allow fips-compliance enforcement when building

.github/workflows/cd.yml

@@ -19,7 +19,7 @@ jobs:
           - 6379:6379
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -77,7 +77,7 @@ jobs:
           password: ${{ secrets.ARTIFACTORY_DOCKER_PASS }}
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get version
         run: echo "VERSION=$(awk '/^const Version/{gsub(/"/, "", $4); print $4}' splitio/version.go)" >> $GITHUB_ENV

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
           - 6379:6379
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -54,34 +54,37 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        mode: [synchronizer, proxy]
+        app: [synchronizer, proxy]
+        fips-mode: [enabled, disabled]
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
 
       - name: Docker Build and Push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
-          file: docker/Dockerfile.${{ matrix.mode }}
+          file: docker/Dockerfile.${{ matrix.app }}
           push: false
-          tags: splitio-docker.jfrog.io/split-${{ matrix.mode }}:latest
+          tags: splitio-docker.jfrog.io/split-${{ matrix.app }}:latest
+          build-args: |
+            FIPS_MODE=${{ matrix.fips-mode }}
 
       - name: Scan container using Lacework
-        uses: lacework/lw-scanner-action@v1.3.2
+        uses: lacework/lw-scanner-action@v1.4.0
         with:
           LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
           LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
-          IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.mode }}
+          IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.app }}
           IMAGE_TAG: latest
           SAVE_RESULTS_IN_LACEWORK: true
           SAVE_BUILD_REPORT: true
-          BUILD_REPORT_FILE_NAME: split-${{ matrix.mode }}.html
+          BUILD_REPORT_FILE_NAME: split-${{ matrix.app }}.html
 
       - name: Save vulnerability report
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: vulnerability_report
-          path: split-${{ matrix.mode }}.html
+          path: split-${{ matrix.app }}.html
           retention-days: 7

.github/workflows/unstable.yml

@@ -20,13 +20,13 @@ jobs:
           password: ${{ secrets.ARTIFACTORY_DOCKER_PASS }}
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get short hash
         run: echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
       - name: Docker Build and Push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: docker/Dockerfile.${{ matrix.mode }}

.github/workflows/update-license-year.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

.gitignore

@@ -1,7 +1,8 @@
 #Project files
-split-synchronizer
 split-sync
 split-proxy
+split-sync-fips
+split-proxy-fips
 proxy-opts.md
 sync-opts.md
 
@@ -70,3 +71,7 @@ build/*
 split-proxy
 split-sync
 /clilist
+
+windows/downloads
+windows/unpacked
+windows/build

CHANGES.txt

@@ -1,3 +1,6 @@
+5.6.0 (TD)
+ - Add support for FIPS-compliant binaries & docker images
+
 5.5.0 (Dec 12, 2023)
  - Added support for Flag Sets on Split Proxy and Synchronizer, which enables SDKs to interacting with the flag sets features (more details in our documentation):
     - Updated Proxy endpoints used by SDKs to fetch flags have been updated to handle any SDKs downloading flags in certain flag sets.

Makefile

@@ -1,19 +1,24 @@
 # Setup defaults
 GO ?= go
+MAKE ?= make
 ZIP ?= zip
 ARCH ?= amd64
 PYTHON ?= python3
 DOCKER ?= docker
 BUILD ?= build
+BUILD_FIPS ?= $(BUILD)/fips
+BUILD_FIPS_WIN_TMP ?= windows/build
 SHELL = /usr/bin/env bash -o pipefail
+ENFORCE_FIPS := -tags enforce_fips
+CURRENT_OS = $(shell uname -a | awk '{print $$1}')
 PLATFORM ?=
 
 # Extra arguments
 EXTRA_BUILD_ARGS ?=
 
 # don't depend on commit version, to avoid rebuilding unnecessarily
-sources			:= $(shell find . -name *.go -not -name "commitversion.go")
-version			:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
+sources				:= $(shell find . -name *.go -not -name "commitversion.go")
+version				:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
 commit_version		:= $(shell git rev-parse --short HEAD)
 installer_tpl		:= ./release/install_script_template
 installer_tpl_lines	:= $(shell echo $$(( $$(wc -l $(installer_tpl) | awk '{print $$1}') +1 )))
@@ -51,6 +56,14 @@ split-sync: $(sources) go.sum
 split-proxy: $(sources) go.sum
 	$(GO) build $(EXTRA_BUILD_ARGS) -o $@ cmd/proxy/main.go
 
+## Build the split-sync executable
+split-sync-fips: $(sources) go.sum
+	GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/synchronizer/main.go
+
+## Build the split-proxy executable
+split-proxy-fips: $(sources) go.sum
+	GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/proxy/main.go
+
 ## Run the unit tests
 test: $(sources) go.sum
 	$(GO) test ./... -count=1 -race $(ARGS)
@@ -92,13 +105,29 @@ entrypoints: entrypoint.synchronizer.sh entrypoint.proxy.sh
 
 ## Build release-ready docker images with proper tags and output push commands in stdout
 images_release: # entrypoints
-	$(DOCKER) build $(platform_str) -t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) -f docker/Dockerfile.synchronizer .
-	$(DOCKER) build $(platform_str) -t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) -f docker/Dockerfile.proxy .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) \
+		-f docker/Dockerfile.synchronizer .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) \
+		-f docker/Dockerfile.proxy .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-synchronizer-fips:latest -t splitsoftware/split-synchronizer-fips:$(version) \
+		--build-arg FIPS_MODE=1 \
+		-f docker/Dockerfile.synchronizer .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-proxy-fips:latest -t splitsoftware/split-proxy-fips:$(version) \
+		--build-arg FIPS_MODE=1 \
+		-f docker/Dockerfile.proxy .
 	@echo "Images created. Make sure everything works ok, and then run the following commands to push them."
 	@echo "$(DOCKER) push splitsoftware/split-synchronizer:$(version)"
 	@echo "$(DOCKER) push splitsoftware/split-synchronizer:latest"
 	@echo "$(DOCKER) push splitsoftware/split-proxy:$(version)"
 	@echo "$(DOCKER) push splitsoftware/split-proxy:latest"
+	@echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:$(version)"
+	@echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:latest"
+	@echo "$(DOCKER) push splitsoftware/split-proxy-fips:$(version)"
+	@echo "$(DOCKER) push splitsoftware/split-proxy-fips:latest"
 
 # --------------------------------------------------------------------------
 #
@@ -114,11 +143,14 @@ coverage.out: test_coverage
 
 # because of windows .exe suffix, we need a macro on the right side, which needs to be executed
 # after the `%` evaluation, therefore, in a second expansion
+
 .SECONDEXPANSION:
-$(BUILD)/split_%.zip: $(BUILD)/split_$$(call make_exec,%)
+%.zip: $$(call mkexec,%)
 	$(ZIP) -9 --junk-paths $@ $<
 
-$(BUILD)/install_split_%.bin: $(BUILD)/split_%.zip
+# factorized installer creation since it cannot be combined into a single
+# target for both std & fips-compliant builds
+define make-installer
 	cat  $(installer_tpl) \
 	    | sed -e "s/AUTO_REPLACE_APP_NAME/$(call apptitle_from_zip,$<)/" \
 	    | sed -e "s/AUTO_REPLACE_INSTALL_NAME/$(call installed_from_zip,$<)/" \
@@ -133,12 +165,44 @@ $(BUILD)/install_split_%.bin: $(BUILD)/split_%.zip
 	chmod 755 $@
 	rm [email protected]
 	rm $<
+endef
 
-execs := split_sync_linux split_sync_osx split_sync_windows.exe split_proxy_linux split_proxy_osx split_proxy_windows.exe
-.INTERMEDIATE: $(addprefix $(BUILD)/,$(execs))
+$(BUILD)/install_split_%.bin: $(BUILD)/split_%.zip
+	$(make-installer)
+
+$(BUILD_FIPS)/install_split_%.bin: $(BUILD_FIPS)/split_%.zip
+	$(make-installer)
+
+# Recipes to build main binaries (both std & fips-compliant)
+# @{
+posix_execs := split_sync_linux split_sync_osx split_proxy_linux split_proxy_osx_fips
+windows_execs := split_sync_windows.exe split_proxy_windows.exe
+execs := $(posix_execs) $(windows_execs)
+.INTERMEDIATE: $(addprefix $(BUILD)/,$(execs)) 
+
+# regular binaries recipe
 $(addprefix $(BUILD)/,$(execs)): $(BUILD)/split_%: $(sources) go.sum
 	CGO_ENABLED=0 GOARCH=$(ARCH) GOOS=$(call parse_os,$@) $(GO) build -o $@ cmd/$(call cmdfolder_from_bin,$@)/main.go
 
+# fips-compliant posix binaries recipe
+$(addprefix $(BUILD_FIPS)/,$(posix_execs)): $(BUILD_FIPS)/split_%: $(sources) go.sum
+	mkdir -p $(BUILD_FIPS)
+	GOEXPERIMENT=boringcrypto CGO_ENABLED=0 GOARCH=$(ARCH) GOOS=$(call parse_os,$@) $(GO) build $(ENFORCE_FIPS) -o $@ cmd/$(call cmdfolder_from_bin,$@)/main.go
+
+# fips-compliant windows binaries recipe
+ifeq ($(CURRENT_OS),Darwin) # we're on macos, we need to build using a dockerized linux
+$(addprefix $(BUILD_FIPS)/,$(windows_execs)): $(BUILD_FIPS)/split_%: $(sources) go.sum
+	mkdir -p $(BUILD_FIPS)
+	bash -c 'pushd windows && ./build_from_mac.sh'
+	cp $(BUILD_FIPS_WIN_TMP)/* $(BUILD_FIPS)
+else
+$(addprefix $(BUILD_FIPS)/,$(windows_execs)): $(BUILD_FIPS)/split_%: $(sources) go.sum
+	mkdir -p $(BUILD_FIPS) # we're on linux, we can build natively
+	$(MAKE) -f Makefile -C ./windows setup_ms_go binaries
+	cp $(BUILD_FIPS_WIN_TMP)/* $(BUILD_FIPS)
+endif
+# @}
+
 entrypoint.%.sh: clilist
 	cat docker/entrypoint.sh.tpl \
 	    | sed 's/{{ARGS}}/$(shell ./clilist -target=$*)/' \
@@ -201,12 +265,12 @@ help:
 to_uppercase		= $(shell echo '$1' | tr a-z A-Z)
 remove_ext_path		= $(basename $(notdir $1))
 normalize_os		= $(if $(subst osx,,$1),$1,darwin)
-parse_os		= $(call normalize_os,$(word 3,$(subst _, ,$(call remove_ext_path,$1))))
-make_exec		= $(if $(findstring windows,$1),$1.exe,$1)
-installed_from_zip 	= $(if $(findstring split_sync,$1),split-sync,split-proxy)
+parse_os			= $(call normalize_os,$(word 3,$(subst _, ,$(call remove_ext_path,$1))))
+mkexec				= $(if $(findstring windows,$1),$1.exe,$1)
+installed_from_zip	= $(if $(findstring split_sync,$1),split-sync,split-proxy)
 apptitle_from_zip	= $(if $(findstring split_sync,$1),Synchronizer,Proxy)
 cmdfolder_from_bin	= $(if $(findstring split_sync,$1),synchronizer,proxy)
-platform_str = $(if $(PLATFORM),--platform=$(PLATFORM),)
+platform_str		= $(if $(PLATFORM),--platform=$(PLATFORM),)
 
 # "constants"
 null  :=

docker/Dockerfile.proxy

@@ -2,6 +2,7 @@
 FROM golang:1.21.3-alpine3.18 AS builder
 
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 
 RUN apk add \
     bash \
@@ -13,7 +14,10 @@ WORKDIR /code
 
 COPY . .
 
-RUN make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    else echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
+    fi
 
 # Runner stage
 FROM alpine:3.18.4 AS runner

docker/Dockerfile.synchronizer

@@ -2,6 +2,7 @@
 FROM golang:1.21.3-alpine3.18 AS builder
 
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 
 RUN apk add \
     bash \
@@ -13,7 +14,10 @@ WORKDIR /code
 
 COPY . .
 
-RUN make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    else echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+    fi
 
 # Runner stage
 FROM alpine:3.18.4 AS runner

splitio/commitversion.go

@@ -5,4 +5,4 @@ This file is created automatically, please do not edit
 */
 
 // CommitVersion is the version of the last commit previous to release
-const CommitVersion = "5ed4245"
+const CommitVersion = "fe6882b"

splitio/enforce_fips.go

@@ -0,0 +1,8 @@
+//go:build enforce_fips
+// +build enforce_fips
+
+package splitio
+
+import (
+	_ "crypto/tls/fipsonly"
+)