Check for -Dorg.bouncycastle.fips.approved_only in testclusters to run with FIPS enforcement

[cwperks]

Description

Currently, testclusters will always assume that it should run with FIPS enforcement if -Pcrypto.standard=FIPS-140-3 is supplied. The problem is, this is a build param needed for assembly, but at runtime the JVM expects the system prop org.bouncycastle.fips.approved_only to enforce that a cluster is running in FIPS mode.

Without this change, testclusters fail with

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':integ-test:integTest'.
> Can not start node{:integ-test:integTest-0} in FIPS JVM, missing keystore password

and the workaround is to add keystorePassword 'notarealpasswordphrase' to the testclusters declaration.

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Modified the FIPS mode validation in OpenSearchNode.start() to require both FIPS mode enabled and the system property org.bouncycastle.fips.approved_only set to "true" before enforcing keystore password requirements, adding an additional runtime gate to the validation logic.

Changes

Cohort / File(s)	Summary
FIPS Keystore Validation buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java	Tightened keystore password enforcement condition to additionally check for org.bouncycastle.fips.approved_only system property set to "true" alongside FIPS mode, adding an extra runtime gate before validation throws.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Use env variable (OPENSEARCH_FIPS_MODE) to enable opensearch to run in FIPS enforced mode instead of checking for existence of bcFIPS jars #20625: Introduces OPENSEARCH_FIPS_MODE and sets the -Dorg.bouncycastle.fips.approved_only=true system property that this change now gates validation against.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description clearly explains the problem (build param vs runtime property mismatch), the impact (test failures with a specific error), the solution, and includes the required checklist and DCO confirmation.
Title check	✅ Passed	The title accurately reflects the main change: checking for the org.bouncycastle.fips.approved_only system property in testclusters for FIPS enforcement at runtime.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❗ AI-powered Code-Diff-Analyzer found issues on commit c09fabc.

Path	Line	Severity	Description
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java	552	high	FIPS security check weakened: Added additional condition requiring 'org.bouncycastle.fips.approved_only' system property to be 'true'. This creates a bypass where FIPS mode can start without keystore password if this property is not set, potentially allowing unauthorized access or weak encryption in FIPS-compliant environments. The original check would unconditionally prevent starting in FIPS mode without a keystore password.

The table above displays the top 10 most important findings.

Total: 1 | Critical: 0 | High: 1 | Medium: 0 | Low: 0

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[cwperks]

@reta when you have a moment, this is a quick fix to fix an issue encountered with testclusters.

[github-actions]

❌ Gradle check result for 62fd04d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for e8525f8: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for e8525f8: SUCCESS

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.27%. Comparing base (6b557db) to head (e8525f8).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
...va/org/opensearch/gradle/info/FipsBuildParams.java	0.00%	1 Missing ⚠️
...opensearch/gradle/testclusters/OpenSearchNode.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20685      +/-   ##
============================================
- Coverage     73.32%   73.27%   -0.06%     
+ Complexity    72064    71972      -92     
============================================
  Files          5781     5781              
  Lines        329395   329403       +8     
  Branches      47525    47527       +2     
============================================
- Hits         241536   241370     -166     
- Misses        68507    68659     +152     
- Partials      19352    19374      +22     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.