OpenSearch/gradle/fips.gradle

/*
 * SPDX-License-Identifier: Apache-2.0
 *
 * The OpenSearch Contributors require contributions made to
 * this file be licensed under the Apache-2.0 license or a
 * compatible open source license.
 *
 * Modifications Copyright OpenSearch Contributors. See
 * GitHub history for details.
 */

import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
import org.opensearch.gradle.info.BuildParams
import org.opensearch.gradle.testclusters.OpenSearchCluster

// Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) {

  allprojects {
    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
    boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
    boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")
    File fipsSecurity;
    File fipsPolicy;
    if (java8) {
      if (zulu8) {
        //Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE
        fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")
        fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")
      } else {
        fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")
        fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")
      }
    } else {
      fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")
      fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
    }
    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2')
    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')

    pluginManager.withPlugin('java') {
      TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)
      fipsResourcesTask.configure {
        outputDir = fipsResourcesDir
        copy fipsSecurity.name
        copy fipsPolicy.name
        copy 'cacerts.bcfks'
      }

      project.afterEvaluate {
        def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
        // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
        // set the class path to help maintain pure black box testing, and here we are adding to that classpath
        tasks.withType(Test).configureEach { Test test ->
          test.setClasspath(test.getClasspath().plus(extraFipsJars))
        }
      }

      pluginManager.withPlugin("opensearch.testclusters") {
        afterEvaluate {
          // This afterEvaluate hooks is required to avoid deprecated configuration resolution
          // This configuration can be removed once system modules are available
          def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
          testClusters.all {
            extraFipsJars.files.each {
              extraJarFile it
            }
          }
        }
        testClusters.all {
          extraConfigFile "fips_java.security", fipsSecurity
          extraConfigFile "fips_java.policy", fipsPolicy
          extraConfigFile "cacerts.bcfks", fipsTrustStore
          systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security'
          systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy'
          systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks'
          systemProperty 'javax.net.ssl.trustStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
        }
      }
      project.tasks.withType(Test).configureEach { Test task ->
        task.dependsOn('fipsResources')
        task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
        task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
        task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
        // Using the key==value format to override default JVM security settings and policy
        // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
        task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
      }
    }
  }
}
[License] Add SPDX and OpenSearch Modification license header (#509) This commit adds the SPDX Apache-2.0 license header along with an additional copyright header for all modifications. Signed-off-by: Nicholas Walter Knize <nknize@apache.org> 2021-04-09 15:28:18 -04:00			`/*`
			`* SPDX-License-Identifier: Apache-2.0`
			`*`
			`* The OpenSearch Contributors require contributions made to`
			`* this file be licensed under the Apache-2.0 license or a`
			`* compatible open source license.`
			`*`
			`* Modifications Copyright OpenSearch Contributors. See`
			`* GitHub history for details.`
			`*/`

[Rename] refactor the gradle directory. (#276) Refactor the `gradle` directory as part of the renaming to OpenSearch work. Signed-off-by: Rabi Panda <adnapibar@gmail.com> 2021-03-12 13:49:28 -05:00			`import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask`
			`import org.opensearch.gradle.info.BuildParams`
			`import org.opensearch.gradle.testclusters.OpenSearchCluster`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00
			`// Common config when running with a FIPS-140 runtime JVM`
			`if (BuildParams.inFipsJvm) {`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`allprojects {`
			`File fipsResourcesDir = new File(project.buildDir, 'fips-resources')`
			`boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8`
Run zulu8 fips CI with BCJSSE instead of SunJSSE (#61857) As we figured out in https://github.com/elastic/elasticsearch/issues/61316#issuecomment-685482708 Azul brings back a lot of changes from JDK 11 to their Zulu8 build and this means that we can't run this with SunJSSE in FIPS 140 mode. This change ensures that we configure Zulu8 JDK JVMs in FIPS 140 mode, using the bouncy castle JSSE FIPS provider, instead of the SunJSSE one ( as we do for the rest of the java 8 JVMs ) Resolves: #61316 2020-09-04 07:53:43 -04:00			`boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")`
			`File fipsSecurity;`
			`File fipsPolicy;`
			`if (java8) {`
			`if (zulu8) {`
			`//Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE`
			`fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")`
			`fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")`
			`} else {`
			`fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")`
			`fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")`
			`}`
			`} else {`
			`fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")`
			`fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")`
			`}`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')`
Use BCFIPS 1.0.2 in our CI (#63116) Bouncy Castle's BC-FJA-1.0.2 has been certified for a while now but we had noticed that it seems to be rather entropy hungry and ES would start very slowly ( and tests would take forever ) because of blocking calls to /dev/random. We verified that this is resolved when enabling hw RNG or a software one like haveged. While rng-tools should be suggested for production uses, our ephemeral workers have haveged installed which should work just fine for CI. Backport of 63099 2020-10-01 07:48:53 -04:00			`def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2')`
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')`

			`pluginManager.withPlugin('java') {`
[Rename] refactor the gradle directory. (#276) Refactor the `gradle` directory as part of the renaming to OpenSearch work. Signed-off-by: Rabi Panda <adnapibar@gmail.com> 2021-03-12 13:49:28 -05:00			`TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`fipsResourcesTask.configure {`
			`outputDir = fipsResourcesDir`
			`copy fipsSecurity.name`
			`copy fipsPolicy.name`
			`copy 'cacerts.bcfks'`
			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`project.afterEvaluate {`
			`def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)`
			`// ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly`
			`// set the class path to help maintain pure black box testing, and here we are adding to that classpath`
			`tasks.withType(Test).configureEach { Test test ->`
			`test.setClasspath(test.getClasspath().plus(extraFipsJars))`
			`}`
			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
[Rename] refactor the gradle directory. (#276) Refactor the `gradle` directory as part of the renaming to OpenSearch work. Signed-off-by: Rabi Panda <adnapibar@gmail.com> 2021-03-12 13:49:28 -05:00			`pluginManager.withPlugin("opensearch.testclusters") {`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`afterEvaluate {`
			`// This afterEvaluate hooks is required to avoid deprecated configuration resolution`
			`// This configuration can be removed once system modules are available`
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`testClusters.all {`
			`extraFipsJars.files.each {`
			`extraJarFile it`
			`}`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`}`
			`testClusters.all {`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`extraConfigFile "fips_java.security", fipsSecurity`
			`extraConfigFile "fips_java.policy", fipsPolicy`
			`extraConfigFile "cacerts.bcfks", fipsTrustStore`
[Rename] refactor the gradle directory. (#276) Refactor the `gradle` directory as part of the renaming to OpenSearch work. Signed-off-by: Rabi Panda <adnapibar@gmail.com> 2021-03-12 13:49:28 -05:00			`systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security'`
			`systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy'`
			`systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks'`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`systemProperty 'javax.net.ssl.trustStorePassword', 'password'`
			`systemProperty 'javax.net.ssl.keyStorePassword', 'password'`
			`systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'`
			`}`
			`}`
			`project.tasks.withType(Test).configureEach { Test task ->`
			`task.dependsOn('fipsResources')`
			`task.systemProperty('javax.net.ssl.trustStorePassword', 'password')`
			`task.systemProperty('javax.net.ssl.keyStorePassword', 'password')`
			`task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')`
			`// Using the key==value format to override default JVM security settings and policy`
			`// see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html`
			`task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))`
			`task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))`
			`task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)`
			`}`
			`}`
			`}`
			`}`