Skip to content

Commit

Permalink
Fix custom policy in plugins in FIPS 140 (#52046)
Browse files Browse the repository at this point in the history
Our FIPS 140 testing depends on setting the appropriate java policy
in order to configure the JVM in FIPS mode. Some tests (
discovery-ec2 and ccr qa ) also needed to set a custom policy file
to grant a specific permission, which overwrote the FIPS related
policy and tests would fail. This change ensures that when a
custom policy needs to be set in these tests, the permissions that
are necessary for FIPS are also set.

Resolves: #51685, #52034
  • Loading branch information
jkakavas committed Feb 8, 2020
1 parent dda9850 commit 043279a
Show file tree
Hide file tree
Showing 3 changed files with 70 additions and 16 deletions.
42 changes: 35 additions & 7 deletions plugins/discovery-ec2/build.gradle
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
import org.elasticsearch.gradle.info.BuildParams

/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
Expand Down Expand Up @@ -56,12 +58,34 @@ task writeTestJavaPolicy {
throw new GradleException("failed to create temporary directory [${tmp}]")
}
final File javaPolicy = file("${tmp}/java.policy")
javaPolicy.write(
[
"grant {",
" permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";",
"};"
].join("\n"))
if (BuildParams.inFipsJvm) {
javaPolicy.write(
[
"grant {",
"permission java.security.SecurityPermission \"putProviderProperty.BCFIPS\";",
"permission java.security.SecurityPermission \"putProviderProperty.BCJSSE\";",
"permission java.lang.RuntimePermission \"getProtectionDomain\";",
"permission java.util.PropertyPermission \"java.runtime.name\", \"read\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"tlsAlgorithmsEnabled\";",
"permission java.lang.RuntimePermission \"accessClassInPackage.sun.security.internal.spec\";",
"permission java.lang.RuntimePermission \"accessDeclaredMembers\";",
"permission java.util.PropertyPermission \"intellij.debug.agent\", \"read\";",
"permission java.util.PropertyPermission \"intellij.debug.agent\", \"write\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"exportSecretKey\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"exportPrivateKey\";",
"permission java.io.FilePermission \"\${javax.net.ssl.trustStore}\", \"read\";",
" permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";",
"};"
].join("\n")
)
} else {
javaPolicy.write(
[
"grant {",
" permission java.util.PropertyPermission \"com.amazonaws.sdk.ec2MetadataServiceEndpointOverride\", \"write\";",
"};"
].join("\n"))
}
}
}

Expand All @@ -72,7 +96,11 @@ test {

// this is needed to manipulate com.amazonaws.sdk.ec2MetadataServiceEndpointOverride system property
// it is better rather disable security manager at all with `systemProperty 'tests.security.manager', 'false'`
systemProperty 'java.security.policy', "file://${buildDir}/tmp/java.policy"
if (BuildParams.inFipsJvm){
systemProperty 'java.security.policy', "=file://${buildDir}/tmp/java.policy"
} else {
systemProperty 'java.security.policy', "file://${buildDir}/tmp/java.policy"
}
}

check {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,6 @@ public void tearDown() throws Exception {
}

public void testEC2DiscoveryRetriesOnRateLimiting() throws IOException {
assumeFalse("https://github.com/elastic/elasticsearch/issues/51685", inFipsJvm());
final String accessKey = "ec2_access";
final List<String> hosts = List.of("127.0.0.1:9000");
final Map<String, Integer> failedRequests = new ConcurrentHashMap<>();
Expand Down
43 changes: 35 additions & 8 deletions x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import org.elasticsearch.gradle.info.BuildParams
import org.elasticsearch.gradle.test.RestIntegTestTask

apply plugin: 'elasticsearch.testclusters'
Expand Down Expand Up @@ -26,21 +27,47 @@ task writeJavaPolicy {
if (policyFile.parentFile.exists() == false && policyFile.parentFile.mkdirs() == false) {
throw new GradleException("failed to create temporary directory [${tmp}]")
}
policyFile.write(
[
"grant {",
" permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";",
"};"
].join("\n")
)
if (BuildParams.inFipsJvm) {
policyFile.write(
[
"grant {",
"permission java.security.SecurityPermission \"putProviderProperty.BCFIPS\";",
"permission java.security.SecurityPermission \"putProviderProperty.BCJSSE\";",
"permission java.lang.RuntimePermission \"getProtectionDomain\";",
"permission java.util.PropertyPermission \"java.runtime.name\", \"read\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"tlsAlgorithmsEnabled\";",
"permission java.lang.RuntimePermission \"accessClassInPackage.sun.security.internal.spec\";",
"permission java.lang.RuntimePermission \"accessDeclaredMembers\";",
"permission java.util.PropertyPermission \"intellij.debug.agent\", \"read\";",
"permission java.util.PropertyPermission \"intellij.debug.agent\", \"write\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"exportSecretKey\";",
"permission org.bouncycastle.crypto.CryptoServicesPermission \"exportPrivateKey\";",
"permission java.io.FilePermission \"\${javax.net.ssl.trustStore}\", \"read\";",
"permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";",
"};"
].join("\n")
)
} else {
policyFile.write(
[
"grant {",
" permission java.io.FilePermission \"${-> testClusters."follow-cluster".getFirstNode().getServerLog()}\", \"read\";",
"};"
].join("\n")
)
}
}
}

task "follow-cluster"(type: RestIntegTestTask) {
dependsOn 'writeJavaPolicy', "leader-cluster"
runner {
useCluster testClusters."leader-cluster"
systemProperty 'java.security.policy', "file://${policyFile}"
if (BuildParams.inFipsJvm){
systemProperty 'java.security.policy', "=file://${policyFile}"
} else {
systemProperty 'java.security.policy', "file://${policyFile}"
}
systemProperty 'tests.target_cluster', 'follow'
nonInputProperties.systemProperty 'tests.leader_host', "${-> testClusters."leader-cluster".getAllHttpSocketURI().get(0)}"
nonInputProperties.systemProperty 'log', "${-> testClusters."follow-cluster".getFirstNode().getServerLog()}"
Expand Down

0 comments on commit 043279a

Please sign in to comment.