Use new ezbake methods for managing BC FIPS jars

project.clj

@@ -214,7 +214,22 @@
                          :lein-ezbake {:vars {:java-args ~(str
                                                             "-Djava.security.properties==/opt/puppetlabs/server/data/puppetserver/java.security.fips "
                                                             "-Xms2g -Xmx2g "
-                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}}
+                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}
+                                       :classpath-jars [{:artifact org.bouncycastle/bc-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bcpkix-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bctls-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 ;; Only used for installing vendored gems during packaging and not included
+                                                 ;; in the final package, thus no :install key.
+                                                 {:artifact org.bouncycastle/bcpkix-jdk18on}
+                                                 {:artifact org.bouncycastle/bcprov-jdk18on}]
+                                          :project-files [{:file "resources/ext/java.security.fips"
+                                                           :install {:path "/opt/puppetlabs/server/data/puppetserver"}}]}
                          :jvm-opts ~(let [version (System/getProperty "java.specification.version")
                                           [major minor _] (clojure.string/split version #"\.")
                                           unsupported-ex (ex-info "Unsupported major Java version."
@@ -256,19 +271,24 @@
                                                [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                [org.openvoxproject/trapperkeeper-metrics]]
-                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
 
              :ezbake-fips {:dependencies ^:replace [[org.clojure/clojure]
+                                                    ;; The non-FIPS BC jar is only needed for installing vendored gems
+                                                    ;; at packaging time, and is not included in the final package.
                                                     [org.bouncycastle/bcpkix-jdk18on]
+                                                    [org.bouncycastle/bc-fips]
+                                                    [org.bouncycastle/bcpkix-fips]
+                                                    [org.bouncycastle/bctls-fips]
                                                     [org.openvoxproject/jruby-utils]
                                                     ;; Do not modify this line. It is managed by the release process
                                                     ;; via the scripts/sync_ezbake_dep.rb script.
                                                     [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                     [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                     [org.openvoxproject/trapperkeeper-metrics]]
                             :uberjar-exclusions [#"^org/bouncycastle/.*"]
-                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
              :uberjar {:dependencies [[org.openvoxproject/trapperkeeper-webserver-jetty10]]
                        :aot [puppetlabs.trapperkeeper.main

resources/ext/build-scripts/install-vendored-gems.sh

@@ -15,7 +15,7 @@ install_gems () {
     gem_list+=("$gem_name:$gem_version")
   done < $gem_file
 
-  java -cp ext/build-scripts/bc-nonfips-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
+  java -cp ext/classpath-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
 }
 
 SOURCE="${BASH_SOURCE[0]}"

resources/ext/ezbake.conf

@@ -9,14 +9,8 @@ ezbake: {
    foss: {
       redhat: { dependencies: ["openvox-agent >= 8.21.1"],
                 build-dependencies: ["%{open_jdk}"],
-                # Install some gems, and install BC FIPS jars if the build task copied them to the right place.
-                # This is admittedly pretty hacky, but it prevents us from having to add another strand of
-                # complexity to the already complex ezbake build process.
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                # Install some gems
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # This is terrible, but we need write access to puppet's
                # var/conf dirs, so we need to add ourselves to the group.
                # Then we need to chmod some dirs until the Puppet packaging
@@ -42,12 +36,7 @@ ezbake: {
 
       debian: { dependencies: ["openvox-agent (>= 8.21.1)"],
                 build-dependencies: ["openjdk-17-jre-headless"],
-                # see redhat comments on why this is hacky
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # see redhat comments on why this is terrible
                postinst-install: [
                  "install --owner={{user}} --group={{user}} -d /opt/puppetlabs/server/data/puppetserver/jruby-gems",

tasks/build.rake

@@ -152,31 +152,7 @@ namespace :vox do
         run("cd /code && COW=\"#{@debs}\" MOCK=\"#{@nonfips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile user,ezbake,provided ezbake local-build")
       end
 
-      # When building for FIPS, we have to have the Bouncy Castle FIPS jars live on disk separate
-      # from the uberjar, due to signing of those jars. Ezbake doesn't have a great way to handle this,
-      # so we copy them from the local Maven cache inside the container to a place ezbake knows how to
-      # find them, and then have it build the RPM with it laying down those files in the right place.
       unless @fips_rpms.empty?
-        puts "Copy Bouncy Castle FIPS jars into ezbake resource location"
-        dest = '/code/resources/ext/build-scripts/bc-fips-jars'
-        run("mkdir -p #{dest}")
-        cmd = "cd /code && lein with-profile ezbake-fips,fips classpath"
-        stdout, stderr, status = Open3.capture3("docker exec #{@container} /bin/bash --login -c '#{cmd}'")
-        unless status.success?
-          puts "Failed to get classpath for FIPS build: #{stderr}"
-          exit 1
-        end
-        classpath = stdout.strip
-        paths = classpath.split(':').select { |p| p =~ /bcpkix-fips|bc-fips|bctls-fips/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
-        # We also copy the non-FIPS jdk18on jars as well. This is only for the step where we install
-        # vendored gems during the packaging step and they are not included in the final package.
-        dest = '/code/resources/ext/build-scripts/bc-nonfips-jars'
-        run("mkdir -p #{dest}")
-        paths = classpath.split(':').select { |p| p =~ /jdk18on/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
         run("cd /code && COW= MOCK=\"#{@fips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile fips,user,ezbake-fips,provided ezbake local-build")
       end