From 6c97380c8d2aab2a0f0e6754e3281aa9bb11c9b0 Mon Sep 17 00:00:00 2001
From: lidezhu
Date: Thu, 26 Oct 2023 18:29:52 +0800
Subject: [PATCH 1/4] support build cdc in fips mode
---
 Makefile | 7 ++++++-
 cmd/cdc/fips.go | 27 +++++++++++++++++++++++++++
 pkg/version/check.go | 1 +
 pkg/version/check_test.go | 4 ++++
 4 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 cmd/cdc/fips.go
diff --git a/Makefile b/Makefile
index 4d1c39caa18..e645e40824d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 ### Makefile for tiflow
-.PHONY: build test check clean fmt cdc kafka_consumer storage_consumer coverage \
+.PHONY: build test check clean fmt cdc cdc_fips kafka_consumer storage_consumer coverage \
 integration_test_build integration_test integration_test_mysql integration_test_kafka bank \
 kafka_docker_integration_test kafka_docker_integration_test_with_build \
 clean_integration_test_containers \
@@ -42,6 +42,7 @@ DM_TEST_DIR := /tmp/dm_test
 ENGINE_TEST_DIR := /tmp/engine_test
 GO := GO111MODULE=on go
+
 ifeq (${CDC_ENABLE_VENDOR}, 1)
 GOVENDORFLAG := -mod=vendor
 endif
@@ -59,6 +60,7 @@ else ifeq (${OS}, "darwin")
 endif
 GOBUILD := CGO_ENABLED=$(CGO) $(GO) build $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
+GOBUILDFIPS := CGO_ENABLED=1 GOEXPERIMENT=boringcrypto $(GO) build -tags boringcrypto $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
 GOBUILDNOVENDOR := CGO_ENABLED=0 $(GO) build $(BUILD_FLAG) -trimpath
 GOTEST := CGO_ENABLED=1 $(GO) test -p $(P) --race --tags=intest
 GOTESTNORACE := CGO_ENABLED=1 $(GO) test -p $(P)
@@ -157,6 +159,9 @@ build-cdc-with-failpoint: ## Build cdc with failpoint enabled.
 cdc:
 $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc/main.go
+cdc_fips:
+ $(GOBUILDFIPS) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc
+
 kafka_consumer:
 $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc_kafka_consumer ./cmd/kafka-consumer/main.go
diff --git a/cmd/cdc/fips.go b/cmd/cdc/fips.go
new file mode 100644
index 00000000000..770cf8843b6
--- /dev/null
+++ b/cmd/cdc/fips.go
@@ -0,0 +1,27 @@
+// Copyright 2020 PingCAP, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import (
+ _ "crypto/tls/fipsonly"
+
+ "github.com/pingcap/tiflow/pkg/version"
+)
+
+func init() {
+ version.ReleaseVersion += "-fips"
+}
diff --git a/pkg/version/check.go b/pkg/version/check.go
index 1399c0734e4..95a6959593a 100644
--- a/pkg/version/check.go
+++ b/pkg/version/check.go
@@ -67,6 +67,7 @@ func SanitizeVersion(v string) string {
 return v
 }
 v = versionHash.ReplaceAllLiteralString(v, "")
+ v = strings.TrimSuffix(v, "-fips")
 v = strings.TrimSuffix(v, "-dirty")
 return strings.TrimPrefix(v, "v")
 }
diff --git a/pkg/version/check_test.go b/pkg/version/check_test.go
index ba3eef8a916..fdddd2f7db7 100644
--- a/pkg/version/check_test.go
+++ b/pkg/version/check_test.go
@@ -266,6 +266,10 @@ func TestCompareVersion(t *testing.T) {
 dirtyVersion := semver.New(SanitizeVersion("v6.3.0-dirty"))
 require.Equal(t, 1, dirtyVersion.Compare(*MinTiCDCVersion))
 require.Equal(t, 0, dirtyVersion.Compare(*semver.New("6.3.0")))
+
+ dirtyVersionWithFIPS := semver.New(SanitizeVersion("v6.3.0-dirty-fips"))
+ require.Equal(t, 1, dirtyVersionWithFIPS.Compare(*MinTiCDCVersion))
+ require.Equal(t, 0, dirtyVersionWithFIPS.Compare(*semver.New("6.3.0")))
 }
 func TestReleaseSemver(t *testing.T) {
From b623fd8086c6be59cc4d87227aba2af7c665515f Mon Sep 17 00:00:00 2001
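Review bot: The `-fips` suffix appended in `init()` is driven only by the `boringcrypto` build tag, so the version string asserts FIPS mode without confirming that BoringCrypto is actually active in this binary. As far as I know the tag can be satisfied in a configuration where the BoringCrypto module is not in use (for example a platform or cgo setting it does not support), and the label would then overstate what the build provides. Consider importing `crypto/boring` and guarding the suffix with `if !boring.Enabled() { panic("boringcrypto build tag set but BoringCrypto is not enabled") }`. A short file comment stating that the blank import of `crypto/tls/fipsonly` restricts TLS to FIPS-approved settings would also help the next reader.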
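Review bot: The new `strings.TrimSuffix(v, "-fips")` line carries no comment on where the suffix comes from or why it has to be trimmed before `-dirty`; the ordering only works because `cmd/cdc/fips.go` appends it last, at init time. A comment such as `// "-fips" is appended by cmd/cdc/fips.go in boringcrypto builds and is always the final suffix` would record that dependency. Stripping it also means version comparison treats FIPS and non-FIPS builds as the same release, so a deployment that requires FIPS on every node presumably needs a separate check. SanitizeVersion's body starts outside the hunk.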
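Review bot: The added case only covers `v6.3.0-dirty-fips`; a clean release build would carry `-fips` without `-dirty`, and that path is not exercised here. Adding `require.Equal(t, 0, semver.New(SanitizeVersion("v6.3.0-fips")).Compare(*semver.New("6.3.0")))` next to the new assertions would pin it. TestCompareVersion starts outside the hunk.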
From: lidezhu
Date: Thu, 26 Oct 2023 18:34:50 +0800
Subject: [PATCH 2/4] remove extra blank line
---
 Makefile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Makefile b/Makefile
index e645e40824d..e7d611eca5b 100644
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,6 @@ DM_TEST_DIR := /tmp/dm_test
 ENGINE_TEST_DIR := /tmp/engine_test
 GO := GO111MODULE=on go
-
 ifeq (${CDC_ENABLE_VENDOR}, 1)
 GOVENDORFLAG := -mod=vendor
 endif
From 1c6bb42cf03f3ef972a58803f1ec9c0e9d8af375 Mon Sep 17 00:00:00 2001
From: lidezhu
Date: Fri, 27 Oct 2023 15:29:09 +0800
Subject: [PATCH 3/4] fix format
---
 cmd/cdc/fips.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/cdc/fips.go b/cmd/cdc/fips.go
index 770cf8843b6..36d0db733e6 100644
--- a/cmd/cdc/fips.go
+++ b/cmd/cdc/fips.go
@@ -18,7 +18,7 @@ package main
 import (
 _ "crypto/tls/fipsonly"
-
+ //
 "github.com/pingcap/tiflow/pkg/version"
 )
From a2672152c39d7bedae793982e2b0e2ffd845e997 Mon Sep 17 00:00:00 2001
From: lidezhu
Date: Mon, 13 Nov 2023 10:55:24 +0800
Subject: [PATCH 4/4] update Makefile
---
 Makefile | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index e7d611eca5b..128abe23f47 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 ### Makefile for tiflow
-.PHONY: build test check clean fmt cdc cdc_fips kafka_consumer storage_consumer coverage \
+.PHONY: build test check clean fmt cdc kafka_consumer storage_consumer coverage \
 integration_test_build integration_test integration_test_mysql integration_test_kafka bank \
 kafka_docker_integration_test kafka_docker_integration_test_with_build \
 clean_integration_test_containers \
@@ -58,8 +58,14 @@ else ifeq (${OS}, "darwin")
 CGO := 1
 endif
-GOBUILD := CGO_ENABLED=$(CGO) $(GO) build $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
-GOBUILDFIPS := CGO_ENABLED=1 GOEXPERIMENT=boringcrypto $(GO) build -tags boringcrypto $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
+BUILD_FLAG =
+GOEXPERIMENT=
+ifeq ("${ENABLE_FIPS}", "1")
+ BUILD_FLAG = -tags boringcrypto
+ GOEXPERIMENT = GOEXPERIMENT=boringcrypto
+ CGO = 1
+endif
+GOBUILD := $(GOEXPERIMENT) CGO_ENABLED=$(CGO) $(GO) build $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
 GOBUILDNOVENDOR := CGO_ENABLED=0 $(GO) build $(BUILD_FLAG) -trimpath
 GOTEST := CGO_ENABLED=1 $(GO) test -p $(P) --race --tags=intest
 GOTESTNORACE := CGO_ENABLED=1 $(GO) test -p $(P)
@@ -156,10 +162,7 @@ build-cdc-with-failpoint: ## Build cdc with failpoint enabled.
 $(FAILPOINT_DISABLE)
 cdc:
- $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc/main.go
-
-cdc_fips:
- $(GOBUILDFIPS) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc
+ $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc
 kafka_consumer:
 $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc_kafka_consumer ./cmd/kafka-consumer/main.go
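Review bot: With `ENABLE_FIPS=1`, `BUILD_FLAG` gains `-tags boringcrypto` for every command that expands it, but only `GOBUILD` receives `GOEXPERIMENT=boringcrypto` and `CGO = 1`; `GOBUILDNOVENDOR` on the following line still forces `CGO_ENABLED=0`, so anything built through it gets the tag without the matching toolchain settings. Keeping the tag in its own variable that only `GOBUILD` expands, or extending the `ENABLE_FIPS` block to cover `GOBUILDNOVENDOR`, would avoid that mismatch. The unconditional `BUILD_FLAG =` also discards a `BUILD_FLAG` supplied through the environment, which the earlier definition appears to have honoured; `BUILD_FLAG ?=` with `BUILD_FLAG += -tags boringcrypto` inside the block would preserve it. `GOTEST` and `GOTESTNORACE` are untouched, so the test targets do not run in the FIPS configuration.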
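Review bot: The `cdc` target has no `##` help text, unlike `build-cdc-with-failpoint` above it, and nothing here documents that `ENABLE_FIPS=1` changes what it builds. Something like `cdc: ## Build cdc; set ENABLE_FIPS=1 for a boringcrypto (FIPS) build.` would cover it. Both modes also write the same `bin/cdc`, so the only marker of a FIPS build is the `-fips` version suffix; a release job may want to assert that suffix on the produced binary before publishing it.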