test: add job to check openssl symbols in agent binaries

Signed-off-by: Nicolas Guerguadj <nicolas.guerguadj@datadoghq.com>
DataDog · Aug 22, 2024 · ce45213 · ce45213
1 parent 709ea0f
commit ce45213
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -75,6 +75,7 @@ stages:
   - benchmarks
   - package_build
   - packaging
+  - check_fips_compliance
   - pkg_metrics
   - kitchen_deploy
   - kitchen_testing

diff --git a/.gitlab/fips_compliance/check_binary_symbols.yml b/.gitlab/fips_compliance/check_binary_symbols.yml
@@ -0,0 +1,18 @@
+---
+
+# maybe do invoke tasks instead
+check_binary_symbols:
+  stage: fips_compliance
+  image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/ci/datadog-agent-buildimages/deb_x64$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  rules:
+    - when: always
+      allow_failure: true
+  script:
+    - ls -l $OMNIBUS_PACKAGE_DIR/
+    - ls -l $OMNIBUS_PACKAGE_DIR/datadog-agent-dbg*amd64.deb
+    - tar -xvf $OMNIBUS_PACKAGE_DIR/datadog-agent-dbg*amd64.deb
+    - tar -xvf data.tar.xz ./opt/datadog-agent/.debug/opt/datadog-agent/bin/agent/agent.dbg
+    - $CI_PROJECT_DIR/tools/fips/verify_binary_symbols.sh ./opt/datadog-agent/.debug/opt/datadog-agent/bin/agent/agent.dbg
+  dependencies:
+    - agent_deb-x64-a7
diff --git a/tools/fips/check_binary_symbols.sh b/tools/fips/check_binary_symbols.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+go tool nm "$1" > tags.txt
+
+# TODO: support windows as well
+count=$(grep -c '_Cfunc_go_openssl' tags.txt)
+
+if [ "$count" -eq 0 ]; then
+    echo "Error: Symbol '_Cfunc_go_openssl' not found in binary."
+    exit 1
+else
+    echo "Success: Symbol '_Cfunc_go_openssl' found $count times in binary."
+fi