fix(crypto): replace fips140 calls with fips calls BE-11979 (#1033)

2025-08-14 19:36:15 -03:00 · 2025-08-14 19:36:15 -03:00 · 10b129a02e
parent 129b9d5db9
commit 10b129a02e
11 changed files with 38 additions and 7 deletions
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@ -1,18 +1,17 @@
 package crypto

 import (
-	"crypto/fips140"
 	"crypto/tls"
 	"crypto/x509"
 	"os"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"
 )

 // CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
 func CreateTLSConfiguration(insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfiguration(fips140.Enabled(), insecureSkipVerify)
+	return createTLSConfiguration(fips.FIPSMode(), insecureSkipVerify)
 }

 func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
@ -58,8 +57,7 @@ func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Conf
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfigurationFromBytes(fips140.Enabled(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
+	return createTLSConfigurationFromBytes(fips.FIPSMode(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
 }

 func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
@ -90,8 +88,7 @@ func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
 func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfigurationFromDisk(fips140.Enabled(), config)
+	return createTLSConfigurationFromDisk(fips.FIPSMode(), config)
 }

 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
--- a/api/docker/client/client_test.go
+++ b/api/docker/client/client_test.go
@ -4,10 +4,14 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"
+
 	"github.com/stretchr/testify/require"
 )

 func TestHttpClient(t *testing.T) {
+	fips.InitFIPS(false)
+
 	// Valid TLS configuration
 	endpoint := &portainer.Endpoint{}
 	endpoint.TLSConfig = portainer.TLSConfiguration{TLS: true}
--- a/api/git/azure_test.go
+++ b/api/git/azure_test.go
@ -8,6 +8,7 @@ import (
 	"testing"

 	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/portainer/portainer/pkg/fips"
 	"github.com/stretchr/testify/assert"
 )

@ -234,6 +235,8 @@ func Test_isAzureUrl(t *testing.T) {
 }

 func Test_azureDownloader_downloadZipFromAzureDevOps(t *testing.T) {
+	fips.InitFIPS(false)
+
 	type args struct {
 		options baseOption
 	}
@ -308,6 +311,8 @@ func Test_azureDownloader_downloadZipFromAzureDevOps(t *testing.T) {
 }

 func Test_azureDownloader_latestCommitID(t *testing.T) {
+	fips.InitFIPS(false)
+
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		response := `{
 		  "count": 1,
--- a/api/hostmanagement/openamt/openamt_test.go
+++ b/api/hostmanagement/openamt/openamt_test.go
@ -4,10 +4,14 @@ import (
 	"net/http"
 	"testing"

+	"github.com/portainer/portainer/pkg/fips"
+
 	"github.com/stretchr/testify/require"
 )

 func TestNewService(t *testing.T) {
+	fips.InitFIPS(false)
+
 	service := NewService(true)
 	require.NotNil(t, service)
 	require.True(t, service.httpsClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
--- a/api/http/client/client_test.go
+++ b/api/http/client/client_test.go
@ -6,11 +6,14 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/require"
 )

 func TestExecutePingOperationFailure(t *testing.T) {
+	fips.InitFIPS(false)
+
 	host := "http://localhost:1"
 	config := portainer.TLSConfiguration{
 		TLS:           true,
--- a/api/http/handler/helm/helm_repo_search_test.go
+++ b/api/http/handler/helm/helm_repo_search_test.go
@ -9,6 +9,7 @@ import (

 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/pkg/libhelm/test"
+
 	"github.com/stretchr/testify/assert"
 )

--- a/api/http/handler/websocket/initdial_test.go
+++ b/api/http/handler/websocket/initdial_test.go
@ -7,11 +7,14 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/require"
 )

 func TestInitDial(t *testing.T) {
+	fips.InitFIPS(false)
+
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 	defer srv.Close()

--- a/api/http/proxy/factory/kubernetes/local_transport_test.go
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@ -3,10 +3,14 @@ package kubernetes
 import (
 	"testing"

+	"github.com/portainer/portainer/pkg/fips"
+
 	"github.com/stretchr/testify/require"
 )

 func TestNewLocalTransport(t *testing.T) {
+	fips.InitFIPS(false)
+
 	transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
 	require.NoError(t, err)
 	require.True(t, transport.httpTransport.TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
--- a/api/ldap/ldap_test.go
+++ b/api/ldap/ldap_test.go
@ -7,11 +7,14 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/require"
 )

 func TestCreateConnectionForURL(t *testing.T) {
+	fips.InitFIPS(false)
+
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 	defer srv.Close()

--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@ -14,6 +14,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/pkg/fips"
 	"github.com/portainer/portainer/pkg/libhttp/response"

 	"github.com/stretchr/testify/assert"
@ -203,6 +204,8 @@ func Test_redeployWhenChanged_DoesNothingWhenNoGitChanges(t *testing.T) {
 }

 func Test_redeployWhenChanged_FailsWhenCannotClone(t *testing.T) {
+	fips.InitFIPS(false)
+
 	cloneErr := errors.New("failed to clone")
 	_, store := datastore.MustNewTestStore(t, true, true)

--- a/pkg/networking/diagnostics_test.go
+++ b/pkg/networking/diagnostics_test.go
@ -5,6 +5,8 @@ import (
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/portainer/portainer/pkg/fips"
 )

 // Response structs for each function
@ -110,6 +112,8 @@ func TestProbeTelnetConnection(t *testing.T) {
 }

 func TestDetectProxy(t *testing.T) {
+	fips.InitFIPS(false)
+
 	tests := []struct {
 		name           string
 		url            string