SNOW-748680: Update node fips docker image and re-add fips test (#500)

* Set centos7 node version to 14.17 * Re-add fips test * issue 207 - Update docker image to node18/openssl3 and enable fips * issue 207 - Fix spaces and remove "--enable-fips" flag * issue 217 - Use node 18.17.0 (LTS) for the FIPS docker image * SNOW-748680: Add FIPS image to the node matrix for Linux builds * SNOW-748680: Use legacy provider for openssl * SNOW-748680: Revert using legacy provider for openssl * SNOW-748680: Update "aws-sdk" to 2.14 * SNOW-748680: Revert update "aws-sdk" to 2.14 * SNOW-748680: Add FIPS image to the node matrix for Linux builds * SNOW-748680: Run "npm audit fix" for FIPS build * SNOW-748680: Revert running "npm audit fix" for FIPS build * SNOW-749232: Upgrade to aws-sdk v3 * SNOW-749232: Fix s3 unit tests * Set centos7 node version to 14.17 * issue 207 - Update docker image to node18/openssl3 and enable fips * issue 207 - Fix spaces and remove "--enable-fips" flag * issue 217 - Use node 18.17.0 (LTS) for the FIPS docker image * SNOW-748680: Add FIPS image to the node matrix for Linux builds * SNOW-748680: Run "npm audit fix" for FIPS build * SNOW-748680: Revert running "npm audit fix" for FIPS build --------- Co-authored-by: Dominik Przybysz <[email protected]>
snowflakedb · Sep 21, 2023 · 319adc8 · 319adc8
1 parent 48d2049
commit 319adc8
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 11 deletions.
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -114,7 +114,7 @@ jobs:
         strategy:
             fail-fast: false
             matrix:
-                image: [ 'nodejs-centos7-node14']
+                image: [ 'nodejs-centos7-node14', 'nodejs-centos7-fips']
                 cloud: [ 'AWS', 'AZURE', 'GCP' ]
         steps:
             - uses: actions/checkout@v1

diff --git a/ci/image/Dockerfile.nodejs-centos7-fips-test b/ci/image/Dockerfile.nodejs-centos7-fips-test
@@ -35,29 +35,49 @@ SHELL [ "/usr/bin/scl", "enable", "devtoolset-8"]
 
 # node-fips environment variables
 ENV NODE_HOME $HOME/node
-ENV NODEJS_VERSION 14.0.0
-ENV FIPSDIR $HOME/install-openssl-fips
-ENV OPENSSL_VERSION 2.0.16
+ENV NODEJS_VERSION 18.17.0
+ENV OPENSSL_VERSION 3.0.8
+ENV PKG_CONFIG_PATH "/usr/local/lib64/pkgconfig"
+ENV LD_LIBRARY_PATH "${LD_LIBRARY_PATH}:/usr/local/lib64"
+ENV OPENSSL_CONF /usr/local/ssl/openssl.cnf
+ENV FIPSCONF /usr/local/ssl/fipsmodule.cnf
+ENV OPENSSL_MODULES=/usr/local/lib64/ossl-modules
 
-# Install OpenSSL 
+# Install OpenSSL
 RUN cd $HOME
-RUN curl https://www.openssl.org/source/openssl-fips-$OPENSSL_VERSION.tar.gz -o $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
+RUN curl https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz -o $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
 RUN tar -xvf $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
-RUN mv openssl-fips-$OPENSSL_VERSION $HOME/openssl-fips
+RUN mv openssl-$OPENSSL_VERSION $HOME/openssl-fips
 RUN cd $HOME/openssl-fips
-
+
+# Install OpenSSL dependencies
+RUN yum -y install perl-IPC-Cmd
+RUN yum -y install perl-Digest-SHA
+RUN yum -y install openssl-devel
+
 # You must run ONLY these commands when building the FIPS version of OpenSSL
-RUN cd $HOME/openssl-fips && ./config && make && make install
-
+RUN cd $HOME/openssl-fips && ./config enable-fips && make && make install
+
+# Enable FIPS by editing the openssl.cnf file
+RUN sed -i "s/openssl_conf = openssl_init/nodejs_conf = openssl_init/g" $OPENSSL_CONF
+RUN sed -i "s/# .include fipsmodule.cnf/.include ${FIPSCONF//\//\\/}/g" $OPENSSL_CONF
+RUN sed -i 's/# fips = fips_sect/fips = fips_sect/g' $OPENSSL_CONF
+RUN sed -i 's/# activate = 1/activate = 1/g' $OPENSSL_CONF
+RUN sed -i '55ialg_section = algorithm_sect' $OPENSSL_CONF
+RUN sed -i '75idefault_properties = fips=yes' $OPENSSL_CONF
+RUN sed -i '75i[algorithm_sect]' $OPENSSL_CONF
+
 # Download and build NodeJS
 RUN git clone --branch v$NODEJS_VERSION https://github.com/nodejs/node.git $NODE_HOME
 RUN gcc --version
 RUN g++ --version
-RUN cd $NODE_HOME && ./configure --openssl-fips=$FIPSDIR && make -j2 &> /dev/null && make install
+RUN cd $NODE_HOME && ./configure --shared-openssl --shared-openssl-libpath=/usr/local/lib64 --shared-openssl-includes=/usr/local/include/openssl --openssl-is-fips && make -j2 &> /dev/null && make install
 # Should be $NODEJS_VERSION
 RUN node --version
 # Should be $OPENSSL_VERSION
 RUN node -p "process.versions.openssl"
+# Should be 1 (FIPS is enabled by default)
+RUN node -p 'crypto.getFips()'
 
 # workspace
 RUN mkdir -p /home/user