chore: update verify_fips_deps script to account for additional features

apiarian-datadog · apiarian-datadog · commit f94594442e4d · 2025-04-22T16:55:58.000-04:00
diff --git a/scripts/verify_fips_deps.sh b/scripts/verify_fips_deps.sh
@@ -1,34 +1,49 @@
 #!/bin/bash
 # verify_fips_deps.sh
 # Script to verify that the fips feature doesn't include ring and uses the proper crypto library
-# Usage: ./verify_fips_deps.sh [package_name] (defaults to ddcommon if not specified)
+# Usage: ./verify_fips_deps.sh [package_name] [additional_features]
+# Examples:
+#   ./verify_fips_deps.sh                          # Checks ddcommon with fips feature
+#   ./verify_fips_deps.sh datadog-trace-utils      # Checks trace-utils with fips feature
+#   ./verify_fips_deps.sh datadog-trace-utils compression  # Checks trace-utils with fips,compression features
 
 set -e
 
 # Default to ddcommon if no package is specified
 PACKAGE=${1:-ddcommon}
+shift 2>/dev/null || true
 
-echo "Checking ${PACKAGE} with fips feature..."
+# Additional features to include
+ADDITIONAL_FEATURES="$@"
+FEATURES="fips"
 
-# Check if aws-lc-fips-sys is included with FIPS feature
-FIPS_SYS_COUNT=$(cargo tree -p ${PACKAGE} --features fips | grep -c "aws-lc-fips-sys" || true)
+# Add additional features if specified
+if [ -n "$ADDITIONAL_FEATURES" ]; then
+  FEATURES="$FEATURES,$ADDITIONAL_FEATURES"
+fi
+
+echo "Checking ${PACKAGE} with features: ${FEATURES}..."
+
+# Check if aws-lc-fips-sys is included
+FIPS_SYS_COUNT=$(cargo tree -p ${PACKAGE} --features ${FEATURES} | grep -c "aws-lc-fips-sys" || true)
 
 if [ "$FIPS_SYS_COUNT" -eq 0 ]; then
   echo "❌ ERROR: aws-lc-fips-sys is not included when fips feature is enabled"
   exit 1
 else
-  echo "✅ aws-lc-fips-sys is correctly included with fips feature"
+  echo "✅ aws-lc-fips-sys is correctly included with features: ${FEATURES}"
 fi
 
-# Check if ring is included with FIPS feature (should not be)
-RING_COUNT=$(cargo tree -p ${PACKAGE} --features fips | grep -c "ring" || true)
+# Check if ring is included (should not be for runtime dependencies)
+RING_COUNT=$(cargo tree -p ${PACKAGE} --features ${FEATURES} -e=no-dev -i ring | grep -c "ring" || true)
 
 if [ "$RING_COUNT" -eq 0 ]; then
-  echo "✅ ring is correctly NOT included with fips feature"
+  echo "✅ ring is correctly NOT included with features: ${FEATURES} (in runtime dependencies)"
 else
-  echo "❌ ERROR: ring is included when fips feature is enabled"
+  echo "❌ ERROR: ring is included with features: ${FEATURES} (in runtime dependencies)"
+  cargo tree -p ${PACKAGE} --features ${FEATURES} --no-dev-dependencies -i ring
   exit 1
 fi
 
-echo "All checks passed! ${PACKAGE} FIPS feature doesn't include ring."
-exit 0
+echo "All checks passed! ${PACKAGE} with features ${FEATURES} doesn't include ring in runtime dependencies."
+exit 0
