From f4aca0620c2c03b62841de2543120582a0f1af72 Mon Sep 17 00:00:00 2001
From: Alex Lopez
Date: Tue, 4 Mar 2025 12:11:59 +0100
Subject: [PATCH] Build cryptography against embedded OpenSSL for FIPS Windows Agent (#34619)

(cherry picked from commit 09d81f65ee678c99b0f12c5a8ae8dc97f35b3d48)
---
 .gitlab/package_build/windows.yml | 1 +
 .../datadog-agent-integrations-py3.rb | 26 +++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/.gitlab/package_build/windows.yml b/.gitlab/package_build/windows.yml
index 0d3c936d8112e..839bdf43a1a18 100644
--- a/.gitlab/package_build/windows.yml
+++ b/.gitlab/package_build/windows.yml
@@ -40,6 +40,7 @@
 -e AGENT_FLAVOR=${AGENT_FLAVOR}
 -e OMNIBUS_SOFTWARE_VERSION="${OMNIBUS_SOFTWARE_VERSION}"
 -e OMNIBUS_RUBY_VERSION="${OMNIBUS_RUBY_VERSION}"
+ -e PYTHONUTF8=1
 ${WINBUILDIMAGE}
 powershell -C "c:\mnt\tasks\winbuildscripts\Build-AgentPackages.ps1 -BuildOutOfSource 1 -InstallDeps 1 -CheckGoVersion 1 -BuildUpgrade 1"
 - If ($lastExitCode -ne "0") { throw "Previous command returned $lastExitCode" }
diff --git a/omnibus/config/software/datadog-agent-integrations-py3.rb b/omnibus/config/software/datadog-agent-integrations-py3.rb
index 73517f7568824..d80b782138e6d 100644
--- a/omnibus/config/software/datadog-agent-integrations-py3.rb
+++ b/omnibus/config/software/datadog-agent-integrations-py3.rb
@@ -262,8 +262,8 @@
 # This is intended as a temporary kludge while we make a decision on how to handle the multiplicity
 # of openssl copies in a more general way while keeping risk low.
 if fips_mode?
- block "Patch cryptography's openssl linking" do
- if linux_target?
+ if linux_target?
+ block "Patch cryptography's openssl linking" do
 # We delete the libraries shipped with the wheel and replace references to those names
 # in the binary that references it using patchelf
 cryptography_folder = "#{install_dir}/embedded/lib/python#{python_version}/site-packages/cryptography"
@@ -275,6 +275,28 @@
 shellout! "patchelf --add-rpath #{install_dir}/embedded/lib #{so_to_patch}"
 FileUtils.rm([libssl_match, libcrypto_match])
 end
+ elsif windows_target?
+ dll_folder = File.join(install_dir, "embedded3", "DLLS")
+ # Build the cryptography library in this case so that it gets linked to Agent's OpenSSL
+ # We first need to copy some files around (we need the .lib files for building)
+ copy File.join(install_dir, "embedded3", "lib", "libssl.dll.a"),
+ File.join(dll_folder, "libssl-3-x64.lib")
+ copy File.join(install_dir, "embedded3", "lib", "libcrypto.dll.a"),
+ File.join(dll_folder, "libcrypto-3-x64.lib")
+
+ command "#{python} -m pip install --force-reinstall --no-deps --no-binary cryptography cryptography==43.0.1",
+ env: {
+ "OPENSSL_LIB_DIR" => dll_folder,
+ "OPENSSL_INCLUDE_DIR" => File.join(install_dir, "embedded3", "include"),
+ "OPENSSL_LIBS" => "libssl-3-x64:libcrypto-3-x64",
+ }
+ # Python extensions on windows require this to find their DLL dependencies,
+ # we abuse the `.pth` loading system to inject it
+ block "Inject dll path for Python extensions" do
+ File.open(File.join(install_dir, "embedded3", "lib", "site-packages", "add-dll-directory.pth"), "w") do |f|
+ f.puts 'import os; os.add_dll_directory(os.path.abspath(os.path.join(__file__, "..", "..", "DLLS")))'
+ end
+ end
 end
 end
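Review bot: The `command "#{python} -m pip install --force-reinstall --no-deps --no-binary cryptography cryptography==43.0.1"` line trusts the sdist fetched at build time on name and version alone, and `--force-reinstall --no-deps` replaces whatever cryptography the integrations requirements resolved to without checking that the two pins agree (that other pin is not visible in this hunk); since this is the build that ends up linked to the embedded OpenSSL on the FIPS flavor, it should be hash-pinned, e.g. a one-line requirements file `cryptography==43.0.1 --hash=sha256:<sdist sha256>` installed with `-r` and `--require-hashes`, with a comment naming where the version must be kept in sync. The `.pth` line appears to work only because `site.addpackage` exec()s it in `site`'s own namespace, so `__file__` is `.../lib/site.py` rather than the `.pth` file and `"..", ".."` lands in `embedded3/DLLS`; a comment such as `# __file__ here is site.py (the line is exec'd by site.addpackage), so ../../DLLS is embedded3/DLLS` would stop a later reader from "correcting" the path. The two `.lib` import libraries copied into `dll_folder` are only needed for the build but are never removed afterwards, so they ship in the package. `os.add_dll_directory` widens the DLL search path of every process that imports this Python, so `embedded3/DLLS` needs write ACLs as tight as the rest of the install tree; the `if linux_target?` branch this `elsif` joins opens in the previous hunk.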