From 62f1c8393b9f3da69651d7b3397c3e482e38b71d Mon Sep 17 00:00:00 2001
From: Ravindra Akella
Date: Fri, 22 Jan 2021 03:54:11 +0530
Subject: [PATCH] server: add FIPS mode statistic indicating FIPS compliance (#14719)

Signed-off-by: Ravindra Akella
---
 .../configuration/observability/statistics.rst | 10 ++++++++++
 docs/root/version_history/current.rst | 1 +
 source/common/version/version.cc | 8 ++++++++
 source/common/version/version.h | 2 ++
 source/server/server.cc | 10 ++++++++++
 source/server/server.h | 14 ++++++++++++++
 test/server/server_test.cc | 17 +++++++++++++++++
 7 files changed, 62 insertions(+)

diff --git a/docs/root/configuration/observability/statistics.rst b/docs/root/configuration/observability/statistics.rst
index ed25a3e2de8d..4732d88d25c1 100644
--- a/docs/root/configuration/observability/statistics.rst
+++ b/docs/root/configuration/observability/statistics.rst
@@ -34,3 +34,13 @@ Server related statistics are rooted at *server.* with following statistics:
   static_unknown_fields, Counter, Number of messages in static configuration with unknown fields
   dynamic_unknown_fields, Counter, Number of messages in dynamic configuration with unknown fields
 
+Server Compilation Settings
+---------------------------
+
+Server Compilation Settings related statistics are rooted at *server.compilation_settings.* with following statistics:
+
+.. csv-table::
+  :header: Name, Type, Description
+  :widths: 1, 1, 2
+
+  fips_mode, Gauge, Integer representing whether the envoy build is FIPS compliant or not
\ No newline at end of file
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 0651fdfda358..62ab94f0ce40 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -46,6 +46,7 @@ New Features
 * dispatcher: supports a stack of `Envoy::ScopeTrackedObject` instead of a single tracked object. This will allow Envoy to dump more debug information on crash.
 * http: added support for :ref:`:ref:`preconnecting `. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1.
 * http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
+* server: added :ref:`fips_mode ` statistic.
 * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details.
 
 Deprecated
diff --git a/source/common/version/version.cc b/source/common/version/version.cc
index d2ddbae3c818..8b013dde01cb 100644
--- a/source/common/version/version.cc
+++ b/source/common/version/version.cc
@@ -36,6 +36,14 @@ const envoy::config::core::v3::BuildVersion& VersionInfo::buildVersion() {
   return *result;
 }
 
+bool VersionInfo::sslFipsCompliant() {
+  bool fipsCompliant = false;
+#ifdef BORINGSSL_FIPS
+  fipsCompliant = true;
+#endif
+  return fipsCompliant;
+}
+
 const std::string& VersionInfo::buildType() {
 #ifdef NDEBUG
   static const std::string release_type = "RELEASE";
diff --git a/source/common/version/version.h b/source/common/version/version.h
index a5720105ef85..345ef2714c06 100644
--- a/source/common/version/version.h
+++ b/source/common/version/version.h
@@ -22,6 +22,8 @@ class VersionInfo {
   static const std::string& revisionStatus();
   // Repository information and build type.
   static const std::string& version();
+  // FIPS Compliance of envoy build
+  static bool sslFipsCompliant();
 
   static const envoy::config::core::v3::BuildVersion& buildVersion();
 
diff --git a/source/server/server.cc b/source/server/server.cc
index 58e37836bf69..b7afdd253e25 100644
--- a/source/server/server.cc
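Review bot: `sslFipsCompliant()` only tests whether `BORINGSSL_FIPS` was defined when version.cc was compiled, so the new gauge attests to a build flag rather than to the FIPS module being linked and having passed its self-tests; the one-line comment added in the version.h hunk (`// FIPS Compliance of envoy build`) should make that limit explicit, e.g. `// True when this binary was compiled with BORINGSSL_FIPS defined; a build-time flag, not a runtime check of the crypto module.` The failure mode is worth stating in the same comment: if the define is not propagated to this translation unit's compile flags, a FIPS build silently reports 0, so cross-checking against BoringSSL's runtime `FIPS_mode()` would catch a misconfigured build. As a style point the local `fipsCompliant` is camelCase while neighbouring locals such as `release_type` are snake_case; the body could simply be `#ifdef BORINGSSL_FIPS` / `return true;` / `#else` / `return false;` / `#endif` with no temporary.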
+++ b/source/server/server.cc
@@ -356,10 +356,17 @@ void InstanceImpl::initialize(const Options& options,
   stats_store_.setHistogramSettings(Config::Utility::createHistogramSettings(bootstrap_));
 
   const std::string server_stats_prefix = "server.";
+  const std::string server_compilation_settings_stats_prefix = "server.compilation_settings";
   server_stats_ = std::make_unique(
       ServerStats{ALL_SERVER_STATS(POOL_COUNTER_PREFIX(stats_store_, server_stats_prefix),
                                    POOL_GAUGE_PREFIX(stats_store_, server_stats_prefix),
                                    POOL_HISTOGRAM_PREFIX(stats_store_, server_stats_prefix))});
+  server_compilation_settings_stats_ =
+      std::make_unique(
+          CompilationSettings::ServerCompilationSettingsStats{ALL_SERVER_COMPILATION_SETTINGS_STATS(
+              POOL_COUNTER_PREFIX(stats_store_, server_compilation_settings_stats_prefix),
+              POOL_GAUGE_PREFIX(stats_store_, server_compilation_settings_stats_prefix),
+              POOL_HISTOGRAM_PREFIX(stats_store_, server_compilation_settings_stats_prefix))});
   validation_context_.staticWarningValidationVisitor().setUnknownCounter(
       server_stats_->static_unknown_fields_);
   validation_context_.dynamicWarningValidationVisitor().setUnknownCounter(
@@ -388,6 +395,9 @@ void InstanceImpl::initialize(const Options& options,
     }
   }
   server_stats_->version_.set(version_int);
+  if (VersionInfo::sslFipsCompliant()) {
+    server_compilation_settings_stats_->fips_mode_.set(1);
+  }
 
   bootstrap_.mutable_node()->set_hidden_envoy_deprecated_build_version(VersionInfo::version());
   bootstrap_.mutable_node()->set_user_agent_name("envoy");
diff --git a/source/server/server.h b/source/server/server.h
index cf4d24eadd56..cea2e6dff812 100644
--- a/source/server/server.h
+++ b/source/server/server.h
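Review bot: `server_compilation_settings_stats_prefix` is `"server.compilation_settings"` with no trailing separator, while the sibling `server_stats_prefix` on the line above is `"server."`, and both are handed to the same POOL_*_PREFIX macros. If those macros concatenate prefix and stat name verbatim (which the `server.` prefix suggests), the gauge is registered as `server.compilation_settingsfips_mode` and the name documented in statistics.rst and looked up by the new test, `server.compilation_settings.fips_mode`, never exists; this should be confirmed against stats_macros.h before merging. Writing the prefix as `"server.compilation_settings."` keeps the two declarations consistent either way. InstanceImpl::initialize starts and ends outside this hunk.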
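Review bot: The gauge is only written on the FIPS branch, so in a non-FIPS build `fips_mode_` keeps whatever value a freshly created gauge has and the 0 the docs and the new test promise is implicit rather than set here. Writing it unconditionally, `server_compilation_settings_stats_->fips_mode_.set(VersionInfo::sslFipsCompliant() ? 1 : 0);`, makes the exported value explicit and drops the branch. Because the value is a build-time property, it could also be assigned right where the stats struct is created in the previous hunk instead of after the version parsing.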
@@ -50,6 +50,18 @@ namespace Envoy {
 namespace Server {
 
+namespace CompilationSettings {
+/**
+ * All server compilation settings stats. @see stats_macros.h
+ */
+#define ALL_SERVER_COMPILATION_SETTINGS_STATS(COUNTER, GAUGE, HISTOGRAM) \
+  GAUGE(fips_mode, NeverImport)
+
+struct ServerCompilationSettingsStats {
+  ALL_SERVER_COMPILATION_SETTINGS_STATS(GENERATE_COUNTER_STRUCT, GENERATE_GAUGE_STRUCT,
+                                        GENERATE_HISTOGRAM_STRUCT)
+};
+} // namespace CompilationSettings
 
 /**
  * All server wide stats. @see stats_macros.h
@@ -322,6 +334,8 @@ class InstanceImpl final : Logger::Loggable,
   time_t original_start_time_;
   Stats::StoreRoot& stats_store_;
   std::unique_ptr server_stats_;
+  std::unique_ptr
+      server_compilation_settings_stats_;
   Assert::ActionRegistrationPtr assert_action_registration_;
   Assert::ActionRegistrationPtr envoy_bug_action_registration_;
   ThreadLocal::Instance& thread_local_;
diff --git a/test/server/server_test.cc b/test/server/server_test.cc
index 9bcd83f21f27..8695c0d0255d 100644
--- a/test/server/server_test.cc
+++ b/test/server/server_test.cc
@@ -362,6 +362,23 @@ TEST_P(ServerInstanceImplTest, ProxyVersionOveridesFromBootstrap) {
   server_thread->join();
 }
 
+// Validates that the "server.fips_mode" stat indicates the FIPS compliance from the Envoy Build
+TEST_P(ServerInstanceImplTest, ValidateFIPSModeStat) {
+  auto server_thread =
+      startTestServer("test/server/test_data/server/proxy_version_bootstrap.yaml", true);
+
+  if (VersionInfo::sslFipsCompliant()) {
+    EXPECT_EQ(
+        1L, TestUtility::findGauge(stats_store_, "server.compilation_settings.fips_mode")->value());
+  } else {
+    EXPECT_EQ(
+        0L, TestUtility::findGauge(stats_store_, "server.compilation_settings.fips_mode")->value());
+  }
+
+  server_->dispatcher().post([&] { server_->shutdown(); });
+  server_thread->join();
+}
+
 TEST_P(ServerInstanceImplTest, EmptyShutdownLifecycleNotifications) {
   auto server_thread = startTestServer("test/server/test_data/server/node_bootstrap.yaml", false);
   server_->dispatcher().post([&] { server_->shutdown(); });
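Review bot: The comment above the new test names the stat `server.fips_mode`, but the gauge it looks up (and the one statistics.rst documents) is `server.compilation_settings.fips_mode`; change it to `// Validates that the "server.compilation_settings.fips_mode" stat reflects the FIPS compliance of the Envoy build.` Both branches also dereference the result of `TestUtility::findGauge(...)` directly, so a gauge that was registered under a different name would crash the test rather than fail it with a message. Look it up once into a local, assert `ASSERT_NE(nullptr, gauge);`, then compare `gauge->value()` against `VersionInfo::sslFipsCompliant() ? 1 : 0`, which also collapses the duplicated if/else into one expectation.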