Add fips.mode configuration to control truststore check in FIPS mode

tangkai55 · tangkai55 · commit 128224fdeb91 · 2026-04-04T15:20:09.000+08:00
diff --git a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageClientSettings.java b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageClientSettings.java
@@ -189,6 +189,16 @@ public class GoogleCloudStorageClientSettings {
         key -> Setting.simpleString(key, Setting.Property.NodeScope)
     );
 
+    /**
+     * Whether to enable FIPS mode validation for the GCS client.
+     * Set to false to bypass custom truststore check in FIPS-enabled environments.
+     */
+    static final Setting.AffixSetting<Boolean> FIPS_MODE_SETTING = Setting.affixKeySetting(
+        PREFIX,
+        "fips.mode",
+        key -> Setting.boolSetting(key, true, Setting.Property.NodeScope)
+    );
+
     /** The credentials used by the client to connect to the Storage endpoint. */
     private final ServiceAccountCredentials credential;
 
@@ -216,6 +226,12 @@ public class GoogleCloudStorageClientSettings {
     /** The GCS SDK Truststore settings. */
     private final TruststoreSettings truststoreSettings;
 
+    /**
+     * Whether to enforce FIPS mode validation for this GCS client.
+     * When true and running in a FIPS-enabled JVM, a custom truststore must be configured.
+     */
+    private final boolean fipsMode;
+
     GoogleCloudStorageClientSettings(
         final ServiceAccountCredentials credential,
         final String endpoint,
@@ -225,7 +241,8 @@ public class GoogleCloudStorageClientSettings {
         final String applicationName,
         final URI tokenUri,
         final ProxySettings proxySettings,
-        final TruststoreSettings truststoreSettings
+        final TruststoreSettings truststoreSettings,
+        final boolean fipsMode
     ) {
         this.credential = credential;
         this.endpoint = endpoint;
@@ -236,6 +253,7 @@ public class GoogleCloudStorageClientSettings {
         this.tokenUri = tokenUri;
         this.proxySettings = proxySettings;
         this.truststoreSettings = truststoreSettings;
+        this.fipsMode = fipsMode;
     }
 
     public ServiceAccountCredentials getCredential() {
@@ -297,7 +315,8 @@ static GoogleCloudStorageClientSettings getClientSettings(final Settings setting
             getConfigValue(settings, clientName, APPLICATION_NAME_SETTING),
             getConfigValue(settings, clientName, TOKEN_URI_SETTING),
             validateAndCreateProxySettings(settings, clientName),
-            validateAndCreateTruststoreSettings(settings, clientName)
+            validateAndCreateTruststoreSettings(settings, clientName),
+            getConfigValue(settings, clientName, FIPS_MODE_SETTING)
         );
     }
 
@@ -397,4 +416,12 @@ private static <T> T getConfigValue(final Settings settings, final String client
         final Setting<T> concreteSetting = clientSetting.getConcreteSettingForNamespace(clientName);
         return concreteSetting.get(settings);
     }
+
+    /**
+     * Returns whether FIPS mode validation is enabled for this client.
+     * @return true if FIPS mode validation is enabled, false otherwise
+     */
+    public boolean isFipsMode() {
+        return fipsMode;
+    }
 }
diff --git a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
@@ -193,8 +193,7 @@ private HttpTransport createHttpTransport(final GoogleCloudStorageClientSettings
         return AccessController.doPrivilegedChecked(() -> {
             try {
                 final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
-                final TruststoreSettings truststoreSettings = clientSettings.getTruststoreSettings();
-                builder.trustCertificates(loadTrustStore(truststoreSettings));
+                builder.trustCertificates(loadTrustStore(clientSettings));
 
                 final ProxySettings proxySettings = clientSettings.getProxySettings();
                 if (proxySettings != ProxySettings.NO_PROXY_SETTINGS) {
@@ -219,7 +218,8 @@ protected PasswordAuthentication getPasswordAuthentication() {
         });
     }
 
-    private KeyStore loadTrustStore(TruststoreSettings truststoreSettings) throws GeneralSecurityException, IOException {
+    private KeyStore loadTrustStore(GoogleCloudStorageClientSettings clientSettings) throws GeneralSecurityException, IOException {
+        TruststoreSettings truststoreSettings = clientSettings.getTruststoreSettings();
         KeyStore certTrustStore;
         if (truststoreSettings.isConfigured()) {
             final var truststorePath = truststoreSettings.path();
@@ -230,7 +230,7 @@ private KeyStore loadTrustStore(TruststoreSettings truststoreSettings) throws Ge
                 SecurityUtils.loadKeyStore(certTrustStore, trustStoreStream, truststorePassword.toString());
             }
             logger.debug("Loaded custom truststore from path: {} with type: {}", truststorePath, truststoreType);
-        } else if (Security.getProvider("BCFIPS") != null) {
+        } else if (clientSettings.isFipsMode() && Security.getProvider("BCFIPS") != null) {
             throw new IllegalStateException(
                 "FIPS mode is active but no custom truststore is configured. "
                     + "Please configure gcs.client.<client-name>.truststore.path and "
