FIPS Mode. WIP changes needed for 2.12 branch

At this revision some tests are failing due to OpenSAML's hard dependency on the non-FIPS distribution of BouncyCastle.

build.gradle

@@ -16,8 +16,12 @@ import groovy.json.JsonBuilder
 
 buildscript {
     ext {
-        opensearch_version = System.getProperty("opensearch.version", "2.12.1-SNAPSHOT")
-        isSnapshot = "true" == System.getProperty("build.snapshot", "true")
+//        opensearch_version = System.getProperty("opensearch.version", "2.12.1-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "2.12.0")
+
+//        isSnapshot = "true" == System.getProperty("build.snapshot", "true")
+        isSnapshot = "true" == System.getProperty("build.snapshot", "false")
+
         buildVersionQualifier = System.getProperty("build.version_qualifier", "")
 
         // 2.0.0-rc1-SNAPSHOT -> 2.0.0.0-rc1-SNAPSHOT
@@ -575,7 +579,6 @@ dependencies {
     implementation "com.google.guava:guava:${guava_version}"
     implementation 'org.greenrobot:eventbus-java:3.3.1'
     implementation 'commons-cli:commons-cli:1.6.0'
-    implementation 'commons-cli:commons-cli:1.5.0'
     implementation 'com.rfksystems:blake2b:2.0.0'
     compileOnly "org.bouncycastle:bc-fips:1.0.2.4"
     compileOnly "org.bouncycastle:bctls-fips:1.0.18"

src/main/java/org/opensearch/security/auth/internal/NoOpAuthenticationBackend.java

@@ -45,7 +45,7 @@ public String getType() {
     }
 
     @Override
-    public User authenticate(final AuthCredentials credentials) {
+    public User authenticate(final AuthCredentials credentials, final boolean fipsEnabled) {
         User user = new User(credentials.getUsername(), credentials.getBackendRoles(), credentials);
         user.addSecurityRoles(credentials.getSecurityRoles());
         return user;

src/main/java/org/opensearch/security/tools/democonfig/Installer.java

@@ -45,6 +45,7 @@ public class Installer {
     boolean assumeyes = false;
     boolean initsecurity = false;
     boolean cluster_mode = false;
+    boolean fips_enabled = false;
     int skip_updates = -1;
     String SCRIPT_DIR;
     String BASE_DIR;
@@ -144,6 +145,13 @@ void buildOptions() {
             false,
             "Set the execution environment to `test` to skip password validation. Should be used only for testing. (default is set to `demo`)"
         );
+        //workaround for now:
+        options.addOption(
+                "f",
+                "fips-enabled",
+                false,
+                "fips enabled"
+        );
     }
 
     /**

src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java

@@ -30,6 +30,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.Strings;
 import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.dlic.rest.support.Utils;
 import org.opensearch.security.dlic.rest.validation.PasswordValidator;
 import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
 import org.opensearch.security.support.ConfigConstants;
@@ -163,7 +164,7 @@ void updateAdminPassword() {
             // Print an update to the logs
             System.out.println("Admin password set successfully.");
 
-            writePasswordToInternalUsersFile(ADMIN_PASSWORD, INTERNAL_USERS_FILE_PATH);
+            writePasswordToInternalUsersFile(ADMIN_PASSWORD, INTERNAL_USERS_FILE_PATH, installer.fips_enabled);
 
         } catch (IOException e) {
             System.out.println("Exception updating the admin password : " + e.getMessage());
@@ -177,8 +178,8 @@ void updateAdminPassword() {
      * @param internalUsersFile the file path string to internal_users.yml file
      * @throws IOException while reading, writing to files
      */
-    void writePasswordToInternalUsersFile(String adminPassword, String internalUsersFile) throws IOException {
-        String hashedAdminPassword = Hasher.hash(adminPassword.toCharArray());
+    void writePasswordToInternalUsersFile(String adminPassword, String internalUsersFile, final boolean fipsEnabled) throws IOException {
+        String hashedAdminPassword = Utils.hash(adminPassword.toCharArray(), fipsEnabled);
 
         if (hashedAdminPassword.isEmpty()) {
             System.out.println("Hash the admin password failure, see console for details");

src/test/java/org/opensearch/security/UtilTests.java

@@ -29,10 +29,8 @@
 import java.util.Map;
 
 import com.password4j.BcryptFunction;
-import com.password4j.Hash;
 import com.password4j.types.Bcrypt;
 import org.junit.Test;
-import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.support.ConfigConstants;