new FIPS check

Makefile

@@ -210,7 +210,7 @@ validate-go-action:
 	@sha256sum --quiet -c .sha256sum || (echo error: client library is stale, please run make client; exit 1)
 
 validate-fips:
-	hack/fips/validate-fips.sh
+	hack/fips/validate-fips.sh ./aro
 
 unit-test-go:
 	go run gotest.tools/[email protected] --format pkgname --junitfile report.xml -- -coverprofile=cover.out ./...

hack/fips/validate-fips.sh

@@ -1,24 +1,19 @@
 #!/bin/bash
 
-# The small go program below will validate that a 
-# FIPS validated crypto lib
-cat > ./hack/fips/main.go << 'EOF'
-package main
+set -xe
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
+# check if we can build and have built a valid FIPS-compatible binary
+res=$(go run github.com/acardace/[email protected] ${1} -j)
 
-import (
-	_ "crypto/tls/fipsonly"
+binary=$(echo $res | jq -r '.goBinaryFips.value')
+lib=$(echo $res | jq -r '.cryptoLibFips.value')
 
-	utillog "github.com/Azure/ARO-RP/pkg/util/log"
-)
+if [[ $binary == "false" ]]; then
+	echo "binary is not FIPS compatible"
+	exit 1
+fi
 
-func main() {
-	log := utillog.GetLogger()
-	log.Println("FIPS mode enabled")
-}
-EOF
-trap "rm ./hack/fips/main.go" EXIT
-echo "Attempting to run program that requires FIPS crypto"
-go run ./hack/fips/main.go
+if [[ $lib == "false" ]]; then
+	echo "lib is not FIPS compatible"
+	exit 1
+fi