Skip to content

Commit 9d79db0

Browse files
ycombinatorycombinator
authored
[Filebeat] Allow v2 inputs to opt out of FIPS distributions (#45036)
* Add constant for FIPS mode * Add ability for v2 inputs to opt out of FIPS distributions * Return error in FIPS mode if input wants to opt-out of FIPS distributions * Fixing typo * Adding missing license header * Running mage fmt
1 parent 13da3a8 commit 9d79db0

5 files changed

Lines changed: 86 additions & 0 deletions

File tree

filebeat/input/v2/loader.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ package v2
2020
import (
2121
"fmt"
2222

23+
"github.com/elastic/beats/v7/libbeat/common"
2324
"github.com/elastic/beats/v7/libbeat/feature"
2425
conf "github.com/elastic/elastic-agent-libs/config"
2526
"github.com/elastic/elastic-agent-libs/logp"
@@ -96,6 +97,10 @@ func (l *Loader) Configure(cfg *conf.C) (Input, error) {
9697
log.Warnf("DEPRECATED: The %v input is deprecated", name)
9798
}
9899

100+
if common.FIPSMode && p.ExcludeFromFIPS {
101+
return nil, fmt.Errorf("running a FIPS-capable distribution but input [%s] is not FIPS capable", name)
102+
}
103+
99104
return p.Manager.Create(cfg)
100105
}
101106

filebeat/input/v2/loader_test.go

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,9 @@ import (
2121
"errors"
2222
"testing"
2323

24+
"github.com/stretchr/testify/require"
25+
26+
"github.com/elastic/beats/v7/libbeat/common"
2427
"github.com/elastic/beats/v7/libbeat/feature"
2528
conf "github.com/elastic/elastic-agent-libs/config"
2629
"github.com/elastic/elastic-agent-libs/logp"
@@ -180,6 +183,33 @@ func TestLoader_Configure(t *testing.T) {
180183
}
181184
}
182185

186+
func TestLoader_ConfigureFIPS(t *testing.T) {
187+
loaderCfg := loaderConfig{
188+
Plugins: []Plugin{
189+
{
190+
Name: "a",
191+
Stability: feature.Stable,
192+
Manager: ConfigureWith(func(_ *conf.C) (Input, error) {
193+
return nil, nil
194+
}),
195+
ExcludeFromFIPS: true,
196+
},
197+
},
198+
TypeField: "type",
199+
}
200+
201+
loader := loaderCfg.MustNewLoader()
202+
input, err := loader.Configure(conf.MustNewConfigFrom(map[string]any{"type": "a"}))
203+
require.Nil(t, input)
204+
205+
if common.FIPSMode {
206+
require.Error(t, err)
207+
} else {
208+
require.NoError(t, err)
209+
}
210+
t.Logf("FIPS mode = %v; err = %v", common.FIPSMode, err)
211+
}
212+
183213
func (b loaderConfig) MustNewLoader() *Loader {
184214
l, err := b.NewLoader()
185215
if err != nil {

filebeat/input/v2/plugin.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,11 @@ type Plugin struct {
6060

6161
// Manager MUST be configured. The manager is used to create the inputs.
6262
Manager InputManager
63+
64+
// ExcludeFromFIPS indicates whether this plugin should not be usable in
65+
// FIPS-capable Filebeat distributions. If set to true, FIPS-capable Filebeat
66+
// distributions will exit with an error if this plugin is configured for use.
67+
ExcludeFromFIPS bool
6368
}
6469

6570
func (p Plugin) validate() error {

libbeat/common/mode_fips.go

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
// Licensed to Elasticsearch B.V. under one or more contributor
2+
// license agreements. See the NOTICE file distributed with
3+
// this work for additional information regarding copyright
4+
// ownership. Elasticsearch B.V. licenses this file to you under
5+
// the Apache License, Version 2.0 (the "License"); you may
6+
// not use this file except in compliance with the License.
7+
// You may obtain a copy of the License at
8+
//
9+
// http://www.apache.org/licenses/LICENSE-2.0
10+
//
11+
// Unless required by applicable law or agreed to in writing,
12+
// software distributed under the License is distributed on an
13+
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14+
// KIND, either express or implied. See the License for the
15+
// specific language governing permissions and limitations
16+
// under the License.
17+
18+
//go:build requirefips
19+
20+
package common
21+
22+
// FIPSMode = true indicates that this is a FIPS-capable distribution.
23+
const FIPSMode = true

libbeat/common/mode_nofips.go

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
// Licensed to Elasticsearch B.V. under one or more contributor
2+
// license agreements. See the NOTICE file distributed with
3+
// this work for additional information regarding copyright
4+
// ownership. Elasticsearch B.V. licenses this file to you under
5+
// the Apache License, Version 2.0 (the "License"); you may
6+
// not use this file except in compliance with the License.
7+
// You may obtain a copy of the License at
8+
//
9+
// http://www.apache.org/licenses/LICENSE-2.0
10+
//
11+
// Unless required by applicable law or agreed to in writing,
12+
// software distributed under the License is distributed on an
13+
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14+
// KIND, either express or implied. See the License for the
15+
// specific language governing permissions and limitations
16+
// under the License.
17+
18+
//go:build !requirefips
19+
20+
package common
21+
22+
// FIPSMode = false indicates that this is not a FIPS-capable distribution.
23+
const FIPSMode = false

0 commit comments

Comments
 (0)