Adjustments for FIPS 140 testing (elastic#49319)

- Don't install ingest-attachment and don't run the related docs
tests, since ingest-attachment is not supported in FIPS 140 JVMs
- Move copying extra jars and extra config files earlier on in the
node configuration so that elasticsearch-keystore and
elasticsearch-plugin that run before the node starts have all files
(policy, properties, jars) available.
- BCJSSE needs a certificate to be explicitly added in a keystore
as a trustedcerty entry, it's not enough for it to be in privatekeyentry
for it to be trusted
- Set the value for BuildParams.inFipsJvm configuration time

Author: jkakavas

buildSrc/build.gradle

@@ -171,6 +171,9 @@ if (project != rootProject) {
   forbiddenApisTest.enabled = false
   jarHell.enabled = false
   thirdPartyAudit.enabled = false
+  if (Boolean.parseBoolean(System.getProperty("tests.fips.enabled"))){
+    test.enabled = false
+  }
 
   configurations {
     distribution

buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy

@@ -18,7 +18,6 @@
  */
 package org.elasticsearch.gradle
 
-import com.github.jengelman.gradle.plugins.shadow.ShadowPlugin
 import com.github.jengelman.gradle.plugins.shadow.ShadowBasePlugin
 import com.github.jengelman.gradle.plugins.shadow.ShadowExtension
 import com.github.jengelman.gradle.plugins.shadow.ShadowJavaPlugin
@@ -27,6 +26,8 @@ import groovy.transform.CompileStatic
 import org.apache.commons.io.IOUtils
 import org.elasticsearch.gradle.info.BuildParams
 import org.elasticsearch.gradle.info.GlobalBuildInfoPlugin
+import org.elasticsearch.gradle.info.GlobalInfoExtension
+import org.elasticsearch.gradle.info.JavaHome
 import org.elasticsearch.gradle.precommit.DependencyLicensesTask
 import org.elasticsearch.gradle.precommit.PrecommitTasks
 import org.elasticsearch.gradle.test.ErrorReportingTestListener
@@ -144,44 +145,60 @@ class BuildPlugin implements Plugin<Project> {
     static void configureFips140(Project project) {
         // Common config when running with a FIPS-140 runtime JVM
         if (inFipsJvm()) {
-            ExportElasticsearchBuildResourcesTask buildResources = project.tasks.getByName('buildResources') as ExportElasticsearchBuildResourcesTask
-            File securityProperties = buildResources.copy("fips_java.security")
-            File securityPolicy = buildResources.copy("fips_java.policy")
-            File bcfksKeystore = buildResources.copy("cacerts.bcfks")
             // This configuration can be removed once system modules are available
             Boilerplate.maybeCreate(project.configurations, 'extraJars') {
                 project.dependencies.add('extraJars', "org.bouncycastle:bc-fips:1.0.1")
                 project.dependencies.add('extraJars', "org.bouncycastle:bctls-fips:1.0.9")
             }
+            ExportElasticsearchBuildResourcesTask buildResources = project.tasks.getByName('buildResources') as ExportElasticsearchBuildResourcesTask
+            File securityProperties = buildResources.copy("fips_java.security")
+            File security8Properties = buildResources.copy("fips_java8.security")
+            File securityPolicy = buildResources.copy("fips_java.policy")
+            File security8Policy = buildResources.copy("fips_java8.policy")
+            File bcfksKeystore = buildResources.copy("cacerts.bcfks")
+            GlobalInfoExtension globalInfo = project.rootProject.extensions.getByType(GlobalInfoExtension)
             project.pluginManager.withPlugin("elasticsearch.testclusters") {
                 NamedDomainObjectContainer<ElasticsearchCluster> testClusters = project.extensions.findByName(TestClustersPlugin.EXTENSION_NAME) as NamedDomainObjectContainer<ElasticsearchCluster>
                 testClusters.all { ElasticsearchCluster cluster ->
-                    for (File dep : project.getConfigurations().getByName("extraJars").getFiles()){
-                        cluster.extraJarFile(dep)
+                    globalInfo.ready {
+                        for (File dep : project.getConfigurations().getByName("extraJars").getFiles()) {
+                            cluster.extraJarFile(dep)
+                        }
+                        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
+                            cluster.extraConfigFile("fips_java.security", securityProperties)
+                            cluster.extraConfigFile("fips_java.policy", securityPolicy)
+                        } else {
+                            cluster.extraConfigFile("fips_java.security", security8Properties)
+                            cluster.extraConfigFile("fips_java.policy", security8Policy)
+                        }
+                        cluster.extraConfigFile("cacerts.bcfks", bcfksKeystore)
+                        cluster.systemProperty('java.security.properties', '=${ES_PATH_CONF}/fips_java.security')
+                        cluster.systemProperty('java.security.policy', '=${ES_PATH_CONF}/fips_java.policy')
+                        cluster.systemProperty('javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks')
+                        cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password')
+                        cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password')
+                        cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS')
                     }
-                    cluster.extraConfigFile("fips_java.security", securityProperties)
-                    cluster.extraConfigFile("fips_java.policy", securityPolicy)
-                    cluster.extraConfigFile("cacerts.bcfks", bcfksKeystore)
-                    cluster.systemProperty('java.security.properties', '=${ES_PATH_CONF}/fips_java.security')
-                    cluster.systemProperty('java.security.policy', '=${ES_PATH_CONF}/fips_java.policy')
-                    cluster.systemProperty('javax.net.ssl.trustStore', '${ES_PATH_CONF}/cacerts.bcfks')
-                    cluster.systemProperty('javax.net.ssl.trustStorePassword', 'password')
-                    cluster.systemProperty('javax.net.ssl.keyStorePassword', 'password')
-                    cluster.systemProperty('javax.net.ssl.keyStoreType', 'BCFKS')
                 }
             }
             project.tasks.withType(Test).configureEach { Test task ->
                 task.dependsOn(buildResources)
-                task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
-                task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
-                task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
-                // Using the key==value format to override default JVM security settings and policy
-                // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
-                task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", securityProperties.toString()))
-                task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", securityPolicy.toString()))
-                task.systemProperty('javax.net.ssl.trustStore', bcfksKeystore.toString())
+                globalInfo.ready {
+                    task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
+                    task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
+                    task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
+                    // Using the key==value format to override default JVM security settings and policy
+                    // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
+                    if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
+                        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", securityProperties.toString()))
+                        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", securityPolicy.toString()))
+                    } else {
+                        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", security8Properties.toString()))
+                        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", security8Policy.toString()))
+                    }
+                    task.systemProperty('javax.net.ssl.trustStore', bcfksKeystore.toString())
+                }
             }
-
         }
     }
 

buildSrc/src/main/java/org/elasticsearch/gradle/info/GenerateGlobalBuildInfoTask.java

@@ -41,14 +41,12 @@ public class GenerateGlobalBuildInfoTask extends DefaultTask {
     private final RegularFileProperty outputFile;
     private final RegularFileProperty compilerVersionFile;
     private final RegularFileProperty runtimeVersionFile;
-    private final RegularFileProperty fipsJvmFile;
 
     @Inject
     public GenerateGlobalBuildInfoTask(ObjectFactory objectFactory) {
         this.outputFile = objectFactory.fileProperty();
         this.compilerVersionFile = objectFactory.fileProperty();
         this.runtimeVersionFile = objectFactory.fileProperty();
-        this.fipsJvmFile = objectFactory.fileProperty();
     }
 
     @Input
@@ -113,11 +111,6 @@ public RegularFileProperty getRuntimeVersionFile() {
         return runtimeVersionFile;
     }
 
-    @OutputFile
-    public RegularFileProperty getFipsJvmFile() {
-        return fipsJvmFile;
-    }
-
     @TaskAction
     public void generate() {
         String javaVendorVersion = System.getProperty("java.vendor.version", System.getProperty("java.vendor"));
@@ -130,7 +123,6 @@ public void generate() {
         String runtimeJavaVersionDetails = gradleJavaVersionDetails;
         JavaVersion runtimeJavaVersionEnum = JavaVersion.current();
         File gradleJavaHome = Jvm.current().getJavaHome();
-        boolean inFipsJvm = false;
 
         try {
             if (Files.isSameFile(compilerJavaHome.toPath(), gradleJavaHome.toPath()) == false) {
@@ -146,8 +138,6 @@ public void generate() {
                 if (runtimeJavaHome.exists()) {
                     runtimeJavaVersionDetails = findJavaVersionDetails(runtimeJavaHome);
                     runtimeJavaVersionEnum = JavaVersion.toVersion(findJavaSpecificationVersion(runtimeJavaHome));
-
-                    inFipsJvm = Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
                 } else {
                     throw new RuntimeException("Runtime Java home path of '" + compilerJavaHome + "' does not exist");
                 }
@@ -213,7 +203,6 @@ public void generate() {
 
         writeToFile(compilerVersionFile.getAsFile().get(), compilerJavaVersionEnum.name());
         writeToFile(runtimeVersionFile.getAsFile().get(), runtimeJavaVersionEnum.name());
-        writeToFile(fipsJvmFile.getAsFile().get(), Boolean.toString(inFipsJvm));
     }
 
     private void writeToFile(File file, String content) {

buildSrc/src/main/java/org/elasticsearch/gradle/info/GlobalBuildInfoPlugin.java

@@ -76,14 +76,12 @@ public void apply(Project project) {
                 task.getOutputFile().set(new File(project.getBuildDir(), "global-build-info"));
                 task.getCompilerVersionFile().set(new File(project.getBuildDir(), "java-compiler-version"));
                 task.getRuntimeVersionFile().set(new File(project.getBuildDir(), "java-runtime-version"));
-                task.getFipsJvmFile().set(new File(project.getBuildDir(), "in-fips-jvm"));
             });
 
         PrintGlobalBuildInfoTask printTask = project.getTasks().create("printGlobalBuildInfo", PrintGlobalBuildInfoTask.class, task -> {
             task.getBuildInfoFile().set(generateTask.getOutputFile());
             task.getCompilerVersionFile().set(generateTask.getCompilerVersionFile());
             task.getRuntimeVersionFile().set(generateTask.getRuntimeVersionFile());
-            task.getFipsJvmFile().set(generateTask.getFipsJvmFile());
             task.setGlobalInfoListeners(extension.listeners);
         });
 
@@ -103,6 +101,7 @@ public void apply(Project project) {
             params.setIsCi(System.getenv("JENKINS_URL") != null);
             params.setIsInternal(GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null);
             params.setDefaultParallel(findDefaultParallel(project));
+            params.setInFipsJvm(isInFipsJvm());
         });
 
         project.allprojects(p -> {
@@ -153,6 +152,10 @@ private static String getJavaHomeEnvVarName(String version) {
         return "JAVA" + version + "_HOME";
     }
 
+    private static boolean isInFipsJvm() {
+        return Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
+    }
+
     private static String getResourceContents(String resourcePath) {
         try (BufferedReader reader = new BufferedReader(
             new InputStreamReader(GlobalBuildInfoPlugin.class.getResourceAsStream(resourcePath))

buildSrc/src/main/java/org/elasticsearch/gradle/info/PrintGlobalBuildInfoTask.java

@@ -16,15 +16,13 @@ public class PrintGlobalBuildInfoTask extends DefaultTask {
     private final RegularFileProperty buildInfoFile;
     private final RegularFileProperty compilerVersionFile;
     private final RegularFileProperty runtimeVersionFile;
-    private final RegularFileProperty fipsJvmFile;
     private List<Runnable> globalInfoListeners = new ArrayList<>();
 
     @Inject
     public PrintGlobalBuildInfoTask(ObjectFactory objectFactory) {
         this.buildInfoFile = objectFactory.fileProperty();
         this.compilerVersionFile = objectFactory.fileProperty();
         this.runtimeVersionFile = objectFactory.fileProperty();
-        this.fipsJvmFile = objectFactory.fileProperty();
     }
 
     @InputFile
@@ -42,11 +40,6 @@ public RegularFileProperty getRuntimeVersionFile() {
         return runtimeVersionFile;
     }
 
-    @InputFile
-    public RegularFileProperty getFipsJvmFile() {
-        return fipsJvmFile;
-    }
-
     public void setGlobalInfoListeners(List<Runnable> globalInfoListeners) {
         this.globalInfoListeners = globalInfoListeners;
     }
@@ -57,6 +50,7 @@ public void print() {
         getLogger().quiet("Elasticsearch Build Hamster says Hello!");
         getLogger().quiet(getFileText(getBuildInfoFile()).asString());
         getLogger().quiet("  Random Testing Seed   : " + BuildParams.getTestSeed());
+        getLogger().quiet("  In FIPS 140 mode      : " + BuildParams.isInFipsJvm());
         getLogger().quiet("=======================================");
 
         setGlobalProperties();
@@ -76,7 +70,6 @@ private void setGlobalProperties() {
         BuildParams.init(params -> {
             params.setCompilerJavaVersion(JavaVersion.valueOf(getFileText(getCompilerVersionFile()).asString()));
             params.setRuntimeJavaVersion(JavaVersion.valueOf(getFileText(getRuntimeVersionFile()).asString()));
-            params.setInFipsJvm(Boolean.parseBoolean(getFileText(getFipsJvmFile()).asString()));
         });
     }
 }

buildSrc/src/main/java/org/elasticsearch/gradle/testclusters/ElasticsearchNode.java

@@ -415,6 +415,11 @@ public synchronized void start() {
         } catch (IOException e) {
             throw new UncheckedIOException("Failed to create working directory for " + this, e);
         }
+
+        copyExtraJars();
+
+        copyExtraConfigFiles();
+
         createConfiguration();
 
         if (plugins.isEmpty() == false) {
@@ -438,7 +443,7 @@ public synchronized void start() {
             runElaticsearchBinScript("elasticsearch-keystore", "create");
 
             keystoreSettings.forEach((key, value) ->
-                runElaticsearchBinScriptWithInput(value.toString(), "elasticsearch-keystore", "add", "-x", key)
+                runElasticsearchBinScriptWithInput(value.toString(), "elasticsearch-keystore", "add", "-x", key)
             );
 
             for (Map.Entry<String, File> entry : keystoreFiles.entrySet()) {
@@ -453,10 +458,6 @@ public synchronized void start() {
 
         installModules();
 
-        copyExtraConfigFiles();
-
-        copyExtraJars();
-
         if (isSettingTrue("xpack.security.enabled")) {
             if (credentials.isEmpty()) {
                 user(Collections.emptyMap());
@@ -622,7 +623,7 @@ public void user(Map<String, String> userSpec) {
         credentials.add(cred);
     }
 
-    private void runElaticsearchBinScriptWithInput(String input, String tool, String... args) {
+    private void runElasticsearchBinScriptWithInput(String input, String tool, String... args) {
         if (
             Files.exists(getDistroDir().resolve("bin").resolve(tool)) == false &&
                 Files.exists(getDistroDir().resolve("bin").resolve(tool + ".bat")) == false
@@ -663,7 +664,7 @@ private void runElaticsearchBinScriptWithInput(String input, String tool, String
     }
 
     private void runElaticsearchBinScript(String tool, String... args) {
-        runElaticsearchBinScriptWithInput("", tool, args);
+        runElasticsearchBinScriptWithInput("", tool, args);
     }
 
     private Map<String, String> getESEnvironment() {
@@ -676,6 +677,10 @@ private Map<String, String> getESEnvironment() {
         if (systemProperties.isEmpty() == false) {
             systemPropertiesString = " " + systemProperties.entrySet().stream()
                 .map(entry -> "-D" + entry.getKey() + "=" + entry.getValue())
+                // ES_PATH_CONF is also set as an environment variable and for a reference to ${ES_PATH_CONF}
+                // to work ES_JAVA_OPTS, we need to make sure that ES_PATH_CONF before ES_JAVA_OPTS. Instead,
+                // we replace the reference with the actual value in other environment variables
+                .map(p -> p.replace("${ES_PATH_CONF}", configFile.getParent().toString()))
                 .collect(Collectors.joining(" "));
         }
         String jvmArgsString = "";

buildSrc/src/main/resources/fips_java8.policy

@@ -0,0 +1,16 @@
+grant codeBase "file:${java.home}/lib/ext/localedata.jar" {
+          // Allow resource bundles to be loaded for non root locales. See
+          // https://github.com/elastic/elasticsearch/issues/39981
+          permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
+};
+grant {
+          permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
+          permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
+          permission java.lang.RuntimePermission "getProtectionDomain";
+          permission java.util.PropertyPermission "java.runtime.name", "read";
+          permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
+          //io.netty.handler.codec.DecoderException
+          permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
+          //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
+          permission java.lang.RuntimePermission "accessDeclaredMembers";
+};