config: fips: bin: Initial implementation to enable FIPS compliance#12024
config: fips: bin: Initial implementation to enable FIPS compliance#12024cosmo0920 wants to merge 8 commits into
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughThis PR adds FIPS mode configuration and startup initialization, wires a CLI enable flag, updates Azure Blob block ID generation for FIPS mode, and adds an S3 initialization guard for an incompatible setting. ChangesFIPS mode support
Estimated code review effort: 4 (Complex) | ~45 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e609bd5506
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/internal/azure_blob_path.c`:
- Around line 501-511: The current test for azb_block_blob_id_blob only checks
that the FIPS ID differs from the default ID, which does not verify the SHA-256
contract. Update the test in azure_blob_path.c to compare fips_id against a
known-good SHA-256-derived block ID, or compute the expected value using
FLB_HASH_SHA256, so the assertion directly validates the digest used by
azb_block_blob_id_blob when config.fips_mode is enabled.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 88b39125-649e-46f9-bc15-097fb3cce5b3
📒 Files selected for processing (3)
plugins/out_azure_blob/azure_blob.cplugins/out_azure_blob/azure_blob_blockblob.ctests/internal/azure_blob_path.c
19dc71a to
a2bf4af
Compare
edsiper
left a comment
There was a problem hiding this comment.
let's verify the configuration option name/prefix
| #define FLB_CONF_STR_STREAMS_FILE "Streams_File" | ||
| #define FLB_CONF_STR_STREAMS_STR_CONV "sp.convert_from_str_to_num" | ||
| #define FLB_CONF_STR_CONV_NAN "json.convert_nan_to_null" | ||
| #define FLB_CONF_STR_FIPS_MODE "FIPS_Mode" |
There was a problem hiding this comment.
I think we should get rid of camel case and just use lowercase for simplicity. also I think we need a prefix for those options, maybe security.* ?
There was a problem hiding this comment.
Yeah, good point. I fix to use security.fips_mode here.
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
a2bf4af to
b2d97ad
Compare
This PR implements the first step to enable FIPS compliance of OpenSSL component.
On trying to enable FIPS components, we need to failed to launch on exception to load FIPS module with turning on FIPS setting.
Plus, on enabled FIPS, we also need to block to use MD5 hash on out_s3 plugin.
This is related to #4640.
Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
ok-package-testlabel to test for all targets (requires maintainer to do).Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
Summary by CodeRabbit
--enable-fips, including startup-time initialization.