config: fips: bin: Initial implementation to enable FIPS compliance #12024
cosmo0920 wants to merge 8 commits into
CodeRabbit: No actionable comments were generated in the recent review.
Walkthrough (CodeRabbit): This PR adds FIPS mode configuration, initialization, and startup wiring, plus Azure Blob block ID changes for FIPS mode and an S3 output validation check. It also adds a CLI flag to enable FIPS and a test covering Azure Blob ID generation.
Estimated code review effort: 4 (Complex), ~45 minutes.

Sequence diagram (mermaid source):
sequenceDiagram
participant CLI
participant flb_engine_start
participant flb_fips_init
participant OpenSSL
CLI->>flb_engine_start: start with config
flb_engine_start->>flb_fips_init: flb_fips_init(config)
flb_fips_init->>OpenSSL: load base provider
flb_fips_init->>OpenSSL: load fips provider
flb_fips_init->>OpenSSL: enable FIPS default properties
OpenSSL-->>flb_fips_init: verify properties
flb_fips_init-->>flb_engine_start: status and active flag
flb_engine_start-->>CLI: continue or abort
Pre-merge checks: 4 passed, 1 failed (warning).
Codex Review (automated): Here are some automated review suggestions for this pull request. Reviewed commit: e609bd5506
Actionable comments posted: 1
Inline comments:
- In tests/internal/azure_blob_path.c, around lines 501-511: The current test for azb_block_blob_id_blob only checks that the FIPS ID differs from the default ID, which does not verify the SHA-256 contract. Update the test in azure_blob_path.c to compare fips_id against a known-good SHA-256-derived block ID, or compute the expected value using FLB_HASH_SHA256, so the assertion directly validates the digest used by azb_block_blob_id_blob when config.fips_mode is enabled.
Review info: configuration defaults, review profile CHILL, plan Pro, run ID 88b39125-649e-46f9-bc15-097fb3cce5b3.
Files selected for processing (3):
- plugins/out_azure_blob/azure_blob.c
- plugins/out_azure_blob/azure_blob_blockblob.c
- tests/internal/azure_blob_path.c
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
force-pushed from 19dc71a to a2bf4af
This PR implements the first step to enable FIPS compliance of the OpenSSL component.
When enabling FIPS components, we need to fail to launch on an exception when loading the FIPS module with the FIPS setting turned on.
Plus, with FIPS enabled, we also need to block the use of the MD5 hash in the out_s3 plugin.
This is related to #4640.
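As an added illustration (not Fluent Bit's code, and written in Python rather than the project's C so it runs without an OpenSSL FIPS provider installed), the following models the two policies this PR describes and that the review comment above asks to be tested properly: refuse MD5 when FIPS mode is on, and check the SHA-256-derived block ID against a known-good vector rather than only asserting that two IDs differ. The block-ID derivation in `block_id`, the `validate_s3_output` check, and the `FIPS_APPROVED` set are assumptions for this example, not the project's own functions or configuration.

```python
import base64
import hashlib

# Constructed test vectors: the published SHA-256 (FIPS 180-4) and MD5 (RFC 1321)
# digests of the three-byte input b"abc".  Comparing against these checks the
# digest contract itself, not merely that a FIPS ID differs from a default ID.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"

# Assumption for this example: the SHA-2 family is what a FIPS-mode build may
# use for integrity hashes and IDs.  The page itself names only SHA-256.
FIPS_APPROVED = {"sha256", "sha384", "sha512"}


class FipsViolation(RuntimeError):
    """Raised when a non-approved algorithm is requested while FIPS mode is on."""


def select_digest(name: str, fips_mode: bool):
    """Return the hashlib constructor for `name`, refusing it in FIPS mode
    unless it is approved.  This mirrors the 'block MD5 when FIPS is on' rule."""
    if fips_mode and name not in FIPS_APPROVED:
        raise FipsViolation(f"{name} is not permitted in FIPS mode")
    return getattr(hashlib, name)


def digest_hex(name: str, data: bytes, fips_mode: bool) -> str:
    """Hex digest of `data` under the FIPS policy."""
    return select_digest(name, fips_mode)(data).hexdigest()


def block_id(tag: str, offset: int, fips_mode: bool) -> str:
    """Hypothetical block-ID derivation (not azb_block_blob_id_blob): hash the
    string "tag:offset", keep the first 16 bytes, base64-encode them.  Azure
    requires every block ID within one blob to have the same length, so both
    modes truncate to the same width; only the digest changes (MD5 -> SHA-256)."""
    material = f"{tag}:{offset}".encode("utf-8")
    algo = "sha256" if fips_mode else "md5"
    raw = select_digest(algo, fips_mode)(material).digest()[:16]
    return base64.b64encode(raw).decode("ascii")


def validate_s3_output(fips_mode: bool, content_md5_enabled: bool):
    """Hypothetical out_s3 startup validation: the S3 Content-MD5 integrity
    header needs MD5, so refuse the configuration at startup in FIPS mode
    instead of failing on the first upload.  Returns (ok, reason)."""
    if fips_mode and content_md5_enabled:
        return False, "out_s3: Content-MD5 requires MD5, which is blocked in FIPS mode"
    return True, None


if __name__ == "__main__":
    # Known-answer checks of the kind the review comment asks for.
    assert digest_hex("sha256", b"abc", True) == SHA256_ABC
    assert digest_hex("md5", b"abc", False) == MD5_ABC
    print("default block id:", block_id("app.log", 0, False))
    print("fips    block id:", block_id("app.log", 0, True))
    print("out_s3 with Content-MD5 under FIPS:", validate_s3_output(True, True))
    try:
        select_digest("md5", True)
    except FipsViolation as exc:
        print("startup refused:", exc)
```

The point of the constructed vectors is the one the review raised: a test that only asserts `fips_id != default_id` would still pass if the FIPS path silently used the wrong digest, whereas a known-answer comparison pins the algorithm.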
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
Summary by CodeRabbit: adds the --enable-fips CLI flag.