Move test fips configuration to script plugin (#57251)

This commit moves the configuration of all test jvms for fips to a
script plugin. Fips testing is something very specific to the
Elasticsearch build and does not need to be passed on to plugin authors.

build.gradle

@@ -44,6 +44,7 @@ apply from: 'gradle/build-complete.gradle'
 apply from: 'gradle/runtime-jdk-provision.gradle'
 apply from: 'gradle/ide.gradle'
 apply from: 'gradle/local-distribution.gradle'
+apply from: 'gradle/fips.gradle'
 
 // common maven publishing configuration
 allprojects {

buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy

@@ -41,14 +41,15 @@ import org.gradle.api.artifacts.repositories.IvyPatternRepositoryLayout
 import org.gradle.api.artifacts.repositories.MavenArtifactRepository
 import org.gradle.api.credentials.HttpHeaderCredentials
 import org.gradle.api.execution.TaskActionListener
+import org.elasticsearch.gradle.info.GlobalBuildInfoPlugin
+import org.elasticsearch.gradle.precommit.PrecommitTasks
+import org.gradle.api.GradleException
+import org.gradle.api.InvalidUserDataException
+import org.gradle.api.Plugin
+import org.gradle.api.Project
 import org.gradle.api.file.CopySpec
 import org.gradle.api.plugins.ExtraPropertiesExtension
-import org.gradle.api.plugins.JavaPlugin
 import org.gradle.api.tasks.bundling.Jar
-import org.gradle.api.tasks.testing.Test
-import org.gradle.util.GradleVersion
-
-import java.nio.charset.StandardCharsets
 
 /**
  * Encapsulates build configuration for elasticsearch projects.
@@ -75,71 +76,6 @@ class BuildPlugin implements Plugin<Project> {
 
         project.extensions.getByType(ExtraPropertiesExtension).set('versions', VersionProperties.versions)
         PrecommitTasks.create(project, true)
-        configureFips140(project)
-    }
-
-    static void configureFips140(Project project) {
-        // Common config when running with a FIPS-140 runtime JVM
-        if (inFipsJvm()) {
-            // This configuration can be removed once system modules are available
-            GradleUtils.maybeCreate(project.configurations, 'extraJars') {
-                project.dependencies.add('extraJars', "org.bouncycastle:bc-fips:1.0.1")
-                project.dependencies.add('extraJars', "org.bouncycastle:bctls-fips:1.0.9")
-            }
-            ExportElasticsearchBuildResourcesTask buildResources = project.tasks.getByName('buildResources') as ExportElasticsearchBuildResourcesTask
-            File securityProperties = buildResources.copy("fips_java.security")
-            File security8Properties = buildResources.copy("fips_java8.security")
-            File securityPolicy = buildResources.copy("fips_java.policy")
-            File security8Policy = buildResources.copy("fips_java8.policy")
-            File bcfksKeystore = buildResources.copy("cacerts.bcfks")
-            project.pluginManager.withPlugin("elasticsearch.testclusters") {
-                NamedDomainObjectContainer<ElasticsearchCluster> testClusters = project.extensions.findByName(TestClustersPlugin.EXTENSION_NAME) as NamedDomainObjectContainer<ElasticsearchCluster>
-                if (testClusters != null) {
-                    testClusters.all { ElasticsearchCluster cluster ->
-                        cluster.setTestDistribution(TestDistribution.DEFAULT)
-                        for (File dep : project.getConfigurations().getByName("extraJars").getFiles()) {
-                            cluster.extraJarFile(dep)
-                        }
-                        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
-                            cluster.extraConfigFile("fips_java.security", securityProperties)
-                            cluster.extraConfigFile("fips_java.policy", securityPolicy)
-                        } else {
-                            cluster.extraConfigFile("fips_java.security", security8Properties)
-                            cluster.extraConfigFile("fips_java.policy", security8Policy)
-                        }
-                        cluster.extraConfigFile("cacerts.bcfks", bcfksKeystore)
-                        cluster.systemProperty('java.security.properties', '=${ES_PATH_CONF}/fips_java.security')
-                        cluster.systemProperty('java.security.policy', '=${ES_PATH_CONF}/fips_java.policy')
-                        cluster.systemProperty('javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks')
-                        cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password')
-                        cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password')
-                        cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS')
-                        // Can't use our DiagnosticTrustManager with SunJSSE in FIPS mode
-                        cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'
-                    }
-                }
-            }
-            project.tasks.withType(Test).configureEach { Test task ->
-                task.dependsOn(buildResources)
-                // Using the key==value format to override default JVM security settings and policy
-                // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
-                if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
-                    task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", securityProperties.toString()))
-                    task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", securityPolicy.toString()))
-                } else {
-                    task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", security8Properties.toString()))
-                    task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", security8Policy.toString()))
-                }
-                task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
-                task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
-                task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
-                task.systemProperty('javax.net.ssl.trustStore', bcfksKeystore.toString())
-            }
-        }
-    }
-
-    private static inFipsJvm(){
-        return Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
     }
 
     static void configureLicenseAndNotice(Project project) {

buildSrc/src/main/groovy/org/elasticsearch/gradle/test/StandaloneRestTestPlugin.groovy

@@ -65,7 +65,6 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
         ElasticsearchJavaPlugin.configureRepositories(project)
         ElasticsearchJavaPlugin.configureTestTasks(project)
         ElasticsearchJavaPlugin.configureInputNormalization(project)
-        BuildPlugin.configureFips140(project)
         ElasticsearchJavaPlugin.configureCompile(project)
 
         project.extensions.getByType(JavaPluginExtension).sourceCompatibility = BuildParams.minimumRuntimeVersion

gradle/fips.gradle

@@ -0,0 +1,57 @@
+import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask
+import org.elasticsearch.gradle.info.BuildParams
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+
+// Common config when running with a FIPS-140 runtime JVM
+if (BuildParams.inFipsJvm) {
+  allprojects {
+    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
+    boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
+    File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
+    File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
+    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
+    project.pluginManager.withPlugin('elasticsearch.java') {
+      TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
+      fipsResourcesTask.configure {
+        outputDir = fipsResourcesDir
+        copy fipsSecurity.name
+        copy fipsPolicy.name
+        copy 'cacerts.bcfks'
+      }
+      // This configuration can be removed once system modules are available
+      configurations.create('extraFipsJars')
+      dependencies {
+        extraFipsJars 'org.bouncycastle:bc-fips:1.0.1'
+        extraFipsJars 'org.bouncycastle:bctls-fips:1.0.9'
+      }
+      pluginManager.withPlugin("elasticsearch.testclusters") {
+        testClusters.all {
+          for (File dep : project.configurations.extraFipsJars.files) {
+            extraJarFile dep
+          }
+          extraConfigFile "fips_java.security", fipsSecurity
+          extraConfigFile "fips_java.policy", fipsPolicy
+          extraConfigFile "cacerts.bcfks", fipsTrustStore
+          systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'
+          systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'
+          systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'
+          systemProperty 'javax.net.ssl.trustStorePassword', 'password'
+          systemProperty 'javax.net.ssl.keyStorePassword', 'password'
+          systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
+        }
+      }
+      project.tasks.withType(Test).configureEach { Test task ->
+        task.dependsOn('fipsResources')
+        task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
+        task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
+        task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
+        // Using the key==value format to override default JVM security settings and policy
+        // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
+        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
+        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
+        task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
+      }
+    }
+  }
+}