-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix the REST FIPS tests #61001
Fix the REST FIPS tests #61001
Conversation
Pinging @elastic/es-core-infra (:Core/Infra/Build) |
It seems like the testclusters configuration block is still guarded by use of elasticsearch.java. I see that we are now adding the bcfips jar files, but without the necessary jvm args for Tests that are nested underneath the testclusters block, won't we be actually executing the tests without fips? |
I expected some failures once run on CI for the reasons you mention, but hadn't considered false positives where it passes but not actually running in FIPS. I will keep iterating on this ... |
@rjernst this should be ready for review, the additional change is pretty minor but seems to do the trick 5714e6d and pretty confident we won't get false positives. A scan of the filesystem and it appears that the bc jars are landing for all the specialized tests. I still have a couple failures locally, but don't think they are related... in short I am confident that this won't have false positives and fixes it for yaml/java REST tests, but not 100% sure that all tests are passing...need to commit to get CI to run the FIPS tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Adds bouncycastle to classpath for tests and testclusters
Adds bouncycastle to classpath for tests and testclusters
When run with the
-Dtests.fips.enabled=true
most all of the REST tests fail.This fixes most (all?) of the REST test failures in FIPS mode.
Specifically:
The bouncy castle library was no longer on the classpath for the tests for
[yaml/java]RestTests since they explicitly set the classpath to only that of
the test sourceset. The fix for this to ensure that bouncy castle is added to
classpath for these (and all) types of tests when running with FIPS.
The elasticsearch.java plugin is not applied to every standalone test project.
This mainly impacts the specialized tests that setup custom test clusters such as CCR.
The fix for this is to hook into the java plugin instead of the elasticsearch.java plugin.
One or more project would throw an error about could not change dependency after
evaluation (it did so without any of the changes here). The fix for this was to move
the FIPS config out of the TestBasePlugin and just use the classpath addition via
gradle/fips.gradle.
Ingest attachment was conditionally disabling integTest, now it conditionally
disables yamlRestTest
fixes #60990