Extend test pipelines for fips mode to java unit tests and integration

donoghuc · donoghuc · commit 41a470bb770e · 2025-02-06T11:19:48.000-08:00
diff --git a/.buildkite/pull_request_pipeline.yml b/.buildkite/pull_request_pipeline.yml
@@ -47,7 +47,8 @@ steps:
       diskSizeGb: 64
     retry:
       automatic:
-        - limit: 3
+      # dont retry on failure while they are expected
+        - limit: 0
     command: |
       set -euo pipefail
 
@@ -77,6 +78,30 @@ steps:
       - "**/jacocoTestReport.xml"
       - "**/build/classes/**/*.*"
 
+  - label: ":java: Java unit tests - FIPS mode"
+    key: "java-unit-tests-fips"
+    agents:
+      provider: gcp
+      imageProject: elastic-images-prod
+      image: family/platform-ingest-logstash-ubuntu-2204
+      machineType: "n2-standard-4"
+      diskSizeGb: 64
+    retry:
+      automatic:
+      # dont retry on failure while they are expected
+        - limit: 0
+    env:
+      ENABLE_SONARQUBE: true
+    command: |
+      set -euo pipefail
+
+      docker build -t test-runner-image -f x-pack/distributions/internal/observabilitySRE/docker/Dockerfile .
+      docker run test-runner-image ./gradlew --info --stacktrace -PrunTestsInFIPSMode=true javaTests
+    artifact_paths:
+      - "**/build/test-results/javaTests/TEST-*.xml"
+      - "**/jacocoTestReport.xml"
+      - "**/build/classes/**/*.*"
+
   - label: ":sonarqube: Continuous Code Inspection"
     if: | 
       build.pull_request.id != null || 
@@ -98,6 +123,24 @@ steps:
       manual:
         allowed: true
 
+  - label: ":lab_coat: Integration Tests - FIPS mode"
+    key: "integration-tests-fips"
+    agents:
+      provider: gcp
+      imageProject: elastic-images-prod
+      image: family/platform-ingest-logstash-ubuntu-2204
+      machineType: "n2-standard-4"
+      diskSizeGb: 64
+    retry:
+      automatic:
+      # dont retry on failure while they are expected
+        - limit: 0
+    command: |
+      set -euo pipefail
+
+      docker build -t test-runner-image -f x-pack/distributions/internal/observabilitySRE/docker/Dockerfile .
+      docker run test-runner-image ./gradlew --info --stacktrace -PrunTestsInFIPSMode=true runIntegrationTests
+
   - label: ":lab_coat: Integration Tests / part 1"
     key: "integration-tests-part-1"
     agents:
diff --git a/logstash-core/build.gradle b/logstash-core/build.gradle
@@ -124,6 +124,20 @@ tasks.register("javaTests", Test) {
     exclude '/org/logstash/plugins/factory/PluginFactoryExtTest.class'
     exclude '/org/logstash/execution/ObservedExecutionTest.class'
 
+    if (runTestsInFIPSMode) {
+        systemProperty "java.security.properties", System.getenv("JAVA_SECURITY_PROPERTIES")
+        systemProperty "javax.net.ssl.keyStore", "/etc/java/security/keystore.bcfks"
+        systemProperty "javax.net.ssl.keyStoreType", "BCFKS"
+        systemProperty "javax.net.ssl.keyStoreProvider", "BCFIPS"
+        systemProperty "javax.net.ssl.keyStorePassword", "changeit"
+        systemProperty "javax.net.ssl.trustStore", "/etc/java/security/cacerts.bcfks"
+        systemProperty "javax.net.ssl.trustStoreType", "BCFKS"
+        systemProperty "javax.net.ssl.trustStoreProvider", "BCFIPS"
+        systemProperty "javax.net.ssl.trustStorePassword", "changeit"
+        systemProperty "ssl.KeyManagerFactory.algorithm", "PKIX"
+        systemProperty "ssl.TrustManagerFactory.algorithm", "PKIX"
+        systemProperty "org.bouncycastle.fips.approved_only", "true"
+    }
     jacoco {
         enabled = true
         destinationFile = layout.buildDirectory.file('jacoco/test.exec').get().asFile
diff --git a/qa/integration/build.gradle b/qa/integration/build.gradle
@@ -72,6 +72,20 @@ tasks.register("integrationTests", Test) {
   inputs.files fileTree("${projectDir}/specs")
 
   systemProperty 'logstash.root.dir', projectDir.toPath().getParent().getParent().toString()
+  if (runTestsInFIPSMode) {
+      systemProperty "java.security.properties", System.getenv("JAVA_SECURITY_PROPERTIES")
+      systemProperty "javax.net.ssl.keyStore", "/etc/java/security/keystore.bcfks"
+      systemProperty "javax.net.ssl.keyStoreType", "BCFKS"
+      systemProperty "javax.net.ssl.keyStoreProvider", "BCFIPS"
+      systemProperty "javax.net.ssl.keyStorePassword", "changeit"
+      systemProperty "javax.net.ssl.trustStore", "/etc/java/security/cacerts.bcfks"
+      systemProperty "javax.net.ssl.trustStoreType", "BCFKS"
+      systemProperty "javax.net.ssl.trustStoreProvider", "BCFIPS"
+      systemProperty "javax.net.ssl.trustStorePassword", "changeit"
+      systemProperty "ssl.KeyManagerFactory.algorithm", "PKIX"
+      systemProperty "ssl.TrustManagerFactory.algorithm", "PKIX"
+      systemProperty "org.bouncycastle.fips.approved_only", "true"
+  }
   include '/org/logstash/integration/RSpecTests.class'
 
   outputs.upToDateWhen {
