@n1v0lg
Contributor

@n1v0lg n1v0lg commented Jul 3, 2025

No description provided.

@n1v0lg n1v0lg self-assigned this Jul 3, 2025
@n1v0lg n1v0lg added the labels >test (Issues or PRs that are addressing/adding tests), :Security/FIPS (Running ES in FIPS 140-2 mode), and test-fips (Trigger CI checks for FIPS) Jul 3, 2025
@prdoyle
Contributor

prdoyle commented Jul 3, 2025

In my runs, I see these on the classpath:

63 = {UnixPath@5774} "/Users/prdoyle/IdeaProjects/elasticsearch/libs/ssl-config/build/classes/java/main"
64 = {UnixPath@5775} "/Users/prdoyle/IdeaProjects/elasticsearch/libs/ssl-config/build/classes/java/test"
65 = {UnixPath@5776} "/Users/prdoyle/IdeaProjects/elasticsearch/libs/ssl-config/build/resources/test"

And then I get this error:

NotEntitledException: component [security], module [ALL-UNNAMED], class [class org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi], entitlement [file], operation [read], path [/Users/prdoyle/IdeaProjects/elasticsearch/libs/ssl-config/build/fips-resources/cacerts.bcfks]

I wonder where build/fips-resources/cacerts.bcfks comes from. 🤔

@prdoyle
Contributor

prdoyle commented Jul 3, 2025

I think it might come from here.

@prdoyle
Contributor

prdoyle commented Jul 3, 2025

Even when I add that path explicitly, it's still denied.

checkFileRead is returning a ModuleEntitlements that contains just these two entries:

readPaths = {String[2]@8622} ["/Users/prdoyle/...", "/Users/prdoyle/..."]
 0 = "/Users/prdoyle/.gradle/jdks/oracle_corporation-24-aarch64-os_x.2/jdk-24.jdk/Contents/Home/conf"
 1 = "/Users/prdoyle/IdeaProjects/elasticsearch/libs/ssl-config/build/testrun/test/temp"

I think it's related to the module being reported as ALL-UNNAMED.

@n1v0lg
Contributor Author

n1v0lg commented Jul 4, 2025

Looks like #130616 is the proper fix 🎉 Closing this PR.

@n1v0lg n1v0lg closed this Jul 4, 2025

Labels

:Security/FIPS (Running ES in FIPS 140-2 mode), >test (Issues or PRs that are addressing/adding tests), test-fips (Trigger CI checks for FIPS), v9.2.0
