fips compliant binaries

splitio · Feb 5, 2024 · b49c4cf · b49c4cf
1 parent f91c19d
commit b49c4cf
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 10 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -3,10 +3,14 @@
 .gitignore
 .netrc
 splitd
+splitd-fips
 splitcli
 shared
 testcfg
 TODO
 
+splitio/commitsha.go
+
 splitd.linux.*
 splitd.darwin.*
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,6 +81,7 @@ jobs:
           tag_name: v${{ env.VERSION }}
           files: |
             splitd-darwin-amd64-${{ env.VERSION }}.bin
+            splitd-darwin-amd64-fips-${{ env.VERSION }}.bin
             splitd-darwin-arm-${{ env.VERSION }}.bin
             splitd-linux-amd64-${{ env.VERSION }}.bin
             splitd-linux-arm-${{ env.VERSION }}.bin
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -9,6 +9,9 @@ jobs:
   build-docker-image:
     name: Build and push Docker image
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        fips-mode: [enabled, disabled]
     steps:
       - name: Login to Artifactory
         uses: docker/login-action@v2
@@ -29,4 +32,7 @@ jobs:
           context: .
           file: "infra/sidecar.Dockerfile"
           push: true
-          tags: splitio-docker.jfrog.io/splitd/sidecar:latest,splitio-docker.jfrog.io/splitd/sidecar:${{ env.VERSION }}
+          tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips-mode == "enabled" && "-fips" || ""}}:${{ env.VERSION }}
+          build-args: |
+            FIPS_MODE=${{ matrix.fips-mode }}
+,
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@
 # vendor/
 
 /splitd
+/splitd-fips
 /splitcli
 /sdhelper
 /splitd.yaml

diff --git a/Makefile b/Makefile
@@ -10,10 +10,11 @@ PLATFORM ?=
 PLATFORM_STR := $(if $(PLATFORM),--platform=$(PLATFORM),)
 
 VERSION	:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
-COMMIT_SHA := $(shell bash -c '[ ! -z $${GITHUB_SHA} ] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
+COMMIT_SHA := $(shell bash -c '[[ ! -z $${GITHUB_SHA} ]] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
 COMMIT_SHA_FILE := splitio/commitsha.go
 
 GO_FILES := $(shell find . -name "*.go" -not -name "$(COMMIT_SHA_FILE)") go.sum
+ENFORCE_FIPS := -tags enforce_fips
 
 CONFIG_TEMPLATE ?= splitd.yaml.tpl
 COVERAGE_FILE ?= coverage.out
@@ -58,9 +59,13 @@ entrypoint-test: splitd # requires splitd binary to generate a config and valida
 	bash infra/test/test_entrypoint.sh
 
 ## build splitd for local machine
-splitd: $(GO_FILES)
+splitd: $(GO_FILES) $(COMMIT_SHA_FILE)
 	go build -o splitd cmd/splitd/main.go
 
+## build splitd for local machine
+splitd-fips: $(GO_FILES) $(COMMIT_SHA_FILE)
+	GOEXPERIMENT=boringcrypto go build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 ## build splitcli for local machine
 splitcli: $(GO_FILES)
 	go build -o splitcli cmd/splitcli/main.go
@@ -74,10 +79,18 @@ sdhelper: $(GO_FILES)
 
 ## build docker images for sidecar
 images_release: # entrypoints
-	$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) -f infra/sidecar.Dockerfile .
+	$(DOCKER) build $(PLATFORM_STR) \
+		-t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) \
+		--build-arg COMMIT_SHA=$(COMMIT_SHA) \
+		-f infra/sidecar.Dockerfile .
+	$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar-fips:latest -t splitsoftware/splitd-sidecar-fips:$(VERSION) \
+		--build-arg FIPS_MODE=1 --build-arg COMMIT_SHA=$(COMMIT_SHA) \
+		-f infra/sidecar.Dockerfile .
 	@echo "Image created. Make sure everything works ok, and then run the following commands to push them."
 	@echo "$(DOCKER) push splitsoftware/splitd-sidecar:latest"
 	@echo "$(DOCKER) push splitsoftware/splitd-sidecar:$(VERSION)"
+	@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:latest"
+	@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:$(VERSION)"
 
 ## build release for binaires
 binaries_release: splitd-linux-amd64-$(VERSION).bin splitd-darwin-amd64-$(VERSION).bin splitd-linux-arm-$(VERSION).bin splitd-darwin-arm-$(VERSION).bin
@@ -92,6 +105,9 @@ $(COMMIT_SHA_FILE):
 splitd-linux-amd64-$(VERSION).bin: $(GO_FILES)
 	GOARCH=amd64 GOOS=linux $(GO) build -o $@ cmd/splitd/main.go
 
+splitd-linux-amd64-fips-$(VERSION).bin: $(GO_FILES)
+	GOEXPERIMENT=boringcrypto GOARCH=amd64 GOOS=linux $(GO) build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 splitd-darwin-amd64-$(VERSION).bin: $(GO_FILES)
 	GOARCH=amd64 GOOS=darwin $(GO) build -o $@ cmd/splitd/main.go
 

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/splitio/splitd
 
-go 1.20
+go 1.21
 
 require (
 	github.com/splitio/go-split-commons/v5 v5.1.0

diff --git a/go.sum b/go.sum
@@ -1,5 +1,7 @@
 github.com/bits-and-blooms/bitset v1.3.1 h1:y+qrlmq3XsWi+xZqSaueaE8ry8Y127iMxlMfqcK8p0g=
+github.com/bits-and-blooms/bitset v1.3.1/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bits-and-blooms/bloom/v3 v3.3.1 h1:K2+A19bXT8gJR5mU7y+1yW6hsKfNCjcP2uNfLFKncjQ=
+github.com/bits-and-blooms/bloom/v3 v3.3.1/go.mod h1:bhUUknWd5khVbTe4UgMCSiOOVJzr3tMoijSK3WwvW90=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile
@@ -1,16 +1,32 @@
 # ----- Builder image
-FROM golang:1.20.7-alpine3.18 AS builder
+FROM golang:1.21.6-bookworm AS builder
 
-RUN apk add git build-base bash
+ARG FIPS_MODE
+ARG COMMIT_SHA
+
+RUN apt update -y
+RUN apt install -y build-essential ca-certificates python3 git
 
 WORKDIR /splitd
 COPY . .
-RUN make clean splitd splitd.yaml.tpl
+
+RUN export GITHUB_SHA="${COMMIT_SHA}" && \
+    if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in fips mode"; make clean splitd-fips splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+    else echo "building in standard mode"; make clean splitd splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    fi
 
 # ----- Runner image
-FROM alpine:3.18 AS runner
 
-RUN apk add gettext yq bash
+FROM debian:12.4 AS runner
+
+RUN apt update -y
+RUN apt install -y bash ca-certificates wget
+
+RUN wget https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64
+RUN chmod +x yq_linux_amd64
+RUN mv yq_linux_amd64 /usr/local/bin/yq
+
 RUN mkdir -p /opt/splitd
 COPY --from=builder /splitd/splitd /opt/splitd
 COPY --from=builder /splitd/splitd.yaml.tpl /opt/splitd

diff --git a/splitio/enforce_fips.go b/splitio/enforce_fips.go
@@ -0,0 +1,8 @@
+//go:build enforce_fips
+// +build enforce_fips
+
+package splitio
+
+import (
+	_ "crypto/tls/fipsonly"
+)