set default testcluster password for all project modules

build.gradle

@@ -562,11 +562,18 @@ subprojects {
   // test with FIPS-140-3 enabled
   plugins.withType(JavaPlugin).configureEach {
     tasks.withType(Test).configureEach { testTask ->
-      if (BuildParams.inFipsJvm == true) {
+      if (BuildParams.inFipsJvm) {
         testTask.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
       }
     }
   }
+  plugins.withId('opensearch.testclusters') {
+    testClusters.configureEach {
+      if (BuildParams.inFipsJvm) {
+        keystorePassword 'notarealpasswordphrase'
+      }
+    }
+  }
 }
 
 // eclipse configuration

buildSrc/build.gradle

@@ -123,9 +123,6 @@ dependencies {
   api 'org.jruby.joni:joni:2.2.1'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
   api "org.ajoberstar.grgit:grgit-core:5.2.1"
-  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
-    api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"
-  }
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
   testFixturesApi "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${props.getProperty('randomizedrunner')}"

buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java

@@ -34,7 +34,6 @@
 
 import de.thetaphi.forbiddenapis.SuppressForbidden;
 
-import org.opensearch.gradle.SecureRandomProvider;
 import org.gradle.api.logging.Logger;
 import org.gradle.api.logging.Logging;
 
@@ -54,6 +53,7 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.util.Arrays;
@@ -251,7 +251,7 @@ private SSLContext createSslContext(KeyStore trustStore) throws GeneralSecurityE
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(trustStore);
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), SecureRandomProvider.getSecureRandom());
+        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());
         return sslContext;
     }
 

buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java

@@ -10,7 +10,9 @@
 
 public class FipsBuildParams {
 
-    private static final String FIPS_MODE = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+    private static final String FIPS_BUILD_PARAM = "OPENSEARCH_CRYPTO_STANDARD";
+
+    private static final String FIPS_MODE = System.getenv(FIPS_BUILD_PARAM);
 
     private FipsBuildParams() {}
 
@@ -22,4 +24,8 @@ public static String getFipsMode() {
         return FIPS_MODE;
     }
 
+    public static String getFipsBuildParam() {
+        return FIPS_BUILD_PARAM;
+    }
+
 }

buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java

@@ -46,6 +46,7 @@
 import org.opensearch.gradle.Version;
 import org.opensearch.gradle.VersionProperties;
 import org.opensearch.gradle.info.BuildParams;
+import org.opensearch.gradle.info.FipsBuildParams;
 import org.gradle.api.Action;
 import org.gradle.api.Named;
 import org.gradle.api.NamedDomainObjectContainer;
@@ -546,6 +547,10 @@ public synchronized void start() {
             logToProcessStdout("installed plugins");
         }
 
+        if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {
+            throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");
+        }
+
         logToProcessStdout("Creating opensearch keystore with password set to [" + keystorePassword + "]");
         if (keystorePassword.length() > 0) {
             runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword + "\n", "opensearch-keystore", "create", "-p");
@@ -791,6 +796,9 @@ private Map<String, String> getOpenSearchEnvironment() {
         // Override the system hostname variables for testing
         defaultEnv.put("HOSTNAME", HOSTNAME_OVERRIDE);
         defaultEnv.put("COMPUTERNAME", COMPUTERNAME_OVERRIDE);
+        if (FipsBuildParams.isInFipsMode()) {
+            defaultEnv.put(FipsBuildParams.getFipsBuildParam(), FipsBuildParams.getFipsMode());
+        }
 
         Set<String> commonKeys = new HashSet<>(environment.keySet());
         commonKeys.retainAll(defaultEnv.keySet());

distribution/src/bin/opensearch-cli

@@ -20,6 +20,12 @@ done
 # avoid stealing many CPU cycles; a user can override by setting OPENSEARCH_JAVA_OPTS
 OPENSEARCH_JAVA_OPTS="-Xms4m -Xmx64m -XX:+UseSerialGC ${OPENSEARCH_JAVA_OPTS}"
 
+if [ "$OPENSEARCH_CRYPTO_STANDARD" = "FIPS-140-3" ]; then
+  OPENSEARCH_JAVA_OPTS="-Dorg.bouncycastle.fips.approved_only=true \
+                        -Djava.security.properties=${OPENSEARCH_PATH_CONF}/fips_java.security \
+                        ${OPENSEARCH_JAVA_OPTS}"
+fi
+
 exec \
   "$JAVA" \
   "$XSHARE" \

distribution/src/bin/opensearch-cli.bat

@@ -16,6 +16,12 @@ rem use a small heap size for the CLI tools, and thus the serial collector to
 rem avoid stealing many CPU cycles; a user can override by setting OPENSEARCH_JAVA_OPTS
 set OPENSEARCH_JAVA_OPTS=-Xms4m -Xmx64m -XX:+UseSerialGC %OPENSEARCH_JAVA_OPTS%
 
+if "%OPENSEARCH_CRYPTO_STANDARD%"=="FIPS-140-3" (
+    set OPENSEARCH_JAVA_OPTS=-Dorg.bouncycastle.fips.approved_only=true ^
+                             -Djava.security.properties="%OPENSEARCH_PATH_CONF%\fips_java.security" ^
+                             %OPENSEARCH_JAVA_OPTS%
+)
+
 "%JAVA%" ^
   %OPENSEARCH_JAVA_OPTS% ^
   -Dopensearch.path.home="%OPENSEARCH_HOME%" ^

plugins/repository-s3/build.gradle

@@ -144,13 +144,6 @@ def fixtureAddress = { fixture, name, port ->
   'http://127.0.0.1:' + ephemeralPort
 }
 
-def applyFipsConfig(OpenSearchCluster cluster) {
-  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
-    cluster.keystorePassword 'notarealpasswordphrase'
-    cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-3'
-  }
-}
-
 // We test against two repositories, one which uses the usual two-part "permanent" credentials and
 // the other which uses three-part "temporary" or "session" credentials.
 
@@ -268,7 +261,6 @@ yamlRestTest {
 }
 
 testClusters.yamlRestTest {
-  applyFipsConfig(delegate)
   keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
   keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
 
@@ -332,7 +324,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestMinio)
 
   testClusters.yamlRestTestMinio {
-    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
     keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
     setting 's3.client.integration_test_permanent.endpoint', { "${-> fixtureAddress('minio-fixture', 'minio-fixture', '9000')}" }, IGNORE_VALUE
@@ -361,7 +352,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestECS)
 
   testClusters.yamlRestTestECS {
-    applyFipsConfig(delegate)
     setting 's3.client.integration_test_ecs.endpoint', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}" }, IGNORE_VALUE
     plugin tasks.bundlePlugin.archiveFile
     environment 'AWS_CONTAINER_CREDENTIALS_FULL_URI', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}/ecs_credentials_endpoint" }, IGNORE_VALUE
@@ -389,7 +379,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestEKS)
 
   testClusters.yamlRestTestEKS {
-    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_eks.role_arn', "arn:aws:iam::000000000000:role/test"
     keystore 's3.client.integration_test_eks.role_session_name', "s3-test"
     keystore 's3.client.integration_test_eks.access_key', "access_key"