Skip to content

[8.19](backport #44920) Allow Filebeat modules to be excluded from FIPS-capable artifacts#45014

Merged
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-44920
Jun 24, 2025
Merged

[8.19](backport #44920) Allow Filebeat modules to be excluded from FIPS-capable artifacts#45014
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-44920

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify bot commented Jun 24, 2025

Proposed commit message

This PR introduces a new type:

type FIPSAwareInput interface {
    IsFIPSCapable() bool
}

Filebeat inputs that wish to report if they are FIPS-capable (or not) are expected to implement this interface. Inputs that do not implement this interface are considered to be FIPS-capable.

For inputs that implement the above interface, FIPS-capable builds of Filebeat will check the input's FIPS-capability. If the input is not FIPS-capable, the input will fail to start with an error message and Filebeat will exit, e.g.:

{"log.level":"error","@timestamp":"2025-06-23T23:50:39.852-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: input o365audit is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: input o365audit is not FIPS capable

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None; the changes in this PR merely allow for Filebeat modules to be excluded from FIPS-capable Filebeat artifacts; there are no modules being excluded in this PR.

How to test this PR locally

$ mage clean && FIPS=true mage build
$ cat <<EOF > filebeat-test.yml
filebeat.inputs:
- type: o365audit
  id: id-nofips
  enabled: true
  application_id: foo
  tenant_id: bar
  client_secret: qux

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test.yml -e
```<hr>This is an automatic backport of pull request #44920 done by [Mergify](https://mergify.com).

@ycombinator @mergify
Allow Filebeat modules to be excluded from FIPS-capable artifacts (#4…
d28fcc5 
…4920)

* Add ability for Filebeat plugins (inputs) to specify that they should be excluded from FIPS builds

* Remove ExcludeForFIPS implementation

* Create and check FIPSAwareInput interface

* Make o365 input use FIPSAwareInput interface

* Running mage fmt

* Remove debugging statement

* Explain behavior for types not implementing the interface

* Adding godoc comments for implementations of the IsFIPSCapable() method

* Add unit test for checkFIPSCapability()

* Running mage fmt

* Remove example implementation

(cherry picked from commit 322d694)
@mergify mergify bot requested a review from a team as a code owner June 24, 2025 22:04
@mergify mergify bot added the backport label Jun 24, 2025
@mergify mergify bot requested review from belimawr and rdner and removed request for a team June 24, 2025 22:04
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 24, 2025
@github-actions github-actions bot added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jun 24, 2025
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jun 24, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 24, 2025
@ycombinator ycombinator enabled auto-merge (squash) June 24, 2025 22:18
@ycombinator ycombinator merged commit ccea0c7 into 8.19 Jun 24, 2025
43 of 46 checks passed
@ycombinator ycombinator deleted the mergify/bp/8.19/pr-44920 branch June 24, 2025 23:47
@ycombinator ycombinator mentioned this pull request Jun 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ycombinator ycombinator ycombinator approved these changes

@belimawr belimawr Awaiting requested review from belimawr belimawr is a code owner automatically assigned from elastic/elastic-agent-data-plane

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@ycombinator ycombinator

Labels

backport Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elasticmachine @ycombinator