OpenSearch/x-pack/plugin/security/cli/build.gradle

import de.thetaphi.forbiddenapis.gradle.CheckForbiddenApis
import org.elasticsearch.gradle.info.BuildParams

apply plugin: 'elasticsearch.build'

archivesBaseName = 'elasticsearch-security-cli'

dependencies {
  compileOnly project(":server")
  compileOnly project(path: xpackModule('core'), configuration: 'default')
  compile "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
  compile "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
  testImplementation('com.google.jimfs:jimfs:1.1') {
    // this is provided by the runtime classpath, from the security project
    exclude group: 'com.google.guava', module: 'guava'
  }
  testRuntimeOnly 'com.google.guava:guava:19.0'
  testCompile project(":test:framework")
  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
}

dependencyLicenses {
  mapping from: /bc.*/, to: 'bouncycastle'
}

forbiddenPatterns {
  exclude '**/*.p12'
  exclude '**/*.jks'
}

thirdPartyAudit {
  ignoreMissingClasses(
    // Used in org.bouncycastle.pqc.crypto.qtesla.QTeslaKeyEncodingTests
    'junit.framework.Assert',
    'junit.framework.TestCase'
  )
}

if (BuildParams.inFipsJvm) {
  test.enabled = false
  jarHell.enabled = false
  testingConventions.enabled = false
  // Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
  // not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
  tasks.withType(CheckForbiddenApis).configureEach {
    bundledSignatures -= "jdk-non-portable"
  }
}
Upgrade forbiddenapis to 2.6 (#33809) * Upgrade forbiddenapis to 2.6 Closes #33759 * Switch forbiddenApis back to official plugin * Remove CLI based task * Fix forbiddenApisJava9 2018-10-23 12:06:46 +03:00			`import de.thetaphi.forbiddenapis.gradle.CheckForbiddenApis`
[7.x] Introduce type-safe and consistent pattern for handling build globals (#48818) This commit introduces a consistent, and type-safe manner for handling global build parameters through out our build logic. Primarily this replaces the existing usages of extra properties with static accessors. It also introduces and explicit API for initialization and mutation of any such parameters, as well as better error handling for uninitialized or eager access of parameter values. Closes #42042 2019-11-01 11:33:11 -07:00			`import org.elasticsearch.gradle.info.BuildParams`
Fix forbidden apis on FIPS (#33202) - third party audit detects jar hell with JDK so we disable it - jdk non portable in forbiddenapis detects classes being used from the JDK ( for fips ) that are not portable, this is intended so we don't scan for it on fips. - different exclusion rules for third party audit on fips Closes #33179 2018-08-29 17:43:40 +03:00
Remove BouncyCastle dependency from runtime (#32193) * Remove BouncyCastle dependency from runtime This commit introduces a new gradle project that contains the classes that have a dependency on BouncyCastle. For the default distribution, It builds a jar from those and in puts it in a subdirectory of lib (/tools/security-cli) along with the BouncyCastle jars. This directory is then passed in the ES_ADDITIONAL_CLASSPATH_DIRECTORIES of the CLI tools that use these classes. BouncyCastle is removed as a runtime dependency (remains as a compileOnly one) from x-pack core and x-pack security. 2018-07-21 00:03:58 +03:00			`apply plugin: 'elasticsearch.build'`

			`archivesBaseName = 'elasticsearch-security-cli'`

			`dependencies {`
Apply 2-space indent to all gradle scripts (#49071) Backport of #48849. Update `.editorconfig` to make the Java settings the default for all files, and then apply a 2-space indent to all `*.gradle` files. Then reformat all the files. 2019-11-14 11:01:23 +00:00			`compileOnly project(":server")`
			`compileOnly project(path: xpackModule('core'), configuration: 'default')`
			`compile "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"`
			`compile "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"`
Remove guava from transitive compile classpath (#54309) (#54695) Guava was removed from Elasticsearch many years ago, but remnants of it remain due to transitive dependencies. When a dependency pulls guava into the compile classpath, devs can inadvertently begin using methods from guava without realizing it. This commit moves guava to a runtime dependency in the modules that it is needed. Note that one special case is the html sanitizer in watcher. The third party dep uses guava in the PolicyFactory class signature. However, only calling a method on the PolicyFactory actually causes the class to be loaded, a reference alone does not trigger compilation to look at the class implementation. There we utilize a MethodHandle for invoking the relevant method at runtime, where guava will continue to exist. 2020-04-07 23:20:17 -07:00			`testImplementation('com.google.jimfs:jimfs:1.1') {`
			`// this is provided by the runtime classpath, from the security project`
			`exclude group: 'com.google.guava', module: 'guava'`
			`}`
			`testRuntimeOnly 'com.google.guava:guava:19.0'`
Apply 2-space indent to all gradle scripts (#49071) Backport of #48849. Update `.editorconfig` to make the Java settings the default for all files, and then apply a 2-space indent to all `*.gradle` files. Then reformat all the files. 2019-11-14 11:01:23 +00:00			`testCompile project(":test:framework")`
			`testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')`
Remove BouncyCastle dependency from runtime (#32193) * Remove BouncyCastle dependency from runtime This commit introduces a new gradle project that contains the classes that have a dependency on BouncyCastle. For the default distribution, It builds a jar from those and in puts it in a subdirectory of lib (/tools/security-cli) along with the BouncyCastle jars. This directory is then passed in the ES_ADDITIONAL_CLASSPATH_DIRECTORIES of the CLI tools that use these classes. BouncyCastle is removed as a runtime dependency (remains as a compileOnly one) from x-pack core and x-pack security. 2018-07-21 00:03:58 +03:00			`}`

			`dependencyLicenses {`
Apply 2-space indent to all gradle scripts (#49071) Backport of #48849. Update `.editorconfig` to make the Java settings the default for all files, and then apply a 2-space indent to all `*.gradle` files. Then reformat all the files. 2019-11-14 11:01:23 +00:00			`mapping from: /bc.*/, to: 'bouncycastle'`
Build: Shadow x-pack:protocol into x-pack:plugin:core (#32240) This bundles the x-pack:protocol project into the x-pack:plugin:core project because we'd like folks to consider it an implementation detail of our build rather than a separate artifact to be managed and depended on. It is now bundled into both x-pack:plugin:core and client:rest-high-level. To make this work I had to fix a few things. Firstly, I had to make PluginBuildPlugin work with the shadow plugin. In that case we have to bundle only the `shadow` dependencies and the shadow jar. Secondly, every reference to x-pack:plugin:core has to use the `shadow` configuration. Without that the reference is missing all of the un-shadowed dependencies. I tried to make it so that applying the shadow plugin automatically redefines the `default` configuration to mirror the `shadow` configuration which would allow us to use bare project references to the x-pack:plugin:core project but I couldn't make it work. It'd look like it works but then fail for transitive dependencies anyway. I think it is still a good thing to do but I don't have the willpower to do it now. Finally, I had to fix an issue where Eclipse and IntelliJ didn't properly reference shadowed transitive dependencies. Neither IDE supports shadowing natively so they have to reference the shadowed projects. We fix this by detecting `shadow` dependencies when in "Intellij mode" or "Eclipse mode" and adding `runtime` dependencies to the same target. This convinces IntelliJ and Eclipse to play nice. 2018-07-24 11:53:04 -04:00			`}`
Mute security-cli tests in FIPS JVM (#32812) All Unit tests in this module are muted in FIPS 140 JVMs and as such the CI run fails. This commit disables test task for the module in a FIPS JVM and reverts adding a dummy test in 4cbcc1. 2018-08-13 21:27:06 +03:00
Add certutil http command (#50952) This adds a new "http" sub-command to the certutil CLI tool. The http command generates certificates/CSRs for use on the http interface of an elasticsearch node/cluster. It is designed to be a guided tool that provides explanations and sugestions for each of the configuration options. The generated zip file output includes extensive "readme" documentation and sample configuration files for core Elastic products. Backport of: #49827 2020-01-14 21:24:21 +11:00			`forbiddenPatterns {`
			`exclude '*/.p12'`
			`exclude '*/.jks'`
			`}`

Update BouncyCastle to 1.64 (#52185) (#52464) This commit upgrades the bouncycastle dependency from 1.61 to 1.64. 2020-02-18 14:11:34 +02:00			`thirdPartyAudit {`
			`ignoreMissingClasses(`
			`// Used in org.bouncycastle.pqc.crypto.qtesla.QTeslaKeyEncodingTests`
			`'junit.framework.Assert',`
			`'junit.framework.TestCase'`
			`)`
			`}`

Enable tests in FIPS 140 in JDK 11 (#49485) This change changes the way to run our test suites in JVMs configured in FIPS 140 approved mode. It does so by: - Configuring any given runtime Java in FIPS mode with the bundled policy and security properties files, setting the system properties java.security.properties and java.security.policy with the == operator that overrides the default JVM properties and policy. - When runtime java is 11 and higher, using BouncyCastle FIPS Cryptographic provider and BCJSSE in FIPS mode. These are used as testRuntime dependencies for unit tests and internal clusters, and copied (relevant jars) explicitly to the lib directory for testclusters used in REST tests - When runtime java is 8, using BouncyCastle FIPS Cryptographic provider and SunJSSE in FIPS mode. Running the tests in FIPS 140 approved mode doesn't require an additional configuration either in CI workers or locally and is controlled by specifying -Dtests.fips.enabled=true 2020-01-27 11:14:52 +02:00			`if (BuildParams.inFipsJvm) {`
			`test.enabled = false`
Adjust jarHell and 3rd party audit exclusions (#51733) (#51766) Now that the FIPS 140 security provider is simply a test dependency we don't need the thirdPartyAudit exceptions, but plugin-cli and transport-netty4 do need jarHell disabled as they use the non fips BouncyCastle security provider as a test dependency too. 2020-02-10 07:38:59 +02:00			`jarHell.enabled = false`
Enable tests in FIPS 140 in JDK 11 (#49485) This change changes the way to run our test suites in JVMs configured in FIPS 140 approved mode. It does so by: - Configuring any given runtime Java in FIPS mode with the bundled policy and security properties files, setting the system properties java.security.properties and java.security.policy with the == operator that overrides the default JVM properties and policy. - When runtime java is 11 and higher, using BouncyCastle FIPS Cryptographic provider and BCJSSE in FIPS mode. These are used as testRuntime dependencies for unit tests and internal clusters, and copied (relevant jars) explicitly to the lib directory for testclusters used in REST tests - When runtime java is 8, using BouncyCastle FIPS Cryptographic provider and SunJSSE in FIPS mode. Running the tests in FIPS 140 approved mode doesn't require an additional configuration either in CI workers or locally and is controlled by specifying -Dtests.fips.enabled=true 2020-01-27 11:14:52 +02:00			`testingConventions.enabled = false`
			`// Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are`
			`// not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.`
Use task avoidance with forbidden apis (#55034) Currently forbidden apis accounts for 800+ tasks in the build. These tasks are aggressively created by the plugin. In forbidden apis 3.0, we will get task avoidance (https://github.com/policeman-tools/forbidden-apis/pull/162), but we need to ourselves use the same task avoidance mechanisms to not trigger these task creations. This commit does that for our foribdden apis usages, in preparation for upgrading to 3.0 when it is released. 2020-04-15 13:23:55 -07:00			`tasks.withType(CheckForbiddenApis).configureEach {`
Enable tests in FIPS 140 in JDK 11 (#49485) This change changes the way to run our test suites in JVMs configured in FIPS 140 approved mode. It does so by: - Configuring any given runtime Java in FIPS mode with the bundled policy and security properties files, setting the system properties java.security.properties and java.security.policy with the == operator that overrides the default JVM properties and policy. - When runtime java is 11 and higher, using BouncyCastle FIPS Cryptographic provider and BCJSSE in FIPS mode. These are used as testRuntime dependencies for unit tests and internal clusters, and copied (relevant jars) explicitly to the lib directory for testclusters used in REST tests - When runtime java is 8, using BouncyCastle FIPS Cryptographic provider and SunJSSE in FIPS mode. Running the tests in FIPS 140 approved mode doesn't require an additional configuration either in CI workers or locally and is controlled by specifying -Dtests.fips.enabled=true 2020-01-27 11:14:52 +02:00			`bundledSignatures -= "jdk-non-portable"`
Apply 2-space indent to all gradle scripts (#49071) Backport of #48849. Update `.editorconfig` to make the Java settings the default for all files, and then apply a 2-space indent to all `*.gradle` files. Then reformat all the files. 2019-11-14 11:01:23 +00:00			`}`
			`}`