Use labkit for fips check
What does this MR do?
labkit v1.14.0 added support for performing fips checks. This MR removes the existing code from pages and uses labkit for it.
The fips build tag is used instead of boringcrypto in labkit to align to business names and to not inherit build tag dependency.
Testing
# building pages on a FIPS machine
gitlab-pages git:(fips-labkit) ✗ FIPS_MODE=1 make gitlab-pages
mkdir -p .GOPATH
GOBIN=/home/ec2-user/gitlab-pages/bin go install -v -ldflags="-X "main.VERSION=1.57.0" -X "main.REVISION=833b02a"" -tags "continuous_profiler_stackdriver,fips" -buildmode exe gitlab.com/gitlab-org/gitlab-pages
GO_BUILD_ID=$( go tool buildid /home/ec2-user/gitlab-pages/bin/gitlab-pages ) && \
GNU_BUILD_ID=$( echo $GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
GOBIN=/home/ec2-user/gitlab-pages/bin go install -v -ldflags="-X "main.VERSION=1.57.0" -X "main.REVISION=833b02a" -B 0x$GNU_BUILD_ID" -tags "continuous_profiler_stackdriver,fips" -buildmode exe gitlab.com/gitlab-org/gitlab-pages
go tool nm /home/ec2-user/gitlab-pages/bin/gitlab-pages | grep boringcrypto >/dev/null && echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
binary is correctly built in FIPS mode
cp -f /home/ec2-user/gitlab-pages/bin/gitlab-pages .
# checking if boring functions are properly compiled
gitlab-pages git:(fips-labkit) ✗ go tool nm gitlab-pages | grep _Cfunc__goboringcrypto_
401870 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
4018f0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bn2bin
401960 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
401c30 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_new
4019a0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_num_bytes
401a00 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_DLOPEN_OPENSSL
...
TODO
- I added the Changelog trailer (e.g. Changelog: added) to the commits that need to be included in the changelog
- I added unit tests or they are not required
- I added acceptance tests or they are not required
- I added documentation (or it's not required)
- I followed code review guidelines
- I followed Go Style guidelines
Edited by Vishal Tak
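
The two symbol checks in the testing session above can be combined into one stricter gate. This is an added example, not code from this MR or the GitLab Pages Makefile; the function names and the `min` threshold are hypothetical, and the sample symbol tables are constructed from lines shown in the session.

```shell
#!/bin/sh
# Added example (not from the MR). Reads `go tool nm` output on stdin and
# prints how many defined text-section symbols (type T or t) are cgo
# wrappers whose name contains _Cfunc__goboringcrypto_.
# Undefined references (type U, no address column) are not counted.
count_boring_symbols() {
    awk '($2 == "T" || $2 == "t") && $3 ~ /_Cfunc__goboringcrypto_/ { n++ }
         END { print n + 0 }'
}

# Succeeds only if at least `min` (default 1) wrappers are defined.
# Hypothetical usage on a real binary:
#   go tool nm ./gitlab-pages | is_fips_build || exit 1
is_fips_build() {
    min="${1:-1}"
    n="$(count_boring_symbols)"
    [ "$n" -ge "$min" ]
}

# Constructed sample: three symbol lines copied from the session above,
# plus a constructed undefined reference and an unrelated symbol.
sample_fips() {
    cat <<'EOF'
  401870 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
  4018f0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bn2bin
  401960 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
         U _Cfunc__goboringcrypto_constructed_undefined
  45f2a0 T main.main
EOF
}

# Constructed sample: a symbol table with no boringcrypto cgo wrappers.
sample_plain() {
    cat <<'EOF'
  45f2a0 T main.main
  4a1000 D constructed.dataSymbol
EOF
}
```

Unlike a plain substring `grep`, this counts only symbols that are actually defined in the text section, so a stray reference or data symbol with a matching name does not make the check pass.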