Fips compliance #4850

Draft: wants to merge 232 commits into master
Conversation

@Amndeep7 (Contributor) commented Aug 22, 2023

Resolves #4145

  • OS is FIPS compliant: RHEL's UBI8 docker container satisfies this and is accredited
  • Node is FIPS compliant: The UBI8 container variant that we're using built Node with the options required to be FIPS compliant
  • Run Node in FIPS compliant mode: You can pass in the flag to enable or force FIPS compliance. Using force to avoid the possibility of FIPS mode being disabled
  • Connect to the Postgres DB using a FIPS compliant algorithm: Postgres v<=13 by default uses a password authentication method (https://www.postgresql.org/docs/13/auth-password.html ; https://hub.docker.com/_/postgres then look for POSTGRES_HOST_AUTH_METHOD) that uses md5. MD5 is not a FIPS compliant algorithm. Force Postgres to start up in and use SHA256 instead.
  • (Optional) Swap out the Postgres in the docker-compose to be a variant that is FIPS compliant: Marked as optional since the user ought to supply a FIPS compliant Postgres, but would be useful for testing.
  • Replace usages of the bcrypt algorithm (i.e. what is used by bcryptjs, which is the cryptography library we're currently using) or any other non-FIPS approved algorithm with FIPS approved algorithms via a wrapper library around approved sources like the built-in crypto library and WebCryptoAPI: The higher numbered SHA family is usually recommended (https://csrc.nist.gov/projects/cryptographic-module-validation-program/sp-800-140-series-supplemental-information/sp800-140c); WebCryptoAPI may only be able to be used on TLS connections so that might impact ex. the fingerprinted autoconvert functionality
  • (Optional) Swap out the NGINX in the docker-compose to be a variant that is FIPS compliant: Marked as optional since the user ought to supply a FIPS compliant reverse proxy, but would be useful for testing.
  • Exhaustively test to make sure that we don't run into any issues: there doesn't seem to be a way to statically check that we're FIPS compliant, so need to address runtime issues as they show up.
    • Test components as per Utilize FIPS-validated cryptographic modules #4145 (comment) - probably will break this subtask out into more subtasks
    • Set up FIPS compliant testing VM (so that the host, applications, and browser are all running in FIPS compliant mode)
    • Automate testing: Cypress sucks, let's do the swap to Playwright
  • Update docs
  • Create transition process for moving passwords hashed with bcrypt to passwords hashed with sha256 (and also salted with something? https://stackoverflow.com/questions/59777670/how-can-i-hash-a-string-with-sha256-in-js) (or just make the admin do some db fun to update the admin's password and then force reset everyone's passwords): https://stackoverflow.com/questions/1533744/how-to-upgrade-a-password-storage-scheme-change-hashing-algorithm
  • Create transition process for moving apikeys hashed with bcrypt to apikeys hashed with sha256 (and also salted with something?) (or just cull them all and force the users to regen all of them)
  • Validate that JWS is using SHA256 underneath the hood

…vvar flag that could be set manually or passed to docker to conditionally choose between 'start' and 'start:fips'

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
… set it to be scram-sha-256 instead. This overcomes the bootloop that the docker-compose was running into, where nodepg would crash while trying to connect to the db due to trying to use md5 in FIPS land

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
sonarcloud bot commented Aug 22, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

No coverage information
0.0% duplication

Amndeep7 and others added 6 commits October 26, 2023 13:23
sonarcloud bot commented Nov 1, 2023

SonarCloud Quality Gate failed.

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 2 Code Smells

No coverage information
0.0% duplication

dependabot bot and others added 17 commits December 24, 2023 23:45
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1481.0 to 2.1482.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Commits](aws/aws-sdk-js@v2.1481.0...v2.1482.0)

---
updated-dependencies:
- dependency-name: aws-sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@types/passport-jwt](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/passport-jwt) from 3.0.11 to 3.0.12.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/passport-jwt)

---
updated-dependencies:
- dependency-name: "@types/passport-jwt"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [browserify-sign](https://github.com/crypto-browserify/browserify-sign) from 4.2.1 to 4.2.2.
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.2.1...v4.2.2)

---
updated-dependencies:
- dependency-name: browserify-sign
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 7.1.2 to 7.1.3.
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Changelog](https://github.com/express-rate-limit/express-rate-limit/blob/main/changelog.md)
- [Commits](express-rate-limit/express-rate-limit@v7.1.2...v7.1.3)

---
updated-dependencies:
- dependency-name: express-rate-limit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [axios](https://github.com/axios/axios) from 1.5.1 to 1.6.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.5.1...v1.6.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [eslint-plugin-vue](https://github.com/vuejs/eslint-plugin-vue) from 9.18.0 to 9.18.1.
- [Release notes](https://github.com/vuejs/eslint-plugin-vue/releases)
- [Commits](vuejs/eslint-plugin-vue@v9.18.0...v9.18.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-vue
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1482.0 to 2.1483.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Commits](aws/aws-sdk-js@v2.1482.0...v2.1483.0)

---
updated-dependencies:
- dependency-name: aws-sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@nestjs/schematics](https://github.com/nestjs/schematics) from 10.0.2 to 10.0.3.
- [Release notes](https://github.com/nestjs/schematics/releases)
- [Changelog](https://github.com/nestjs/schematics/blob/master/.release-it.json)
- [Commits](nestjs/schematics@10.0.2...10.0.3)

---
updated-dependencies:
- dependency-name: "@nestjs/schematics"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [core-js](https://github.com/zloirock/core-js/tree/HEAD/packages/core-js) from 3.33.1 to 3.33.2.
- [Release notes](https://github.com/zloirock/core-js/releases)
- [Changelog](https://github.com/zloirock/core-js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zloirock/core-js/commits/v3.33.2/packages/core-js)

---
updated-dependencies:
- dependency-name: core-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cypress](https://github.com/cypress-io/cypress) from 13.3.3 to 13.4.0.
- [Release notes](https://github.com/cypress-io/cypress/releases)
- [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
- [Commits](cypress-io/cypress@v13.3.3...v13.4.0)

---
updated-dependencies:
- dependency-name: cypress
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.1483.0 to 2.1484.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Commits](aws/aws-sdk-js@v2.1483.0...v2.1484.0)

---
updated-dependencies:
- dependency-name: aws-sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@nestjs/cli](https://github.com/nestjs/nest-cli) from 10.2.0 to 10.2.1.
- [Release notes](https://github.com/nestjs/nest-cli/releases)
- [Changelog](https://github.com/nestjs/nest-cli/blob/master/.release-it.json)
- [Commits](nestjs/nest-cli@10.2.0...10.2.1)

---
updated-dependencies:
- dependency-name: "@nestjs/cli"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [typedoc](https://github.com/TypeStrong/TypeDoc) from 0.25.2 to 0.25.3.
- [Release notes](https://github.com/TypeStrong/TypeDoc/releases)
- [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md)
- [Commits](TypeStrong/typedoc@v0.25.2...v0.25.3)

---
updated-dependencies:
- dependency-name: typedoc
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [oauth2-mock-server](https://github.com/axa-group/oauth2-mock-server) from 7.0.0 to 7.1.1.
- [Release notes](https://github.com/axa-group/oauth2-mock-server/releases)
- [Changelog](https://github.com/axa-group/oauth2-mock-server/blob/master/CHANGELOG.md)
- [Commits](axa-group/oauth2-mock-server@v7.0.0...v7.1.1)

---
updated-dependencies:
- dependency-name: oauth2-mock-server
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
* Updated documentation to include all of the existing envvars, re-ordered them a bit, and included some more information like which have default values.  Also already updated the wiki page.

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* added support for LDAPS and appropriate envvars

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* after doing further research, I think you're only supposed to pass the ca certs and not any of the rest.  also simplified the sslconfig function to hopefully appease sonarqube

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* moved the external_url variable to a better section

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* fixed bug where if you provided the raw cert, it would still check to see if it was a path to a file and then fail due to it being a cert instead

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* protocol name changes when using ldaps

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

* sonarqube said to use nullish coalescing operator but that wouldn't make sense since we want the empty string to be replaced by the default value of 389.  swapping it to be a string as well should help.

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>

---------

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
…save a lot of space

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…oduleresolution attributes

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
…dels), reorganized the common repo to do submodules properly, and wrote the crypto code

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
mergify bot (Contributor) commented Dec 29, 2023

This pull request has a conflict. Could you fix it @Amndeep7?

apparently was supposed to be set implicitly via the
module/moduleresolution attributes

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
mergify bot (Contributor) commented Dec 30, 2023

This pull request has a conflict. Could you fix it @Amndeep7?

…ar dependency issues - we're not targeting old versions of js anymore so it doesn't seem to be necessary as an option

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
mergify bot (Contributor) commented Jan 11, 2024

This pull request has a conflict. Could you fix it @Amndeep7?

mergify bot (Contributor) commented Jan 18, 2024

This pull request has a conflict. Could you fix it @Amndeep7?

…ng it so I'd rather just explicitly check for both

Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
sonarcloud bot commented Jan 19, 2024

Quality Gate failed

Failed conditions: 8 New Code Smells (required ≤ 0)

See analysis details on SonarCloud

mergify bot (Contributor) commented Jan 20, 2024

This pull request has a conflict. Could you fix it @Amndeep7?

mergify bot (Contributor) commented Feb 6, 2024

This pull request has a conflict. Could you fix it @Amndeep7?

@Amndeep7 Amndeep7 marked this pull request as draft February 26, 2024 19:19
Development

Successfully merging this pull request may close these issues: Utilize FIPS-validated cryptographic modules

6 participants