From 10b129a02ea7cc9eb27a180c6365993eaba5a6d1 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Thu, 14 Aug 2025 19:36:15 -0300
Subject: [PATCH] fix(crypto): replace fips140 calls with fips calls BE-11979 (#1033)
---
 api/crypto/tls.go | 11 ++++-------
 api/docker/client/client_test.go | 4 ++++
 api/git/azure_test.go | 5 +++++
 api/hostmanagement/openamt/openamt_test.go | 4 ++++
 api/http/client/client_test.go | 3 +++
 api/http/handler/helm/helm_repo_search_test.go | 1 +
 api/http/handler/websocket/initdial_test.go | 3 +++
 .../proxy/factory/kubernetes/local_transport_test.go | 4 ++++
 api/ldap/ldap_test.go | 3 +++
 api/stacks/deployments/deploy_test.go | 3 +++
 pkg/networking/diagnostics_test.go | 4 ++++
 11 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/api/crypto/tls.go b/api/crypto/tls.go
index d6b7c3b09..4006d7783 100644
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -1,18 +1,17 @@
 package crypto
 
 import (
- "crypto/fips140"
 "crypto/tls"
 "crypto/x509"
 "os"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/pkg/fips"
 )
 
 // CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
 func CreateTLSConfiguration(insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
- // TODO: use fips.FIPSMode() instead
- return createTLSConfiguration(fips140.Enabled(), insecureSkipVerify)
+ return createTLSConfiguration(fips.FIPSMode(), insecureSkipVerify)
 }
 
 func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
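Review bot: The FIPS profile for the returned tls.Config is now chosen from the project-level `fips.FIPSMode()` instead of the runtime's `fips140.Enabled()`, and nothing on this page ties the two together; the test hunks show the project flag is set explicitly through `fips.InitFIPS(bool)`, so it can presumably be true on a binary whose Go crypto module is not in FIPS mode (or false when it is), in which case the TLS policy selected here would not match what the underlying crypto enforces. The exported function should state that dependency, e.g. `// CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings. The FIPS profile is taken from fips.FIPSMode(), so fips.InitFIPS must have run before this is called.`, and if the two sources can legitimately diverge, a start-up check that logs or refuses the mismatch is worth adding in the fips package rather than here. The same replacement is made in the CreateTLSConfigurationFromBytes and CreateTLSConfigurationFromDisk hunks below and the same comment applies to them. The body of createTLSConfiguration begins on the last line of this hunk and continues outside it.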
@@ -58,8 +57,7 @@ func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Conf
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
- // TODO: use fips.FIPSMode() instead
- return createTLSConfigurationFromBytes(fips140.Enabled(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
+ return createTLSConfigurationFromBytes(fips.FIPSMode(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
 }
 
 func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
@@ -90,8 +88,7 @@ func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
 func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
- // TODO: use fips.FIPSMode() instead
- return createTLSConfigurationFromDisk(fips140.Enabled(), config)
+ return createTLSConfigurationFromDisk(fips.FIPSMode(), config)
 }
 
 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
diff --git a/api/docker/client/client_test.go b/api/docker/client/client_test.go
index 4d7f767e0..ff0de82d1 100644
--- a/api/docker/client/client_test.go
+++ b/api/docker/client/client_test.go
@@ -4,10 +4,14 @@ import (
 "testing"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/pkg/fips"
+
 "github.com/stretchr/testify/require"
 )
 
 func TestHttpClient(t *testing.T) {
+ fips.InitFIPS(false)
+
 // Valid TLS configuration
 endpoint := &portainer.Endpoint{}
 endpoint.TLSConfig = portainer.TLSConfiguration{TLS: true}
diff --git a/api/git/azure_test.go b/api/git/azure_test.go
index 2cb073c59..0280cf2df 100644
--- a/api/git/azure_test.go
+++ b/api/git/azure_test.go
@@ -8,6 +8,7 @@ import (
 "testing"
 
 gittypes "github.com/portainer/portainer/api/git/types"
+ "github.com/portainer/portainer/pkg/fips"
 "github.com/stretchr/testify/assert"
 )
 
@@ -234,6 +235,8 @@ func Test_isAzureUrl(t *testing.T) {
 }
 
 func Test_azureDownloader_downloadZipFromAzureDevOps(t *testing.T) {
+ fips.InitFIPS(false)
+
 type args struct {
 options baseOption
 }
@@ -308,6 +311,8 @@ func Test_azureDownloader_downloadZipFromAzureDevOps(t *testing.T) {
 }
 
 func Test_azureDownloader_latestCommitID(t *testing.T) {
+ fips.InitFIPS(false)
+
 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 response := `{
 "count": 1,
diff --git a/api/hostmanagement/openamt/openamt_test.go b/api/hostmanagement/openamt/openamt_test.go
index a3bfad49d..d3c006018 100644
--- a/api/hostmanagement/openamt/openamt_test.go
+++ b/api/hostmanagement/openamt/openamt_test.go
@@ -4,10 +4,14 @@ import (
 "net/http"
 "testing"
 
+ "github.com/portainer/portainer/pkg/fips"
+
 "github.com/stretchr/testify/require"
 )
 
 func TestNewService(t *testing.T) {
+ fips.InitFIPS(false)
+
 service := NewService(true)
 require.NotNil(t, service)
 require.True(t, service.httpsClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
diff --git a/api/http/client/client_test.go b/api/http/client/client_test.go
index fcdfef2e2..728ece8f2 100644
--- a/api/http/client/client_test.go
+++ b/api/http/client/client_test.go
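Review bot: `fips.InitFIPS(false)` is added at the top of individual test functions (TestHttpClient here, and likewise in the azure, openamt, http client, websocket, kubernetes transport, ldap, deployments and networking test hunks of this commit), which makes every other test in those packages depend on which test happened to run first, and this page does not show whether InitFIPS is idempotent or safe to call concurrently with tests that use t.Parallel. A per-package `func TestMain(m *testing.M) { fips.InitFIPS(false); os.Exit(m.Run()) }` would initialize the mode once for the whole package and keep the individual tests free of process-global setup. Since every call passes false, none of these tests covers the FIPS-enabled branch of the TLS configuration; the unexported `createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool)` in api/crypto/tls.go takes the mode as a parameter and could be exercised directly with `true` to pin the restricted profile.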
@@ -6,11 +6,14 @@ import (
 "testing"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/pkg/fips"
 
 "github.com/stretchr/testify/require"
 )
 
 func TestExecutePingOperationFailure(t *testing.T) {
+ fips.InitFIPS(false)
+
 host := "http://localhost:1"
 config := portainer.TLSConfiguration{
 TLS: true,
diff --git a/api/http/handler/helm/helm_repo_search_test.go b/api/http/handler/helm/helm_repo_search_test.go
index aec355e23..e2815e1a4 100644
--- a/api/http/handler/helm/helm_repo_search_test.go
+++ b/api/http/handler/helm/helm_repo_search_test.go
@@ -9,6 +9,7 @@ import (
 
 "github.com/portainer/portainer/api/internal/testhelpers"
 "github.com/portainer/portainer/pkg/libhelm/test"
+
 "github.com/stretchr/testify/assert"
 )
 
diff --git a/api/http/handler/websocket/initdial_test.go b/api/http/handler/websocket/initdial_test.go
index 7cf34ba39..68569958e 100644
--- a/api/http/handler/websocket/initdial_test.go
+++ b/api/http/handler/websocket/initdial_test.go
@@ -7,11 +7,14 @@ import (
 "testing"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/pkg/fips"
 
 "github.com/stretchr/testify/require"
 )
 
 func TestInitDial(t *testing.T) {
+ fips.InitFIPS(false)
+
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 defer srv.Close()
 
diff --git a/api/http/proxy/factory/kubernetes/local_transport_test.go b/api/http/proxy/factory/kubernetes/local_transport_test.go
index c39288b17..855300b98 100644
--- a/api/http/proxy/factory/kubernetes/local_transport_test.go
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@@ -3,10 +3,14 @@ package kubernetes
 import (
 "testing"
 
+ "github.com/portainer/portainer/pkg/fips"
+
 "github.com/stretchr/testify/require"
 )
 
 func TestNewLocalTransport(t *testing.T) {
+ fips.InitFIPS(false)
+
 transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
 require.NoError(t, err)
 require.True(t, transport.httpTransport.TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
diff --git a/api/ldap/ldap_test.go b/api/ldap/ldap_test.go
index e815c0780..1e791f351 100644
--- a/api/ldap/ldap_test.go
+++ b/api/ldap/ldap_test.go
@@ -7,11 +7,14 @@ import (
 "testing"
 
 portainer "github.com/portainer/portainer/api"
+ "github.com/portainer/portainer/pkg/fips"
 
 "github.com/stretchr/testify/require"
 )
 
 func TestCreateConnectionForURL(t *testing.T) {
+ fips.InitFIPS(false)
+
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 defer srv.Close()
 
diff --git a/api/stacks/deployments/deploy_test.go b/api/stacks/deployments/deploy_test.go
index 4518a8a82..b7015be01 100644
--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/portainer/portainer/api/datastore"
 gittypes "github.com/portainer/portainer/api/git/types"
 "github.com/portainer/portainer/api/internal/testhelpers"
+ "github.com/portainer/portainer/pkg/fips"
 "github.com/portainer/portainer/pkg/libhttp/response"
 "github.com/stretchr/testify/assert"
 
@@ -203,6 +204,8 @@ func Test_redeployWhenChanged_DoesNothingWhenNoGitChanges(t *testing.T) {
 }
 
 func Test_redeployWhenChanged_FailsWhenCannotClone(t *testing.T) {
+ fips.InitFIPS(false)
+
 cloneErr := errors.New("failed to clone")
 
 _, store := datastore.MustNewTestStore(t, true, true)
diff --git a/pkg/networking/diagnostics_test.go b/pkg/networking/diagnostics_test.go
index 33c270be4..24963b554 100644
--- a/pkg/networking/diagnostics_test.go
+++ b/pkg/networking/diagnostics_test.go
@@ -5,6 +5,8 @@ import (
 "strings"
 "testing"
 "time"
+
+ "github.com/portainer/portainer/pkg/fips"
 )
 
 // Response structs for each function
@@ -110,6 +112,8 @@ func TestProbeTelnetConnection(t *testing.T) {
 }
 
 func TestDetectProxy(t *testing.T) {
+ fips.InitFIPS(false)
+
 tests := []struct {
 name string
 url string