Enable CI for clang with FIPS mode. (#199)

* enable CI for clang with FIPS mode Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]> * fix Signed-off-by: Shikugawa <[email protected]>
istio-ecosystem · Dec 2, 2021 · 60dadd6 · 60dadd6
1 parent 0f0c186
commit 60dadd6
Show file tree

Hide file tree

Showing 20 changed files with 122 additions and 79 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -15,14 +15,11 @@ jobs:
     - uses: actions/checkout@v1
     - name: Setup clang-format
       run: |
-        wget https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-        tar -xvf clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-        sudo mv ./clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04/bin/clang-format /usr/local/bin
-        rm -rf clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04/
+        sudo sh -c ${PWD}/bazel/install-clang-ci.sh
         git clone https://github.com/Sarcasm/run-clang-format.git
     - name: Run clang-format
-      run: find ./ -iname "*.h" -o -iname "*.cc" | xargs ./run-clang-format/run-clang-format.py
-  build:
+      run: find ./ -iname "*.h" -o -iname "*.cc" | xargs ./run-clang-format/run-clang-format.py --clang-format-executable=/opt/llvm/bin/clang-format
+  gcc-test:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1
@@ -34,3 +31,19 @@ jobs:
       run: |
        sudo chmod -R a+rxw /home
        make test
+  clang-fips-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: Setup Bazel
+      run: sudo build/install-bazel.sh
+    - name: Install dependencies
+      run: sudo apt-get update && sudo apt-get -y install make cmake ninja-build build-essential
+    - name: Setup clang
+      run: |
+        sudo sh -c ${PWD}/bazel/install-clang-ci.sh
+        bazel/setup_clang.sh /opt/llvm
+    - name: make test
+      run: |
+        sudo chmod -R a+rxw /home
+        BAZEL_FLAGS="--config=clang --define=boringssl=fips" make test
diff --git a/bazel/bazel.bzl b/bazel/bazel.bzl
@@ -1,9 +1,23 @@
 # Wrappers around native build recipes to enforce consistent use of flags and build variables.
 
+load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test")
+
 _DEFAULT_COPTS = ["-Wall", "-Wextra"]
 
-def xx_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = []):
-    native.cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs)
+def authsvc_cc_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = [], visibility = None):
+    cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs, visibility = visibility)
+
+def authsvc_cc_binary(name, deps = [], srcs = [], copts = [], defines = []):
+    cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)
 
-def xx_binary(name, deps = [], srcs = [], copts = [], defines = []):
-    native.cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)
+def authsvc_cc_test(name, deps = [], srcs = [], data = []):
+    cc_test(
+        name = name,
+        deps = deps,
+        srcs = srcs,
+        data = data,
+        # We choose to use static link because boringssl FIPS build seem not be able
+        # to resolved for unit test,
+        # https://gist.github.com/Shikugawa/0ff7ef056cf6fdb2605ad81fcb0be814 (optional)
+        linkstatic = True,
+    )
diff --git a/bazel/install-clang-ci.sh b/bazel/install-clang-ci.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+LLVM_VERSION=12.0.0
+LLVM_TAR=clang+llvm-${LLVM_VERSION}-x86_64-linux-gnu-ubuntu-20.04.tar.xz
+TARGET_DST=/opt/llvm
+
+wget https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VERSION}/${LLVM_TAR}
+
+if [[ ! -e "${TARGET_DST}" ]]; then
+  mkdir -p ${TARGET_DST}
+fi
+
+tar -xvf ${LLVM_TAR} -C ${TARGET_DST} --strip-components 1
diff --git a/src/common/http/BUILD b/src/common/http/BUILD
@@ -1,9 +1,9 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "http",
     srcs = ["http.cc"],
     hdrs = [

diff --git a/src/common/session/BUILD b/src/common/session/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "session_string_generator",
     srcs = [
         "session_string_generator.cc",

diff --git a/src/common/utilities/BUILD b/src/common/utilities/BUILD
@@ -1,9 +1,9 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "random",
     srcs = ["random.cc"],
     hdrs = ["random.h"],
@@ -14,22 +14,22 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "time_service",
     srcs = ["time_service.cc"],
     hdrs = ["time_service.h"],
     deps = [
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "synchronized",
     hdrs = ["synchronized.h"],
     deps = [
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "trigger_rules",
     srcs = ["trigger_rules.cc"],
     hdrs = ["trigger_rules.h"],

diff --git a/src/config/BUILD b/src/config/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "config",
     srcs = ["get_config.cc"],
     hdrs = [

diff --git a/src/filters/BUILD b/src/filters/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "filter",
     srcs = [],
     hdrs = ["filter.h"],
@@ -14,7 +14,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "pipe",
     srcs = ["pipe.cc"],
     hdrs = ["pipe.h"],
@@ -24,15 +24,15 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "filter_factory",
     hdrs = ["filter_factory.h"],
     deps = [
         ":pipe",
     ]
 )
 
-xx_library(
+authsvc_cc_library(
     name = "filter_chain",
     srcs = [
         "filter_chain.cc",

diff --git a/src/filters/mock/BUILD b/src/filters/mock/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "mock_filter",
     srcs = ["mock_filter.cc"],
     hdrs = ["mock_filter.h"],

diff --git a/src/filters/oidc/BUILD b/src/filters/oidc/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_library")
+load("//bazel:bazel.bzl", "authsvc_cc_library")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_library(
+authsvc_cc_library(
     name = "token_response",
     srcs = ["token_response.cc"],
     hdrs = ["token_response.h"],
@@ -16,7 +16,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "authorization_state",
     srcs = ["authorization_state.cc"],
     hdrs = ["authorization_state.h"],
@@ -26,15 +26,15 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "session_store_factory",
     hdrs = ["session_store_factory.h"],
     deps = [
         "//config:config_cc",
     ]
 )
 
-xx_library(
+authsvc_cc_library(
     name = "in_memory_session_store",
     srcs = ["in_memory_session_store.cc"],
     hdrs = ["in_memory_session_store.h", "session_store.h"],
@@ -51,7 +51,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "session_store",
     srcs = [],
     hdrs = ["session_store.h"],
@@ -63,7 +63,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "redis_session_store",
     srcs = ["redis_session_store.cc"],
     hdrs = ["redis_session_store.h", "session_store.h"],
@@ -82,7 +82,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "redis_wrapper",
     srcs = ["redis_wrapper.cc"],
     hdrs = ["redis_wrapper.h"],
@@ -96,7 +96,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "redis_retry_wrapper",
     srcs = ["redis_retry_wrapper.cc"],
     hdrs = ["redis_retry_wrapper.h"],
@@ -109,7 +109,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "jwks_resolver",
     srcs = ["jwks_resolver.cc"],
     hdrs = ["jwks_resolver.h"],
@@ -122,7 +122,7 @@ xx_library(
     ],
 )
 
-xx_library(
+authsvc_cc_library(
     name = "jwt_verifier",
     srcs = ["jwt_verifier.cc"],
     hdrs = ["jwt_verifier.h"],
@@ -138,7 +138,7 @@ xx_library(
     ]
 )
 
-xx_library(
+authsvc_cc_library(
     name = "oidc_filter",
     srcs = ["oidc_filter.cc"],
     hdrs = ["oidc_filter.h"],

diff --git a/src/main/BUILD b/src/main/BUILD
@@ -1,8 +1,8 @@
-load("//bazel:bazel.bzl", "xx_binary")
+load("//bazel:bazel.bzl", "authsvc_cc_binary")
 
 package(default_visibility = ["//visibility:public"])
 
-xx_binary(
+authsvc_cc_binary(
     name = "auth_server",
     srcs = ["auth_server.cc"],
     deps = [

diff --git a/src/service/BUILD b/src/service/BUILD
@@ -1,6 +1,8 @@
+load("//bazel:bazel.bzl", "authsvc_cc_library")
+
 package(default_visibility = ["//visibility:public"])
 
-cc_library(
+authsvc_cc_library(
     name = "healthcheck_http_server_lib",
     hdrs = [
         "healthcheck_http_server.h"
@@ -14,7 +16,7 @@ cc_library(
     ]
 )
 
-cc_library(
+authsvc_cc_library(
     name = "serviceimpl",
     srcs = [
         "async_service_impl.cc",

diff --git a/test/common/http/BUILD b/test/common/http/BUILD
@@ -1,4 +1,6 @@
-cc_library(
+load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library")
+
+authsvc_cc_library(
     name = "mocks",
     hdrs = ["mocks.h"],
     visibility = ["//test:__subpackages__"],
@@ -8,7 +10,7 @@ cc_library(
     ],
 )
 
-cc_test(
+authsvc_cc_test(
     name = "http_test",
     srcs = ["http_test.cc"],
     deps = [
@@ -17,5 +19,4 @@ cc_test(
         "@com_github_grpc_grpc//:grpc++",
         "@com_google_googletest//:gtest_main",
     ],
-    linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS
 )
diff --git a/test/common/session/BUILD b/test/common/session/BUILD
@@ -1,4 +1,6 @@
-cc_library(
+load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library")
+
+authsvc_cc_library(
     name = "mocks",
     hdrs = ["mocks.h"],
     visibility = ["//test:__subpackages__"],
@@ -7,12 +9,11 @@ cc_library(
     ],
 )
 
-cc_test(
+authsvc_cc_test(
     name = "session_string_generator_test",
     srcs = ["session_string_generator_test.cc"],
     deps = [
         "//src/common/session:session_string_generator",
         "@com_google_googletest//:gtest_main",
     ],
-    linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS
 )