Conditionally install bcfips jars when building for observabilitySRE

donoghuc · donoghuc · commit 44a5aaa07361 · 2025-03-19T13:15:54.000-07:00
This commit implements a pattern for performing specific gradle tasks based on a
newly named "fedrampHighMode" option. This option is used to configure tests to
run with additional configuration specific to the observabilitySRE use case.
Similarly the additional jar dependencies for bouncycastle fips providers are
conditionally installed gated on the "fedrampHighMode" option.
diff --git a/.buildkite/pull_request_pipeline.yml b/.buildkite/pull_request_pipeline.yml
@@ -54,7 +54,7 @@ steps:
       set -euo pipefail
 
       docker build -t test-runner-image -f x-pack/distributions/internal/observabilitySRE/docker/Dockerfile .
-      docker run test-runner-image ./gradlew --info --stacktrace -PrunTestsInFIPSMode=true rubyTests
+      docker run test-runner-image ./gradlew --info --stacktrace -PfedrampHighMode=true rubyTests
     artifact_paths:
       - "coverage/coverage.json"
 
@@ -96,7 +96,7 @@ steps:
       set -euo pipefail
 
       docker build -t test-runner-image -f x-pack/distributions/internal/observabilitySRE/docker/Dockerfile .
-      docker run test-runner-image ./gradlew --info --stacktrace -PrunTestsInFIPSMode=true javaTests
+      docker run test-runner-image ./gradlew --info --stacktrace -PfedrampHighMode=true javaTests
     artifact_paths:
       - "**/build/test-results/javaTests/TEST-*.xml"
       - "**/jacocoTestReport.xml"
diff --git a/ci/run-fips-integration-tests.sh b/ci/run-fips-integration-tests.sh
@@ -6,4 +6,4 @@
 half_number=$1
 source ci/get-test-half.sh
 specs=$(get_test_half "$half_number")
-./gradlew --info --stacktrace -PrunTestsInFIPSMode=true runIntegrationTests -PrubyIntegrationSpecs="$specs"
+./gradlew --info --stacktrace -PfedrampHighMode=true runIntegrationTests -PrubyIntegrationSpecs="$specs"
diff --git a/logstash-core/build.gradle b/logstash-core/build.gradle
@@ -235,11 +235,6 @@ dependencies {
     runtimeOnly 'commons-logging:commons-logging:1.3.1'
     // also handle libraries relying on log4j 1.x to redirect their logs
     runtimeOnly "org.apache.logging.log4j:log4j-1.2-api:${log4jVersion}"
-    // FIPS deps. TODO: figure out how to actually manage these
-    runtimeOnly("org.bouncycastle:bc-fips:2.0.0")
-    runtimeOnly("org.bouncycastle:bcpkix-fips:2.0.7")
-    runtimeOnly("org.bouncycastle:bctls-fips:2.0.19")
-    runtimeOnly("org.bouncycastle:bcutil-fips:2.0.3")
     implementation('org.reflections:reflections:0.10.2') {
         exclude group: 'com.google.guava', module: 'guava'
     }
diff --git a/x-pack/ci/integration_tests.sh b/x-pack/ci/integration_tests.sh
@@ -18,7 +18,7 @@ if [ -n "$BUILD_JAVA_HOME" ]; then
 fi
 
 if [ -n "$FIPS_MODE" ]; then
-  ./gradlew runXPackIntegrationTests -PrunTestsInFIPSMode=true
+  ./gradlew runXPackIntegrationTests -PfedrampHighMode=true
 else
   ./gradlew runXPackIntegrationTests
 fi
diff --git a/x-pack/ci/unit_tests.sh b/x-pack/ci/unit_tests.sh
@@ -17,7 +17,7 @@ if [ -n "$BUILD_JAVA_HOME" ]; then
 fi
 
 if [ -n "$FIPS_MODE" ]; then
-  ./gradlew runXPackUnitTests -PrunTestsInFIPSMode=true
+  ./gradlew runXPackUnitTests -PfedrampHighMode=true
 else
   ./gradlew runXPackUnitTests
 fi
diff --git a/x-pack/distributions/internal/observabilitySRE/build-ext.gradle b/x-pack/distributions/internal/observabilitySRE/build-ext.gradle
@@ -1,17 +1,17 @@
 ext {
-    runTestsInFIPSMode = project.hasProperty('runTestsInFIPSMode') ? project.property('runTestsInFIPSMode').toBoolean() : false
+    fedrampHighMode = project.hasProperty('fedrampHighMode') ? project.property('fedrampHighMode').toBoolean() : false
 }
 
 subprojects {
     ext {
-        runTestsInFIPSMode = rootProject.runTestsInFIPSMode
+        fedrampHighMode = rootProject.fedrampHighMode
     }
 }
 
 allprojects {
     afterEvaluate {
         tasks.withType(Test) {
-            if (runTestsInFIPSMode) {
+            if (rootProject.fedrampHighMode) {
                 logger.debug("configuring ${it} to run in FIPSMode ")
                 systemProperty "java.security.properties", System.getenv("JAVA_SECURITY_PROPERTIES")
                 systemProperty "javax.net.ssl.keyStore", "/etc/java/security/keystore.bcfks"
@@ -28,4 +28,18 @@ allprojects {
             }
         }
     }
-}
+}
+
+project(':logstash-core') {
+    afterEvaluate {
+        if (rootProject.fedrampHighMode) {
+            logger.lifecycle("Adding BouncyCastle FIPS dependencies to logstash-core")
+            dependencies {
+                implementation "org.bouncycastle:bc-fips:2.0.0"
+                implementation "org.bouncycastle:bcpkix-fips:2.0.7"
+                implementation "org.bouncycastle:bctls-fips:2.0.19"
+                implementation "org.bouncycastle:bcutil-fips:2.0.3"
+            }
+        }
+    }
+}
diff --git a/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile b/x-pack/distributions/internal/observabilitySRE/docker/Dockerfile
@@ -43,7 +43,7 @@ ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
 
 # Initial build using JKS truststore
-RUN ./gradlew clean bootstrap assemble installDefaultGems
+RUN ./gradlew clean bootstrap assemble installDefaultGems -PfedrampHighMode=true
 
 # Convert JKS to BCFKS for truststore and keystore
 RUN keytool -importkeystore \
@@ -87,4 +87,4 @@ ENV LS_JAVA_OPTS="\
     -Dorg.bouncycastle.fips.approved_only=true"
 
 # Example test run, most use cases will override this
-CMD ["./gradlew", "--info", "--stacktrace", "-PrunTestsInFIPSMode=true", "runIntegrationTests"]
+CMD ["./gradlew", "--info", "--stacktrace", "-PfedrampHighMode=true", "runIntegrationTests"]
