Install fips compatible version of django

fixes #6988
https://pulp.plan.io/issues/6988

Co-authored-by: bmbouter <bmbouter@gmail.com>

CHANGES/6988.feature

@@ -0,0 +1 @@
+Install patched dependencies that are modified for FIPS compatibility on Red Hat based operating systems. Additionally remove ``md5`` from the ``ALLOWED_CONTENT_CHECKSUMS`` setting. Users can override the ``ALLOWED_CONTENT_CHECKSUMS`` if a new value is provided.

docs/fips.md

@@ -0,0 +1,12 @@
+FIPS
+====
+
+When `ansible` detects that the target node to run in a FIPS enviroment, the installer will adjust
+some aspects of the installation:
+
+1. If installing from `PyPi`, the installer will fetch a specially patched version of `django`.
+  The same version will be provided packaged as rpm.
+
+2. A default for `allowed_content_checksums` will be set that does not include `MD5`. You might
+  consider adjusting that value to the site specific recommendations in your playbooks variable
+  `pulp_settings`.

mkdocs.yml

@@ -11,6 +11,7 @@ nav:
   - Getting started: quickstart.md
   - contributing.md
   - Let's Encrypt: letsencrypt.md
+  - FIPS: fips.md
   - Changelog: CHANGES.md
   - Roles:
       - Pulp Common: roles/pulp_common.md

roles/pulp_common/tasks/install_pip.yml

@@ -132,6 +132,14 @@
         virtualenv_command: '{{ pulp_python_interpreter }} -m venv'
       when: prereq_pip_packages | length > 0
 
+    - name: Install patched versions of dependencies (FIPS only)
+      pip:
+        name:
+          - git+https://github.com/mdellweg/django.git@fips
+        virtualenv: '{{ pulp_install_dir }}'
+        virtualenv_command: '{{ pulp_python_interpreter }} -m venv'
+      when: ansible_fips
+
     - name: Install pulpcore via PyPI
       pip:
         name: pulpcore
@@ -191,9 +199,9 @@
         virtualenv_command: '{{ pulp_python_interpreter }} -m venv'
       when: pip_pkgs.packages[pulp_install_dir + '/bin/pip'].dynaconf[0].version is version("3.1.1", "<")
 
-    - name: Create constraints file to lock the pulpcore version when plugins are installed
-      copy:
-        content: "pulpcore=={{ pip_pkgs.packages[pulp_install_dir + '/bin/pip'].pulpcore[0].version }}\n"
+    - name: Create constraints file to lock the django and pulpcore version when plugins are installed
+      template:
+        src: "pip_constraints_for_plugins.txt.j2"
         dest: "{{ pulp_install_dir }}/pip_constraints_for_plugins.txt"
 
     - name: Install Pulp plugins via PyPI

roles/pulp_common/templates/pip_constraints_for_plugins.txt.j2

@@ -0,0 +1,4 @@
+{% if ansible_fips -%}
+Django=={{ pip_pkgs.packages[pulp_install_dir + '/bin/pip'].Django[0].version }}
+{% endif %}
+pulpcore=={{ pip_pkgs.packages[pulp_install_dir + '/bin/pip'].pulpcore[0].version }}

roles/pulp_common/vars/main.yml

@@ -11,7 +11,7 @@ pulp_install_plugins_normalized_yml: |-
 # pip/PyPI only uses dashes, not underscores.
 pulp_install_plugins_normalized: "{{ pulp_install_plugins_normalized_yml | from_yaml }}"
 pulp_certs_dir: "{{ pulp_config_dir }}/certs"
-# Users should not set this variable, instead using `pulp_settings`
+# Users should not set these variables, but instead use `pulp_settings`
 __pulp_common_pulp_settings_defaults:
   databases:
     default:
@@ -24,4 +24,11 @@ __pulp_common_pulp_settings_defaults:
   public_key_path: "{{ pulp_certs_dir }}/token_public_key.pem"
   token_server: "https://{{ ansible_facts.fqdn }}/token"
   token_signature_algorithm: ES256
-__pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults|combine(pulp_settings, recursive=True) }}"
+__pulp_common_pulp_settings_fips_defaults:
+  allowed_content_checksums:
+    - sha1
+    - sha224
+    - sha256
+    - sha384
+    - sha512
+__pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults | combine(ansible_fips | ternary(__pulp_common_pulp_settings_fips_defaults, {}), pulp_settings, recursive=True) }}"