Showing
2 changed files
with
230 additions
and
0 deletions.
@@ -0,0 +1,214 @@ | ||
name: Test FIPS | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
platform: | ||
required: true | ||
type: string | ||
runner: | ||
required: true | ||
type: string | ||
zip_url: | ||
required: true | ||
type: string | ||
|
||
defaults: | ||
run: | ||
shell: bash | ||
|
||
jobs: | ||
run: | ||
name: FIPS test on "${{ inputs.platform }}" | ||
runs-on: ${{ fromJson(inputs.runner) }} | ||
|
||
env: | ||
FORCE_COLOR: "1" | ||
DEBIAN_FRONTEND: "noninteractive" | ||
OPENSSL_FIPS: 1 | ||
PYTHON_VERSION: "3.12" | ||
OPENSSL_VERSION: "3.0.15" | ||
FIPS_MODULE_VERSION: "3.0.9" | ||
|
||
steps: | ||
|
||
- uses: actions/checkout@v4 | ||
|
||
- name: Install System Dependencies | ||
if: runner.os == 'Linux' | ||
run: | | ||
sudo apt update | ||
sudo apt install -y --no-install-recommends \ | ||
wget \ | ||
build-essential \ | ||
gcc \ | ||
make \ | ||
perl \ | ||
libc6-dev | ||
- name: Build FIPS Module | ||
if: runner.os == 'Linux' | ||
run: | | ||
wget https://www.openssl.org/source/openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz \ | ||
&& tar -xvzf openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz \ | ||
&& cd openssl-${{ env.FIPS_MODULE_VERSION }} \ | ||
&& ./Configure enable-fips \ | ||
&& make \ | ||
&& sudo make install | ||
- name: Build OpenSSL | ||
if: runner.os == 'Linux' | ||
run: | | ||
wget https://www.openssl.org/source/openssl-${{ env.OPENSSL_VERSION }}.tar.gz \ | ||
&& tar -xvzf openssl-${{ env.OPENSSL_VERSION }}.tar.gz \ | ||
&& cd openssl-${{ env.OPENSSL_VERSION }} \ | ||
&& ./Configure enable-fips \ | ||
&& make \ | ||
&& sudo make install | ||
- name: Build Python from Source with Custom OpenSSL | ||
if: runner.os == 'Linux' | ||
run: | | ||
# Install dependencies for building Python | ||
sudo apt-get update && sudo apt-get install -y \ | ||
build-essential \ | ||
zlib1g-dev \ | ||
libffi-dev \ | ||
libssl-dev \ | ||
libncurses5-dev \ | ||
libsqlite3-dev \ | ||
libreadline-dev \ | ||
libbz2-dev \ | ||
liblzma-dev \ | ||
tk-dev \ | ||
uuid-dev \ | ||
libgdbm-dev \ | ||
wget | ||
# Download and extract Python source | ||
wget https://www.python.org/ftp/python/${{ env.PYTHON_VERSION }}/Python-${{ env.PYTHON_VERSION }}.tgz | ||
tar -xvzf Python-${{ env.PYTHON_VERSION }}.tgz -C python_dir | ||
cd python_dir | ||
# Configure and build Python with custom OpenSSL | ||
./configure --enable-optimizations --with-openssl=$(pwd)/../openssl-${{ env.OPENSSL_VERSION }} | ||
make -j$(nproc) | ||
sudo make altinstall | ||
- name: Download python-windows-combined | ||
if: runner.os == 'Windows' | ||
shell: powershell | ||
run: | | ||
Invoke-WebRequest -Uri '${{ inputs.zip_url }}' -OutFile 'python_combined.zip' | ||
- name: Unzip python_combined.zip | ||
if: runner.os == 'Windows' | ||
shell: powershell | ||
run: | | ||
Expand-Archive -Path python_combined.zip -DestinationPath .\python_dir | ||
- name: Run fipsintall.exe | ||
if: runner.os == 'Windows' | ||
working-directory: .\python_dir | ||
shell: powershell | ||
run: | | ||
.\openssl.exe fipsinstall -module .\ossl-modules\fips.dll -out fipsmodule.cnf | ||
- name: Configure OpenSSL for FIPS | ||
if: runner.os == 'Windows' | ||
working-directory: .\python_dir | ||
shell: powershell | ||
run: | | ||
# Create openssl.cnf to enable FIPS mode | ||
$OpenSSLConf = @" | ||
config_diagnostics = 1 | ||
openssl_conf = openssl_init | ||
.include fipsmodule.cnf | ||
[openssl_init] | ||
providers = provider_sect | ||
alg_section = algorithm_sect | ||
[provider_sect] | ||
fips = fips_sect | ||
base = base_sect | ||
[base_sect] | ||
activate = 1 | ||
[algorithm_sect] | ||
default_properties = fips=yes | ||
"@ | ||
$OpenSSLConf | Set-Content -Path ".\openssl.cnf" | ||
- name: Verify OpenSSL | ||
if: runner.os == 'Windows' | ||
working-directory: .\python_dir | ||
shell: powershell | ||
run: | | ||
.\openssl.exe version -a | ||
.\openssl.exe list -providers | ||
- name: Verify OpenSSL with FIPS ENV vars | ||
if: runner.os == 'Windows' | ||
working-directory: .\python_dir | ||
shell: powershell | ||
run: | | ||
$env:OPENSSL_MODULES = ".\ossl-modules" | ||
$env:OPENSSL_CONF = ".\openssl.cnf" | ||
.\openssl.exe list -providers | ||
- name: Add Python to PATH Windows | ||
if: runner.os == 'Windows' | ||
shell: powershell | ||
run: | | ||
Add-Content -Path $env:GITHUB_ENV -Value "PATH=.\python_dir;.\python_dir\Scripts;$env:PATH" | ||
- name: Add Python to PATH Linux | ||
if: runner.os == 'Linux' | ||
run: | | ||
echo "PATH=./python_dir:$PATH" >> $GITHUB_ENV | ||
- name: Install pip | ||
run: | | ||
python -m ensurepip | ||
- name: Restore cache | ||
uses: actions/cache/restore@v4 | ||
with: | ||
path: ${{ runner.os == 'Windows' && '~\AppData\Local\pip\Cache' || '~/.cache/pip' }} | ||
key: >- | ||
${{ format( | ||
'v01-python-{0}-{1}-{2}-{3}', | ||
env.pythonLocation, | ||
hashFiles('datadog_checks_base/pyproject.toml'), | ||
hashFiles('datadog_checks_dev/pyproject.toml'), | ||
hashFiles('ddev/pyproject.toml') | ||
)}} | ||
restore-keys: |- | ||
v01-python-${{ env.pythonLocation }} | ||
- name: Install ddev from local folder | ||
run: | | ||
python -m pip install -e ./datadog_checks_dev[cli] | ||
python -m pip install -e ./ddev | ||
- name: Configure ddev | ||
shell: powershell | ||
run: | | ||
ddev config set repos.core . | ||
ddev config set repo core | ||
- name: Test | ||
if: runner.os == 'Windows' | ||
working-directory: .\python_dir | ||
shell: powershell | ||
run: | | ||
$env:PATH_TO_OPENSSL_CONF = "$(pwd)\openssl.cnf" | ||
$env:PATH_TO_OPENSSL_MODULES = "$(pwd)\ossl-modules" | ||
$env:OPENSSL_CONF = "$(pwd)\openssl.cnf" | ||
$env:OPENSSL_MODULES = "$(pwd)\ossl-modules" | ||
.\openssl.exe list -providers | ||
ddev test datadog_checks_base -- -k fips |