build with 'crypto.standard' gradle build parameter

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
opensearch-project · Jan 31, 2025 · a6abb44 · a6abb44
1 parent 000e1a6
commit a6abb44
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 22 deletions.
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
@@ -8,24 +8,28 @@
 
 package org.opensearch.gradle.info;
 
+import java.util.function.Function;
+
 public class FipsBuildParams {
 
-    private static final String FIPS_BUILD_PARAM = "OPENSEARCH_CRYPTO_STANDARD";
+    public static final String FIPS_BUILD_PARAM = "crypto.standard";
+
+    public static final String FIPS_ENV_VAR = "OPENSEARCH_CRYPTO_STANDARD";
+
+    private static String fipsMode;
 
-    private static final String FIPS_MODE = System.getenv(FIPS_BUILD_PARAM);
+    public static void init(Function<String, Object> fipsValue) {
+        fipsMode = (String) fipsValue.apply(FIPS_BUILD_PARAM);
+    }
 
     private FipsBuildParams() {}
 
     public static boolean isInFipsMode() {
-        return "FIPS-140-3".equals(FIPS_MODE);
+        return "FIPS-140-3".equals(fipsMode);
     }
 
     public static String getFipsMode() {
-        return FIPS_MODE;
-    }
-
-    public static String getFipsBuildParam() {
-        return FIPS_BUILD_PARAM;
+        return fipsMode;
     }
 
 }
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -109,6 +109,8 @@ public void apply(Project project) {
         File rootDir = project.getRootDir();
         GitInfo gitInfo = gitInfo(rootDir);
 
+        FipsBuildParams.init(project::findProperty);
+
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -797,7 +797,7 @@ private Map<String, String> getOpenSearchEnvironment() {
         defaultEnv.put("HOSTNAME", HOSTNAME_OVERRIDE);
         defaultEnv.put("COMPUTERNAME", COMPUTERNAME_OVERRIDE);
         if (FipsBuildParams.isInFipsMode()) {
-            defaultEnv.put(FipsBuildParams.getFipsBuildParam(), FipsBuildParams.getFipsMode());
+            defaultEnv.put(FipsBuildParams.FIPS_ENV_VAR, FipsBuildParams.getFipsMode());
         }
 
         Set<String> commonKeys = new HashSet<>(environment.keySet());

diff --git a/...bution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/...bution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -44,6 +44,8 @@ final class SystemJvmOptions {
 
     static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
     static final String FIPS_140_3 = "FIPS-140-3";
+    static final boolean IS_IN_FIPS_JVM = FIPS_140_3.equals(System.getenv(OPENSEARCH_CRYPTO_STANDARD))
+        || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"));
 
     static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeVersion) throws FileNotFoundException {
         return Collections.unmodifiableList(
@@ -93,21 +95,11 @@ static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeV
     }
 
     private static String enableFips() {
-        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (FIPS_140_3.equals(cryptoStandard)) {
-            return "-Dorg.bouncycastle.fips.approved_only=true";
-        }
-        return "";
+        return IS_IN_FIPS_JVM ? "-Dorg.bouncycastle.fips.approved_only=true" : "";
     }
 
     private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException {
-        String securityFile;
-        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (FIPS_140_3.equals(cryptoStandard)) {
-            securityFile = "fips_java.security";
-        } else {
-            securityFile = "java.security";
-        }
+        String securityFile = IS_IN_FIPS_JVM ? "fips_java.security" : "java.security";
         var securityFilePath = config.resolve(securityFile);
 
         if (!Files.exists(securityFilePath)) {

diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -199,7 +199,7 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         SecureRandomInitializer.init();
 
         var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
-        if ("FIPS-140-3".equals(cryptoStandard)) {
+        if ("FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"))) {
             LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
             SecurityProviderManager.excludeSunJCE();
         }