42 changes: 42 additions & 0 deletions build.gradle
Expand Up @@ -13,6 +13,7 @@
import com.diffplug.gradle.spotless.JavaExtension
import org.opensearch.gradle.info.FipsBuildParams
import org.opensearch.gradle.test.RestIntegTestTask
import org.opensearch.gradle.info.BuildParams
import groovy.json.JsonBuilder

buildscript {
Expand Down Expand Up @@ -241,6 +242,25 @@ task listTasksAsJSON {
}
}

def configureFipsJvmArgs(Test task) {
if (BuildParams.isInFipsJvm()) {
def fipsSecurityFile = project.rootProject.file('config/fips_java.security')
task.jvmArgs += "-Djava.security.properties=${fipsSecurityFile}"
task.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
task.jvmArgs += "-Djavax.net.ssl.trustStore=/home/iigonin/install/opensearch-3.4.0-SNAPSHOT/config/opensearch-fips-truststore.bcfks"
task.jvmArgs += "-Djavax.net.ssl.trustStoreProvider=BCFIPS"
task.jvmArgs += "-Djavax.net.ssl.trustStoreType=BCFKS"
task.jvmArgs += "-Djavax.net.ssl.trustStorePassword=dtekVF0vEAA9FNvm#KMkTwMN"
}
}

def configureSecurityAdminTestJvmArgs(Test task) {
if (!BuildParams.isInFipsJvm()) {
def bcProviderFile = project.rootProject.file('config/fips_java.security')
task.jvmArgs += "-Djava.security.properties=${bcProviderFile}"
}
}

tasks.register('copyExtraTestResources', Copy.class) {
dependsOn testClasses

Expand Down Expand Up @@ -270,6 +290,8 @@ def setCommonTestConfig(Test task) {
// this is needed to reflect access system env map.
task.jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
task.jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED"
configureFipsJvmArgs(task)
configureSecurityAdminTestJvmArgs(task)
task.retry {
failOnPassedAfterRetry = false
maxRetries = 5
Expand Down Expand Up @@ -303,6 +325,7 @@ test {
// this is needed to reflect access system env map.
jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED"
configureFipsJvmArgs(it)
retry {
failOnPassedAfterRetry = false
maxRetries = 5
Expand Down Expand Up @@ -575,6 +598,7 @@ allprojects {
integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
integrationTestImplementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
integrationTestImplementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
integrationTestImplementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
integrationTestImplementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
integrationTestImplementation('org.awaitility:awaitility:4.3.0') {
Expand Down Expand Up @@ -637,6 +661,7 @@ task integrationTest(type: Test) {
systemProperty "java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager"
testClassesDirs = sourceSets.integrationTest.output.classesDirs
classpath = sourceSets.integrationTest.runtimeClasspath
configureFipsJvmArgs(it)
//run the integrationTest task after the test task
shouldRunAfter test
jacoco {
Expand Down Expand Up @@ -681,10 +706,12 @@ dependencies {
// When building with -Pcrypto.standard=FIPS-140-3, bcFips jars are provided by OpenSearch
if (FipsBuildParams.isInFipsMode()) {
compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
compileOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
compileOnly "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
} else {
implementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
implementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
implementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
}
Expand Down Expand Up @@ -796,6 +823,7 @@ dependencies {
exclude(group: 'org.hamcrest', module: 'hamcrest')
}
testImplementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
testImplementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
testImplementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
testImplementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
// JUnit build requirement
Expand Down Expand Up @@ -835,6 +863,18 @@ tasks.register('testsJar', Jar) {
from(sourceSets.test.output)
}

def configureSecurityAdminBcFips(AbstractArchiveTask task) {
def bcFipsJars = configurations.detachedConfiguration(
dependencies.create("org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"),
dependencies.create("org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"),
dependencies.create("org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"),
dependencies.create("org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}")
)
task.from(bcFipsJars) {
into 'deps/'
}
}

task bundleSecurityAdminStandalone(dependsOn: jar, type: Zip) {
archiveClassifier = 'securityadmin-standalone'
from(configurations.runtimeClasspath) {
Expand All @@ -850,6 +890,7 @@ task bundleSecurityAdminStandalone(dependsOn: jar, type: Zip) {
into 'deps/securityconfig'
}
}
configureSecurityAdminBcFips(bundleSecurityAdminStandalone)

task bundleSecurityAdminStandaloneTarGz(dependsOn: jar, type: Tar) {
archiveClassifier = 'securityadmin-standalone'
Expand All @@ -868,6 +909,7 @@ task bundleSecurityAdminStandaloneTarGz(dependsOn: jar, type: Tar) {
into 'deps/securityconfig'
}
}
configureSecurityAdminBcFips(bundleSecurityAdminStandaloneTarGz)

buildRpm {
arch = 'NOARCH'
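Review bot: The `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` lines in `configureFipsJvmArgs` commit a developer-machine absolute path (`/home/iigonin/...`) and a literal truststore password into the build script, and because both go through `jvmArgs` the password also ends up in the test JVM's command line, where it is readable by other local processes. The path will not exist on CI or on any other checkout, so FIPS test runs would presumably fail at TLS trust setup rather than with a clear configuration error. Read both from the build environment instead, e.g. `task.jvmArgs += "-Djavax.net.ssl.trustStore=${project.findProperty('fipsTrustStore')}"` and `task.jvmArgs += "-Djavax.net.ssl.trustStorePassword=${System.getenv('FIPS_TRUSTSTORE_PASSWORD')}"` (property and variable names are placeholders to be agreed), and treat the committed password as burned since it is now in history. Separately, `configureSecurityAdminTestJvmArgs` applies the same `config/fips_java.security` overlay when the JVM is not FIPS, so once both calls are added in `setCommonTestConfig` the file is applied on every JVM; if that is intended, a one-line comment on the non-FIPS branch saying why would save the next reader from reading it as a mistake.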
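--- a/config/fips_java.security
+++ b/config/fips_java.security
@@ -0,0 +1,20 @@
+# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode
+# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=fips_java.security'
+
+security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
+security.provider.3=SUN
+security.provider.4=SunJGSS
+
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+# Revocation via BCTLS TrustManager (covers all TLS including LDAPS)
+com.sun.net.ssl.checkRevocation=true
+
+# BC FIPS CertPath revocation mechanisms
+ocsp.enable=true
+org.bouncycastle.x509.enableCRLDP=true
+
+# OCSP stapling — request stapled response from server
+jdk.tls.client.enableStatusRequestExtension=true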
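Review bot: `com.sun.net.ssl.checkRevocation` and `jdk.tls.client.enableStatusRequestExtension` are documented by the JDK as system properties (set with `-D`), not security properties, so placing them in a `java.security.properties` overlay may leave them unset for SunJSSE and revocation checking silently off; whether BCJSSE (provider 2 here) reads them from the security properties file should be verified, and if it does not they belong next to the existing `-D` arguments in `configureFipsJvmArgs` in build.gradle. The header comment also promises approved-only mode, but nothing in this file enforces it: `ENABLE{All}` on provider 1 enables every algorithm, and approved-only comes solely from the `-Dorg.bouncycastle.fips.approved_only=true` JVM argument added in build.gradle, so I would extend the first comment line with `approved-only mode is enforced separately via -Dorg.bouncycastle.fips.approved_only=true`. A short comment stating that the two system-property keys are intentionally duplicated here (if that is the case) would stop a future reader from removing them as dead configuration.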