From 8202c2e559caedccd5509fb90fab1fc6d270699d Mon Sep 17 00:00:00 2001 From: Ryan Ernst Date: Mon, 1 Jun 2020 10:24:12 -0700 Subject: [PATCH] Move test fips configuration to script plugin (#57251) This commit moves the configuration of all test jvms for fips to a script plugin. Fips testing is something very specific to the Elasticsearch build and does not need to be passed on to plugin authors. --- build.gradle | 1 + .../elasticsearch/gradle/BuildPlugin.groovy | 76 ++----------------- .../test/StandaloneRestTestPlugin.groovy | 1 - gradle/fips.gradle | 57 ++++++++++++++ 4 files changed, 64 insertions(+), 71 deletions(-) create mode 100644 gradle/fips.gradle
diff --git a/build.gradle b/build.gradle
index e1b2caa951bee..f5ed3949b9034 100644
--- a/build.gradle
+++ b/build.gradle
@@ -44,6 +44,7 @@ apply from: 'gradle/build-complete.gradle'
 apply from: 'gradle/runtime-jdk-provision.gradle'
 apply from: 'gradle/ide.gradle'
 apply from: 'gradle/local-distribution.gradle'
+apply from: 'gradle/fips.gradle'
 // common maven publishing configuration
 allprojects {
diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
index e7031004c2f4a..e6b0a2579e293 100644
--- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
+++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
@@ -41,14 +41,15 @@ import org.gradle.api.artifacts.repositories.IvyPatternRepositoryLayout
 import org.gradle.api.artifacts.repositories.MavenArtifactRepository
 import org.gradle.api.credentials.HttpHeaderCredentials
 import org.gradle.api.execution.TaskActionListener
+import org.elasticsearch.gradle.info.GlobalBuildInfoPlugin
+import org.elasticsearch.gradle.precommit.PrecommitTasks
+import org.gradle.api.GradleException
+import org.gradle.api.InvalidUserDataException
+import org.gradle.api.Plugin
+import org.gradle.api.Project
 import org.gradle.api.file.CopySpec
 import org.gradle.api.plugins.ExtraPropertiesExtension
-import org.gradle.api.plugins.JavaPlugin
 import org.gradle.api.tasks.bundling.Jar
-import org.gradle.api.tasks.testing.Test
-import org.gradle.util.GradleVersion
-
-import java.nio.charset.StandardCharsets
 /**
 * Encapsulates build configuration for elasticsearch projects.
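Review bot: The six imports added after `org.gradle.api.execution.TaskActionListener` look redundant, because `Plugin` and `PrecommitTasks` are already used by unchanged code in this file (`class BuildPlugin implements Plugin`, `PrecommitTasks.create(project, true)`) and no other hunk in this patch removes an earlier import of them, so they were presumably in scope before. They also land out of order, with `org.elasticsearch.*` entries sitting between two `org.gradle.api.*` groups. The import block starts above this hunk, so this needs checking against the full file; drop whichever copies are duplicates. Imports that only the deleted `configureFips140` referenced (for example `TestClustersPlugin`, `ElasticsearchCluster`, `TestDistribution`) are worth pruning in the same pass if nothing else in the class uses them.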
@@ -75,71 +76,6 @@ class BuildPlugin implements Plugin {
 project.extensions.getByType(ExtraPropertiesExtension).set('versions', VersionProperties.versions)
 PrecommitTasks.create(project, true)
- configureFips140(project)
- }
-
- static void configureFips140(Project project) {
- // Common config when running with a FIPS-140 runtime JVM
- if (inFipsJvm()) {
- // This configuration can be removed once system modules are available
- GradleUtils.maybeCreate(project.configurations, 'extraJars') {
- project.dependencies.add('extraJars', "org.bouncycastle:bc-fips:1.0.1")
- project.dependencies.add('extraJars', "org.bouncycastle:bctls-fips:1.0.9")
- }
- ExportElasticsearchBuildResourcesTask buildResources = project.tasks.getByName('buildResources') as ExportElasticsearchBuildResourcesTask
- File securityProperties = buildResources.copy("fips_java.security")
- File security8Properties = buildResources.copy("fips_java8.security")
- File securityPolicy = buildResources.copy("fips_java.policy")
- File security8Policy = buildResources.copy("fips_java8.policy")
- File bcfksKeystore = buildResources.copy("cacerts.bcfks")
- project.pluginManager.withPlugin("elasticsearch.testclusters") {
- NamedDomainObjectContainer testClusters = project.extensions.findByName(TestClustersPlugin.EXTENSION_NAME) as NamedDomainObjectContainer
- if (testClusters != null) {
- testClusters.all { ElasticsearchCluster cluster ->
- cluster.setTestDistribution(TestDistribution.DEFAULT)
- for (File dep : project.getConfigurations().getByName("extraJars").getFiles()) {
- cluster.extraJarFile(dep)
- }
- if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
- cluster.extraConfigFile("fips_java.security", securityProperties)
- cluster.extraConfigFile("fips_java.policy", securityPolicy)
- } else {
- cluster.extraConfigFile("fips_java.security", security8Properties)
- cluster.extraConfigFile("fips_java.policy", security8Policy)
- }
- cluster.extraConfigFile("cacerts.bcfks", bcfksKeystore)
- cluster.systemProperty('java.security.properties', '=${ES_PATH_CONF}/fips_java.security')
- cluster.systemProperty('java.security.policy', '=${ES_PATH_CONF}/fips_java.policy')
- cluster.systemProperty('javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks')
- cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password')
- cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password')
- cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS')
- // Can't use our DiagnosticTrustManager with SunJSSE in FIPS mode
- cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'
- }
- }
- }
- project.tasks.withType(Test).configureEach { Test task ->
- task.dependsOn(buildResources)
- // Using the key==value format to override default JVM security settings and policy
- // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
- if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
- task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", securityProperties.toString()))
- task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", securityPolicy.toString()))
- } else {
- task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", security8Properties.toString()))
- task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", security8Policy.toString()))
- }
- task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
- task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
- task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
- task.systemProperty('javax.net.ssl.trustStore', bcfksKeystore.toString())
- }
- }
- }
-
- private static inFipsJvm(){
- return Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
 }
 static void configureLicenseAndNotice(Project project) {
diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/test/StandaloneRestTestPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/test/StandaloneRestTestPlugin.groovy
index c4bf0e4db1d4c..a35d01a4bdac0 100644
--- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/test/StandaloneRestTestPlugin.groovy
+++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/test/StandaloneRestTestPlugin.groovy
@@ -65,7 +65,6 @@ class StandaloneRestTestPlugin implements Plugin {
 ElasticsearchJavaPlugin.configureRepositories(project)
 ElasticsearchJavaPlugin.configureTestTasks(project)
 ElasticsearchJavaPlugin.configureInputNormalization(project)
- BuildPlugin.configureFips140(project)
 ElasticsearchJavaPlugin.configureCompile(project)
 project.extensions.getByType(JavaPluginExtension).sourceCompatibility = BuildParams.minimumRuntimeVersion
diff --git a/gradle/fips.gradle b/gradle/fips.gradle
new file mode 100644
index 0000000000000..f52628cae99f1
--- /dev/null
+++ b/gradle/fips.gradle
@@ -0,0 +1,57 @@
+import org.elasticsearch.gradle.ExportElasticsearchBuildResourcesTask
+import org.elasticsearch.gradle.info.BuildParams
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
+
+// Common config when running with a FIPS-140 runtime JVM
+if (BuildParams.inFipsJvm) {
+ allprojects {
+ File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
+ boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
+ File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
+ File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
+ File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
+ project.pluginManager.withPlugin('elasticsearch.java') {
+ TaskProvider fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
+ fipsResourcesTask.configure {
+ outputDir = fipsResourcesDir
+ copy fipsSecurity.name
+ copy fipsPolicy.name
+ copy 'cacerts.bcfks'
+ }
+ // This configuration can be removed once system modules are available
+ configurations.create('extraFipsJars')
+ dependencies {
+ extraFipsJars 'org.bouncycastle:bc-fips:1.0.1'
+ extraFipsJars 'org.bouncycastle:bctls-fips:1.0.9'
+ }
+ pluginManager.withPlugin("elasticsearch.testclusters") {
+ testClusters.all {
+ for (File dep : project.configurations.extraFipsJars.files) {
+ extraJarFile dep
+ }
+ extraConfigFile "fips_java.security", fipsSecurity
+ extraConfigFile "fips_java.policy", fipsPolicy
+ extraConfigFile "cacerts.bcfks", fipsTrustStore
+ systemProperty 'java.security.properties', '=${ES_PATH_CONF}/fips_java.security'
+ systemProperty 'java.security.policy', '=${ES_PATH_CONF}/fips_java.policy'
+ systemProperty 'javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks'
+ systemProperty 'javax.net.ssl.trustStorePassword', 'password'
+ systemProperty 'javax.net.ssl.keyStorePassword', 'password'
+ systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
+ }
+ }
+ project.tasks.withType(Test).configureEach { Test task ->
+ task.dependsOn('fipsResources')
+ task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
+ task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
+ task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
+ // Using the key==value format to override default JVM security settings and policy
+ // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
+ task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
+ task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
+ task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
+ }
+ }
+ }
+}
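Review bot: The `testClusters.all` block drops two things the removed `configureFips140` applied to every cluster: `cluster.setTestDistribution(TestDistribution.DEFAULT)` and `cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'`, the latter carrying the comment that the DiagnosticTrustManager cannot be used with SunJSSE in FIPS mode. Unless both are now set somewhere outside this patch, FIPS test clusters would run on whatever distribution the project picked and with that setting left at its default; restoring `testDistribution = 'DEFAULT'` and `setting 'xpack.security.ssl.diagnose.trust', 'false'` inside the closure, with the original comment, keeps the old behaviour. Everything here is also gated on `withPlugin('elasticsearch.java')`, while `StandaloneRestTestPlugin` (which loses its `configureFips140` call in this patch) is only seen calling `ElasticsearchJavaPlugin` statics, so it is worth confirming those projects still receive the FIPS security properties and trust store. The `ElasticsearchCluster` import is listed twice and is not referenced anywhere in the script.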