Fix

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

apis/v1beta1/collector_webhook.go

@@ -49,7 +49,7 @@ type CollectorWebhook struct {
 	reviewer *rbac.Reviewer
 	metrics  *Metrics
 	bv       BuildValidator
-	fips     fips.FipsCheck
+	fips     fips.FIPSCheck
 }
 
 func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error {
@@ -293,7 +293,7 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto
 	}
 
 	components := r.Spec.Config.GetEnabledComponents()
-	if notAllowedComponents := c.fips.Check(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil {
+	if notAllowedComponents := c.fips.DisabledComponents(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil {
 		return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents)
 	}
 
@@ -430,7 +430,7 @@ func NewCollectorWebhook(
 	reviewer *rbac.Reviewer,
 	metrics *Metrics,
 	bv BuildValidator,
-	fips fips.FipsCheck,
+	fips fips.FIPSCheck,
 ) *CollectorWebhook {
 	return &CollectorWebhook{
 		logger:   logger,
@@ -443,7 +443,7 @@ func NewCollectorWebhook(
 	}
 }
 
-func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FipsCheck) error {
+func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FIPSCheck) error {
 	cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv, fipsCheck)
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&OpenTelemetryCollector{}).

apis/v1beta1/collector_webhook_test.go

@@ -114,7 +114,7 @@ func TestValidate(t *testing.T) {
 			getReviewer(test.shouldFailSar),
 			nil,
 			bv,
-			fips.NewFipsCheck(nil, nil, nil, nil),
+			fips.NewFipsCheck(false, nil, nil, nil, nil),
 		)
 		t.Run(tt.name, func(t *testing.T) {
 			tt := tt
@@ -496,7 +496,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
-				fips.NewFipsCheck(nil, nil, nil, nil),
+				fips.NewFipsCheck(false, nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			err := cvw.Default(ctx, &test.otelcol)
@@ -1288,7 +1288,7 @@ func TestOTELColValidatingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
-				fips.NewFipsCheck(nil, nil, nil, nil),
+				fips.NewFipsCheck(false, nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateCreate(ctx, &test.otelcol)
@@ -1356,7 +1356,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
-				fips.NewFipsCheck(nil, nil, nil, nil),
+				fips.NewFipsCheck(false, nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew)

controllers/suite_test.go

@@ -103,6 +103,10 @@ type mockAutoDetect struct {
 	RBACPermissionsFunc             func(ctx context.Context) (autoRBAC.Availability, error)
 }
 
+func (m *mockAutoDetect) FIPSEnabled(ctx context.Context) bool {
+	return false
+}
+
 func (m *mockAutoDetect) PrometheusCRsAvailability() (prometheus.Availability, error) {
 	if m.PrometheusCRsAvailabilityFunc != nil {
 		return m.PrometheusCRsAvailabilityFunc()
@@ -179,7 +183,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}

internal/autodetect/fips/fipsautodetect.go

@@ -0,0 +1,39 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+	"errors"
+	"os"
+	"strings"
+)
+
+const fipsFile = "/proc/sys/crypto/fips_enabled"
+
+// IsFipsEnabled checks whether FIPS is enabled on the platform.
+func IsFipsEnabled() bool {
+	// check if file exists
+	if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
+		return false
+	}
+	content, err := os.ReadFile(fipsFile)
+	if err != nil {
+		// file cannot be read, enable FIPS to avoid any violations
+		return true
+	}
+	contentStr := string(content)
+	contentStr = strings.TrimSpace(contentStr)
+	return contentStr == "1"
+}

internal/autodetect/main.go

@@ -18,6 +18,7 @@ package autodetect
 import (
 	"context"
 	"fmt"
+	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/fips"
 
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/rest"
@@ -35,6 +36,7 @@ type AutoDetect interface {
 	OpenShiftRoutesAvailability() (openshift.RoutesAvailability, error)
 	PrometheusCRsAvailability() (prometheus.Availability, error)
 	RBACPermissions(ctx context.Context) (autoRBAC.Availability, error)
+	FIPSEnabled(ctx context.Context) bool
 }
 
 type autoDetect struct {
@@ -122,3 +124,7 @@ func (a *autoDetect) RBACPermissions(ctx context.Context) (autoRBAC.Availability
 
 	return autoRBAC.Available, nil
 }
+
+func (a *autoDetect) FIPSEnabled(_ context.Context) bool {
+	return fips.IsFipsEnabled()
+}

internal/config/main_test.go

@@ -82,6 +82,10 @@ type mockAutoDetect struct {
 	RBACPermissionsFunc             func(ctx context.Context) (rbac.Availability, error)
 }
 
+func (m *mockAutoDetect) FIPSEnabled(_ context.Context) bool {
+	return false
+}
+
 func (m *mockAutoDetect) OpenShiftRoutesAvailability() (openshift.RoutesAvailability, error) {
 	if m.OpenShiftRoutesAvailabilityFunc != nil {
 		return m.OpenShiftRoutesAvailabilityFunc()

internal/fips/check.go internal/fips/fipscheck.go

@@ -15,16 +15,15 @@
 package fips
 
 import (
-	"errors"
-	"fmt"
-	"os"
 	"strings"
 )
 
-const fipsFile = "/proc/sys/crypto/fips_enabled"
+type FIPSCheck interface {
+	DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string
+}
 
 // FipsCheck holds configuration for FIPS black list.
-type FipsCheck struct {
+type fipsCheck struct {
 	isFIPSEnabled bool
 
 	receivers  map[string]bool
@@ -33,15 +32,24 @@ type FipsCheck struct {
 	extensions map[string]bool
 }
 
+type noopFIPSCheck struct{}
+
+func (noopFIPSCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
+	return nil
+}
+
 // NewFipsCheck creates new FipsCheck.
 // It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled.
-func NewFipsCheck(receivers, exporters, processors, extensions []string) FipsCheck {
-	return FipsCheck{
-		isFIPSEnabled: isFipsEnabled(),
-		receivers:     listToMap(receivers),
-		exporters:     listToMap(exporters),
-		processors:    listToMap(processors),
-		extensions:    listToMap(extensions),
+func NewFipsCheck(FIPSEnabled bool, receivers, exporters, processors, extensions []string) FIPSCheck {
+	if !FIPSEnabled {
+		return &noopFIPSCheck{}
+	}
+
+	return &fipsCheck{
+		receivers:  listToMap(receivers),
+		exporters:  listToMap(exporters),
+		processors: listToMap(processors),
+		extensions: listToMap(extensions),
 	}
 }
 
@@ -54,27 +62,24 @@ func listToMap(list []string) map[string]bool {
 }
 
 // Check checks if a submitted components are back lister or not.
-func (fips FipsCheck) Check(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
-	if !fips.isFIPSEnabled {
-		return nil
-	}
+func (fips fipsCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
 	var disabled []string
-	if comp := isBlackListed(fips.receivers, receivers); comp != "" {
+	if comp := isDisabled(fips.receivers, receivers); comp != "" {
 		disabled = append(disabled, comp)
 	}
-	if comp := isBlackListed(fips.exporters, exporters); comp != "" {
+	if comp := isDisabled(fips.exporters, exporters); comp != "" {
 		disabled = append(disabled, comp)
 	}
-	if comp := isBlackListed(fips.processors, processors); comp != "" {
+	if comp := isDisabled(fips.processors, processors); comp != "" {
 		disabled = append(disabled, comp)
 	}
-	if comp := isBlackListed(fips.extensions, extensions); comp != "" {
+	if comp := isDisabled(fips.extensions, extensions); comp != "" {
 		disabled = append(disabled, comp)
 	}
 	return disabled
 }
 
-func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) string {
+func isDisabled(blackListed map[string]bool, cfg map[string]interface{}) string {
 	for id := range cfg {
 		component := strings.Split(id, "/")[0]
 		if blackListed[component] {
@@ -83,20 +88,3 @@ func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) stri
 	}
 	return ""
 }
-
-func isFipsEnabled() bool {
-	// check if file exists
-	if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
-		fmt.Println("fips file doesn't exist")
-		return false
-	}
-	content, err := os.ReadFile(fipsFile)
-	if err != nil {
-		// file cannot be read, enable FIPS to avoid any violations
-		fmt.Println("cannot read fips file")
-		return true
-	}
-	contentStr := string(content)
-	contentStr = strings.TrimSpace(contentStr)
-	return contentStr == "1"
-}

internal/fips/check_test.go internal/fips/fipscheck_test.go

@@ -21,15 +21,8 @@ import (
 )
 
 func TestFipsCheck(t *testing.T) {
-	fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"})
-	assert.Equal(t, map[string]bool{"rec1": true, "rec2": true}, fipsCheck.receivers)
-	assert.Equal(t, map[string]bool{"exp1": true}, fipsCheck.exporters)
-	assert.Equal(t, map[string]bool{"processor": true}, fipsCheck.processors)
-	assert.Equal(t, map[string]bool{"ext1": true}, fipsCheck.extensions)
-
-	// test machine probably does not have this enabled
-	fipsCheck.isFIPSEnabled = true
-	blocked := fipsCheck.Check(
+	fipsCheck := NewFipsCheck(true, []string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"})
+	blocked := fipsCheck.DisabledComponents(
 		map[string]interface{}{"otlp": true, "rec1/my": true},
 		map[string]interface{}{"exp1": true},
 		map[string]interface{}{"processor": true},

internal/webhook/podmutation/webhookhandler_suite_test.go

@@ -106,7 +106,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}

main.go

@@ -442,8 +442,8 @@ func main() {
 		}
 
 		receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents)
-		fipsCheck := fips.NewFipsCheck(receivers, exporters, processors, extensions)
 		logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions)
+		fipsCheck := fips.NewFipsCheck(ad.FIPSEnabled(ctx), receivers, exporters, processors, extensions)
 		if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv, fipsCheck); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "OpenTelemetryCollector")
 			os.Exit(1)

pkg/collector/upgrade/suite_test.go

@@ -106,7 +106,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}