Move test fips configuration to script plugin (#57251)

This commit moves the configuration of all test jvms for fips to a
script plugin. Fips testing is something very specific to the
Elasticsearch build and does not need to be passed on to plugin authors.
Ryan Ernst 2020-06-01 10:24:12 -07:00 committed by Ryan Ernst
parent 6934264162
commit 6ccdceec79
No known key found for this signature in database
GPG Key ID: 5F7EA39E15F54DCE
4 changed files with 64 additions and 69 deletions


@ -46,6 +46,7 @@ apply from: 'gradle/ide.gradle'
apply from: 'gradle/forbidden-dependencies.gradle' apply from: 'gradle/forbidden-dependencies.gradle'
apply from: 'gradle/formatting.gradle' apply from: 'gradle/formatting.gradle'
apply from: 'gradle/local-distribution.gradle' apply from: 'gradle/local-distribution.gradle'
apply from: 'gradle/fips.gradle'
// common maven publishing configuration // common maven publishing configuration
allprojects { allprojects {


@ -41,14 +41,15 @@ import org.gradle.api.artifacts.repositories.IvyPatternRepositoryLayout
import org.gradle.api.artifacts.repositories.MavenArtifactRepository import org.gradle.api.artifacts.repositories.MavenArtifactRepository
import org.gradle.api.credentials.HttpHeaderCredentials import org.gradle.api.credentials.HttpHeaderCredentials
import org.gradle.api.execution.TaskActionListener import org.gradle.api.execution.TaskActionListener
import org.elasticsearch.gradle.info.GlobalBuildInfoPlugin
import org.elasticsearch.gradle.precommit.PrecommitTasks
import org.gradle.api.GradleException
import org.gradle.api.InvalidUserDataException
import org.gradle.api.Plugin
import org.gradle.api.Project
import org.gradle.api.file.CopySpec import org.gradle.api.file.CopySpec
import org.gradle.api.plugins.ExtraPropertiesExtension import org.gradle.api.plugins.ExtraPropertiesExtension
import org.gradle.api.plugins.JavaPlugin
import org.gradle.api.tasks.bundling.Jar import org.gradle.api.tasks.bundling.Jar
import org.gradle.api.tasks.testing.Test
import org.gradle.util.GradleVersion
import java.nio.charset.StandardCharsets
/** /**
* Encapsulates build configuration for elasticsearch projects. * Encapsulates build configuration for elasticsearch projects.
@ -75,69 +76,6 @@ class BuildPlugin implements Plugin<Project> {
project.extensions.getByType(ExtraPropertiesExtension).set('versions', VersionProperties.versions) project.extensions.getByType(ExtraPropertiesExtension).set('versions', VersionProperties.versions)
PrecommitTasks.create(project, true) PrecommitTasks.create(project, true)
configureFips140(project)
}
static void configureFips140(Project project) {
// Common config when running with a FIPS-140 runtime JVM
if (inFipsJvm()) {
// This configuration can be removed once system modules are available
GradleUtils.maybeCreate(project.configurations, 'extraJars') {
project.dependencies.add('extraJars', "org.bouncycastle:bc-fips:1.0.1")
project.dependencies.add('extraJars', "org.bouncycastle:bctls-fips:1.0.9")
}
ExportElasticsearchBuildResourcesTask buildResources = project.tasks.getByName('buildResources') as ExportElasticsearchBuildResourcesTask
File securityProperties = buildResources.copy("fips_java.security")
File security8Properties = buildResources.copy("fips_java8.security")
File securityPolicy = buildResources.copy("fips_java.policy")
File security8Policy = buildResources.copy("fips_java8.policy")
File bcfksKeystore = buildResources.copy("cacerts.bcfks")
project.pluginManager.withPlugin("elasticsearch.testclusters") {
NamedDomainObjectContainer<ElasticsearchCluster> testClusters = project.extensions.findByName(TestClustersPlugin.EXTENSION_NAME) as NamedDomainObjectContainer<ElasticsearchCluster>
if (testClusters != null) {
testClusters.all { ElasticsearchCluster cluster ->
cluster.setTestDistribution(TestDistribution.DEFAULT)
for (File dep : project.getConfigurations().getByName("extraJars").getFiles()) {
cluster.extraJarFile(dep)
}
if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
cluster.extraConfigFile("fips_java.security", securityProperties)
cluster.extraConfigFile("fips_java.policy", securityPolicy)
} else {
cluster.extraConfigFile("fips_java.security", security8Properties)
cluster.extraConfigFile("fips_java.policy", security8Policy)
}
cluster.extraConfigFile("cacerts.bcfks", bcfksKeystore)
cluster.systemProperty('java.security.properties', '=${ES_PATH_CONF}/fips_java.security')
cluster.systemProperty('java.security.policy', '=${ES_PATH_CONF}/fips_java.policy')
cluster.systemProperty('javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks')
cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password')
cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password')
cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS')
}
}
}
project.tasks.withType(Test).configureEach { Test task ->
task.dependsOn(buildResources)
// Using the key==value format to override default JVM security settings and policy
// see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", securityProperties.toString()))
task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", securityPolicy.toString()))
} else {
task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", security8Properties.toString()))
task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", security8Policy.toString()))
}
task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
task.systemProperty('javax.net.ssl.trustStore', bcfksKeystore.toString())
}
}
}
private static inFipsJvm(){
return Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
} }
static void configureLicenseAndNotice(Project project) { static void configureLicenseAndNotice(Project project) {


@ -65,7 +65,6 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
ElasticsearchJavaPlugin.configureRepositories(project) ElasticsearchJavaPlugin.configureRepositories(project)
ElasticsearchJavaPlugin.configureTestTasks(project) ElasticsearchJavaPlugin.configureTestTasks(project)
ElasticsearchJavaPlugin.configureInputNormalization(project) ElasticsearchJavaPlugin.configureInputNormalization(project)
BuildPlugin.configureFips140(project)
ElasticsearchJavaPlugin.configureCompile(project) ElasticsearchJavaPlugin.configureCompile(project)
project.extensions.getByType(JavaPluginExtension).sourceCompatibility = BuildParams.minimumRuntimeVersion project.extensions.getByType(JavaPluginExtension).sourceCompatibility = BuildParams.minimumRuntimeVersion

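--- a/gradle/fips.gradle
+++ b/gradle/fips.gradle
@@ -0,0 +1,57 @@
+import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask
+import org.elasticsearch.gradle.info.BuildParams
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+// Common config when running with a FIPS-140 runtime JVM
+if (BuildParams.inFipsJvm) {
+allprojects {
+File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
+boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
+File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
+File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
+File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
+project.pluginManager.withPlugin('elasticsearch.java') {
+TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
+fipsResourcesTask.configure {
+outputDir = fipsResourcesDir
+copy fipsSecurity.name
+copy fipsPolicy.name
+copy 'cacerts.bcfks'
+}
+// This configuration can be removed once system modules are available
+configurations.create('extraFipsJars')
+dependencies {
+extraFipsJars 'org.bouncycastle:bc-fips:1.0.1'
+extraFipsJars 'org.bouncycastle:bctls-fips:1.0.9'
+}
+pluginManager.withPlugin("elasticsearch.testclusters") {
+testClusters.all {
+for (File dep : project.configurations.extraFipsJars.files) {
+extraJarFile dep
+}
+extraConfigFile "fips_java.security", fipsSecurity
+extraConfigFile "fips_java.policy", fipsPolicy
+extraConfigFile "cacerts.bcfks", fipsTrustStore
+systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'
+systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'
+systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'
+systemProperty 'javax.net.ssl.trustStorePassword', 'password'
+systemProperty 'javax.net.ssl.keyStorePassword', 'password'
+systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
+}
+}
+project.tasks.withType(Test).configureEach { Test task ->
+task.dependsOn('fipsResources')
+task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
+task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
+task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
+// Using the key==value format to override default JVM security settings and policy
+// see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
+task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
+task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
+task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
+}
+}
+}
+}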
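Review bot: The `testClusters.all` closure in the new script does not carry over `cluster.setTestDistribution(TestDistribution.DEFAULT)`, which the removed `BuildPlugin.configureFips140` applied to every cluster. FIPS runs would therefore use whatever distribution each project configures, and since the commit message describes a pure move this looks unintended. If so, add `setTestDistribution(TestDistribution.DEFAULT)` as the first statement of that closure, together with the import for `TestDistribution`. Separately, `ElasticsearchCluster` is imported twice at the top of the script and is not referenced in the visible body, so both lines can probably be dropped. The cluster block still sets `javax.net.ssl.keyStoreType` while the `Test` block sets `javax.net.ssl.trustStoreType`, an asymmetry inherited from the old code, so it is worth confirming that the cluster JVM opens `cacerts.bcfks` as BCFKS without an explicit `trustStoreType`.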