Check for -Dorg.bouncycastle.fips.approved_only in testclusters to run with FIPS enforcement (opensearch-project#20685)

cwperks · reta · web-flow · commit bc98ec87043c · 2026-02-20T07:24:26.000-05:00
* Also check for -Dorg.bouncycastle.fips.approved_only in testclusters to enforce running with FIPS enforcement

Signed-off-by: Craig Perkins &lt;craig5008@gmail.com&gt;
Co-authored-by: Andriy Redko &lt;andriy.redko@aiven.io&gt;
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
@@ -36,6 +36,10 @@ public static boolean isInFipsMode() {
         return DEFAULT_FIPS_MODE.equals(fipsMode);
     }
 
+    public static boolean isInFipsApprovedOnlyMode() {
+        return isInFipsMode() && "true".equals(System.getProperty("org.bouncycastle.fips.approved_only"));
+    }
+
     public static String getFipsMode() {
         return fipsMode;
     }
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -549,7 +549,7 @@ public synchronized void start() {
             logToProcessStdout("installed plugins");
         }
 
-        if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {
+        if (FipsBuildParams.isInFipsApprovedOnlyMode() && keystorePassword.isEmpty()) {
             throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");
         }
 

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ public static boolean isInFipsMode() {`
`36`	`36`	`return DEFAULT_FIPS_MODE.equals(fipsMode);`
`37`	`37`	`}`
`38`	`38`
	`39`	`+ public static boolean isInFipsApprovedOnlyMode() {`
	`40`	`+ return isInFipsMode() && "true".equals(System.getProperty("org.bouncycastle.fips.approved_only"));`
	`41`	`+ }`
	`42`	`+`
`39`	`43`	`public static String getFipsMode() {`
`40`	`44`	`return fipsMode;`
`41`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -549,7 +549,7 @@ public synchronized void start() {`
`549`	`549`	`logToProcessStdout("installed plugins");`
`550`	`550`	`}`
`551`	`551`
`552`		`- if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {`
	`552`	`+ if (FipsBuildParams.isInFipsApprovedOnlyMode() && keystorePassword.isEmpty()) {`
`553`	`553`	`throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");`
`554`	`554`	`}`
`555`	`555`