Fix discovery-gce when run in FIPS mode (#104179)

jakelandis · web-flow · commit fe091e846d8c · 2024-01-10T09:51:29.000-05:00
* Fix discovery-gce when run in FIPS mode

* dummy commit to re-kick off build

* spotless
diff --git a/plugins/discovery-gce/build.gradle b/plugins/discovery-gce/build.gradle
@@ -10,7 +10,7 @@ versions << [
   'google'              : '1.41.1',
   'google_api_client'   : '1.33.1',
   'api_services_compute': 'v1-rev20220322-1.32.1',
-  'google_oauth_client' : '1.34.1' 
+  'google_oauth_client' : '1.34.1'  
 ]
 
 dependencies {
diff --git a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java
@@ -8,8 +8,8 @@
 
 package org.elasticsearch.cloud.gce;
 
+import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.googleapis.compute.ComputeCredential;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.http.HttpRequest;
@@ -19,6 +19,7 @@
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.SecurityUtils;
 import com.google.api.services.compute.Compute;
 import com.google.api.services.compute.model.Instance;
 import com.google.api.services.compute.model.InstanceList;
@@ -35,7 +36,9 @@
 import org.elasticsearch.discovery.gce.RetryHttpInitializerWrapper;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.GeneralSecurityException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -173,7 +176,12 @@ private static boolean headerContainsMetadataFlavor(HttpResponse response) {
     protected synchronized HttpTransport getGceHttpTransport() throws GeneralSecurityException, IOException {
         if (gceHttpTransport == null) {
             if (validateCerts) {
-                gceHttpTransport = GoogleNetHttpTransport.newTrustedTransport();
+                // Manually load the certificates in the jks format instead of the default p12 which is not compatible with FIPS.
+                KeyStore certTrustStore = SecurityUtils.getJavaKeyStore();
+                try (InputStream is = GoogleUtils.class.getResourceAsStream("google.jks")) {
+                    SecurityUtils.loadKeyStore(certTrustStore, is, "notasecret");
+                }
+                gceHttpTransport = new NetHttpTransport.Builder().trustCertificates(certTrustStore).build();
             } else {
                 // this is only used for testing - alternative we could use the defaul keystore but this requires special configs too..
                 gceHttpTransport = new NetHttpTransport.Builder().doNotValidateCertificate().build();

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ versions << [`
`10`	`10`	`'google' : '1.41.1',`
`11`	`11`	`'google_api_client' : '1.33.1',`
`12`	`12`	`'api_services_compute': 'v1-rev20220322-1.32.1',`
`13`		`- 'google_oauth_client' : '1.34.1'`
	`13`	`+ 'google_oauth_client' : '1.34.1'`
`14`	`14`	`]`
`15`	`15`
`16`	`16`	`dependencies {`