Merge pull request #196 from OpenVoxProject/classpath_jars

nmburgan · web-flow · commit fa9e70096d9e · 2026-01-22T18:26:49.000-08:00
Use new ezbake methods for managing BC FIPS jars
diff --git a/.gitignore b/.gitignore
@@ -36,9 +36,4 @@ acceptance/scripts/hosts.cfg
 /resources/puppetlabs/puppetserver/*.class
 /dev-resources/i18n/bin
 
-# Ignore temp directory where BC jars go during build
-# in case it doesn't get cleaned up.
-resources/ext/build-scripts/bc-fips-jars
-resources/ext/build-scripts/bc-nonfips-jars
-
 .DS_Store
diff --git a/project.clj b/project.clj
@@ -214,15 +214,30 @@
                          :lein-ezbake {:vars {:java-args ~(str
                                                             "-Djava.security.properties==/opt/puppetlabs/server/data/puppetserver/java.security.fips "
                                                             "-Xms2g -Xmx2g "
-                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}}
+                                                            "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger")}
+                                       :classpath-jars [{:artifact org.bouncycastle/bc-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bcpkix-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 {:artifact org.bouncycastle/bctls-fips
+                                                  :install {:path "/opt/puppetlabs/server/data/puppetserver/jars"
+                                                            :mode "0644"}}
+                                                 ;; Only used for installing vendored gems during packaging and not included
+                                                 ;; in the final package, thus no :install key.
+                                                 {:artifact org.bouncycastle/bcpkix-jdk18on}
+                                                 {:artifact org.bouncycastle/bcprov-jdk18on}]
+                                          :project-files [{:file "resources/ext/java.security.fips"
+                                                           :install {:path "/opt/puppetlabs/server/data/puppetserver"}}]}
                          :jvm-opts ~(let [version (System/getProperty "java.specification.version")
                                           [major minor _] (clojure.string/split version #"\.")
                                           unsupported-ex (ex-info "Unsupported major Java version."
                                                            {:major major
                                                             :minor minor})]
                                       (condp = (java.lang.Integer/parseInt major)
-                                        17 ["-Djava.security.properties==./resources/ext/build-scripts/java.security.fips"]
-                                        21 ["-Djava.security.properties==./resources/ext/build-scripts/java.security.fips"]
+                                        17 ["-Djava.security.properties==./resources/ext/java.security.fips"]
+                                        21 ["-Djava.security.properties==./resources/ext/java.security.fips"]
                                         (do)))}
              :fips [:defaults :fips-deps]
 
@@ -256,19 +271,24 @@
                                                [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                [org.openvoxproject/trapperkeeper-metrics]]
-                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                      :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
 
              :ezbake-fips {:dependencies ^:replace [[org.clojure/clojure]
+                                                    ;; The non-FIPS BC jar is only needed for installing vendored gems
+                                                    ;; at packaging time, and is not included in the final package.
                                                     [org.bouncycastle/bcpkix-jdk18on]
+                                                    [org.bouncycastle/bc-fips]
+                                                    [org.bouncycastle/bcpkix-fips]
+                                                    [org.bouncycastle/bctls-fips]
                                                     [org.openvoxproject/jruby-utils]
                                                     ;; Do not modify this line. It is managed by the release process
                                                     ;; via the scripts/sync_ezbake_dep.rb script.
                                                     [org.openvoxproject/puppetserver "8.13.0-SNAPSHOT"]
                                                     [org.openvoxproject/trapperkeeper-webserver-jetty10]
                                                     [org.openvoxproject/trapperkeeper-metrics]]
                             :uberjar-exclusions [#"^org/bouncycastle/.*"]
-                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.2")]]
+                            :plugins [[org.openvoxproject/lein-ezbake ~(or (System/getenv "EZBAKE_VERSION") "2.7.3")]]
                       :name "puppetserver"}
              :uberjar {:dependencies [[org.openvoxproject/trapperkeeper-webserver-jetty10]]
                        :aot [puppetlabs.trapperkeeper.main
diff --git a/resources/ext/build-scripts/install-vendored-gems.sh b/resources/ext/build-scripts/install-vendored-gems.sh
@@ -15,7 +15,7 @@ install_gems () {
     gem_list+=("$gem_name:$gem_version")
   done < $gem_file
 
-  java -cp ext/build-scripts/bc-nonfips-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
+  java -cp ext/classpath-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"
 }
 
 SOURCE="${BASH_SOURCE[0]}"
diff --git a/resources/ext/ezbake.conf b/resources/ext/ezbake.conf
@@ -9,14 +9,8 @@ ezbake: {
    foss: {
       redhat: { dependencies: ["openvox-agent >= 8.21.1"],
                 build-dependencies: ["%{open_jdk}"],
-                # Install some gems, and install BC FIPS jars if the build task copied them to the right place.
-                # This is admittedly pretty hacky, but it prevents us from having to add another strand of
-                # complexity to the already complex ezbake build process.
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                # Install some gems
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # This is terrible, but we need write access to puppet's
                # var/conf dirs, so we need to add ourselves to the group.
                # Then we need to chmod some dirs until the Puppet packaging
@@ -42,12 +36,7 @@ ezbake: {
 
       debian: { dependencies: ["openvox-agent (>= 8.21.1)"],
                 build-dependencies: ["openjdk-17-jre-headless"],
-                # see redhat comments on why this is hacky
-                install: [
-                  "bash ./ext/build-scripts/install-vendored-gems.sh",
-                  "install -d -m 0700 \"${DESTDIR}${app_data}/jars\"",
-                  "if [ -d ext/build-scripts/bc-fips-jars ]; then files=(ext/build-scripts/bc-fips-jars/*); install -m 0644 \"${files[@]}\" \"${DESTDIR}${app_data}/jars/\"; install -m 0644 ext/build-scripts/java.security.fips \"${DESTDIR}${app_data}/\"; fi",
-                ]
+                install: ["bash ./ext/build-scripts/install-vendored-gems.sh"]
                # see redhat comments on why this is terrible
                postinst-install: [
                  "install --owner={{user}} --group={{user}} -d /opt/puppetlabs/server/data/puppetserver/jruby-gems",
diff --git a/resources/ext/java.security.fips b/resources/ext/java.security.fips
diff --git a/tasks/build.rake b/tasks/build.rake
@@ -152,31 +152,7 @@ namespace :vox do
         run("cd /code && COW=\"#{@debs}\" MOCK=\"#{@nonfips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile user,ezbake,provided ezbake local-build")
       end
       
-      # When building for FIPS, we have to have the Bouncy Castle FIPS jars live on disk separate
-      # from the uberjar, due to signing of those jars. Ezbake doesn't have a great way to handle this,
-      # so we copy them from the local Maven cache inside the container to a place ezbake knows how to
-      # find them, and then have it build the RPM with it laying down those files in the right place.
       unless @fips_rpms.empty?
-        puts "Copy Bouncy Castle FIPS jars into ezbake resource location"
-        dest = '/code/resources/ext/build-scripts/bc-fips-jars'
-        run("mkdir -p #{dest}")
-        cmd = "cd /code && lein with-profile ezbake-fips,fips classpath"
-        stdout, stderr, status = Open3.capture3("docker exec #{@container} /bin/bash --login -c '#{cmd}'")
-        unless status.success?
-          puts "Failed to get classpath for FIPS build: #{stderr}"
-          exit 1
-        end
-        classpath = stdout.strip
-        paths = classpath.split(':').select { |p| p =~ /bcpkix-fips|bc-fips|bctls-fips/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
-        # We also copy the non-FIPS jdk18on jars as well. This is only for the step where we install
-        # vendored gems during the packaging step and they are not included in the final package.
-        dest = '/code/resources/ext/build-scripts/bc-nonfips-jars'
-        run("mkdir -p #{dest}")
-        paths = classpath.split(':').select { |p| p =~ /jdk18on/ }
-        paths.each { |p| run("cp #{p} #{dest}/") }
-
         run("cd /code && COW= MOCK=\"#{@fips_rpms}\" GEM_SOURCE='https://rubygems.org' #{ezbake_version_var} EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true EZBAKE_NODEPLOY=true LEIN_PROFILES=ezbake lein with-profile fips,user,ezbake-fips,provided ezbake local-build")
       end
 

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ install_gems () {`
`15`	`15`	`gem_list+=("$gem_name:$gem_version")`
`16`	`16`	`done < $gem_file`
`17`	`17`
`18`		`- java -cp ext/build-scripts/bc-nonfips-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"`
	`18`	`+ java -cp ext/classpath-jars/*:puppet-server-release.jar:jruby-9k.jar clojure.main -m puppetlabs.puppetserver.cli.gem --config jruby.conf -- install ${additional_args:+"$additional_args"} --no-document "${gem_list[@]}"`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`SOURCE="${BASH_SOURCE[0]}"`