FIPS Django now manually patch when using pulp_devel

fixes: #8258
pulp · Mar 8, 2021 · ae47f49 · ae47f49
1 parent 9305663
commit ae47f49
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 31 deletions.
diff --git a/CHANGES/8258.dev b/CHANGES/8258.dev
@@ -0,0 +1 @@
+The dev role patches Django to allow continued FIPS compatibility development within Pulp in preparation for Django to add FIPS support at some point.
diff --git a/CHANGES/8258.removal b/CHANGES/8258.removal
@@ -0,0 +1 @@
+FIPS support is removed due to Django (a dependency of Pulp) not being FIPS compatible.
diff --git a/docs/fips.md b/docs/fips.md
diff --git a/roles/pulp_common/tasks/install_pip.yml b/roles/pulp_common/tasks/install_pip.yml
@@ -194,14 +194,6 @@
         virtualenv_command: '{{ pulp_python_interpreter }} -m venv'
       when: prereq_pip_packages | length > 0
 
-    - name: Install patched versions of dependencies (FIPS only)
-      pip:
-        name:
-          - git+https://github.com/pulp/django.git@fips
-        virtualenv: '{{ pulp_install_dir }}'
-        virtualenv_command: '{{ pulp_python_interpreter }} -m venv'
-      when: ansible_fips
-
     - name: Install pulpcore via PyPI
       pip:
         name: pulpcore
@@ -250,6 +242,16 @@
         clients: "{{ pulp_install_dir }}/bin/pip"
       register: pip_pkgs
 
+    - name: Patch md5usedforsecurity in Django (devel only)
+      shell: |
+        django_location=$({{ pulp_install_dir }}/bin/pip3 show Django | grep Location | cut -d' ' -f2)
+        sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"
+      when:
+        - "'pulp_devel' in role_names"
+        - ansible_facts.distribution in ['RedHat', 'CentOS'] or ansible_facts.python_version is version('3.9', '>=')
+      check_mode: false
+      changed_when: false
+
     # Needed because dynaconf bundles box, but dynaconf<3.1.1 conflicts with normally installed
     # box.
     - name: Upgrade dynaconf to 3.1.1rc2 pre-release if it is older than 3.1.1

diff --git a/roles/pulp_common/tasks/main.yml b/roles/pulp_common/tasks/main.yml
@@ -32,6 +32,15 @@
   loop_control:
     loop_var: __pulp_common_req_var
 
+- name: Check required roles if FIPS detected
+  assert:
+    that:
+      - "'pulp_devel' in role_names"
+    fail_msg: >
+      Pulp cannot run in a FIPS environment because Django (a dependency) is not FIPS
+      compatible
+  when: ansible_facts.fips
+
 - name: Load OS specific variables
   include_vars: "{{ lookup('first_found', params) }}"
   vars:

diff --git a/roles/pulp_common/templates/pip_constraints_for_plugins.txt.j2 b/roles/pulp_common/templates/pip_constraints_for_plugins.txt.j2
@@ -1,4 +1 @@
-{% if ansible_fips -%}
-Django=={{ pip_pkgs.packages[pulp_install_dir + '/bin/pip'].Django[0].version }}
-{% endif %}
 pulpcore=={{ pip_pkgs.packages[pulp_install_dir + '/bin/pip'].pulpcore[0].version }}
diff --git a/roles/pulp_common/vars/main.yml b/roles/pulp_common/vars/main.yml
@@ -33,14 +33,8 @@ __pulp_common_pulp_settings_defaults:
   public_key_path: "{{ pulp_certs_dir }}/token_public_key.pem"
   token_server: "{{ pulp_webserver_disable_https | default(false) | ternary('http', 'https') }}://{{ ansible_facts.fqdn }}/token"
   token_signature_algorithm: ES256
-__pulp_common_pulp_settings_fips_defaults:
-  allowed_content_checksums:
-    - sha1
-    - sha224
-    - sha256
-    - sha384
-    - sha512
-__pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults | combine(ansible_fips | ternary(__pulp_common_pulp_settings_fips_defaults, {}), pulp_settings, recursive=True) }}"
+
+__pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults | combine(pulp_settings, recursive=True) }}"
 
 __pulp_version: '{{ pulpcore_version | default("3.10.0") }}'