search

Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License
4.53k stars 2.76k forks source link

Make SDK FIPS compliant. #36961

Open InsomniacFury opened 3 weeks ago

InsomniacFury commented 3 weeks ago

Is your feature request related to a problem? Please describe. Yes. I'm trying to move a project that consumes this API onto a FIPS compliant Python 3.9 image, i.e. https://images.chainguard.dev/directory/image/python-fips/overview, image tag 3.9.

The problem is that an underlying use of hashlib.md5() that is ultimately consumed by azure.ai.ml.MLClient is not FIPS compliant and ultimately returns the following error on importing MLClient.

Traceback (most recent call last):
...
  File "/runtime/llm_proxy/clients/azure.py", line 7, in <module>
    from azure.ai.ml import MLClient
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/__init__.py", line 11, in <module>
    from azure.ai.ml.entities._inputs_outputs import Input, Output
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/__init__.py", line 18, in <module>
    from ._assets._artifacts._package.base_environment_source import BaseEnvironment
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/_assets/__init__.py", line 9, in <module>
    from ._artifacts.code import Code
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/entities/_assets/_artifacts/code.py", line 12, in <module>
    from azure.ai.ml._utils._asset_utils import IgnoreFile, get_content_hash, get_content_hash_version, get_ignore_file
  File "/opt/venv/lib/python3.9/site-packages/azure/ai/ml/_utils/_asset_utils.py", line 80, in <module>
    hash_type = type(hashlib.md5())  # nosec
ValueError: [digital envelope routines] unsupported

The issue is that the md5 hash is being used for non-cryptographic purposes, but not indicated as such. If it were, then it's usage within /azure/ai/ml/_utils/_asset_utils.py would work in FIPS mode.

Describe the solution you'd like For 3.9+, update the use of the hashlib.md5() to indicate that it's not being used for security, with the following usage: hashlib.md5(usedforsecurity=False) hashlib.md5(b"Initialize for october 2021 AML CLI version", usedforsecurity=False)

The above solution, i.e. the support for the usedforsecurity parameter, only works for 3.9+. Context for the above solution and a potential solution for 3.7-3.8 is here: https://til.simonwillison.net/python/md5-fips#user-content-python-md5-and-usedforsecurityfalse

Describe alternatives you've considered An alternative since the current usage of MD5, which seems for providing a checksum, is so use a different FIPS-compliant hash algorithm, like SHA256.

Additional context N/A

github-actions[bot] commented 3 weeks ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/azure-ml-sdk @azureml-github.