Add FIPS switch #19179

Open
wants to merge 40 commits into base: master

40 commits
12da4e1
Add FIPS workflow file
dkirov-dd Dec 3, 2024
a815513
Add Windows steps
dkirov-dd Dec 3, 2024
f7d5b4e
Experiment with download from S3 for Windows
dkirov-dd Dec 3, 2024
a441988
Revert to building openssl
dkirov-dd Dec 3, 2024
fa42ba9
Switch Windows steps to download from S3
dkirov-dd Dec 5, 2024
7e0040d
Remove unnecessary steps
dkirov-dd Dec 5, 2024
6dc5ae4
Add FIPS_MODULE_VERSION for Linux
dkirov-dd Dec 5, 2024
ff1b42e
Finish handling Python in setup
dkirov-dd Dec 6, 2024
08942db
Remove unnecessary steps
dkirov-dd Dec 6, 2024
c8393cd
Add md5 tests
dkirov-dd Dec 6, 2024
4a74187
Make md5 tests pass
dkirov-dd Dec 6, 2024
c1ffd27
Try separating FIPS and non-FIPS md5 tests
dkirov-dd Dec 6, 2024
2a85b00
Add e2e tests for TLS FIPS
dkirov-dd Dec 9, 2024
fe18202
Make TLS E2E tests pass
dkirov-dd Dec 10, 2024
470bca7
Switch from env vars to C bindings
dkirov-dd Dec 13, 2024
e7d4f3c
Revert to using env vars
dkirov-dd Dec 16, 2024
413ca9d
Add option for e2e env vars in workflow
dkirov-dd Dec 17, 2024
c624089
Remove unnecessary comments from start-server.sh
dkirov-dd Dec 17, 2024
f98c4d1
Rework enable_fips for user env var overwrite
dkirov-dd Dec 18, 2024
6ceb4d2
Disable FIPS tests by default in master
dkirov-dd Dec 18, 2024
8c2ba4c
Add changelogs
dkirov-dd Dec 18, 2024
944dbd1
Fix license headers
dkirov-dd Dec 18, 2024
e07659e
Remove unfinished tests
dkirov-dd Dec 18, 2024
8837acd
Remove openssl.cnf workaround
dkirov-dd Dec 18, 2024
6ac9008
Remove unused compose file
dkirov-dd Dec 18, 2024
7c62aef
Fix license headers
dkirov-dd Dec 18, 2024
31a90a2
Bring back integration tests
dkirov-dd Dec 18, 2024
2d3b7d2
Experiment with integration tests
dkirov-dd Dec 19, 2024
c2976fa
Remove integration test files
dkirov-dd Dec 20, 2024
efb8109
Restore pr.yml and test-target.yml
dkirov-dd Dec 20, 2024
2ac8ada
Move FIPS workflow to test-fips.yml
dkirov-dd Dec 20, 2024
8cec105
Fix pytest "not fips" args
dkirov-dd Dec 20, 2024
e54f3fa
Update test-fips.yml
dkirov-dd Dec 20, 2024
2594fcd
Fix invalid workflow
dkirov-dd Dec 20, 2024
db66922
Modify JOB_NAME env var
dkirov-dd Dec 20, 2024
77508be
Re-introduce experimental integration tests
dkirov-dd Dec 20, 2024
a2061aa
Merge e2e tests and clean test-fips workflow
dkirov-dd Dec 20, 2024
285fa3b
Merge integration tests and use monkeypatch in setup fixture
dkirov-dd Dec 20, 2024
7eae96f
Attempt to fix experimental workflow
dkirov-dd Dec 20, 2024
fda181f
Replace ddev with pytest in experimental workflow
dkirov-dd Dec 20, 2024
201 changes: 201 additions & 0 deletions .github/workflows/experimental.yml
@@ -0,0 +1,201 @@
name: Test FIPS experimental

on:
workflow_dispatch:
inputs:
zip_url:
required: true
type: string
default: 'https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/python-windows-combined-v3.12.6-openssl-3.0.15-openssl-3.0.9-amd64.zip'
pull_request:
path:
- datadog_checks_base/datadog_checks/**
schedule:
- cron: '0 0,8,16 * * *'

defaults:
run:
shell: bash

jobs:
test:
strategy:
matrix:
include:
- platform: "Windows"
runner: "windows-2022"
zip_url: "https://agent-ints-python-build-sandbox.s3.eu-north-1.amazonaws.com/python-windows-combined-v3.12.6-openssl-3.0.15-openssl-3.0.9-amd64.zip"
- platform: "Linux"
runner: "ubuntu-22.04"
zip_url: ""
name: FIPS test on ${{ matrix.platform }}
runs-on: ${{ matrix.runner }}

env:
FORCE_COLOR: "1"
DEBIAN_FRONTEND: "noninteractive"
OPENSSL_FIPS: "1"
PYTHON_VERSION: "3.12"
OPENSSL_VERSION: "3.0.15"
FIPS_MODULE_VERSION: "3.0.9"

steps:

- uses: actions/checkout@v4

- name: Install System Dependencies
if: runner.os == 'Linux'
run: |
sudo apt update
sudo apt install -y --no-install-recommends \
wget \
build-essential \
gcc \
make \
perl \
libc6-dev

- name: Build FIPS Module
if: runner.os == 'Linux'
run: |
wget https://www.openssl.org/source/openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz \
&& tar -xvzf openssl-${{ env.FIPS_MODULE_VERSION }}.tar.gz \
&& cd openssl-${{ env.FIPS_MODULE_VERSION }} \
&& ./Configure enable-fips \
&& make \
&& sudo make install

- name: Build OpenSSL
if: runner.os == 'Linux'
run: |
wget https://www.openssl.org/source/openssl-${{ env.OPENSSL_VERSION }}.tar.gz \
&& tar -xvzf openssl-${{ env.OPENSSL_VERSION }}.tar.gz \
&& cd openssl-${{ env.OPENSSL_VERSION }} \
&& ./Configure enable-fips \
&& make \
&& sudo make install

- name: Build Python from Source with Custom OpenSSL
if: runner.os == 'Linux'
run: |

# Install dependencies for building Python
sudo apt-get update && sudo apt-get install -y \
build-essential \
zlib1g-dev \
libffi-dev \
libssl-dev \
libncurses5-dev \
libsqlite3-dev \
libreadline-dev \
libbz2-dev \
liblzma-dev \
tk-dev \
uuid-dev \
libgdbm-dev \
wget

# Download and extract Python source
wget https://www.python.org/ftp/python/${{ env.PYTHON_VERSION }}/Python-${{ env.PYTHON_VERSION }}.tgz
tar -xvzf Python-${{ env.PYTHON_VERSION }}.tgz -C python_dir
cd python_dir

# Configure and build Python with custom OpenSSL
./configure --enable-optimizations --with-openssl=$(pwd)/../openssl-${{ env.OPENSSL_VERSION }}
make -j$(nproc)
sudo make altinstall

- name: Download python-windows-combined
if: runner.os == 'Windows'
shell: powershell
run: |
Invoke-WebRequest -Uri ${{ inputs.zip_url || matrix.zip_url }} -OutFile 'python_combined.zip'

- name: Unzip python_combined.zip
if: runner.os == 'Windows'
shell: powershell
run: |
Expand-Archive -Path python_combined.zip -DestinationPath .\python_dir

- name: Run fipsintall.exe
if: runner.os == 'Windows'
working-directory: .\python_dir
shell: powershell
run: |
.\openssl.exe fipsinstall -module .\ossl-modules\fips.dll -out fipsmodule.cnf

- name: Configure OpenSSL for FIPS
if: runner.os == 'Windows'
working-directory: .\python_dir
shell: powershell
run: |
# Create openssl.cnf to enable FIPS mode
$OpenSSLConf = @"
config_diagnostics = 1
openssl_conf = openssl_init

.include fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
"@
$OpenSSLConf | Set-Content -Path ".\openssl.cnf"

- name: Verify OpenSSL
if: runner.os == 'Windows'
working-directory: .\python_dir
shell: powershell
run: |
.\openssl.exe version -a
.\openssl.exe list -providers

- name: Verify OpenSSL with FIPS ENV vars
if: runner.os == 'Windows'
working-directory: .\python_dir
shell: powershell
run: |
$env:OPENSSL_MODULES = ".\ossl-modules"
$env:OPENSSL_CONF = ".\openssl.cnf"
.\openssl.exe list -providers

- name: Add Python to PATH Windows
if: runner.os == 'Windows'
shell: powershell
run: |
Add-Content -Path $env:GITHUB_ENV -Value "PATH=$(pwd)\python_dir;$(pwd)\python_dir\Scripts;$env:PATH"

- name: Add Python to PATH Linux
if: runner.os == 'Linux'
run: |
echo "PATH=$(pwd)/python_dir:$PATH" >> $GITHUB_ENV

- name: Install pip and pytest
run: |
python -m ensurepip

- name: Test
if: runner.os == 'Windows'
working-directory: .\python_dir
shell: powershell
run: |
$env:PATH_TO_OPENSSL_CONF = "$(pwd)\openssl.cnf"
$env:PATH_TO_OPENSSL_MODULES = "$(pwd)\ossl-modules"
$env:OPENSSL_CONF = "$(pwd)\openssl.cnf"
$env:OPENSSL_MODULES = "$(pwd)\ossl-modules"
.\openssl.exe list -providers
.\openssl.exe md5
python -m pip install pytest
python -m pytest ..\datadog_checks_base -m fips_off
python -m pytest ..\datadog_checks_base -m fips_on
python -c "import ssl; ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers('MD5')"
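Review bot: the `pull_request:` trigger at the top of the hunk uses the key `path:`, but the GitHub Actions filter key is `paths:`, so the workflow is rejected as invalid instead of limiting PR runs to `datadog_checks_base/datadog_checks/**`. The Linux leg then has a provider-clobbering problem: both the `FIPS_MODULE_VERSION` (3.0.9) tree and the `OPENSSL_VERSION` (3.0.15) tree are built with `./Configure enable-fips` and both are `sudo make install`ed into the same default prefix, so the second install overwrites the `fips.so` and `fipsmodule.cnf` produced by the first, leaving the 3.0.15 provider rather than the intended 3.0.9 module in place; build 3.0.15 without `enable-fips`, or install only the provider from the 3.0.9 tree with `make install_fips` after the 3.0.15 install. In "Build Python from Source with Custom OpenSSL", `--with-openssl=$(pwd)/../openssl-${{ env.OPENSSL_VERSION }}` points at the source tree whereas `--with-openssl` expects an install prefix (`/usr/local` here, given the default `make install`), `tar -xvzf ... -C python_dir` targets a directory that is never created and would in any case unpack into `python_dir/Python-…/` so the following `./configure` is not found, and `PYTHON_VERSION: "3.12"` is not a full release number, which the python.org ftp path requires. `make altinstall` also only produces `python3.12`, so the unconditional `python -m ensurepip` step has no `python` on the Linux PATH, and since the "Test" step is `if: runner.os == 'Windows'` the Linux matrix entry ends up running no tests at all. In the Windows "Test" step, under `shell: powershell` only the exit code of the last command (`python -c "... set_ciphers('MD5')"`) decides the step result, so a failing `pytest ..\datadog_checks_base -m fips_off` or `-m fips_on` run is silently masked; split each pytest invocation into its own step or follow each with `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`. Finally, the OpenSSL tarballs fetched with `wget` and the `zip_url` archive fetched with `Invoke-WebRequest` (whose `openssl.exe` and `python` are then executed) are used without any integrity check; pin the expected SHA-256 and verify with `sha256sum -c` / `Get-FileHash` before use. Style: the step name "Run fipsintall.exe" is misspelled (`fipsinstall`).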
151 changes: 151 additions & 0 deletions .github/workflows/test-fips.yml
@@ -0,0 +1,151 @@
name: Test FIPS E2E

on:
workflow_dispatch:
inputs:
agent-image:
description: "Agent image to use"
required: false
type: string
target:
description: "Target to test"
required: false
type: string
pull_request:
path:
- datadog_checks_base/datadog_checks/**
schedule:
- cron: '0 0,8,16 * * *'

defaults:
run:
shell: bash

jobs:
run:
name: "Test FIPS"
runs-on: ["ubuntu-22.04"]

env:
FORCE_COLOR: "1"
PYTHON_VERSION: "3.12"
DDEV_E2E_AGENT: "${{ inputs.agent-image || 'datadog/agent-dev:master-fips' }}"
# Test results for later processing
TEST_RESULTS_BASE_DIR: "test-results"
# Tracing to monitor our test suite
DD_ENV: "ci"
DD_SERVICE: "ddev-integrations-core"
DD_TAGS: "team:agent-integrations"
DD_TRACE_ANALYTICS_ENABLED: "true"
# Capture traces for a separate job to do the submission
TRACE_CAPTURE_BASE_DIR: "trace-captures"
TRACE_CAPTURE_LOG: "trace-captures/output.log"

steps:

- name: Set environment variables with sanitized paths
run: |
JOB_NAME="test-fips"

echo "TEST_RESULTS_DIR=$TEST_RESULTS_BASE_DIR/$JOB_NAME" >> $GITHUB_ENV
echo "TRACE_CAPTURE_FILE=$TRACE_CAPTURE_BASE_DIR/$JOB_NAME" >> $GITHUB_ENV

- uses: actions/checkout@v4

- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: "${{ env.PYTHON_VERSION }}"
cache: 'pip'

- name: Restore cache
uses: actions/cache/restore@v4
with:
path: '~/.cache/pip'
key: >-
${{ format(
'v01-python-{0}-{1}-{2}-{3}',
env.pythonLocation,
hashFiles('datadog_checks_base/pyproject.toml'),
hashFiles('datadog_checks_dev/pyproject.toml'),
hashFiles('ddev/pyproject.toml')
)}}
restore-keys: |-
v01-python-${{ env.pythonLocation }}

- name: Install ddev from local folder
run: |-
pip install -e ./datadog_checks_dev[cli]
pip install -e ./ddev

- name: Configure ddev
run: |-
ddev config set repos.core .
ddev config set repo core

- name: Prepare for testing
env:
PYTHONUNBUFFERED: "1"
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
ORACLE_DOCKER_USERNAME: ${{ secrets.ORACLE_DOCKER_USERNAME }}
ORACLE_DOCKER_PASSWORD: ${{ secrets.ORACLE_DOCKER_PASSWORD }}
SINGLESTORE_LICENSE: ${{ secrets.SINGLESTORE_LICENSE }}
DD_GITHUB_USER: ${{ github.actor }}
DD_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ddev ci setup ${{ inputs.target || 'tls' }}

- name: Set up trace capturing
env:
PYTHONUNBUFFERED: "1"
run: |-
mkdir "${{ env.TRACE_CAPTURE_BASE_DIR }}"
python .ddev/ci/scripts/traces.py capture --port "8126" --record-file "${{ env.TRACE_CAPTURE_FILE }}" > "${{ env.TRACE_CAPTURE_LOG }}" 2>&1 &

- name: Run E2E tests with FIPS disabled
env:
DD_API_KEY: "${{ secrets.DD_API_KEY }}"
run: |
ddev env test -e GOFIPS=0 --new-env --junit ${{ inputs.target || 'tls' }} -- all -m "fips_off"

- name: Run E2E tests with FIPS enabled
env:
DD_API_KEY: "${{ secrets.DD_API_KEY }}"
run: |
ddev env test -e GOFIPS=1 --new-env --junit ${{ inputs.target || 'tls' }} -- all -k "fips_on"

- name: View trace log
if: always()
run: cat "${{ env.TRACE_CAPTURE_LOG }}"

- name: Upload captured traces
if: always()
uses: actions/upload-artifact@v4
with:
name: "traces-${{ inputs.target || 'tls' }}"
path: "${{ env.TRACE_CAPTURE_FILE }}"

- name: Finalize test results
if: always()
run: |-
mkdir -p "${{ env.TEST_RESULTS_DIR }}"
if [[ -d ${{ inputs.target || 'tls' }}/.junit ]]; then
mv ${{ inputs.target || 'tls' }}/.junit/*.xml "${{ env.TEST_RESULTS_DIR }}"
fi

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: "test-results-${{ inputs.target || 'tls' }}"
path: "${{ env.TEST_RESULTS_BASE_DIR }}"

- name: Upload coverage data
if: >
!github.event.repository.private &&
always()
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: "${{ inputs.target || 'tls' }}/coverage.xml"
flags: "${{ inputs.target || 'tls' }}"
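Review bot: the `pull_request:` trigger at the top of the hunk uses `path:` where GitHub Actions expects `paths:`, so the workflow is rejected as invalid rather than filtering PR runs to `datadog_checks_base/datadog_checks/**`. The two test steps also select tests asymmetrically: "Run E2E tests with FIPS disabled" passes `-m "fips_off"` (a marker expression) while "Run E2E tests with FIPS enabled" passes `-k "fips_on"` (a substring match over test names, class and module names and keywords), which can select a different set of tests than the marker alone; use `-m "fips_on"` in both for a symmetric marker-based split. Minor: `actions/setup-python@v5` is already given `cache: 'pip'`, so the separate `actions/cache/restore@v4` of `~/.cache/pip` duplicates that cache and can be dropped.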