Add mage target and buildkite step to flag crypto imports for FIPS builds (#5534) (#5558)

* Add mage target and buildkite step to flag crypto imports for FIPS builds

* Rename file

(cherry picked from commit f44372c)

Co-authored-by: Michel Laterman <[email protected]>

Author: mergify[bot]

.buildkite/pipeline.yml

@@ -42,6 +42,9 @@ steps:
         agents:
           provider: "gcp"
 
+      - label: "Detect FIPS crypto imports"
+        command: ".buildkite/scripts/check_detect_fips_crypto.sh"
+
       - label: "Package x86_64"
         key: "package-x86-64-pr"
         env:

.buildkite/scripts/check_detect_fips_crypto.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common.sh
+
+add_bin_path
+
+with_go
+
+with_mage
+
+mage check:detectFIPSCryptoImports

magefile.go

@@ -483,6 +483,31 @@ func (Check) Notice() {
 	mg.SerialDeps(mg.F(genNotice, false), mg.F(genNotice, true))
 }
 
+// DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries.
+// Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2"
+func (Check) DetectFIPSCryptoImports() error {
+	tags := []string{"requirefips", "ms_tls13kdf"}
+	mods, err := getModules(tags...)
+	if err != nil {
+		return err
+	}
+
+	args := append([]string{"list", "-m"}, mods...)
+	output, err := sh.Output("go", args...)
+	if err != nil {
+		return err
+	}
+	for _, line := range strings.Split(output, "\n") {
+		// keywords are crypto for x/crypto imports, gokrb5 for kerberos, and pbkdf2 for pbkdf2 generation
+		for _, keyword := range []string{"crypto", "gokrb5", "pbkdf2"} {
+			if strings.Contains(line, keyword) {
+				err = errors.Join(err, fmt.Errorf("Detected import %s may implement crypto functionality", line))
+			}
+		}
+	}
+	return err
+}
+
 // genNotice generates the NOTICE.txt or the NOTICE-fips.txt file.
 func genNotice(fips bool) error {
 	tags := []string{}