Add FIPS disabled components flag

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

README.md

@@ -33,7 +33,7 @@ kubectl apply -f - <<EOF
 apiVersion: opentelemetry.io/v1beta1
 kind: OpenTelemetryCollector
 metadata:
-  name: simplest
+  name: simplest222
 spec:
   config:
     receivers:

apis/v1beta1/collector_webhook.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	ta "github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator/adapters"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 )
@@ -48,6 +49,7 @@ type CollectorWebhook struct {
 	reviewer *rbac.Reviewer
 	metrics  *Metrics
 	bv       BuildValidator
+	fips     fips.FipsCheck
 }
 
 func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error {
@@ -290,6 +292,11 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto
 		return warnings, fmt.Errorf("the OpenTelemetry Collector mode is set to %s, which does not support the attribute 'deploymentUpdateStrategy'", r.Spec.Mode)
 	}
 
+	components := r.Spec.Config.GetEnabledComponents()
+	if notAllowedComponents := c.fips.Check(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil {
+		return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents)
+	}
+
 	return warnings, nil
 }
 
@@ -423,6 +430,7 @@ func NewCollectorWebhook(
 	reviewer *rbac.Reviewer,
 	metrics *Metrics,
 	bv BuildValidator,
+	fips fips.FipsCheck,
 ) *CollectorWebhook {
 	return &CollectorWebhook{
 		logger:   logger,
@@ -431,11 +439,12 @@ func NewCollectorWebhook(
 		reviewer: reviewer,
 		metrics:  metrics,
 		bv:       bv,
+		fips:     fips,
 	}
 }
 
-func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator) error {
-	cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv)
+func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FipsCheck) error {
+	cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv, fipsCheck)
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&OpenTelemetryCollector{}).
 		WithValidator(cvw).

apis/v1beta1/collector_webhook_test.go

@@ -39,6 +39,7 @@ import (
 
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
 	collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
@@ -113,6 +114,7 @@ func TestValidate(t *testing.T) {
 			getReviewer(test.shouldFailSar),
 			nil,
 			bv,
+			fips.NewFipsCheck(nil, nil, nil, nil),
 		)
 		t.Run(tt.name, func(t *testing.T) {
 			tt := tt
@@ -494,6 +496,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			err := cvw.Default(ctx, &test.otelcol)
@@ -1285,6 +1288,7 @@ func TestOTELColValidatingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateCreate(ctx, &test.otelcol)
@@ -1352,6 +1356,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew)

apis/v1beta1/config.go

@@ -41,6 +41,7 @@ const (
 	KindReceiver ComponentKind = iota
 	KindExporter
 	KindProcessor
+	KindExtension
 )
 
 func (c ComponentKind) String() string {
@@ -108,7 +109,14 @@ func (c *Config) GetEnabledComponents() map[ComponentKind]map[string]interface{}
 		KindReceiver:  {},
 		KindProcessor: {},
 		KindExporter:  {},
+		KindExtension: {},
 	}
+	if c.Service.Extensions != nil {
+		for _, extension := range *c.Service.Extensions {
+			toReturn[KindExtension][extension] = struct{}{}
+		}
+	}
+
 	for _, pipeline := range c.Service.Pipelines {
 		if pipeline == nil {
 			continue

apis/v1beta1/config_test.go

@@ -304,6 +304,7 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 					"bar":   struct{}{},
 					"count": struct{}{},
 				},
+				KindExtension: {},
 			},
 		},
 		{
@@ -321,6 +322,7 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 				KindExporter: {
 					"prometheus": struct{}{},
 				},
+				KindExtension: {},
 			},
 		},
 		{
@@ -339,6 +341,11 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 					"otlp":       struct{}{},
 					"prometheus": struct{}{},
 				},
+				KindExtension: {
+					"pprof":        struct{}{},
+					"zpages":       struct{}{},
+					"health_check": struct{}{},
+				},
 			},
 		},
 		{
@@ -352,6 +359,9 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 				KindExporter: {
 					"otlp/auth": struct{}{},
 				},
+				KindExtension: {
+					"oauth2client": struct{}{},
+				},
 			},
 		},
 		{
@@ -365,6 +375,7 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 				KindExporter: {
 					"debug": struct{}{},
 				},
+				KindExtension: {},
 			},
 		},
 		{
@@ -374,6 +385,7 @@ func TestConfig_GetEnabledComponents(t *testing.T) {
 				KindReceiver:  {},
 				KindProcessor: {},
 				KindExporter:  {},
+				KindExtension: {},
 			},
 		},
 	}

controllers/suite_test.go

@@ -59,6 +59,7 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
 	autoRBAC "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector/testdata"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils"
@@ -178,7 +179,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}

internal/fips/check.go

@@ -0,0 +1,102 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+)
+
+const fipsFile = "/proc/sys/crypto/fips_enabled"
+
+// FipsCheck holds configuration for FIPS black list.
+type FipsCheck struct {
+	isFIPSEnabled bool
+
+	receivers  map[string]bool
+	exporters  map[string]bool
+	processors map[string]bool
+	extensions map[string]bool
+}
+
+// NewFipsCheck creates new FipsCheck.
+// It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled
+func NewFipsCheck(receivers, exporters, processors, extensions []string) FipsCheck {
+	return FipsCheck{
+		isFIPSEnabled: isFipsEnabled(),
+		receivers:     listToMap(receivers),
+		exporters:     listToMap(exporters),
+		processors:    listToMap(processors),
+		extensions:    listToMap(extensions),
+	}
+}
+
+func listToMap(list []string) map[string]bool {
+	m := map[string]bool{}
+	for _, v := range list {
+		m[v] = true
+	}
+	return m
+}
+
+// Check checks if a submitted components are back lister or not.
+func (fips FipsCheck) Check(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
+	if !fips.isFIPSEnabled {
+		return nil
+	}
+	var disabled []string
+	if comp := isBlackListed(fips.receivers, receivers); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.exporters, exporters); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.processors, processors); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.extensions, extensions); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	return disabled
+}
+
+func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) string {
+	for id, _ := range cfg {
+		component := strings.Split(id, "/")[0]
+		if blackListed[component] {
+			return component
+		}
+	}
+	return ""
+}
+
+func isFipsEnabled() bool {
+	// check if file exists
+	if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
+		fmt.Println("fips file doesn't exist")
+		return false
+	}
+	content, err := os.ReadFile(fipsFile)
+	if err != nil {
+		// file cannot be read, enable FIPS to avoid any violations
+		fmt.Println("cannot read fips file")
+		return true
+	}
+	contentStr := string(content)
+	contentStr = strings.TrimSpace(contentStr)
+	return contentStr == "1"
+}

internal/fips/check_test.go

@@ -0,0 +1,39 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFipsCheck(t *testing.T) {
+	fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"})
+	assert.Equal(t, map[string]bool{"rec1": true, "rec2": true}, fipsCheck.receivers)
+	assert.Equal(t, map[string]bool{"exp1": true}, fipsCheck.exporters)
+	assert.Equal(t, map[string]bool{"processor": true}, fipsCheck.processors)
+	assert.Equal(t, map[string]bool{"ext1": true}, fipsCheck.extensions)
+
+	// test machine probably does not have this enabled
+	fipsCheck.isFIPSEnabled = true
+	blocked := fipsCheck.Check(
+		map[string]interface{}{"otlp": true, "rec1/my": true},
+		map[string]interface{}{"exp1": true},
+		map[string]interface{}{"processor": true},
+		map[string]interface{}{"ext1": true})
+
+	assert.Equal(t, []string{"rec1", "exp1", "processor", "ext1"}, blocked)
+}

internal/webhook/podmutation/webhookhandler_suite_test.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"net"
 	"os"
 	"path/filepath"
@@ -105,7 +106,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}