feat(account-service): fips

cardoso · cardoso · commit a245a9b97a71 · 2026-03-10T15:45:25.000-03:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ env:
   DOCKER_BUILD_ARCHES_JSON: '["arm64","amd64"]'
   DOCKER_BUILD_SERVICES_JSON: '["authorization-service","queue-worker-service","ddp-streamer-service","account-service","presence-service","omnichannel-transcript-service","rocketchat"]'
   DOCKER_BUILD_EXTRA_COVERAGE_JSON: '[{"arch":"amd64","service":"rocketchat","type":"coverage"},{"arch":"arm64","service":"rocketchat","type":"coverage"}]'
-  DOCKER_BUILD_FIPS_SERVICES_JSON: '["authorization-service","queue-worker-service","ddp-streamer-service","presence-service"]'
+  DOCKER_BUILD_FIPS_SERVICES_JSON: '["authorization-service","queue-worker-service","ddp-streamer-service","account-service","presence-service"]'
 
 jobs:
   release-versions:
diff --git a/docker-compose-ci.fips.yml b/docker-compose-ci.fips.yml
@@ -1,4 +1,9 @@
 services:
+  account-service:
+    build:
+      target: release-fips
+    image: ghcr.io/${LOWERCASE_REPOSITORY}/account-service:${DOCKER_TAG}-fips
+
   authorization-service:
     build:
       target: release-fips
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
@@ -69,6 +69,7 @@ services:
     build:
       dockerfile: ee/apps/account-service/Dockerfile
       context: .
+      target: release-standard
       x-bake:
         platforms:
           - linux/amd64
diff --git a/ee/apps/account-service/Dockerfile b/ee/apps/account-service/Dockerfile
@@ -88,7 +88,7 @@ WORKDIR /app/ee/apps/${SERVICE}
 
 RUN yarn workspaces focus --production
 
-FROM node:22.16.0-alpine3.21
+FROM node:22.16.0-alpine3.21 AS release-standard
 
 ARG SERVICE
 
@@ -114,3 +114,14 @@ USER rocketchat
 EXPOSE 3000 9458
 
 CMD ["node", "src/service.js"]
+
+# FIPS RELEASE STAGE
+FROM rocketchatfips140/dhi-node:22-fips AS release-fips
+ARG SERVICE
+ENV NODE_ENV=production \
+    PORT=3000
+COPY --chown=node:node --from=builder /app /app
+WORKDIR /app/ee/apps/${SERVICE}
+USER node
+EXPOSE 3000 9458
+CMD ["node", "--require", "./src/fips.js", "src/service.js"]
diff --git a/ee/apps/account-service/src/fips.ts b/ee/apps/account-service/src/fips.ts
@@ -0,0 +1,11 @@
+import crypto from 'crypto';
+
+crypto.setFips(true);
+
+if (!crypto.getFips()) {
+	throw new Error('FIPS mode was not enabled after crypto.setFips(true)');
+}
+
+console.log('=========================================');
+console.log('FIPS COMPLIANCE CHECK: YES');
+console.log('=========================================');
