Skip to content

[8.19](backport #45036) [Filebeat] Allow v2 inputs to opt out of FIPS distributions#45039

Merged
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-45036
Jun 25, 2025
Merged

[8.19](backport #45036) [Filebeat] Allow v2 inputs to opt out of FIPS distributions#45039
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-45036

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify bot commented Jun 25, 2025

Proposed commit message

This PR adds a new boolean field, ExcludeFromFIPS to the v2.Plugin struct for optional use by v2 inputs. Inputs that set this field to true are indicating that they should NOT be usable in FIPS-capable distributions of Filebeat. If an input that sets this field to true is configured in a FIPS-capable Filebeat distribution, Filebeat will exit with an error like so:

{"log.level":"error","@timestamp":"2025-06-25T11:22:14.686-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works~
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None; the changes in this PR merely allow for Filebeat v2 inputs to be excluded from FIPS-capable Filebeat artifacts; there are no inputs actually being excluded in this PR.

How to test this PR locally

$ go test ./filebeat/input/v2/ -test.run TestLoader_ConfigureFIPS -test.count 1 -test.v
=== RUN   TestLoader_ConfigureFIPS
    loader_test.go:209: FIPS mode = false; err = <nil>
--- PASS: TestLoader_ConfigureFIPS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/filebeat/input/v2	0.006s

In an environment configured for FIPS, i.e. with the Microsoft Go fork installed and with the OpenSSL FIPS provider installed:

$ GOEXPERIMENT=systemcrypto go test -tags requirefips ./filebeat/input/v2/ -test.run TestLoader_ConfigureFIPS -test.count 1 -test.v
=== RUN   TestLoader_ConfigureFIPS
    loader_test.go:209: FIPS mode = true; err = running a FIPS-capable distribution but input [a] is not FIPS capable
--- PASS: TestLoader_ConfigureFIPS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/filebeat/input/v2	0.014s

Related issues

This PR replaces the implementation done in #44920

This is an automatic backport of pull request #45036 done by Mergify.

@ycombinator @mergify
[Filebeat] Allow v2 inputs to opt out of FIPS distributions (#45036)
7a8a8f2 
* Add constant for FIPS mode

* Add ability for v2 inputs to opt out of FIPS distributions

* Return error in FIPS mode if input wants to opt-out of FIPS distributions

* Fixing typo

* Adding missing license header

* Running mage fmt

(cherry picked from commit 9d79db0)
@mergify mergify bot added the backport label Jun 25, 2025
@mergify mergify bot requested a review from a team as a code owner June 25, 2025 20:49
@mergify mergify bot requested review from andrzej-stencel and rdner and removed request for a team June 25, 2025 20:49
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2025
@github-actions github-actions bot added >enhancement release-note:skip The PR should be ignored when processing the changelog Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jun 25, 2025
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jun 25, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2025
@ycombinator ycombinator enabled auto-merge (squash) June 25, 2025 20:53
@ycombinator ycombinator merged commit 1eec383 into 8.19 Jun 25, 2025
201 checks passed
@ycombinator ycombinator deleted the mergify/bp/8.19/pr-45036 branch June 25, 2025 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ycombinator ycombinator ycombinator approved these changes

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel andrzej-stencel is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@ycombinator ycombinator

Labels

backport >enhancement release-note:skip The PR should be ignored when processing the changelog Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elasticmachine @ycombinator