Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Fix forbidden apis on FIPS (#33202)

- third party audit detects jar hell with JDK so we disable it
- jdk non portable in forbiddenapis detects classes being used from the
JDK ( for fips ) that are not portable, this is intended so we don't
scan for it on fips.
- different exclusion rules for third party audit on fips

Closes #33179
Alpar Torok 7 years ago
parent
6a0d4b4a77
commit
3828ec60f5
5 changed files with 40 additions and 5 deletions
Split View Show Diff Stats
  1. 6 0
      distribution/tools/plugin-cli/build.gradle
  2. 8 1
      modules/transport-netty4/build.gradle
  3. 6 0
      plugins/ingest-attachment/build.gradle
  4. 8 2
      plugins/transport-nio/build.gradle
  5. 12 2
      x-pack/plugin/security/cli/build.gradle

+ 6 - 0
distribution/tools/plugin-cli/build.gradle
View File 

@@ -39,3 +39,9 @@ test {
 
   // TODO: find a way to add permissions for the tests in this module
 
   systemProperty 'tests.security.manager', 'false'
 
 }
 
+
 
+if (project.inFipsJvm) {
 
+  // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
 
+  // rather than provide a long list of exclusions, disable the check on FIPS.
 
+  thirdPartyAudit.enabled = false
 
+}

+ 8 - 1
modules/transport-netty4/build.gradle
View File 

@@ -83,7 +83,6 @@ thirdPartyAudit.excludes = [
 
         'io.netty.internal.tcnative.SSLContext',
 
 
         // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
 
-        'org.bouncycastle.asn1.x500.X500Name',
 
         'org.bouncycastle.cert.X509v3CertificateBuilder',
 
         'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
 
         'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
 
@@ -163,3 +162,11 @@ thirdPartyAudit.excludes = [
 
         'org.conscrypt.Conscrypt',
 
         'org.conscrypt.HandshakeListener'
 
 ]
 
+
 
+if (project.inFipsJvm == false) {
 
+    // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
 
+    // a FIPS JVM with BouncyCastleFIPS Provider
 
+    thirdPartyAudit.excludes += [
 
+            'org.bouncycastle.asn1.x500.X500Name'
 
+    ]
 
+}

+ 6 - 0
plugins/ingest-attachment/build.gradle
View File 

@@ -2141,3 +2141,9 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
 
     'javax.xml.bind.Unmarshaller'
 
   ]
 
 }
 
+
 
+if (project.inFipsJvm) {
 
+    // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
 
+    // rather than provide a long list of exclusions, disable the check on FIPS.
 
+    thirdPartyAudit.enabled = false
 
+}

+ 8 - 2
plugins/transport-nio/build.gradle
View File 

@@ -62,7 +62,6 @@ thirdPartyAudit.excludes = [
 
         'io.netty.internal.tcnative.SSLContext',
 
 
         // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
 
-        'org.bouncycastle.asn1.x500.X500Name',
 
         'org.bouncycastle.cert.X509v3CertificateBuilder',
 
         'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
 
         'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
 
@@ -141,4 +140,11 @@ thirdPartyAudit.excludes = [
 
         'org.conscrypt.BufferAllocator',
 
         'org.conscrypt.Conscrypt',
 
         'org.conscrypt.HandshakeListener'
 
-]
 
+]
 
+if (project.inFipsJvm == false) {
 
+    // BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
 
+    // a FIPS JVM with BouncyCastleFIPS Provider
 
+    thirdPartyAudit.excludes += [
 
+            'org.bouncycastle.asn1.x500.X500Name'
 
+    ]
 
+}

+ 12 - 2
x-pack/plugin/security/cli/build.gradle
View File 

@@ -1,3 +1,5 @@
 
+import org.elasticsearch.gradle.precommit.ForbiddenApisCliTask
 
+
 
 apply plugin: 'elasticsearch.build'
 
 
 archivesBaseName = 'elasticsearch-security-cli'
 
@@ -6,8 +8,8 @@ dependencies {
 
     compileOnly "org.elasticsearch:elasticsearch:${version}"
 
     // "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
 
     compileOnly project(path: xpackModule('core'), configuration: 'default')
 
-    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
 
     compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
 
+    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
 
     testImplementation 'com.google.jimfs:jimfs:1.1'
 
     testCompile "junit:junit:${versions.junit}"
 
     testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
 
@@ -20,6 +22,14 @@ dependencyLicenses {
 
     mapping from: /bc.*/, to: 'bouncycastle'
 
 }
 
 
-if (inFipsJvm) {
 
+if (project.inFipsJvm) {
 
     test.enabled = false
 
+    // Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
 
+    // not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
 
+    tasks.withType(ForbiddenApisCliTask) {
 
+        bundledSignatures -= "jdk-non-portable"
 
+    }
 
+    // FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
 
+    // rather than provide a long list of exclusions, disable the check on FIPS.
 
+    thirdPartyAudit.enabled = false
 
 }