From 60dadd6181bfcac88374d5f944954b35e69d9921 Mon Sep 17 00:00:00 2001 From: Rei Shimizu Date: Thu, 2 Dec 2021 15:39:31 +0900 Subject: [PATCH] Enable CI for clang with FIPS mode. (#199) * enable CI for clang with FIPS mode Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa * fix Signed-off-by: Shikugawa --- .github/workflows/workflow.yml | 25 +++++++++++++++++++------ bazel/bazel.bzl | 22 ++++++++++++++++++---- bazel/install-clang-ci.sh | 13 +++++++++++++ src/common/http/BUILD | 4 ++-- src/common/session/BUILD | 4 ++-- src/common/utilities/BUILD | 10 +++++----- src/config/BUILD | 4 ++-- src/filters/BUILD | 10 +++++----- src/filters/mock/BUILD | 4 ++-- src/filters/oidc/BUILD | 24 ++++++++++++------------ src/main/BUILD | 4 ++-- src/service/BUILD | 6 ++++-- test/common/http/BUILD | 7 ++++--- test/common/session/BUILD | 7 ++++--- test/common/utilities/BUILD | 11 ++++++----- test/config/BUILD | 5 +++-- test/filters/BUILD | 8 ++++---- test/filters/oidc/BUILD | 21 +++++++++------------ test/service/BUILD | 8 ++++---- test/shared/BUILD | 4 ++-- 20 files changed, 122 insertions(+), 79 deletions(-) create mode 100755 bazel/install-clang-ci.sh diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index dbddcb57..11ee3a23 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
@@ -15,14 +15,11 @@ jobs: - uses: actions/checkout@v1 - name: Setup clang-format run: | - wget https://github.com/llvm/llvm-project/releases/download/llvmorg-10.0.1/clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz - tar -xvf clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz - sudo mv ./clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04/bin/clang-format /usr/local/bin - rm -rf clang+llvm-10.0.1-x86_64-linux-gnu-ubuntu-16.04/ + sudo sh -c ${PWD}/bazel/install-clang-ci.sh git clone https://github.com/Sarcasm/run-clang-format.git - name: Run clang-format - run: find ./ -iname "*.h" -o -iname "*.cc" | xargs ./run-clang-format/run-clang-format.py - build: + run: find ./ -iname "*.h" -o -iname "*.cc" | xargs ./run-clang-format/run-clang-format.py --clang-format-executable=/opt/llvm/bin/clang-format + gcc-test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v1 @@ -34,3 +31,19 @@ jobs: run: | sudo chmod -R a+rxw /home make test + clang-fips-test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - name: Setup Bazel + run: sudo build/install-bazel.sh + - name: Install dependencies + run: sudo apt-get update && sudo apt-get -y install make cmake ninja-build build-essential + - name: Setup clang + run: | + sudo sh -c ${PWD}/bazel/install-clang-ci.sh + bazel/setup_clang.sh /opt/llvm + - name: make test + run: | + sudo chmod -R a+rxw /home + BAZEL_FLAGS="--config=clang --define=boringssl=fips" make test diff --git a/bazel/bazel.bzl b/bazel/bazel.bzl index d370ec61..36963c59 100644 --- a/bazel/bazel.bzl +++ b/bazel/bazel.bzl 
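Review bot: Nothing in the new `clang-fips-test` job confirms that the binaries under test were actually built against the BoringSSL FIPS module. The only signal is `--define=boringssl=fips` passed through `BAZEL_FLAGS`, and Bazel accepts a `--define` that no `config_setting` matches without any error. If the Makefile (not visible in this patch) stops forwarding `BAZEL_FLAGS`, or the key is misspelled in a later edit, the job would presumably stay green while exercising the ordinary non-FIPS build. A test that asserts `FIPS_mode() == 1` when the define is set would make the job fail closed. At minimum, add a comment above the step such as `# --define is silently ignored if nothing selects on it; keep a test that asserts FIPS_mode() == 1`.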
@@ -1,9 +1,23 @@ # Wrappers around native build recipes to enforce consistent use of flags and build variables. +load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test") + _DEFAULT_COPTS = ["-Wall", "-Wextra"] -def xx_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = []): - native.cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs) +def authsvc_cc_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = [], visibility = None): + cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs, visibility = visibility) + +def authsvc_cc_binary(name, deps = [], srcs = [], copts = [], defines = []): + cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines) -def xx_binary(name, deps = [], srcs = [], copts = [], defines = []): - native.cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines) +def authsvc_cc_test(name, deps = [], srcs = [], data = []): + cc_test( + name = name, + deps = deps, + srcs = srcs, + data = data, + # We choose to use static link because boringssl FIPS build seem not be able + # to resolved for unit test, + # https://gist.github.com/Shikugawa/0ff7ef056cf6fdb2605ad81fcb0be814 (optional) + linkstatic = True, + ) diff --git a/bazel/install-clang-ci.sh b/bazel/install-clang-ci.sh new file mode 100755 index 00000000..a0541cca --- /dev/null +++ b/bazel/install-clang-ci.sh 
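Review bot: `authsvc_cc_test` does not apply `_DEFAULT_COPTS` the way `authsvc_cc_library` and `authsvc_cc_binary` do, so test sources are the one place these wrappers skip `-Wall -Wextra`, despite the file's stated aim of enforcing consistent flags. Adding a `copts = []` parameter and passing `copts = _DEFAULT_COPTS + copts,` to `cc_test` would close that gap. The comment above `linkstatic = True` is also hard to parse and relies on an external gist for the actual failure. I would reword it to `# Link tests statically: the BoringSSL FIPS build could not be resolved when unit tests were linked dynamically.` and summarise the linker error from the gist in the comment itself, since the link can disappear.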
@@ -0,0 +1,13 @@ +#!/bin/bash + +LLVM_VERSION=12.0.0 +LLVM_TAR=clang+llvm-${LLVM_VERSION}-x86_64-linux-gnu-ubuntu-20.04.tar.xz +TARGET_DST=/opt/llvm + +wget https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VERSION}/${LLVM_TAR} + +if [[ ! -e "${TARGET_DST}" ]]; then + mkdir -p ${TARGET_DST} +fi + +tar -xvf ${LLVM_TAR} -C ${TARGET_DST} --strip-components 1 diff --git a/src/common/http/BUILD b/src/common/http/BUILD index 1acc9ae9..6b633426 100644 --- a/src/common/http/BUILD +++ b/src/common/http/BUILD @@ -1,9 +1,9 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") load("@envoy//bazel:repositories.bzl", "envoy_dependencies") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "http", srcs = ["http.cc"], hdrs = [ diff --git a/src/common/session/BUILD b/src/common/session/BUILD index aa5444e4..96bc0c28 100644 --- a/src/common/session/BUILD +++ b/src/common/session/BUILD @@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "session_string_generator", srcs = [ "session_string_generator.cc", diff --git a/src/common/utilities/BUILD b/src/common/utilities/BUILD index 49537cc5..1c9d4356 100644 --- a/src/common/utilities/BUILD +++ b/src/common/utilities/BUILD @@ -1,9 +1,9 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") load("@envoy//bazel:repositories.bzl", "envoy_dependencies") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "random", srcs = ["random.cc"], hdrs = ["random.h"], @@ -14,7 +14,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "time_service", srcs = ["time_service.cc"], hdrs = ["time_service.h"], 
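Review bot: The new `bazel/install-clang-ci.sh` downloads the LLVM tarball and unpacks it into `/opt/llvm` without checking its digest, and the workflow runs this script under `sudo` in both the format job and the FIPS test job. A substituted or truncated archive would therefore become the compiler for the FIPS build with nothing to flag it. The script also has no `set -e`, so a failed `wget` falls through to `tar`, and the tarball is left in the checkout directory. I would pin a SHA-256 for the release asset, verify it before extraction, fail on any error and download into a temporary directory. The digest in the sketch below is a placeholder to be filled in from a trusted source.

```shell
#!/bin/bash
set -euo pipefail

# … unchanged: LLVM_VERSION, LLVM_TAR, TARGET_DST …
# Placeholder: replace with the pinned digest of ${LLVM_TAR}, obtained out of band.
LLVM_SHA256="<PINNED_SHA256_OF_LLVM_TAR>"

workdir="$(mktemp -d)"
trap 'rm -rf "${workdir}"' EXIT

wget -O "${workdir}/${LLVM_TAR}" \
  "https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VERSION}/${LLVM_TAR}"
# Refuse to unpack anything whose digest does not match the pinned value.
echo "${LLVM_SHA256}  ${workdir}/${LLVM_TAR}" | sha256sum -c -

mkdir -p "${TARGET_DST}"
tar -xf "${workdir}/${LLVM_TAR}" -C "${TARGET_DST}" --strip-components 1
```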
@@ -22,14 +22,14 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "synchronized", hdrs = ["synchronized.h"], deps = [ ], ) -xx_library( +authsvc_cc_library( name = "trigger_rules", srcs = ["trigger_rules.cc"], hdrs = ["trigger_rules.h"], diff --git a/src/config/BUILD b/src/config/BUILD index ba6eec41..e215189d 100644 --- a/src/config/BUILD +++ b/src/config/BUILD @@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "config", srcs = ["get_config.cc"], hdrs = [ diff --git a/src/filters/BUILD b/src/filters/BUILD index 2eeeedc1..dadf5f46 100644 --- a/src/filters/BUILD +++ b/src/filters/BUILD @@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "filter", srcs = [], hdrs = ["filter.h"], @@ -14,7 +14,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "pipe", srcs = ["pipe.cc"], hdrs = ["pipe.h"], @@ -24,7 +24,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "filter_factory", hdrs = ["filter_factory.h"], deps = [ @@ -32,7 +32,7 @@ xx_library( ] ) -xx_library( +authsvc_cc_library( name = "filter_chain", srcs = [ "filter_chain.cc", diff --git a/src/filters/mock/BUILD b/src/filters/mock/BUILD index 0377d75b..026a9a95 100644 --- a/src/filters/mock/BUILD +++ b/src/filters/mock/BUILD @@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "mock_filter", srcs = ["mock_filter.cc"], hdrs = ["mock_filter.h"], diff --git a/src/filters/oidc/BUILD b/src/filters/oidc/BUILD index d3fe60fb..a2b2edb9 100644 --- a/src/filters/oidc/BUILD +++ b/src/filters/oidc/BUILD 
@@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "token_response", srcs = ["token_response.cc"], hdrs = ["token_response.h"], @@ -16,7 +16,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "authorization_state", srcs = ["authorization_state.cc"], hdrs = ["authorization_state.h"], @@ -26,7 +26,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "session_store_factory", hdrs = ["session_store_factory.h"], deps = [ @@ -34,7 +34,7 @@ xx_library( ] ) -xx_library( +authsvc_cc_library( name = "in_memory_session_store", srcs = ["in_memory_session_store.cc"], hdrs = ["in_memory_session_store.h", "session_store.h"], @@ -51,7 +51,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "session_store", srcs = [], hdrs = ["session_store.h"], @@ -63,7 +63,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "redis_session_store", srcs = ["redis_session_store.cc"], hdrs = ["redis_session_store.h", "session_store.h"], @@ -82,7 +82,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "redis_wrapper", srcs = ["redis_wrapper.cc"], hdrs = ["redis_wrapper.h"], @@ -96,7 +96,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "redis_retry_wrapper", srcs = ["redis_retry_wrapper.cc"], hdrs = ["redis_retry_wrapper.h"], @@ -109,7 +109,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "jwks_resolver", srcs = ["jwks_resolver.cc"], hdrs = ["jwks_resolver.h"], @@ -122,7 +122,7 @@ xx_library( ], ) -xx_library( +authsvc_cc_library( name = "jwt_verifier", srcs = ["jwt_verifier.cc"], hdrs = ["jwt_verifier.h"], @@ -138,7 +138,7 @@ xx_library( ] ) -xx_library( +authsvc_cc_library( name = "oidc_filter", srcs = ["oidc_filter.cc"], hdrs = ["oidc_filter.h"], diff --git a/src/main/BUILD b/src/main/BUILD index 73fd1aa5..c3d9d59a 100644 --- a/src/main/BUILD +++ b/src/main/BUILD 
@@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_binary") +load("//bazel:bazel.bzl", "authsvc_cc_binary") package(default_visibility = ["//visibility:public"]) -xx_binary( +authsvc_cc_binary( name = "auth_server", srcs = ["auth_server.cc"], deps = [ diff --git a/src/service/BUILD b/src/service/BUILD index df0ce6bf..341a9245 100644 --- a/src/service/BUILD +++ b/src/service/BUILD @@ -1,6 +1,8 @@ +load("//bazel:bazel.bzl", "authsvc_cc_library") + package(default_visibility = ["//visibility:public"]) -cc_library( +authsvc_cc_library( name = "healthcheck_http_server_lib", hdrs = [ "healthcheck_http_server.h" @@ -14,7 +16,7 @@ cc_library( ] ) -cc_library( +authsvc_cc_library( name = "serviceimpl", srcs = [ "async_service_impl.cc", diff --git a/test/common/http/BUILD b/test/common/http/BUILD index 0084add8..ef1c686d 100644 --- a/test/common/http/BUILD +++ b/test/common/http/BUILD @@ -1,4 +1,6 @@ -cc_library( +load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library") + +authsvc_cc_library( name = "mocks", hdrs = ["mocks.h"], visibility = ["//test:__subpackages__"], @@ -8,7 +10,7 @@ cc_library( ], ) -cc_test( +authsvc_cc_test( name = "http_test", srcs = ["http_test.cc"], deps = [ @@ -17,5 +19,4 @@ cc_test( "@com_github_grpc_grpc//:grpc++", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/common/session/BUILD b/test/common/session/BUILD index 8fbaa7d8..9f4cdf3c 100644 --- a/test/common/session/BUILD +++ b/test/common/session/BUILD @@ -1,4 +1,6 @@ -cc_library( +load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library") + +authsvc_cc_library( name = "mocks", hdrs = ["mocks.h"], visibility = ["//test:__subpackages__"], 
@@ -7,12 +9,11 @@ cc_library( ], ) -cc_test( +authsvc_cc_test( name = "session_string_generator_test", srcs = ["session_string_generator_test.cc"], deps = [ "//src/common/session:session_string_generator", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/common/utilities/BUILD b/test/common/utilities/BUILD index 847dea13..2a9d16bb 100644 --- a/test/common/utilities/BUILD +++ b/test/common/utilities/BUILD @@ -1,4 +1,6 @@ -cc_library( +load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library") + +authsvc_cc_library( name = "mocks", hdrs = ["mocks.h"], visibility = ["//test:__subpackages__"], @@ -8,22 +10,21 @@ cc_library( ], ) -cc_test( +authsvc_cc_test( name = "random_test", srcs = ["random_test.cc"], deps = [ "//src/common/utilities:random", "@com_google_googletest//:gtest_main", + "@envoy//bazel:boringssl", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "trigger_rules_test", srcs = ["trigger_rules_test.cc"], deps = [ "//src/common/utilities:trigger_rules", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/config/BUILD b/test/config/BUILD index 7cfc6455..bbd7aaf6 100644 --- a/test/config/BUILD +++ b/test/config/BUILD @@ -1,4 +1,6 @@ -cc_test( +load("//bazel:bazel.bzl", "authsvc_cc_test") + +authsvc_cc_test( name = "config_test", srcs = ["getconfig_test.cc"], data = ["//test/fixtures"], 
@@ -7,5 +9,4 @@ cc_test( "@com_google_googletest//:gtest_main", "//test/shared:shared_test_helpers" ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/filters/BUILD b/test/filters/BUILD index 88f850b5..2b45bf52 100644 --- a/test/filters/BUILD +++ b/test/filters/BUILD @@ -1,4 +1,6 @@ -cc_test( +load("//bazel:bazel.bzl", "authsvc_cc_test") + +authsvc_cc_test( name = "pipe_test", srcs = ["pipe_test.cc"], deps = [ @@ -6,10 +8,9 @@ cc_test( "@com_github_grpc_grpc//:grpc++", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "filter_chain_test", srcs = ["filter_chain_test.cc"], deps = [ @@ -18,5 +19,4 @@ cc_test( "@com_github_grpc_grpc//:grpc++", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/filters/oidc/BUILD b/test/filters/oidc/BUILD index 70db96a8..6b8d4d05 100644 --- a/test/filters/oidc/BUILD +++ b/test/filters/oidc/BUILD @@ -1,4 +1,6 @@ -cc_library( +load("//bazel:bazel.bzl", "authsvc_cc_test", "authsvc_cc_library") + +authsvc_cc_library( name = "mocks", hdrs = ["mocks.h"], deps = [ @@ -14,7 +16,7 @@ cc_library( visibility = ["//visibility:public"], ) -cc_test( +authsvc_cc_test( name = "token_response_test", srcs = ["token_response_test.cc"], deps = [ 
@@ -23,10 +25,9 @@ cc_test( "@com_github_grpc_grpc//:grpc++", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "in_memory_session_store_test", srcs = ["in_memory_session_store_test.cc"], deps = [ @@ -35,10 +36,9 @@ cc_test( "//src/filters/oidc:in_memory_session_store", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "redis_session_store_test", srcs = ["redis_session_store_test.cc"], deps = [ @@ -49,10 +49,9 @@ cc_test( "//test/shared:shared_test_helpers", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "redis_retry_wrapper_test", srcs = ["redis_retry_wrapper_test.cc"], deps = [ @@ -61,10 +60,9 @@ cc_test( "//test/filters/oidc:mocks", "//test/shared:shared_test_helpers", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "oidc_filter_test", srcs = ["oidc_filter_test.cc"], deps = [ @@ -75,10 +73,9 @@ cc_test( "@com_github_grpc_grpc//:grpc++", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "jwks_resolver_test", srcs = ["jwks_resolver_test.cc"], deps = [ diff --git a/test/service/BUILD b/test/service/BUILD index 9671289d..533ad807 100644 --- a/test/service/BUILD +++ b/test/service/BUILD 
@@ -1,4 +1,6 @@ -cc_test( +load("//bazel:bazel.bzl", "authsvc_cc_test") + +authsvc_cc_test( name = "async_service_impl_test", srcs = ["async_service_impl_test.cc"], data = ["//test/fixtures"], @@ -7,10 +9,9 @@ cc_test( "//src/filters:filter_chain", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) -cc_test( +authsvc_cc_test( name = "healthcheck_http_server_test", srcs = ["healthcheck_http_server_test.cc"], data = ["//test/fixtures"], @@ -21,5 +22,4 @@ cc_test( "//test/filters/oidc:mocks", "@com_google_googletest//:gtest_main", ], - linkstatic = select({"@boost//:osx": True, "//conditions:default": False}), # workaround for not being able to figure out how to link dynamically on MacOS ) diff --git a/test/shared/BUILD b/test/shared/BUILD index d002f223..bb5800e8 100644 --- a/test/shared/BUILD +++ b/test/shared/BUILD @@ -1,8 +1,8 @@ -load("//bazel:bazel.bzl", "xx_library") +load("//bazel:bazel.bzl", "authsvc_cc_library") package(default_visibility = ["//visibility:public"]) -xx_library( +authsvc_cc_library( name = "shared_test_helpers", srcs = [], hdrs = [