From f98c4d1478278a3c2fdbde2d45a8348fe8b6d24b Mon Sep 17 00:00:00 2001
From: David Kirov
Date: Wed, 18 Dec 2024 10:44:01 +0100
Subject: [PATCH] Rework enable_fips for user env var overwrite

---
 .github/workflows/test-target.yml | 2 +-
 .../datadog_checks/base/utils/fips.py | 54 ++++++++-----------
 2 files changed, 22 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/test-target.yml b/.github/workflows/test-target.yml
index 4aa4eb5289a62..5d098900471a2 100644
--- a/.github/workflows/test-target.yml
+++ b/.github/workflows/test-target.yml
@@ -134,7 +134,7 @@ jobs:
 echo "TEST_RESULTS_DIR=$TEST_RESULTS_BASE_DIR/$JOB_NAME" >> $GITHUB_ENV
 echo "TRACE_CAPTURE_FILE=$TRACE_CAPTURE_BASE_DIR/$JOB_NAME" >> $GITHUB_ENV
- - name:
+ - name: Dynamically construct environment variables
 run: |
 for key in $(echo '${{ toJSON(fromJSON(inputs.e2e-env-vars)) }}' | jq -r 'keys[]'); do
 value=$(echo '${{ toJSON(fromJSON(inputs.e2e-env-vars)) }}' | jq -r --arg k "$key" '.[$k]')
diff --git a/datadog_checks_base/datadog_checks/base/utils/fips.py b/datadog_checks_base/datadog_checks/base/utils/fips.py
index de24f60b578d8..36de6c1e3038c 100644
--- a/datadog_checks_base/datadog_checks/base/utils/fips.py
+++ b/datadog_checks_base/datadog_checks/base/utils/fips.py
@@ -3,42 +3,30 @@
 # Licensed under a 3-clause BSD style license (see LICENSE)
 import os
-import sys
-import logging
-def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
- os.environ["OPENSSL_CONF"] = path_to_openssl_conf
- os.environ["OPENSSL_MODULES"] = path_to_openssl_modules
+def enable_fips(path_to_openssl_conf=None, path_to_openssl_modules=None):
+ path_to_embedded = None
+ if os.getenv("OPENSSL_CONF") is None:
+ if path_to_openssl_conf is None:
+ path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded
+ path_to_openssl_conf = path_to_embedded / "ssl" / "openssl.cnf"
+ if not path_to_openssl_conf.exists():
+ raise RuntimeError(f'The configuration file "{path_to_openssl_conf}" does not exist')
+ os.environ["OPENSSL_CONF"] = str(path_to_openssl_conf)
+ if os.getenv("OPENSSL_MODULES") is None:
+ if path_to_openssl_modules is None:
+ path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded
+ path_to_openssl_modules = path_to_embedded / "lib" / "ossl-modules"
+ if not path_to_openssl_conf.exists():
+ raise RuntimeError(f'The directory "{path_to_openssl_modules}" does not exist')
+ os.environ["OPENSSL_MODULES"] = str(path_to_openssl_modules)
-def _enable_openssl_fips():
- from cffi import FFI
- ffi = FFI()
- libcrypto = ffi.dlopen("libcrypto-3.dll" if sys.platform == "win32" else "libcrypto.so")
- ffi.cdef( """
- int EVP_default_properties_enable_fips(void *ctx, int enable);
- """
- )
+def _get_embedded_path():
+ import sys
+ from pathlib import Path
- if not libcrypto.EVP_default_properties_enable_fips(ffi.NULL, 1):
- raise RuntimeError("Failed to enable FIPS mode in OpenSSL")
- else:
- logging.info("OpenSSL FIPS mode enabled successfully.")
-
-
-def _enable_cryptography_fips():
- from cryptography.exceptions import InternalError
- from cryptography.hazmat.backends import default_backend
- cryptography_backend = default_backend()
- try:
- cryptography_backend._enable_fips()
-
pass
- except InternalError as e:
- logging.error("FIPS mode could not be enabled.")
- raise e
- if not cryptography_backend._fips_enabled:
- logging.error("FIPS mode was not enabled successfully.")
- raise RuntimeError("FIPS is not enabled.")
+ embedded_dir = "embedded3" if os.name == 'nt' else "embedded"
+ return Path(sys.executable.split("embedded")[0] + embedded_dir)
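Review bot: The existence check in the OPENSSL_MODULES branch of `enable_fips` tests the wrong variable — `if not path_to_openssl_conf.exists():` re-checks the config file instead of the modules directory, so a missing `ossl-modules` path is never caught and the "directory does not exist" error is driven by the wrong path; it should read `if not path_to_openssl_modules.exists():`. Both branches also call `.exists()` directly on whatever the caller passed, and the previous signature accepted `str`, so a caller still passing strings would hit AttributeError before any check runs; normalising with `path_to_openssl_conf = Path(path_to_openssl_conf)` (and likewise for the modules argument) would need `Path` imported at module level rather than only inside `_get_embedded_path`. With `_enable_openssl_fips` and `_enable_cryptography_fips` gone, nothing in this file confirms the FIPS provider actually loaded: a pre-set OPENSSL_CONF is taken on trust with no existence check, and exporting the variables presumably only takes effect if libcrypto has not yet been initialised in this process — worth a docstring on `enable_fips` stating that it only configures the environment and that FIPS status must be verified by the caller.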