

fipsccl: Add a SQL function to check fips status
This function provides a way to verify FIPS readiness without modifying
the deployment to add the --enterprise-require-fips-ready flag.

Updates #114344

Release note (enterprise change): New SQL function fips_ready can be
used to verify the FIPS readiness of the gateway node.
bdarnell committed Nov 28, 2023
1 parent 1ceb423 commit 62af449
Showing 23 changed files with 161 additions and 8 deletions.
1 change: 1 addition & 0 deletions pkg/ccl/BUILD.bazel
Expand Up @@ -21,6 +21,7 @@ go_library(
"//pkg/ccl/oidcccl",
"//pkg/ccl/partitionccl",
"//pkg/ccl/pgcryptoccl",
"//pkg/ccl/securityccl/fipsccl",
"//pkg/ccl/storageccl",
"//pkg/ccl/storageccl/engineccl",
"//pkg/ccl/streamingccl/streamingest",
1 change: 1 addition & 0 deletions pkg/ccl/ccl_init.go
Expand Up @@ -27,6 +27,7 @@ import (
_ "github.com/cockroachdb/cockroach/pkg/ccl/oidcccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/partitionccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/pgcryptoccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/storageccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/storageccl/engineccl"
_ "github.com/cockroachdb/cockroach/pkg/ccl/streamingccl/streamingest"
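--- a/pkg/ccl/logictestccl/testdata/logic_test/fips_ready
+++ b/pkg/ccl/logictestccl/testdata/logic_test/fips_ready
@@ -0,0 +1,14 @@
+subtest fips_ready
+
+# We do not have the plumbing that would let test cases know whether they are
+# running in a fips environment or not so this is just a very basic test to
+# make sure that all the registration, oids, etc work properly.
+query _
+SELECT crdb_internal.fips_ready()
+----
+_
+
+user testuser
+
+statement error pq: crdb_internal\.fips_ready\(\): user testuser does not have VIEWCLUSTERSETTING system privilege
+SELECT crdb_internal.fips_ready()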
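Review bot: Only the denied path for testuser is exercised, so the two positive non-admin branches the builtin implements in sql.go — a user holding the VIEWCLUSTERSETTING role option and a user holding the VIEWCLUSTERSETTING system privilege — have no coverage here. A `GRANT SYSTEM VIEWCLUSTERSETTING TO testuser` issued as root, followed by a second `user testuser` / `query _` block, would cover the system-privilege branch without the test needing to know whether the host is FIPS-ready. The comment explaining why the boolean itself is not asserted is worth keeping as is.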
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/fakedist-disk/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 6,
shard_count = 7,
tags = [
"ccl_test",
"cpu:2",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/fakedist-disk/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/fakedist-vec-off/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 6,
shard_count = 7,
tags = [
"ccl_test",
"cpu:2",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/fakedist-vec-off/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/fakedist/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 7,
shard_count = 8,
tags = [
"ccl_test",
"cpu:2",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/fakedist/generated_test.go


Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 6,
shard_count = 7,
tags = [
"ccl_test",
"cpu:1",


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/local-mixed-23.1/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 7,
shard_count = 8,
tags = [
"ccl_test",
"cpu:1",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/local-mixed-23.1/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/local-mixed-23.2/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 6,
shard_count = 7,
tags = [
"ccl_test",
"cpu:1",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/local-mixed-23.2/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/local-vec-off/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 6,
shard_count = 7,
tags = [
"ccl_test",
"cpu:1",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/local-vec-off/generated_test.go


2 changes: 1 addition & 1 deletion pkg/ccl/logictestccl/tests/local/BUILD.bazel
Expand Up @@ -9,7 +9,7 @@ go_test(
"//pkg/ccl/logictestccl:testdata", # keep
],
exec_properties = {"Pool": "large"},
shard_count = 20,
shard_count = 21,
tags = [
"ccl_test",
"cpu:1",
7 changes: 7 additions & 0 deletions pkg/ccl/logictestccl/tests/local/generated_test.go


9 changes: 9 additions & 0 deletions pkg/ccl/securityccl/fipsccl/BUILD.bazel
Expand Up @@ -7,11 +7,20 @@ go_library(
"build_noboring.go",
"fips_linux.go",
"fips_nolinux.go",
"sql.go",
],
cgo = True,
importpath = "github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl",
visibility = ["//visibility:public"],
deps = [
"//pkg/ccl/utilccl",
"//pkg/sql/privilege",
"//pkg/sql/roleoption",
"//pkg/sql/sem/eval",
"//pkg/sql/sem/tree",
"//pkg/sql/sem/volatility",
"//pkg/sql/syntheticprivilege",
"//pkg/sql/types",
"@com_github_cockroachdb_errors//:errors",
],
)
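--- a/pkg/ccl/securityccl/fipsccl/sql.go
+++ b/pkg/ccl/securityccl/fipsccl/sql.go
@@ -0,0 +1,64 @@
+// Copyright 2023 The Cockroach Authors.
+//
+// Licensed as a CockroachDB Enterprise file under the Cockroach Community
+// License (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt
+
+package fipsccl
+
+import (
+"context"
+
+"github.com/cockroachdb/cockroach/pkg/ccl/utilccl"
+"github.com/cockroachdb/cockroach/pkg/sql/privilege"
+"github.com/cockroachdb/cockroach/pkg/sql/roleoption"
+"github.com/cockroachdb/cockroach/pkg/sql/sem/eval"
+"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
+"github.com/cockroachdb/cockroach/pkg/sql/sem/volatility"
+"github.com/cockroachdb/cockroach/pkg/sql/syntheticprivilege"
+"github.com/cockroachdb/cockroach/pkg/sql/types"
+)
+
+func init() {
+overload := tree.Overload{
+Types: tree.ParamTypes{},
+ReturnType: tree.FixedReturnType(types.Bool),
+Fn: func(ctx context.Context, evalCtx *eval.Context, args tree.Datums) (tree.Datum, error) {
+if err := utilccl.CheckEnterpriseEnabled(
+evalCtx.Settings, evalCtx.ClusterID, "fips_ready",
+); err != nil {
+return nil, err
+}
+// It's debatable whether we need a permission check here at all.
+// It's not very sensitive and is (currently) a very cheap function
+// call. However, it's something that regular users should have no
+// reason to look at so in the interest of least privilege we put it
+// behind the VIEWCLUSTERSETTING privilige.
+session := evalCtx.SessionAccessor
+isAdmin, err := session.HasAdminRole(ctx)
+if err != nil {
+return nil, err
+}
+if !isAdmin {
+hasView, err := session.HasRoleOption(ctx, roleoption.VIEWCLUSTERSETTING)
+if err != nil {
+return nil, err
+}
+if !hasView {
+if err := session.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWCLUSTERSETTING); err != nil {
+return nil, err
+}
+}
+}
+return tree.MakeDBool(tree.DBool(IsFIPSReady())), nil
+},
+Class: tree.NormalClass,
+Volatility: volatility.Stable,
+}
+
+utilccl.RegisterCCLBuiltin("crdb_internal.fips_ready",
+`Returns true if all FIPS readiness checks pass.`,
+overload)
+}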
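Review bot: The builtin description passed to RegisterCCLBuiltin, `Returns true if all FIPS readiness checks pass.`, omits two facts the commit message states or the code enforces: the result describes the gateway node only, and the caller needs the admin role, the VIEWCLUSTERSETTING role option, or the VIEWCLUSTERSETTING system privilege, so a user reading the function's help text cannot tell why a call is refused. I would change it to `Returns true if all FIPS readiness checks pass on the gateway node. Requires the admin role or the VIEWCLUSTERSETTING privilege.`. The comment above the permission check misspells `privilige`; it should read `privilege`. One ordering point, hedged since it presumably mirrors other CCL builtins: CheckEnterpriseEnabled runs before any of the privilege checks, so a user with no privileges receives the license error instead of the privilege error, which reveals licensing state to every SQL user; performing the privilege check first would make least privilege the outermost gate, consistent with the intent the comment describes.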
1 change: 1 addition & 0 deletions pkg/sql/sem/builtins/fixed_oids.go
Expand Up @@ -2509,6 +2509,7 @@ var builtinOidsArray = []string{
2540: `information_schema._pg_datetime_precision(typid: oid, typmod: int4) -> int`,
2541: `information_schema._pg_interval_type(typid: oid, typmod: int4) -> string`,
2542: `crdb_internal.release_series(version: string) -> string`,
2543: `crdb_internal.fips_ready() -> bool`,
}

var builtinOidsBySignature map[string]oid.Oid
