WIP: First pass at a reprodicible env for running under FIPS mode

Dockerfile

@@ -0,0 +1,77 @@
+# Start from the FIPS-compliant base image
+FROM docker.elastic.co/wolfi/chainguard-base-fips:latest
+
+# Install OpenJDK 21
+RUN apk add --no-cache \
+    openjdk-21 \
+    bash
+
+# Create directory for security configuration
+RUN mkdir -p /etc/java/security
+RUN mkdir -p /root/.gradle
+
+# Copy configuration files
+COPY java.security /etc/java/security/
+COPY java.policy /etc/java/security/
+
+# Set environment variables
+ENV JAVA_HOME=/usr/lib/jvm/java-21-openjdk
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
+# Create working directory
+WORKDIR /logstash
+
+# Copy the local Logstash source
+COPY . .
+
+# Initial build using JKS truststore
+# ENV JAVA_OPTS="-Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=changeit"
+RUN ./gradlew clean bootstrap assemble installDefaultGems testSetup --no-daemon
+
+# CMD ["sleep", "infinity"]
+RUN keytool -importkeystore \
+    -srckeystore $JAVA_HOME/lib/security/cacerts \
+    -destkeystore /etc/java/security/cacerts.bcfks \
+    -srcstoretype jks \
+    -deststoretype bcfks \
+    -providerpath /logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
+    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+    -deststorepass changeit \
+    -srcstorepass changeit \
+    -noprompt
+
+RUN keytool -importkeystore \
+    -srckeystore $JAVA_HOME/lib/security/cacerts \
+    -destkeystore /etc/java/security/keystore.bcfks \
+    -srcstoretype jks \
+    -deststoretype bcfks \
+    -providerpath /logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
+    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+    -deststorepass changeit \
+    -srcstorepass changeit \
+    -noprompt
+
+
+# Uncomment this out and build for interactive terminal sessions in a container
+# Currently this dockerfile is just for running tests, but I have been also using it to
+# do manual validation. Need to think more about how to separate concerns. 
+ENV JAVA_SECURITY_PROPERTIES=/etc/java/security/java.security
+ENV JAVA_OPTS="\
+    -Djava.security.debug=ssl,provider \
+    -Djava.security.properties=${JAVA_SECURITY_PROPERTIES} \
+    -Djavax.net.ssl.keyStore=/etc/java/security/keystore.bcfks \
+    -Djavax.net.ssl.keyStoreType=BCFKS \
+    -Djavax.net.ssl.keyStoreProvider=BCFIPS \
+    -Djavax.net.ssl.keyStorePassword=changeit \
+    -Djavax.net.ssl.trustStore=/etc/java/security/cacerts.bcfks \
+    -Djavax.net.ssl.trustStoreType=BCFKS \
+    -Djavax.net.ssl.trustStoreProvider=BCFIPS \
+    -Djavax.net.ssl.trustStorePassword=changeit \
+    -Dssl.KeyManagerFactory.algorithm=PKIX \
+    -Dssl.TrustManagerFactory.algorithm=PKIX \
+    -Dorg.bouncycastle.fips.approved_only=true"
+
+ENV LS_JAVA_OPTS="${JAVA_OPTS}"
+# Run tests with BCFKS truststore
+CMD ["./gradlew","-PskipJRubySetup=true", "--info", "--stacktrace", "javaTestsOnly", "rubyTestsOnly"]
+

build.gradle

@@ -295,15 +295,18 @@ clean {
   delete "${projectDir}/logstash-core/src/main/resources/org/logstash/plugins/plugin_aliases.yml"
 }
 
-def assemblyDeps = [downloadAndInstallJRuby, assemble] + subprojects.collect {
-  it.tasks.findByName("assemble")
+def getAssemblyDeps() {
+    return project.hasProperty('skipJRubySetup') ? [] : [downloadAndInstallJRuby, assemble] + subprojects.collect {
+        it.tasks.findByName("assemble") 
+    }
 }
 
 tasks.register("bootstrap") {
-    dependsOn assemblyDeps
+    // onlyIf { !project.hasProperty('skipJRubySetup') }
+    dependsOn getAssemblyDeps()
     doLast {
-      setupJruby(projectDir, buildDir)
-  }
+        setupJruby(projectDir, buildDir)
+    }
 }
 
 

java.policy

@@ -0,0 +1,15 @@
+grant {
+    // Your existing permissions
+    permission java.lang.PropertyPermission "java.runtime.name", "read";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
+    permission java.lang.RuntimePermission "getProtectionDomain";
+    permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "exportKeys";
+
+    // Add provider permissions
+    permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
+    permission java.security.SecurityPermission "insertProvider.BCFIPS";
+    permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
+    permission java.security.SecurityPermission "insertProvider.BCJSSE";
+};

java.security

@@ -0,0 +1,117 @@
+security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
+security.provider.3=SUN
+
+securerandom.source=file:/dev/random
+securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
+securerandom.drbg.config=
+
+login.configuration.provider=sun.security.provider.ConfigFile
+
+policy.provider=sun.security.provider.PolicyFile
+policy.url.1=file:/etc/java/security/java.policy
+policy.expandProperties=true
+policy.allowSystemProperty=true
+policy.ignoreIdentityScope=false
+
+keystore.type=bcfks
+keystore.type.compat=true
+
+package.access=sun.misc.,\
+               sun.reflect.
+package.definition=sun.misc.,\
+                   sun.reflect.
+
+security.overridePropertiesFile=true
+
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+networkaddress.cache.negative.ttl=10
+
+krb5.kdc.bad.policy = tryLast
+
+sun.security.krb5.disableReferrals=false
+sun.security.krb5.maxReferrals=5
+
+jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
+    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
+jdk.certpath.disabledAlgorithms=MD2, MD5, \
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
+    SHA1, \
+    secp112r1, secp112r2, secp128r1, secp128r2, \
+    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+    sect571k1, sect571r1, \
+    brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
+jdk.security.legacyAlgorithms=SHA1, \
+    RSA keySize < 2048, DSA keySize < 2048
+
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
+    DSA keySize < 1024, SHA1, \
+    secp112r1, secp112r2, secp128r1, secp128r2, \
+    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
+jdk.tls.disabledAlgorithms=MD5, SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+    secp112r1, secp112r2, secp128r1, secp128r2, \
+    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+    sect571k1, sect571r1, brainpoolP256r1, \
+    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+        3DES_EDE_CBC
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37, \
+                  ChaCha20-Poly1305 KeyUpdate 2^37
+
+crypto.policy=unlimited
+
+jdk.xml.dsig.secureValidationPolicy=\
+    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+    maxTransforms 5,\
+    maxReferences 30,\
+    disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
+    minKeySize EC 224,\
+    noDuplicateIds,\
+    noRetrievalMethodLoops
+
+jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
+  java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
+
+jdk.sasl.disabledMechanisms=CRAM-MD5, DIGEST-MD5
+jdk.security.caDistrustPolicies=SYMANTEC_TLS
+jdk.io.permissionsUseCanonicalPath=false
+
+jdk.tls.alpnCharset=ISO_8859_1
+
+org.bouncycastle.fips.approved_only=true

logstash-core/build.gradle

@@ -27,27 +27,12 @@ buildscript {
     }
 }
 
-plugins {
-    id "jacoco"
-    id "org.sonarqube" version "4.3.0.3225"
-}
 
-apply plugin: 'jacoco'
-apply plugin: "org.sonarqube"
 
 repositories {
     mavenCentral()
 }
 
-sonarqube {
-    properties {
-        property 'sonar.coverage.jacoco.xmlReportPaths', "${buildDir}/reports/jacoco/test/jacocoTestReport.xml"
-    }
-}
-
-jacoco {
-    toolVersion = "0.8.9"
-}
 
 
 import org.yaml.snakeyaml.Yaml
@@ -124,21 +109,8 @@ tasks.register("javaTests", Test) {
     exclude '/org/logstash/plugins/factory/PluginFactoryExtTest.class'
     exclude '/org/logstash/execution/ObservedExecutionTest.class'
 
-    jacoco {
-        enabled = true
-        destinationFile = layout.buildDirectory.file('jacoco/test.exec').get().asFile
-        classDumpDir = layout.buildDirectory.dir('jacoco/classpathdumps').get().asFile
-    }
 }
 
-jacocoTestReport {
-    reports {
-        xml.required = true
-        html.required = true
-    }
-}
-
-javaTests.finalizedBy(jacocoTestReport)
 
 tasks.register("rubyTests", Test) {
     dependsOn compileTestJava
@@ -196,6 +168,79 @@ task generateVersionInfoResources(type: DefaultTask) {
         resourceFile.text = "logstash-core: ${logstashCoreVersion}"
     }
 }
+// Test execution tasks without dependencies
+tasks.register("javaTestsOnly", Test) {
+    setDependsOn([])
+    exclude '/org/logstash/RSpecTests.class'
+    exclude '/org/logstash/config/ir/ConfigCompilerTest.class'
+    exclude '/org/logstash/config/ir/CompiledPipelineTest.class'
+    exclude '/org/logstash/config/ir/EventConditionTest.class'
+    exclude '/org/logstash/config/ir/PipelineConfigTest.class'
+    exclude '/org/logstash/config/ir/compiler/OutputDelegatorTest.class'
+    exclude '/org/logstash/config/ir/compiler/JavaCodecDelegatorTest.class'
+    exclude '/org/logstash/plugins/NamespacedMetricImplTest.class'
+    exclude '/org/logstash/plugins/CounterMetricImplTest.class'
+    exclude '/org/logstash/plugins/factory/PluginFactoryExtTest.class'
+    exclude '/org/logstash/execution/ObservedExecutionTest.class'
+
+    // SSL and security settings
+    systemProperty "java.security.properties", System.getenv("JAVA_SECURITY_PROPERTIES")
+    systemProperty "javax.net.ssl.keyStore", "/etc/java/security/keystore.bcfks"
+    systemProperty "javax.net.ssl.keyStoreType", "BCFKS"
+    systemProperty "javax.net.ssl.keyStoreProvider", "BCFIPS"
+    systemProperty "javax.net.ssl.keyStorePassword", "changeit"
+    systemProperty "javax.net.ssl.trustStore", "/etc/java/security/cacerts.bcfks"
+    systemProperty "javax.net.ssl.trustStoreType", "BCFKS"
+    systemProperty "javax.net.ssl.trustStoreProvider", "BCFIPS"
+    systemProperty "javax.net.ssl.trustStorePassword", "changeit"
+    systemProperty "ssl.KeyManagerFactory.algorithm", "PKIX"
+    systemProperty "ssl.TrustManagerFactory.algorithm", "PKIX"
+    systemProperty "org.bouncycastle.fips.approved_only", "true"
+}
+
+tasks.register("rubyTestsOnly", Test) {
+    setDependsOn([])
+    inputs.files fileTree("${projectDir}/lib")
+    inputs.files fileTree("${projectDir}/spec")
+    systemProperty 'logstash.root.dir', projectDir.parent
+
+    include '/org/logstash/RSpecTests.class'
+    include '/org/logstash/config/ir/ConfigCompilerTest.class'
+    include '/org/logstash/config/ir/CompiledPipelineTest.class'
+    include '/org/logstash/config/ir/EventConditionTest.class'
+    include '/org/logstash/config/ir/PipelineConfigTest.class'
+    include '/org/logstash/config/ir/compiler/OutputDelegatorTest.class'
+    include '/org/logstash/config/ir/compiler/JavaCodecDelegatorTest.class'
+    include '/org/logstash/plugins/NamespacedMetricImplTest.class'
+    include '/org/logstash/plugins/CounterMetricImplTest.class'
+    include '/org/logstash/plugins/factory/PluginFactoryExtTest.class'
+    include '/org/logstash/execution/ObservedExecutionTest.class'
+
+    // SSL and security settings
+    systemProperty "java.security.properties", System.getenv("JAVA_SECURITY_PROPERTIES")
+    systemProperty "javax.net.ssl.keyStore", "/etc/java/security/keystore.bcfks"
+    systemProperty "javax.net.ssl.keyStoreType", "BCFKS"
+    systemProperty "javax.net.ssl.keyStoreProvider", "BCFIPS"
+    systemProperty "javax.net.ssl.keyStorePassword", "changeit"
+    systemProperty "javax.net.ssl.trustStore", "/etc/java/security/cacerts.bcfks"
+    systemProperty "javax.net.ssl.trustStoreType", "BCFKS"
+    systemProperty "javax.net.ssl.trustStoreProvider", "BCFIPS"
+    systemProperty "javax.net.ssl.trustStorePassword", "changeit"
+    systemProperty "ssl.KeyManagerFactory.algorithm", "PKIX"
+    systemProperty "ssl.TrustManagerFactory.algorithm", "PKIX"
+    systemProperty "org.bouncycastle.fips.approved_only", "true"
+}
+// Setup task combining all prerequisites
+tasks.register("testSetup") {
+    dependsOn ':bootstrap'
+    dependsOn 'classes'
+    dependsOn 'testClasses'
+    dependsOn 'compileTestJava'
+    dependsOn 'copyRuntimeLibs'
+    dependsOn 'generateVersionInfoResources'
+    dependsOn ':copyPluginTestAlias'
+    dependsOn ':installDevelopmentGems'
+}
 sourceSets {
     main { output.dir(generateVersionInfoResources.outputs.files) }
 }
@@ -235,6 +280,10 @@ dependencies {
     runtimeOnly 'commons-logging:commons-logging:1.3.1'
     // also handle libraries relying on log4j 1.x to redirect their logs
     runtimeOnly "org.apache.logging.log4j:log4j-1.2-api:${log4jVersion}"
+    runtimeOnly("org.bouncycastle:bc-fips:2.0.0")
+    runtimeOnly("org.bouncycastle:bcpkix-fips:2.0.7")
+    runtimeOnly("org.bouncycastle:bctls-fips:2.0.19")
+    runtimeOnly("org.bouncycastle:bcutil-fips:2.0.3")
     implementation('org.reflections:reflections:0.10.2') {
         exclude group: 'com.google.guava', module: 'guava'
     }
@@ -263,4 +312,4 @@ dependencies {
     api group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.14'
     api group: 'commons-codec', name: 'commons-codec', version: '1.17.0'
     api group: 'org.apache.httpcomponents', name: 'httpcore', version: '4.4.16'
-}
+}

rubyUtils.gradle

@@ -228,6 +228,7 @@ def customJRubyVersion = customJRubyDir == "" ? "" : Files.readAllLines(Paths.ge
 def customJRubyTar = customJRubyDir == "" ? "" : (customJRubyDir + "/maven/jruby-dist/target/jruby-dist-${customJRubyVersion}-bin.tar.gz")
 
 tasks.register("downloadJRuby", Download) {
+    onlyIf { !project.hasProperty('skipJRubySetup') }
     description "Download JRuby artifact from this specific URL: ${jRubyURL}"
     src jRubyURL
     onlyIfNewer true