Fix the REST FIPS tests (#61001)

Adds bouncycastle to classpath for tests and testclusters
elastic · Aug 14, 2020 · 255d2a4 · 255d2a4
1 parent fd4825b
commit 255d2a4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/gradle/fips.gradle b/gradle/fips.gradle
@@ -5,31 +5,46 @@ import org.elasticsearch.gradle.testclusters.ElasticsearchCluster
 
 // Common config when running with a FIPS-140 runtime JVM
 if (BuildParams.inFipsJvm) {
+
   allprojects {
     File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
     boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
     File fipsSecurity = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.security")
     File fipsPolicy = new File(fipsResourcesDir, "fips_java${java8 ? '8' : ''}.policy")
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    project.pluginManager.withPlugin('elasticsearch.java') {
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')
+    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')
+
+    pluginManager.withPlugin('java') {
       TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
       fipsResourcesTask.configure {
         outputDir = fipsResourcesDir
         copy fipsSecurity.name
         copy fipsPolicy.name
         copy 'cacerts.bcfks'
       }
-      // This configuration can be removed once system modules are available
-      configurations.create('extraFipsJars')
-      dependencies {
-        extraFipsJars 'org.bouncycastle:bc-fips:1.0.1'
-        extraFipsJars 'org.bouncycastle:bctls-fips:1.0.9'
+
+      project.afterEvaluate {
+        def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
+        // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
+        // set the class path to help maintain pure black box testing, and here we are adding to that classpath
+        tasks.withType(Test).configureEach { Test test ->
+          test.setClasspath(test.getClasspath().plus(extraFipsJars))
+        }
       }
+
       pluginManager.withPlugin("elasticsearch.testclusters") {
-        testClusters.all {
-          for (File dep : project.configurations.extraFipsJars.files) {
-            extraJarFile dep
+        afterEvaluate {
+          // This afterEvaluate hooks is required to avoid deprecated configuration resolution
+          // This configuration can be removed once system modules are available
+          def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
+          testClusters.all {
+            extraFipsJars.files.each {
+              extraJarFile it
+            }
           }
+        }
+        testClusters.all {
           extraConfigFile "fips_java.security", fipsSecurity
           extraConfigFile "fips_java.policy", fipsPolicy
           extraConfigFile "cacerts.bcfks", fipsTrustStore

diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
@@ -104,6 +104,6 @@ if (BuildParams.inFipsJvm) {
   // rather than provide a long list of exclusions, disable the check on FIPS.
   jarHell.enabled = false
   test.enabled = false
-  integTest.enabled = false
-  testingConventions.enabled = false
+  integTest.enabled = false;
+  testingConventions.enabled = false;
 }