
Logic for checksums on a file with http(s) source can attempt to use MD5 on a FIPS system #9375

Closed
griggi-ws opened this issue May 29, 2024 · 5 comments
Labels
bug Something isn't working triaged Jira issue has been created for this

Comments

@griggi-ws

Describe the Bug

For `http(s)` sources, Puppet uses the first HTTP header it recognizes out of the following list: `X-Checksum-Sha256`, `X-Checksum-Sha1`, `X-Checksum-Md5` or `Content-MD5`.

The behavior as described in lib/puppet/type/file/source.rb selects a checksum method based on available headers, and does not have any provisions to use an alternative checksum if the only option is an MD5 header. On a FIPS system, this results in the error from lib/puppet/type/file/checksum.rb that MD5 is not supported in FIPS mode and the catalog application fails.

This is of course heavily dependent on the source, meaning that all http(s) source files must define checksum as mtime to ensure consistent behavior.

Expected Behavior

A file with an http(s) source on a FIPS-enabled system would successfully download without manual intervention, regardless of checksum headers provided by the source.

Steps to Reproduce

Steps to reproduce the behavior:
On a FIPS-enabled system, include a file resource with an http source defined that provides an MD5 checksum header (e.g. a github release link), without defining checksum. The example with which I encountered this was the voxpupuli/webhook-go release downloaded by the r10k::webhook class from module puppet/r10k:

```puppet
class { 'r10k::webhook':
    ensure => true,
}
```

Applying the above on a FIPS-enabled system should result in the following:

```
Error: /Stage[main]/R10k::Webhook::Package/File[/tmp/webhook-go.deb]: Could not evaluate: Parameter checksum failed on File[/tmp/webhook-go.deb]: MD5 is not supported in FIPS mode (file: /etc/puppetlabs/code/environments/prod/modules/r10k/manifests/webhook/package.pp, line: 23)
```

Swapping in my fork of the module which sets the checksum to mtime results in a successful apply.

Environment

  • Ubuntu Pro 20.04 (FIPS-enabled)
  • Puppetserver 7.17.0
  • Puppet agent 7.30.0
@griggi-ws griggi-ws added the bug Something isn't working label May 29, 2024
@joshcooper joshcooper added the triaged Jira issue has been created for this label May 30, 2024

Migrated issue to PUP-12047

@joshcooper
Contributor

> A file with an http(s) source on a FIPS-enabled system would successfully download ... regardless of checksum headers provided by the source.

Puppet needs some mechanism to determine if the file content on disk matches the desired state on the http server. If the server only provides an MD5 checksum, then what should a FIPS agent do?

@griggi-ws
Author

griggi-ws commented May 31, 2024

It already defaults to using mtime if there is no available checksum header, and using MD5 is not an option - if on a FIPS system and the only header provided is MD5, it should fall back to mtime as though there was no header at all.

Adding some logic to lib/puppet/file_serving/http_metadata.rb to not include content-md5 or X-Checksum-Md5 based on Puppet::Util::Platform.fips_enabled? should be all it takes.

@joshcooper
Contributor

Ah gotcha. I was confused by your earlier comment "if the only option is an MD5 header". But you're saying the problem is puppet prefers MD5 over the default mtime and since MD5 is a hard failure on FIPS, we never fall back to mtime. Excluding MD5 related checksums when `fips_enabled?` seems like an easy fix.
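Added illustration of the header-selection change discussed in this thread, written as stand-alone Ruby rather than Puppet's own code: `select_checksum` and `content_matches?` are hypothetical names, the `fips_enabled` keyword stands in for `Puppet::Util::Platform.fips_enabled?`, and the sample headers are constructed.

```ruby
require 'digest'

# Preference order as the issue describes it: first recognised header wins.
CHECKSUM_HEADERS = [
  ['X-Checksum-Sha256', :sha256],
  ['X-Checksum-Sha1',   :sha1],
  ['X-Checksum-Md5',    :md5],
  ['Content-MD5',       :md5]
].freeze

# Digests a FIPS-validated crypto module refuses to compute.
FIPS_DISALLOWED = [:md5].freeze

# Picks [type, value] from response headers, or [:mtime, nil] when nothing
# usable is present. `fips_enabled` stands in for
# Puppet::Util::Platform.fips_enabled? (a hypothetical parameter here).
# Header names are matched case-insensitively, as HTTP requires.
def select_checksum(headers, fips_enabled: false)
  lookup = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v.to_s.strip }
  CHECKSUM_HEADERS.each do |name, type|
    next if fips_enabled && FIPS_DISALLOWED.include?(type) # the proposed fix
    value = lookup[name.downcase]
    return [type, value] unless value.nil? || value.empty?
  end
  [:mtime, nil]
end

# Verifies content against the selected checksum. Without the exclusion above
# an :md5 selection reaches this point on a FIPS host and fails hard, which is
# the catalog error quoted in the issue. Content-MD5 carries base64 of the raw
# digest; the X-Checksum-* headers carry hex.
def content_matches?(type, expected, content, fips_enabled: false)
  raise 'MD5 is not supported in FIPS mode' if type == :md5 && fips_enabled
  digest = { sha256: Digest::SHA256, sha1: Digest::SHA1, md5: Digest::MD5 }.fetch(type)
  expected_hex = expected.match?(/\A\h+\z/) ? expected : expected.unpack1('m0').unpack1('H*')
  digest.hexdigest(content).casecmp?(expected_hex)
end

# Constructed sample responses (not captured from a real server).
SAMPLE_BODY = 'hello'.freeze
MD5_ONLY_HEADERS = {
  'Content-Type' => 'application/octet-stream',
  'Content-MD5'  => [Digest::MD5.digest(SAMPLE_BODY)].pack('m0')
}.freeze
SHA256_HEADERS = { 'X-Checksum-Sha256' => Digest::SHA256.hexdigest(SAMPLE_BODY) }.freeze
if $PROGRAM_NAME == __FILE__
  p select_checksum(MD5_ONLY_HEADERS)                     # [:md5, "XUFAKrxLKna5cZ2REBfFkg=="]
  p select_checksum(MD5_ONLY_HEADERS, fips_enabled: true) # [:mtime, nil]
end
```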

@joshcooper
Contributor

Fixed in #9405
