OpenSearch/gradle/fips.gradle

/*
 * SPDX-License-Identifier: Apache-2.0
 *
 * The OpenSearch Contributors require contributions made to
 * this file be licensed under the Apache-2.0 license or a
 * compatible open source license.
 *
 * Modifications Copyright OpenSearch Contributors. See
 * GitHub history for details.
 */

import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
import org.opensearch.gradle.info.BuildParams
import org.opensearch.gradle.testclusters.OpenSearchCluster

// Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) {

  allprojects {
    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
    boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
    boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")
    File fipsSecurity;
    File fipsPolicy;
    if (java8) {
      if (zulu8) {
        //Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE
        fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")
        fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")
      } else {
        fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")
        fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")
      }
    } else {
      fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")
      fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
    }
    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2')
    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')

    pluginManager.withPlugin('java') {
      TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)
      fipsResourcesTask.configure {
        outputDir = fipsResourcesDir
        copy fipsSecurity.name
        copy fipsPolicy.name
        copy 'cacerts.bcfks'
      }

      project.afterEvaluate {
        def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
        // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
        // set the class path to help maintain pure black box testing, and here we are adding to that classpath
        tasks.withType(Test).configureEach { Test test ->
          test.setClasspath(test.getClasspath().plus(extraFipsJars))
        }
      }

      pluginManager.withPlugin("opensearch.testclusters") {
        afterEvaluate {
          // This afterEvaluate hooks is required to avoid deprecated configuration resolution
          // This configuration can be removed once system modules are available
          def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
          testClusters.all {
            extraFipsJars.files.each {
              extraJarFile it
            }
          }
        }
        testClusters.all {
          extraConfigFile "fips_java.security", fipsSecurity
          extraConfigFile "fips_java.policy", fipsPolicy
          extraConfigFile "cacerts.bcfks", fipsTrustStore
          systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security'
          systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy'
          systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks'
          systemProperty 'javax.net.ssl.trustStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStorePassword', 'password'
          systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
        }
      }
      project.tasks.withType(Test).configureEach { Test task ->
        task.dependsOn('fipsResources')
        task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
        task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
        task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
        // Using the key==value format to override default JVM security settings and policy
        // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
        task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
      }
    }
  }
}