search

puppetlabs / clj-http-client

HTTP client library wrapping Apache HttpAsyncClient
Apache License 2.0
15 stars 30 forks source link

(PE-26658) apply JVM security policy to FIPS #80

Closed robdaemon closed 5 years ago

robdaemon commented 5 years ago

adding a security policy to clj-http-client and testing with said security policies

puppetcla commented 5 years ago

CLA signed by all contributors.

justinstoller commented 5 years ago

I'm getting this locally with this PR:

08:36:19 clj-http-client justin (mergerob %) ‖ lein test :all
Warning: implicit hook found: i18n.plugin/hooks
...snip...
Retrieving org/apache/httpcomponents/httpasyncclient/4.1.4/httpasyncclient-4.1.4.jar from central
Compiling 44 source files to /Users/justin/Backup/code/work/clj-http-client/target/classes
/Users/justin/Backup/code/work/clj-http-client/src/java/com/puppetlabs/http/client/impl/JavaClient.java:455: error: cannot infer type arguments for FutureCallback<T>
        final FutureCallback<HttpResponse> futureCallback = new FutureCallback<>() {
                                                                              ^
  reason: cannot use '<>' with anonymous inner classes
  where T is a type-variable:
    T extends Object declared in interface FutureCallback
1 error
Compilation of Java sources(lein javac) failed.
08:36:37 clj-http-client justin (mergerob %) ‖ java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

Do you have an idea what this could be? Is this using a construct only available in Java 9+?

robdaemon commented 5 years ago

Yeah, I was fixing a warning - that must have been a Java 9+ thing I did there. I reverted that.

I also commented out the FIPS tests in .travis.yml in this and tk-jetty9, I'll turn those back on in a subsequent PR.

justinstoller commented 5 years ago

Do we need the SNAPSHOT build of tk-jetty9 now that we've disabled the FIPS tests?

justinstoller commented 5 years ago

Can/should the security files go into the dev-resource directory?

robdaemon commented 5 years ago

I don't see how we're going to get around needing the SNAPSHOT when we do enable the FIPS tests, if we want to know they work.

I can take it out for now, but we're going to have to face this issue at some point.

robdaemon commented 5 years ago

Yeah, the security files can move, but they aren't loaded off the classpath, so we don't need them to be in the jar in the long run.

justinstoller commented 5 years ago

I was thinking that if we merge this w/ FIPS tested locally and non-FIPS tested in travis, then do a release of this library and tk-jetty9. Then we can update this library to pull in the then just released version of tk-jetty9 for its tests and renable FIPS. That should work, shouldn't it?

justinstoller commented 5 years ago

Yeah, the security files can move, but they aren't loaded off the classpath, so we don't need them to be in the jar in the long run.

Makes, sense. Puppet Server has a test security file that it puts in it's dev-resources to co-locate test/dev specific files.

robdaemon commented 5 years ago

moved the security policies