Support grpc gems after v1.48.0 for FIPS builds

grpc/grpc#27660 significantly modified the
Ruby extconf.rb for TruffleRuby. Update the system SSL patch to enable
FIPS builds to work for gems after 1.48.0.

Author: stanhu

config/patches/ruby-grpc/grpc-system-ssl.patch renamed to config/patches/ruby-grpc/grpc-system-ssl-1.42.0.patch

@@ -0,0 +1,26 @@
+diff --git a/src/ruby/ext/grpc/extconf.rb b/src/ruby/ext/grpc/extconf.rb
+index e0974c4420..ec51a18bf7 100644
+--- a/src/ruby/ext/grpc/extconf.rb
++++ b/src/ruby/ext/grpc/extconf.rb
+@@ -68,8 +68,12 @@ if apple_toolchain && !cross_compiling
+   ENV['ARFLAGS'] = '-o'
+ end
+ 
++# By default, use the system OpenSSL instead of BoringSSL. This is
++# needed on systems that need to use a FIPS-approved OpenSSL or cannot
++# compile the embedded BoringSSL module (e.g. s390x).
++embed_ssl = ENV['EMBED_OPENSSL'] == 'true'
+ # Don't embed on TruffleRuby (constant-time crypto is unsafe with Sulong, slow build times)
+-ENV['EMBED_OPENSSL'] = (RUBY_ENGINE != 'truffleruby').to_s
++ENV['EMBED_OPENSSL'] = embed_ssl ? 'true' : 'false'
+ # Don't embed on TruffleRuby (the system zlib is already linked for the zlib C extension, slow build times)
+ ENV['EMBED_ZLIB'] = (RUBY_ENGINE != 'truffleruby').to_s
+ 
+@@ -160,6 +164,7 @@ if linux && RUBY_ENGINE != 'truffleruby'
+   $LDFLAGS << ' -static-libgcc -static-libstdc++'
+ end
+ $LDFLAGS << ' -static' if windows
++$LDFLAGS << ' -lssl' unless embed_ssl
+ 
+ $CFLAGS << ' -std=c11 '
+ $CFLAGS << ' -Wall '

config/patches/ruby-grpc/grpc-system-ssl-1.48.0.patch

@@ -26,6 +26,7 @@
 
 build do
   block 're-install grpc gem with system OpenSSL' do
+    env = with_standard_compiler_flags(with_embedded_path)
     gem_bin = embedded_bin('gem')
     command = %(#{embedded_bin('ruby')} -e "puts Gem::Specification.select { |x| x.name == 'grpc' }.map(&:version).uniq.map(&:to_s)")
     grpc_versions = shellout!(command).stdout || ""
@@ -35,20 +36,37 @@
 
     warn "Multiple versions of gRPC found: #{grpc_versions.join(', ')}" if grpc_versions.length > 1
 
-    source = 'grpc-system-ssl.patch'
-    _locations, patch_path = find_file('config/patches', source)
+    patches = {}
 
-    raise "Missing gRPC patch: #{source}" unless patch_path
+    grpc_versions.each do |version|
+      source =
+        # https://github.com/grpc/grpc/pull/27660 significantly changed the extconf.rb for TruffleRuby
+        if Gem::Version.new(version) < Gem::Version.new('1.48.0')
+          'grpc-system-ssl-1.42.0.patch'
+        else
+          'grpc-system-ssl-1.48.0.patch'
+        end
+
+      _locations, patch_path = find_file('config/patches', source)
+      patches[version] = patch_path
+    end
 
     shellout!("#{gem_bin} install --no-document gem-patch -v 0.1.6")
     shellout!("#{gem_bin} uninstall --force --all grpc")
 
+    # This works around an issue with the grpc gem attempting to include
+    # /opt/gitlab/include headers instead of the vendored re2 headers:
+    # https://github.com/grpc/grpc/pull/32580. This can be removed
+    # after grpc is updated with that pull request.
+    env['CPPFLAGS'] = "-Ithird_party/re2 #{env['CPPFLAGS']}"
+
     grpc_versions.each do |version|
+      patch_path = patches[version]
       gemfile = "grpc-#{version}.gem"
       shellout!("rm -f #{gemfile}")
       shellout!("#{gem_bin} fetch grpc -v #{version} --platform ruby")
       shellout!("#{gem_bin} patch -p1 #{gemfile} #{patch_path}")
-      shellout!("#{gem_bin} install --platform ruby --no-document #{gemfile}")
+      shellout!("#{gem_bin} install --platform ruby --no-document #{gemfile}", env: env)
     end
 
     shellout!("#{gem_bin} uninstall gem-patch")