Skip to content

Added cargo test for checking compliance to fedora-crypto-policies#308

Merged
Jakob-Naucke merged 1 commit into
trusted-execution-clusters:mainfrom
SpaceFace02:fedora-crypt-policy-compliance-test
Jul 13, 2026
Merged

Added cargo test for checking compliance to fedora-crypto-policies#308
Jakob-Naucke merged 1 commit into
trusted-execution-clusters:mainfrom
SpaceFace02:fedora-crypt-policy-compliance-test

Conversation

@SpaceFace02

@SpaceFace02 SpaceFace02 commented Jul 10, 2026

Copy link
Copy Markdown
Member

Added a test to check for compliance to fedora-crypt-policies for the final shipped bundle, without test-suite deps and build deps.

the allowlist is subject to change based on inputs.

Summary by Sourcery

Add an automated check ensuring shipped binaries do not depend on non-compliant cryptography crates.

Tests:

  • Add a cargo test that scans normal (non-dev, non-build) dependencies for disallowed crypto/TLS crates based on Fedora crypto policies.
  • Wire the new crypto-compliance test into the lint GitHub Actions workflow to run on CI.

@SpaceFace02 SpaceFace02 requested a review from Jakob-Naucke July 10, 2026 10:02
@sourcery-ai

sourcery-ai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Reviewer's Guide

Adds a new test that enforces Fedora crypto policy compliance by scanning shipped, non-dev dependencies for unapproved crypto crates and wiring it into the test suite and CI lint workflow.

Sequence diagram for new Fedora crypto policy compliance test in CI

sequenceDiagram
    actor Developer
    participant GitHubActions as GitHubActions_lint_workflow
    participant Cargo as cargo
    participant Test as no_disallowed_crypto_test

    Developer->>GitHubActions: push_changes
    GitHubActions->>Cargo: cargo test --test no_disallowed_crypto
    Cargo->>Test: run_tests
    Test->>Test: scan_shipped_dependencies
    alt [disallowed crypto crate found]
        Test-->>Cargo: test_failure
        Cargo-->>GitHubActions: non_zero_exit_status
        GitHubActions-->>Developer: report_lint_job_failure
    else [no disallowed crypto crate]
        Test-->>Cargo: test_success
        Cargo-->>GitHubActions: zero_exit_status
        GitHubActions-->>Developer: report_lint_job_success
    end
Loading

File-Level Changes

Change Details Files
Introduce a test that scans normal dependency crates and fails if non-allowlisted crypto implementations are present.
  • Add a new test target no_disallowed_crypto in the tests workspace configuration.
  • Implement Rust test that uses cargo tree and cargo metadata to collect normal (non-dev, non-build) dependencies for the shipping target.
  • Filter out test-only workspace members and allowed crypto crates, then detect crates categorized/keyworded as cryptography/crypto.
  • Fail the test with a detailed message listing violating crates and remediation guidance.
tests/Cargo.toml
tests/no_disallowed_crypto.rs
Integrate the new crypto-policy compliance test into the CI lint workflow.
  • Extend lint GitHub Actions job to run cargo test --test no_disallowed_crypto after existing checks.
  • Ensure the check runs on the same job that already validates rustls usage, keeping crypto compliance checks centralized.
.github/workflows/lint.yml

Possibly linked issues

  • #0: PR adds the no_disallowed_crypto test and CI step explicitly enforcing Fedora crypto policy alignment requested in issue.

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="tests/no_disallowed_crypto.rs" line_range="155-159" />
<code_context>
+        .iter()
+        .filter(|pkg| !workspace_members.contains(pkg["id"].as_str().unwrap_or_default()))
+        .filter(|pkg| normal_deps.contains(pkg["name"].as_str().unwrap_or_default()))
+        .filter(|pkg| {
+            !ALLOWED_CRYPTO_CRATES.contains(&pkg["name"].as_str().unwrap_or_default())
+        })
+        .filter(|pkg| {
+            let categories = as_lowercase_str_vec(&pkg["categories"]);
+            let keywords = as_lowercase_str_vec(&pkg["keywords"]);
+            categories.iter().any(|c| c == "cryptography")
</code_context>
<issue_to_address>
**suggestion:** Consider how to handle crypto crates that lack `cryptography` category or `crypto` keyword to avoid silently missing non-compliant crates.

Because detection depends on `categories` including `"cryptography"` or `keywords` including `"crypto"`, any crate that implements its own crypto/TLS without these tags will be missed.

To mitigate this:
- Consider adding a blocklist of known non-OpenSSL crypto/TLS crates alongside the allowlist.
- At minimum, document in the test that it relies on crates.io metadata and may miss untagged crypto crates, so the limitation is clear.

This helps avoid tests giving a false sense of coverage when mis-tagged crypto crates are introduced.

Suggested implementation:

```rust
        .filter(|pkg| {
            let name = pkg["name"].as_str().unwrap_or_default();
            let categories = as_lowercase_str_vec(&pkg["categories"]);
            let keywords = as_lowercase_str_vec(&pkg["keywords"]);

            let looks_like_crypto =
                categories.iter().any(|c| c == "cryptography")
                    || keywords.iter().any(|k| k.contains("crypto"));

            let is_blocklisted_known_crypto_crate =
                DISALLOWED_CRYPTO_CRATES.contains(&name);

            // NOTE: This test relies on crates.io metadata (categories/keywords) to
            // detect crypto usage and may miss crates that implement their own
            // crypto/TLS without appropriate tags. The explicit blocklist of known
            // non-OpenSSL crypto/TLS crates (DISALLOWED_CRYPTO_CRATES) exists to
            // mitigate this, but coverage is necessarily best-effort.
            looks_like_crypto || is_blocklisted_known_crypto_crate
        })

```

To fully implement the suggestion, you should also:
1. Define the `DISALLOWED_CRYPTO_CRATES` blocklist alongside `ALLOWED_CRYPTO_CRATES`, for example:
   ```rust
   const DISALLOWED_CRYPTO_CRATES: &[&str] = &[
       "rustls",
       "rustls-pemfile",
       "ring",
       "boring",
       // extend this list as additional non-OpenSSL crypto/TLS crates are introduced
   ];
   ```
2. Optionally add a short module- or test-level doc comment at the top of `tests/no_disallowed_crypto.rs` explicitly stating that this test is best-effort, relies on crates.io metadata, and uses a curated blocklist, so readers understand its limitations.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread tests/no_disallowed_crypto.rs Outdated
Comment on lines +155 to +159
.filter(|pkg| {
!ALLOWED_CRYPTO_CRATES.contains(&pkg["name"].as_str().unwrap_or_default())
})
.filter(|pkg| {
let categories = as_lowercase_str_vec(&pkg["categories"]);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Consider how to handle crypto crates that lack cryptography category or crypto keyword to avoid silently missing non-compliant crates.

Because detection depends on categories including "cryptography" or keywords including "crypto", any crate that implements its own crypto/TLS without these tags will be missed.

To mitigate this:

  • Consider adding a blocklist of known non-OpenSSL crypto/TLS crates alongside the allowlist.
  • At minimum, document in the test that it relies on crates.io metadata and may miss untagged crypto crates, so the limitation is clear.

This helps avoid tests giving a false sense of coverage when mis-tagged crypto crates are introduced.

Suggested implementation:

        .filter(|pkg| {
            let name = pkg["name"].as_str().unwrap_or_default();
            let categories = as_lowercase_str_vec(&pkg["categories"]);
            let keywords = as_lowercase_str_vec(&pkg["keywords"]);

            let looks_like_crypto =
                categories.iter().any(|c| c == "cryptography")
                    || keywords.iter().any(|k| k.contains("crypto"));

            let is_blocklisted_known_crypto_crate =
                DISALLOWED_CRYPTO_CRATES.contains(&name);

            // NOTE: This test relies on crates.io metadata (categories/keywords) to
            // detect crypto usage and may miss crates that implement their own
            // crypto/TLS without appropriate tags. The explicit blocklist of known
            // non-OpenSSL crypto/TLS crates (DISALLOWED_CRYPTO_CRATES) exists to
            // mitigate this, but coverage is necessarily best-effort.
            looks_like_crypto || is_blocklisted_known_crypto_crate
        })

To fully implement the suggestion, you should also:

  1. Define the DISALLOWED_CRYPTO_CRATES blocklist alongside ALLOWED_CRYPTO_CRATES, for example:
    const DISALLOWED_CRYPTO_CRATES: &[&str] = &[
        "rustls",
        "rustls-pemfile",
        "ring",
        "boring",
        // extend this list as additional non-OpenSSL crypto/TLS crates are introduced
    ];
  2. Optionally add a short module- or test-level doc comment at the top of tests/no_disallowed_crypto.rs explicitly stating that this test is best-effort, relies on crates.io metadata, and uses a curated blocklist, so readers understand its limitations.

@SpaceFace02 SpaceFace02 force-pushed the fedora-crypt-policy-compliance-test branch from 38ee33a to bef5d96 Compare July 10, 2026 10:14

@Jakob-Naucke Jakob-Naucke left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, we should get oci-client to use jsonwebtoken-openssl when native-tls is enabled, but it's a bit of a separate issue.

Comment thread tests/no_disallowed_crypto.rs
Comment thread tests/no_disallowed_crypto.rs Outdated
Comment thread .github/workflows/lint.yml Outdated
@SpaceFace02 SpaceFace02 force-pushed the fedora-crypt-policy-compliance-test branch from bef5d96 to 066d138 Compare July 13, 2026 04:38
Signed-off-by: Chirag Rao <crao@redhat.com>
@SpaceFace02 SpaceFace02 force-pushed the fedora-crypt-policy-compliance-test branch from 066d138 to e4f975f Compare July 13, 2026 04:44
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Jakob-Naucke, SpaceFace02

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@SpaceFace02 SpaceFace02 requested a review from alicefr July 13, 2026 09:24
@Jakob-Naucke Jakob-Naucke merged commit 73fdc7a into trusted-execution-clusters:main Jul 13, 2026
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants