Remove transitive dependencies from encryption-sdk/build.gradle

[reta]

Description

Remove org.bouncycastle:bcprov-jdk15to18: not needed and breaks the plugins

Related Issues

Closes opensearch-project/security#3309

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[reta]

@peternied @cwperks @willyborankin please check it out

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/24512/
• CommitID: 54cfc0f
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/24513/
• CommitID: afae0aa
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Compatibility status:

Checks if related components are compatible with change 54cfc0f

Incompatible components

Incompatible components: [https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/anomaly-detection.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

[github-actions]

Compatibility status:

Checks if related components are compatible with change afae0aa

Incompatible components

Incompatible components: [https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/neural-search.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

[github-actions]

Compatibility status:

Checks if related components are compatible with change c8cb1c5

Incompatible components

Incompatible components: [https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/neural-search.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: UNSTABLE ❕
• TEST FAILURES:

      2 org.opensearch.index.shard.RemoteStoreRefreshListenerTests.classMethod
      1 org.opensearch.smoketest.SmokeTestMultiNodeClientYamlTestSuiteIT.test {yaml=pit/10_basic/Delete all}
      1 org.opensearch.index.shard.RemoteStoreRefreshListenerTests.testRefreshAfterCommit
      1 org.opensearch.cluster.allocation.ClusterRerouteIT.testDelayWithALargeAmountOfShards
      1 org.opensearch.cluster.allocation.AwarenessAllocationIT.testThreeZoneOneReplicaWithForceZoneValueAndLoadAwareness

• URL: https://build.ci.opensearch.org/job/gradle-check/24515/
• CommitID: c8cb1c5
  Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

[vikasvb90]

@reta We need to revert this change. BC is required by AWS encryption SDK which is currently not being used as we are waiting for approval from crypto BR team for custom changes. We have currently added just a NoOpCryptoHandler in place of it.

[reta]

@reta We need to revert this change. BC is required by AWS encryption SDK which is currently not being used as we are waiting for approval from crypto BR team for custom changes. We have currently added just a NoOpCryptoHandler in place of it.

@vikasvb90 We cannot revert this change, the BC should be added to the component which uses it: I suspect this a plugin, right? Adding hard dependency on BC breaks the whole plugin ecosystem.

[reta]

@vikasvb90 additionally, please check the dependencies https://mvnrepository.com/artifact/com.amazonaws/aws-encryption-sdk-java/2.4.1: it potentially needs bcprov-ext but not bcprov

[vikasvb90]

@reta No, it is not the plugin which uses it but the lib itself. Let me check the bcprov dependency but we anyways need other dependencies and bcprov-ext dependency. Also, I am not sure if adding bcprov-ext can avoid changes required for security plugin.

[reta]

@reta No, it is not the plugin which uses it but the lib itself. Let me check the bcprov dependency but we anyways need other dependencies and bcprov-ext dependency.

If lib uses it in any reasonable manner, it should either:

• fail to compile
• fail at runtime (I would imply tests here)

Nothing from the above is happening. Please provide more details where it is needed because everything indicates the otherwise.

[reta]

but we anyways need other dependencies and

@vikasvb90 which other dependencies? the only transitive ones are common-lang3 and it has been kept intact. The library must not bring the commons-logging or slf4j-api (it could indicated it needs it) - this is the responsibility of end consumer to provide, either plugin / server / client / extension.

[vikasvb90]

You are right that it is not being used right now. As I mentioned earlier, that this had changes done in encryption SDK to support partial encryption/decryption which is yet to undergo a review from SDK team itself and that's why it is just a NoOpCryptoHandler. Let me get back on how we can enforce its usage in lib meanwhile but inclusion of the dependency is something we need.