Fix the REST FIPS tests (#61001)

Adds bouncycastle to classpath for tests and testclusters
Jake Landis 2020-08-13 18:08:53 -05:00 committed by Ryan Ernst
parent f0128ae074
commit cb9f4cdae2
No known key found for this signature in database
GPG Key ID: 5F7EA39E15F54DCE
3 changed files with 15 additions and 12 deletions


@ -98,11 +98,6 @@ public class ElasticsearchTestBasePlugin implements Plugin<Project> {
} }
} }
}); });
if (BuildParams.isInFipsJvm()) {
project.getDependencies().add("testRuntimeOnly", "org.bouncycastle:bc-fips:1.0.1");
project.getDependencies().add("testRuntimeOnly", "org.bouncycastle:bctls-fips:1.0.9");
}
test.getJvmArgumentProviders().add(nonInputProperties); test.getJvmArgumentProviders().add(nonInputProperties);
test.getExtensions().add("nonInputProperties", nonInputProperties); test.getExtensions().add("nonInputProperties", nonInputProperties);


@ -6,14 +6,16 @@ import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
// Common config when running with a FIPS-140 runtime JVM // Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) { if (BuildParams.inFipsJvm) {
allprojects { allprojects {
File fipsResourcesDir = new File(project.buildDir, 'fips-resources') File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8 boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security") File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy") File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks') File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
pluginManager.withPlugin('elasticsearch.java') { def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')
def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')
pluginManager.withPlugin('java') {
TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask) TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
fipsResourcesTask.configure { fipsResourcesTask.configure {
outputDir = fipsResourcesDir outputDir = fipsResourcesDir
@ -22,14 +24,20 @@ if (BuildParams.inFipsJvm) {
copy 'cacerts.bcfks' copy 'cacerts.bcfks'
} }
project.afterEvaluate {
def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
// ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
// set the class path to help maintain pure black box testing, and here we are adding to that classpath
tasks.withType(Test).configureEach { Test test ->
test.setClasspath(test.getClasspath().plus(extraFipsJars))
}
}
pluginManager.withPlugin("elasticsearch.testclusters") { pluginManager.withPlugin("elasticsearch.testclusters") {
afterEvaluate { afterEvaluate {
// This afterEvaluate hooks is required to avoid deprecated configuration resolution // This afterEvaluate hooks is required to avoid deprecated configuration resolution
// This configuration can be removed once system modules are available // This configuration can be removed once system modules are available
def extraFipsJars = configurations.detachedConfiguration(dependencies.create('org.bouncycastle:bc-fips:1.0.1'), def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
dependencies.create('org.bouncycastle:bctls-fips:1.0.9'),
)
testClusters.all { testClusters.all {
extraFipsJars.files.each { extraFipsJars.files.each {
extraJarFile it extraJarFile it
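Review bot: In the new `project.afterEvaluate` block, `test.getClasspath().plus(extraFipsJars)` appends bc-fips and bctls-fips after whatever each Test task already has on its classpath, so if a test classpath also carries a non-FIPS bouncycastle jar, same-named classes would presumably resolve from that jar first. Nothing visible in this hunk guards against that, and a later file section in this commit disables `jarHell` under FIPS rather than listing exclusions, which suggests such overlaps can exist. Consider putting the FIPS jars first, `test.setClasspath(extraFipsJars.plus(test.getClasspath()))`, or saying in the comment why ordering is not a concern. The comment itself should read `afterEvaluate` rather than "evaluateAfter", and "all of the test types" rather than "the all of test types". The enclosing `allprojects` block continues past the end of this hunk.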


@ -104,6 +104,6 @@ if (BuildParams.inFipsJvm) {
// rather than provide a long list of exclusions, disable the check on FIPS. // rather than provide a long list of exclusions, disable the check on FIPS.
jarHell.enabled = false jarHell.enabled = false
test.enabled = false test.enabled = false
integTest.enabled = false yamlRestTest.enabled = false;
testingConventions.enabled = false testingConventions.enabled = false;
} }