anandpatel9998
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎build.gradle‎
Lines changed: 11 additions & 10 deletions b/‎build.gradle‎
Lines changed: 11 additions & 10 deletions
diff --git a/‎buildSrc/build.gradle‎
Lines changed: 2 additions & 2 deletions b/‎buildSrc/build.gradle‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎buildSrc/src/main/groovy/org/opensearch/gradle/test/ClusterFormationTasks.groovy‎
Lines changed: 1 addition & 1 deletion b/‎buildSrc/src/main/groovy/org/opensearch/gradle/test/ClusterFormationTasks.groovy‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎buildSrc/src/main/groovy/org/opensearch/gradle/test/StandaloneRestTestPlugin.groovy‎
Lines changed: 6 additions & 0 deletions b/‎buildSrc/src/main/groovy/org/opensearch/gradle/test/StandaloneRestTestPlugin.groovy‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎buildSrc/src/main/java/org/opensearch/gradle/test/rest/RestTestUtil.java‎
Lines changed: 12 additions & 0 deletions b/‎buildSrc/src/main/java/org/opensearch/gradle/test/rest/RestTestUtil.java‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎buildSrc/src/main/resources/opensearch-fips-truststore.bcfks‎
182 KB b/‎buildSrc/src/main/resources/opensearch-fips-truststore.bcfks‎
182 KB
diff --git a/‎client/test/src/main/java/org/opensearch/client/BouncyCastleThreadFilter.java‎
Lines changed: 25 additions & 0 deletions b/‎client/test/src/main/java/org/opensearch/client/BouncyCastleThreadFilter.java‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎client/test/src/main/java/org/opensearch/client/RestClientTestCase.java‎
Lines changed: 2 additions & 0 deletions b/‎client/test/src/main/java/org/opensearch/client/RestClientTestCase.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎distribution/build.gradle‎
Lines changed: 7 additions & 2 deletions b/‎distribution/build.gradle‎
Lines changed: 7 additions & 2 deletions
@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Introduced internal API for retrieving metadata about requested indices from transport actions  ([#18523](https://github.com/opensearch-project/OpenSearch/pull/18523))
 - Add Hybrid Cardinality collector to prioritize Ordinals Collector ([#19524](https://github.com/opensearch-project/OpenSearch/pull/19524))
 - Add cluster defaults for merge autoThrottle, maxMergeThreads, and maxMergeCount; Add segment size filter to the merged segment warmer ([#19629](https://github.com/opensearch-project/OpenSearch/pull/19629))
+- Add build-tooling to run in FIPS environment ([#18921](https://github.com/opensearch-project/OpenSearch/pull/18921))
 - Add SMILE/CBOR/YAML document format support to Bulk GRPC endpoint ([#19744](https://github.com/opensearch-project/OpenSearch/pull/19744))
 
 ### Changed
 
@@ -71,6 +71,11 @@ apply from: 'gradle/run.gradle'
 apply from: 'gradle/missing-javadoc.gradle'
 apply from: 'gradle/code-coverage.gradle'
 
+// Apply FIPS configuration to all projects
+allprojects {
+  apply from: "$rootDir/gradle/fips.gradle"
+}
+
 // common maven publishing configuration
 allprojects {
   group = 'org.opensearch'
@@ -421,8 +426,12 @@ gradle.projectsEvaluated {
           dependsOn(project(':libs:agent-sm:agent').prepareAgent)
           jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
         }
-        if (BuildParams.inFipsJvm) {
-          task.jvmArgs += ["-Dorg.bouncycastle.fips.approved_only=true"]
+        if (BuildParams.isInFipsJvm()) {
+          def fipsSecurityFile = project.rootProject.file('distribution/src/config/fips_java.security')
+          task.jvmArgs += [
+              "-Dorg.bouncycastle.fips.approved_only=true",
+              "-Djava.security.properties=${fipsSecurityFile}"
+          ]
         }
       }
     }
@@ -693,14 +702,6 @@ allprojects {
   plugins.withId('lifecycle-base') {
     checkPart1.configure { dependsOn 'check' }
   }
-
-  plugins.withId('opensearch.testclusters') {
-    testClusters.configureEach {
-      if (BuildParams.inFipsJvm) {
-        keystorePassword 'notarealpasswordphrase'
-      }
-    }
-  }
 }
 
 subprojects {
 
@@ -193,7 +193,7 @@ if (project != rootProject) {
   disableTasks('forbiddenApisMain', 'forbiddenApisTest', 'forbiddenApisIntegTest', 'forbiddenApisTestFixtures')
   jarHell.enabled = false
   thirdPartyAudit.enabled = false
-  if (org.opensearch.gradle.info.BuildParams.inFipsJvm) {
+  if (org.opensearch.gradle.info.BuildParams.isInFipsJvm()) {
     // We don't support running gradle with a JVM that is in FIPS 140 mode, so we don't test it.
     // WaitForHttpResourceTests tests would fail as they use JKS/PKCS12 keystores
     test.enabled = false
@@ -264,7 +264,7 @@ if (project != rootProject) {
     useJUnitPlatform()
     inputs.dir(file("src/testKit")).withPropertyName("testkit dir").withPathSensitivity(PathSensitivity.RELATIVE)
     systemProperty 'test.version_under_test', version
-    onlyIf { org.opensearch.gradle.info.BuildParams.inFipsJvm == false }
+    onlyIf { org.opensearch.gradle.info.BuildParams.isInFipsJvm() == false }
     maxParallelForks = System.getProperty('tests.jvms', org.opensearch.gradle.info.BuildParams.defaultParallel.toString()) as Integer
     testClassesDirs = sourceSets.integTest.output.classesDirs
     classpath = sourceSets.integTest.runtimeClasspath
 
@@ -761,7 +761,7 @@ class ClusterFormationTasks {
         start.doLast(opensearchRunner)
         start.doFirst {
             // If the node runs in a FIPS 140-2 JVM, the BCFKS default keystore will be password protected
-            if (BuildParams.inFipsJvm) {
+            if (BuildParams.isInFipsJvm()) {
                 node.config.systemProperties.put('javax.net.ssl.trustStorePassword', 'password')
                 node.config.systemProperties.put('javax.net.ssl.keyStorePassword', 'password')
             }
 
@@ -31,6 +31,8 @@
 package org.opensearch.gradle.test
 
 import groovy.transform.CompileStatic
+import org.gradle.api.artifacts.VersionCatalog
+import org.gradle.api.artifacts.VersionCatalogsExtension
 import org.opensearch.gradle.OpenSearchJavaPlugin
 import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
 import org.opensearch.gradle.RepositoriesSetupPlugin
@@ -92,6 +94,10 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
         // create a compileOnly configuration as others might expect it
         project.configurations.create("compileOnly")
         project.dependencies.add('testImplementation', project.project(':test:framework'))
+        if (BuildParams.isInFipsJvm()) {
+            VersionCatalog libs = project.extensions.getByType(VersionCatalogsExtension).named("libs")
+            project.dependencies.add('testFipsRuntimeOnly', libs.findBundle("bouncycastle").get())
+        }
 
         EclipseModel eclipse = project.extensions.getByType(EclipseModel)
         eclipse.classpath.sourceSets = [testSourceSet]
 
@@ -102,6 +102,18 @@ static void setupDependencies(Project project, SourceSet sourceSet) {
                 );
         }
 
+        if (BuildParams.isInFipsJvm()) {
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bc-fips:" + VersionProperties.getVersions().get("bouncycastle_jce")
+                );
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bctls-fips:" + VersionProperties.getVersions().get("bouncycastle_tls")
+                );
+        }
     }
 
 }
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.client;
+
+import com.carrotsearch.randomizedtesting.ThreadFilter;
+
+/**
+ * ThreadFilter to exclude ThreadLeak checks for BC’s global background threads
+ *
+ * <p>clone from the original, which is located in ':test:framework'</p>
+ */
+public class BouncyCastleThreadFilter implements ThreadFilter {
+    @Override
+    public boolean reject(Thread t) {
+        String n = t.getName();
+        // Ignore BC’s global background threads
+        return "BC Disposal Daemon".equals(n) || "BC Cleanup Executor".equals(n);
+    }
+}
@@ -38,6 +38,7 @@
 import com.carrotsearch.randomizedtesting.annotations.SeedDecorators;
 import com.carrotsearch.randomizedtesting.annotations.TestMethodProviders;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakAction;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakGroup;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakLingering;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
@@ -65,6 +66,7 @@
 @ThreadLeakAction({ ThreadLeakAction.Action.WARN, ThreadLeakAction.Action.INTERRUPT })
 @ThreadLeakZombies(ThreadLeakZombies.Consequence.IGNORE_REMAINING_TESTS)
 @ThreadLeakLingering(linger = 5000) // 5 sec lingering
+@ThreadLeakFilters(filters = BouncyCastleThreadFilter.class)
 @TimeoutSuite(millis = 2 * 60 * 60 * 1000)
 public abstract class RestClientTestCase extends RandomizedTest {
 
 
@@ -312,7 +312,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
    *             Properties to expand when copying packaging files             *
    *****************************************************************************/
   configurations {
-    ['libs', 'libsPluginCli', 'libsKeystoreCli', 'bcFips'].each {
+    ['libs', 'libsPluginCli', 'libsKeystoreCli', 'libsFipsInstallerCli', 'bcFips'].each {
       create(it) {
         canBeConsumed = false
         canBeResolved = true
@@ -333,6 +333,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
 
     libsPluginCli project(':distribution:tools:plugin-cli')
     libsKeystoreCli project(path: ':distribution:tools:keystore-cli')
+    libsFipsInstallerCli project(path: ':distribution:tools:fips-demo-installer-cli')
 
     bcFips libs.bundles.bouncycastle
   }
@@ -346,7 +347,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
       copySpec {
         // delay by using closures, since they have not yet been configured, so no jar task exists yet
         from(configurations.libs)
-        if ( BuildParams.inFipsJvm ) {
+        if ( BuildParams.isInFipsJvm() ) {
           from(configurations.bcFips)
         }
         into('tools/plugin-cli') {
@@ -355,6 +356,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
         into('tools/keystore-cli') {
           from(configurations.libsKeystoreCli)
         }
+        // Add FIPS installer CLI
+        into('tools/fips-demo-installer-cli') {
+          from(configurations.libsFipsInstallerCli)
+        }
       }
     }
Original file line number	Diff line number	Diff line change
`@@ -761,7 +761,7 @@ class ClusterFormationTasks {`
`761`	`761`	`start.doLast(opensearchRunner)`
`762`	`762`	`start.doFirst {`
`763`	`763`	`// If the node runs in a FIPS 140-2 JVM, the BCFKS default keystore will be password protected`
`764`		`- if (BuildParams.inFipsJvm) {`
	`764`	`+ if (BuildParams.isInFipsJvm()) {`
`765`	`765`	`node.config.systemProperties.put('javax.net.ssl.trustStorePassword', 'password')`
`766`	`766`	`node.config.systemProperties.put('javax.net.ssl.keyStorePassword', 'password')`
`767`	`767`	`}`
Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,18 @@ static void setupDependencies(Project project, SourceSet sourceSet) {`
`102`	`102`	`);`
`103`	`103`	`}`
`104`	`104`
	`105`	`+ if (BuildParams.isInFipsJvm()) {`
	`106`	`+ project.getDependencies()`
	`107`	`+ .add(`
	`108`	`+ sourceSet.getImplementationConfigurationName(),`
	`109`	`+ "org.bouncycastle:bc-fips:" + VersionProperties.getVersions().get("bouncycastle_jce")`
	`110`	`+ );`
	`111`	`+ project.getDependencies()`
	`112`	`+ .add(`
	`113`	`+ sourceSet.getImplementationConfigurationName(),`
	`114`	`+ "org.bouncycastle:bctls-fips:" + VersionProperties.getVersions().get("bouncycastle_tls")`
	`115`	`+ );`
	`116`	`+ }`
`105`	`117`	`}`
`106`	`118`
`107`	`119`	`}`