darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-05-26 08:08:17 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
045fd4fe6f52dea4cd6de0725c1afef3f97211b2
notifications-api/dockerfile_alpine.txt

177 lines
5.0 KiB
Plaintext
Raw Blame History

FROM alpine:3.19
#### OPENSSL STUFF ####
ARG OPENSSL_VERSION=3.0.8
# Make the fips module using FIPS-approved openssl 3.0.8
RUN apk add --no-cache --virtual .build-deps \
make gcc libgcc musl-dev linux-headers perl vim \
&& wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \
&& tar -xf openssl-${OPENSSL_VERSION}.tar.gz\
&& cd openssl-${OPENSSL_VERSION} \
&& ./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl \
&& make \
&& make install \
&& make install_fips
# && apk del .build-deps \
# && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION}
# Add openssl to the path
ENV PATH="${PATH}:/usr/local/bin"
# As per documentation, tests have to be run on every machine that uses
# openssl in FIPS mode
WORKDIR "/openssl-3.0.8"
RUN make tests
# TODO NOTE that we are running tests against /openssl-3.0.8 and not
# against /usr/local/bin. Something is wrong with /usr/local/bin still!
# TODO why does this say "/etc/ssl" and not "/usr/local/ssl"?
RUN echo "GET THE CONF DIRECTORY HERE"
RUN openssl version -d
# See https://www.openssl.org/docs/manmaster/man7/fips_module.html
RUN echo -e '\
config_diagnostics = 1\n\
openssl_conf = openssl_init\n\
\n\
.include /usr/local/ssl/fipsmodule.cnf\n\
\n\
[openssl_init]\n\
providers = provider_sect\n\
alg_section = algorithm_sect\n\
\n\
[provider_sect]\n\
fips = fips_sect\n\
default = default_sect\n\
\n\
[default_sect]\n\
activate = 1\n\
\n\
[algorithm_sect]\n\
default_properties = fips=yes'\
>> /usr/local/ssl/openssl.cnf
# Just to look at what you think you wrote
# RUN cat /usr/local/ssl/openssl.cnf
# This tells us what versions of openssl we have and if any are FIPs providers
RUN echo "looking /openssl-3.0.8"
WORKDIR "/openssl-3.0.8"
RUN ls -l
RUN ./util/wrap.pl -fips apps/openssl list -provider-path providers -provider fips -providers
#### PYTHON STUFF ####
# TODO Note that python does not build successfully with the version of openssl we made above
# It will build successful with a default installation of openssl
# The failure says we are missing a half dozen library files with names like lib-devz and lib-zdev, etc.
# But trying to apk add the listed files results in the same error
# you can specify python version during image build
ARG PYTHON_VERSION=3.12.2
WORKDIR "/"
# install build dependencies and needed tools
RUN apk add \
wget \
gcc \
make \
zlib-dev \
libffi-dev \
openssl-dev \
musl-dev
# download and extract python sources
RUN cd /opt \
&& wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz \
&& tar xzf Python-${PYTHON_VERSION}.tgz
# build python and remove left-over sources
RUN cd /opt/Python-${PYTHON_VERSION} \
&& ./configure --prefix=/usr/local --with-openssl=/openssl-3.0.8 -with-ensurepip=install \
&& make install \
&& rm /opt/Python-${PYTHON_VERSION}.tgz /opt/Python-${PYTHON_VERSION} -rf
# python doesn't come with cryptography by default so make a fake requirements.txt file to pull
# cryptography in
RUN echo -e '\
cryptography == 42.0.0'\
>> ./requirements.txt
RUN pip3 install -r ./requirements.txt
# This is a little test everyone uses to see if cryptography is fips-enabled
RUN echo -e '\
from cryptography.hazmat.backends import default_backend\n\
def is_fips_enabled():\n\
try:\n\
backend = default_backend()\n\
fips_mode = backend._fips_enabled\n\
return fips_mode\n\
except AttributeError:\n\
return False\n\
print(f"IS FIPS ENABLED? {is_fips_enabled()}")'\
>> ./is_fips_enabled.py
RUN echo "TRYING TO RUN is_fips_enabled.py"
RUN python3 ./is_fips_enabled.py
# Abandoned effort to just build cryptography
# It seems like we can't install cryptography until we install python, because we need pip
#Try to build cryptography https://cryptography.io/en/latest/installation/
# RUN apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo pkgconfig
# RUN apk add py3-pip
# RUN pip3 install cryptography --no-binary cryptography
# RUN pip3 wheel --no-cache-dir --no-binary cryptography cryptography
# TODO in theory if we could retrieve this wheel somehow, we could
# put it somewhere and notifications-utils could pull down this
# version of cartography. And if we did that, our app might be FIPS-compliant
# TODO NEED TO GET PIP INSTALLED SOMEHOW\
# RUN apk add --no-cache curl gcc python3 musl-dev python3 py3-pip libffi-dev openssl-dev git python3-dev
# Break system packages to avoid 'system is externally managed' error
# We don't care about this system, and we don't care about poetry
# We are just using it to generate a cryptography wheel
# RUN pip install poetry --break-system-packages
# ENV OPENSSL_FIPS=1
# RUN git clone https://github.com/pyca/cryptography.git
# RUN cd cryptography
# RUN ls -l
# WORKDIR /cryptography
# RUN poetry build
# RUN echo "WTF"
# RUN ls -l
# RUN apk del gcc musl-dev libffi-dev openssl-dev git python3-dev && \
# rm -rf /var/cache/apk/*
# WORKDIR /wheels
# CMD ["cp", "-r", ".", "/target"]
# docker run --rm -v "$(pwd)/wheels:/target" cryptography-builder
Reference in New Issue View Git Blame Copy Permalink