feat: Add FIPS version (#19676)

erezrokah · web-flow · commit bcdf696bc9a3 · 2024-11-25T16:11:35.000Z
#### Summary This PR is intended to add a FIPS version of the test source plugin, it works only for linux arm64 and amd64, since that's what `boringcrypto` [supports](https://github.com/golang/go/blob/4865aadc21acebc8039f914929f03c7042b2ae8d/src/crypto/boring/boring_test.go#L16). Needs cloudquery/plugin-sdk#1974 for validation
diff --git a/.github/workflows/publish_plugin_to_hub_fips.yml b/.github/workflows/publish_plugin_to_hub_fips.yml
@@ -0,0 +1,122 @@
+name: Publish plugin to hub FIPS
+on:
+  push:
+    tags:
+      - "plugins-source-test-v*.*.*"
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      plugin_name: ${{ steps.split.outputs.plugin_name }}
+      plugin_kind: ${{ steps.split.outputs.plugin_kind }}
+      plugin_version: ${{ steps.split.outputs.plugin_version }}-fips
+      plugin_dir: ${{ steps.split.outputs.plugin_dir }}
+      prerelease: ${{ steps.semver_parser.outputs.prerelease }}
+    steps:
+      - name: Split tag
+        id: split
+        run: |
+          tag=${{ github.ref_name }}
+          plugin_kind=$(echo $tag | cut -d- -f2)
+          plugin_name=$(echo $tag | cut -d- -f3)
+          plugin_version=$(echo $tag | cut -d- -f4-)
+          # perform looping till either the plugin version passes our semver test or is empty
+          until [[ $plugin_version =~ ^v?[0-9]+\.[0-9]+ ]] || [[ $(echo $plugin_version | wc -c) -eq 0 ]] ; do
+             echo "${plugin_version} is not a valid version"
+             plugin_name="$plugin_name-$(echo $plugin_version | cut -d- -f1)"
+             plugin_version=$(echo $plugin_version | cut -d- -f2-)
+          done
+          echo "plugin_name=${plugin_name}" >> $GITHUB_OUTPUT
+          echo "plugin_kind=${plugin_kind}" >> $GITHUB_OUTPUT
+          echo "plugin_version=${plugin_version}" >> $GITHUB_OUTPUT
+          echo "plugin_dir=plugins/${plugin_kind}/${plugin_name}" >> $GITHUB_OUTPUT
+
+      # Fail if not a valid SemVer string
+      - name: Parse semver string
+        uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3
+        id: semver_parser
+        with:
+          input_string: ${{steps.split.outputs.plugin_version}}
+      - name: Checkout
+        uses: actions/checkout@v4
+
+  publish-plugin-to-hub-fips:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/cloudquery/golang-cross:v10.0.0
+      env:
+        CC: /usr/bin/gencc.sh
+        CXX: /usr/bin/gencpp.sh
+    needs:
+      - prepare
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.22.4-publish-plugin-to-hub-fips-cache-${{ hashFiles(format('{0}/{1}', needs.prepare.outputs.plugin_dir, 'go.sum')) }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.22.4-publish-plugin-to-hub-fips-cache-plugins-${{ needs.prepare.outputs.plugin_kind }}-${{ needs.prepare.outputs.plugin_name }}
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ${{ needs.prepare.outputs.plugin_dir }}/go.mod
+          cache: false
+
+      # Needed for shell escape
+      - name: Use Node.js LTS
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+
+      - name: Install shell escape
+        run: |
+          npm install shell-escape@0.2.0
+
+      - name: Get Release Notes
+        id: release-notes
+        uses: actions/github-script@v7
+        env:
+          PRERELEASE: ${{ needs.prepare.outputs.prerelease }}
+        with:
+          result-encoding: string
+          script: |
+            const shellescape = require('shell-escape');
+            const { PRERELEASE } = process.env;
+            if (PRERELEASE) {
+              return shellescape(["This is a pre-release version of the plugin and should be used for testing purposes only"])
+            }
+            const { data } = await github.rest.repos.getReleaseByTag({
+              owner: "cloudquery",
+              repo: context.repo.repo,
+              tag: context.ref.replace('refs/tags/', ''),
+            });
+            return shellescape([data.body]);
+
+      - name: Find and Replace
+        uses: jacobtomlinson/gha-find-replace@3a8ed858a4e3fb487c6f53658ec40b2b1d45d9d8
+        with:
+          find: "(?i)version_${{ needs.prepare.outputs.plugin_kind }}_${{ needs.prepare.outputs.plugin_name }}"
+          replace: ${{ needs.prepare.outputs.plugin_version }}
+          include: ${{ needs.prepare.outputs.plugin_dir }}/docs/*.md
+
+      - name: Run package command
+        working-directory: ${{ needs.prepare.outputs.plugin_dir }}
+        env:
+          GOEXPERIMENT: "boringcrypto"
+        run: |
+          rm -rf docs/tables.md
+          go run main.go package -m ${{ steps.release-notes.outputs.result }} ${{ needs.prepare.outputs.plugin_version }} .
+
+      - name: Setup CloudQuery
+        uses: cloudquery/setup-cloudquery@v4
+        with:
+          version: v6.11.2
diff --git a/.github/workflows/source_test.yml b/.github/workflows/source_test.yml
@@ -55,4 +55,49 @@ jobs:
         run: go build .
       - name: Test
         run: make test
-  
+  validate-fips:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/cloudquery/golang-cross:v10.0.0
+      env:
+        CC: /usr/bin/gencc.sh
+        CXX: /usr/bin/gencpp.sh
+    defaults:
+      run:
+        working-directory: ./plugins/source/test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-1.22.4-validate-plugin-fips-cache-${{ hashFiles('plugins/source/test/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-1.22.4-validate-plugin-fips-cache-source-test
+
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: plugins/source/test/go.mod
+          cache: false
+
+      - name: Run package command
+        env:
+          GOEXPERIMENT: "boringcrypto"
+        run: |
+          rm -rf docs/tables.md
+          go run main.go package -m "chore: Test FIPS" "v1.0.0" .
+
+      - name: Unzip package artifacts
+        run: |
+          unzip -o dist/plugin-test-v1.0.0-linux-amd64.zip
+          chmod +x plugin-test-v1.0.0-linux-amd64
+          ./plugin-test-v1.0.0-linux-amd64 --version
+
+      - name: Validate FIPS build
+        run: |
+          go tool nm plugin-test-v1.0.0-linux-amd64 | grep -E 'sig.FIPSOnly|sig.BoringCrypto'
diff --git a/plugins/source/test/main.go b/plugins/source/test/main.go
@@ -1,3 +1,5 @@
+//go:build !(linux && boringcrypto)
+
 package main
 
 import (
diff --git a/plugins/source/test/main_fips.go b/plugins/source/test/main_fips.go
@@ -0,0 +1,19 @@
+//go:build linux && boringcrypto
+
+package main
+
+import (
+	"context"
+	_ "crypto/tls/fipsonly"
+	"log"
+
+	"github.com/cloudquery/cloudquery/plugins/source/test/resources/plugin"
+	"github.com/cloudquery/plugin-sdk/v4/serve"
+)
+
+func main() {
+	p := serve.Plugin(plugin.Plugin())
+	if err := p.Serve(context.Background()); err != nil {
+		log.Fatalf("failed to serve plugin: %v", err)
+	}
+}
diff --git a/plugins/source/test/resources/plugin/plugin.go b/plugins/source/test/resources/plugin/plugin.go
@@ -1,3 +1,5 @@
+//go:build !(linux && boringcrypto)
+
 package plugin
 
 import (
diff --git a/plugins/source/test/resources/plugin/plugin_fips.go b/plugins/source/test/resources/plugin/plugin_fips.go
@@ -0,0 +1,31 @@
+//go:build linux && boringcrypto
+
+package plugin
+
+import (
+	"github.com/cloudquery/cloudquery/plugins/source/test/client"
+	"github.com/cloudquery/plugin-sdk/v4/plugin"
+)
+
+var (
+	Name    = "test"
+	Kind    = "source"
+	Team    = "cloudquery"
+	Version = "development"
+)
+
+func Plugin() *plugin.Plugin {
+	return plugin.NewPlugin(
+		Name,
+		Version,
+		Configure,
+		plugin.WithKind(Kind),
+		plugin.WithTeam(Team),
+		plugin.WithJSONSchema(client.JSONSchema),
+		plugin.WithConnectionTester(TestConnection),
+		plugin.WithBuildTargets([]plugin.BuildTarget{
+			{OS: plugin.GoOSLinux, Arch: plugin.GoArchAmd64, CGO: true, IncludeSymbols: true},
+			{OS: plugin.GoOSLinux, Arch: plugin.GoArchArm64, CGO: true, IncludeSymbols: true},
+		}),
+	)
+}
diff --git a/scripts/workflows/wait_for_required_workflows.js b/scripts/workflows/wait_for_required_workflows.js
@@ -62,6 +62,14 @@ module.exports = async ({github, context}) => {
         }
     }
 
+    const pluginsWithFipsVersion = ["plugins/source/test"]
+    for (const action of actions) {
+        if (pluginsWithFipsVersion.includes(action)) {
+            console.log(`Adding validate-fips to the list of required workflows for plugin ${action}`)
+            actions = [...actions, 'validate-fips']
+        }
+    }
+
     pendingActions = [...actions]
     console.log(`Waiting for ${pendingActions.join(", ")}`)
     while (now <= deadline) {

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+//go:build !(linux && boringcrypto)`
	`2`	`+`
`1`	`3`	`package main`
`2`	`4`
`3`	`5`	`import (`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+//go:build !(linux && boringcrypto)`
	`2`	`+`
`1`	`3`	`package plugin`
`2`	`4`
`3`	`5`	`import (`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,14 @@ module.exports = async ({github, context}) => {`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
	`65`	`+ const pluginsWithFipsVersion = ["plugins/source/test"]`
	`66`	`+ for (const action of actions) {`
	`67`	`+ if (pluginsWithFipsVersion.includes(action)) {`
	`68`	+ console.log(`Adding validate-fips to the list of required workflows for plugin ${action}`)
	`69`	`+ actions = [...actions, 'validate-fips']`
	`70`	`+ }`
	`71`	`+ }`
	`72`	`+`
`65`	`73`	`pendingActions = [...actions]`
`66`	`74`	console.log(`Waiting for ${pendingActions.join(", ")}`)
`67`	`75`	`while (now <= deadline) {`