From 9a881e2e2031017083d2418bd5fd73cd3f28eac3 Mon Sep 17 00:00:00 2001
From: Harish Senthilkumar <63279489+harishxr@users.noreply.github.com>
Date: Tue, 28 May 2024 12:37:24 -0700
Subject: [PATCH] Enable agent to detect FIPS enabled hosts (#4189)

* Enable agent to detect FIPS enabled hosts
* Add unit test for FIPS detection
* Add FIPS detection stub function for Windows
* Update unit test for FIPS detection
* Adding fips_unsupported file, fixing build tags, adding additional logging

---------
Co-authored-by: Harish Senthilkumar
---
 agent/config/config.go | 8 +++++
 agent/utils/fips_linux.go | 45 ++++++++++++++++++++++++++++
 agent/utils/fips_linux_test.go | 52 +++++++++++++++++++++++++++++++++
 agent/utils/fips_unsupported.go | 28 ++++++++++++++++++
 agent/utils/fips_windows.go | 28 ++++++++++++++++++
 5 files changed, 161 insertions(+)
 create mode 100644 agent/utils/fips_linux.go
 create mode 100644 agent/utils/fips_linux_test.go
 create mode 100644 agent/utils/fips_unsupported.go
 create mode 100644 agent/utils/fips_windows.go

diff --git a/agent/config/config.go b/agent/config/config.go
index ea75b838515..02e45f23e7f 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -188,6 +188,9 @@ var (
 
 // CgroupV2 Specifies whether or not to run in Cgroups V2 mode.
 CgroupV2 = false
+
+ // isFIPSEnabled indicates whether FIPS mode is enabled on the host
+ isFIPSEnabled = false
 )
 
 // Merge merges two config files, preferring the ones on the left. Any nil or
@@ -226,6 +229,7 @@ func NewConfig(ec2client ec2.EC2MetadataClient) (*Config, error) {
 errs = append(errs, err)
 }
 config := &envConfig
+ isFIPSEnabled = utils.DetectFIPSMode(utils.FIPSModeFilePath)
 
 if config.External.Enabled() {
 if config.AWSRegion == "" {
@@ -657,3 +661,7 @@ func (cfg *Config) String() string {
 cfg.platformString(),
 )
 }
+
+func IsFIPSEnabled() bool {
+ return isFIPSEnabled
+}
diff --git a/agent/utils/fips_linux.go b/agent/utils/fips_linux.go
new file mode 100644
index 00000000000..1b6e6b03a8a
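Review bot: The probe at `isFIPSEnabled = utils.DetectFIPSMode(utils.FIPSModeFilePath)` writes package-level state from inside NewConfig, so IsFIPSEnabled() returns false until NewConfig has run and reflects whichever call ran last; nothing in the hunk synchronizes that write against readers in other goroutines. If the ordering is guaranteed by the agent's startup sequence, a comment at the assignment such as `// probed once per NewConfig; IsFIPSEnabled is only meaningful after this point` makes the contract explicit; otherwise storing the result on the returned Config avoids the mutable global. NewConfig begins and ends outside the hunk.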
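Review bot: IsFIPSEnabled is exported without a doc comment, which golint/staticcheck flag and which leaves callers guessing when the value becomes valid. Suggest `// IsFIPSEnabled reports whether FIPS mode was detected on the host during the most recent NewConfig call.` above the signature.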
--- /dev/null
+++ b/agent/utils/fips_linux.go
@@ -0,0 +1,45 @@
+//go:build linux
+// +build linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = "/proc/sys/crypto/fips_enabled"
+
+// DetectFIPSMode checks if FIPS mode is enabled based on the provided file path.
+func DetectFIPSMode(filePath string) bool {
+ data, err := os.ReadFile(filePath)
+ if err != nil {
+ logger.Debug(fmt.Sprintf("Error while detecting FIPS is enabled or not, err: %v", err))
+ return false
+ }
+
+ fipsValue := strings.TrimSpace(string(data))
+ if fipsValue == "1" {
+ logger.Info("FIPS mode detected on the host")
+ return true
+ }
+
+ logger.Debug(fmt.Sprintf("FIPS mode not enabled. FIPS mode explicitly set to %v", fipsValue))
+ return false
+}
diff --git a/agent/utils/fips_linux_test.go b/agent/utils/fips_linux_test.go
new file mode 100644
index 00000000000..7558a244c71
--- /dev/null
+++ b/agent/utils/fips_linux_test.go
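Review bot: In DetectFIPSMode every read failure collapses to `false` and is logged only at Debug, so a host that really is in FIPS mode but whose `/proc/sys/crypto/fips_enabled` is unreadable (permissions, a restricted /proc mount) is silently treated as non-FIPS at normal log levels. Distinguishing the expected missing-file case from other errors, `if !errors.Is(err, os.ErrNotExist) { ... }`, and logging the latter at a warning level (if the logger package exposes one) would surface that misconfiguration; `errors` would need adding to the import block. The final Debug message says "explicitly set to %v" even when the file is empty or holds a non-numeric value; `%q` would show an empty value unambiguously.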
@@ -0,0 +1,52 @@
+//go:build linux && unit
+// +build linux,unit
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "io/ioutil"
+ "log"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestDetectFIPSMode(t *testing.T) {
+ // Create a temporary file to mock the FIPS mode file
+ tempFile, err := ioutil.TempFile("", "fips_enabled")
+ assert.NoError(t, err)
+ defer os.Remove(tempFile.Name())
+ // Test FIPS mode enabled
+ _, err = tempFile.WriteString("1\n")
+ assert.NoError(t, err)
+ tempFile.Sync()
+ // Initialize the logger
+ log.SetFlags(log.LstdFlags | log.Lshortfile)
+ result := DetectFIPSMode(tempFile.Name())
+ assert.True(t, result, "FIPS mode should be detected")
+ // Test FIPS mode disabled
+ tempFile.Truncate(0)
+ tempFile.Seek(0, 0)
+ _, err = tempFile.WriteString("0\n")
+ assert.NoError(t, err)
+ tempFile.Sync()
+ result = DetectFIPSMode(tempFile.Name())
+ assert.False(t, result, "FIPS mode should not be detected")
+ // Test when the FIPS file does not exist
+ result = DetectFIPSMode("nonexistent_file")
+ assert.False(t, result, "FIPS mode should not be detected when file is missing")
+}
diff --git a/agent/utils/fips_unsupported.go b/agent/utils/fips_unsupported.go
new file mode 100644
index 00000000000..a0c666a0a11
--- /dev/null
+++ b/agent/utils/fips_unsupported.go
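Review bot: TestDetectFIPSMode discards the errors from `tempFile.Sync()`, `tempFile.Truncate(0)` and `tempFile.Seek(0, 0)` and never closes tempFile, so a failed truncate would leave "1\n0\n" in the file and the "disabled" assertion would fail for an unrelated reason. `ioutil.TempFile` is deprecated in favour of `os.CreateTemp`; `os.CreateTemp(t.TempDir(), "fips_enabled")` gives the same handle with automatic cleanup, removing the `defer os.Remove` and the `io/ioutil` import. The `log.SetFlags` call under "Initialize the logger" configures the standard-library logger, which DetectFIPSMode does not appear to use (it calls the ecs-agent logger package), so it looks like dead setup — worth confirming and dropping.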
@@ -0,0 +1,28 @@
+//go:build !windows && !linux
+// +build !windows,!linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
+ logger.Debug("FIPS mode detection is not supported on this platform")
+ return false
+}
diff --git a/agent/utils/fips_windows.go b/agent/utils/fips_windows.go
new file mode 100644
index 00000000000..94e7a40ba08
--- /dev/null
+++ b/agent/utils/fips_windows.go
@@ -0,0 +1,28 @@
+//go:build windows && !linux
+// +build windows,!linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
+ logger.Debug("set isFIPSEnabled to false by default on Windows")
+ return false
+}
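Review bot: The stub's parameter is named `filepath`, which shadows the standard `path/filepath` package name and differs from the `filePath` used by the Linux implementation, so the build-tagged definitions of DetectFIPSMode do not agree on their signature spelling; the same applies to fips_windows.go. `FIPSModeFilePath` and `DetectFIPSMode` are exported here without doc comments while the Linux file documents the function; suggest `// FIPSModeFilePath is unused on this platform.` and `// DetectFIPSMode always reports false; FIPS detection is not implemented on this platform.` so readers of the generated docs see the platform caveat.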
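Review bot: The constraint `windows && !linux` carries a redundant `!linux`: GOOS is a single value, so `windows` alone already excludes linux, and `//go:build windows` with the matching `// +build windows` says the same thing without suggesting the two can coincide. The Debug message names `isFIPSEnabled`, a private variable of the config package, from inside utils; if that variable is renamed the log line silently goes stale, so a platform-neutral message like the one in fips_unsupported.go would be more robust.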