Make security plugin aware of FIPS build param (-Pcrypto.standard=FIPS-140-3)

[cwperks]

Description

This PR makes the security plugin aware of the -Pcrypto.standard=FIPS-140-3 build param. When present, it means that any bc (bouncycastle) FIPS jars are provided from the core and available at runtime. When absent, the security plugin needs to include them in its assembly (i.e. difference between compileOnly and implementation for dependency scope.

Testing:

1. When core built with ./gradlew localDistro -Pcrypto.standard=FIPS-140-3 but security plugin is not

➜  opensearch-3.6.0-SNAPSHOT git:(main) ✗ ./bin/opensearch-plugin install file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
BouncyCastle FIPS library found, setting FIPS JVM options.
-> Installing file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
-> Downloading file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
[=================================================] 100%
2026-02-11T21:28:01.960511Z main WARN Missing plugin [workload-management], dependency of [opensearch-security]
2026-02-11T21:28:01.961930Z main WARN Some features of this plugin may not function without the dependencies being installed.

-> Failed installing file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
-> Rolling back file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
-> Rolled back file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
Exception in thread "main" java.lang.IllegalStateException: failed to load plugin opensearch-security due to jar hell
	at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:779)
	at org.opensearch.plugins.PluginsService.checkJarHellForPlugin(PluginsService.java:404)
	at org.opensearch.tools.cli.plugin.InstallPluginCommand.jarHellCheck(InstallPluginCommand.java:834)
	at org.opensearch.tools.cli.plugin.InstallPluginCommand.loadPluginInfo(InstallPluginCommand.java:811)
	at org.opensearch.tools.cli.plugin.InstallPluginCommand.installPlugin(InstallPluginCommand.java:846)
	at org.opensearch.tools.cli.plugin.InstallPluginCommand.execute(InstallPluginCommand.java:277)
	at org.opensearch.tools.cli.plugin.InstallPluginCommand.execute(InstallPluginCommand.java:251)
	at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
	at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
	at org.opensearch.cli.Command.main(Command.java:101)
	at org.opensearch.tools.cli.plugin.PluginCli.main(PluginCli.java:66)
Caused by: java.lang.IllegalStateException: jar hell!
class: org.bouncycastle.cert.AttributeCertificateHolder
jar1: /Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.6.0-SNAPSHOT/plugins/.installing-18149285464355557826/bcpkix-fips-2.1.9.jar
jar2: /Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.6.0-SNAPSHOT/lib/bcpkix-fips-2.1.9.jar
	at org.opensearch.common.bootstrap.JarHell.checkClass(JarHell.java:316)
	at org.opensearch.common.bootstrap.JarHell.checkJarHell(JarHell.java:215)
	at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:777)
	... 12 more

2. When both core and security are built with -Pcrypto.standard=FIPS-140-3

➜  opensearch-3.6.0-SNAPSHOT git:(main) ✗ ./bin/opensearch-plugin install file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
BouncyCastle FIPS library found, setting FIPS JVM options.
-> Installing file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
-> Downloading file:////Users/cwperx/Projects/opensearch/security/build/distributions/opensearch-security-3.6.0.0-SNAPSHOT.zip
[=================================================] 100%
2026-02-11T21:31:59.054783Z main WARN Missing plugin [workload-management], dependency of [opensearch-security]
2026-02-11T21:31:59.055322Z main WARN Some features of this plugin may not function without the dependencies being installed.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission /proc/sys/net/core/somaxconn read
* java.lang.RuntimePermission accessClassInPackage.com.sun.jndi.*
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch
* java.lang.RuntimePermission accessClassInPackage.sun.security.x509
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission accessUserInformation
* java.lang.RuntimePermission createClassLoader
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.net.NetPermission accessUnixDomainSocket
* java.net.NetPermission getNetworkInformation
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission getProperty.org.bouncycastle.ec.max_f2m_field_size
* java.security.SecurityPermission getProperty.org.bouncycastle.pkcs12.default
* java.security.SecurityPermission getProperty.org.bouncycastle.rsa.max_mr_tests
* java.security.SecurityPermission getProperty.org.bouncycastle.rsa.max_size
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
* java.security.SecurityPermission insertProvider.BC
* java.security.SecurityPermission org.apache.xml.security.register
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission removeProviderProperty.BC
* java.security.SecurityPermission setProperty.ocsp.enable
* java.util.PropertyPermission * read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed opensearch-security with folder name opensearch-security

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

Resolves opensearch-project/opensearch-build#5979

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwperks]

FYI @beanuwave this PR would fix jar hell, but you would still get an error when trying to start OpenSearch + security:

➜  opensearch-3.6.0-SNAPSHOT git:(main) ✗ ./bin/opensearch
WARNING: Using incubator modules: jdk.incubator.vector
WARNING: Unknown module: org.apache.arrow.memory.core specified to --add-opens
Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.FileAlreadyExistsException: /Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.6.0-SNAPSHOT/config/opensearch.keystore.tmp
Likely root cause: java.nio.file.FileAlreadyExistsException: /Users/cwperx/Projects/opensearch/OpenSearch/build/distribution/local/opensearch-3.6.0-SNAPSHOT/config/opensearch.keystore.tmp
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:94)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:261)
	at java.base/java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:482)
	at java.base/java.nio.file.Files.newOutputStream(Files.java:227)
	at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:390)
	at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:383)
	at org.apache.lucene.store.FSDirectory.createOutput(FSDirectory.java:216)
	at org.apache.lucene.backward_codecs.store.EndiannessReverserUtil.createOutput(EndiannessReverserUtil.java:54)
	at org.opensearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:535)
	at org.opensearch.bootstrap.Bootstrap.loadSecureSettings(Bootstrap.java:284)
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:376)
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168)
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159)
	at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
	at org.opensearch.cli.Command.main(Command.java:101)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91)

Do you think we should revisit the logic in openseach-env?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.76%. Comparing base (fc00ab1) to head (75acfa7).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5952      +/-   ##
==========================================
+ Coverage   73.75%   73.76%   +0.01%     
==========================================
  Files         439      439              
  Lines       26884    26884              
  Branches     3980     3980              
==========================================
+ Hits        19827    19832       +5     
+ Misses       5172     5165       -7     
- Partials     1885     1887       +2     

see 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.