for GCS plugin prioritize custom truststore. With fallback to default google.p12 in non-FIPS mode and an exception in FIPS mode when no truststore is set up.

Signed-off-by: Igonin <[email protected]>
Co-authored-by: Benny Goerzig <[email protected]>
Co-authored-by: Karsten Schnitter <[email protected]>
Co-authored-by: Kai Sternad <[email protected]>

Author: 4 people

plugins/repository-gcs/build.gradle

@@ -12,6 +12,7 @@
 
 import org.opensearch.gradle.MavenFilteringHack
 import org.opensearch.gradle.info.BuildParams
+import org.opensearch.gradle.info.FipsBuildParams
 import org.opensearch.gradle.test.InternalClusterTestPlugin
 import org.opensearch.gradle.test.RestIntegTestTask
 import org.opensearch.gradle.test.rest.YamlRestTestPlugin
@@ -351,6 +352,14 @@ processYamlRestTestResources {
 internalClusterTest {
   // this is tested explicitly in a separate test task
   exclude '**/GoogleCloudStorageThirdPartyTests.class'
+  exclude '**/GoogleCloudStorageThirdPartyFipsTests.class'
+
+  // Conditionally exclude based on FIPS mode
+  if (FipsBuildParams.isInFipsMode()) {
+    exclude '**/GoogleCloudStorageBlobStoreRepositoryTests.class'
+  } else {
+    exclude '**/GoogleCloudStorageBlobStoreRepositoryFipsTests.class'
+  }
 }
 
 final Closure testClustersConfiguration = {
@@ -413,7 +422,11 @@ task gcsThirdPartyTest(type: Test) {
   SourceSet internalTestSourceSet = sourceSets.getByName(InternalClusterTestPlugin.SOURCE_SET_NAME)
   setTestClassesDirs(internalTestSourceSet.getOutput().getClassesDirs())
   setClasspath(internalTestSourceSet.getRuntimeClasspath())
-  include '**/GoogleCloudStorageThirdPartyTests.class'
+  if (FipsBuildParams.isInFipsMode()) {
+    include '**/GoogleCloudStorageThirdPartyFipsTests.class'
+  } else {
+    include '**/GoogleCloudStorageThirdPartyTests.class'
+  }
   systemProperty 'tests.security.manager', false
   systemProperty 'test.google.bucket', gcsBucket
   nonInputProperties.systemProperty 'test.google.base', gcsBasePath + "_third_party_tests_" + BuildParams.testSeed

plugins/repository-gcs/src/internalClusterTest/java/org/opensearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryFipsTests.java

@@ -0,0 +1,34 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.gcs;
+
+import org.opensearch.common.settings.MockSecureSettings;
+import org.opensearch.common.settings.Settings;
+
+import java.nio.file.Path;
+
+import static org.opensearch.repositories.gcs.GoogleCloudStorageClientSettings.TRUSTSTORE_PASSWORD_SETTING;
+import static org.opensearch.repositories.gcs.GoogleCloudStorageClientSettings.TRUSTSTORE_PATH_SETTING;
+import static org.opensearch.repositories.gcs.GoogleCloudStorageClientSettings.TRUSTSTORE_TYPE_SETTING;
+
+public class GoogleCloudStorageBlobStoreRepositoryFipsTests extends GoogleCloudStorageBlobStoreRepositoryTests {
+
+    private final Path truststorePath = getDataPath("/google.bcfks");
+
+    @Override
+    protected void configureClientSettings(Settings.Builder settings) {
+        settings.put(TRUSTSTORE_PATH_SETTING.getConcreteSettingForNamespace("test").getKey(), truststorePath.toString());
+        settings.put(TRUSTSTORE_TYPE_SETTING.getConcreteSettingForNamespace("test").getKey(), "BCFKS");
+    }
+
+    @Override
+    protected void configureSecureSettings(MockSecureSettings secureSettings) {
+        secureSettings.setString(TRUSTSTORE_PASSWORD_SETTING.getConcreteSettingForNamespace("test").getKey(), "notasecret");
+    }
+}

plugins/repository-gcs/src/internalClusterTest/java/org/opensearch/repositories/gcs/GoogleCloudStorageBlobStoreRepositoryTests.java

@@ -121,14 +121,34 @@ protected Settings nodeSettings(int nodeOrdinal) {
         settings.put(super.nodeSettings(nodeOrdinal));
         settings.put(ENDPOINT_SETTING.getConcreteSettingForNamespace("test").getKey(), httpServerUrl());
         settings.put(TOKEN_URI_SETTING.getConcreteSettingForNamespace("test").getKey(), httpServerUrl() + "/token");
+        configureClientSettings(settings);
 
         final MockSecureSettings secureSettings = new MockSecureSettings();
         final byte[] serviceAccount = TestUtils.createServiceAccount(random());
         secureSettings.setFile(CREDENTIALS_FILE_SETTING.getConcreteSettingForNamespace("test").getKey(), serviceAccount);
+        configureSecureSettings(secureSettings);
         settings.setSecureSettings(secureSettings);
         return settings.build();
     }
 
+    /**
+     * Hook method for subclasses to add additional client settings.
+     *
+     * @param settings the settings builder to add settings to
+     */
+    protected void configureClientSettings(Settings.Builder settings) {
+        // Default implementation: no additional settings
+    }
+
+    /**
+     * Hook method for subclasses to add additional secure settings.
+     *
+     * @param secureSettings the secure settings to add settings to
+     */
+    protected void configureSecureSettings(MockSecureSettings secureSettings) {
+        // Default implementation: no additional secure settings
+    }
+
     public void testDeleteSingleItem() {
         final String repoName = createRepository(randomName());
         final RepositoriesService repositoriesService = internalCluster().getClusterManagerNodeInstance(RepositoriesService.class);

plugins/repository-gcs/src/internalClusterTest/java/org/opensearch/repositories/gcs/GoogleCloudStorageThirdPartyFipsTests.java

@@ -0,0 +1,35 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.gcs;
+
+import org.opensearch.common.settings.MockSecureSettings;
+import org.opensearch.common.settings.SecureSettings;
+import org.opensearch.common.settings.Settings;
+
+import java.nio.file.Path;
+
+public class GoogleCloudStorageThirdPartyFipsTests extends GoogleCloudStorageThirdPartyTests {
+
+    private final Path truststorePath = getDataPath("/google.bcfks");
+
+    @Override
+    protected Settings nodeSettings() {
+        Settings.Builder builder = Settings.builder().put(super.nodeSettings());
+        builder.put("gcs.client.default.truststore.path", truststorePath.toString());
+        builder.put("gcs.client.default.truststore.type", "BCFKS");
+        return builder.build();
+    }
+
+    @Override
+    protected SecureSettings credentials() {
+        MockSecureSettings secureSettings = (MockSecureSettings) super.credentials();
+        secureSettings.setString("gcs.client.default.truststore.password", "notasecret");
+        return secureSettings;
+    }
+}

plugins/repository-gcs/src/main/resources/google.bcfks renamed to plugins/repository-gcs/src/internalClusterTest/resources/google.bcfks

@@ -167,6 +167,27 @@ public class GoogleCloudStorageClientSettings {
         () -> PROXY_USERNAME_SETTING
     );
 
+    /** The path to the truststore file for SSL/TLS connections */
+    static final Setting.AffixSetting<String> TRUSTSTORE_PATH_SETTING = Setting.affixKeySetting(
+        PREFIX,
+        "truststore.path",
+        key -> Setting.simpleString(key, Setting.Property.NodeScope)
+    );
+
+    /** The secure password for the truststore */
+    static final Setting.AffixSetting<SecureString> TRUSTSTORE_PASSWORD_SETTING = Setting.affixKeySetting(
+        PREFIX,
+        "truststore.password",
+        key -> SecureSetting.secureString(key, null)
+    );
+
+    /** The type of the truststore (e.g., BCFKS, PKCS11, PKCS12, JKS) */
+    static final Setting.AffixSetting<String> TRUSTSTORE_TYPE_SETTING = Setting.affixKeySetting(
+        PREFIX,
+        "truststore.type",
+        key -> Setting.simpleString(key, Setting.Property.NodeScope)
+    );
+
     /** The credentials used by the client to connect to the Storage endpoint. */
     private final ServiceAccountCredentials credential;
 
@@ -191,6 +212,9 @@ public class GoogleCloudStorageClientSettings {
     /** The GCS SDK Proxy settings. */
     private final ProxySettings proxySettings;
 
+    /** The GCS SDK Truststore settings. */
+    private final TruststoreSettings truststoreSettings;
+
     GoogleCloudStorageClientSettings(
         final ServiceAccountCredentials credential,
         final String endpoint,
@@ -199,7 +223,8 @@ public class GoogleCloudStorageClientSettings {
         final TimeValue readTimeout,
         final String applicationName,
         final URI tokenUri,
-        final ProxySettings proxySettings
+        final ProxySettings proxySettings,
+        final TruststoreSettings truststoreSettings
     ) {
         this.credential = credential;
         this.endpoint = endpoint;
@@ -209,6 +234,7 @@ public class GoogleCloudStorageClientSettings {
         this.applicationName = applicationName;
         this.tokenUri = tokenUri;
         this.proxySettings = proxySettings;
+        this.truststoreSettings = truststoreSettings;
     }
 
     public ServiceAccountCredentials getCredential() {
@@ -243,6 +269,10 @@ public ProxySettings getProxySettings() {
         return proxySettings;
     }
 
+    public TruststoreSettings getTruststoreSettings() {
+        return truststoreSettings;
+    }
+
     public static Map<String, GoogleCloudStorageClientSettings> load(final Settings settings) {
         final Map<String, GoogleCloudStorageClientSettings> clients = new HashMap<>();
         for (final String clientName : settings.getGroups(PREFIX).keySet()) {
@@ -265,7 +295,8 @@ static GoogleCloudStorageClientSettings getClientSettings(final Settings setting
             getConfigValue(settings, clientName, READ_TIMEOUT_SETTING),
             getConfigValue(settings, clientName, APPLICATION_NAME_SETTING),
             getConfigValue(settings, clientName, TOKEN_URI_SETTING),
-            validateAndCreateProxySettings(settings, clientName)
+            validateAndCreateProxySettings(settings, clientName),
+            validateAndCreateTruststoreSettings(settings, clientName)
         );
     }
 
@@ -297,6 +328,36 @@ static ProxySettings validateAndCreateProxySettings(final Settings settings, fin
         }
     }
 
+    static TruststoreSettings validateAndCreateTruststoreSettings(final Settings settings, final String clientName) {
+        final String truststorePathString = getConfigValue(settings, clientName, TRUSTSTORE_PATH_SETTING);
+        final String truststoreType = getConfigValue(settings, clientName, TRUSTSTORE_TYPE_SETTING);
+        final SecureString truststorePassword = getConfigValue(settings, clientName, TRUSTSTORE_PASSWORD_SETTING);
+        final SecureString password = (truststorePassword != null) ? truststorePassword : new SecureString(new char[0]);
+        final boolean hasPath = Strings.hasText(truststorePathString);
+        final boolean hasType = Strings.hasText(truststoreType);
+        final boolean hasPassword = Strings.hasText(password);
+
+        if (!hasPath && !hasType && !hasPassword) {
+            return TruststoreSettings.NO_TRUSTSTORE_SETTINGS;
+        }
+        if (!hasType) {
+            throw new SettingsException(
+                "Google Cloud Storage truststore type is missing. Use '"
+                    + TRUSTSTORE_TYPE_SETTING.getConcreteSettingForNamespace(clientName).getKey()
+                    + "' setting to configure the truststore type."
+            );
+        }
+        if (!hasPath) {
+            throw new SettingsException(
+                "Google Cloud Storage truststore path is missing. Use '"
+                    + TRUSTSTORE_PATH_SETTING.getConcreteSettingForNamespace(clientName).getKey()
+                    + "' setting to configure the truststore path."
+            );
+        }
+
+        return new TruststoreSettings(java.nio.file.Path.of(truststorePathString), truststoreType, password);
+    }
+
     /**
      * Loads the service account file corresponding to a given client name. If no
      * file is defined for the client, a {@code null} credential is returned.

plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageClientSettings.java

@@ -97,7 +97,10 @@ public List<Setting<?>> getSettings() {
             GoogleCloudStorageClientSettings.PROXY_HOST_SETTING,
             GoogleCloudStorageClientSettings.PROXY_PORT_SETTING,
             GoogleCloudStorageClientSettings.PROXY_USERNAME_SETTING,
-            GoogleCloudStorageClientSettings.PROXY_PASSWORD_SETTING
+            GoogleCloudStorageClientSettings.PROXY_PASSWORD_SETTING,
+            GoogleCloudStorageClientSettings.TRUSTSTORE_PATH_SETTING,
+            GoogleCloudStorageClientSettings.TRUSTSTORE_PASSWORD_SETTING,
+            GoogleCloudStorageClientSettings.TRUSTSTORE_TYPE_SETTING
         );
     }
 

plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStoragePlugin.java

@@ -49,13 +49,15 @@
 import org.opensearch.common.collect.MapBuilder;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.settings.SecureString;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.net.Authenticator;
 import java.net.PasswordAuthentication;
 import java.net.Proxy;
 import java.net.URI;
+import java.nio.file.Files;
+import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.Security;
 import java.util.Map;
@@ -189,18 +191,12 @@ public HttpRequestInitializer getHttpRequestInitializer(ServiceOptions<?, ?> ser
     private HttpTransport createHttpTransport(final GoogleCloudStorageClientSettings clientSettings) throws IOException {
         return SocketAccess.doPrivilegedIOException(() -> {
             final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
-            KeyStore certTrustStore;
-            if (Security.getProvider("BCFIPS") != null) {
-                certTrustStore = KeyStore.getInstance("BCFKS");
-                InputStream keyStoreStream = getClass().getResourceAsStream("/google.bcfks");
-                SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
-            } else {
-                // requires java.lang.RuntimePermission "setFactory"
-                // Pin the TLS trust certificates.
-                certTrustStore = GoogleUtils.getCertificateTrustStore();
+            final TruststoreSettings truststoreSettings = clientSettings.getTruststoreSettings();
+            try {
+                builder.trustCertificates(loadTrustStore(truststoreSettings));
+            } catch (GeneralSecurityException e) {
+                throw new IllegalStateException("Failed to load truststore", e);
             }
-
-            builder.trustCertificates(certTrustStore);
             final ProxySettings proxySettings = clientSettings.getProxySettings();
             if (proxySettings != ProxySettings.NO_PROXY_SETTINGS) {
                 if (proxySettings.isAuthenticated()) {
@@ -217,6 +213,32 @@ protected PasswordAuthentication getPasswordAuthentication() {
         });
     }
 
+    private KeyStore loadTrustStore(TruststoreSettings truststoreSettings) throws GeneralSecurityException, IOException {
+        KeyStore certTrustStore;
+        if (truststoreSettings.isConfigured()) {
+            final var truststorePath = truststoreSettings.path();
+            final var truststoreType = truststoreSettings.type();
+            final SecureString truststorePassword = truststoreSettings.password();
+            certTrustStore = KeyStore.getInstance(truststoreType);
+            try (var trustStoreStream = Files.newInputStream(truststorePath)) {
+                SecurityUtils.loadKeyStore(certTrustStore, trustStoreStream, truststorePassword.toString());
+            }
+            logger.debug("Loaded custom truststore from path: {} with type: {}", truststorePath, truststoreType);
+        } else if (Security.getProvider("BCFIPS") != null) {
+            throw new IllegalStateException(
+                "FIPS mode is active but no custom truststore is configured. "
+                    + "Please configure gcs.client.<client-name>.truststore.path and "
+                    + "gcs.client.<client-name>.truststore.secure_password settings."
+            );
+        } else {
+            // requires java.lang.RuntimePermission "setFactory"
+            // Pin the TLS trust certificates.
+            certTrustStore = GoogleUtils.getCertificateTrustStore();
+            logger.debug("Using Google default certificate trust store");
+        }
+        return certTrustStore;
+    }
+
     StorageOptions createStorageOptions(
         final GoogleCloudStorageClientSettings clientSettings,
         final HttpTransportOptions httpTransportOptions

plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java

@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.gcs;
+
+import org.opensearch.core.common.Strings;
+import org.opensearch.core.common.settings.SecureString;
+
+import java.nio.file.Path;
+
+/**
+ * Encapsulates truststore configuration for Google Cloud Storage client.
+ * Provides validation and convenient access to truststore settings.
+ */
+public record TruststoreSettings(Path path, String type, SecureString password) {
+
+    public static final TruststoreSettings NO_TRUSTSTORE_SETTINGS = new TruststoreSettings(null, null, null);
+
+    public boolean isConfigured() {
+        return path != null && Strings.hasText(type);
+    }
+
+}