Add go1.24 GODEBUG=fips140=only test (#4581)

michel-laterman · web-flow · commit 8e304bd68cb4 · 2025-03-19T13:23:28.000-07:00
Add a new target that uses GODEBUG=fips140=only to run unit tests.
This target should use the FIPS=true flag in order to pass -tags=requirefips.
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -87,6 +87,17 @@ steps:
           - build/*.xml
           - build/coverage*.out
 
+      - label: ":smartbear-testexecute: Run FIPS unit tests"
+        key: unit-test-fips
+        command: ".buildkite/scripts/unit_test.sh"
+        env:
+          FIPS: "true"
+        agents:
+          provider: "gcp"
+        artifact_paths:
+          - build/*.xml
+          - build/coverage*.out
+
       - label: ":smartbear-testexecute: Run unit tests: MacOS 13"
         key: unit-test-macos-13
         command: ".buildkite/scripts/unit_test.sh"
diff --git a/.buildkite/scripts/unit_test.sh b/.buildkite/scripts/unit_test.sh
@@ -9,4 +9,8 @@ add_bin_path
 with_go
 
 echo "Starting the unit tests..."
-make test-unit junit-report
+if [[ ${FIPS:-} == "true" ]]; then
+    make test-unit-fips junit-report
+else
+    make test-unit junit-report
+fi
diff --git a/Makefile b/Makefile
@@ -221,9 +221,16 @@ test: prepare-test-context  ## - Run all tests
 test-release:  ## - Check that all release binaries are created
 	./.buildkite/scripts/test-release.sh $(DEFAULT_VERSION)
 
+# If FIPS=true unit tests need microsoft/go + OpenSSL with FIPS
 .PHONY: test-unit
 test-unit: prepare-test-context  ## - Run unit tests only
-	set -o pipefail; go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-${OS_NAME}.out
+	set -o pipefail; ${GOFIPSEXPERIMENT} go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-${OS_NAME}.out
+
+# FIPS unit tests are meant to use go v1.24 to check FIPS compliance.
+# This check is very strict, and should be thought of as a static-code analysis tool.
+.PHONY: test-unit-fips
+test-unit-fips: prepare-test-context  ## - Run unit tests with go 1.24's fips140=only for testing
+	set -o pipefail; GOFIPS140=latest GODEBUG=fips140=only go test ${GO_TEST_FLAG} -tags=$(GOBUILDTAGS) -v -race -coverprofile=build/coverage-${OS_NAME}.out ./... | tee build/test-unit-fips-${OS_NAME}.out
 
 .PHONY: benchmark
 benchmark: prepare-test-context install-benchstat  ## - Run benchmark tests only
