elastic · jkakavas · Apr 9, 2019 · Apr 9, 2019 · Apr 10, 2019 · jkakavas
diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
@@ -152,9 +152,8 @@ class BuildPlugin implements Plugin<Project> {
                 runtimeJavaVersionDetails = findJavaVersionDetails(project, runtimeJavaHome)
                 runtimeJavaVersionEnum = JavaVersion.toVersion(findJavaSpecificationVersion(project, runtimeJavaHome))
             }
-
-            String inFipsJvmScript = 'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));'
-            boolean inFipsJvm = Boolean.parseBoolean(runJavaAsScript(project, runtimeJavaHome, inFipsJvmScript))
+            // Java home name checking is fragile, but we control the environment
+            boolean inFipsJvm = runtimeJavaHome.contains("fips")
 
             // Build debugging info
             println '======================================='
@@ -590,6 +589,16 @@ class BuildPlugin implements Plugin<Project> {
                 url "https://s3.amazonaws.com/download.elasticsearch.org/lucenesnapshots/${revision}"
             }
         }
+        String compilerJavaHome = findCompilerJavaHome()
+        String runtimeJavaHome = findRuntimeJavaHome(compilerJavaHome)
+        if (runtimeJavaHome.contains("fips")) {
+            repos.ivy {
+                url "https://downloads.bouncycastle.org"
+                patternLayout {
+                    artifact 'fips-java/[module]-[revision].[ext]'
+                }
+            }
+        }
     }
 
     /**
@@ -906,6 +915,10 @@ class BuildPlugin implements Plugin<Project> {
             File heapdumpDir = new File(project.buildDir, 'heapdump')
 
             project.tasks.withType(Test) { Test test ->
+                RepositoryHandler repos = project.repositories
+                if (project.ext.inFipsJvm) {
+                    project.dependencies.add('testRuntimeOnly', "org.bouncycastle:bc-fips:1.0.1:jar")
+                }
                 File testOutputDir = new File(test.reports.junitXml.getDestination(), "output")
 
                 doFirst {

diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/precommit/PrecommitTasks.groovy
@@ -111,6 +111,11 @@ class PrecommitTasks {
         }
         task.dependsOn(project.sourceSets.test.classesTaskName)
         task.javaHome = project.runtimeJavaHome
+
+        // Java home name checking is fragile, but we control the environment
+        if (project.runtimeJavaHome.contains("fips")){
+            task.enabled = false
+        }
         return task
     }
 

diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
@@ -39,9 +39,3 @@ test {
   // TODO: find a way to add permissions for the tests in this module
   systemProperty 'tests.security.manager', 'false'
 }
-
-if (project.inFipsJvm) {
-  // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
-  // rather than provide a long list of exclusions, disable the check on FIPS.
-  thirdPartyAudit.enabled = false
-}
diff --git a/modules/reindex/build.gradle b/modules/reindex/build.gradle
@@ -98,6 +98,7 @@ dependencies {
 // Issue tracked in https://github.com/elastic/elasticsearch/issues/40904
 if (project.inFipsJvm) {
   integTest.enabled = false
+  testingConventions.enabled = false
 }
 
 if (Os.isFamily(Os.FAMILY_WINDOWS)) {

diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
@@ -88,6 +88,7 @@ thirdPartyAudit {
         'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
         'org.bouncycastle.jce.provider.BouncyCastleProvider',
         'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
+        'org.bouncycastle.asn1.x500.X500Name',
 
         // from io.netty.handler.ssl.JettyNpnSslEngine (netty)
         'org.eclipse.jetty.npn.NextProtoNego$ClientProvider',
@@ -169,12 +170,4 @@ thirdPartyAudit {
         'io.netty.util.internal.shaded.org.jctools.util.UnsafeRefArrayAccess',
         'io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator'
     )
-}
-
-if (project.inFipsJvm == false) {
-    // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
-    // a FIPS JVM with BouncyCastleFIPS Provider
-    thirdPartyAudit.ignoreMissingClasses (
-            'org.bouncycastle.asn1.x500.X500Name'
-    )
-}
+}
diff --git a/plugins/discovery-azure-classic/build.gradle b/plugins/discovery-azure-classic/build.gradle
@@ -48,7 +48,7 @@ dependencies {
   compile 'org.codehaus.jackson:jackson-core-asl:1.9.2'
   compile 'org.codehaus.jackson:jackson-mapper-asl:1.9.2'
   compile 'org.codehaus.jackson:jackson-jaxrs:1.9.2'
-  compile 'org.codehaus.jackson:jackson-xc:1.9.2'  
+  compile 'org.codehaus.jackson:jackson-xc:1.9.2'
 
   // HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
   // and whitelist this hack in JarHell 
@@ -63,6 +63,7 @@ File keystore = new File(project.buildDir, 'keystore/test-node.jks')
 
 // generate the keystore
 task createKey(type: LoggedExec) {
+  onlyIf { inFipsJvm == false }
   doFirst {
     project.delete(keystore.parentFile)
     keystore.parentFile.mkdirs()
@@ -133,3 +134,9 @@ thirdPartyAudit.ignoreMissingClasses (
   'com.sun.xml.fastinfoset.stax.StAXDocumentParser', 
   'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer'
 )
+
+if (inFipsJvm) {
+  // We do not run integ tests in FIPS mode as these use a JKS keystore for the azure settings
+  integTest.enabled = false
+  testingConventions.enabled = false
+}
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
@@ -82,10 +82,4 @@ forbiddenPatterns {
 
 thirdPartyAudit{ 
     ignoreMissingClasses()
-}
-
-if (project.inFipsJvm) {
-    // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
-    // rather than provide a long list of exclusions, disable the check on FIPS.
-    thirdPartyAudit.enabled = false
-}
+}
diff --git a/plugins/transport-nio/build.gradle b/plugins/transport-nio/build.gradle
@@ -59,6 +59,7 @@ thirdPartyAudit {
         'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
         'org.bouncycastle.jce.provider.BouncyCastleProvider',
         'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
+        'org.bouncycastle.asn1.x500.X500Name',
 
         // from io.netty.handler.ssl.JettyNpnSslEngine (netty)
         'org.eclipse.jetty.npn.NextProtoNego$ClientProvider',
@@ -147,11 +148,4 @@ thirdPartyAudit {
 
         'io.netty.handler.ssl.util.OpenJdkSelfSignedCertGenerator'
     )
-}
-if (project.inFipsJvm == false) {
-    // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
-    // a FIPS JVM with BouncyCastleFIPS Provider
-    thirdPartyAudit.ignoreMissingClasses (
-            'org.bouncycastle.asn1.x500.X500Name'
-    )
-}
+}
diff --git a/x-pack/plugin/ml/build.gradle b/x-pack/plugin/ml/build.gradle
@@ -113,4 +113,4 @@ gradle.projectsEvaluated {
 // also add an "alias" task to make typing on the command line easier
 task icTest {
   dependsOn internalClusterTest
-}
+}
diff --git a/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle b/x-pack/plugin/ml/qa/native-multi-node-tests/build.gradle
@@ -69,4 +69,4 @@ integTestCluster {
                 retries: 10)
         return tmpFile.exists()
     }
-}
+}
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
@@ -325,5 +325,4 @@ gradle.projectsEvaluated {
             .subprojects
             .findAll { it.path.startsWith(project.path + ":qa") }
             .each { check.dependsOn it.check }
-}
-
+}
diff --git a/x-pack/plugin/security/cli/build.gradle b/x-pack/plugin/security/cli/build.gradle
@@ -30,8 +30,4 @@ if (project.inFipsJvm) {
     tasks.withType(CheckForbiddenApis) {
         bundledSignatures -= "jdk-non-portable"
     }
-    // FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit,
-    // rather than provide a long list of exclusions, disable the check on FIPS.
-    thirdPartyAudit.enabled = false
-
 }
diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle
@@ -44,5 +44,4 @@ integTestCluster {
     http.setCertificateAuthorities(caFile)
     return http.wait(5000)
   }
-}
-
+}
diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle
@@ -146,4 +146,4 @@ task regen {
             patternset(includes: 'SqlBase*.java')
         }
     }
-}
+}
diff --git a/x-pack/plugin/sql/qa/security/with-ssl/build.gradle b/x-pack/plugin/sql/qa/security/with-ssl/build.gradle
@@ -208,8 +208,7 @@ integTestCluster {
   }
 }
 Closure notRunningFips = {
-  Boolean.parseBoolean(BuildPlugin.runJavaAsScript(project, project.runtimeJavaHome,
-          'print(java.security.Security.getProviders()[0].name.toLowerCase().contains("fips"));')) == false
+  inFipsJvm == false
 }
 
 // Do not attempt to form a cluster in a FIPS JVM, as doing so with a JKS keystore will fail.
@@ -219,6 +218,16 @@ tasks.matching({ it.name == "integTestCluster#init" }).all { onlyIf notRunningFi
 tasks.matching({ it.name == "integTestCluster#start" }).all { onlyIf notRunningFips }
 tasks.matching({ it.name == "integTestCluster#wait" }).all { onlyIf notRunningFips }
 tasks.matching({ it.name == "integTestRunner" }).all { onlyIf notRunningFips }
+tasks.matching({ it.name == "createNodeKeyStore" }).all { onlyIf notRunningFips }
+tasks.matching({ it.name == "createClientKeyStore" }).all { onlyIf notRunningFips }
+tasks.matching({ it.name == "exportNodeCertificate" }).all { onlyIf notRunningFips }
+tasks.matching({ it.name == "exportClientCertificate" }).all { onlyIf  notRunningFips }
+tasks.matching({ it.name == "importNodeCertificateInClientKeyStore" }).all { onlyIf notRunningFips}
+tasks.matching({ it.name == "importClientCertificateInNodeKeyStore" }).all { onlyIf notRunningFips}
+
+if (project.inFipsJvm) {
+  testingConventions.enabled = false
+}
 
 /** A lazy evaluator to find the san to use for certificate generation. */
 class SanEvaluator {

diff --git a/x-pack/plugin/sql/qa/security/without-ssl/build.gradle b/x-pack/plugin/sql/qa/security/without-ssl/build.gradle
@@ -15,3 +15,6 @@ integTestCluster {
     return tmpFile.exists()
   }
 }
+if (project.inFipsJvm) {
+  testingConventions.enabled = false
+}
diff --git a/x-pack/qa/core-rest-tests-with-security/build.gradle b/x-pack/qa/core-rest-tests-with-security/build.gradle
@@ -43,4 +43,4 @@ integTestCluster {
             retries: 10)
     return tmpFile.exists()
   }
-}
+}
diff --git a/x-pack/qa/evil-tests/build.gradle b/x-pack/qa/evil-tests/build.gradle
@@ -8,4 +8,4 @@ dependencies {
 test {
     systemProperty 'tests.security.manager', 'false'
     include '**/*Tests.class'
-}
+}
diff --git a/x-pack/qa/full-cluster-restart/build.gradle b/x-pack/qa/full-cluster-restart/build.gradle
@@ -232,4 +232,4 @@ task copyXPackPluginProps(type: Copy) {
     from project(xpackModule('core')).tasks.pluginProperties
     into outputDir
 }
-project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps)
+project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps)
diff --git a/x-pack/qa/kerberos-tests/build.gradle b/x-pack/qa/kerberos-tests/build.gradle
@@ -73,5 +73,4 @@ task copyKeytabToGeneratedResources(type: Copy) {
     into generatedResources
     dependsOn project(':test:fixtures:krb5kdc-fixture').postProcessFixture
 }
-project.sourceSets.test.output.dir(generatedResources, builtBy:copyKeytabToGeneratedResources)
-
+project.sourceSets.test.output.dir(generatedResources, builtBy:copyKeytabToGeneratedResources)
diff --git a/x-pack/qa/openldap-tests/build.gradle b/x-pack/qa/openldap-tests/build.gradle
@@ -17,4 +17,4 @@ task copyIdpTrust(type: Copy) {
     from idpFixtureProject.file('openldap/certs/ca_server.pem');
     into outputDir
 }
-project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
+project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
diff --git a/x-pack/qa/reindex-tests-with-security/build.gradle b/x-pack/qa/reindex-tests-with-security/build.gradle
@@ -58,4 +58,4 @@ integTestCluster {
     http.setPassword("x-pack-test-password")
     return http.wait(5000)
   }
-}
+}
diff --git a/x-pack/qa/saml-idp-tests/build.gradle b/x-pack/qa/saml-idp-tests/build.gradle
@@ -111,4 +111,4 @@ thirdPartyAudit {
    ignoreMissingClasses ( 
        'com.ibm.icu.lang.UCharacter'
    )
-}
+}
diff --git a/x-pack/qa/security-tools-tests/build.gradle b/x-pack/qa/security-tools-tests/build.gradle
@@ -20,4 +20,4 @@ forbiddenPatterns {
 }
 
 // these are just tests, no need to audit
-thirdPartyAudit.enabled = false
+thirdPartyAudit.enabled = false
diff --git a/x-pack/qa/third-party/active-directory/build.gradle b/x-pack/qa/third-party/active-directory/build.gradle
@@ -30,5 +30,4 @@ test {
   systemProperty 'es.set.netty.runtime.available.processors', 'false'
   include '**/*IT.class'
   include '**/*Tests.class'
-}
-
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -69,4 +69,4 @@ integTestCluster { @@
                     retries: 10)
             return tmpFile.exists()
         }
-    }
+    }