add fips validation scripts and ci step

Azure · Feb 14, 2022 · d3ced97 · d3ced97
1 parent c235d34
commit d3ced97
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
@@ -70,6 +70,11 @@ jobs:
       make unit-test-go
     displayName: 🧪 Run Golang unit tests
 
+  - script: |
+      set -xe
+      make validate-fips
+    displayName: 🕵️ Validate FIPS
+
   - task: PublishTestResults@2
     displayName: 📊 Publish tests results
     inputs:

diff --git a/Makefile b/Makefile
@@ -161,6 +161,9 @@ validate-go:
 	go vet ./...
 	go test -tags e2e -run ^$$ ./test/e2e/...
 
+validate-fips:
+	hack/fips/validate-fips.sh
+
 unit-test-go:
 	go run ./vendor/gotest.tools/gotestsum/main.go --format pkgname --junitfile report.xml -- -tags=aro -coverprofile=cover.out ./...
 
@@ -180,4 +183,4 @@ vendor:
 	# See comments in the script for background on why we need it
 	hack/update-go-module-dependencies.sh
 
-.PHONY: admin.kubeconfig aro az clean client deploy dev-config.yaml discoverycache generate image-aro image-aro-multistage image-fluentbit image-proxy lint-go runlocal-rp proxy publish-image-aro publish-image-aro-multistage publish-image-fluentbit publish-image-proxy secrets secrets-update e2e.test tunnel test-e2e test-go test-python vendor build-all validate-go  unit-test-go coverage-go
+.PHONY: admin.kubeconfig aro az clean client deploy dev-config.yaml discoverycache generate image-aro image-aro-multistage image-fluentbit image-proxy lint-go runlocal-rp proxy publish-image-aro publish-image-aro-multistage publish-image-fluentbit publish-image-proxy secrets secrets-update e2e.test tunnel test-e2e test-go test-python vendor build-all validate-go  unit-test-go coverage-go validate-fips
diff --git a/hack/fips/validate-fips.sh b/hack/fips/validate-fips.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# The small go program below will validate that a 
+# FIPS validated crypto lib
+cat > ./hack/fips/main.go << 'EOF'
+package main
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	_ "crypto/tls/fipsonly"
+
+	utillog "github.com/Azure/ARO-RP/pkg/util/log"
+)
+
+func main() {
+	log := utillog.GetLogger()
+	log.Println("FIPS mode enabled")
+}
+EOF
+trap "rm ./hack/fips/main.go" EXIT
+echo "Attempting to run program that requires FIPS crypto"
+go run ./hack/fips/main.go