forked from opensearch-project/OpenSearch
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfips.gradle
96 lines (90 loc) · 4.47 KB
/
fips.gradle
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/
import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
import org.opensearch.gradle.info.BuildParams
import org.opensearch.gradle.testclusters.OpenSearchCluster
// Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) {
allprojects {
File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")
File fipsSecurity;
File fipsPolicy;
if (java8) {
if (zulu8) {
//Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE
fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")
fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")
} else {
fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")
fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")
}
} else {
fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")
fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
}
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2')
def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')
pluginManager.withPlugin('java') {
TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)
fipsResourcesTask.configure {
outputDir = fipsResourcesDir
copy fipsSecurity.name
copy fipsPolicy.name
copy 'cacerts.bcfks'
}
project.afterEvaluate {
def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
// ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
// set the class path to help maintain pure black box testing, and here we are adding to that classpath
tasks.withType(Test).configureEach { Test test ->
test.setClasspath(test.getClasspath().plus(extraFipsJars))
}
}
pluginManager.withPlugin("opensearch.testclusters") {
afterEvaluate {
// This afterEvaluate hooks is required to avoid deprecated configuration resolution
// This configuration can be removed once system modules are available
def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
testClusters.all {
extraFipsJars.files.each {
extraJarFile it
}
}
}
testClusters.all {
extraConfigFile "fips_java.security", fipsSecurity
extraConfigFile "fips_java.policy", fipsPolicy
extraConfigFile "cacerts.bcfks", fipsTrustStore
systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security'
systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy'
systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks'
systemProperty 'javax.net.ssl.trustStorePassword', 'password'
systemProperty 'javax.net.ssl.keyStorePassword', 'password'
systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
}
}
project.tasks.withType(Test).configureEach { Test task ->
task.dependsOn('fipsResources')
task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
// Using the key==value format to override default JVM security settings and policy
// see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
}
}
}
}