Merge pull request #31 from splitio/fips_binaries

fips compliant binaries
splitio · Feb 23, 2024 · 242be9c · 242be9c
2 parents 639a07b + 68c62f7
commit 242be9c
Show file tree

Hide file tree

Showing 14 changed files with 93 additions and 15 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -3,10 +3,14 @@
 .gitignore
 .netrc
 splitd
+splitd-fips
 splitcli
 shared
 testcfg
 TODO
 
+splitio/commitsha.go
+
 splitd.linux.*
 splitd.darwin.*
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -83,4 +83,5 @@ jobs:
             splitd-darwin-amd64-${{ env.VERSION }}.bin
             splitd-darwin-arm-${{ env.VERSION }}.bin
             splitd-linux-amd64-${{ env.VERSION }}.bin
+            splitd-linux-amd64-fips-${{ env.VERSION }}.bin
             splitd-linux-arm-${{ env.VERSION }}.bin
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -9,6 +9,9 @@ jobs:
   build-docker-image:
     name: Build and push Docker image
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        fips_mode: [enabled, disabled]
     steps:
       - name: Login to Artifactory
         uses: docker/login-action@v3
@@ -29,4 +32,6 @@ jobs:
           context: .
           file: "infra/sidecar.Dockerfile"
           push: true
-          tags: splitio-docker.jfrog.io/splitd/sidecar:latest,splitio-docker.jfrog.io/splitd/sidecar:${{ env.VERSION }}
+          tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || ''}}:${{ env.VERSION }}
+          build-args: |
+            FIPS_MODE=${{ matrix.fips_mode }}
diff --git a/.github/workflows/unstable.yml b/.github/workflows/unstable.yml
@@ -8,6 +8,9 @@ jobs:
   push-docker-image:
     name: Build and Push Docker Image
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        fips_mode: [enabled, disabled]
     steps:
       - name: Login to Artifactory
         uses: docker/login-action@v3
@@ -28,4 +31,4 @@ jobs:
           context: .
           file: "infra/sidecar.Dockerfile"
           push: true
-          tags: splitio-docker-dev.jfrog.io/splitd/sidecar:${{ env.SHORT_SHA }}
+          tags: splitio-docker-dev.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}:${{ env.SHORT_SHA }}
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@
 # vendor/
 
 /splitd
+/splitd-fips
 /splitcli
 /sdhelper
 /splitd.yaml

diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,6 @@
+1.3.4 (Feb 22, 2024):
+- Add boringcrypto-based FIPS-compliant build for amd64/linux
+
 1.2.0 (Jan 25, 2024):
 - Added support for Flag Sets on the SDK, which enables grouping feature flags and interacting with the group rather than individually (more details in our documentation):
   - Added new variations of the get treatment methods to support evaluating flags in given flag set/s.

diff --git a/Makefile b/Makefile
@@ -10,10 +10,11 @@ PLATFORM ?=
 PLATFORM_STR := $(if $(PLATFORM),--platform=$(PLATFORM),)
 
 VERSION	:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
-COMMIT_SHA := $(shell bash -c '[ ! -z $${GITHUB_SHA} ] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
+COMMIT_SHA := $(shell bash -c '[[ ! -z $${GITHUB_SHA} ]] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
 COMMIT_SHA_FILE := splitio/commitsha.go
 
 GO_FILES := $(shell find . -name "*.go" -not -name "$(COMMIT_SHA_FILE)") go.sum
+ENFORCE_FIPS := -tags enforce_fips
 
 CONFIG_TEMPLATE ?= splitd.yaml.tpl
 COVERAGE_FILE ?= coverage.out
@@ -32,7 +33,8 @@ clean:
 		splitd-linux-amd64-$(VERSION).bin \
 		splitd-darwin-amd64-$(VERSION).bin \
 		splitd-linux-arm-$(VERSION).bin \
-		splitd-darwin-arm-$(VERSION).bin
+		splitd-darwin-arm-$(VERSION).bin \
+		splitd-linux-amd64-fips-$(VERSION).bin
 
 ## build binaries for this platform
 build: splitd splitcli sdhelper
@@ -58,9 +60,13 @@ entrypoint-test: splitd # requires splitd binary to generate a config and valida
 	bash infra/test/test_entrypoint.sh
 
 ## build splitd for local machine
-splitd: $(GO_FILES)
+splitd: $(GO_FILES) $(COMMIT_SHA_FILE)
 	go build -o splitd cmd/splitd/main.go
 
+## build splitd for local machine
+splitd-fips: $(GO_FILES) $(COMMIT_SHA_FILE)
+	GOEXPERIMENT=boringcrypto go build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 ## build splitcli for local machine
 splitcli: $(GO_FILES)
 	go build -o splitcli cmd/splitcli/main.go
@@ -74,13 +80,25 @@ sdhelper: $(GO_FILES)
 
 ## build docker images for sidecar
 images_release: # entrypoints
-	$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) -f infra/sidecar.Dockerfile .
+	$(DOCKER) build $(PLATFORM_STR) \
+		-t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) \
+		--build-arg COMMIT_SHA=$(COMMIT_SHA) \
+		-f infra/sidecar.Dockerfile .
+	$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar-fips:latest -t splitsoftware/splitd-sidecar-fips:$(VERSION) \
+		--build-arg FIPS_MODE=1 --build-arg COMMIT_SHA=$(COMMIT_SHA) \
+		-f infra/sidecar.Dockerfile .
 	@echo "Image created. Make sure everything works ok, and then run the following commands to push them."
 	@echo "$(DOCKER) push splitsoftware/splitd-sidecar:latest"
 	@echo "$(DOCKER) push splitsoftware/splitd-sidecar:$(VERSION)"
+	@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:latest"
+	@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:$(VERSION)"
 
 ## build release for binaires
-binaries_release: splitd-linux-amd64-$(VERSION).bin splitd-darwin-amd64-$(VERSION).bin splitd-linux-arm-$(VERSION).bin splitd-darwin-arm-$(VERSION).bin
+binaries_release: splitd-linux-amd64-$(VERSION).bin \
+	splitd-darwin-amd64-$(VERSION).bin \
+	splitd-linux-arm-$(VERSION).bin \
+	splitd-darwin-arm-$(VERSION).bin \
+	splitd-linux-amd64-fips-$(VERSION).bin
 
 $(COVERAGE_FILE): unit-tests
 
@@ -92,6 +110,9 @@ $(COMMIT_SHA_FILE):
 splitd-linux-amd64-$(VERSION).bin: $(GO_FILES)
 	GOARCH=amd64 GOOS=linux $(GO) build -o $@ cmd/splitd/main.go
 
+splitd-linux-amd64-fips-$(VERSION).bin: $(GO_FILES)
+	GOEXPERIMENT=boringcrypto GOARCH=amd64 GOOS=linux $(GO) build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 splitd-darwin-amd64-$(VERSION).bin: $(GO_FILES)
 	GOARCH=amd64 GOOS=darwin $(GO) build -o $@ cmd/splitd/main.go
 

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/splitio/splitd
 
-go 1.20
+go 1.21
 
 require (
 	github.com/splitio/go-split-commons/v5 v5.1.0

diff --git a/go.sum b/go.sum
@@ -1,5 +1,7 @@
 github.com/bits-and-blooms/bitset v1.3.1 h1:y+qrlmq3XsWi+xZqSaueaE8ry8Y127iMxlMfqcK8p0g=
+github.com/bits-and-blooms/bitset v1.3.1/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bits-and-blooms/bloom/v3 v3.3.1 h1:K2+A19bXT8gJR5mU7y+1yW6hsKfNCjcP2uNfLFKncjQ=
+github.com/bits-and-blooms/bloom/v3 v3.3.1/go.mod h1:bhUUknWd5khVbTe4UgMCSiOOVJzr3tMoijSK3WwvW90=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/infra/entrypoint.sh b/infra/entrypoint.sh
@@ -9,6 +9,16 @@ TPL_FILE="${TPL_FILE:-${SCRIPT_DIR}/splitd.yaml.tpl}"
 SPLITD_CFG_OUTPUT="${SPLITD_CFG_OUTPUT:-/etc/splitd.yaml}"
 SPLITD_EXEC="${SPLITD_EXEC:-/opt/splitd/splitd}"
 
+function prepare_sets() {
+    local RES="["
+    local IFS=','
+    read -ra SETS <<< "${1}"
+    for SET in "${SETS[@]}"; do
+        RES="${RES}\"${SET}\","
+    done
+    echo "${RES/%,}]"
+}
+
 # Validate mandatory arguments and initialize the template with those values
 [ -z ${SPLITD_APIKEY+x} ] && echo "SPLITD_APIKEY env var is mandatory." && exit 1
 [ -z ${SPLITD_LINK_ADDRESS+x} ] && echo "SPLITD_LINK_ADDRESS env var is mandatory." && exit 1
@@ -45,6 +55,11 @@ accum=$(yq '.sdk.apikey = env(SPLITD_APIKEY) | .link.address = env(SPLITD_LINK_A
 [ ! -z ${SPLITD_EVENTS_REFRESH_SECS+x} ]                && accum=$(echo "${accum}" | yq '.sdk.events.refreshRateSeconds = env(SPLITD_EVENTS_REFRESH_SECS)')
 [ ! -z ${SPLITD_EVENTS_QUEUE_SIZE+x} ]                  && accum=$(echo "${accum}" | yq '.sdk.events.queueSize = env(SPLITD_EVENTS_QUEUE_SIZE)')
 
+if [ ! -z ${SPLITD_FLAG_SETS_FILTER+x} ]; then
+    export PARSED_FLAGSETS=$(prepare_sets "${SPLITD_FLAG_SETS_FILTER}")
+    accum=$(echo "${accum}" | yq '.sdk.flagSetsFilter += env(PARSED_FLAGSETS)')
+fi
+
 # link configs
 [ ! -z ${SPLITD_LINK_TYPE+x} ] 		        && accum=$(echo "${accum}" | yq '.link.type = env(SPLITD_LINK_TYPE)')
 [ ! -z ${SPLITD_LINK_SERIALIZATION+x} ]     && accum=$(echo "${accum}" | yq '.link.serialization = env(SPLITD_LINK_SERIALIZATION)')

diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile
@@ -1,16 +1,31 @@
 # ----- Builder image
-FROM golang:1.20.7-alpine3.18 AS builder
+FROM golang:1.21.6-bookworm AS builder
 
-RUN apk add git build-base bash
+ARG FIPS_MODE
+ARG COMMIT_SHA
+
+RUN apt update -y
+RUN apt install -y build-essential ca-certificates python3 git socat
 
 WORKDIR /splitd
 COPY . .
-RUN make clean splitd splitd.yaml.tpl
+
+RUN export GITHUB_SHA="${COMMIT_SHA}" && bash -c '\
+    if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in fips mode"; make clean splitd-fips splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+    else echo "building in standard mode"; make clean splitd splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    fi'
 
 # ----- Runner image
-FROM alpine:3.18 AS runner
+FROM debian:12.4 AS runner
+
+RUN apt update -y
+RUN apt install -y bash ca-certificates wget
+
+RUN wget https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64
+RUN chmod +x yq_linux_amd64
+RUN mv yq_linux_amd64 /usr/local/bin/yq
 
-RUN apk add gettext yq bash
 RUN mkdir -p /opt/splitd
 COPY --from=builder /splitd/splitd /opt/splitd
 COPY --from=builder /splitd/splitd.yaml.tpl /opt/splitd

diff --git a/splitio/commitsha.go b/splitio/commitsha.go
@@ -1,3 +1,3 @@
 package splitio
 
-const CommitSHA = "15ef04f"
+const CommitSHA = "3f5eb7e"
diff --git a/splitio/enforce_fips.go b/splitio/enforce_fips.go
@@ -0,0 +1,8 @@
+//go:build enforce_fips
+// +build enforce_fips
+
+package splitio
+
+import (
+	_ "crypto/tls/fipsonly"
+)
diff --git a/splitio/version.go b/splitio/version.go
@@ -1,3 +1,3 @@
 package splitio
 
-const Version = "1.2.0"
+const Version = "1.3.0"