Fix issue with FIPS compliance and CAT. (#148)

TimPansino · web-flow · commit e99af8f64921 · 2021-02-24T11:07:02.000-08:00
diff --git a/newrelic/api/cat_header_mixin.py b/newrelic/api/cat_header_mixin.py
@@ -88,16 +88,21 @@ def generate_request_headers(cls, transaction):
 
         elif settings.cross_application_tracer.enabled:
             transaction.is_part_of_cat = True
-            encoded_cross_process_id = obfuscate(settings.cross_process_id,
-                    settings.encoding_key)
-            nr_headers.append((cls.cat_id_key, encoded_cross_process_id))
-
-            transaction_data = [transaction.guid, transaction.record_tt,
-                    transaction.trip_id, transaction.path_hash]
-            encoded_transaction = obfuscate(json_encode(transaction_data),
-                    settings.encoding_key)
-            nr_headers.append(
-                    (cls.cat_transaction_key, encoded_transaction))
+            path_hash = transaction.path_hash
+            if path_hash is None:
+                # Disable cat if path_hash fails to generate.
+                transaction.is_part_of_cat = False
+            else:
+                encoded_cross_process_id = obfuscate(settings.cross_process_id,
+                        settings.encoding_key)
+                nr_headers.append((cls.cat_id_key, encoded_cross_process_id))
+
+                transaction_data = [transaction.guid, transaction.record_tt,
+                        transaction.trip_id, path_hash]
+                encoded_transaction = obfuscate(json_encode(transaction_data),
+                        settings.encoding_key)
+                nr_headers.append(
+                        (cls.cat_transaction_key, encoded_transaction))
 
         if transaction.synthetics_header:
             nr_headers.append(
diff --git a/newrelic/api/transaction.py b/newrelic/api/transaction.py
@@ -719,7 +719,16 @@ def path_hash(self):
         except Exception:
             seed = 0
 
-        path_hash = generate_path_hash(identifier, seed)
+        try: 
+            path_hash = generate_path_hash(identifier, seed)
+        except ValueError:
+            _logger.warning(
+                "Unable to generate cross application tracer headers. "
+                "MD5 hashing may not be available. (Is this system FIPS compliant?) "
+                "We recommend enabling distributed tracing instead. For details and a transition guide see "
+                "https://docs.newrelic.com/docs/agents/python-agent/configuration/python-agent-configuration#distributed-tracing-settings"
+            )
+            return None
 
         # Only store up to 10 alternate path hashes.
 
diff --git a/newrelic/common/encoding_utils.py b/newrelic/common/encoding_utils.py
@@ -17,17 +17,17 @@
 
 """
 
-import random
-import itertools
-import types
 import base64
-import json
-import zlib
-import io
 import gzip
+import hashlib
+import io
+import itertools
+import json
+import random
 import re
+import types
+import zlib
 from collections import OrderedDict
-from hashlib import md5
 
 from newrelic.packages import six
 
@@ -265,7 +265,7 @@ def generate_path_hash(name, seed):
     if not isinstance(name, bytes):
         name = name.encode('UTF-8')
 
-    path_hash = (rotated ^ int(md5(name).hexdigest()[-8:], base=16))
+    path_hash = (rotated ^ int(hashlib.md5(name).hexdigest()[-8:], base=16))
     return '%08x' % path_hash
 
 
diff --git a/tests/agent_features/test_cat.py b/tests/agent_features/test_cat.py
@@ -21,8 +21,11 @@
 end style test, it does not fit as a unittest.
 """
 
+import pytest
 import webtest
 
+from newrelic.api.background_task import background_task
+from newrelic.api.external_trace import ExternalTrace
 from newrelic.api.wsgi_application import wsgi_application
 
 from testing_support.fixtures import (make_cross_agent_headers,
@@ -72,3 +75,28 @@ def test_cat_insertion_disabled_on_304():
     headers = make_cross_agent_headers(payload, ENCODING_KEY, '1#1')
     response = test_application.get('/304', headers=headers)
     assert 'X-NewRelic-App-Data' not in response.headers
+
+_override_settings = {
+    'cross_application_tracing.enabled': True,
+    'distributed_tracing.enabled': False,
+}
+@override_application_settings(_override_settings)
+@pytest.mark.parametrize('fips_enabled', (False, True))
+@background_task()
+def test_cat_fips_compliance(monkeypatch, fips_enabled):
+    # Set md5 to raise a ValueError to simulate FIPS compliance issues.
+    def md5_crash(*args, **kwargs):
+        raise ValueError()
+
+    if fips_enabled:
+        # monkeypatch.setattr("hashlib.md5", md5_crash)
+        import hashlib
+        monkeypatch.setattr(hashlib, "md5", md5_crash)
+
+    # Generate and send request using actual transaction api instead of fixture.
+    # Otherwise the proper code paths are not exercised.
+    with ExternalTrace("cat_test", "http://localhost/200") as tracer:
+        headers = tracer.generate_request_headers(tracer.transaction)
+    
+    expected = not fips_enabled  # Invert to make more human readable
+    assert ('X-NewRelic-Transaction' in dict(headers)) == expected
diff --git a/tests/cross_agent/test_cat_map.py b/tests/cross_agent/test_cat_map.py
@@ -197,7 +197,7 @@ def run_cat_test():
 
         content = response.html.html.body.p.string
 
-        # Validate actual body content as sansity check.
+        # Validate actual body content as sanity check.
 
         assert content == 'RESPONSE'
 
