From 2f11261da823bc858658b3218c6f913af36a5342 Mon Sep 17 00:00:00 2001
From: Rohan Kumar
Date: Fri, 16 Feb 2024 20:39:21 +0530
Subject: [PATCH] test : Add test in a separate module using bc-fips and bcpkix-fips

+ Add a comment for the reasoning behing moving Security.addProvider into a Callable block
+ Add a test inside a separate module using `bc-fips` and `bcpkis-fips` that reproduces the issue
Signed-off-by: Rohan Kumar
---
 .../kubernetes/client/internal/CertUtils.java | 3 +
 .../kubernetes-client-init-bc-fips/pom.xml | 70 ++++++++++++++++
 ...ernetesClientLoadWithFipsProviderTest.java | 55 +++++++++++++
 .../src/test/resources/kube-config-ec-key | 20 +++++
 .../pom.xml | 80 +++++++++++++++++++
 pom.xml | 3 +
 6 files changed, 231 insertions(+)
 create mode 100644 kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/pom.xml
 create mode 100644 kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/java/io/fabric8/deps/compatibility/tests/KubernetesClientLoadWithFipsProviderTest.java
 create mode 100644 kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/resources/kube-config-ec-key
 create mode 100644 kubernetes-client-deps-compatibility-tests/pom.xml
diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
index c06565556b2..33269dfa815 100644
--- a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
+++ b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
@@ -184,6 +184,9 @@ private static PrivateKey handleECKey(InputStream keyInputStream) {
 @Override
 public PrivateKey call() throws IOException {
 if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS") == null) {
+ // org.bouncycastle.jce.provider.BouncyCastleProvider needs to be wrapped with a Callable otherwise
+ // runtime won't even evaluate this whole block. This happens even when above condition testing if
+ // block evaluates to false
 new Callable() {
 @Override
 public String call() {
diff --git a/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/pom.xml b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/pom.xml
new file mode 100644
index 00000000000..7a3a01d4d11
--- /dev/null
+++ b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/pom.xml
@@ -0,0 +1,70 @@
+ + + + 4.0.0 + + io.fabric8 + kubernetes-client-deps-compatibility-tests + 6.11-SNAPSHOT + ../pom.xml + + + Fabric8 :: Kubernetes :: Bouncy Castle FIPS Compatibility :: Test + kubernetes-client-init-bc-fips + + + + io.fabric8 + kubernetes-client + test + + + org.junit.jupiter + junit-jupiter-engine + test + + + org.slf4j + slf4j-simple + test + + + org.assertj + assertj-core + test + + + org.bouncycastle + bc-fips + ${bc-fips.version} + false + test + + + org.bouncycastle + bcpkix-fips + ${bcpkix-fips.version} + false + test + + + +
diff --git a/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/java/io/fabric8/deps/compatibility/tests/KubernetesClientLoadWithFipsProviderTest.java b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/java/io/fabric8/deps/compatibility/tests/KubernetesClientLoadWithFipsProviderTest.java
new file mode 100644
index 00000000000..fbaf5b8cbbb
--- /dev/null
+++ b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/java/io/fabric8/deps/compatibility/tests/KubernetesClientLoadWithFipsProviderTest.java
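Review bot: The new comment describes the symptom ("runtime won't even evaluate this whole block") rather than the mechanism, and "above condition testing if block" reads as a typo for "if-condition". What the anonymous `Callable` presumably buys is that the reference to `org.bouncycastle.jce.provider.BouncyCastleProvider` sits in its own class, so that class is not resolved when the JVM links the enclosing `call()`; without that isolation a `NoClassDefFoundError` would surface before the `if` on the previous line is evaluated whenever only the FIPS provider is on the class path, which is what the new compatibility test (issue #5296 per its `@DisplayName`) reproduces. Suggest replacing the three lines with `// Keep the BouncyCastleProvider reference in its own anonymous class: the JVM would otherwise have to resolve`, `// org.bouncycastle.jce.provider.BouncyCastleProvider while linking this call(), throwing NoClassDefFoundError`, `// before the if-condition above is evaluated when only the FIPS provider is on the class path.` The enclosing anonymous `call()` starts and ends outside the hunk.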
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.fabric8.deps.compatibility.tests;
+
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import java.security.Security;
+import java.util.Objects;
+import java.util.Optional;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class KubernetesClientLoadWithFipsProviderTest {
+ @BeforeEach
+ void setUp() {
+ Security.addProvider(new BouncyCastleFipsProvider());
+ }
+
+ @AfterEach
+ void tearDown() {
+ Security.removeProvider(BouncyCastleFipsProvider.PROVIDER_NAME);
+ }
+
+ @Test
+ @DisplayName("Ensure KubernetesClient loads with EC private keys and a BouncyCastle FIPS provider is set, see https://github.com/fabric8io/kubernetes-client/issues/5296")
+ void kubernetesClientLoad() {
+ String oldKubeConfigValue = System.getProperty("kubeconfig");
+ System.setProperty("kubeconfig",
+ Objects.requireNonNull(KubernetesClientLoadWithFipsProviderTest.class.getResource("/kube-config-ec-key")).getFile());
+ try (KubernetesClient kubernetesClient = new KubernetesClientBuilder().build()) {
+ assertThat(kubernetesClient).isNotNull();
+ } finally {
+ 
 System.setProperty("kubeconfig", Optional.ofNullable(oldKubeConfigValue).orElse(""));
+ }
+ }
+}
diff --git a/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/resources/kube-config-ec-key b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/resources/kube-config-ec-key
new file mode 100644
index 00000000000..acffef8f2c0
--- /dev/null
+++ b/kubernetes-client-deps-compatibility-tests/kubernetes-client-init-bc-fips/src/test/resources/kube-config-ec-key
@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+ certificate-authority-data: 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
+ server: https://example.k8s.org:6443
+ name: test-cluster
+contexts:
+- context:
+ cluster: test-cluster
+ namespace: default
+ user: admin
+ name: admin
+current-context: "admin"
+kind: Config
+preferences: {}
+users:
+- name: admin
+ user:
+ client-certificate-data: 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
+ client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IUUNBUUVFSUwxejJ2YkRKSlYzN0xLNnJNTU9hZTFwcTVRRmhIejk2aGRPdEdnMTh4WEpvQWNHQlN1QkJBQUsKb1VRRFFnQUU1elV6bDQ5MXJoejFpMnZoU3F4a2tvQUtaMHZrY0VCbkVVVGFlMVFLbFRnWUtNZ2dPbU5jSGJybAoxVFRMZ1IzR1llRUU2cjhYZ2xra01WRUlTK1BzbkE9PQotLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0t
\ No newline at end of file
diff --git a/kubernetes-client-deps-compatibility-tests/pom.xml b/kubernetes-client-deps-compatibility-tests/pom.xml
new file mode 100644
index 00000000000..548edd23b5d
--- /dev/null
+++ b/kubernetes-client-deps-compatibility-tests/pom.xml
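Review bot: The `finally` block restores `kubeconfig` with `Optional.ofNullable(oldKubeConfigValue).orElse("")`, so when the property was unset before the test it is left set to an empty string rather than cleared, and anything that runs later in the same JVM sees a different state than the one this test started from. Restore it exactly: `if (oldKubeConfigValue == null) { System.clearProperty("kubeconfig"); } else { System.setProperty("kubeconfig", oldKubeConfigValue); }` and drop the then-unused `java.util.Optional` import. Separately, `getResource("/kube-config-ec-key").getFile()` returns the percent-encoded URL path, which breaks when the build directory contains a space or non-ASCII character; `Paths.get(url.toURI()).toString()` (with `java.nio.file.Paths`) is the robust form. A short comment on `kubernetesClientLoad` saying that the assertion is only `isNotNull()` because the regression being reproduced presumably fails inside `KubernetesClientBuilder.build()` would make the test's intent clear to the next reader.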
@@ -0,0 +1,80 @@
+ + + + 4.0.0 + + io.fabric8 + kubernetes-client-project + 6.11-SNAPSHOT + + + Fabric8 :: Kubernetes :: Dependency Compatibility :: Tests + kubernetes-client-deps-compatibility-tests + pom + + + kubernetes-client-init-bc-fips + + + + + + org.apache.maven.plugins + maven-surefire-plugin + + + + + + + + + + + + + + + + + + + + + + + + TLSv1.2,TLSv1.1,TLSv1 + + + + + + + + + sonatype-snapshots + https://oss.sonatype.org/content/repositories/snapshots + false + true + + +
diff --git a/pom.xml b/pom.xml
index 548611efd78..67d9a48b6c6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -127,6 +127,8 @@ 2.7 2.2 1.77 + 1.0.2.4 + 1.0.7 1.25.0 2.15.1 33.0.0-jre
@@ -221,6 +223,7 @@ java-generator httpclient-okhttp httpclient-vertx + kubernetes-client-deps-compatibility-tests
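Review bot: The surefire configuration carries the value `TLSv1.2,TLSv1.1,TLSv1`; the element names are not visible in this rendering, but if this is a protocol list handed to the forked test JVM (for example via `https.protocols` or `jdk.tls.client.protocols`) it re-enables TLS 1.0 and 1.1, which current JDKs disable by default. For a module whose purpose is to exercise a FIPS provider that looks like a block copied from another module's surefire setup rather than something these tests need; limiting it to `TLSv1.2` or dropping it keeps the test JVM closer to a real FIPS deployment. If it is required, an XML comment naming the test that depends on it would help.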