core: FIPS (#9683)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

lifecycle/ak

@@ -84,6 +84,7 @@ elif [[ "$1" == "bash" ]]; then
 elif [[ "$1" == "test-all" ]]; then
     prepare_debug
     chmod 777 /root
+    pip install --force-reinstall /wheels/*
     check_if_root "python -m manage test authentik"
 elif [[ "$1" == "healthcheck" ]]; then
     run_authentik healthcheck $(cat $MODE_FILE)

lifecycle/gunicorn.conf.py

@@ -7,6 +7,9 @@ from pathlib import Path
 from tempfile import gettempdir
 from typing import TYPE_CHECKING
 
+from cryptography.exceptions import InternalError
+from cryptography.hazmat.backends.openssl.backend import backend
+from defusedxml import defuse_stdlib
 from prometheus_client.values import MultiProcessValue
 
 from authentik import get_full_version
@@ -25,6 +28,13 @@ if TYPE_CHECKING:
 
     from authentik.root.asgi import AuthentikAsgi
 
+defuse_stdlib()
+
+try:
+    backend._enable_fips()
+except InternalError:
+    pass
+
 wait_for_db()
 
 _tmp = Path(gettempdir())