/* * SPDX-License-Identifier: Apache-2.0 * * The OpenSearch Contributors require contributions made to * this file be licensed under the Apache-2.0 license or a * compatible open source license. * * Modifications Copyright OpenSearch Contributors. See * GitHub history for details. */ import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask import org.opensearch.gradle.info.BuildParams import org.opensearch.gradle.testclusters.OpenSearchCluster // Common config when running with a FIPS-140 runtime JVM if (BuildParams.inFipsJvm) { allprojects { File fipsResourcesDir = new File(project.buildDir, 'fips-resources') boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8 boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu") File fipsSecurity; File fipsPolicy; if (java8) { if (zulu8) { //Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security") fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy") } else { fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security") fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy") } } else { fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security") fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy") } File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks') def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2') def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9') pluginManager.withPlugin('java') { TaskProvider fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask) fipsResourcesTask.configure { outputDir = fipsResourcesDir copy fipsSecurity.name copy fipsPolicy.name copy 'cacerts.bcfks' } project.afterEvaluate { def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips) // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly // set the class path to help maintain pure black box testing, and here we are adding to that classpath tasks.withType(Test).configureEach { Test test -> test.setClasspath(test.getClasspath().plus(extraFipsJars)) } } pluginManager.withPlugin("opensearch.testclusters") { afterEvaluate { // This afterEvaluate hooks is required to avoid deprecated configuration resolution // This configuration can be removed once system modules are available def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips) testClusters.all { extraFipsJars.files.each { extraJarFile it } } } testClusters.all { extraConfigFile "fips_java.security", fipsSecurity extraConfigFile "fips_java.policy", fipsPolicy extraConfigFile "cacerts.bcfks", fipsTrustStore systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security' systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy' systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks' systemProperty 'javax.net.ssl.trustStorePassword', 'password' systemProperty 'javax.net.ssl.keyStorePassword', 'password' systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS' } } project.tasks.withType(Test).configureEach { Test task -> task.dependsOn('fipsResources') task.systemProperty('javax.net.ssl.trustStorePassword', 'password') task.systemProperty('javax.net.ssl.keyStorePassword', 'password') task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS') // Using the key==value format to override default JVM security settings and policy // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity)) task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy)) task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore) } } } }