From 2cc1057626e89bea89d0741b9e23e35b00e0b910 Mon Sep 17 00:00:00 2001
From: Alpar Torok
Date: Tue, 28 Aug 2018 14:51:28 +0300
Subject: [PATCH 1/2] Fix forbidden apis on FIPS

- third party audit detects jar hell with JDK so we disable it
- jdk non portable in forbiddenapis detects classes being used from the JDK ( for fips ) that are not portable, this is intended so we don't scan for it on fips.
- different exclusion rules for third party audit on fips

Closes #33179
---
 distribution/tools/plugin-cli/build.gradle | 4 ++++
 modules/transport-netty4/build.gradle | 7 ++++++-
 plugins/ingest-attachment/build.gradle | 5 +++++
 plugins/transport-nio/build.gradle | 8 ++++++--
 x-pack/plugin/security/cli/build.gradle | 10 ++++++++--
 5 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index c47786299bc2f..70905f6d28f08 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -39,3 +39,7 @@ test {
   // TODO: find a way to add permissions for the tests in this module
   systemProperty 'tests.security.manager', 'false'
 }
+
+if (project.inFipsJvm) {
+  thirdPartyAudit.enabled = false
+}
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 12ce5ce7d4a8f..1388d1784ace8 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -83,7 +83,6 @@ thirdPartyAudit.excludes = [
   'io.netty.internal.tcnative.SSLContext',
 
   // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-  'org.bouncycastle.asn1.x500.X500Name',
   'org.bouncycastle.cert.X509v3CertificateBuilder',
   'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
   'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
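Review bot: `thirdPartyAudit.enabled = false` in the added `if (project.inFipsJvm)` block of distribution/tools/plugin-cli/build.gradle switches off the whole third-party audit for this module on FIPS, not only the JDK jar-hell detection that the commit message names as the problem, so the audit's other finding — dependency classes that are missing from the runtime classpath — is also silently lost on FIPS CI. If the audit task offers a narrower way to ignore jar hell with the JDK for the colliding packages, prefer that over disabling the task; otherwise leave a marker so the blanket disable is revisited, e.g. `// TODO(fips): narrow this to the BouncyCastle jar-hell conflict instead of disabling the whole audit`. Which jars collide is presumably the module's own BouncyCastle dependencies, but that is not visible in this hunk. The same wholesale disable is added to plugins/ingest-attachment/build.gradle and x-pack/plugin/security/cli/build.gradle in this patch.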
@@ -163,3 +162,9 @@ thirdPartyAudit.excludes = [
   'org.conscrypt.Conscrypt',
   'org.conscrypt.HandshakeListener'
 ]
+
+if (project.inFipsJvm == false) {
+  thirdPartyAudit.excludes += [
+    'org.bouncycastle.asn1.x500.X500Name'
+  ]
+}
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index 6cd55f682c8b4..4987b7fd2234d 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -2141,3 +2141,8 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
     'javax.xml.bind.Unmarshaller'
   ]
 }
+
+if (project.inFipsJvm) {
+  // jar hell with JDK on FIPS
+  thirdPartyAudit.enabled = false
+}
diff --git a/plugins/transport-nio/build.gradle b/plugins/transport-nio/build.gradle
index 07605bfee29b3..728ad64d9f8f5 100644
--- a/plugins/transport-nio/build.gradle
+++ b/plugins/transport-nio/build.gradle
@@ -62,7 +62,6 @@ thirdPartyAudit.excludes = [
   'io.netty.internal.tcnative.SSLContext',
 
   // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-  'org.bouncycastle.asn1.x500.X500Name',
   'org.bouncycastle.cert.X509v3CertificateBuilder',
   'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
   'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
@@ -141,4 +140,9 @@ thirdPartyAudit.excludes = [
   'org.conscrypt.BufferAllocator',
   'org.conscrypt.Conscrypt',
   'org.conscrypt.HandshakeListener'
-]
\ No newline at end of file
+]
+if (project.inFipsJvm == false) {
+  thirdPartyAudit.excludes += [
+    'org.bouncycastle.asn1.x500.X500Name'
+  ]
+}
\ No newline at end of file
diff --git a/x-pack/plugin/security/cli/build.gradle b/x-pack/plugin/security/cli/build.gradle
index 426c48aac80ae..113a960ecb816 100644
--- a/x-pack/plugin/security/cli/build.gradle
+++ b/x-pack/plugin/security/cli/build.gradle
@@ -1,3 +1,5 @@
+import org.elasticsearch.gradle.precommit.ForbiddenApisCliTask
+
 apply plugin: 'elasticsearch.build'
 
 archivesBaseName = 'elasticsearch-security-cli'
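Review bot: The new `if (project.inFipsJvm == false)` block in plugins/transport-nio/build.gradle is appended directly after the closing `]` and the file still ends without a trailing newline (`\ No newline at end of file` is carried over onto the new `+}` line), whereas the equivalent hunk in modules/transport-netty4/build.gradle separates the block with a blank line and ends the file with a newline. Match the netty4 layout here — a blank line before the `if` and a final newline — so the two parallel exclusion lists stay easy to compare. The `thirdPartyAudit.excludes = [` list these hunks extend begins above the hunk.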
@@ -6,8 +8,8 @@ dependencies {
   compileOnly "org.elasticsearch:elasticsearch:${version}"
   // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
   compileOnly project(path: xpackModule('core'), configuration: 'default')
-  compile 'org.bouncycastle:bcprov-jdk15on:1.59'
   compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
+  compile 'org.bouncycastle:bcprov-jdk15on:1.59'
   testImplementation 'com.google.jimfs:jimfs:1.1'
   testCompile "junit:junit:${versions.junit}"
   testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
@@ -20,6 +22,10 @@ dependencyLicenses {
   mapping from: /bc.*/, to: 'bouncycastle'
 }
 
-if (inFipsJvm) {
+if (project.inFipsJvm) {
   test.enabled = false
+  tasks.withType(ForbiddenApisCliTask) {
+    bundledSignatures -= "jdk-non-portable"
+  }
+  thirdPartyAudit.enabled = false
 }
From 6801f35a727b4ee3ffed8858248bdc8f44f5d698 Mon Sep 17 00:00:00 2001
From: Alpar Torok
Date: Wed, 29 Aug 2018 14:54:32 +0300
Subject: [PATCH 2/2] Add comments

---
 distribution/tools/plugin-cli/build.gradle | 2 ++
 modules/transport-netty4/build.gradle | 2 ++
 plugins/ingest-attachment/build.gradle | 3 ++-
 plugins/transport-nio/build.gradle | 2 ++
 x-pack/plugin/security/cli/build.gradle | 4 ++++
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index 70905f6d28f08..38be8db42ff6a 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -41,5 +41,7 @@ test {
 }
 
 if (project.inFipsJvm) {
+  // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
+  // rather than provide a long list of exclusions, disable the check on FIPS.
   thirdPartyAudit.enabled = false
 }
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 1388d1784ace8..e7c36ff506ed3 100644
--- a/modules/transport-netty4/build.gradle
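Review bot: `bundledSignatures -= "jdk-non-portable"` inside `tasks.withType(ForbiddenApisCliTask)` in x-pack/plugin/security/cli/build.gradle drops the non-portable-JDK signature set for every forbidden-apis task of this module when running on FIPS, so a new use of a non-portable JDK class that has nothing to do with BouncyCastle would no longer be reported by the FIPS CI run. That is presumably acceptable only because the non-FIPS run keeps enforcing the full signature set, and that reliance should be recorded next to the relaxation, e.g. `// relies on the non-FIPS CI run to keep enforcing jdk-non-portable for this module`. The `if (project.inFipsJvm)` block is fully inside the hunk.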
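Review bot: The comment added in distribution/tools/plugin-cli/build.gradle misspells "many" as `manny`; the same two-line comment is pasted verbatim into plugins/ingest-attachment/build.gradle and x-pack/plugin/security/cli/build.gradle in this patch, and the latter also has `Forbiden` for "Forbidden". Since the text is duplicated in three build files, fix all copies together, e.g. `// FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit,`.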
+++ b/modules/transport-netty4/build.gradle
@@ -164,6 +164,8 @@ thirdPartyAudit.excludes = [
 ]
 
 if (project.inFipsJvm == false) {
+  // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
+  // a FIPS JVM with BouncyCastleFIPS Provider
   thirdPartyAudit.excludes += [
     'org.bouncycastle.asn1.x500.X500Name'
   ]
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index 4987b7fd2234d..f55104f2a96fc 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -2143,6 +2143,7 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
 }
 
 if (project.inFipsJvm) {
-  // jar hell with JDK on FIPS
+  // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
+  // rather than provide a long list of exclusions, disable the check on FIPS.
   thirdPartyAudit.enabled = false
 }
diff --git a/plugins/transport-nio/build.gradle b/plugins/transport-nio/build.gradle
index 728ad64d9f8f5..cb8916b857c23 100644
--- a/plugins/transport-nio/build.gradle
+++ b/plugins/transport-nio/build.gradle
@@ -142,6 +142,8 @@ thirdPartyAudit.excludes = [
   'org.conscrypt.HandshakeListener'
 ]
 if (project.inFipsJvm == false) {
+  // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
+  // a FIPS JVM with BouncyCastleFIPS Provider
   thirdPartyAudit.excludes += [
     'org.bouncycastle.asn1.x500.X500Name'
   ]
diff --git a/x-pack/plugin/security/cli/build.gradle b/x-pack/plugin/security/cli/build.gradle
index 113a960ecb816..377d10ec7f203 100644
--- a/x-pack/plugin/security/cli/build.gradle
+++ b/x-pack/plugin/security/cli/build.gradle
@@ -24,8 +24,12 @@ dependencyLicenses {
 
 if (project.inFipsJvm) {
   test.enabled = false
+  // Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
+  // not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
   tasks.withType(ForbiddenApisCliTask) {
     bundledSignatures -= "jdk-non-portable"
   }
+  // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
+  // rather than provide a long list of exclusions, disable the check on FIPS.
   thirdPartyAudit.enabled = false
 }