admin: system api: do not show FIPS status if no valid license (#10091)

* admin: system api: do not show FIPS status if no valid license

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* also for outposts

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* black

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

authentik/admin/api/system.py

@@ -16,6 +16,7 @@ from rest_framework.views import APIView
 
 from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -32,7 +33,7 @@ class RuntimeDict(TypedDict):
     platform: str
     uname: str
     openssl_version: str
-    openssl_fips_mode: bool
+    openssl_fips_mode: bool | None
     authentik_version: str
 
 
@@ -71,7 +72,9 @@ class SystemInfoSerializer(PassiveSerializer):
             "architecture": platform.machine(),
             "authentik_version": get_full_version(),
             "environment": get_env(),
-            "openssl_fips_enabled": backend._fips_enabled,
+            "openssl_fips_enabled": (
+                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
+            ),
             "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),
             "python_version": python_version,

authentik/outposts/api/outposts.py

@@ -6,7 +6,7 @@ from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, DateTimeField
+from rest_framework.fields import BooleanField, CharField, DateTimeField, SerializerMethodField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -18,6 +18,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Provider
+from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.providers.rac.models import RACProvider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
@@ -120,7 +121,7 @@ class OutpostHealthSerializer(PassiveSerializer):
     golang_version = CharField(read_only=True)
     openssl_enabled = BooleanField(read_only=True)
     openssl_version = CharField(read_only=True)
-    fips_enabled = BooleanField(read_only=True)
+    fips_enabled = SerializerMethodField()
 
     version_should = CharField(read_only=True)
     version_outdated = BooleanField(read_only=True)
@@ -130,6 +131,12 @@ class OutpostHealthSerializer(PassiveSerializer):
 
     hostname = CharField(read_only=True, required=False)
 
+    def get_fips_enabled(self, obj: dict) -> bool | None:
+        """Get FIPS enabled"""
+        if not LicenseKey.get_total().is_valid():
+            return None
+        return obj["fips_enabled"]
+
 
 class OutpostFilter(FilterSet):
     """Filter for Outposts"""

schema.yml

@@ -39547,6 +39547,8 @@ components:
           readOnly: true
         fips_enabled:
           type: boolean
+          nullable: true
+          description: Get FIPS enabled
           readOnly: true
         version_should:
           type: string
@@ -47406,6 +47408,7 @@ components:
               type: string
             openssl_fips_mode:
               type: boolean
+              nullable: true
             authentik_version:
               type: string
           required: