em-c-rod
reviewed
Jan 17, 2025
| @@ -1,11 +1,11 @@ | |||
| 'use strict'; | |||
There was a problem hiding this comment.
Can rename this file for the appropriate date
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #4145