Commit c3cd834

committed
Add FIPS build-tooling
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]> # Conflicts: # CHANGELOG.md # buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
1 parent 70e890a commit c3cd834

41 files changed

+556
-546
lines changed

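--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Security Manager Replacement] Enhance Java Agent to intercept newByteChannel ([#17989](https://github.com/opensearch-project/OpenSearch/pull/17989))
 - Enabled Async Shard Batch Fetch by default ([#18139](https://github.com/opensearch-project/OpenSearch/pull/18139))
 - Allow to get the search request from the QueryCoordinatorContext ([#17818](https://github.com/opensearch-project/OpenSearch/pull/17818))
+- Add FIPS build tooling ([#4254](https://github.com/opensearch-project/security/issues/4254))
 
 ### Changed
 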
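--- a/build.gradle
+++ b/build.gradle
@@ -66,7 +66,6 @@ apply from: 'gradle/ide.gradle'
 apply from: 'gradle/forbidden-dependencies.gradle'
 apply from: 'gradle/formatting.gradle'
 apply from: 'gradle/local-distribution.gradle'
-apply from: 'gradle/fips.gradle'
 apply from: 'gradle/run.gradle'
 apply from: 'gradle/missing-javadoc.gradle'
 apply from: 'gradle/code-coverage.gradle'
@@ -434,6 +433,9 @@ gradle.projectsEvaluated {
       dependsOn(project(':libs:agent-sm:agent').prepareAgent)
       jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
     }
+    if (BuildParams.inFipsJvm) {
+      task.jvmArgs += ["-Dorg.bouncycastle.fips.approved_only=true"]
+    }
   }
 }
 
@@ -703,6 +705,14 @@ allprojects {
   plugins.withId('lifecycle-base') {
     checkPart1.configure { dependsOn 'check' }
   }
+
+  plugins.withId('opensearch.testclusters') {
+    testClusters.configureEach {
+      if (BuildParams.inFipsJvm) {
+        keystorePassword 'notarealpasswordphrase'
+      }
+    }
+  }
 }
 
 subprojects {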
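Review bot: The `keystorePassword 'notarealpasswordphrase'` line in the third hunk appears to override whatever password an individual test cluster definition sets, because `configureEach` applies it to every cluster of every project once the JVM is in FIPS mode; a comment stating that this is a fixed test-only placeholder, present only to satisfy the keystore-password check the commit adds in OpenSearchNode.start(), would save the next reader from treating it as a secret, e.g. `// FIPS JVMs refuse an unprotected keystore; throwaway test-only value, not a secret`. In the second hunk the added lines use `task.jvmArgs +=` while the existing line just above uses a bare `jvmArgs +=`; if both resolve to the same Test task this is only inconsistent, but it is worth confirming that `task` is the closure parameter here, since the enclosing closure starts outside the hunk.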

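--- a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
@@ -161,11 +161,13 @@ public void execute(Task t) {
                 test.systemProperty("tests.seed", BuildParams.getTestSeed());
             }
 
-            var securityFile = "java.security";
-            test.systemProperty(
-                "java.security.properties",
-                project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/" + securityFile
-            );
+            if (BuildParams.isInFipsJvm()) {
+                test.systemProperty(
+                    "java.security.properties",
+                    project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/fips_java.security"
+                );
+            }
+
             // don't track these as inputs since they contain absolute paths and break cache relocatability
             File gradleHome = project.getGradle().getGradleUserHomeDir();
             String gradleVersion = project.getGradle().getGradleVersion();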
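Review bot: The non-FIPS path in this hunk no longer sets `java.security.properties` at all: before the change every test JVM was pointed at `distribution/src/config/java.security`, and now only FIPS JVMs receive an override (`fips_java.security`), so ordinary test runs silently fall back to the JDK's stock security properties. If that is intended, a comment on the `if` should say so; otherwise keep the previous default as the other branch, e.g. `String securityFile = BuildParams.isInFipsJvm() ? "fips_java.security" : "java.security";` followed by the original `test.systemProperty("java.security.properties", ... + "/distribution/src/config/" + securityFile)` call. The enclosing execute(Task) method starts and ends outside the hunk.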
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
/*
2+
* SPDX-License-Identifier: Apache-2.0
3+
*
4+
* The OpenSearch Contributors require contributions made to
5+
* this file be licensed under the Apache-2.0 license or a
6+
* compatible open source license.
7+
*/
8+
9+
package org.opensearch.gradle.info;
10+
11+
import java.util.function.Function;
12+
13+
public class FipsBuildParams {
14+
15+
public static final String FIPS_BUILD_PARAM = "crypto.standard";
16+
17+
private static String fipsMode;
18+
19+
public static void init(Function<String, Object> fipsValue) {
20+
fipsMode = (String) fipsValue.apply(FIPS_BUILD_PARAM);
21+
fipsMode = fipsMode == null ? "any-supported" : fipsMode;
22+
}
23+
24+
private FipsBuildParams() {}
25+
26+
public static boolean isInFipsMode() {
27+
return "FIPS-140-3".equals(fipsMode);
28+
}
29+
30+
public static String getFipsMode() {
31+
return fipsMode;
32+
}
33+
34+
}
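Review bot: `init` accepts any value for `crypto.standard` and `isInFipsMode()` then treats everything except the exact string `FIPS-140-3` as non-FIPS, so a typo such as `fips-140-3` silently yields a non-FIPS build instead of an error; rejecting values outside the two the class knows about (`any-supported`, `FIPS-140-3`) makes the misconfiguration visible at configuration time. The `(String)` cast on the `fipsValue.apply(...)` result will also throw ClassCastException if the property is supplied as a non-String object, where `toString()` would do. A class-level Javadoc naming the accepted values and stating that `init` must run before the accessors (which otherwise return `null` and `false`) would help readers of GlobalBuildInfoPlugin. This section's file header is missing from the page, so its path is only inferable from the package declaration.
```java
    public static void init(Function<String, Object> fipsValue) {
        Object raw = fipsValue.apply(FIPS_BUILD_PARAM);
        String mode = raw == null ? "any-supported" : raw.toString();
        // fail closed on anything other than the two documented modes
        if (!"any-supported".equals(mode) && !"FIPS-140-3".equals(mode)) {
            throw new IllegalArgumentException("Unsupported " + FIPS_BUILD_PARAM + " value: " + mode);
        }
        fipsMode = mode;
    }
    // … unchanged: private constructor, isInFipsMode(), getFipsMode() …
```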

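--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -109,6 +109,8 @@ public void apply(Project project) {
         File rootDir = project.getRootDir();
         GitInfo gitInfo = gitInfo(rootDir);
 
+        FipsBuildParams.init(project::findProperty);
+
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
@@ -129,7 +131,7 @@ public void apply(Project project) {
             params.setIsCi(System.getenv("JENKINS_URL") != null);
             params.setIsInternal(isInternal);
             params.setDefaultParallel(findDefaultParallel(project));
-            params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false));
+            params.setInFipsJvm(FipsBuildParams.isInFipsMode());
             params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true));
             if (isInternal) {
                 params.setBwcVersions(resolveBwcVersions(rootDir));
@@ -179,7 +181,7 @@ private void logGlobalBuildInfo() {
             LOGGER.quiet("  JAVA_HOME              : " + gradleJvm.getJavaHome());
         }
         LOGGER.quiet("  Random Testing Seed    : " + BuildParams.getTestSeed());
-        LOGGER.quiet("  In FIPS 140 mode       : " + BuildParams.isInFipsJvm());
+        LOGGER.quiet("  Crypto Standard        : " + FipsBuildParams.getFipsMode());
         LOGGER.quiet("=======================================");
     }
 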
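Review bot: The second hunk replaces `Util.getBooleanProperty("tests.fips.enabled", false)` with `FipsBuildParams.isInFipsMode()`, so a build still invoked with the old `tests.fips.enabled` property now runs as a non-FIPS build with no indication that the switch was ignored; a transitional check next to the `FipsBuildParams.init` call, e.g. `if (Util.getBooleanProperty("tests.fips.enabled", false)) { LOGGER.warn("tests.fips.enabled is no longer honoured; use the crypto.standard project property instead"); }`, would surface that until callers have migrated. Note also that `FipsBuildParams.init(project::findProperty)` reads a Gradle project property whereas the replaced code read a boolean via `Util`, so the FIPS switch is now configured through a different channel; neither the commit message nor the CHANGELOG entry mentions this. apply(Project) and logGlobalBuildInfo() both continue outside the hunks.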

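--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -46,6 +46,7 @@
 import org.opensearch.gradle.Version;
 import org.opensearch.gradle.VersionProperties;
 import org.opensearch.gradle.info.BuildParams;
+import org.opensearch.gradle.info.FipsBuildParams;
 import org.gradle.api.Action;
 import org.gradle.api.Named;
 import org.gradle.api.NamedDomainObjectContainer;
@@ -546,6 +547,10 @@ public synchronized void start() {
             logToProcessStdout("installed plugins");
         }
 
+        if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {
+            throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");
+        }
+
         logToProcessStdout("Creating opensearch keystore with password set to [" + keystorePassword + "]");
         if (keystorePassword.length() > 0) {
             runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword + "\n", "opensearch-keystore", "create", "-p");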
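Review bot: The new guard in the second hunk consults `FipsBuildParams.isInFipsMode()` directly, while the rest of the build (the `params.setInFipsJvm(FipsBuildParams.isInFipsMode())` call in GlobalBuildInfoPlugin and `BuildParams.inFipsJvm` in build.gradle) goes through `BuildParams`, which this file already imports; `if (BuildParams.isInFipsJvm() && keystorePassword.isEmpty())` keeps one source of truth and makes the added import unnecessary. The guard also makes a keystore password mandatory in FIPS mode, and the pre-existing line directly after it writes that password to the process stdout log in clear text; logging only whether a password is set would be the safer companion change. start() begins outside the hunk.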
-101 KB
Binary file not shown.

buildSrc/src/main/resources/fips_java_bcjsse_11.policy

Lines changed: 0 additions & 29 deletions
This file was deleted.

buildSrc/src/main/resources/fips_java_bcjsse_11.security

Lines changed: 0 additions & 53 deletions
This file was deleted.

buildSrc/src/main/resources/fips_java_bcjsse_8.policy

Lines changed: 0 additions & 34 deletions
This file was deleted.

buildSrc/src/main/resources/fips_java_bcjsse_8.security

Lines changed: 0 additions & 134 deletions
This file was deleted.
