Use new ezbake methods for managing BC FIPS jars

The method we were using before was very hacky, taking advantage of this project copying stuff from resources/ext/build-scripts into the staging dir and using the vox:build Rake task to put things in the right place. This uses the changes in the latest ezbake to do the same procedure, pulling BC jars from the classpath and Maven cache, but letting ezbake handle it instead of hacking it in.

Author: nmburgan

.gitignore

@@ -36,9 +36,4 @@ acceptance/scripts/hosts.cfg
 /resources/puppetlabs/puppetserver/*.class
 /dev-resources/i18n/bin
 
-# Ignore temp directory where BC jars go during build
-# in case it doesn't get cleaned up.
-resources/ext/build-scripts/bc-fips-jars
-resources/ext/build-scripts/bc-nonfips-jars
-
 .DS_Store

project.clj

@@ -214,15 +214,30 @@
                          :lein-ezbake {:vars {:java-args ~(str
                                                             "-Djava.security.properties==/opt/puppetlabs/server/data/puppetserver/java.security.fips "
                                                             "-Xms2g -Xmx2g "
-                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}}
+                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}
+                                       :classpath-jars [{:artifact org.bouncycastle/bc-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bcpkix-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bctls-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 ;; Only used for installing vendored gems during packaging and not included
+                                                 ;; in the final package, thus no :install key.
+                                                 {:artifact org.bouncycastle/bcpkix-jdk18on}
+                                                 {:artifact org.bouncycastle/bcprov-jdk18on}]
+                                          :project-files [{:file "resources/ext/java.security.fips"
+                                                           :install {:path "/opt/puppetlabs/server/data/puppetserver"}}]}
                          :jvm-opts ~(let [version (System/getProperty "java.specification.version")
                                           [major minor _] (clojure.string/split version #"\.")
                                           unsupported-ex (ex-info "Unsupported major Java version."
                                                            {:major major
                                                             :minor minor})]
                                       (condp = (java.lang.Integer/parseInt major)
-                                        17 ["-Djava.security.properties==./resources/ext/build-scripts/java.security.fips"]
-                                        21 ["-Djava.security.properties==./resources/ext/build-scripts/java.security.fips"]
+                                        17 ["-Djava.security.properties==./resources/ext/java.security.fips"]
+                                        21 ["-Djava.security.properties==./resources/ext/java.security.fips"]
                                         (do)))}
              :fips [:defaults :fips-deps]
 
@@ -256,19 +271,24 @@
                                                [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                [org.openvoxproject/trapperkeeper-metrics]]
-                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
 
              :ezbake-fips {:dependencies ^:replace [[org.clojure/clojure]
+                                                    ;; The non-FIPS BC jar is only needed for installing vendored gems
+                                                    ;; at packaging time, and is not included in the final package.
                                                     [org.bouncycastle/bcpkix-jdk18on]
+                                                    [org.bouncycastle/bc-fips]
+                                                    [org.bouncycastle/bcpkix-fips]
+                                                    [org.bouncycastle/bctls-fips]
                                                     [org.openvoxproject/jruby-utils]
                                                     ;; Do not modify this line. It is managed by the release process
                                                     ;; via the scripts/sync_ezbake_dep.rb script.
                                                     [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                     [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                     [org.openvoxproject/trapperkeeper-metrics]]
                             :uberjar-exclusions [#"^org/bouncycastle/.*"]
-                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
              :uberjar {:dependencies [[org.openvoxproject/trapperkeeper-webserver-jetty10]]
                        :aot [puppetlabs.trapperkeeper.main

resources/ext/build-scripts/install-vendored-gems.sh

@@ -15,7 +15,7 @@ install_gems () {
     gem_list+=("$gem_name:$gem_version")
   done < $gem_file
 
-  java -cp ext/build-scripts/bc-nonfips-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
+  java -cp ext/classpath-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
 }
 
 SOURCE="${BASH_SOURCE[0]}"

resources/ext/ezbake.conf

@@ -9,14 +9,8 @@ ezbake: {
    foss: {
       redhat: { dependencies: ["openvox-agent >= 8.21.1"],
                 build-dependencies: ["%{open_jdk}"],
-                # Install some gems, and install BC FIPS jars if the build task copied them to the right place.
-                # This is admittedly pretty hacky, but it prevents us from having to add another strand of
-                # complexity to the already complex ezbake build process.
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                # Install some gems
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # This is terrible, but we need write access to puppet's
                # var/conf dirs, so we need to add ourselves to the group.
                # Then we need to chmod some dirs until the Puppet packaging
@@ -42,12 +36,7 @@ ezbake: {
 
       debian: { dependencies: ["openvox-agent (>= 8.21.1)"],
                 build-dependencies: ["openjdk-17-jre-headless"],
-                # see redhat comments on why this is hacky
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # see redhat comments on why this is terrible
                postinst-install: [
                  "install --owner={{user}} --group={{user}} -d /opt/puppetlabs/server/data/puppetserver/jruby-gems",

…ces/ext/build-scripts/java.security.fips resources/ext/java.security.fipsresources/ext/build-scripts/java.security.fips renamed to resources/ext/java.security.fips resources/ext/build-scripts/java.security.fips renamed to resources/ext/java.security.fips

@@ -152,31 +152,7 @@ namespace :vox do
         run("cd /code && COW=\"#{@debs}\" MOCK=\"#{@nonfips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile user,ezbake,provided ezbake local-build")
       end
 
-      # When building for FIPS, we have to have the Bouncy Castle FIPS jars live on disk separate
-      # from the uberjar, due to signing of those jars. Ezbake doesn't have a great way to handle this,
-      # so we copy them from the local Maven cache inside the container to a place ezbake knows how to
-      # find them, and then have it build the RPM with it laying down those files in the right place.
       unless @fips_rpms.empty?
-        puts "Copy Bouncy Castle FIPS jars into ezbake resource location"
-        dest = '/code/resources/ext/build-scripts/bc-fips-jars'
-        run("mkdir -p #{dest}")
-        cmd = "cd /code && lein with-profile ezbake-fips,fips classpath"
-        stdout, stderr, status = Open3.capture3("docker exec #{@container} /bin/bash --login -c '#{cmd}'")
-        unless status.success?
-          puts "Failed to get classpath for FIPS build: #{stderr}"
-          exit 1
-        end
-        classpath = stdout.strip
-        paths = classpath.split(':').select { |p| p =~ /bcpkix-fips|bc-fips|bctls-fips/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
-        # We also copy the non-FIPS jdk18on jars as well. This is only for the step where we install
-        # vendored gems during the packaging step and they are not included in the final package.
-        dest = '/code/resources/ext/build-scripts/bc-nonfips-jars'
-        run("mkdir -p #{dest}")
-        paths = classpath.split(':').select { |p| p =~ /jdk18on/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
         run("cd /code && COW= MOCK=\"#{@fips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile fips,user,ezbake-fips,provided ezbake local-build")
       end