Upgrade to OpenSAML 4.3.0 (shadowed)

[albertzaharovits]

This commit upgrades to OpenSAML v4.3.0

Versions of OpenSAML ≥ 4.1 have a hard dependency on the non-FIPS release of BouncyCastle.
This would prevent ES from being able to run in a JVM where BC-FIPS is configured as the security provider.

Closes: #71983

Co-authored-by: Tim Vernum tim@adjective.org

[albertzaharovits]

@elasticsearchmachine run elasticsearch-ci/part-2

[albertzaharovits]

@tvernum This is your work passing CI 🎊

I'm going to try to reduce the surface of the changes by:

1. use a non-empty org.elasticsearch.xpack.security.authc.saml.OpenSamlConfig implementation that sets properties.setProperty("opensaml.config.ecdh.defaultKDF","PBKDF2") to avoid loading the KDF code that refers BC
2. remove the service implementation META-INF/services/org.opensaml.security.crypto.ec.NamedCurve form the opensaml-security-api-4.3.0.jar to avoid changing the AbstractNamedCurve class.

If all goes well there should be only one shadowed jar, which just removes the META-INF/services part from the original jar.
I'll ping you when I sort it out. (if it doesn't work out, I think this here is OK too, so I'll revert back to it).

[albertzaharovits]

These changes effectively bypass the BC dependency. Tests do pass, but I'm not 100% that somehow, via some obscure protocal/parameter combination, our SAML SP and IDP implementations won't try to use functionality that has hence been eliminated.
To learn what functionality has been eliminated, apply the following 2 patches and run any SAML test:

diff --git a/x-pack/libs/es-opensaml-security-api/build.gradle b/x-pack/libs/es-opensaml-security-api/build.gradle
index 56fd6b81df6..104bb51f1de 100644
--- a/x-pack/libs/es-opensaml-security-api/build.gradle
+++ b/x-pack/libs/es-opensaml-security-api/build.gradle
@@ -27,5 +27,5 @@ tasks.named("shadowJar").configure {
   manifest {
     attributes 'Automatic-Module-Name': 'org.opensaml.security'
   }
-  exclude 'META-INF/services/org.opensaml.security.crypto.ec.NamedCurve'
+  //exclude 'META-INF/services/org.opensaml.security.crypto.ec.NamedCurve'
 }

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/OpenSamlXpackSecurityConfigurationPropertiesSource.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/OpenSamlXpackSecurityConfigurationPropertiesSource.java
index 0e885dd0daa..45243df6baf 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/OpenSamlXpackSecurityConfigurationPropertiesSource.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/OpenSamlXpackSecurityConfigurationPropertiesSource.java
@@ -16,7 +16,7 @@ public class OpenSamlXpackSecurityConfigurationPropertiesSource implements Confi
     @Override
     public Properties getProperties() {
         Properties properties = new Properties();
-        properties.setProperty("opensaml.config.ecdh.defaultKDF", "PBKDF2");
+        //properties.setProperty("opensaml.config.ecdh.defaultKDF", "PBKDF2");
         return properties;
     }
 }

 ./gradlew ':x-pack:plugin:security:test' --tests "org.elasticsearch.xpack.security.authc.saml.SamlSpMetadataBuilderTests"

[albertzaharovits]

@mark-vieira I think it is possible to put the OpenSamlXpackSecurityConfigurationPropertiesSource service provider inside the shadowed jar, rather than put it in the ES code that uses the code that depends on the service. That's because the same code that uses the shadowed jar also uses the library code that depends on the service implementation.
But I'm not sure if this is better/preferable?
Also I couldn't figure out what the module declaration inside the shadowed jar should look like in order to be able to expose the ConfigurationPropertiesSource implementation (that's going to be used by the code that depends on the shadowed jar).

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[mark-vieira]

Yeah, I don't think we want to duplicate the property source. Sticking it in a library is probably the best way to go. It's still not clear to me that we need to repackage the dependency though.

[mark-vieira]

Is this the only modification to this JAR we're making? Typically a "shadow" JAR is repackaging several dependencies, or relocating them under a different package, etc. Is this effectively identical to the original JAR, just excluding this file?

[tvernum]

Pretty much.

OpenSAML out of the box doesn't work on FIPS. My first attempt to solve it required patching 2 classes. Albert worked out that we can just avoid ever loading those classes by manipulating the set of services - one of them can be handled by stripping this service, the other by implementing our own properties resolver so that a default property can be changed.

It does seem like overkill to repackage just to drop one services file, but I'm not aware of a simpler option.
We could just strip the file as part of the distribution, but I'm not a fan of shipping modified files JAR files that claim to be the originals.

[mark-vieira]

Gotcha, makes sense. I would suggest we go with the pattern we used for log4j though (look in libs/log4j/build.gradle rather than use the Shadow plugin. It's not really the intended use case, and it's more complex than necessary for this, plus the log4j hack plays more nicely with IDEs.

[tvernum]

++
The original attempt modified a couple of classes, so it was based on the approach we used for Jackson.
Now that we've settled on just stripping classes files, we can simplify it.

[albertzaharovits]

@mark-vieira I think it is possible to put the OpenSamlXpackSecurityConfigurationPropertiesSource service provider inside the shadowed jar, rather than put it in the ES code that uses the code that depends on the service. That's because the same code that uses the shadowed jar also uses the library code that depends on the service implementation.
But I'm not sure if this is better/preferable?

I think it's preferable to co-locate it with the shadowed jar. If for no other reason then it removes the existing duplication.

I've pushed 404298c and c179601 to incoporate the ConfigurationPropertiesSource service implementation in the shadowed jar, in order to avoid having two identical such implementations in the x-pack/plugin/security and x-pack/plugin/identity-provider projects (it works because the same code that must not see the NamedCurve implementations, also needs to see the new ConfigurationPropertiesSource implementation). So now the shadowed jar effectively removes one service implementation and adds another different one (a single new class).
I think this is now a fair usage of the "shadow" plugin?

[albertzaharovits]

When we say "pull in" what does that mean? Is it a transitive dependency or is it shadowed in the OpenSAML jar?

It is a runtime transitive dependency of OpenSAML (since version >4.1).

We manually manage transitive dependencies so we can use whatever bouncy castle jar we want, or omit it entirely.

We wish to omit it entirely because it contains crypto algorithms that are not FIPS compliant (there is a different bouncy castle with FIPS compliant algorithms), and that's a problem because we don't want the Elasticsearch FIPS distribution to ship with non-FIPS compliant crypto on the classpath (or really, no Elasticsearch distrib should have any crypto impl on the classpath. Instead we opt to delegate to the JCA API, where the JVM is configured for FIPS or not.).

[mark-vieira]

Ok, then I don't quite understand why we need this solution. We disable transitive dependencies by default in our build. The transitive BC jar shouldn't be brought in by this dependency. How does this relate to omitting that service file? From what I can tell that's part of the OpenSAML jar, not BC.

[albertzaharovits]

If we don't put the BC on the classpath and we don't shadow jar the OpenSAML lib, then ES throws a class not found exception when it starts up, see this issue: #71983 .

[mark-vieira]

Got it. So there is a runtime dependency on BC and stripping out that service avoids that issue. Understood.

[tvernum]

Yes, OpenSAML has had a transitive dependency on BouncyCastle for a while, but we've just avoided those parts.
In 4.1 the dependency become harder to avoid - a couple of classes that are eagerly loaded (with the the default services/properties config) have a direct dependency.

[tvernum]

LGTM

[tvernum]

Yes, OpenSAML has had a transitive dependency on BouncyCastle for a while, but we've just avoided those parts.
In 4.1 the dependency become harder to avoid - a couple of classes that are eagerly loaded (with the the default services/properties config) have a direct dependency.

[tvernum]

@mark-vieira Do you want a chance to review this again before it's merged?

[mark-vieira]

Minor comment about re-enabling some of our precommit checks but otherwise LGTM.

[mark-vieira]

I think we can (and should) re-enable things like forbiddenApis, checkstyle and spotless here since this module actually has some code (albeit minimal) of its own.

[albertzaharovits]

@mark-vieira I see that forbiddenApisMain fails with:

> Task :x-pack:libs:es-opensaml-security-api:forbiddenApisMain FAILED

> Task :libs:elasticsearch-core:compileJava
Note: Some input files use or override a deprecated API that is marked for removal.
Note: Recompile with -Xlint:removal for details.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':x-pack:libs:es-opensaml-security-api:forbiddenApisMain'.
> Parsing signatures failed: Class 'org.apache.lucene.util.IOUtils' not found on classpath while parsing signature: org.apache.lucene.util.IOUtils

Is it a real problem? I suspect it's just the forbidden task itself missing a dependency classs?

[albertzaharovits]

I've only reenable checkstyle and spotless for now

[mark-vieira]

Yeah, this looks to be because some of our forbidden api rules reference classes that aren't on the classpath here. We can disable this task here for now.

[albertzaharovits]

@tvernum @mark-vieira any objections to merging this post FF in 8.10?

[albertzaharovits]

@elasticsearchmachine run elasticsearch-ci/example-plugins

[mark-vieira]

You can ignore the example-plugin build failures for now.

[tvernum]

any objections to merging this post FF in 8.10?

None from me. It's the type of upgrade we would consider backporting to a 8.10.x patch release any way, in which case it would be acceptable to merge post FF (since FF only applies to non-patch features)