Fix forbidden apis on FIPS (#33202)
- The third-party audit detects jar hell against the JDK on FIPS, so it is disabled there. - The `jdk-non-portable` forbidden-apis signature set flags classes used from the (FIPS) JDK that are not portable; this is intended, so we do not scan for it on FIPS. - Different third-party-audit exclusion rules apply on FIPS. Closes #33179
parent
6a0d4b4a77
commit
3828ec60f5
|
@ -39,3 +39,9 @@ test {
|
||||||
// TODO: find a way to add permissions for the tests in this module
|
// TODO: find a way to add permissions for the tests in this module
|
||||||
systemProperty 'tests.security.manager', 'false'
|
systemProperty 'tests.security.manager', 'false'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (project.inFipsJvm) {
|
||||||
|
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
|
||||||
|
// rather than provide a long list of exclusions, disable the check on FIPS.
|
||||||
|
thirdPartyAudit.enabled = false
|
||||||
|
}
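Review bot: `thirdPartyAudit.enabled = false` switches off the whole audit task on FIPS, which also drops the missing-classes check, while the comment above it only justifies skipping the jar-hell-with-JDK detection. If the task exposes a narrower switch for the JDK jar-hell part, prefer that; otherwise widen the comment so the lost coverage is explicit, e.g. `// Disabling the task also skips the missing-class check on FIPS; the non-FIPS CI run remains the gate for it.` The comment also has a typo: `manny` should be `many`. The build script continues outside the hunk.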
|
||||||
|
|
|
@ -83,7 +83,6 @@ thirdPartyAudit.excludes = [
|
||||||
'io.netty.internal.tcnative.SSLContext',
|
'io.netty.internal.tcnative.SSLContext',
|
||||||
|
|
||||||
// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
|
// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
|
||||||
'org.bouncycastle.asn1.x500.X500Name',
|
|
||||||
'org.bouncycastle.cert.X509v3CertificateBuilder',
|
'org.bouncycastle.cert.X509v3CertificateBuilder',
|
||||||
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
|
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
|
||||||
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
|
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
|
||||||
|
@ -163,3 +162,11 @@ thirdPartyAudit.excludes = [
|
||||||
'org.conscrypt.Conscrypt',
|
'org.conscrypt.Conscrypt',
|
||||||
'org.conscrypt.HandshakeListener'
|
'org.conscrypt.HandshakeListener'
|
||||||
]
|
]
|
||||||
|
|
||||||
|
if (project.inFipsJvm == false) {
|
||||||
|
// BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
|
||||||
|
// a FIPS JVM with BouncyCastleFIPS Provider
|
||||||
|
thirdPartyAudit.excludes += [
|
||||||
|
'org.bouncycastle.asn1.x500.X500Name'
|
||||||
|
]
|
||||||
|
}
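Review bot: The `if (project.inFipsJvm == false)` guard around the `org.bouncycastle.asn1.x500.X500Name` exclusion looks redundant if it sits in the same build script as the earlier hunk (line 39) that sets `thirdPartyAudit.enabled = false` on FIPS, since a disabled task never evaluates its excludes; I cannot confirm from this page that both hunks are in one file. Keeping it for parity with the other module is fine, but a one-line comment would save a reader from hunting for a difference, e.g. `// Kept for parity with other modules; thirdPartyAudit is already disabled on FIPS above.` The new comment should also retain the provenance the removed line had, naming `io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator` as the netty class that references `X500Name`.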
|
||||||
|
|
|
@ -2141,3 +2141,9 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
|
||||||
'javax.xml.bind.Unmarshaller'
|
'javax.xml.bind.Unmarshaller'
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (project.inFipsJvm) {
|
||||||
|
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
|
||||||
|
// rather than provide a long list of exclusions, disable the check on FIPS.
|
||||||
|
thirdPartyAudit.enabled = false
|
||||||
|
}
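Review bot: This `if (project.inFipsJvm) { thirdPartyAudit.enabled = false }` block, comment included, is pasted verbatim into several build scripts in this commit; defining it once in the shared `elasticsearch.build` plugin (or wherever `inFipsJvm` is computed) would keep the FIPS audit policy in one place and stop the per-module disable flags and exclusion lists from drifting apart. Wherever it ends up, fix the typo `manny` → `many` and state what is lost: `// Disables the whole audit (jar hell and missing-class checks) on FIPS; non-FIPS CI still runs it.` The hunk context shows the preceding `if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8)` block closing before this one, so the new block is top-level.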
|
||||||
|
|
|
@ -62,7 +62,6 @@ thirdPartyAudit.excludes = [
|
||||||
'io.netty.internal.tcnative.SSLContext',
|
'io.netty.internal.tcnative.SSLContext',
|
||||||
|
|
||||||
// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
|
// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
|
||||||
'org.bouncycastle.asn1.x500.X500Name',
|
|
||||||
'org.bouncycastle.cert.X509v3CertificateBuilder',
|
'org.bouncycastle.cert.X509v3CertificateBuilder',
|
||||||
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
|
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
|
||||||
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
|
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
|
||||||
|
@ -141,4 +140,11 @@ thirdPartyAudit.excludes = [
|
||||||
'org.conscrypt.BufferAllocator',
|
'org.conscrypt.BufferAllocator',
|
||||||
'org.conscrypt.Conscrypt',
|
'org.conscrypt.Conscrypt',
|
||||||
'org.conscrypt.HandshakeListener'
|
'org.conscrypt.HandshakeListener'
|
||||||
]
|
]
|
||||||
|
if (project.inFipsJvm == false) {
|
||||||
|
// BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
|
||||||
|
// a FIPS JVM with BouncyCastleFIPS Provider
|
||||||
|
thirdPartyAudit.excludes += [
|
||||||
|
'org.bouncycastle.asn1.x500.X500Name'
|
||||||
|
]
|
||||||
|
}
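Review bot: The re-added `org.bouncycastle.asn1.x500.X500Name` exclusion loses the provenance comment the removed line sat under (`// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)`), so a reader of the new block no longer sees which netty class pulls the type in or why it is BouncyCastle-specific. Fold that into the new comment, e.g. `// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty); BouncyCastleFIPS provides this class on a FIPS JVM, so it is only a valid exclusion off-FIPS.` The `== false` comparison follows the project's visible style and is fine as is.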
|
|
@ -1,3 +1,5 @@
|
||||||
|
import org.elasticsearch.gradle.precommit.ForbiddenApisCliTask
|
||||||
|
|
||||||
apply plugin: 'elasticsearch.build'
|
apply plugin: 'elasticsearch.build'
|
||||||
|
|
||||||
archivesBaseName = 'elasticsearch-security-cli'
|
archivesBaseName = 'elasticsearch-security-cli'
|
||||||
|
@ -6,8 +8,8 @@ dependencies {
|
||||||
compileOnly "org.elasticsearch:elasticsearch:${version}"
|
compileOnly "org.elasticsearch:elasticsearch:${version}"
|
||||||
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
|
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
|
||||||
compileOnly project(path: xpackModule('core'), configuration: 'default')
|
compileOnly project(path: xpackModule('core'), configuration: 'default')
|
||||||
compile 'org.bouncycastle:bcprov-jdk15on:1.59'
|
|
||||||
compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
|
compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
|
||||||
|
compile 'org.bouncycastle:bcprov-jdk15on:1.59'
|
||||||
testImplementation 'com.google.jimfs:jimfs:1.1'
|
testImplementation 'com.google.jimfs:jimfs:1.1'
|
||||||
testCompile "junit:junit:${versions.junit}"
|
testCompile "junit:junit:${versions.junit}"
|
||||||
testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
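Review bot: Moving `compile 'org.bouncycastle:bcprov-jdk15on:1.59'` below `bcpkix-jdk15on` changes the declared order of the two BouncyCastle jars on the compile/runtime classpath, and neither the commit message nor the hunk says why; if the order matters for jar hell or provider resolution on FIPS, a comment such as `// bcpkix listed first: <reason>` would stop the next cleanup from reverting it, and if it does not matter the reorder is noise. Unrelated to the reorder, the pin itself is worth a look: 1.59 is not the latest bcprov line and later releases carried security fixes, so verify the version against the BouncyCastle release notes.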
|
testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
|
||||||
|
@ -20,6 +22,14 @@ dependencyLicenses {
|
||||||
mapping from: /bc.*/, to: 'bouncycastle'
|
mapping from: /bc.*/, to: 'bouncycastle'
|
||||||
}
|
}
|
||||||
|
|
||||||
if (inFipsJvm) {
|
if (project.inFipsJvm) {
|
||||||
test.enabled = false
|
test.enabled = false
|
||||||
|
// Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
|
||||||
|
// not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
|
||||||
|
tasks.withType(ForbiddenApisCliTask) {
|
||||||
|
bundledSignatures -= "jdk-non-portable"
|
||||||
|
}
|
||||||
|
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
|
||||||
|
// rather than provide a long list of exclusions, disable the check on FIPS.
|
||||||
|
thirdPartyAudit.enabled = false
|
||||||
}
|
}
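Review bot: `bundledSignatures -= "jdk-non-portable"` drops the whole non-portable signature set on FIPS, not just the BouncyCastle classes the FIPS JDK injects, so any new use of `sun.*`/`com.sun.*` internals in this module would pass a FIPS CI run; that is acceptable only because the non-FIPS build still enforces the set, and the comment should say so, e.g. `// Only safe because the non-FIPS build still runs jdk-non-portable; do not rely on FIPS CI to catch internal-API use.` Two typos in the new comments: `Forbiden` → `Forbidden`, `manny` → `many`. With `test.enabled = false` already in this block, the module now runs neither its tests nor the audit on FIPS, which deserves one explicit line above the block.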
|
||||||
|
|