Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.x] Removing experimental for the FIPS mode config (#200734) #200825

Merged
merged 1 commit into from
Nov 20, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .buildkite/scripts/common/env.sh
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-ag
fi

if [[ -f "$KIBANA_DIR/config/kibana.yml" ]]; then
echo -e '\nxpack.security.experimental.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
echo -e '\nxpack.security.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
fi
fi

Expand Down
4 changes: 2 additions & 2 deletions .devcontainer/scripts/env.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ setup_fips() {
fi

if [ -n "$FIPS" ] && [ "$FIPS" = "1" ]; then
sed -i '/xpack.security.experimental.fipsMode.enabled:/ {s/.*/xpack.security.experimental.fipsMode.enabled: true/; t}; $a\xpack.security.experimental.fipsMode.enabled: true' "$KBN_CONFIG_FILE"
sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: true/; t}; $a\xpack.security.fipsMode.enabled: true' "$KBN_CONFIG_FILE"

# Patch node_modules so we can start Kibana in dev mode
sed -i 's/hashType = hashType || '\''md5'\'';/hashType = hashType || '\''sha1'\'';/g' "${KBN_DIR}/node_modules/file-loader/node_modules/loader-utils/lib/getHashDigest.js"
Expand All @@ -21,7 +21,7 @@ setup_fips() {
echo "FIPS mode enabled"
echo "If manually bootstrapping in FIPS mode use: NODE_OPTIONS='' yarn kbn bootstrap"
else
sed -i '/xpack.security.experimental.fipsMode.enabled:/ {s/.*/xpack.security.experimental.fipsMode.enabled: false/; t}; $a\xpack.security.experimental.fipsMode.enabled: false' "$KBN_CONFIG_FILE"
sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: false/; t}; $a\xpack.security.fipsMode.enabled: false' "$KBN_CONFIG_FILE"
fi
}

Expand Down
7 changes: 1 addition & 6 deletions docs/user/security/fips-140-2.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ For {kib}, adherence to FIPS 140-2 is ensured by:

==== Configuring {kib} for FIPS 140-2

Apart from setting `xpack.security.experimental.fipsMode.enabled` to `true` in your {kib} config, a number of security related
Apart from setting `xpack.security.fipsMode.enabled` to `true` in your {kib} config, a number of security related
settings need to be reviewed and configured in order to run {kib} successfully in a FIPS 140-2 compliant Node.js
environment.

Expand All @@ -56,8 +56,3 @@ As an example, avoid PKCS#12 specific settings such as:
* `server.ssl.truststore.path`
* `elasticsearch.ssl.keystore.path`
* `elasticsearch.ssl.truststore.path`

===== Limitations

Configuring {kib} to run in FIPS mode is still considered to be experimental. Not all features are guaranteed to
function as expected.
Original file line number Diff line number Diff line change
Expand Up @@ -25,26 +25,26 @@ import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
describe('fips', () => {
let securityConfig: SecurityServiceConfigType;
describe('#isFipsEnabled', () => {
it('should return `true` if config.experimental.fipsMode.enabled is `true`', () => {
securityConfig = { experimental: { fipsMode: { enabled: true } } };
it('should return `true` if config.fipsMode.enabled is `true`', () => {
securityConfig = { fipsMode: { enabled: true } };

expect(isFipsEnabled(securityConfig)).toBe(true);
});

it('should return `false` if config.experimental.fipsMode.enabled is `false`', () => {
securityConfig = { experimental: { fipsMode: { enabled: false } } };
it('should return `false` if config.fipsMode.enabled is `false`', () => {
securityConfig = { fipsMode: { enabled: false } };

expect(isFipsEnabled(securityConfig)).toBe(false);
});

it('should return `false` if config.experimental.fipsMode.enabled is `undefined`', () => {
it('should return `false` if config.fipsMode.enabled is `undefined`', () => {
expect(isFipsEnabled(securityConfig)).toBe(false);
});
});

describe('checkFipsConfig', () => {
it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode false', async () => {
securityConfig = { experimental: { fipsMode: { enabled: true } } };
it('should log an error message if FIPS mode is misconfigured - xpack.security.fipsMode.enabled true, Nodejs FIPS mode false', async () => {
securityConfig = { fipsMode: { enabled: true } };
const logger = loggingSystemMock.create().get();
let fipsException: undefined | CriticalError;
try {
Expand All @@ -56,16 +56,16 @@ describe('fips', () => {
expect(fipsException).toBeInstanceOf(CriticalError);
expect(fipsException!.processExitCode).toBe(78);
expect(fipsException!.message).toEqual(
'Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled'
'Configuration mismatch error. xpack.security.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled'
);
});

it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled false, Nodejs FIPS mode true', async () => {
it('should log an error message if FIPS mode is misconfigured - xpack.security.fipsMode.enabled false, Nodejs FIPS mode true', async () => {
mockGetFipsFn.mockImplementationOnce(() => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: false } } };
securityConfig = { fipsMode: { enabled: false } };
const logger = loggingSystemMock.create().get();

let fipsException: undefined | CriticalError;
Expand All @@ -77,16 +77,16 @@ describe('fips', () => {
expect(fipsException).toBeInstanceOf(CriticalError);
expect(fipsException!.processExitCode).toBe(78);
expect(fipsException!.message).toEqual(
'Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled'
'Configuration mismatch error. xpack.security.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled'
);
});

it('should log an info message if FIPS mode is properly configured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode true', async () => {
it('should log an info message if FIPS mode is properly configured - xpack.security.fipsMode.enabled true, Nodejs FIPS mode true', async () => {
mockGetFipsFn.mockImplementationOnce(() => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: true } } };
securityConfig = { fipsMode: { enabled: true } };
const logger = loggingSystemMock.create().get();

try {
Expand All @@ -113,7 +113,7 @@ describe('fips', () => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: true } } };
securityConfig = { fipsMode: { enabled: true } };
});

afterEach(function () {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import { getFips } from 'crypto';
import { CriticalError } from '@kbn/core-base-server-internal';
import { PKCS12ConfigType, SecurityServiceConfigType } from '../utils';
export function isFipsEnabled(config: SecurityServiceConfigType): boolean {
return config?.experimental?.fipsMode?.enabled ?? false;
return config?.fipsMode?.enabled ?? false;
}

export function checkFipsConfig(
Expand All @@ -33,7 +33,7 @@ export function checkFipsConfig(
// FIPS must be enabled on both, or, log/error an exit Kibana
if (isFipsConfigEnabled !== isNodeRunningWithFipsEnabled) {
throw new CriticalError(
`Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${
`Configuration mismatch error. xpack.security.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${
isNodeRunningWithFipsEnabled ? 'enabled' : 'disabled'
}`,
'invalidConfig',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,8 @@ describe('SecurityService', function () {
const mockConfig = {
xpack: {
security: {
experimental: {
fipsMode: {
enabled: !!getFips(),
},
fipsMode: {
enabled: !!getFips(),
},
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,8 @@ export { convertSecurityApi } from './convert_security_api';
export { getDefaultSecurityImplementation } from './default_implementation';

export interface SecurityServiceConfigType {
experimental?: {
fipsMode?: {
enabled: boolean;
};
fipsMode?: {
enabled: boolean;
};
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ export function createRootWithSettings(
*/
let oss = true;
if (getFips() === 1) {
set(settings, 'xpack.security.experimental.fipsMode.enabled', true);
set(settings, 'xpack.security.fipsMode.enabled', true);
oss = false;
delete cliArgs.oss;
}
Expand Down
2 changes: 1 addition & 1 deletion src/core/server/integration_tests/node/migrator.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ describe('migrator-only node', () => {
'--no-optimizer',
'--no-base-path',
'--no-watch',
isFipsEnabled ? '--xpack.security.experimental.fipsMode.enabled=true' : '--oss',
isFipsEnabled ? '--xpack.security.fipsMode.enabled=true' : '--oss',
],
{ stdio: ['pipe', 'pipe', 'pipe'] }
);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -393,7 +393,7 @@ kibana_vars=(
xpack.security.authc.selector.enabled
xpack.security.cookieName
xpack.security.encryptionKey
xpack.security.experimental.fipsMode.enabled
xpack.security.fipsMode.enabled
xpack.security.loginAssistanceMessage
xpack.security.loginHelp
xpack.security.sameSiteCookies
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ RUN set -e ; \
make install > /dev/null ; \
rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
chown -R 1000:0 "${OPENSSL_PATH}";

{{/fips}}
# Ensure that group permissions are the same as user permissions.
# This will help when relying on GID-0 to run Kibana, rather than UID-1000.
Expand Down Expand Up @@ -156,7 +156,7 @@ RUN /bin/echo -e '\n--enable-fips' >> config/node.options
RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
ENV XPACK_SECURITY_EXPERIMENTAL_FIPSMODE_ENABLED=true
ENV XPACK_SECURITY_FIPSMODE_ENABLED=true

{{/fips}}
RUN ln -s /usr/share/kibana /opt/kibana
Expand Down
24 changes: 8 additions & 16 deletions x-pack/plugins/security/server/config.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,8 @@ describe('config schema', () => {
},
"cookieName": "sid",
"encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -121,10 +119,8 @@ describe('config schema', () => {
},
"cookieName": "sid",
"encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -179,10 +175,8 @@ describe('config schema', () => {
"selector": Object {},
},
"cookieName": "sid",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -240,10 +234,8 @@ describe('config schema', () => {
"selector": Object {},
},
"cookieName": "sid",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down
6 changes: 2 additions & 4 deletions x-pack/plugins/security/server/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -314,10 +314,8 @@ export const ConfigSchema = schema.object({
roleMappingManagementEnabled: schema.boolean({ defaultValue: true }),
}),
}),
experimental: schema.object({
fipsMode: schema.object({
enabled: schema.boolean({ defaultValue: false }),
}),
fipsMode: schema.object({
enabled: schema.boolean({ defaultValue: false }),
}),
});

Expand Down
22 changes: 22 additions & 0 deletions x-pack/plugins/security/server/config_deprecations.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,28 @@ describe('Config Deprecations', () => {
expect(messages).toHaveLength(0);
});

it('renames `xpack.security.experimental.fipsMode.enabled` to `xpack.security.fipsMode.enabled`', () => {
const config = {
xpack: {
security: {
experimental: {
fipsMode: {
enabled: true,
},
},
},
},
};
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
expect(migrated.xpack.security.experimental?.fipsMode?.enabled).not.toBeDefined();
expect(migrated.xpack.security.fipsMode.enabled).toEqual(true);
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting \\"xpack.security.experimental.fipsMode.enabled\\" has been replaced by \\"xpack.security.fipsMode.enabled\\"",
]
`);
});

it('renames sessionTimeout to session.idleTimeout', () => {
const config = {
xpack: {
Expand Down
3 changes: 3 additions & 0 deletions x-pack/plugins/security/server/config_deprecations.ts
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({
rename('audit.appender.policy.kind', 'audit.appender.policy.type', { level: 'warning' }),
rename('audit.appender.strategy.kind', 'audit.appender.strategy.type', { level: 'warning' }),
rename('audit.appender.path', 'audit.appender.fileName', { level: 'warning' }),
rename('experimental.fipsMode.enabled', 'fipsMode.enabled', {
level: 'critical',
}),

renameFromRoot(
'security.showInsecureClusterWarning',
Expand Down
Loading