Use another method of FIPS validation (fips-detect) (#3363)

* Use another method of FIPS validation (fips-detect)
Azure · Mar 18, 2024 · 513a1b5 · 513a1b5
1 parent cfd2328
commit 513a1b5
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 36 deletions.
diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
@@ -22,7 +22,7 @@ pr:
 resources:
   containers:
     - container: golang
-      image: registry.access.redhat.com/ubi8/go-toolset:1.18
+      image: registry.access.redhat.com/ubi8/go-toolset:1.18.10
       options: --user=0
     - container: python
       image: registry.access.redhat.com/ubi8/python-39:latest
@@ -82,12 +82,6 @@ jobs:
         displayName: 🧪 Run Golang unit tests
         target: golang
 
-      - script: |
-          set -xe
-          make validate-fips
-        displayName: 🕵️ Validate FIPS
-        target: golang
-
       - task: PublishTestResults@2
         displayName: 📊 Publish tests results
         inputs:

diff --git a/Dockerfile.aro-e2e b/Dockerfile.aro-e2e
@@ -2,12 +2,14 @@
 #
 ARG REGISTRY
 FROM ${REGISTRY}/ubi8/go-toolset:1.18.10 AS builder
-ENV GOOS=linux \
-    GOPATH=/go/
-WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP
+
 USER root
-COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/
-RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make e2e.test e2etools
+ENV GOPATH=/root/go
+RUN mkdir -p /app
+WORKDIR /app
+
+COPY . /app
+RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make validate-fips && make e2e.test e2etools
 
 FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all

diff --git a/Dockerfile.aro-multistage b/Dockerfile.aro-multistage
@@ -2,12 +2,14 @@
 #
 ARG REGISTRY
 FROM ${REGISTRY}/ubi8/go-toolset:1.18.10 AS builder
-ENV GOOS=linux \
-    GOPATH=/go/
-WORKDIR ${GOPATH}/src/github.com/Azure/ARO-RP
+
 USER root
-COPY . ${GOPATH}/src/github.com/Azure/ARO-RP/
-RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make e2e.test
+ENV GOPATH=/root/go
+RUN mkdir -p /app
+WORKDIR /app
+
+COPY . /app
+RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make validate-fips && make e2e.test
 
 FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all

diff --git a/Makefile b/Makefile
@@ -221,7 +221,7 @@ validate-go-action:
 	@sha256sum --quiet -c .sha256sum || (echo error: client library is stale, please run make client; exit 1)
 
 validate-fips:
-	hack/fips/validate-fips.sh
+	hack/fips/validate-fips.sh ./aro
 
 unit-test-go:
 	go run gotest.tools/[email protected] --format pkgname --junitfile report.xml -- -coverprofile=cover.out ./...

diff --git a/hack/fips/validate-fips.sh b/hack/fips/validate-fips.sh
@@ -1,24 +1,22 @@
 #!/bin/bash
 
-# The small go program below will validate that a 
-# FIPS validated crypto lib
-cat > ./hack/fips/main.go << 'EOF'
-package main
+set -xe
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
+# check if we can build and have built a valid FIPS-compatible binary
+res=$(go run github.com/acardace/[email protected] ${1} -j)
 
-import (
-	_ "crypto/tls/fipsonly"
+binary=$(echo $res | go run ./hack/jq -r '.goBinaryFips.value')
+lib=$(echo $res | go run ./hack/jq -r '.cryptoLibFips.value')
 
-	utillog "github.com/Azure/ARO-RP/pkg/util/log"
-)
+if [[ $binary == "false" ]]; then
+	echo "binary is not FIPS compatible"
+	exit 1
+fi
 
-func main() {
-	log := utillog.GetLogger()
-	log.Println("FIPS mode enabled")
-}
-EOF
-trap "rm ./hack/fips/main.go" EXIT
-echo "Attempting to run program that requires FIPS crypto"
-go run ./hack/fips/main.go
+if [[ $lib == "false" ]]; then
+	echo "lib is not FIPS compatible"
+	exit 1
+fi
+
+tool=$(go tool nm ${1} | grep FIPS)
+echo $tool