root: add configuration option to enable fips (#10088)

authentik/lib/default.yml

@@ -116,6 +116,9 @@ events:
   context_processors:
     geoip: "/geoip/GeoLite2-City.mmdb"
     asn: "/geoip/GeoLite2-ASN.mmdb"
+compliance:
+  fips:
+    enabled: false
 
 cert_discovery_dir: /certs
 

lifecycle/gunicorn.conf.py

@@ -7,7 +7,6 @@ from pathlib import Path
 from tempfile import gettempdir
 from typing import TYPE_CHECKING
 
-from cryptography.exceptions import InternalError
 from cryptography.hazmat.backends.openssl.backend import backend
 from defusedxml import defuse_stdlib
 from prometheus_client.values import MultiProcessValue
@@ -30,10 +29,8 @@ if TYPE_CHECKING:
 
 defuse_stdlib()
 
-try:
+if CONFIG.get_bool("compliance.fips.enabled", False):
     backend._enable_fips()
-except InternalError:
-    pass
 
 wait_for_db()
 

manage.py

@@ -4,7 +4,7 @@ import os
 import sys
 import warnings
 
-from cryptography.exceptions import InternalError
+from authentik.lib.config import CONFIG
 from cryptography.hazmat.backends.openssl.backend import backend
 from defusedxml import defuse_stdlib
 from django.utils.autoreload import DJANGO_AUTORELOAD_ENV
@@ -24,10 +24,8 @@ warnings.filterwarnings(
 
 defuse_stdlib()
 
-try:
+if CONFIG.get_bool("compliance.fips.enabled", False):
     backend._enable_fips()
-except InternalError:
-    pass
 
 
 if __name__ == "__main__":