Prefer new test cluster framework for new fips setting

jakelandis · Jan 11, 2024 · 8ab505a · 8ab505a
1 parent a354b45
commit 8ab505a
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 27 deletions.
diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -79,7 +79,6 @@ if (BuildParams.inFipsJvm) {
           // with no x-pack. Tests having security explicitly enabled/disabled will override this setting
           setting 'xpack.security.enabled', 'false'
           setting 'xpack.security.fips_mode.enabled', 'true'
-          setting 'xpack.security.fips_mode.required_providers', '["BCFIPS", "BCJSSE"]'
           setting 'xpack.license.self_generated.type', 'trial'
           setting 'xpack.security.authc.password_hashing.algorithm', 'pbkdf2_stretch'
           keystorePassword 'keystore-password'

diff --git a/.../src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java b/.../src/main/java/org/elasticsearch/test/cluster/local/FipsEnabledClusterConfigProvider.java
@@ -8,10 +8,15 @@
 
 package org.elasticsearch.test.cluster.local;
 
+
+import org.elasticsearch.test.cluster.util.Version;
 import org.elasticsearch.test.cluster.util.resource.Resource;
 
+import java.util.HashMap;
+
 public class FipsEnabledClusterConfigProvider implements LocalClusterConfigProvider {
 
+
     @Override
     public void apply(LocalClusterSpecBuilder<?> builder) {
         if (isFipsEnabled()) {
@@ -33,7 +38,14 @@ public void apply(LocalClusterSpecBuilder<?> builder) {
                 .setting("xpack.security.fips_mode.enabled", "true")
                 .setting("xpack.license.self_generated.type", "trial")
                 .setting("xpack.security.authc.password_hashing.algorithm", "pbkdf2_stretch")
-                .keystorePassword("keystore-password");
+                .keystorePassword("keystore-password")
+                .settings(node -> {
+                    var settings = new HashMap<String, String>(1);
+                    if(node.getVersion().onOrAfter(Version.fromString("8.13.0"))){
+                        settings.put("xpack.security.fips_mode.required_providers", "[BCFIPS, BCJSSE]");
+                    }
+                    return settings;
+                });
         }
     }
 

diff --git a/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle b/x-pack/plugin/ml/qa/multi-cluster-tests-with-security/build.gradle
@@ -50,29 +50,16 @@ testClusters.register('mixed-cluster') {
 tasks.register('remote-cluster', RestIntegTestTask) {
   mustRunAfter("precommit")
   systemProperty 'tests.rest.suite', 'remote_cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.register('mixed-cluster', RestIntegTestTask) {
   dependsOn 'remote-cluster'
   useCluster remoteCluster
   systemProperty 'tests.rest.suite', 'multi_cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.register("integTest") {
   dependsOn 'mixed-cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.named("check").configure { dependsOn("integTest") }
-
-//TODO: remove with version 8.14. A new FIPS setting was added in 8.13. Since FIPS configures all test clusters and this specific integTest uses
-// the previous minor version, that setting is not available when running in FIPS until 8.14.
-def maybeDisableForFips(task) {
-  if (BuildParams.inFipsJvm) {
-    if(Version.fromString(project.version).before(Version.fromString('8.14.0'))) {
-      task.enabled = false
-    }
-  }
-}
diff --git a/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle b/x-pack/plugin/transform/qa/multi-cluster-tests-with-security/build.gradle
@@ -54,29 +54,17 @@ testClusters.register('mixed-cluster') {
 tasks.register('remote-cluster', RestIntegTestTask) {
   mustRunAfter("precommit")
   systemProperty 'tests.rest.suite', 'remote_cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.register('mixed-cluster', RestIntegTestTask) {
   dependsOn 'remote-cluster'
   useCluster remoteCluster
   systemProperty 'tests.rest.suite', 'multi_cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.register("integTest") {
   dependsOn 'mixed-cluster'
-  maybeDisableForFips(it)
 }
 
 tasks.named("check").configure { dependsOn("integTest") }
 
-//TODO: remove with version 8.14. A new FIPS setting was added in 8.13. Since FIPS configures all test clusters and this specific integTest uses
-// the previous minor version, that setting is not available when running in FIPS until 8.14.
-def maybeDisableForFips(task) {
-  if (BuildParams.inFipsJvm) {
-    if(Version.fromString(project.version).before(Version.fromString('8.14.0'))) {
-      task.enabled = false
-    }
-  }
-}