Keep building python the same old way for fips agent

alopezz · alopezz · commit 1ff8ed192ffc · 2025-11-28T14:58:50.000+01:00
diff --git a/omnibus/config/software/python3.rb b/omnibus/config/software/python3.rb
@@ -21,7 +21,7 @@
   # 2.0 is the license version here, not the python version
   license "Python-2.0"
 
-  unless windows_target?
+  if !windows_target?
     env = with_standard_compiler_flags(with_embedded_path)
     python_configure_options = [
       "--without-readline",  # Disables readline support
@@ -66,6 +66,63 @@
     block do
       FileUtils.rm_f(Dir.glob("#{install_dir}/embedded/lib/python#{major}.#{minor}/distutils/command/wininst-*.exe"))
     end
+  elsif fips_mode?
+    ###############################
+    # Setup openssl dependency... #
+    ###############################
+
+    # We must provide python with the same file hierarchy as
+    # https://github.com/python/cpython-bin-deps/tree/openssl-bin-3.0/amd64
+    # but with our OpenSSL build instead.
+
+    # This is not necessarily the version we built, but the version
+    # the Python build system expects.
+    openssl_version = "3.0.16.2"
+    python_arch = "amd64"
+
+    mkdir "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\include"
+    # Copy the import library to have them point at our own built versions, regardless of
+    # their names in usual python builds
+    copy "#{install_dir}\\embedded3\\lib\\libcrypto.dll.a", "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libcrypto.lib"
+    copy "#{install_dir}\\embedded3\\lib\\libssl.dll.a", "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libssl.lib"
+    # Copy the actual DLLs, be sure to keep the same name since that's what the IMPLIBs expect
+    copy "#{install_dir}\\embedded3\\bin\\libssl-3-x64.dll", "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libssl-3.dll"
+    # Create empty PDBs since python's build system require those to be present
+    command "touch externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libssl-3.pdb"
+    copy "#{install_dir}\\embedded3\\bin\\libcrypto-3-x64.dll", "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libcrypto-3.dll"
+    command "touch externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\libcrypto-3.pdb"
+    # And finally the headers:
+    copy "#{install_dir}\\embedded3\\include\\openssl", "externals\\openssl-bin-#{openssl_version}\\#{python_arch}\\include\\"
+    # Now build python itself...
+
+    ###############################
+    # Build Python...             #
+    ###############################
+    # -e to enable external libraries. They won't be fetched if already
+    # present, but the modules will be built nonetheless.
+    command "PCbuild\\build.bat -e --pgo"
+    # Install the built artifacts to their expected locations
+    # --include-dev - include include/ and libs/ directories
+    # --include-venv - necessary for ensurepip to work
+    # --include-stable - adds python3.dll
+    command "PCbuild\\#{python_arch}\\python.exe PC\\layout\\main.py --build PCbuild\\#{python_arch} --precompile --copy #{windows_safe_path(python_3_embedded)} --include-dev --include-venv --include-stable -vv"
+
+    ###############################
+    # Install build artifacts...  #
+    ###############################
+    # We copied the OpenSSL libraries with the name python expects to keep the build happy
+    # but at runtime, it will attempt to load the DLLs pointed at by the .dll.a generated by
+    # the OpenSSL build, so we need to copy those files to the install directory.
+    # The ones we copied for the build are now irrelevant
+    openssl_arch = "x64"
+    copy "#{install_dir}\\embedded3\\bin\\libcrypto-3-#{openssl_arch}.dll", "#{windows_safe_path(python_3_embedded)}\\DLLs"
+    copy "#{install_dir}\\embedded3\\bin\\libssl-3-#{openssl_arch}.dll", "#{windows_safe_path(python_3_embedded)}\\DLLs"
+    # We can also remove the DLLs that were put there by the python build since they won't be loaded anyway
+    delete "#{windows_safe_path(python_3_embedded)}\\DLLs\\libcrypto-3.dll"
+    delete "#{windows_safe_path(python_3_embedded)}\\DLLs\\libssl-3.dll"
+
+    python = "#{windows_safe_path(python_3_embedded)}\\python.exe"
+    command "#{python} -m ensurepip"
   else
     command_on_repo_root "bazelisk run -- @cpython//:install --destdir=#{python_3_embedded}"
   end
