Add build-tooling to run in the FIPS environment

CHANGELOG.md

@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Expand fetch phase profiling to support inner hits and top hits aggregation phases  ([##18936](https://github.com/opensearch-project/OpenSearch/pull/18936))
 - Add temporal routing processors for time-based document routing ([#18920](https://github.com/opensearch-project/OpenSearch/issues/18920))
 - The dynamic mapping parameter supports false_allow_templates ([#19065](https://github.com/opensearch-project/OpenSearch/pull/19065))
+- Add build-tooling to run in the FIPS environment ([#18921](https://github.com/opensearch-project/OpenSearch/pull/18921))
 - Add a toBuilder method in EngineConfig to support easy modification of configs([#19054](https://github.com/opensearch-project/OpenSearch/pull/19054))
 - Add StoreFactory plugin interface for custom Store implementations([#19091](https://github.com/opensearch-project/OpenSearch/pull/19091))
 - Add a dynamic setting to change skip_cache_factor and min_frequency for querycache ([#18351](https://github.com/opensearch-project/OpenSearch/issues/18351))

build.gradle

@@ -419,7 +419,11 @@ gradle.projectsEvaluated {
           jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
         }
         if (BuildParams.inFipsJvm) {
-          task.jvmArgs += ["-Dorg.bouncycastle.fips.approved_only=true"]
+          def fipsSecurityFile = project.rootProject.file('distribution/src/config/fips_java.security')
+          task.jvmArgs += [
+              "-Dorg.bouncycastle.fips.approved_only=true",
+              "-Djava.security.properties=${fipsSecurityFile}"
+          ]
         }
       }
     }
@@ -695,6 +699,7 @@ allprojects {
     testClusters.configureEach {
       if (BuildParams.inFipsJvm) {
         keystorePassword 'notarealpasswordphrase'
+        setting 'cluster.fips.truststore.source', 'GENERATED'
       }
     }
   }

buildSrc/src/main/groovy/org/opensearch/gradle/test/StandaloneRestTestPlugin.groovy

@@ -31,6 +31,8 @@
 package org.opensearch.gradle.test
 
 import groovy.transform.CompileStatic
+import org.gradle.api.artifacts.VersionCatalog
+import org.gradle.api.artifacts.VersionCatalogsExtension
 import org.opensearch.gradle.OpenSearchJavaPlugin
 import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
 import org.opensearch.gradle.RepositoriesSetupPlugin
@@ -92,6 +94,10 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
         // create a compileOnly configuration as others might expect it
         project.configurations.create("compileOnly")
         project.dependencies.add('testImplementation', project.project(':test:framework'))
+        if (BuildParams.inFipsJvm) {
+            VersionCatalog libs = project.extensions.getByType(VersionCatalogsExtension).named("libs")
+            project.dependencies.add('testImplementation', libs.findBundle("bouncycastle").get())
+        }
 
         EclipseModel eclipse = project.extensions.getByType(EclipseModel)
         eclipse.classpath.sourceSets = [testSourceSet]

buildSrc/src/main/java/org/opensearch/gradle/test/rest/RestTestUtil.java

@@ -102,6 +102,18 @@ static void setupDependencies(Project project, SourceSet sourceSet) {
                 );
         }
 
+        if (BuildParams.isInFipsJvm()) {
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bc-fips:" + VersionProperties.getVersions().get("bouncycastle_jce")
+                );
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bctls-fips:" + VersionProperties.getVersions().get("bouncycastle_tls")
+                );
+        }
     }
 
 }

qa/fips-compliance/build.gradle

@@ -34,6 +34,7 @@ afterEvaluate {
     // configure cluster to start in FIPS JVM
     javaRestTest {
       keystorePassword 'notarealpasswordphrase'
+      setting 'cluster.fips.truststore.source', 'GENERATED'
       configurations.bcFips.resolve().each { jarFile ->
         extraJarFile jarFile
       }

qa/remote-clusters/build.gradle

@@ -72,10 +72,11 @@ tasks.named("preProcessFixture").configure {
 
 dockerCompose {
   tcpPortsToIgnoreWhenWaiting = [9600, 9601]
-  useComposeFiles = ['docker-compose.yml']
+  def composeFiles = ['docker-compose.yml']
   if (BuildParams.inFipsJvm) {
-    environment.put("KEYSTORE_PASSWORD", "notarealpasswordphrase")
+    composeFiles.add('docker-compose.fips.yml')
   }
+  useComposeFiles = composeFiles
 }
 
 def createAndSetWritable(Object... locations) {

qa/remote-clusters/docker-compose.fips.yml

@@ -0,0 +1,9 @@
+services:
+  opensearch-1:
+    environment:
+      KEYSTORE_PASSWORD: notarealpasswordphrase
+      cluster.fips.truststore.source: GENERATED
+  opensearch-2:
+    environment:
+      KEYSTORE_PASSWORD: notarealpasswordphrase
+      cluster.fips.truststore.source: GENERATED

qa/remote-clusters/docker-compose.yml

@@ -16,7 +16,6 @@ services:
        - cluster.routing.allocation.disk.watermark.high=1b
        - cluster.routing.allocation.disk.watermark.flood_stage=1b
        - node.store.allow_mmap=false
-       - "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}"
     volumes:
        - ./build/repo:/tmp/opensearch-repo
        - ./build/logs/1:/usr/share/opensearch/logs
@@ -51,7 +50,6 @@ services:
        - cluster.routing.allocation.disk.watermark.high=1b
        - cluster.routing.allocation.disk.watermark.flood_stage=1b
        - node.store.allow_mmap=false
-       - "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}"
     volumes:
        - ./build/repo:/tmp/opensearch-repo
        - ./build/logs/2:/usr/share/opensearch/logs

qa/wildfly/build.gradle

@@ -86,10 +86,11 @@ preProcessFixture {
 }
 
 dockerCompose {
-  useComposeFiles = ['docker-compose.yml']
+  def composeFiles = ['docker-compose.yml']
   if (BuildParams.inFipsJvm) {
-    environment.put("KEYSTORE_PASSWORD", "notarealpasswordphrase")
+    composeFiles.add('docker-compose.fips.yml')
   }
+  useComposeFiles = composeFiles
 }
 
 tasks.register("integTest", TestTask) {

qa/wildfly/docker-compose.fips.yml

@@ -0,0 +1,5 @@
+services:
+  opensearch:
+    environment:
+      KEYSTORE_PASSWORD: notarealpasswordphrase
+      cluster.fips.truststore.source: GENERATED

qa/wildfly/docker-compose.yml

@@ -19,7 +19,6 @@ services:
   opensearch:
     image: opensearch:test
     environment:
-      KEYSTORE_PASSWORD: ${KEYSTORE_PASSWORD}
       discovery.type: single-node
     ulimits:
       memlock:

server/build.gradle

@@ -125,6 +125,8 @@ dependencies {
     exclude group: 'org.opensearch', module: 'server'
   }
   testFipsRuntimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  testFipsRuntimeOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
+  testFipsRuntimeOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 }
 
 tasks.withType(JavaCompile).configureEach {

server/src/main/java/org/opensearch/bootstrap/Bootstrap.java

@@ -200,6 +200,7 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         if ("FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"))) {
             LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
             SecurityProviderManager.removeNonCompliantFipsProviders();
+            MultiProviderTrustStoreHandler.configureTrustStore(settings, environment.tmpDir(), Path.of(System.getProperty("java.home")));
         }
 
         // initialize probes before the security manager is installed