feature: add a 'fips' feature to crates

add a 'fips' feature to tough crates to enable toggling fips enforcement on crate dependencies. Remove the prebuilt-nasm feature in favor of allowing downstream consumers to set this feature if needed; set PREBUILT_NASM=1 in CI for windows integ testing and split out integ testing fips to a new Makefile rule such that it can be skipped in macos testing Signed-off-by: Gavin Inglis <giinglis@amazon.com>
awslabs · Sep 27, 2024 · 9b4425b · 9b4425b
1 parent bbc3509
commit 9b4425b
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 11 deletions.
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -15,14 +15,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        make_target: ["check-licenses", "build", "integ"]
+        make_target: ["check-licenses", "build", "integ", "integ-fips"]
         os: [ubuntu-latest, windows-latest, macos-latest]
         exclude:
           - os: windows-latest
             make_target: check-licenses
           - os: macos-latest
-            make_target: check-licenses
+            make_target: [check-licenses, integ-fips]
     runs-on: ${{ matrix.os }}
+    env:
+      PREBUILT_NASM: 1
     steps:
       - uses: actions/checkout@v4
       - uses: actions/cache@v4
@@ -33,6 +35,8 @@ jobs:
           key: ${{ hashFiles('.github/cache_bust') }}-${{ runner.os }}-${{ matrix.make_target }}-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: |
             ${{ hashFiles('.github/cache_bust') }}-${{ runner.os }}-${{ matrix.make_target }}
+      - name: Install ninja-build tool
+        uses: seanmiddleditch/gha-setup-ninja@v4
       # print the current rustc. replace stable to pin to a specific toolchain version.
       - run: rustup default stable
       - run: rustup component add rustfmt

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Makefile b/Makefile
@@ -42,4 +42,10 @@ noxious:
 integ: noxious
 	set +e
 	cargo test --manifest-path tough/Cargo.toml --features '' --locked
+	cargo test --manifest-path tough/Cargo.toml --features 'http' --features 'integ' --locked
+
+# tests tough fips features with and without the http feature.
+integ-fips: noxious
+	set +e
+	cargo test --manifest-path tough/Cargo.toml --features 'fips' --locked
 	cargo test --manifest-path tough/Cargo.toml --all-features --locked
diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
@@ -12,10 +12,11 @@ edition = "2018"
 default = ["aws-sdk-rust"]
 aws-sdk-rust = ["aws-sdk-rust-rustls"]
 aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
+fips = ["aws-lc-rs/fips", "tough/fips"]
 
 [dependencies]
 tough = { version = "0.18", path = "../tough", features = ["http"] }
-aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
+aws-lc-rs = "1"
 aws-sdk-kms = "1"
 aws-config = "1"
 snafu = { version = "0.8", features = ["backtraces-impl-backtrace-crate"] }

diff --git a/tough-ssm/Cargo.toml b/tough-ssm/Cargo.toml
@@ -12,6 +12,7 @@ edition = "2018"
 default = ["aws-sdk-rust"]
 aws-sdk-rust = ["aws-sdk-rust-rustls"]
 aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-ssm/rustls"]
+fips = ["tough/fips"]
 
 [dependencies]
 tough = { version = "0.18", path = "../tough", features = ["http"] }

diff --git a/tough/Cargo.toml b/tough/Cargo.toml
@@ -11,7 +11,7 @@ edition = "2018"
 [dependencies]
 async-recursion = "1"
 async-trait = "0.1"
-aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
+aws-lc-rs = "1"
 bytes = "1"
 chrono = { version = "0.4", default-features = false, features = ["std", "alloc", "serde", "clock"] }
 dyn-clone = "1"
@@ -23,7 +23,8 @@ log = "0.4"
 olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
-reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
+reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream", "rustls-tls-native-roots"] }
+rustls = "0.23"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -47,6 +48,7 @@ tokio = { version = "1", features = ["macros", "rt", "rt-multi-thread"] }
 tokio-test = "0.4"
 
 [features]
+fips = ["aws-lc-rs/fips", "rustls/fips"]
 http = ["reqwest"]
 
 # The `integ` feature enables integration tests. These tests require `noxious-server` to be installed on the host.

diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml
@@ -13,10 +13,11 @@ integ = []
 default = ["aws-sdk-rust"]
 aws-sdk-rust = ["aws-sdk-rust-rustls"]
 aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-ssm/rustls", "aws-sdk-kms/rustls", ]
+fips = ["default", "tough/fips", "rustls/fips"]
 
 [dependencies]
 aws-config = "1"
-aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
+aws-lc-rs = "1"
 aws-sdk-kms = "1"
 aws-sdk-ssm = "1"
 chrono = { version = "0.4", default-features = false, features = ["alloc", "std", "clock"] }
@@ -28,6 +29,7 @@ maplit = "1"
 olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls-native-roots"] }
+rustls = "0.23"
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"