Add FIPS build tooling

Signed-off-by: Igonin <[email protected]>
Co-authored-by: Benny Goerzig <[email protected]>
Co-authored-by: Karsten Schnitter <[email protected]>
Co-authored-by: Kai Sternad <[email protected]>

Author: 4 people

build.gradle

@@ -65,7 +65,6 @@ apply from: 'gradle/ide.gradle'
 apply from: 'gradle/forbidden-dependencies.gradle'
 apply from: 'gradle/formatting.gradle'
 apply from: 'gradle/local-distribution.gradle'
-apply from: 'gradle/fips.gradle'
 apply from: 'gradle/run.gradle'
 apply from: 'gradle/missing-javadoc.gradle'
 apply from: 'gradle/code-coverage.gradle'
@@ -439,6 +438,9 @@ gradle.projectsEvaluated {
         if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
           task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
         }
+        if (BuildParams.inFipsJvm) {
+          task.jvmArgs += ["-Dorg.bouncycastle.fips.approved_only=true"]
+        }
       }
     }
 
@@ -708,6 +710,14 @@ allprojects {
   plugins.withId('lifecycle-base') {
     checkPart1.configure { dependsOn 'check' }
   }
+
+  plugins.withId('opensearch.testclusters') {
+    testClusters.configureEach {
+      if (BuildParams.inFipsJvm) {
+        keystorePassword 'notarealpasswordphrase'
+      }
+    }
+  }
 }
 
 subprojects {

buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java

@@ -164,11 +164,12 @@ public void execute(Task t) {
                 test.systemProperty("tests.seed", BuildParams.getTestSeed());
             }
 
-            var securityFile = "java.security";
-            test.systemProperty(
-                "java.security.properties",
-                project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/" + securityFile
-            );
+            if (BuildParams.isInFipsJvm()) {
+                test.systemProperty(
+                    "java.security.properties",
+                    project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/fips_java.security"
+                );
+            }
 
             // don't track these as inputs since they contain absolute paths and break cache relocatability
             File gradleHome = project.getGradle().getGradleUserHomeDir();

buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java

@@ -0,0 +1,33 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.gradle.info;
+
+import java.util.function.Function;
+
+public class FipsBuildParams {
+
+    public static final String FIPS_BUILD_PARAM = "crypto.standard";
+
+    private static String fipsMode;
+
+    public static void init(Function<String, Object> fipsValue) {
+        fipsMode = (String) fipsValue.apply(FIPS_BUILD_PARAM);
+    }
+
+    private FipsBuildParams() {}
+
+    public static boolean isInFipsMode() {
+        return "FIPS-140-3".equals(fipsMode);
+    }
+
+    public static String getFipsMode() {
+        return fipsMode;
+    }
+
+}

buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java

@@ -109,6 +109,8 @@ public void apply(Project project) {
         File rootDir = project.getRootDir();
         GitInfo gitInfo = gitInfo(rootDir);
 
+        FipsBuildParams.init(project::findProperty);
+
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
@@ -129,7 +131,7 @@ public void apply(Project project) {
             params.setIsCi(System.getenv("JENKINS_URL") != null);
             params.setIsInternal(isInternal);
             params.setDefaultParallel(findDefaultParallel(project));
-            params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false));
+            params.setInFipsJvm(FipsBuildParams.isInFipsMode());
             params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true));
             if (isInternal) {
                 params.setBwcVersions(resolveBwcVersions(rootDir));
@@ -179,7 +181,11 @@ private void logGlobalBuildInfo() {
             LOGGER.quiet("  JAVA_HOME             : " + gradleJvm.getJavaHome());
         }
         LOGGER.quiet("  Random Testing Seed   : " + BuildParams.getTestSeed());
-        LOGGER.quiet("  In FIPS 140 mode      : " + BuildParams.isInFipsJvm());
+        if (FipsBuildParams.isInFipsMode()) {
+            LOGGER.quiet("  Crypto Standard       : " + FipsBuildParams.getFipsMode());
+        } else {
+            LOGGER.quiet("  Crypto Standard       : any-supported");
+        }
         LOGGER.quiet("=======================================");
     }
 

buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java

@@ -46,6 +46,7 @@
 import org.opensearch.gradle.Version;
 import org.opensearch.gradle.VersionProperties;
 import org.opensearch.gradle.info.BuildParams;
+import org.opensearch.gradle.info.FipsBuildParams;
 import org.gradle.api.Action;
 import org.gradle.api.Named;
 import org.gradle.api.NamedDomainObjectContainer;
@@ -546,6 +547,10 @@ public synchronized void start() {
             logToProcessStdout("installed plugins");
         }
 
+        if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {
+            throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");
+        }
+
         logToProcessStdout("Creating opensearch keystore with password set to [" + keystorePassword + "]");
         if (keystorePassword.length() > 0) {
             runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword + "\n", "opensearch-keystore", "create", "-p");