diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy index 3d8ba1f3b36a5..d5b9332e61686 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy @@ -152,9 +152,8 @@ class BuildPlugin implements Plugin { runtimeJavaVersionDetails = findJavaVersionDetails(project, runtimeJavaHome) runtimeJavaVersionEnum = JavaVersion.toVersion(findJavaSpecificationVersion(project, runtimeJavaHome)) } - - String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));' - boolean inFipsJvm = Boolean.parseBoolean(runJavaAsScript(project, runtimeJavaHome, inFipsJvmScript)) + // Java home name checking is fragile, but we control the environment + boolean inFipsJvm = runtimeJavaHome.contains("fips") // Build debugging info println '=======================================' @@ -590,6 +589,16 @@ class BuildPlugin implements Plugin { url "https://s3.amazonaws.com/download.elasticsearch.org/lucenesnapshots/${revision}" } } + String compilerJavaHome = findCompilerJavaHome() + String runtimeJavaHome = findRuntimeJavaHome(compilerJavaHome) + if (runtimeJavaHome.contains("fips")) { + repos.ivy { + url "https://downloads.bouncycastle.org" + patternLayout { + artifact 'fips-java/[module]-[revision].[ext]' + } + } + } } /** @@ -906,6 +915,10 @@ class BuildPlugin implements Plugin { File heapdumpDir = new File(project.buildDir, 'heapdump') project.tasks.withType(Test) { Test test -> + RepositoryHandler repos = project.repositories + if (project.ext.inFipsJvm) { + project.dependencies.add('testRuntimeOnly', "org.bouncycastle:bc-fips:1.0.1:jar") + } File testOutputDir = new File(test.reports.junitXml.getDestination(), "output") doFirst { 
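Review bot: In the first hunk `inFipsJvm` is now decided solely by whether the JDK path contains "fips", so a JDK whose security providers are not actually FIPS-configured (or a FIPS JDK installed under a differently named directory) runs the FIPS-only test setup silently in the wrong mode; the removed `java.security.Security.getProviders()[0]` probe was the only check that looked at the runtime itself. Since `runJavaAsScript` is still available at this point, the name check can remain the primary signal while the provider probe becomes a fail-fast validation, so a misnamed or misconfigured JDK is reported at configuration time instead of as quietly skipped FIPS coverage. The comment `// Java home name checking is fragile, but we control the environment` should also say what "the environment" is (CI-provisioned JDK directories, presumably) so the assumption is visible to anyone running the build locally. `GradleException` is what the rest of the plugin appears to throw for configuration failures; use whatever this file already imports.
```groovy
// Java home name checking is fragile, but we control the environment (CI provisions the JDK
// directories); still verify the runtime really exposes a FIPS provider so a misnamed JDK fails fast.
boolean inFipsJvm = runtimeJavaHome.contains("fips")
if (inFipsJvm) {
    String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));'
    if (Boolean.parseBoolean(runJavaAsScript(project, runtimeJavaHome, inFipsJvmScript)) == false) {
        throw new GradleException("runtime java home [${runtimeJavaHome}] looks like a FIPS JVM but its primary security provider is not FIPS")
    }
}
// … unchanged: build debugging info …
```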
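Review bot: The Ivy repository added in the second hunk goes onto the project's general repository list with no content filter, so once `runtimeJavaHome` contains "fips" every dependency lookup — not only `org.bouncycastle:bc-fips` — may be answered by `downloads.bouncycastle.org` through the `fips-java/[module]-[revision].[ext]` pattern, which widens the set of hosts that can supply build-time artifacts. If the Gradle version in use supports repository content filtering, scoping it with `content { includeModule("org.bouncycastle", "bc-fips") }` keeps the repository limited to the one artifact it exists for; otherwise a comment stating that intended scope is the minimum. The hunk also recomputes `findCompilerJavaHome()`/`findRuntimeJavaHome(...)` and repeats the `contains("fips")` test instead of reusing the flag the plugin already derives, so the two sites can drift; one helper such as `static boolean isFipsJavaHome(String javaHome) { return javaHome.contains("fips") }` used by both would keep them in step. No integrity check (checksum or signature) of the downloaded bc-fips jar is visible in this diff — it may be handled elsewhere, but it is worth confirming for an artifact that is itself the crypto provider under test.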
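Review bot: `RepositoryHandler repos = project.repositories` in the third hunk is assigned inside the `withType(Test)` closure but not used by any line the hunk shows; the closure body continues past the hunk, so if nothing further down reads it, drop the assignment, and if something does, declare it next to that use. The `"org.bouncycastle:bc-fips:1.0.1:jar"` coordinate is a bare literal here while the repository that serves it is declared in a different part of the same file; a single named version alongside that repository definition, e.g. `String bcFipsVersion = '1.0.1'`, would make the FIPS provider version visible in one place when it has to be bumped.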
diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy index 0316acef922c4..548268f424887 100644 --- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy +++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy @@ -111,6 +111,11 @@ class PrecommitTasks { } task.dependsOn(project.sourceSets.test.classesTaskName) task.javaHome = project.runtimeJavaHome + + // Java home name checking is fragile, but we control the environment + if (project.runtimeJavaHome.contains("fips")){ + task.enabled = false + } return task } diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle index 61e3546ed8919..9c159533a774d 100644 --- a/distribution/tools/plugin-cli/build.gradle +++ b/distribution/tools/plugin-cli/build.gradle @@ -39,9 +39,3 @@ test { // TODO: find a way to add permissions for the tests in this module systemProperty 'tests.security.manager', 'false' } - -if (project.inFipsJvm) { - // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit, - // rather than provide a long list of exclusions, disable the check on FIPS. - thirdPartyAudit.enabled = false -} diff --git a/modules/reindex/build.gradle b/modules/reindex/build.gradle index 400bb3d4841bc..0decd967fea33 100644 --- a/modules/reindex/build.gradle +++ b/modules/reindex/build.gradle @@ -98,6 +98,7 @@ dependencies { // Issue tracked in https://github.com/elastic/elasticsearch/issues/40904 if (project.inFipsJvm) { integTest.enabled = false + testingConventions.enabled = false } if (Os.isFamily(Os.FAMILY_WINDOWS)) { diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle index e8050c637f160..c2232988504dc 100644 --- a/modules/transport-netty4/build.gradle +++ b/modules/transport-netty4/build.gradle 
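Review bot: The PrecommitTasks hunk disables the task with its own `project.runtimeJavaHome.contains("fips")` test instead of the `inFipsJvm` flag that BuildPlugin derives from the same string, and, unlike the per-module `thirdPartyAudit.enabled = false` blocks this commit deletes, it carries no explanation of why the check cannot run there (those blocks said the FIPS JVM ships bouncycastle classes that register as jar hell). Provided the flag is already set when this runs — the removed module-level blocks relied on `project.inFipsJvm`, so it should be — reuse it and keep the rationale next to the switch: `if (project.inFipsJvm) { // BC-FIPS classes in the JVM register as jar hell for this audit`. Which task this closure configures is not visible (the method starts before the hunk), so the comment should name it.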
@@ -88,6 +88,7 @@ thirdPartyAudit { 'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', 'org.bouncycastle.jce.provider.BouncyCastleProvider', 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', + 'org.bouncycastle.asn1.x500.X500Name', // from io.netty.handler.ssl.JettyNpnSslEngine (netty) 'org.eclipse.jetty.npn.NextProtoNego$ClientProvider', @@ -169,12 +170,4 @@ thirdPartyAudit { 'io.netty.util.internal.shaded.org.jctools.util.UnsafeRefArrayAccess', 'io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator' ) -} - -if (project.inFipsJvm == false) { - // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in - // a FIPS JVM with BouncyCastleFIPS Provider - thirdPartyAudit.ignoreMissingClasses ( - 'org.bouncycastle.asn1.x500.X500Name' - ) -} +} \ No newline at end of file diff --git a/plugins/discovery-azure-classic/build.gradle b/plugins/discovery-azure-classic/build.gradle index d7847259defaf..05f4499d4f6e8 100644 --- a/plugins/discovery-azure-classic/build.gradle +++ b/plugins/discovery-azure-classic/build.gradle @@ -48,7 +48,7 @@ dependencies { compile 'org.codehaus.jackson:jackson-core-asl:1.9.2' compile 'org.codehaus.jackson:jackson-mapper-asl:1.9.2' compile 'org.codehaus.jackson:jackson-jaxrs:1.9.2' - compile 'org.codehaus.jackson:jackson-xc:1.9.2' + compile 'org.codehaus.jackson:jackson-xc:1.9.2' // HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here, // and whitelist this hack in JarHell @@ -63,6 +63,7 @@ File keystore = new File(project.buildDir, 'keystore/test-node.jks') // generate the keystore task createKey(type: LoggedExec) { + onlyIf { inFipsJvm == false } doFirst { project.delete(keystore.parentFile) keystore.parentFile.mkdirs() 
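Review bot: Making `'org.bouncycastle.asn1.x500.X500Name'` an unconditional `ignoreMissingClasses` entry in the transport-netty4 hunk is only correct because the audit no longer runs on a FIPS JVM at all (the removed block explained that BouncyCastleFIPS provides the class there, which made the exclusion invalid); that dependency between the two changes is invisible at this site and will surprise whoever re-enables the audit under FIPS. A one-line comment on the entry preserves it: `'org.bouncycastle.asn1.x500.X500Name', // present in a FIPS JVM via BC-FIPS; thirdPartyAudit is disabled there`. The hunk also drops the file's trailing newline (`\ No newline at end of file`), as this commit does in many build files; keeping the final newline avoids noisy one-line diffs on the next edit.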
@@ -133,3 +134,9 @@ thirdPartyAudit.ignoreMissingClasses ( 'com.sun.xml.fastinfoset.stax.StAXDocumentParser', 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer' ) + +if (inFipsJvm) { + // We do not run integ tests in FIPS mode as these use a JKS keystore for the azure settings + integTest.enabled = false + testingConventions.enabled = false +} \ No newline at end of file diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle index cbe417708d778..7ed05f411b6c3 100644 --- a/plugins/ingest-attachment/build.gradle +++ b/plugins/ingest-attachment/build.gradle @@ -82,10 +82,4 @@ forbiddenPatterns { thirdPartyAudit{ ignoreMissingClasses() -} - -if (project.inFipsJvm) { - // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit, - // rather than provide a long list of exclusions, disable the check on FIPS. - thirdPartyAudit.enabled = false -} +} \ No newline at end of file diff --git a/plugins/transport-nio/build.gradle b/plugins/transport-nio/build.gradle index 9e855995c3bfa..1c44ec3ac827e 100644 --- a/plugins/transport-nio/build.gradle +++ b/plugins/transport-nio/build.gradle @@ -59,6 +59,7 @@ thirdPartyAudit { 'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder', 'org.bouncycastle.jce.provider.BouncyCastleProvider', 'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder', + 'org.bouncycastle.asn1.x500.X500Name', // from io.netty.handler.ssl.JettyNpnSslEngine (netty) 'org.eclipse.jetty.npn.NextProtoNego$ClientProvider', @@ -147,11 +148,4 @@ thirdPartyAudit { 'io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator' ) -} -if (project.inFipsJvm == false) { - // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in - // a FIPS JVM with BouncyCastleFIPS Provider - thirdPartyAudit.ignoreMissingClasses ( - 'org.bouncycastle.asn1.x500.X500Name' - ) -} +} \ No newline at end of file 
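Review bot: The discovery-azure-classic hunk reads `inFipsJvm` as a bare script property while the other guards this commit adds spell it `project.inFipsJvm`; both resolve through the project, but the explicit form is the one to use consistently. Switching off `integTest` and `testingConventions` together leaves the FIPS run with no signal that this module was skipped; the comment explains only the integ-test half, so extend it, e.g. `// testingConventions is disabled too, presumably because it would flag the IT classes as not run by any task — confirm`, or better, state the actual reason. The transport-nio hunk on the same line repeats the unconditional `X500Name` exclusion from transport-netty4 and should carry the same note about relying on the audit being disabled under FIPS.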
diff --git a/x-pack/plugin/ml/build.gradle b/x-pack/plugin/ml/build.gradle index 6ca1a44c145da..683466ca665ce 100644 --- a/x-pack/plugin/ml/build.gradle +++ b/x-pack/plugin/ml/build.gradle @@ -113,4 +113,4 @@ gradle.projectsEvaluated { // also add an "alias" task to make typing on the command line easier task icTest { dependsOn internalClusterTest -} +} \ No newline at end of file diff --git a/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle b/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle index 22fd7837628b9..27fec9be95086 100644 --- a/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle +++ b/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle @@ -69,4 +69,4 @@ integTestCluster { retries: 10) return tmpFile.exists() } -} +} \ No newline at end of file diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle index cab1a7f8d6e3b..026ee6de1ee02 100644 --- a/x-pack/plugin/security/build.gradle +++ b/x-pack/plugin/security/build.gradle @@ -325,5 +325,4 @@ gradle.projectsEvaluated { .subprojects .findAll { it.path.startsWith(project.path + ":qa") } .each { check.dependsOn it.check } -} - +} \ No newline at end of file diff --git a/x-pack/plugin/security/cli/build.gradle b/x-pack/plugin/security/cli/build.gradle index 19a8d11dd6f0c..db5ca51069f36 100644 --- a/x-pack/plugin/security/cli/build.gradle +++ b/x-pack/plugin/security/cli/build.gradle @@ -30,8 +30,4 @@ if (project.inFipsJvm) { tasks.withType(CheckForbiddenApis) { bundledSignatures -= "jdk-non-portable" } - // FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit, - // rather than provide a long list of exclusions, disable the check on FIPS. - thirdPartyAudit.enabled = false - } diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle index 9f5ef26f6e6a6..ef46e8f15ab87 100644 --- a/x-pack/plugin/security/qa/tls-basic/build.gradle 
+++ b/x-pack/plugin/security/qa/tls-basic/build.gradle @@ -44,5 +44,4 @@ integTestCluster { http.setCertificateAuthorities(caFile) return http.wait(5000) } -} - +} \ No newline at end of file diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle index c4719aef04ab8..69b72459c0afc 100644 --- a/x-pack/plugin/sql/build.gradle +++ b/x-pack/plugin/sql/build.gradle @@ -146,4 +146,4 @@ task regen { patternset(includes: 'SqlBase*.java') } } -} +} \ No newline at end of file diff --git a/x-pack/plugin/sql/qa/security/with-ssl/build.gradle b/x-pack/plugin/sql/qa/security/with-ssl/build.gradle index de4e173463612..13bc2b3c572f4 100644 --- a/x-pack/plugin/sql/qa/security/with-ssl/build.gradle +++ b/x-pack/plugin/sql/qa/security/with-ssl/build.gradle @@ -208,8 +208,7 @@ integTestCluster { } } Closure notRunningFips = { - Boolean.parseBoolean(BuildPlugin.runJavaAsScript(project, project.runtimeJavaHome, - 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false + inFipsJvm == false } // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail. 
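Review bot: `Closure notRunningFips = { inFipsJvm == false }` in the with-ssl hunk resolves `inFipsJvm` through the closure's owner (the build script) rather than naming `project.inFipsJvm` as the `if (project.inFipsJvm)` block later in the same file does; it works, but the explicit form reads unambiguously inside a closure that is handed to `onlyIf`. The `BuildPlugin` import that the removed `BuildPlugin.runJavaAsScript` call needed sits outside the hunk; if nothing else in the file references it, it is now an unused import and should go with this change.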
@@ -219,6 +218,16 @@ tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFi tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips } tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips } tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "createNodeKeyStore" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "createClientKeyStore" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "exportNodeCertificate" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "exportClientCertificate" }).all { onlyIf notRunningFips } +tasks.matching({ it.name == "importNodeCertificateInClientKeyStore" }).all { onlyIf notRunningFips} +tasks.matching({ it.name == "importClientCertificateInNodeKeyStore" }).all { onlyIf notRunningFips} + +if (project.inFipsJvm) { + testingConventions.enabled = false +} /** A lazy evaluator to find the san to use for certificate generation. */ class SanEvaluator { diff --git a/x-pack/plugin/sql/qa/security/without-ssl/build.gradle b/x-pack/plugin/sql/qa/security/without-ssl/build.gradle index ac748527da371..64202673d6e66 100644 --- a/x-pack/plugin/sql/qa/security/without-ssl/build.gradle +++ b/x-pack/plugin/sql/qa/security/without-ssl/build.gradle @@ -15,3 +15,6 @@ integTestCluster { return tmpFile.exists() } } +if (project.inFipsJvm) { + testingConventions.enabled = false +} \ No newline at end of file diff --git a/x-pack/qa/core-rest-tests-with-security/build.gradle b/x-pack/qa/core-rest-tests-with-security/build.gradle index dbf5aa6fc227c..d2a94dbcebc6c 100644 --- a/x-pack/qa/core-rest-tests-with-security/build.gradle +++ b/x-pack/qa/core-rest-tests-with-security/build.gradle @@ -43,4 +43,4 @@ integTestCluster { retries: 10) return tmpFile.exists() } -} +} \ No newline at end of file 
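Review bot: The six new `tasks.matching({ it.name == "..." }).all { onlyIf notRunningFips }` lines copy the existing pattern once per keystore task; a single loop, `['createNodeKeyStore', 'createClientKeyStore', 'exportNodeCertificate', 'exportClientCertificate', 'importNodeCertificateInClientKeyStore', 'importClientCertificateInNodeKeyStore'].each { n -> tasks.matching({ it.name == n }).all { onlyIf notRunningFips } }`, keeps the list in one place and makes a forgotten task easier to spot. Matching by string is also brittle in a security-relevant way: a misspelled name silently matches nothing and that keystore task then runs under FIPS, so either the task definitions (outside this hunk) should carry a comment pointing here, or the build should fail when a name matches no task. The last two lines are spaced `onlyIf notRunningFips}` unlike the others.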
diff --git a/x-pack/qa/evil-tests/build.gradle b/x-pack/qa/evil-tests/build.gradle
index d411909fb310b..68cc76f337755 100644
--- a/x-pack/qa/evil-tests/build.gradle
+++ b/x-pack/qa/evil-tests/build.gradle
@@ -8,4 +8,4 @@ dependencies {
 test {
 systemProperty 'tests.security.manager', 'false'
 include '**/*Tests.class'
-}
+}
\ No newline at end of file
diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle
index 964cc2fb43cc7..da501ee16d4eb 100644
--- a/x-pack/qa/full-cluster-restart/build.gradle
+++ b/x-pack/qa/full-cluster-restart/build.gradle
@@ -232,4 +232,4 @@ task copyXPackPluginProps(type: Copy) {
 from project(xpackModule('core')).tasks.pluginProperties
 into outputDir
 }
-project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps)
+project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps)
\ No newline at end of file
diff --git a/x-pack/qa/kerberos-tests/build.gradle b/x-pack/qa/kerberos-tests/build.gradle
index 88248f89b72c5..ee7103d54c714 100644
--- a/x-pack/qa/kerberos-tests/build.gradle
+++ b/x-pack/qa/kerberos-tests/build.gradle
@@ -73,5 +73,4 @@ task copyKeytabToGeneratedResources(type: Copy) {
 into generatedResources
 dependsOn project(':test:fixtures:krb5kdc-fixture').postProcessFixture
 }
-project.sourceSets.test.output.dir(generatedResources, builtBy:copyKeytabToGeneratedResources)
-
+project.sourceSets.test.output.dir(generatedResources, builtBy:copyKeytabToGeneratedResources)
\ No newline at end of file
diff --git a/x-pack/qa/openldap-tests/build.gradle b/x-pack/qa/openldap-tests/build.gradle
index 5305699b9a0c7..54d53c26e2f25 100644
--- a/x-pack/qa/openldap-tests/build.gradle
+++ b/x-pack/qa/openldap-tests/build.gradle
@@ -17,4 +17,4 @@ task copyIdpTrust(type: Copy) { from idpFixtureProject.file('openldap/certs/ca_server.pem'); into outputDir } -project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust) +project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust) \ No newline at end of file diff --git a/x-pack/qa/reindex-tests-with-security/build.gradle b/x-pack/qa/reindex-tests-with-security/build.gradle index 64e1c61b60717..4f203cc743f00 100644 --- a/x-pack/qa/reindex-tests-with-security/build.gradle +++ b/x-pack/qa/reindex-tests-with-security/build.gradle @@ -58,4 +58,4 @@ integTestCluster { http.setPassword("x-pack-test-password") return http.wait(5000) } -} +} \ No newline at end of file diff --git a/x-pack/qa/saml-idp-tests/build.gradle b/x-pack/qa/saml-idp-tests/build.gradle index 7b76321fe9d4f..7e8933b543bae 100644 --- a/x-pack/qa/saml-idp-tests/build.gradle +++ b/x-pack/qa/saml-idp-tests/build.gradle @@ -111,4 +111,4 @@ thirdPartyAudit { ignoreMissingClasses ( 'com.ibm.icu.lang.UCharacter' ) -} +} \ No newline at end of file diff --git a/x-pack/qa/security-tools-tests/build.gradle b/x-pack/qa/security-tools-tests/build.gradle index 135f82bb4a617..2530df2b0aa3d 100644 --- a/x-pack/qa/security-tools-tests/build.gradle +++ b/x-pack/qa/security-tools-tests/build.gradle @@ -20,4 +20,4 @@ forbiddenPatterns { } // these are just tests, no need to audit -thirdPartyAudit.enabled = false +thirdPartyAudit.enabled = false \ No newline at end of file diff --git a/x-pack/qa/third-party/active-directory/build.gradle b/x-pack/qa/third-party/active-directory/build.gradle index 2d4af2b46bbc0..a096c2c5cf95b 100644 --- a/x-pack/qa/third-party/active-directory/build.gradle +++ b/x-pack/qa/third-party/active-directory/build.gradle @@ -30,5 +30,4 @@ test { systemProperty 'es.set.netty.runtime.available.processors', 'false' include '**/*IT.class' include '**/*Tests.class' -} - +} \ No newline at end of file