
Commit a9ce3f7

committed
feat(queue-worker): fips
1 parent a011912 commit a9ce3f7

6 files changed

Lines changed: 31 additions & 3 deletions


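--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ env:
 DOCKER_BUILD_ARCHES_JSON: '["arm64","amd64"]'
 DOCKER_BUILD_SERVICES_JSON: '["authorization-service","queue-worker-service","ddp-streamer-service","account-service","presence-service","omnichannel-transcript-service","rocketchat"]'
 DOCKER_BUILD_EXTRA_COVERAGE_JSON: '[{"arch":"amd64","service":"rocketchat","type":"coverage"},{"arch":"arm64","service":"rocketchat","type":"coverage"}]'
-DOCKER_BUILD_FIPS_SERVICES_JSON: '["authorization-service","ddp-streamer-service","presence-service"]'
+DOCKER_BUILD_FIPS_SERVICES_JSON: '["authorization-service","queue-worker-service","ddp-streamer-service","presence-service"]'
 
 jobs:
 release-versions: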

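--- a/docker-compose-ci.fips.yml
+++ b/docker-compose-ci.fips.yml
@@ -13,3 +13,8 @@ services:
 build:
 target: release-fips
 image: ghcr.io/${LOWERCASE_REPOSITORY}/ddp-streamer-service:${DOCKER_TAG}-fips
+
+queue-worker-service:
+build:
+target: release-fips
+image: ghcr.io/${LOWERCASE_REPOSITORY}/queue-worker-service:${DOCKER_TAG}-fips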

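--- a/docker-compose-ci.yml
+++ b/docker-compose-ci.yml
@@ -137,6 +137,7 @@ services:
 build:
 dockerfile: ee/apps/queue-worker/Dockerfile
 context: .
+target: release-standard
 x-bake:
 platforms:
 - linux/amd64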

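--- a/ee/apps/queue-worker/Dockerfile
+++ b/ee/apps/queue-worker/Dockerfile
@@ -101,7 +101,7 @@ WORKDIR /app/ee/apps/${SERVICE}
 
 RUN yarn workspaces focus --production
 
-FROM node:22.16.0-alpine3.21
+FROM node:22.16.0-alpine3.21 AS release-standard
 
 ARG SERVICE
 
@@ -127,3 +127,14 @@ USER rocketchat
 EXPOSE 3000 9458
 
 CMD ["node", "src/service.js"]
+
+# FIPS RELEASE STAGE
+FROM rocketchatfips140/dhi-node:22-fips AS release-fips
+ARG SERVICE
+ENV NODE_ENV=production \
+PORT=3000
+COPY --chown=node:node --from=builder /app /app
+WORKDIR /app/ee/apps/${SERVICE}
+USER node
+EXPOSE 3000 9458
+CMD ["node", "--require", "./src/fips.js", "src/service.js"]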
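Review bot: The base of the new stage, `FROM rocketchatfips140/dhi-node:22-fips AS release-fips`, is a floating tag, while the standard stage pins `node:22.16.0-alpine3.21`. Since this image exists to ship a specific validated crypto module, the base should be pinned by digest, e.g. `FROM rocketchatfips140/dhi-node:22-fips@sha256:<DIGEST_PLACEHOLDER> AS release-fips`, so a re-pushed tag cannot silently change the Node/OpenSSL build behind it. `COPY --chown=node:node --from=builder /app /app` takes the whole builder tree; the builder stage lies outside these hunks, so it is worth confirming that any native modules built there match the libc of this base and that nothing beyond the service's runtime files is carried over. A short comment above the stage explaining why it runs as `node` and preloads `./src/fips.js` would help the next reader.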

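--- a/ee/apps/queue-worker/src/fips.ts
+++ b/ee/apps/queue-worker/src/fips.ts
@@ -0,0 +1,11 @@
+import crypto from 'crypto';
+
+crypto.setFips(true);
+
+if (crypto.getFips() !== 1) {
+throw new Error('FIPS mode was not enabled after crypto.setFips(true)');
+}
+
+console.log('=========================================');
+console.log('FIPS COMPLIANCE CHECK: YES');
+console.log('=========================================');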
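Review bot: The `crypto.getFips() !== 1` assertion runs only once at preload, and a mode set with `crypto.setFips(true)` can later be switched off by any code that calls `crypto.setFips(false)`. Starting Node with `--force-fips` in the release-fips `CMD` (assuming the base image's Node build supports it) would make the mode impossible to disable from script, with this file kept as the startup assertion. The banner `FIPS COMPLIANCE CHECK: YES` states more than the code verifies, so a message such as `console.log('FIPS mode enabled (crypto.getFips() === 1)');` would be more accurate for anyone reading the log as evidence. A header comment saying the file is loaded via `node --require ./src/fips.js` before `src/service.js` would explain why nothing imports it.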

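--- a/ee/apps/queue-worker/tsconfig.json
+++ b/ee/apps/queue-worker/tsconfig.json
@@ -4,7 +4,7 @@
 "strictPropertyInitialization": false,
 "outDir": "./dist/ee/apps/queue-worker/src",
 },
-"files": ["./src/service.ts"],
+"files": ["./src/service.ts", "./src/fips.ts"],
 "include": ["../../../apps/meteor/definition/externals/meteor"],
 "exclude": ["./dist"]
 }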
