Restore python bazel build while fixing FIPS issue (#43636)

### What does this PR do?

It restores #43340 and fixes it by restoring the omnibus code path for fips mode Windows Agent.

### Motivation

#incident-46365

https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1261560018

I didn't look close enough at how the fips build is meant to work and the job didn't run on the PR.

### Describe how you validated your changes

I've manually run the jobs that failed last time.
- https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1261820270
- https://gitlab.ddbuild.io/DataDog/datadog-agent/-/jobs/1261820269

### Additional Notes


Co-authored-by: alex.lopez <[email protected]>

Author: alopezz

deps/cpython.BUILD.bazel

@@ -11,7 +11,6 @@ python_externals = {
     "xz": "5.2.5",
     "zlib": "1.3.1",
     "libffi": "3.4.4",
-    "openssl-bin": "3.0.16.2",
     "tcltk": "8.6.15.0",
 }
 
@@ -27,6 +26,26 @@ python_externals = {
     for dep, version in python_externals.items()
 ]
 
+# This sets up OpenSSL files in a layout such as the Python build system for Windows expects
+copy_to_directory(
+    name = "openssl-bin_win_dir",
+    srcs = ["@openssl"],
+    # TODO(team:agent-build): Single source of truth for dependency versions
+    out = "openssl-bin-3.5.4/amd64",
+    include_external_repositories = ["*openssl*"],
+    # This reproduces the expected layout (libs at root, includes under `include`)
+    root_paths = [
+        "openssl/bin",
+        "openssl/lib",
+        "openssl",
+    ],
+    replace_prefixes = {
+        # We need to rename the .dll.a's into .lib files as the Python build expects
+        "libcrypto.dll.a": "libcrypto.lib",
+        "libssl.dll.a": "libssl.lib",
+    },
+)
+
 run_binary(
     name = "python_win",
     srcs = (
@@ -57,7 +76,7 @@ run_binary(
         "XZ_DIR": "$(location xz_win_dir)",
         "ZLIB_DIR": "$(location zlib_win_dir)",
         "LIBFFI_DIR": "$(location libffi_win_dir)",
-        "OPENSSL_DIR": r"$(location openssl-bin_win_dir)\amd64",
+        "OPENSSL_DIR": r"$(location openssl-bin_win_dir)",
         "TCLTK_DIR": r"$(location tcltk_win_dir)\amd64",
         "TCL_VERSION": python_externals["tcltk"],
         "MSBUILD": "$(location @visual_studio//:msbuild)",

deps/cpython/build_python.bat

@@ -42,6 +42,9 @@ echo "/p:libffiDir=%LIBFFI_DIR%" >> %response_file%
 echo "/p:opensslOutDir=%OPENSSL_DIR%" >> %response_file%
 echo "/p:tcltkdir=%TCLTK_DIR%" >> %response_file%
 echo "/p:TclVersion=%TCL_VERSION%" >> %response_file%
+:: We disable copying around of the OpenSSL libraries (as defined in openssl.props)
+:: This simplifies the requirements on the input files and their names and gives us more control
+echo "/p:SkipCopySSLDLL=1" >> %response_file%
 
 :: -e flag would normally also fetch external dependencies, but we have a patch inhibiting that;
 :: the flag is still needed because otherwise modules depending on some of those external dependencies
@@ -52,6 +55,15 @@ if ERRORLEVEL 1 exit /b %ERRORLEVEL%
 
 @echo on
 
+:: Needed to avoid xcopy from failing when copying files out of this dir
+for %%F in (%OPENSSL_DIR%) do set OPENSSL_DIR=%%~fF
+
+:: Copy OpenSSL files to where the layout script expects them.
+:: The Python build would do this itself when SkipCopySSLDLL is not set,
+:: since we enabled that, we need to now copy them manually
+xcopy /f %OPENSSL_DIR%*.lib %build_outdir%\
+xcopy /f %OPENSSL_DIR%*.dll %build_outdir%\
+
 :: Create final layout from the build
 :: --include-dev - include include/ and libs/ directories
 :: --include-venv - necessary for ensurepip to work

deps/cpython/cpython.MODULE.bazel

@@ -46,7 +46,6 @@ python_src_deps = {
 
 python_bin_deps = {
     "libffi": ("3.4.4", "681c0e6306b4bcb54ecce8305f67ca88ab03be922b6c4dcfd18240ad46e357d8"),
-    "openssl-bin": ("3.0.16.2", "8686b76cbd4192143ed73bc60719efdb080bcdb8f887bdb7d66c5fecd2b6a36f"),
     "tcltk": ("8.6.15.0", "60adc5fc31c02347666198ffc74e5b6d0948f6765bb9034ae423a5a16c22a4e5"),
 }
 

omnibus/config/software/openssl3.rb

@@ -33,17 +33,10 @@
 
 build do
   if !fips_mode?
-    installation_dir = if windows? then python_3_embedded else "#{install_dir}/embedded" end
-    command_on_repo_root "bazelisk run -- @openssl//:install --destdir=#{installation_dir}"
-    if windows?
-      block do
-        # shutil generates temporary files during run install that are not removed afterwards.
-        Dir.glob("#{installation_dir}/include/openssl/tmp*").each do |tmp_file|
-          delete tmp_file
-        end
-      end
-    else
-      lib_extension = if linux_target? then ".so.#{version}" else ".#{version}.dylib" end
+    # OpenSSL on Windows now gets installed as part of the Python install, so we don't need to do anything here
+    if !windows?
+      command_on_repo_root "bazelisk run -- @openssl//:install --destdir=#{install_dir}/embedded"
+      lib_extension = if linux_target? then ".so" else ".dylib" end
       command_on_repo_root "bazelisk run -- //bazel/rules:replace_prefix --prefix #{install_dir}/embedded" \
         " #{install_dir}/embedded/lib/libssl#{lib_extension}" \
         " #{install_dir}/embedded/lib/libcrypto#{lib_extension}" \
@@ -124,4 +117,4 @@
     else
     end
     end
-  end
+  end

omnibus/config/software/python3.rb

@@ -21,7 +21,7 @@
   # 2.0 is the license version here, not the python version
   license "Python-2.0"
 
-  unless windows_target?
+  if !windows_target?
     env = with_standard_compiler_flags(with_embedded_path)
     python_configure_options = [
       "--without-readline",  # Disables readline support
@@ -66,7 +66,7 @@
     block do
       FileUtils.rm_f(Dir.glob("#{install_dir}/embedded/lib/python#{major}.#{minor}/distutils/command/wininst-*.exe"))
     end
-  else
+  elsif fips_mode?
     ###############################
     # Setup openssl dependency... #
     ###############################
@@ -123,6 +123,8 @@
 
     python = "#{windows_safe_path(python_3_embedded)}\\python.exe"
     command "#{python} -m ensurepip"
+  else
+    command_on_repo_root "bazelisk run -- @cpython//:install --destdir=#{python_3_embedded}"
   end
 end