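# syntax=docker/dockerfile:1
FROM ubuntu:24.04

#### OPENSSL STUFF ####
# Version of the OpenSSL source tree to build; the FIPS provider is built from it.
ARG OPENSSL_VERSION=3.0.8
# SHA-256 of openssl-${OPENSSL_VERSION}.tar.gz, supplied out of band with
# --build-arg OPENSSL_SHA256=<hash from the release / FIPS security policy>.
# When left empty the download is NOT verified and the build only warns.
ARG OPENSSL_SHA256=""
# Unpacked source tree; `make test` and the in-tree checks run from here.
ARG OPENSSL_SRC=/openssl-${OPENSSL_VERSION}

# Toolchain for both the OpenSSL and the CPython build, in a single layer with
# recommends disabled and the apt lists dropped so they do not persist in the image.
# ca-certificates is listed explicitly because wget only *recommends* it.
# libssl-dev is deliberately NOT installed: Ubuntu's OpenSSL headers in /usr/include
# would compete with the custom build in /usr/local.
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        gcc \
        libc-dev \
        libffi-dev \
        make \
        perl \
        vim \
        wget \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

# Download, (optionally) verify, build and install OpenSSL with the FIPS provider.
# install_sw + install_ssldirs is `make install` minus the man pages; install_fips
# installs fips.so and generates /usr/local/ssl/fipsmodule.cnf. ldconfig afterwards
# makes /usr/local/lib visible to the loader, so /usr/local/bin/openssl picks up the
# freshly built libcrypto rather than the distribution one.
WORKDIR /
RUN <<EOF
set -eux
wget -O "openssl-${OPENSSL_VERSION}.tar.gz" "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
if [ -n "${OPENSSL_SHA256}" ]; then
    echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -
else
    echo "WARNING: OPENSSL_SHA256 not set; tarball integrity NOT verified" >&2
fi
tar -xf "openssl-${OPENSSL_VERSION}.tar.gz"
cd "${OPENSSL_SRC}"
./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl
make -j"$(nproc)"
make install_sw install_ssldirs
make install_fips
ldconfig
EOF

# As per documentation, the self-tests have to be run on every machine that uses
# openssl in FIPS mode, so they are run here rather than skipped.
WORKDIR ${OPENSSL_SRC}
RUN make test

# Sanity check of the *installed* binary: /usr/local/bin already precedes /usr/bin on
# the image's default PATH, so no PATH change is needed. OPENSSLDIR should read
# /usr/local/ssl; if it reports the distribution location, the distribution
# libcrypto is still being loaded (ldconfig above is meant to prevent that).
RUN openssl version -a

# FIPS provider configuration, see
# https://www.openssl.org/docs/manmaster/man7/fips_module.html
# Written via a heredoc rather than `echo -e`: /bin/sh on Ubuntu is dash, whose
# echo has no -e option and would emit a literal "-e " at the start of the first line.
# NOTE(review): the fragment is appended to the stock openssl.cnf as before. Keys
# outside a [section] only count in the unnamed top section, so the two leading
# keys below are effective only because the stock file already sets
# openssl_conf = openssl_init at its top; the [section] entries merge. Confirm with
# the `openssl list -providers` check that follows.
COPY <<'EOF' /usr/local/ssl/fips-provider.cnf

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
RUN cat /usr/local/ssl/fips-provider.cnf >> /usr/local/ssl/openssl.cnf \
    && openssl list -providers

#### PYTHON STUFF ####
# CPython version to build; override with --build-arg PYTHON_VERSION=...
ARG PYTHON_VERSION=3.12.2
# Optional SHA-256 of Python-${PYTHON_VERSION}.tgz from python.org; verified when set.
ARG PYTHON_SHA256=""

# Download, build and install CPython against the OpenSSL built above, then drop the
# sources in the same layer. --with-openssl expects the *installed* prefix (include/
# plus lib/), not the source tree; --with-openssl-rpath=auto records /usr/local/lib
# in _ssl/_hashlib so the custom libcrypto is loaded even without ldconfig.
WORKDIR /opt
RUN <<EOF
set -eux
wget -O "Python-${PYTHON_VERSION}.tgz" "https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz"
if [ -n "${PYTHON_SHA256}" ]; then
    echo "${PYTHON_SHA256}  Python-${PYTHON_VERSION}.tgz" | sha256sum -c -
else
    echo "WARNING: PYTHON_SHA256 not set; tarball integrity NOT verified" >&2
fi
tar xzf "Python-${PYTHON_VERSION}.tgz"
cd "Python-${PYTHON_VERSION}"
./configure --prefix=/usr/local \
    --with-openssl=/usr/local \
    --with-openssl-rpath=auto \
    --with-ensurepip=install
make -j"$(nproc)"
make install
cd /opt
rm -rf "Python-${PYTHON_VERSION}.tgz" "Python-${PYTHON_VERSION}"
EOF

# TODO pin a cryptography version once one is chosen.
# NOTE(review): the cryptography wheel from PyPI ships its own statically linked
# OpenSSL, so it never sees the FIPS provider built above and `_fips_enabled` stays
# False regardless of the system configuration. Linking it against /usr/local means
# building from source (`pip install --no-binary cryptography cryptography`, which
# additionally needs rustc/cargo and pkg-config) — to be confirmed as the next step.
RUN python3 -m pip install --no-cache-dir cryptography

# Smoke test everyone uses: ask cryptography's backend whether its OpenSSL runs in
# FIPS mode. `_fips_enabled` is a private attribute, hence the AttributeError fallback.
COPY <<'EOF' /is_fips_enabled.py
from cryptography.hazmat.backends import default_backend


def is_fips_enabled():
    try:
        backend = default_backend()
        return backend._fips_enabled
    except AttributeError:
        return False


print(f"IS FIPS ENABLED? {is_fips_enabled()}")
EOF

# Which interpreter and which OpenSSL are actually in use (`python3 -v` is the
# import tracer, not the version flag), then the FIPS check itself.
WORKDIR /
RUN which python3 \
    && python3 -VV \
    && python3 -c "import ssl; print(ssl.OPENSSL_VERSION)" \
    && python3 /is_fips_enabled.py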