From 37f27fbecd422da9fefb8ae1cc601bc5b4fec44b Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Sun, 17 Nov 2024 17:17:50 -0500
Subject: [PATCH] cmd/go: enable fips test and fix caching bug

Enable the cmd/go fips test now that v1.0.0.zip has been checked in.
Will still need to enable the alias half when the alias is checked in.

Also fix a problem that was causing spurious failures, by fixing
repeated unpackings and also disabling modindex reads of the
virtual fips140 snapshot directories.

Fixes #71491.

Change-Id: I7fa21e9bde07ff4eb6c3483e99d49316ee0ea7f0
Reviewed-on: https://go-review.googlesource.com/c/go/+/645835
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-by: Sam Thanawalla <samthanawalla@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 src/cmd/go/internal/modfetch/cache.go   |  7 +++++++
 src/cmd/go/internal/modindex/read.go    | 11 +++++++----
 src/cmd/go/testdata/script/fipssnap.txt |  9 +++------
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/cmd/go/internal/modfetch/cache.go b/src/cmd/go/internal/modfetch/cache.go
index 02d3849314a..9c34581a910 100644
--- a/src/cmd/go/internal/modfetch/cache.go
+++ b/src/cmd/go/internal/modfetch/cache.go
@@ -113,6 +113,13 @@ func DownloadDir(ctx context.Context, m module.Version) (string, error) {
 		return dir, err
 	}
 
+	// Special case: ziphash is not required for the golang.org/fips140 module,
+	// because it is unpacked from a file in GOROOT, not downloaded.
+	// We've already checked that it's not a partial unpacking, so we're happy.
+	if m.Path == "golang.org/fips140" {
+		return dir, nil
+	}
+
 	// Check if a .ziphash file exists. It should be created before the
 	// zip is extracted, but if it was deleted (by another program?), we need
 	// to re-calculate it. Note that checkMod will repopulate the ziphash
diff --git a/src/cmd/go/internal/modindex/read.go b/src/cmd/go/internal/modindex/read.go
index 4c1fbd83596..76216f35ba1 100644
--- a/src/cmd/go/internal/modindex/read.go
+++ b/src/cmd/go/internal/modindex/read.go
@@ -33,10 +33,7 @@ import (
 	"cmd/internal/par"
 )
 
-// enabled is used to flag off the behavior of the module index on tip.
-// It will be removed before the release.
-// TODO(matloob): Remove enabled once we have more confidence on the
-// module index.
+// enabled is used to flag off the behavior of the module index on tip, for debugging.
 var enabled = godebug.New("#goindex").Value() != "0"
 
 // Module represents and encoded module index file. It is used to
@@ -126,6 +123,7 @@ var ErrNotIndexed = errors.New("not in module index")
 var (
 	errDisabled           = fmt.Errorf("%w: module indexing disabled", ErrNotIndexed)
 	errNotFromModuleCache = fmt.Errorf("%w: not from module cache", ErrNotIndexed)
+	errFIPS140            = fmt.Errorf("%w: fips140 snapshots not indexed", ErrNotIndexed)
 )
 
 // GetPackage returns the IndexPackage for the directory at the given path.
@@ -143,6 +141,11 @@ func GetPackage(modroot, pkgdir string) (*IndexPackage, error) {
 	if cfg.BuildContext.Compiler == "gccgo" && str.HasPathPrefix(modroot, cfg.GOROOTsrc) {
 		return nil, err // gccgo has no sources for GOROOT packages.
 	}
+	// The pkgdir for fips140 has been replaced in the fsys overlay,
+	// but the module index does not see that. Do not try to use the module index.
+	if strings.Contains(filepath.ToSlash(pkgdir), "internal/fips140/v") {
+		return nil, errFIPS140
+	}
 	return openIndexPackage(modroot, pkgdir)
 }
 
diff --git a/src/cmd/go/testdata/script/fipssnap.txt b/src/cmd/go/testdata/script/fipssnap.txt
index 465f304c46c..9888bc82f11 100644
--- a/src/cmd/go/testdata/script/fipssnap.txt
+++ b/src/cmd/go/testdata/script/fipssnap.txt
@@ -1,10 +1,6 @@
-## Note: Need a snapshot in lib/fips140 to run this test.
-## For local testing, can run 'cd lib/fips140; make v0.0.1.test'
-## and then remove the skip.
-env snap=v0.0.1
+env snap=v1.0.0
 env alias=inprocess
 
-skip 'no snapshots yet'
 env GOFIPS140=$snap
 
 # Go+BoringCrypto conflicts with GOFIPS140.
@@ -27,7 +23,8 @@ stdout crypto/internal/fips140/$snap/sha256
 ! stdout crypto/internal/fips140/check
 
 # again with GOFIPS140=$alias
-env GOFIPS140=$alias
+# TODO: enable when we add inprocess.txt
+# env GOFIPS140=$alias
 
 # default GODEBUG includes fips140=on
 go list -f '{{.DefaultGODEBUG}}'
-- 
GitLab