fips-validator/main.go at main · flightctl/fips-validator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
package main

import (
	"context"
	"errors"
	"flag"
	"fmt"
	"os"
	"path/filepath"

	"github.com/fatih/color"

	"github.com/flightctl/fips-validator/internal/executor"
	"github.com/flightctl/fips-validator/internal/scanner"
	"github.com/flightctl/fips-validator/internal/validation"
)

var (
	debugEnabled bool
	noColor      bool
	help         bool
)

var (
	info    = color.New(color.Bold).PrintfFunc()
	success = color.New(color.Bold, color.FgGreen).PrintfFunc()
	failure = color.New(color.Bold, color.FgRed).PrintfFunc()
)

func debug(format string, a ...interface{}) {
	if debugEnabled {
		fmt.Fprintf(os.Stderr, "[DEBUG] "+format+"\n", a...)
	}
}

func usage(err error) {
	fd, rc := os.Stdout, 0
	if err != nil {
		fd, rc = os.Stderr, 2
		fmt.Fprintf(fd, "Error: %v\n\n", err)
	}

	fmt.Fprintf(fd, `%[1]s validates that an RPM package, OCI image, or binary is capable of running in FIPS mode.

Usage:
  %[1]s [flags] binary <path_to_executable>
  %[1]s [flags] rpm <path_to_rpm_file>
  podman unshare -- %[1]s [flags] image <oci_image_ref>

Flags:
  --debug      Enable debug output
  --no-color   Disable colored output
  --help       Show this help message
`, filepath.Base(os.Args[0]))

	os.Exit(rc)
}

func main() {
	flag.BoolVar(&debugEnabled, "debug", false, "Enable debug output")
	flag.BoolVar(&noColor, "no-color", false, "Disable colored output")
	flag.BoolVar(&help, "help", false, "Show help")
	flag.Parse()

	if help {
		usage(nil)
	}

	color.NoColor = noColor

	args := flag.Args()
	if len(args) != 2 {
		usage(fmt.Errorf("incorrect number of arguments"))
	}
	mode := args[0]
	target := args[1]

	valid := true
	var err error
	switch mode {
	case "binary":
		valid, err = validateBinary(target)
	case "rpm":
		valid, err = validateRpmPackage(target)
	case "image":
		valid, err = validateOciImage(target)
	default:
		usage(fmt.Errorf("unknown mode %q", mode))
	}

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error: %v", err.Error())
		os.Exit(1)
	}
	if !valid {
		failure("Validation failed\n")
		os.Exit(1)
	}
	success("Validation successful\n")
	os.Exit(0)
}

func validateBinary(binaryPath string) (bool, error) {
	path, err := filepath.Abs(binaryPath)
	if err != nil {
		return false, fmt.Errorf("failed to get absolute path: %v", err)
	}
	info("Validating binary %q:\n", path)

	return validation.ValidateBinary(context.TODO(), "/", path, debug), nil
}

func validateRpmPackage(packagePath string) (bool, error) {
	path, err := filepath.Abs(packagePath)
	if err != nil {
		return false, fmt.Errorf("failed to get absolute path: %v", err)
	}
	info("Validating RPM package %q:\n", path)

	tempDir, err := os.MkdirTemp("", "fips-validator-")
	if err != nil {
		return false, fmt.Errorf("failed to create temporary directory: %v", err)
	}
	defer os.RemoveAll(tempDir)
	debug("Using temporary directory %s\n", tempDir)

	if err := unpackRPM(packagePath, tempDir); err != nil {
		return false, fmt.Errorf("failed to unpack RPM package: %v", err)
	}
	return scanner.ScanDirTree(context.TODO(), tempDir, debug), nil
}

func unpackRPM(packagePath, destDir string) error {
	fmt.Printf("• unpacking RPM... ")
	_, stderr, rc, err := executor.Execute(context.TODO(), destDir, "sh", "-c", fmt.Sprintf("rpm2cpio %s | cpio -idmv", packagePath))
	if err != nil {
		return errors.New(string(stderr))
	}
	if rc != 0 {
		return fmt.Errorf("failed to unpack RPM, exit code %d: %s", rc, string(stderr))
	}
	success("done\n")
	return nil
}

func validateOciImage(imageRef string) (bool, error) {
	info("Validating OCI image %q:\n", imageRef)

	tempDir, err := mountOciImage(imageRef)
	if err != nil {
		return false, err
	}
	defer unmountOciImage(imageRef)
	debug("Using temporary directory: %s", tempDir)

	allValid := true
	if !validation.ValidateOpenSSL(context.TODO(), tempDir) {
		allValid = false
	}
	if !scanner.ScanDirTree(context.TODO(), tempDir, debug) {
		allValid = false
	}
	return allValid, nil
}

func mountOciImage(imageRef string) (string, error) {
	fmt.Printf("• checking OCI image exists locally... ")
	_, _, rc, err := executor.Execute(context.TODO(), "", "podman", "image", "exists", imageRef)
	if err != nil {
		return "", fmt.Errorf("failed to check whether image exists: %v", err)
	}
	if rc == 0 {
		success("found\n")
	} else {
		info("not found\n")

		fmt.Printf("• pulling image... ")
		_, stderr, rc, err := executor.Execute(context.TODO(), "", "podman", "pull", imageRef)
		if err != nil {
			return "", fmt.Errorf("failed to pull image: %s", err)
		}
		if rc != 0 {
			return "", fmt.Errorf("failed to pull image, exit code %d: %s", rc, string(stderr))
		}
		success("done\n")
	}

	fmt.Printf("• mounting OCI image... ")
	cmdArgs := []string{"image", "mount", imageRef}
	stdout, stderr, rc, err := executor.Execute(context.TODO(), "", "podman", cmdArgs...)
	if err != nil {
		return "", fmt.Errorf("failed to mount image: %s", string(stderr))
	}
	if rc != 0 {
		return "", fmt.Errorf("failed to mount image, exit code %d: %s", rc, string(stderr))
	}
	success("done\n")

	mountPath := string(stdout)
	mountPath = mountPath[:len(mountPath)-1] // Remove trailing newline
	return mountPath, nil
}

func unmountOciImage(imageRef string) error {
	fmt.Printf("• unmounting OCI image... ")
	_, stderr, rc, err := executor.Execute(context.TODO(), "", "podman", "image", "unmount", imageRef)
	if err != nil {
		return fmt.Errorf("failed to unmount image: %v", err)
	}
	if rc != 0 {
		return fmt.Errorf("failed to unmount image, exit code %d: %s", rc, string(stderr))
	}
	success("done\n")
	return nil
}