OpenSearch/gradle/fips.gradle

import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask
import org.elasticsearch.gradle.info.BuildParams
import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
import org.elasticsearch.gradle.testclusters.ElasticsearchCluster

// Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) {

  allprojects {
    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
    boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
    File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
    File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')
    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')

    pluginManager.withPlugin('java') {
      TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
      fipsResourcesTask.configure {
        outputDir = fipsResourcesDir
        copy fipsSecurity.name
        copy fipsPolicy.name
        copy 'cacerts.bcfks'
      }

      project.afterEvaluate {
        def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
        // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
        // set the class path to help maintain pure black box testing, and here we are adding to that classpath
        tasks.withType(Test).configureEach { Test test ->
          test.setClasspath(test.getClasspath().plus(extraFipsJars))
        }
      }

      pluginManager.withPlugin("elasticsearch.testclusters") {
        afterEvaluate {
          // This afterEvaluate hooks is required to avoid deprecated configuration resolution
          // This configuration can be removed once system modules are available
          def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
          testClusters.all {
            extraFipsJars.files.each {
              extraJarFile it
            }
          }
        }
        testClusters.all {
          extraConfigFile "fips_java.security", fipsSecurity
          extraConfigFile "fips_java.policy", fipsPolicy
          extraConfigFile "cacerts.bcfks", fipsTrustStore
          systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'
          systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'
          systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'
          systemProperty 'javax.net.ssl.trustStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
        }
      }
      project.tasks.withType(Test).configureEach { Test task ->
        task.dependsOn('fipsResources')
        task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
        task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
        task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
        // Using the key==value format to override default JVM security settings and policy
        // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
        task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
      }
    }
  }
}
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask`
			`import org.elasticsearch.gradle.info.BuildParams`
			`import org.elasticsearch.gradle.testclusters.ElasticsearchCluster`
			`import org.elasticsearch.gradle.testclusters.ElasticsearchCluster`

			`// Common config when running with a FIPS-140 runtime JVM`
			`if (BuildParams.inFipsJvm) {`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`allprojects {`
			`File fipsResourcesDir = new File(project.buildDir, 'fips-resources')`
			`boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8`
			`File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")`
			`File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")`
			`File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')`
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')`
			`def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')`

			`pluginManager.withPlugin('java') {`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)`
			`fipsResourcesTask.configure {`
			`outputDir = fipsResourcesDir`
			`copy fipsSecurity.name`
			`copy fipsPolicy.name`
			`copy 'cacerts.bcfks'`
			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`project.afterEvaluate {`
			`def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)`
			`// ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly`
			`// set the class path to help maintain pure black box testing, and here we are adding to that classpath`
			`tasks.withType(Test).configureEach { Test test ->`
			`test.setClasspath(test.getClasspath().plus(extraFipsJars))`
			`}`
			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`pluginManager.withPlugin("elasticsearch.testclusters") {`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`afterEvaluate {`
			`// This afterEvaluate hooks is required to avoid deprecated configuration resolution`
			`// This configuration can be removed once system modules are available`
Fix the REST FIPS tests (#61001) Adds bouncycastle to classpath for tests and testclusters 2020-08-13 19:08:53 -04:00			`def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`testClusters.all {`
			`extraFipsJars.files.each {`
			`extraJarFile it`
			`}`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`}`
Fix deprecation warning in fips.gradle (#60802) 2020-08-06 04:08:26 -04:00			`}`
			`testClusters.all {`
Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. 2020-06-01 13:24:12 -04:00			`extraConfigFile "fips_java.security", fipsSecurity`
			`extraConfigFile "fips_java.policy", fipsPolicy`
			`extraConfigFile "cacerts.bcfks", fipsTrustStore`
			`systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'`
			`systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'`
			`systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'`
			`systemProperty 'javax.net.ssl.trustStorePassword', 'password'`
			`systemProperty 'javax.net.ssl.keyStorePassword', 'password'`
			`systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'`
			`}`
			`}`
			`project.tasks.withType(Test).configureEach { Test task ->`
			`task.dependsOn('fipsResources')`
			`task.systemProperty('javax.net.ssl.trustStorePassword', 'password')`
			`task.systemProperty('javax.net.ssl.keyStorePassword', 'password')`
			`task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')`
			`// Using the key==value format to override default JVM security settings and policy`
			`// see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html`
			`task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))`
			`task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))`
			`task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)`
			`}`
			`}`
			`}`
			`}`