authorPatrick Steinhardt <psteinhardt@gitlab.com>2022-06-20 12:08:42 +0300
committerPatrick Steinhardt <psteinhardt@gitlab.com>2022-06-20 12:08:42 +0300
commit6afafb4620863227175948c0f6266528c343d5e0 (patch)
tree2d6d8384dcd7e169b1affb31a4295ae127594f57
parent2b069d8536df98547acba92719b7554d1c7f2262 (diff)
parent72497fc37983c9249261df2afd417069b7d4f1fa (diff)
Merge branch 'pks-ci-add-fips-testing' into 'master'
ci: Add jobs which exercise Gitaly in FIPS mode See merge request gitlab-org/gitaly!4622
-rw-r--r--.gitlab-ci.yml75
-rw-r--r--Makefile9
-rw-r--r--internal/testhelper/testcfg/build.go9
3 files changed, 57 insertions, 36 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d969f49a7..cdc5b575a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -84,7 +84,7 @@ include:
- name: postgres:${POSTGRES_VERSION}
alias: postgres
command: ["postgres", "-c", "max_connections=500"]
- variables: &postgres_variables
+ variables: &test_variables
PGHOST: postgres
PGPORT: 5432
PGUSER: postgres
@@ -95,10 +95,17 @@ include:
TEST_FULL_OUTPUT: /tmp/test-output.log
before_script: &test_before_script
- go version
- - while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!"
# Create a directory for the unprivileged user that we're running tests as.
# This is required so that we can still store test reports successfully.
- install --directory --owner=${TEST_UID} --group=${TEST_UID} _unprivileged
+ # We need to explicitly build all prerequisites so that we can run tests unprivileged.
+ - make -j$(nproc) build prepare-tests $(pwd)/_build/tools/gocover-cobertura $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease)
+ script:
+ # But the actual tests should run unprivileged. This assures that we pay
+ # proper attention to permission bits and that we don't modify the source
+ # directory.
+ - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TEST_TARGET} SKIP_RSPEC_BUILD=YesPlease $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease)
+
after_script:
- |
# Checking for panics in ${TEST_FULL_OUTPUT}
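Review bot: The shared `script:` line `- setpriv … make ${TEST_TARGET} …` now depends on every job that includes `test_definition` setting `TEST_TARGET`; with it unset, `make` is invoked with no goal and silently builds the default target instead of failing the job. A guard just before the setpriv line, `- test -n "${TEST_TARGET}" || (echo "TEST_TARGET is not set" && exit 1)`, would make a misconfigured job fail loudly. Note also that the shared before_script now builds `$(pwd)/_build/tools/gocover-cobertura` for every test job rather than only `test:coverage`; if that is intended, a short comment saying so would save the next reader from asking.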
@@ -167,43 +174,35 @@ build:binaries:
test:
<<: *test_definition
- script:
- # We need to prepare test dependencies as privileged user.
- - make -j$(nproc) build prepare-tests $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease)
- # But the actual tests should run unprivileged. This assures that we pay
- # proper attention to permission bits and that we don't modify the source
- # directory.
- - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TARGET} SKIP_RSPEC_BUILD=YesPlease $(test "${GIT_VERSION}" = default && echo WITH_BUNDLED_GIT=YesPlease)
parallel:
matrix:
# The following jobs all test with our default Git version, which is
# using bundled Git binaries.
- GO_VERSION: [ "1.16", "1.17" ]
- TARGET: test
- - TARGET: [ test-with-proxies, test-with-praefect, race-go ]
+ TEST_TARGET: test
+ - TEST_TARGET: [ test-with-proxies, test-with-praefect, race-go ]
# We also verify that things work as expected with a non-bundled Git
# version matching our minimum required Git version.
- - TARGET: test
+ - TEST_TARGET: test
GIT_VERSION: "v2.33.0"
# Execute tests with our minimum required Postgres version, as well. If
# the minimum version changes, please change this to the new minimum
# version. Furthermore, please make sure to update the minimum required
# version in `datastore.CheckPostgresVersion()`.
- POSTGRES_VERSION: "11.14-alpine"
- TARGET: [ test, test-with-praefect ]
+ TEST_TARGET: [ test, test-with-praefect ]
test:coverage:
<<: *test_definition
coverage: /^total:\t+\(statements\)\t+\d+\.\d+%$/
- script:
- # We need to explicitly build all prerequisites so that we can run tests unprivileged.
- - make -j$(nproc) build prepare-tests $(pwd)/_build/tools/gocover-cobertura
- - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make cover SKIP_RSPEC_BUILD=YesPlease
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: ${TEST_COVERAGE_DIR}/cobertura.xml
+ variables:
+ <<: *test_variables
+ TEST_TARGET: "cover"
test:pgbouncer:
<<: *test_definition
@@ -214,7 +213,7 @@ test:pgbouncer:
- name: bitnami/pgbouncer:${PGBOUNCER_VERSION}
alias: pgbouncer
variables:
- <<: *postgres_variables
+ <<: *test_variables
# The following variables are used by PgBouncer to connect to Postgres.
POSTGRESQL_HOST: "${PGHOST}"
# The image doesn't support setting `auth_user`, so we're cheating and use
@@ -236,24 +235,14 @@ test:pgbouncer:
# We need to enable per-build networking such that the PgBouncer service
# can reach Postgres.
FF_NETWORK_PER_BUILD: "true"
- before_script:
- - *test_before_script
- - while ! psql -h "${PGHOST_PGBOUNCER}" -p "${PGPORT_PGBOUNCER}" -U "${PGUSER}" -c 'SELECT 1' > /dev/null; do echo "awaiting PgBouncer service to be ready..." && sleep 1 ; done && echo "PgBouncer service is ready!"
- script:
- # We need to explicitly build all prerequisites so that we can run tests unprivileged.
- - make -j$(nproc) build prepare-tests
- - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make test-with-praefect SKIP_RSPEC_BUILD=YesPlease
+ TEST_TARGET: "test-with-praefect"
test:nightly:
<<: *test_definition
- script:
- - go version
- - make -j$(nproc) build prepare-tests
- - setpriv --reuid=${TEST_UID} --regid=${TEST_UID} --clear-groups --no-new-privs make ${TARGET} SKIP_RSPEC_BUILD=YesPlease
parallel:
matrix:
- GIT_VERSION: [ "master", "next" ]
- TARGET: [ test, test-with-proxies, test-with-praefect ]
+ TEST_TARGET: [ test, test-with-proxies, test-with-praefect ]
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
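Review bot: Dropping the job-level `before_script` removes the loop that waited for the PgBouncer service (`psql -h "${PGHOST_PGBOUNCER}" -p "${PGPORT_PGBOUNCER}" …`); the shared `test_before_script` only waits for Postgres itself, so `test-with-praefect` can now start before PgBouncer accepts connections and fail intermittently. Unless that readiness check moved somewhere outside this hunk, restore it as a job-level override that still chains the shared step: `before_script:` / `- *test_before_script` / `- while ! psql -h "${PGHOST_PGBOUNCER}" -p "${PGPORT_PGBOUNCER}" -U "${PGUSER}" -c 'SELECT 1' > /dev/null; do sleep 1; done`. The `test:pgbouncer` job header is outside this hunk.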
@@ -265,6 +254,28 @@ test:praefect_smoke:
- ./_build/bin/praefect -config config.praefect.toml sql-ping
- ./_build/bin/praefect -config config.praefect.toml sql-migrate
+test:fips:
+ <<: *test_definition
+ tags:
+ - fips
+ image: registry.access.redhat.com/ubi8/ubi:8.5
+ before_script:
+ - test "$(cat /proc/sys/crypto/fips_enabled)" = "1" || (echo "System is not running in FIPS mode" && exit 1)
+ - dnf module enable -y ruby:2.7
+ - dnf install -y bzip2 cmake gcc-c++ git go-toolset libcurl-devel libicu-devel make openssl procps-ng redhat-rpm-config ruby-devel rubygems
+ - gem install bundler:2.3.15
+ - *test_before_script
+ parallel:
+ matrix:
+ - TEST_TARGET: [ test, test-with-praefect ]
+ FIPS_MODE: "YesPlease"
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_MERGE_REQUEST_LABELS =~ /FIPS/
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: manual
+ allow_failure: true
+
verify:
needs: []
stage: test
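Review bot: `allow_failure: true` is set at job level, so it also covers the `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` and `/FIPS/`-label rules, and a FIPS regression on the default branch leaves the pipeline green with only a warning. If the intent is just to keep the manual merge-request run non-blocking, attach the flag to that rule alone: `- if: $CI_PIPELINE_SOURCE == "merge_request_event"` / `when: manual` / `allow_failure: true`, and drop the job-level line. The `fips_enabled` precondition is a good guard; a one-line comment such as `# Refuse to run on a runner that is not in FIPS mode, so a green job really proves FIPS operation` would explain why it exits rather than warns.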
@@ -296,9 +307,7 @@ dbschema:
# available in the build image.
- postgres:11.13-alpine
variables:
- <<: *postgres_variables
- before_script:
- - while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!"
+ <<: *test_variables
script:
- make dump-database-schema no-changes
artifacts:
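Review bot: The Postgres readiness loop removed from `dbschema` is only replaced if this job also runs `test_before_script`; the hunk shows it picking up `*test_variables` but neither `*test_definition` nor `*test_before_script`, and the job header is outside the hunk. If it does not inherit that anchor, `make dump-database-schema no-changes` can now run before the `postgres:11.13-alpine` service accepts connections. Either keep a job-level `before_script:` / `- *test_before_script`, or confirm the inheritance with a comment on the `variables:` block.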
diff --git a/Makefile b/Makefile
index 117498e19..7503b8729 100644
--- a/Makefile
+++ b/Makefile
@@ -41,7 +41,6 @@ bindir ?= ${exec_prefix}/bin
INSTALL_DEST_DIR := ${DESTDIR}${bindir}
## The prefix where Git will be installed to.
GIT_PREFIX ?= ${GIT_DEFAULT_PREFIX}
-FIPS_MODE ?= 0
# Tools
GIT := $(shell command -v git)
@@ -75,7 +74,11 @@ GIT2GO_BUILD_TAGS := static,system_libgit2
# of the string "TEMP_GITALY_BUILD_ID".
TEMPORARY_BUILD_ID := 54454D505F474954414C595F4255494C445F4944
-ifeq (${FIPS_MODE}, 1)
+## FIPS_MODE controls whether to build Gitaly and dependencies in FIPS mode.
+## Set this to a non-empty value to enable it.
+FIPS_MODE ?=
+
+ifdef FIPS_MODE
SERVER_BUILD_TAGS := ${SERVER_BUILD_TAGS},fips
GIT2GO_BUILD_TAGS := ${GIT2GO_BUILD_TAGS},fips
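Review bot: Switching from `ifeq (${FIPS_MODE}, 1)` to `ifdef FIPS_MODE` changes what `FIPS_MODE=0` means: `ifdef` is true for any non-empty value, so an invocation that used the old default `0` to disable FIPS now enables it, and the `-FIPS_MODE ?= 0` deletion in the first Makefile hunk removed the only place that made the old convention explicit. If backwards compatibility matters, test the value rather than its presence, e.g. `ifneq ($(filter-out 0,$(strip $(FIPS_MODE))),)`, and adjust the doc comment to `## Set this to a non-empty value other than 0 to enable it.` Otherwise, at least extend the comment to warn that `0` also enables it.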
@@ -83,6 +86,8 @@ ifeq (${FIPS_MODE}, 1)
# requested. Note that we explicitly don't do the same for SHA1: we
# instead use SHA1DC to protect users against the SHAttered attack.
GIT_FIPS_BUILD_OPTIONS := OPENSSL_SHA256=YesPlease
+
+ export GITALY_TESTING_ENABLE_FIPS := YesPlease
endif
# Dependency versions
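Review bot: The new `export GITALY_TESTING_ENABLE_FIPS := YesPlease` has no comment saying who reads it, and it sits in a block otherwise about Git build options; the consumer is `internal/testhelper/testcfg/build.go` in this same commit. A comment such as `# Consumed by internal/testhelper/testcfg/build.go so that helper binaries built during tests carry the fips tag as well.` would keep both sides of the contract discoverable. The `ifdef FIPS_MODE` block this line belongs to starts outside the hunk.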
diff --git a/internal/testhelper/testcfg/build.go b/internal/testhelper/testcfg/build.go
index 262bc0058..f4e6be180 100644
--- a/internal/testhelper/testcfg/build.go
+++ b/internal/testhelper/testcfg/build.go
@@ -116,10 +116,17 @@ func BuildBinary(t testing.TB, targetDir, sourcePath string) string {
"PATH=%s:%s", filepath.Dir(gitExecEnv.BinaryPath), os.Getenv("PATH"),
))
+ buildTags := []string{
+ "static", "system_libgit2", "gitaly_test",
+ }
+ if os.Getenv("GITALY_TESTING_ENABLE_FIPS") != "" {
+ buildTags = append(buildTags, "fips")
+ }
+
cmd := exec.Command(
"go",
"build",
- "-tags", "static,system_libgit2,gitaly_test",
+ "-tags", strings.Join(buildTags, ","),
"-o", sharedBinaryPath,
sourcePath,
)
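Review bot: The `fips` tag for helper binaries is keyed on the `GITALY_TESTING_ENABLE_FIPS` environment variable rather than on how the test binary itself was built, so `go test -tags fips` run outside `make` silently produces non-FIPS helpers while the tests themselves run with FIPS-only code paths. Consider deriving the flag from a build-tag-gated constant (one file with `//go:build fips` setting a package-level `fipsEnabled = true` and a counterpart setting `false`) so the helper always matches the test binary, keeping the env var only as an explicit override if one is still needed. Either way, a comment on the `if os.Getenv("GITALY_TESTING_ENABLE_FIPS") != ""` line naming the Makefile as the setter would help, and please confirm `strings` is already imported, since the import block is outside the hunk. BuildBinary starts outside the hunk.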