Skip to content

Commit

Permalink
Removing experimental for the FIPS mode config (elastic#200734)
Browse files Browse the repository at this point in the history
## Summary

Closes elastic#200718

Remove the `experimental` from the fipsMode config path

## Release note

Kibana's FIPS mode is no longer considered experimental

## FIPS Pipeline for this branch

https://buildkite.com/elastic/kibana-fips/builds/281
  • Loading branch information
kc13greiner authored and paulinashakirova committed Nov 26, 2024
1 parent 08acbfc commit 0afe5c1
Show file tree
Hide file tree
Showing 17 changed files with 79 additions and 73 deletions.
2 changes: 1 addition & 1 deletion .buildkite/scripts/common/env.sh
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-ag
fi

if [[ -f "$KIBANA_DIR/config/kibana.yml" ]]; then
echo -e '\nxpack.security.experimental.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
echo -e '\nxpack.security.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
fi
fi

Expand Down
4 changes: 2 additions & 2 deletions .devcontainer/scripts/env.sh
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ setup_fips() {
fi

if [ -n "$FIPS" ] && [ "$FIPS" = "1" ]; then
sed -i '/xpack.security.experimental.fipsMode.enabled:/ {s/.*/xpack.security.experimental.fipsMode.enabled: true/; t}; $a\xpack.security.experimental.fipsMode.enabled: true' "$KBN_CONFIG_FILE"
sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: true/; t}; $a\xpack.security.fipsMode.enabled: true' "$KBN_CONFIG_FILE"

# Patch node_modules so we can start Kibana in dev mode
sed -i 's/hashType = hashType || '\''md5'\'';/hashType = hashType || '\''sha1'\'';/g' "${KBN_DIR}/node_modules/file-loader/node_modules/loader-utils/lib/getHashDigest.js"
Expand All @@ -21,7 +21,7 @@ setup_fips() {
echo "FIPS mode enabled"
echo "If manually bootstrapping in FIPS mode use: NODE_OPTIONS='' yarn kbn bootstrap"
else
sed -i '/xpack.security.experimental.fipsMode.enabled:/ {s/.*/xpack.security.experimental.fipsMode.enabled: false/; t}; $a\xpack.security.experimental.fipsMode.enabled: false' "$KBN_CONFIG_FILE"
sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: false/; t}; $a\xpack.security.fipsMode.enabled: false' "$KBN_CONFIG_FILE"
fi
}

Expand Down
7 changes: 1 addition & 6 deletions docs/user/security/fips-140-2.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ For {kib}, adherence to FIPS 140-2 is ensured by:

==== Configuring {kib} for FIPS 140-2

Apart from setting `xpack.security.experimental.fipsMode.enabled` to `true` in your {kib} config, a number of security related
Apart from setting `xpack.security.fipsMode.enabled` to `true` in your {kib} config, a number of security related
settings need to be reviewed and configured in order to run {kib} successfully in a FIPS 140-2 compliant Node.js
environment.

Expand All @@ -56,8 +56,3 @@ As an example, avoid PKCS#12 specific settings such as:
* `server.ssl.truststore.path`
* `elasticsearch.ssl.keystore.path`
* `elasticsearch.ssl.truststore.path`

===== Limitations

Configuring {kib} to run in FIPS mode is still considered to be experimental. Not all features are guaranteed to
function as expected.
Original file line number Diff line number Diff line change
Expand Up @@ -25,26 +25,26 @@ import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
describe('fips', () => {
let securityConfig: SecurityServiceConfigType;
describe('#isFipsEnabled', () => {
it('should return `true` if config.experimental.fipsMode.enabled is `true`', () => {
securityConfig = { experimental: { fipsMode: { enabled: true } } };
it('should return `true` if config.fipsMode.enabled is `true`', () => {
securityConfig = { fipsMode: { enabled: true } };

expect(isFipsEnabled(securityConfig)).toBe(true);
});

it('should return `false` if config.experimental.fipsMode.enabled is `false`', () => {
securityConfig = { experimental: { fipsMode: { enabled: false } } };
it('should return `false` if config.fipsMode.enabled is `false`', () => {
securityConfig = { fipsMode: { enabled: false } };

expect(isFipsEnabled(securityConfig)).toBe(false);
});

it('should return `false` if config.experimental.fipsMode.enabled is `undefined`', () => {
it('should return `false` if config.fipsMode.enabled is `undefined`', () => {
expect(isFipsEnabled(securityConfig)).toBe(false);
});
});

describe('checkFipsConfig', () => {
it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode false', async () => {
securityConfig = { experimental: { fipsMode: { enabled: true } } };
it('should log an error message if FIPS mode is misconfigured - xpack.security.fipsMode.enabled true, Nodejs FIPS mode false', async () => {
securityConfig = { fipsMode: { enabled: true } };
const logger = loggingSystemMock.create().get();
let fipsException: undefined | CriticalError;
try {
Expand All @@ -56,16 +56,16 @@ describe('fips', () => {
expect(fipsException).toBeInstanceOf(CriticalError);
expect(fipsException!.processExitCode).toBe(78);
expect(fipsException!.message).toEqual(
'Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled'
'Configuration mismatch error. xpack.security.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled'
);
});

it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled false, Nodejs FIPS mode true', async () => {
it('should log an error message if FIPS mode is misconfigured - xpack.security.fipsMode.enabled false, Nodejs FIPS mode true', async () => {
mockGetFipsFn.mockImplementationOnce(() => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: false } } };
securityConfig = { fipsMode: { enabled: false } };
const logger = loggingSystemMock.create().get();

let fipsException: undefined | CriticalError;
Expand All @@ -77,16 +77,16 @@ describe('fips', () => {
expect(fipsException).toBeInstanceOf(CriticalError);
expect(fipsException!.processExitCode).toBe(78);
expect(fipsException!.message).toEqual(
'Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled'
'Configuration mismatch error. xpack.security.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled'
);
});

it('should log an info message if FIPS mode is properly configured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode true', async () => {
it('should log an info message if FIPS mode is properly configured - xpack.security.fipsMode.enabled true, Nodejs FIPS mode true', async () => {
mockGetFipsFn.mockImplementationOnce(() => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: true } } };
securityConfig = { fipsMode: { enabled: true } };
const logger = loggingSystemMock.create().get();

try {
Expand All @@ -113,7 +113,7 @@ describe('fips', () => {
return 1;
});

securityConfig = { experimental: { fipsMode: { enabled: true } } };
securityConfig = { fipsMode: { enabled: true } };
});

afterEach(function () {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import { getFips } from 'crypto';
import { CriticalError } from '@kbn/core-base-server-internal';
import { PKCS12ConfigType, SecurityServiceConfigType } from '../utils';
export function isFipsEnabled(config: SecurityServiceConfigType): boolean {
return config?.experimental?.fipsMode?.enabled ?? false;
return config?.fipsMode?.enabled ?? false;
}

export function checkFipsConfig(
Expand All @@ -33,7 +33,7 @@ export function checkFipsConfig(
// FIPS must be enabled on both, or, log/error an exit Kibana
if (isFipsConfigEnabled !== isNodeRunningWithFipsEnabled) {
throw new CriticalError(
`Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${
`Configuration mismatch error. xpack.security.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${
isNodeRunningWithFipsEnabled ? 'enabled' : 'disabled'
}`,
'invalidConfig',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,8 @@ describe('SecurityService', function () {
const mockConfig = {
xpack: {
security: {
experimental: {
fipsMode: {
enabled: !!getFips(),
},
fipsMode: {
enabled: !!getFips(),
},
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,8 @@ export { convertSecurityApi } from './convert_security_api';
export { getDefaultSecurityImplementation } from './default_implementation';

export interface SecurityServiceConfigType {
experimental?: {
fipsMode?: {
enabled: boolean;
};
fipsMode?: {
enabled: boolean;
};
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ export function createRootWithSettings(
*/
let oss = true;
if (getFips() === 1) {
set(settings, 'xpack.security.experimental.fipsMode.enabled', true);
set(settings, 'xpack.security.fipsMode.enabled', true);
oss = false;
delete cliArgs.oss;
}
Expand Down
2 changes: 1 addition & 1 deletion src/core/server/integration_tests/node/migrator.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ describe('migrator-only node', () => {
'--no-optimizer',
'--no-base-path',
'--no-watch',
isFipsEnabled ? '--xpack.security.experimental.fipsMode.enabled=true' : '--oss',
isFipsEnabled ? '--xpack.security.fipsMode.enabled=true' : '--oss',
],
{ stdio: ['pipe', 'pipe', 'pipe'] }
);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -386,7 +386,7 @@ kibana_vars=(
xpack.security.authc.selector.enabled
xpack.security.cookieName
xpack.security.encryptionKey
xpack.security.experimental.fipsMode.enabled
xpack.security.fipsMode.enabled
xpack.security.loginAssistanceMessage
xpack.security.loginHelp
xpack.security.sameSiteCookies
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ RUN set -e ; \
make install > /dev/null ; \
rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
chown -R 1000:0 "${OPENSSL_PATH}";

{{/fips}}
# Ensure that group permissions are the same as user permissions.
# This will help when relying on GID-0 to run Kibana, rather than UID-1000.
Expand Down Expand Up @@ -156,7 +156,7 @@ RUN /bin/echo -e '\n--enable-fips' >> config/node.options
RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
ENV XPACK_SECURITY_EXPERIMENTAL_FIPSMODE_ENABLED=true
ENV XPACK_SECURITY_FIPSMODE_ENABLED=true

{{/fips}}
RUN ln -s /usr/share/kibana /opt/kibana
Expand Down
24 changes: 8 additions & 16 deletions x-pack/plugins/security/server/config.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,8 @@ describe('config schema', () => {
},
"cookieName": "sid",
"encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -121,10 +119,8 @@ describe('config schema', () => {
},
"cookieName": "sid",
"encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -179,10 +175,8 @@ describe('config schema', () => {
"selector": Object {},
},
"cookieName": "sid",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down Expand Up @@ -240,10 +234,8 @@ describe('config schema', () => {
"selector": Object {},
},
"cookieName": "sid",
"experimental": Object {
"fipsMode": Object {
"enabled": false,
},
"fipsMode": Object {
"enabled": false,
},
"loginAssistanceMessage": "",
"public": Object {},
Expand Down
6 changes: 2 additions & 4 deletions x-pack/plugins/security/server/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -315,10 +315,8 @@ export const ConfigSchema = schema.object({
roleMappingManagementEnabled: schema.boolean({ defaultValue: true }),
}),
}),
experimental: schema.object({
fipsMode: schema.object({
enabled: schema.boolean({ defaultValue: false }),
}),
fipsMode: schema.object({
enabled: schema.boolean({ defaultValue: false }),
}),
});

Expand Down
22 changes: 22 additions & 0 deletions x-pack/plugins/security/server/config_deprecations.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,28 @@ describe('Config Deprecations', () => {
expect(messages).toHaveLength(0);
});

it('renames `xpack.security.experimental.fipsMode.enabled` to `xpack.security.fipsMode.enabled`', () => {
const config = {
xpack: {
security: {
experimental: {
fipsMode: {
enabled: true,
},
},
},
},
};
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
expect(migrated.xpack.security.experimental?.fipsMode?.enabled).not.toBeDefined();
expect(migrated.xpack.security.fipsMode.enabled).toEqual(true);
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting \\"xpack.security.experimental.fipsMode.enabled\\" has been replaced by \\"xpack.security.fipsMode.enabled\\"",
]
`);
});

it('renames sessionTimeout to session.idleTimeout', () => {
const config = {
xpack: {
Expand Down
3 changes: 3 additions & 0 deletions x-pack/plugins/security/server/config_deprecations.ts
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({
rename('audit.appender.policy.kind', 'audit.appender.policy.type', { level: 'warning' }),
rename('audit.appender.strategy.kind', 'audit.appender.strategy.type', { level: 'warning' }),
rename('audit.appender.path', 'audit.appender.fileName', { level: 'warning' }),
rename('experimental.fipsMode.enabled', 'fipsMode.enabled', {
level: 'critical',
}),

renameFromRoot(
'security.showInsecureClusterWarning',
Expand Down
Loading

0 comments on commit 0afe5c1

Please sign in to comment.