feat: keycloak fips mode

[slaskawi]

Description

This Pull Request introduces Keycloak FIPS mode into the UDS Core.

Related Issue

Relates to defenseunicorns/uds-identity-config#36

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Steps to Validate

N/A

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide followed

[mjnagel]

Pending CI testing I think this is fine, just would want to make sure that dropping this/changing the effect of fips value doesn't have any backwards incompatible effects on FIPS or non-fips hosts.

[slaskawi]

It took me a while but I think I have the answer!

The Red Hat Build of OpenJDK contains OpenJDK bits with an additional FIPS patch. You can download the source from the Red Hat Customer Portal (from here).

The code haven't changed much since JDK11, it looks very similar to this:

+        if (systemSecPropsEnabled) {
+            boolean shouldEnable;
+            String sysProp = System.getProperty("com.redhat.fips");
+            if (sysProp == null) {
+                shouldEnable = true;
+                if (sdebug != null) {
+                    sdebug.println("com.redhat.fips unset, using default value of true");
+                }
+            } else {
+                shouldEnable = Boolean.valueOf(sysProp);
+                if (sdebug != null) {
+                    sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
+                }
+            }
+            if (shouldEnable) {
+                boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+                if (sdebug != null) {
+                    if (fipsEnabled) {
+                        sdebug.println("FIPS mode support configured and enabled.");
+                    } else {
+                        sdebug.println("FIPS mode support disabled.");
+                    }

Note, that in the absence of com.redhat.fips, the OpenJDK (at least the Red Hat's build of it) tries to enable the FIPS mode by default. The SystemConfigurator.configureFIPS is a JNI (Java Native Interface - calling C from Java).

The other important thing from our angle is the SystemConfigurator.enableFips method that has the following JavaDoc:

+     * OpenJDK FIPS mode will be enabled only if the system is in
+     * FIPS mode.
+     *
+     * Calls to this method only occur if the system property
+     * com.redhat.fips is not set to false.
+     *
+     * There are 2 possible ways in which OpenJDK detects that the system
+     * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+     * available at OpenJDK's built-time, it is called; 2) otherwise, the
+     * /proc/sys/crypto/fips_enabled file is read.

The NSS is shipped as part of SSSD, which is part of the RHEL authentication stack and is present in the Keycloak image. According to BZ852023, NSS brokers to /proc/sys/crypto/fips_enabled, which is usually what happens in container world (if the host OS uses FIPS mode it sets /proc/sys/crypto/fips_enabled to all containers it runs based on BZ1957310).

To sum it up - I believe it's safe to remove this property and let the Red Hat Build of OpenJDK do the default thing - try to enable FIPS. This will succeed if the underlying Host has FIPS turned on regardless to the distro (although UBI are expected to be more tested than anything else).

[chance-coleman]

just a general questions regarding fips, is there any kind of tests that we should implement to "show/prove" that fips is enabled and working? I don't know what this would look like..but using tests, where we can, to show proof of compliance seems like a good idea to me.

[slaskawi]

just a general questions regarding fips, is there any kind of tests that we should implement to "show/prove" that fips is enabled and working? I don't know what this would look like..but using tests, where we can, to show proof of compliance seems like a good idea to me.

@UnicornChance Once this (and it's UDS Identity Config counterpart) gets merged, I plan to modify pull-request-conditionals.yaml and introduce "keycloak_fips" parameter to the testing matrix. This way we'll be testing all flavors with and without Keycloak FIPS (cc @mjnagel)

As for the test itself, I have three ideas. One is to scan the logs and ensure we emit the KC(BCFIPS version 2.0 Approved Mode string. This one is emitted when Keycloak finishes FIPS configuration. The other one is to check supported certs and cryptographic keys. FIPS installations should use an approved subset of these. The final idea is to use the Keycloak Admin API and get Credentials for the Admin user. The default "argon2" shall not be used there (as it's not approved).

[chance-coleman]

@mjnagel and I were chatting about the testing approach. Adding fips/non-fips to the matrix in uds-core will mean at least 6 new jobs that need to run in our already super long testing pipeline. Micah suggested, and i agree, we should implement a fips/non-fips test in identity-config rather than core for this as it shouldn't impact other uds-core integrations. Especially if we make FIPS default.