From 42edc0b182fae75b749150627cd6dd38ba73a8e3 Mon Sep 17 00:00:00 2001
From: Harish Senthilkumar
Date: Wed, 22 May 2024 23:42:20 +0000
Subject: [PATCH 1/5] Enable agent to detect FIPS enabled hosts
---
 agent/config/config.go | 8 ++++++++
 agent/utils/fips_linux.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 agent/utils/fips_linux.go
diff --git a/agent/config/config.go b/agent/config/config.go
index ea75b838515..1ab5e1bdd42 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -188,6 +188,9 @@ var (
 // CgroupV2 Specifies whether or not to run in Cgroups V2 mode.
 CgroupV2 = false
+
+ // isFIPSEnabled indicates whether FIPS mode is enabled on the host
+ isFIPSEnabled = false
 )
 
 // Merge merges two config files, preferring the ones on the left. Any nil or
@@ -226,6 +229,7 @@ func NewConfig(ec2client ec2.EC2MetadataClient) (*Config, error) {
 errs = append(errs, err)
 }
 config := &envConfig
+ isFIPSEnabled = utils.DetectFIPSMode()
 
 if config.External.Enabled() {
 if config.AWSRegion == "" {
@@ -657,3 +661,7 @@ func (cfg *Config) String() string {
 cfg.platformString(),
 )
 }
+
+func IsFIPSEnabled() bool {
+ return isFIPSEnabled
+}
diff --git a/agent/utils/fips_linux.go b/agent/utils/fips_linux.go
new file mode 100644
index 00000000000..87c30a92c18
--- /dev/null
+++ b/agent/utils/fips_linux.go
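Review bot: `isFIPSEnabled` is package-level mutable state that `NewConfig` writes (second hunk) and `IsFIPSEnabled` reads (third hunk) with no synchronization, so a getter call running concurrently with `NewConfig` is a data race under `-race`, and before `NewConfig` has run the getter silently answers false. The host's FIPS status is a property of the configuration that was loaded, so a field on `Config` populated at the point of `isFIPSEnabled = utils.DetectFIPSMode()` would remove the global and let the value travel with the config it describes. `NewConfig` continues outside the hunk.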
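Review bot: `IsFIPSEnabled` in the third hunk is exported without a doc comment, and nothing tells a caller that the value is only meaningful once `NewConfig` has run. Suggested comment: `// IsFIPSEnabled reports whether FIPS mode was detected on the host when NewConfig ran; it is false until then.`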
@@ -0,0 +1,36 @@
+//go:build linux
+// +build linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "os"
+ "strings"
+
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const fipsModeFilePath = "/proc/sys/crypto/fips_enabled"
+
+func DetectFIPSMode() bool {
+ data, err := os.ReadFile(fipsModeFilePath)
+ if err == nil && strings.TrimSpace(string(data)) == "1" {
+ logger.Debug("FIPS mode detected on the host")
+ return true
+ }
+ logger.Debug("FIPS mode not detected on the host")
+ return false
+}
From 7e0a762fe127e9f9710e902623653d2f71947bf9 Mon Sep 17 00:00:00 2001
From: Harish Senthilkumar
Date: Thu, 23 May 2024 17:00:29 +0000
Subject: [PATCH 2/5] Add unit test for FIPS detection
---
 agent/utils/fips_linux_test.go | 58 ++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 agent/utils/fips_linux_test.go
diff --git a/agent/utils/fips_linux_test.go b/agent/utils/fips_linux_test.go
new file mode 100644
index 00000000000..a365d5dde3b
--- /dev/null
+++ b/agent/utils/fips_linux_test.go
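Review bot: `DetectFIPSMode` is exported with no doc comment, and the one thing a caller most needs to know is what the check covers: `/proc/sys/crypto/fips_enabled` reflects the kernel's FIPS mode flag, not whether the crypto library compiled into this binary is FIPS-validated, so the value behind `IsFIPSEnabled` must not be read as a statement about the agent's own TLS or hashing. Suggested comment: `// DetectFIPSMode reports whether the kernel's FIPS mode flag (/proc/sys/crypto/fips_enabled) reads "1". It says nothing about the crypto implementation this binary uses.`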
@@ -0,0 +1,58 @@
+//go:build !windows && unit
+// +build !windows,unit
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "io/ioutil"
+ "log"
+ "os"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+// detectFIPSModeWithPath is a helper function for testing
+func detectFIPSModeWithPath(filePath string) bool {
+ data, err := ioutil.ReadFile(filePath)
+ if err == nil && strings.TrimSpace(string(data)) == "1" {
+ return true
+ }
+ return false
+}
+func TestDetectFIPSMode(t *testing.T) {
+ // Create a temporary file to mock the FIPS mode file
+ tempFile, err := ioutil.TempFile("", "fips_enabled")
+ assert.NoError(t, err)
+ defer os.Remove(tempFile.Name())
+ // Test FIPS mode enabled
+ _, err = tempFile.WriteString("1\n")
+ assert.NoError(t, err)
+ tempFile.Sync()
+ // Initialize the logger
+ log.SetFlags(log.LstdFlags | log.Lshortfile)
+ result := detectFIPSModeWithPath(tempFile.Name())
+ assert.True(t, result, "FIPS mode should be detected")
+ // Test FIPS mode disabled
+ tempFile.Truncate(0)
+ tempFile.Seek(0, 0)
+ _, err = tempFile.WriteString("0\n")
+ assert.NoError(t, err)
+ tempFile.Sync()
+ result = detectFIPSModeWithPath(tempFile.Name())
+ assert.False(t, result, "FIPS mode should not be detected")
+}
From bb017d841f043fc1a2d9ac062c8cd3695a79a843 Mon Sep 17 00:00:00 2001
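Review bot: `TestDetectFIPSMode` exercises a private copy of the logic, `detectFIPSModeWithPath`, rather than `DetectFIPSMode` itself, so the production function never runs under test and a regression in it would pass. The temp file is also never closed (only `os.Remove` is deferred), and the results of `tempFile.Sync()`, `tempFile.Truncate(0)` and `tempFile.Seek(0, 0)` are discarded, so a failed rewrite would surface as a puzzling assertion on the second case instead of at its cause. `ioutil` is deprecated; `os.CreateTemp` and `os.ReadFile` cover both uses here. Adding `defer tempFile.Close()` after the `NoError` check and wrapping the rewrite steps as `assert.NoError(t, tempFile.Truncate(0))` and `assert.NoError(t, tempFile.Sync())` would make the fixture trustworthy.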
From: Harish Senthilkumar
Date: Thu, 23 May 2024 19:14:51 +0000
Subject: [PATCH 3/5] Add FIPS detection stub function for Windows
---
 agent/utils/fips_windows.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 agent/utils/fips_windows.go
diff --git a/agent/utils/fips_windows.go b/agent/utils/fips_windows.go
new file mode 100644
index 00000000000..d98124c895a
--- /dev/null
+++ b/agent/utils/fips_windows.go
@@ -0,0 +1,26 @@
+//go:build windows
+// +build windows
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+func DetectFIPSMode() bool {
+ logger.Debug("set isFIPSEnabled to false by default on Windows")
+ return false
+}
From 4bbc53d0a89272643438b70f71ca13ac3546ae50 Mon Sep 17 00:00:00 2001
From: Harish Senthilkumar
Date: Fri, 24 May 2024 03:21:35 +0000
Subject: [PATCH 4/5] Update unit test for FIPS detection
---
 agent/config/config.go | 2 +-
 agent/utils/fips_linux.go | 7 ++++---
 agent/utils/fips_linux_test.go | 16 +++++----------
 agent/utils/fips_windows.go | 4 +++-
 4 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/agent/config/config.go b/agent/config/config.go
index 1ab5e1bdd42..02e45f23e7f 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
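Review bot: The Windows `DetectFIPSMode` reports false regardless of the host's actual FIPS setting, which is a silent policy decision: an operator who has enabled FIPS on a Windows host will see `IsFIPSEnabled` deny it, with only a debug line as evidence. That limitation belongs in the doc comment of the exported function rather than only in a log message, and the message itself names `isFIPSEnabled`, a private variable of the config package that this file cannot see. Suggested comment: `// DetectFIPSMode always reports false: FIPS mode detection is not implemented on Windows, so a false result is not evidence that FIPS is off.` together with a message such as `logger.Debug("FIPS mode detection is not implemented on Windows; assuming disabled")`.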
@@ -229,7 +229,7 @@ func NewConfig(ec2client ec2.EC2MetadataClient) (*Config, error) {
 errs = append(errs, err)
 }
 config := &envConfig
- isFIPSEnabled = utils.DetectFIPSMode()
+ isFIPSEnabled = utils.DetectFIPSMode(utils.FIPSModeFilePath)
 
 if config.External.Enabled() {
 if config.AWSRegion == "" {
diff --git a/agent/utils/fips_linux.go b/agent/utils/fips_linux.go
index 87c30a92c18..14c585adbe2 100644
--- a/agent/utils/fips_linux.go
+++ b/agent/utils/fips_linux.go
@@ -23,10 +23,11 @@ import (
 "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
 )
 
-const fipsModeFilePath = "/proc/sys/crypto/fips_enabled"
+const FIPSModeFilePath = "/proc/sys/crypto/fips_enabled"
 
-func DetectFIPSMode() bool {
- data, err := os.ReadFile(fipsModeFilePath)
+// DetectFIPSMode checks if FIPS mode is enabled based on the provided file path.
+func DetectFIPSMode(filePath string) bool {
+ data, err := os.ReadFile(filePath)
 if err == nil && strings.TrimSpace(string(data)) == "1" {
 logger.Debug("FIPS mode detected on the host")
 return true
diff --git a/agent/utils/fips_linux_test.go b/agent/utils/fips_linux_test.go
index a365d5dde3b..c257cc0ff3c 100644
--- a/agent/utils/fips_linux_test.go
+++ b/agent/utils/fips_linux_test.go
@@ -20,20 +20,11 @@ import (
 "io/ioutil"
 "log"
 "os"
- "strings"
 "testing"
 
 "github.com/stretchr/testify/assert"
 )
 
-// detectFIPSModeWithPath is a helper function for testing
-func detectFIPSModeWithPath(filePath string) bool {
- data, err := ioutil.ReadFile(filePath)
- if err == nil && strings.TrimSpace(string(data)) == "1" {
- return true
- }
- return false
-}
 func TestDetectFIPSMode(t *testing.T) {
 // Create a temporary file to mock the FIPS mode file
 tempFile, err := ioutil.TempFile("", "fips_enabled")
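Review bot: Threading the path through the exported signature of `DetectFIPSMode` only to make it testable leaks a Linux-specific detail into `config.go` and forces every non-Linux build to export a meaningless `FIPSModeFilePath = ""` (see the Windows hunk later in this patch). Keeping the public entry point parameterless and moving the file read into an unexported helper keeps the caller platform-agnostic and the test target explicit: `func DetectFIPSMode() bool { return detectFIPSModeFromFile(FIPSModeFilePath) }` with the test calling `detectFIPSModeFromFile(tempFile.Name())`. The body of `DetectFIPSMode` continues past the end of the hunk.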
@@ -45,7 +36,7 @@ func TestDetectFIPSMode(t *testing.T) {
 tempFile.Sync()
 // Initialize the logger
 log.SetFlags(log.LstdFlags | log.Lshortfile)
- result := detectFIPSModeWithPath(tempFile.Name())
+ result := DetectFIPSMode(tempFile.Name())
 assert.True(t, result, "FIPS mode should be detected")
 // Test FIPS mode disabled
 tempFile.Truncate(0)
@@ -53,6 +44,9 @@ func TestDetectFIPSMode(t *testing.T) {
 _, err = tempFile.WriteString("0\n")
 assert.NoError(t, err)
 tempFile.Sync()
- result = detectFIPSModeWithPath(tempFile.Name())
+ result = DetectFIPSMode(tempFile.Name())
 assert.False(t, result, "FIPS mode should not be detected")
+ // Test when the FIPS file does not exist
+ result = DetectFIPSMode("nonexistent_file")
+ assert.False(t, result, "FIPS mode should not be detected when file is missing")
 }
diff --git a/agent/utils/fips_windows.go b/agent/utils/fips_windows.go
index d98124c895a..7b8a60f42be 100644
--- a/agent/utils/fips_windows.go
+++ b/agent/utils/fips_windows.go
@@ -20,7 +20,9 @@ import (
 "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
 )
 
-func DetectFIPSMode() bool {
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
 logger.Debug("set isFIPSEnabled to false by default on Windows")
 return false
 }
From a77b0953c7afb8e5e151980a730a418677c0ca58 Mon Sep 17 00:00:00 2001
From: Harish Senthilkumar
Date: Fri, 24 May 2024 17:55:18 +0000
Subject: [PATCH 5/5] Adding fips_unsupported file, fixing build tags, adding additional logging
---
 agent/utils/fips_linux.go | 14 +++++++++++---
 agent/utils/fips_linux_test.go | 4 ++--
 agent/utils/fips_unsupported.go | 28 ++++++++++++++++++++++++++++
 agent/utils/fips_windows.go | 4 ++--
 4 files changed, 43 insertions(+), 7 deletions(-)
 create mode 100644 agent/utils/fips_unsupported.go
diff --git a/agent/utils/fips_linux.go b/agent/utils/fips_linux.go
index 14c585adbe2..1b6e6b03a8a 100644
--- a/agent/utils/fips_linux.go
+++ b/agent/utils/fips_linux.go
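Review bot: The new parameter in `func DetectFIPSMode(filepath string) bool` in the Windows hunk is unused and takes the name of the standard `path/filepath` package, which shadows it for anyone who later imports that package in this file and draws a lint warning; the Linux implementation calls the same parameter `filePath`. Use `_ string` or `filePath` so the platform signatures read the same way, and give the exported `FIPSModeFilePath = ""` a comment saying it is a placeholder that is never read on this platform. The `fips_unsupported.go` hunk in the next patch has the same parameter name and the same uncommented constant.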
@@ -17,6 +17,7 @@
 package utils
 
 import (
+ "fmt"
 "os"
 "strings"
 
@@ -28,10 +29,17 @@ const FIPSModeFilePath = "/proc/sys/crypto/fips_enabled"
 // DetectFIPSMode checks if FIPS mode is enabled based on the provided file path.
 func DetectFIPSMode(filePath string) bool {
 data, err := os.ReadFile(filePath)
- if err == nil && strings.TrimSpace(string(data)) == "1" {
- logger.Debug("FIPS mode detected on the host")
+ if err != nil {
+ logger.Debug(fmt.Sprintf("Error while detecting FIPS is enabled or not, err: %v", err))
+ return false
+ }
+
+ fipsValue := strings.TrimSpace(string(data))
+ if fipsValue == "1" {
+ logger.Info("FIPS mode detected on the host")
 return true
 }
- logger.Debug("FIPS mode not detected on the host")
+
+ logger.Debug(fmt.Sprintf("FIPS mode not enabled. FIPS mode explicitly set to %v", fipsValue))
 return false
 }
diff --git a/agent/utils/fips_linux_test.go b/agent/utils/fips_linux_test.go
index c257cc0ff3c..7558a244c71 100644
--- a/agent/utils/fips_linux_test.go
+++ b/agent/utils/fips_linux_test.go
@@ -1,5 +1,5 @@
-//go:build !windows && unit
-// +build !windows,unit
+//go:build linux && unit
+// +build linux,unit
 
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 //
diff --git a/agent/utils/fips_unsupported.go b/agent/utils/fips_unsupported.go
new file mode 100644
index 00000000000..a0c666a0a11
--- /dev/null
+++ b/agent/utils/fips_unsupported.go
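Review bot: In the new error branch of `DetectFIPSMode`, any failure to read `filePath`, including a permission error or a procfs that is not mounted, is reduced to "FIPS disabled" and recorded only at Debug level, while the positive case is logged at Info; on a FIPS host that is exactly the failure an operator most needs to see, and it is invisible at default verbosity. A missing file is the expected case on a kernel without the sysctl and can stay quiet, but other errors deserve at least the level the success path gets and should name the path: `if os.IsNotExist(err) { logger.Debug(fmt.Sprintf("%s not present, assuming FIPS mode is disabled", filePath)) } else { logger.Info(fmt.Sprintf("Unable to read FIPS mode file %s, assuming FIPS mode is disabled: %v", filePath, err)) }` (or a Warn level if the logger offers one). The message `Error while detecting FIPS is enabled or not` also reads awkwardly; `Unable to read FIPS mode file %s: %v` says the same more plainly.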
@@ -0,0 +1,28 @@
+//go:build !windows && !linux
+// +build !windows,!linux
+
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package utils
+
+import (
+ "github.com/aws/amazon-ecs-agent/ecs-agent/logger"
+)
+
+const FIPSModeFilePath = ""
+
+func DetectFIPSMode(filepath string) bool {
+ logger.Debug("FIPS mode detection is not supported on this platform")
+ return false
+}
diff --git a/agent/utils/fips_windows.go b/agent/utils/fips_windows.go
index 7b8a60f42be..94e7a40ba08 100644
--- a/agent/utils/fips_windows.go
+++ b/agent/utils/fips_windows.go
@@ -1,5 +1,5 @@
-//go:build windows
-// +build windows
+//go:build windows && !linux
+// +build windows,!linux
 
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 //