fipsccl: Add a SQL function to check fips status

This function provides a way to verify FIPS readiness without modifying
the deployment to add the --enterprise-require-fips-ready flag.

Updates #114344

Release note (enterprise change): New SQL function fips_ready can be
used to verify the FIPS readiness of the gateway node.

Author: bdarnell

pkg/ccl/BUILD.bazel

@@ -22,6 +22,7 @@ go_library(
         "//pkg/ccl/partitionccl",
         "//pkg/ccl/pgcryptoccl",
         "//pkg/ccl/plpgsqlccl",
+        "//pkg/ccl/securityccl/fipsccl",
         "//pkg/ccl/storageccl",
         "//pkg/ccl/storageccl/engineccl",
         "//pkg/ccl/streamingccl/streamingest",

pkg/ccl/ccl_init.go

@@ -28,6 +28,7 @@ import (
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/partitionccl"
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/pgcryptoccl"
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/plpgsqlccl"
+	_ "github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl"
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/storageccl"
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/storageccl/engineccl"
 	_ "github.com/cockroachdb/cockroach/pkg/ccl/streamingccl/streamingest"

pkg/ccl/logictestccl/testdata/logic_test/fips_ready

@@ -0,0 +1,14 @@
+subtest fips_ready
+
+# We do not have the plumbing that would let test cases know whether they are
+# running in a fips environment or not so this is just a very basic test to
+# make sure that all the registration, oids, etc work properly.
+query _
+SELECT crdb_internal.fips_ready()
+----
+_
+
+user testuser
+
+statement error pq: crdb_internal\.fips_ready\(\): user testuser does not have VIEWCLUSTERSETTING system privilege
+SELECT crdb_internal.fips_ready()

pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go

@@ -7,11 +7,20 @@ go_library(
         "build_noboring.go",
         "fips_linux.go",
         "fips_nolinux.go",
+        "sql.go",
     ],
     cgo = True,
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/ccl/utilccl",
+        "//pkg/sql/privilege",
+        "//pkg/sql/roleoption",
+        "//pkg/sql/sem/eval",
+        "//pkg/sql/sem/tree",
+        "//pkg/sql/sem/volatility",
+        "//pkg/sql/syntheticprivilege",
+        "//pkg/sql/types",
         "@com_github_cockroachdb_errors//:errors",
     ],
 )

pkg/ccl/logictestccl/tests/fakedist-disk/generated_test.go

@@ -0,0 +1,64 @@
+// Copyright 2023 The Cockroach Authors.
+//
+// Licensed as a CockroachDB Enterprise file under the Cockroach Community
+// License (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+//     https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt
+
+package fipsccl
+
+import (
+	"context"
+
+	"github.com/cockroachdb/cockroach/pkg/ccl/utilccl"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
+	"github.com/cockroachdb/cockroach/pkg/sql/roleoption"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/eval"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/volatility"
+	"github.com/cockroachdb/cockroach/pkg/sql/syntheticprivilege"
+	"github.com/cockroachdb/cockroach/pkg/sql/types"
+)
+
+func init() {
+	overload := tree.Overload{
+		Types:      tree.ParamTypes{},
+		ReturnType: tree.FixedReturnType(types.Bool),
+		Fn: func(ctx context.Context, evalCtx *eval.Context, args tree.Datums) (tree.Datum, error) {
+			if err := utilccl.CheckEnterpriseEnabled(
+				evalCtx.Settings, evalCtx.ClusterID, "fips_ready",
+			); err != nil {
+				return nil, err
+			}
+			// It's debatable whether we need a permission check here at all.
+			// It's not very sensitive and is (currently) a very cheap function
+			// call. However, it's something that regular users should have no
+			// reason to look at so in the interest of least privilege we put it
+			// behind the VIEWCLUSTERSETTING privilige.
+			session := evalCtx.SessionAccessor
+			isAdmin, err := session.HasAdminRole(ctx)
+			if err != nil {
+				return nil, err
+			}
+			if !isAdmin {
+				hasView, err := session.HasRoleOption(ctx, roleoption.VIEWCLUSTERSETTING)
+				if err != nil {
+					return nil, err
+				}
+				if !hasView {
+					if err := session.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWCLUSTERSETTING); err != nil {
+						return nil, err
+					}
+				}
+			}
+			return tree.MakeDBool(tree.DBool(IsFIPSReady())), nil
+		},
+		Class:      tree.NormalClass,
+		Volatility: volatility.Stable,
+	}
+
+	utilccl.RegisterCCLBuiltin("crdb_internal.fips_ready",
+		`Returns true if all FIPS readiness checks pass.`,
+		overload)
+}

pkg/ccl/logictestccl/tests/fakedist-vec-off/generated_test.go

@@ -2506,6 +2506,7 @@ var builtinOidsArray = []string{
 	2535: `last_value(val: refcursor) -> refcursor`,
 	2536: `percentile_disc_impl(arg1: float, arg2: refcursor) -> refcursor`,
 	2537: `percentile_disc_impl(arg1: float[], arg2: refcursor) -> refcursor[]`,
+	2543: `crdb_internal.fips_ready() -> bool`,
 }
 
 var builtinOidsBySignature map[string]oid.Oid