chore: ddcommon fips feature

Author: apiarian-datadog

Cargo.lock

@@ -76,3 +76,5 @@ use_webpki_roots = ["hyper-rustls/webpki-roots"]
 # Enable this feature to enable stubbing of cgroup
 # php directly import this crate and uses functions gated by this feature for their test
 cgroup_testing = []
+# FIPS mode uses the FIPS-compliant cryptographic provider
+fips = ["https", "hyper-rustls/fips"]

ddcommon/Cargo.toml

@@ -13,7 +13,10 @@ RUN apt-get update && \
     protobuf-compiler \
     docker.io \
     sudo \
-    && rm -rf /var/lib/apt/lists/*
+    wget \
+    && rm -rf /var/lib/apt/lists/* \
+    && wget -O go1.24.2.linux-arm64.tar.gz https://go.dev/dl/go1.24.2.linux-arm64.tar.gz \
+    && tar -C /usr/local -xzf go1.24.2.linux-arm64.tar.gz
 
 # Docker-in-Docker configuration (necessary for integration tests)
 RUN mkdir -p /var/lib/docker

local-linux.Dockerfile

@@ -0,0 +1,34 @@
+#!/bin/bash
+# verify_fips_deps.sh
+# Script to verify that the fips feature doesn't include ring and uses the proper crypto library
+# Usage: ./verify_fips_deps.sh [package_name] (defaults to ddcommon if not specified)
+
+set -e
+
+# Default to ddcommon if no package is specified
+PACKAGE=${1:-ddcommon}
+
+echo "Checking ${PACKAGE} with fips feature..."
+
+# Check if aws-lc-fips-sys is included with FIPS feature
+FIPS_SYS_COUNT=$(cargo tree -p ${PACKAGE} --features fips | grep -c "aws-lc-fips-sys" || true)
+
+if [ "$FIPS_SYS_COUNT" -eq 0 ]; then
+  echo "❌ ERROR: aws-lc-fips-sys is not included when fips feature is enabled"
+  exit 1
+else
+  echo "✅ aws-lc-fips-sys is correctly included with fips feature"
+fi
+
+# Check if ring is included with FIPS feature (should not be)
+RING_COUNT=$(cargo tree -p ${PACKAGE} --features fips | grep -c "ring" || true)
+
+if [ "$RING_COUNT" -eq 0 ]; then
+  echo "✅ ring is correctly NOT included with fips feature"
+else
+  echo "❌ ERROR: ring is included when fips feature is enabled"
+  exit 1
+fi
+
+echo "All checks passed! ${PACKAGE} FIPS feature doesn't include ring."
+exit 0