author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-06-20 12:08:42 +0300 |
---|---|---|
committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-06-20 12:08:42 +0300 |
commit | 6afafb4620863227175948c0f6266528c343d5e0 (patch) | |
tree | 2d6d8384dcd7e169b1affb31a4295ae127594f57 | |
parent | 2b069d8536df98547acba92719b7554d1c7f2262 (diff) | |
parent | 72497fc37983c9249261df2afd417069b7d4f1fa (diff) |
Merge branch 'pks-ci-add-fips-testing' into 'master'
ci: Add jobs which exercise Gitaly in FIPS mode
See merge request gitlab-org/gitaly!4622
-rw-r--r-- | .gitlab-ci.yml | 75 | ||||
-rw-r--r-- | Makefile | 9 | ||||
-rw-r--r-- | internal/testhelper/testcfg/build.go | 9 |
3 files changed, 57 insertions, 36 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d969f49a7..cdc5b575a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -84,7 +84,7 @@ include: - name: postgres:${POSTGRES_VERSION} alias: postgres command: ["postgres", "-c", "max_connections=500"] - variables: &postgres_variables + variables: &test_variables PGHOST: postgres PGPORT: 5432 PGUSER: postgres @@ -95,10 +95,17 @@ include: TEST_FULL_OUTPUT: /tmp/test-output.log before_script: &test_before_script - go version - - while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!" # Create a directory for the unprivileged user that we're running tests as. # This is required so that we can still store test reports successfully. - install --directory --owner=${TEST_UID} --group=${TEST_UID} _unprivileged + # We need to explicitly build all prerequisites so that we can run tests unprivileged. + - make -j$(nproc) build prepare-tests $(pwd)/_build/tools/gocover-cobertura $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease) + script: + # But the actual tests should run unprivileged. This assures that we pay + # proper attention to permission bits and that we don't modify the source + # directory. + - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TEST_TARGET} SKIP_RSPEC_BUILD=YesPlease $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease) + after_script: - | # Checking for panics in ${TEST_FULL_OUTPUT} 
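Review bot: The shared `script` now runs `make ${TEST_TARGET} …` for every job that inherits `*test_definition`, but nothing guards against `TEST_TARGET` being unset; a job that forgets to set it would run the Makefile's default goal as the unprivileged user and pass without executing any tests. Failing fast with `make ${TEST_TARGET:?TEST_TARGET must be set} SKIP_RSPEC_BUILD=YesPlease …` (or an explicit `test -n "${TEST_TARGET}"` line before it) makes the contract visible in the template itself. Whether every job using the anchor sets the variable cannot be confirmed from this hunk, since the job definitions live outside it.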
@@ -167,43 +174,35 @@ build:binaries: test: <<: *test_definition - script: - # We need to prepare test dependencies as privileged user. - - make -j$(nproc) build prepare-tests $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease) - # But the actual tests should run unprivileged. This assures that we pay - # proper attention to permission bits and that we don't modify the source - # directory. - - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TARGET} SKIP_RSPEC_BUILD=YesPlease $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease) parallel: matrix: # The following jobs all test with our default Git version, which is # using bundled Git binaries. - GO_VERSION: [ "1.16", "1.17" ] - TARGET: test - - TARGET: [ test-with-proxies, test-with-praefect, race-go ] + TEST_TARGET: test + - TEST_TARGET: [ test-with-proxies, test-with-praefect, race-go ] # We also verify that things work as expected with a non-bundled Git # version matching our minimum required Git version. - - TARGET: test + - TEST_TARGET: test GIT_VERSION: "v2.33.0" # Execute tests with our minimum required Postgres version, as well. If # the minimum version changes, please change this to the new minimum # version. Furthermore, please make sure to update the minimum required # version in `datastore.CheckPostgresVersion()`. - POSTGRES_VERSION: "11.14-alpine" - TARGET: [ test, test-with-praefect ] + TEST_TARGET: [ test, test-with-praefect ] test:coverage: <<: *test_definition coverage: /^total:\t+\(statements\)\t+\d+\.\d+%$/ - script: - # We need to explicitly build all prerequisites so that we can run tests unprivileged. 
- - make -j$(nproc) build prepare-tests $(pwd)/_build/tools/gocover-cobertura - - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make cover SKIP_RSPEC_BUILD=YesPlease artifacts: reports: coverage_report: coverage_format: cobertura path: ${TEST_COVERAGE_DIR}/cobertura.xml + variables: + <<: *test_variables + TEST_TARGET: "cover" test:pgbouncer: <<: *test_definition @@ -214,7 +213,7 @@ test:pgbouncer: - name: bitnami/pgbouncer:${PGBOUNCER_VERSION} alias: pgbouncer variables: - <<: *postgres_variables + <<: *test_variables # The following variables are used by PgBouncer to connect to Postgres. POSTGRESQL_HOST: "${PGHOST}" # The image doesn't support setting `auth_user`, so we're cheating and use @@ -236,24 +235,14 @@ test:pgbouncer: # We need to enable per-build networking such that the PgBouncer service # can reach Postgres. FF_NETWORK_PER_BUILD: "true" - before_script: - - *test_before_script - - while ! psql -h "${PGHOST_PGBOUNCER}" -p "${PGPORT_PGBOUNCER}" -U "${PGUSER}" -c 'SELECT 1' > /dev/null; do echo "awaiting PgBouncer service to be ready..." && sleep 1 ; done && echo "PgBouncer service is ready!" - script: - # We need to explicitly build all prerequisites so that we can run tests unprivileged. - - make -j$(nproc) build prepare-tests - - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make test-with-praefect SKIP_RSPEC_BUILD=YesPlease + TEST_TARGET: "test-with-praefect" test:nightly: <<: *test_definition - script: - - go version - - make -j$(nproc) build prepare-tests - - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TARGET} SKIP_RSPEC_BUILD=YesPlease parallel: matrix: - GIT_VERSION: [ "master", "next" ] - TARGET: [ test, test-with-proxies, test-with-praefect ] + TEST_TARGET: [ test, test-with-proxies, test-with-praefect ] rules: - if: '$CI_PIPELINE_SOURCE == "schedule"' 
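Review bot: The `test:pgbouncer` hunk deletes the `while ! psql -h "${PGHOST_PGBOUNCER}" …` readiness loop without replacing it, so the inherited `before_script` now only waits for Postgres itself and `test-with-praefect` can start before the PgBouncer service accepts connections, which would surface as intermittent connection failures rather than a clear error. The `dbschema` hunk later in the diff has the same shape: its `before_script` wait for Postgres is removed while only `variables` is merged from `*test_variables`, and unless that job picks up `*test_before_script` somewhere outside the hunk, `make dump-database-schema no-changes` now races the service startup. Keeping a job-local `before_script: [*test_before_script, <pgbouncer wait line>]` for pgbouncer and restoring the wait loop in dbschema would preserve the previous guarantee.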
@@ -265,6 +254,28 @@ test:praefect_smoke: - ./_build/bin/praefect -config config.praefect.toml sql-ping - ./_build/bin/praefect -config config.praefect.toml sql-migrate +test:fips: + <<: *test_definition + tags: + - fips + image: registry.access.redhat.com/ubi8/ubi:8.5 + before_script: + - test "$(cat /proc/sys/crypto/fips_enabled)" = "1" || (echo "System is not running in FIPS mode" && exit 1) + - dnf module enable -y ruby:2.7 + - dnf install -y bzip2 cmake gcc-c++ git go-toolset libcurl-devel libicu-devel make openssl procps-ng redhat-rpm-config ruby-devel rubygems + - gem install bundler:2.3.15 + - *test_before_script + parallel: + matrix: + - TEST_TARGET: [ test, test-with-praefect ] + FIPS_MODE: "YesPlease" + rules: + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + - if: $CI_MERGE_REQUEST_LABELS =~ /FIPS/ + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + when: manual + allow_failure: true + verify: needs: [] stage: test @@ -296,9 +307,7 @@ dbschema: # available in the build image. - postgres:11.13-alpine variables: - <<: *postgres_variables - before_script: - - while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!" + <<: *test_variables script: - make dump-database-schema no-changes artifacts: @@ -41,7 +41,6 @@ bindir ?= ${exec_prefix}/bin INSTALL_DEST_DIR := ${DESTDIR}${bindir} ## The prefix where Git will be installed to. GIT_PREFIX ?= ${GIT_DEFAULT_PREFIX} -FIPS_MODE ?= 0 # Tools GIT := $(shell command -v git) 
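Review bot: The FIPS precondition in the `test:fips` `before_script` relies on `exit 1` inside a `( … )` subshell, which only terminates that subshell; the job fails only because the `||` list then returns non-zero and the runner's shell aborts on error, which is indirect and easy to break if the line is ever extended. Writing it as `test "$(cat /proc/sys/crypto/fips_enabled)" = "1" || { echo "System is not running in FIPS mode" >&2; exit 1; }` makes the intent explicit. The check also only proves the kernel flag is set; since the job's purpose is to exercise the FIPS-tagged build, a second assertion that the userspace crypto provider is in FIPS mode as well (for example that `openssl md5 /dev/null` is rejected) would catch a runner whose kernel flag is set but whose OpenSSL policy is not, though whether that combination can occur on the `fips`-tagged runners cannot be told from here.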
@@ -75,7 +74,11 @@ GIT2GO_BUILD_TAGS := static,system_libgit2 # of the string "TEMP_GITALY_BUILD_ID". TEMPORARY_BUILD_ID := 54454D505F474954414C595F4255494C445F4944 -ifeq (${FIPS_MODE}, 1) +## FIPS_MODE controls whether to build Gitaly and dependencies in FIPS mode. +## Set this to a non-empty value to enable it. +FIPS_MODE ?= + +ifdef FIPS_MODE SERVER_BUILD_TAGS := ${SERVER_BUILD_TAGS},fips GIT2GO_BUILD_TAGS := ${GIT2GO_BUILD_TAGS},fips @@ -83,6 +86,8 @@ ifeq (${FIPS_MODE}, 1) # requested. Note that we explicitly don't do the same for SHA1: we # instead use SHA1DC to protect users against the SHAttered attack. GIT_FIPS_BUILD_OPTIONS := OPENSSL_SHA256=YesPlease + + export GITALY_TESTING_ENABLE_FIPS := YesPlease endif # Dependency versions diff --git a/internal/testhelper/testcfg/build.go b/internal/testhelper/testcfg/build.go index 262bc0058..f4e6be180 100644 --- a/internal/testhelper/testcfg/build.go +++ b/internal/testhelper/testcfg/build.go @@ -116,10 +116,17 @@ func BuildBinary(t testing.TB, targetDir, sourcePath string) string { "PATH=%s:%s", filepath.Dir(gitExecEnv.BinaryPath), os.Getenv("PATH"), )) + buildTags := []string{ + "static", "system_libgit2", "gitaly_test", + } + if os.Getenv("GITALY_TESTING_ENABLE_FIPS") != "" { + buildTags = append(buildTags, "fips") + } + cmd := exec.Command( "go", "build", - "-tags", "static,system_libgit2,gitaly_test", + "-tags", strings.Join(buildTags, ","), "-o", sharedBinaryPath, sourcePath, ) |
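Review bot: Switching from `ifeq (${FIPS_MODE}, 1)` to `ifdef FIPS_MODE` silently inverts the meaning of the old documented off-value: `make FIPS_MODE=0` (or an exported `FIPS_MODE=0` in a CI environment) is non-empty and now enables the `fips` build tags and the `GITALY_TESTING_ENABLE_FIPS` export. Since the previous default `FIPS_MODE ?= 0` is removed in the preceding Makefile hunk, any caller that still passes the explicit `0` gets a FIPS build without warning. Rejecting the legacy values makes the transition loud: `ifneq ($(filter 0 no false,$(FIPS_MODE)),)` / `$(error FIPS_MODE is now a flag: leave it empty to disable FIPS mode)` / `endif` placed before the `ifdef`.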
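Review bot: The new `fips` tag selection in `BuildBinary` keys off `GITALY_TESTING_ENABLE_FIPS`, but nothing in the Go code records where that variable comes from or why the helper must agree with the Makefile's tag set; a one-line comment above `buildTags` such as `// GITALY_TESTING_ENABLE_FIPS is exported by the Makefile when FIPS_MODE is set, so binaries built here get the same fips tag the Makefile uses.` would tie the two halves of the change together for the next reader. `BuildBinary` begins before the hunk, so the surrounding context was not reviewed.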