Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use SHA digests for FIPS compliance #1491

Merged
merged 2 commits into from
Apr 20, 2020
Merged

Use SHA digests for FIPS compliance #1491

merged 2 commits into from
Apr 20, 2020

Conversation

jonahx
Copy link
Contributor

@jonahx jonahx commented Apr 9, 2020

What does this PR do?

Configures Rails to use SHA instead of md5

What ticket does this PR close?

#1418

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Follow-on issues

  • Follow-up issue(s) have been logged (and links included below) to update documentation or related projects, or
  • No follow-up issues are required

@jvanderhoof
Copy link
Contributor

@jonahx, mind adding a changelog entry for this? Although it shouldn't change outward behavior, users may be interested in the change.

jtuttle
jtuttle previously approved these changes Apr 14, 2020
View reviewed changes
Copy link
Contributor

@jtuttle jtuttle left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine, though I did find this GH issue: rails/rails#38791

We are calling similar functions in a couple of places:

~/work/conjur (ruby-2.5.1@conjur-evoke) $ ag hexdigest .
app/models/policy_version.rb
96:    self.policy_sha256 = Digest::SHA256.hexdigest(policy_text)

app/models/host_factory_token.rb
29:      where(token_sha256: Digest::SHA256.hexdigest(token)).all.find do |hft|
81:    self.token_sha256 = Digest::SHA256.hexdigest(self.token)

We might want to just confirm that these are covered by CI before merging. If not, they're similar enough to what's discussed in that GH issue that I'd be concerned they may error when actually called.

@jtuttle
Copy link
Contributor

jtuttle commented Apr 20, 2020

I just checked CodeClimate's coverage data and it says both of the lines I called out above are covered by tests, so I think we're good.

https://codeclimate.com/github/cyberark/conjur/app/models/policy_version.rb/source?to_sha=0cc77db14d552d396dda55ebf33797e0df80e47d

https://codeclimate.com/github/cyberark/conjur/app/models/host_factory_token.rb/source?to_sha=0cc77db14d552d396dda55ebf33797e0df80e47d

@jonahx jonahx force-pushed the 1418-disable-md5 branch from 0cc77db to 601f3c6 Compare April 20, 2020 18:01
@codeclimate
Copy link

codeclimate bot commented Apr 20, 2020

Code Climate has analyzed commit 601f3c6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 85.4% (0.0% change).

View more on Code Climate.

@jonahx jonahx merged commit 234e77d into master Apr 20, 2020
@jonahx jonahx deleted the 1418-disable-md5 branch April 20, 2020 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtuttle jtuttle jtuttle approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jonahx @jvanderhoof @jtuttle