chore: our upstream dependencies use the fips flag

Author: apiarian-datadog

bottlecap-run/runBottlecap.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -e
+set -ex
 arch=$(uname -a)
 cd ../bottlecap
 # build bottlecap in debug mode

bottlecap/Cargo.lock

@@ -9,12 +9,12 @@ async-trait = { version = "0.1", default-features = false }
 chrono = { version = "0.4", features = ["serde", "std", "now"], default-features = false }
 datadog-protos = { version = "0.1.0", default-features = false, git = "https://github.com/DataDog/saluki/" }
 ddsketch-agent = { version = "0.1.0", default-features = false, git = "https://github.com/DataDog/saluki/" }
-ddcommon = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5" }
-datadog-trace-protobuf = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5" }
-datadog-trace-utils = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5", features = ["compression"] }
-datadog-trace-mini-agent = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5" }
-datadog-trace-normalization = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5" }
-datadog-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", rev = "a0b92b643dff8bc28d87c974eddf7189c238eaa5" }
+ddcommon = { git = "https://github.com/DataDog/libdatadog", branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap"}
+datadog-trace-protobuf = { git = "https://github.com/DataDog/libdatadog", branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap" }
+datadog-trace-utils = { git = "https://github.com/DataDog/libdatadog", branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap", features = ["compression"] }
+datadog-trace-mini-agent = { git = "https://github.com/DataDog/libdatadog", branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap" }
+datadog-trace-normalization = { git = "https://github.com/DataDog/libdatadog",  branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap"}
+datadog-trace-obfuscation = { git = "https://github.com/DataDog/libdatadog", branch = "aleksandr.pasechnik/svls-6242-fips-features-for-bottlecap" }
 dogstatsd = { git = "https://github.com/DataDog/serverless-components", rev = "4dfe72ab1850680f41dd79d30a937eb68e7ba6da" }
 figment = { version = "0.10", default-features = false, features = ["yaml", "env"] }
 hyper = { version = "1.6", default-features = false, features = ["server"] }
@@ -30,7 +30,7 @@ log = { version = "0.4", default-features = false }
 nix = { version = "0.26", default-features = false, features = ["feature", "fs"] }
 protobuf = { version = "3.5", default-features = false }
 regex = { version = "1.10", default-features = false }
-reqwest = { version = "0.12.11", features = ["json", "http2", "rustls-tls"], default-features = false }
+reqwest = { version = "0.12.11", features = ["json", "http2"], default-features = false }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_json = { version = "1.0", default-features = false, features = ["alloc"] }
 thiserror = { version = "1.0", default-features = false}
@@ -56,6 +56,9 @@ proptest = "1.4"
 httpmock = "0.7"
 serial_test = "3.1"
 
+[build-dependencies]
+# No external dependencies needed for the build script
+
 [[bin]]
 name = "bottlecap"
 
@@ -64,3 +67,12 @@ opt-level = "z"  # Optimize for size.
 lto = true
 codegen-units = 1
 strip = true
+
+[features]
+default = ["reqwest/rustls-tls"]
+fips = [
+    "ddcommon/fips",
+    "datadog-trace-utils/fips",
+    "reqwest/rustls-tls-no-provider",
+    "rustls/fips",
+]

bottlecap/Cargo.toml

@@ -0,0 +1,74 @@
+use std::process::Command;
+
+fn main() {
+    // Check if the "fips" feature is enabled
+    let fips_enabled = std::env::var("CARGO_FEATURE_FIPS").is_ok();
+
+    if fips_enabled {
+        println!("cargo:warning=FIPS feature is enabled, checking for ring dependency...");
+
+        // First run cargo tree to get dependency on ring with detailed info
+        let output = Command::new("cargo")
+            .args(&[
+                "tree",
+                "-i",
+                "ring",
+                "--format={p} {f}",
+                "--prefix-depth",
+                "--features=fips",
+                "--no-default-features",
+            ])
+            .output()
+            .expect("Failed to execute cargo tree command");
+
+        // Also get the complete dependency path to help debugging
+        let path_output = Command::new("cargo")
+            .args(&[
+                "tree",
+                "-i",
+                "ring",
+                "--features=fips",
+                "--no-default-features",
+            ])
+            .output()
+            .expect("Failed to execute detailed cargo tree command");
+
+        let output_str = String::from_utf8_lossy(&output.stdout);
+
+        // Check if ring is in the dependency tree
+        if output_str.contains("ring v") {
+            // Get the dependency paths to ring
+            let ring_deps: Vec<&str> = output_str
+                .lines()
+                .filter(|line| line.contains("ring v"))
+                .collect();
+
+            // Get the detailed dependency path
+            let path_str = String::from_utf8_lossy(&path_output.stdout);
+
+            // Print detailed error message with dependency paths
+            let error_msg = format!(
+                "\n\nERROR: ring dependency detected with FIPS feature enabled!\n\
+                FIPS compliance requires eliminating all ring dependencies.\n\
+                \n\
+                Ring dependency versions and features:\n{}\n\
+                \n\
+                Detailed dependency paths to ring:\n{}\n\
+                \n\
+                Ensure all dependencies use aws-lc-rs instead of ring.\n\
+                Consider updating the following in your Cargo.toml:\n\
+                1. Ensure all dependencies that use rustls have the 'aws-lc-rs' feature\n\
+                2. Check transitive dependencies in reqwest, hyper-rustls, etc.\n\
+                3. Update your dependencies to versions that support FIPS mode\n",
+                ring_deps.join("\n"),
+                path_str
+            );
+
+            panic!("{}", error_msg);
+        } else {
+            println!("cargo:warning=No ring dependency found. FIPS compliance check passed!");
+        }
+    } else {
+        println!("cargo:warning=FIPS feature is not enabled, skipping ring dependency check.");
+    }
+}

bottlecap/build.rs

@@ -5,7 +5,7 @@ ARG PLATFORM
 ARG FIPS
 
 # Install dependencies
-RUN yum install -y curl gcc gcc-c++ make unzip
+RUN yum install -y curl gcc gcc-c++ make unzip cmake3 perl go
 
 # Install Protocol Buffers compiler by hand, since AL2 does not have a recent enough version.
 COPY ./scripts/install-protoc.sh /
@@ -20,13 +20,21 @@ RUN rustup component add rust-src --toolchain stable-$PLATFORM-unknown-linux-gnu
 # Copy source code
 RUN mkdir -p /tmp/dd
 COPY ./bottlecap/src /tmp/dd/bottlecap/src
+COPY ./bottlecap/build.rs /tmp/dd/bottlecap/build.rs
 COPY ./bottlecap/Cargo.toml /tmp/dd/bottlecap/Cargo.toml
 COPY ./bottlecap/Cargo.lock /tmp/dd/bottlecap/Cargo.lock
 
 # Build the binary
 ENV RUSTFLAGS="-C panic=abort"
 WORKDIR /tmp/dd/bottlecap
-RUN --mount=type=cache,target=/usr/local/cargo/registry cargo +stable build --release --target $PLATFORM-unknown-linux-gnu
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    if [ "$FIPS" = "1" ]; then \
+        export FEATURES=fips; \
+    else \
+        export FEATURES=default; \
+    fi; \
+    echo FEATURES=$FEATURES; \
+    cargo +stable build --no-default-features --features $FEATURES --release --target $PLATFORM-unknown-linux-gnu;
 RUN cp /tmp/dd/bottlecap/target/$PLATFORM-unknown-linux-gnu/release/bottlecap /tmp/dd/bottlecap/bottlecap
 
 # Use smallest image possible