feat: [SVLS-6272] fips features for bottlecap (#1028)

apiarian-datadog · web-flow · commit d6a2da32c6b9 · 2025-04-24T17:14:12.000Z
We need a `ddcommon/fips` and a `trace_utils/fips` feature. This functionality is written specifically for use in the datadog-lambda-extension. Other use cases should probably validate carefully that the right dependencies are being used in their builds.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -44,8 +44,12 @@ jobs:
       - name: Run clippy on ${{ matrix.platform }} ${{ matrix.rust_version }}
         shell: bash
         run: |
+          if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then
+            export AWS_LC_FIPS_SYS_NO_ASM=1
+          fi
           # shellcheck disable=SC2046
           cargo clippy --workspace --all-targets --all-features -- -D warnings $([ ${{ matrix.rust_version }} = 1.78.0 ] || [ ${{ matrix.rust_version }} = stable ] && echo -Aunknown-lints -Ainvalid_reference_casting -Aclippy::redundant-closure-call)
+
   licensecheck:
     runs-on: ubuntu-latest
     name: "Presence of licence headers"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -56,19 +56,19 @@ jobs:
         # Run doc tests with cargo test and run tests with nextest and generate junit.xml
         run: cargo test --workspace --exclude builder --doc --verbose && cargo nextest run --workspace --exclude builder --profile ci --verbose -E '!test(tracing_integration_tests::)'
         env:
-          RUST_BACKTRACE: 1
+          RUST_BACKTRACE: full
       - name: "[${{ steps.rust-version.outputs.version}}] Tracing integration tests: cargo nextest run --workspace --exclude builder --profile ci --test-threads=1 --verbose -E 'test(tracing_integration_tests::)'"
         if: runner.os == 'Linux'
         shell: bash
         run: cargo nextest run --workspace --exclude builder --profile ci --test-threads=1 --verbose -E 'test(tracing_integration_tests::)'
         env:
-          RUST_BACKTRACE: 1
+          RUST_BACKTRACE: full
       - name: "[${{ steps.rust-version.outputs.version}}] RUSTFLAGS=\"-C prefer-dynamic\" cargo nextest run --package test_spawn_from_lib --features prefer-dynamic -E '!test(tracing_integration_tests::)'"
         shell: bash
         run: cargo nextest run --package test_spawn_from_lib --features prefer-dynamic -E '!test(tracing_integration_tests::)'
         env:
           RUSTFLAGS: "-C prefer-dynamic"
-          RUST_BACKTRACE: 1
+          RUST_BACKTRACE: full
       - name: Report Test Results
         if: success() || failure()
         uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # 4.3.1
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/LICENSE-3rdparty.yml b/LICENSE-3rdparty.yml
@@ -2492,7 +2492,7 @@ third_party_libraries:
       IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
       DEALINGS IN THE SOFTWARE.
 - package_name: aws-lc-rs
-  package_version: 1.10.0
+  package_version: 1.13.0
   repository: https://github.com/aws/aws-lc-rs
   license: ISC AND (Apache-2.0 OR ISC)
   licenses:
@@ -2905,7 +2905,7 @@ third_party_libraries:
       ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
       OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 - package_name: aws-lc-sys
-  package_version: 0.22.0
+  package_version: 0.28.0
   repository: https://github.com/aws/aws-lc-rs
   license: ISC AND (Apache-2.0 OR ISC) AND OpenSSL
   licenses:
@@ -15402,9 +15402,9 @@ third_party_libraries:
          limitations under the License.
 
 - package_name: itertools
-  package_version: 0.12.1
+  package_version: 0.10.5
   repository: https://github.com/rust-itertools/itertools
-  license: MIT OR Apache-2.0
+  license: MIT/Apache-2.0
   licenses:
   - license: MIT
     text: |
@@ -17827,13 +17827,6 @@ third_party_libraries:
       LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
       THE SOFTWARE.
-- package_name: mirai-annotations
-  package_version: 1.12.0
-  repository: https://github.com/facebookexperimental/MIRAI
-  license: MIT
-  licenses:
-  - license: MIT
-    text: NOT FOUND
 - package_name: msvc-demangler
   package_version: 0.10.1
   repository: https://github.com/mstange/msvc-demangler-rust
@@ -23406,7 +23399,7 @@ third_party_libraries:
       IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
       DEALINGS IN THE SOFTWARE.
 - package_name: rustls
-  package_version: 0.23.18
+  package_version: 0.23.23
   repository: https://github.com/rustls/rustls
   license: Apache-2.0 OR ISC OR MIT
   licenses:
diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml
@@ -76,3 +76,16 @@ use_webpki_roots = ["hyper-rustls/webpki-roots"]
 # Enable this feature to enable stubbing of cgroup
 # php directly import this crate and uses functions gated by this feature for their test
 cgroup_testing = []
+# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)
+fips = ["https", "hyper-rustls/fips"]
+
+[lints.rust]
+# We run coverage checks in our github actions. These checks are run with
+# --all-features which is incompatible with our fips feature. The crypto
+# provider default needs to be set by the caller in fips mode. For now, we want
+# to make sure that the coverage tests use the non-fips version of the crypto
+# provider initialization logic, so we added a coverage cfg check on the
+# function in src/connector/mod.rs. The coverage config is actually not used in
+# normal environments, so we need to let the rust linter know that it is in
+# fact a real thing, though one that shows up only in some situations.
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(coverage)'] }
diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs
@@ -96,6 +96,8 @@ mod https {
     /// sometimes this is done as a side-effect of other operations, but we need to ensure it
     /// happens here.  On non-unix platforms, ddcommon uses `ring` instead, which handles this
     /// at rustls initialization. TODO: Move to the more ergonomic LazyLock when MSRV is 1.80
+    /// In fips mode we expect someone to have done this already.
+    #[cfg(any(not(feature = "fips"), coverage))]
     fn ensure_crypto_provider_initialized() {
         use std::sync::OnceLock;
         static INIT_CRYPTO_PROVIDER: OnceLock<()> = OnceLock::new();
@@ -108,6 +110,11 @@ mod https {
         });
     }
 
+    // This actually needs to be done by the user somewhere in their own main. This will only
+    // be active on Unix platforms
+    #[cfg(all(feature = "fips", not(coverage)))]
+    fn ensure_crypto_provider_initialized() {}
+
     #[cfg(feature = "use_webpki_roots")]
     pub(super) fn build_https_connector_with_webpki_roots() -> anyhow::Result<
         hyper_rustls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>,
diff --git a/local-linux.Dockerfile b/local-linux.Dockerfile
@@ -13,8 +13,13 @@ RUN apt-get update && \
     protobuf-compiler \
     docker.io \
     sudo \
+    wget \
     && rm -rf /var/lib/apt/lists/*
 
+# We need go in order to build aws-lc-fips-sys
+RUN wget -O go1.24.2.linux-arm64.tar.gz https://go.dev/dl/go1.24.2.linux-arm64.tar.gz \
+    && tar -C /usr/local -xzf go1.24.2.linux-arm64.tar.gz
+
 # Docker-in-Docker configuration (necessary for integration tests)
 RUN mkdir -p /var/lib/docker
 EXPOSE 2375
diff --git a/trace-utils/Cargo.toml b/trace-utils/Cargo.toml
@@ -76,3 +76,5 @@ test-utils = [
 ]
 proxy = ["hyper-http-proxy"]
 compression = ["zstd", "flate2"]
+# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)
+fips = ["ddcommon/fips"]

Original file line number	Diff line number	Diff line change
`@@ -76,3 +76,5 @@ test-utils = [`
`76`	`76`	`]`
`77`	`77`	`proxy = ["hyper-http-proxy"]`
`78`	`78`	`compression = ["zstd", "flate2"]`
	`79`	`+# FIPS mode uses the FIPS-compliant cryptographic provider (Unix only)`
	`80`	`+fips = ["ddcommon/fips"]`