7b021bf3fb
As we figured out in https://github.com/elastic/elasticsearch/issues/61316#issuecomment-685482708, Azul backports a lot of changes from JDK 11 into their Zulu8 build, which means that we can't run it with SunJSSE in FIPS 140 mode. This change ensures that we configure Zulu8 JDK JVMs in FIPS 140 mode using the Bouncy Castle FIPS JSSE provider instead of the SunJSSE one (which we keep using for the rest of the Java 8 JVMs). Resolves: #61316
import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask
import org.elasticsearch.gradle.info.BuildParams
import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
// Common config when running with a FIPS-140 runtime JVM
//
// Applied to every project, but only when the build itself runs on a FIPS JVM
// (BuildParams.inFipsJvm). It (1) picks a java.security / java.policy pair that matches
// the runtime JVM, (2) adds the Bouncy Castle FIPS provider jars to the classpath of every
// Test task and test cluster, and (3) points both at the BCFKS trust store that the
// 'fipsResources' task exports into build/fips-resources.
if (BuildParams.inFipsJvm) {
    allprojects {
        File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
        boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
        boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")
        File fipsSecurity;
        File fipsPolicy;
        // Select the security/policy pair for the runtime JVM:
        //   Zulu 8           -> fips_java_bcjsse_8.*   (BCJSSE; see the note below)
        //   any other Java 8 -> fips_java_sunjsse.*    (SunJSSE)
        //   newer than 8     -> fips_java_bcjsse_11.*  (BCJSSE)
        if (java8) {
            if (zulu8) {
                //Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE
                fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")
                fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")
            } else {
                fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")
                fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")
            }
        } else {
            fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")
            fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
        }
        File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
        // Pinned BC FIPS provider and the matching BC FIPS JSSE. NOTE(review): presumably these
        // two have to be bumped together so the JSSE stays compatible with the provider it was
        // validated against — confirm before changing either version on its own.
        def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')
        def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')

        pluginManager.withPlugin('java') {
            // Exports the selected security/policy files plus the BCFKS trust store into fipsResourcesDir.
            TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
            fipsResourcesTask.configure {
                outputDir = fipsResourcesDir
                copy fipsSecurity.name
                copy fipsPolicy.name
                copy 'cacerts.bcfks'
            }

            project.afterEvaluate {
                def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
                // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
                // set the class path to help maintain pure black box testing, and here we are adding to that classpath
                tasks.withType(Test).configureEach { Test test ->
                    test.setClasspath(test.getClasspath().plus(extraFipsJars))
                }
            }

            pluginManager.withPlugin("elasticsearch.testclusters") {
                afterEvaluate {
                    // This afterEvaluate hooks is required to avoid deprecated configuration resolution
                    // This configuration can be removed once system modules are available
                    def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
                    testClusters.all {
                        extraFipsJars.files.each {
                            extraJarFile it
                        }
                    }
                }
                testClusters.all {
                    // Ship the selected files into each cluster's config directory under fixed names ...
                    extraConfigFile "fips_java.security", fipsSecurity
                    extraConfigFile "fips_java.policy", fipsPolicy
                    extraConfigFile "cacerts.bcfks", fipsTrustStore
                    // ... and reference them from there. Single quotes are deliberate: Groovy does not
                    // interpolate single-quoted strings, so the literal '${ES_PATH_CONF}' placeholder is
                    // handed to the cluster unchanged and left for its startup to resolve. The leading
                    // '=' makes the JVM replace, rather than append to, its default security properties.
                    systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'
                    systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'
                    systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'
                    // Fixed, non-secret credentials of the build-generated test trust store. They have to
                    // match the password cacerts.bcfks was created with — assumption, confirm against the
                    // resource that produces it.
                    systemProperty 'javax.net.ssl.trustStorePassword', 'password'
                    systemProperty 'javax.net.ssl.keyStorePassword', 'password'
                    // NOTE(review): the cluster sets keyStoreType=BCFKS while the Test tasks below set
                    // trustStoreType=BCFKS; whether each side needs the other property as well depends on
                    // the defaults in the selected *.security file — verify.
                    systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
                }
            }
            project.tasks.withType(Test).configureEach { Test task ->
                // The exported resources must exist before the forked test JVM tries to read them.
                task.dependsOn('fipsResources')
                task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
                task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
                task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
                // Using the key==value format to override default JVM security settings and policy
                // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
                // "%s" on a File yields its path, so the forked JVM receives "=<path to the selected file>".
                task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
                task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
                task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
            }
        }
    }
}