Configure FIPS mode through global ENV VAR instead of thread-based.

Signed-off-by: Iwan Igonin <[email protected]>

buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java

@@ -77,6 +77,7 @@ public class GlobalBuildInfoPlugin implements Plugin<Project> {
  private static final Logger LOGGER = Logging.getLogger(GlobalBuildInfoPlugin.class);
  private static final String DEFAULT_LEGACY_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/LegacyESVersion.java";
  private static final String DEFAULT_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/Version.java";
+ protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
  private static Integer _defaultParallel = null;
 
  private final JvmMetadataDetector jvmMetadataDetector;
@@ -112,6 +113,8 @@ public void apply(Project project) {
  BuildParams.init(params -> {
  // Initialize global build parameters
  boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
+ var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
+ var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2");
 
  params.reset();
  params.setRuntimeJavaHome(runtimeJavaHome);
@@ -129,7 +132,7 @@ public void apply(Project project) {
  params.setIsCi(System.getenv("JENKINS_URL") != null);
  params.setIsInternal(isInternal);
  params.setDefaultParallel(findDefaultParallel(project));
- params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false));
+ params.setInFipsJvm(inFipsJvm);
  params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true));
  if (isInternal) {
  params.setBwcVersions(resolveBwcVersions(rootDir));
@@ -179,7 +182,7 @@ private void logGlobalBuildInfo() {
  LOGGER.quiet(" JAVA_HOME : " + gradleJvm.getJavaHome());
  }
  LOGGER.quiet(" Random Testing Seed : " + BuildParams.getTestSeed());
- LOGGER.quiet(" In FIPS 140 mode  : " + BuildParams.isInFipsJvm());
+ LOGGER.quiet(" Crypto Standard  : " + Optional.ofNullable(System.getenv(OPENSEARCH_CRYPTO_STANDARD)).orElse("any-supported"));
  LOGGER.quiet("=======================================");
  }
 

buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java

@@ -556,7 +556,7 @@ public synchronized void start() {
  if (keystoreSettings.isEmpty() == false || keystoreFiles.isEmpty() == false) {
  logToProcessStdout("Adding " + keystoreSettings.size() + " keystore settings and " + keystoreFiles.size() + " keystore files");
 
- keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", "-x", key));
+ keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", key));
 
  for (Map.Entry<String, File> entry : keystoreFiles.entrySet()) {
  File file = entry.getValue();
@@ -738,7 +738,12 @@ private void runOpenSearchBinScriptWithInput(String input, String tool, CharSequ
  }
 
  private void runKeystoreCommandWithPassword(String keystorePassword, String input, CharSequence... args) {
- final String actualInput = keystorePassword.length() > 0 ? keystorePassword + "\n" + input : input;
+ final String actualInput;
+ if (keystorePassword.length() > 0) {
+ actualInput = keystorePassword + "\n" + input + "\n" + input;
+ } else {
+ actualInput = input + "\n" + input;
+ }
  runOpenSearchBinScriptWithInput(actualInput, "opensearch-keystore", args);
  }
 

client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java

@@ -48,7 +48,6 @@
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.util.Timeout;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -332,20 +331,9 @@ public TlsDetails create(final SSLEngine sslEngine) {
  .setTlsStrategy(tlsStrategy)
  .build();
 
- var inFipsJvm = CryptoServicesRegistrar.isInApprovedOnlyMode();
-
  HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create()
  .setDefaultRequestConfig(requestConfigBuilder.build())
  .setConnectionManager(connectionManager)
- .setThreadFactory((Runnable r) -> {
- Runnable runnable = () -> {
- if (inFipsJvm) {
- CryptoServicesRegistrar.setApprovedOnlyMode(true);
- }
- r.run();
- };
- return new Thread(runnable, "os-client-dispatcher");
- })
  .setTargetAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
  .disableAutomaticRetries();
  if (httpClientConfigCallback != null) {

client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java

@@ -39,7 +39,6 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
 import org.junit.AfterClass;
@@ -60,7 +59,6 @@
 import java.security.SecureRandom;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -80,17 +78,6 @@ public static void startHttpServer() throws Exception {
  httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
  httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true)));
  httpsServer.createContext("/", new ResponseHandler());
- var inFipsJvm = inFipsJvm();
- Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
- Runnable runnable = () -> {
- if (inFipsJvm) {
- CryptoServicesRegistrar.setApprovedOnlyMode(true);
- }
- r.run();
- };
- return new Thread(runnable, "test-httpserver-dispatcher");
- });
- httpsServer.setExecutor(executor);
  httpsServer.start();
  }
 

client/test/src/main/java/org/opensearch/client/RestClientTestCase.java

@@ -45,8 +45,6 @@
 import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite;
 
 import org.apache.hc.core5.http.Header;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.junit.BeforeClass;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -127,14 +125,4 @@ private static void addValueToListEntry(final Map<String, List<String>> map, fin
  values.add(value);
  }
 
- @BeforeClass
- public static void setFipsJvm() {
- boolean isFipsEnabled = Boolean.parseBoolean(System.getProperty("tests.fips.enabled", "false"));
- CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
- }
-
- public static boolean inFipsJvm() {
- return CryptoServicesRegistrar.isInApprovedOnlyMode();
- }
-
 }

distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java

@@ -78,14 +78,23 @@ static List<String> systemJvmOptions(final Path config) {
  // log4j 2
  "-Dlog4j.shutdownHookEnabled=false",
  "-Dlog4j2.disable.jmx=true",
- // security manager
+ // security settings
+ enableFips(),
  allowSecurityManagerOption(),
  loadJavaSecurityProperties(config),
  javaLocaleProviders()
  )
  ).stream().filter(e -> e.isEmpty() == false).collect(Collectors.toList());
  }
 
+ private static String enableFips() {
+ var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+ if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) {
+ return "-Dorg.bouncycastle.fips.approved_only=true";
+ }
+ return "";
+ }
+
  private static String loadJavaSecurityProperties(final Path config) {
  var securityFile = config.resolve("fips_java.security");
  return "-Djava.security.properties=" + securityFile.toAbsolutePath();

modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java

@@ -45,7 +45,6 @@
 import org.apache.hc.core5.util.Timeout;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.action.DocWriteRequest;
 import org.opensearch.action.bulk.BackoffPolicy;
 import org.opensearch.action.bulk.BulkItemResponse;
@@ -183,14 +182,7 @@ private ActionListener<BulkByScrollResponse> getRemoteReindexWrapperListener(
  }
 
  static RestClient buildRestClient(RemoteInfo remoteInfo, ReindexSslConfig sslConfig, long taskId, List<Thread> threadCollector) {
- return buildRestClient(
- remoteInfo,
- sslConfig,
- taskId,
- threadCollector,
- Optional.empty(),
- CryptoServicesRegistrar.isInApprovedOnlyMode()
- );
+ return buildRestClient(remoteInfo, sslConfig, taskId, threadCollector, Optional.empty());
  }
 
  /**
@@ -207,8 +199,7 @@ static RestClient buildRestClient(
  ReindexSslConfig sslConfig,
  long taskId,
  List<Thread> threadCollector,
- Optional<HttpRequestInterceptor> restInterceptor,
- boolean isFipsEnabled
+ Optional<HttpRequestInterceptor> restInterceptor
  ) {
  Header[] clientHeaders = new Header[remoteInfo.getHeaders().size()];
  int i = 0;
@@ -235,16 +226,11 @@ static RestClient buildRestClient(
  }
  // Stick the task id in the thread name so we can track down tasks from stack traces
  AtomicInteger threads = new AtomicInteger();
- c.setThreadFactory((Runnable r) -> {
- Runnable runnable = () -> {
- if (isFipsEnabled) {
- CryptoServicesRegistrar.setApprovedOnlyMode(true);
- }
- r.run();
- };
- var thread = new Thread(runnable, "os-client-" + taskId + "-" + threads.getAndIncrement());
- threadCollector.add(thread);
- return thread;
+ c.setThreadFactory(r -> {
+ String name = "es-client-" + taskId + "-" + threads.getAndIncrement();
+ Thread t = new Thread(r, name);
+ threadCollector.add(t);
+ return t;
  });
  // Limit ourselves to one reactor thread because for now the search process is single threaded.
  c.setIOReactorConfig(IOReactorConfig.custom().setIoThreadCount(1).build());
@@ -327,14 +313,7 @@ protected ScrollableHitSource buildScrollableResultSource(BackoffPolicy backoffP
  RemoteInfo remoteInfo = mainRequest.getRemoteInfo();
  createdThreads = synchronizedList(new ArrayList<>());
  assert sslConfig != null : "Reindex ssl config must be set";
- RestClient restClient = buildRestClient(
- remoteInfo,
- sslConfig,
- task.getId(),
- createdThreads,
- this.interceptor,
- CryptoServicesRegistrar.isInApprovedOnlyMode()
- );
+ RestClient restClient = buildRestClient(remoteInfo, sslConfig, task.getId(), createdThreads, this.interceptor);
  return new RemoteScrollableHitSource(
  logger,
  backoffPolicy,

modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java

@@ -77,7 +77,7 @@ public void testBuildRestClient() throws Exception {
  assertBusy(() -> assertThat(threads, hasSize(2)));
  int i = 0;
  for (Thread thread : threads) {
- assertEquals("os-client-" + taskId + "-" + i, thread.getName());
+ assertEquals("es-client-" + taskId + "-" + i, thread.getName());
  i++;
  }
  } finally {

modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java

@@ -37,7 +37,6 @@
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
@@ -73,7 +72,6 @@
 import java.util.List;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
@@ -99,17 +97,6 @@ public static void setupHttpServer() throws Exception {
  SSLContext sslContext = buildServerSslContext();
  server = HttpsServer.create(address, 0);
  server.setHttpsConfigurator(new ClientAuthHttpsConfigurator(sslContext));
- var inFipsJvm = inFipsJvm();
- Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
- Runnable runnable = () -> {
- if (inFipsJvm) {
- CryptoServicesRegistrar.setApprovedOnlyMode(true);
- }
- r.run();
- };
- return new Thread(runnable, "test-httpserver-dispatcher");
- });
- server.setExecutor(executor);
  server.start();
  server.createContext("/", http -> {
  assert http instanceof HttpsExchange;

modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java

@@ -123,9 +123,9 @@ public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Setti
  @Override
  public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
  try {
- final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
+ final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
  keyStore.load(
- SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.p12"),
+ SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.jks"),
  "password".toCharArray()
  );
 

modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java

@@ -8,6 +8,7 @@
 
 package org.opensearch.transport.netty4.ssl;
 
+import org.apache.lucene.tests.util.LuceneTestCase;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.crypto.KeyStoreFactory;
@@ -66,6 +67,7 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.lessThanOrEqualTo;
 
+@LuceneTestCase.AwaitsFix(bugUrl = "")
 public class SimpleSecureNetty4TransportTests extends AbstractSimpleTransportTestCase {
  @Override
  protected Transport build(Settings settings, final Version version, ClusterSettings clusterSettings, boolean doHandshake) {
@@ -79,9 +81,9 @@ public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(
  @Override
  public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
  try {
- final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
+ final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
  keyStore.load(
- SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.p12"),
+ SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.jks"),
  "password".toCharArray()
  );
 

modules/transport-netty4/src/test/resources/README.txt

@@ -6,12 +6,12 @@
 
 # 1. Create certificate key
 
-openssl req  -x509  -sha256  -newkey rsa:2048  -keyout certificate.key  -out certificate.crt  -days 1024  -nodes
+openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes
 
 # 2. Export the certificate in pkcs12 format
 
-openssl pkcs12  -export  -in certificate.crt  -inkey certificate.key  -out server.p12  -name netty4-secure -password pass:password
+openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out netty4-secure.p12 -name netty4-secure -password pass:password
 
-# 3. Import the certificate into JDK keystore (PKCS12 type)
+# 3. Migrate from P12 to JKS keystore
 
-keytool -importkeystore -srcstorepass password  -destkeystore netty4-secure.jks -srckeystore server.p12  -srcstoretype PKCS12  -alias netty4-secure  -deststorepass password
+keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password

plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java

@@ -55,8 +55,6 @@
 import org.opensearch.transport.TransportSettings;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
-import org.junit.ClassRule;
-import org.junit.rules.ExternalResource;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -107,17 +105,6 @@ protected Collection<Class<? extends Plugin>> nodePlugins() {
 
  private static Path keyStoreFile;
 
- @ClassRule
- public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() {
- @Override
- protected void before() {
- assumeFalse(
- "Can't run in a FIPS JVM because none of the supported Keystore types can be used",
- Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP))
- );
- }
- };
-
  @BeforeClass
  public static void setupKeyStore() throws IOException {
  Path tempDir = createTempDir();