Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor FIPS BootstrapChecks to simple checks #47499

Merged
merged 4 commits into from
Oct 22, 2019
Merged

Refactor FIPS BootstrapChecks to simple checks #47499

merged 4 commits into from
Oct 22, 2019

Conversation

jkakavas
Copy link
Member

@jkakavas jkakavas commented Oct 3, 2019

FIPS 140 bootstrap checks should not be bootstrap checks as they
are always enforced. This commit moves the validation logic within
the security plugin.
The FIPS140SecureSettingsBootstrapCheck was not applicable as the
keystore was being loaded on init, before the Bootstrap checks
were checked, so an elasticsearch keystore of version < 3 would
cause the node to fail in a FIPS 140 JVM before the bootstrap check
kicked in, and as such hasn't been migrated.

Resolves: #34772
Replaces: #36677

@jkakavas
Refactor FIPS BootstrapChecks to simple checks
d5bf8e7 
FIPS 140 bootstrap checks should not be bootstrap checks as they
are always enforced. This commit moves the validation logic within
the security plugin.
The FIPS140SecureSettingsBootstrapCheck was not applicable as the
keystore was being loaded on init, before the Bootstrap checks
were checked, so an elasticsearch keystore of version < 3 would
cause the node to fail in a FIPS 140 JVM before the bootstrap check
kicked in, and as such hasn't been migrated.

Resolves: elastic#34772
@jkakavas jkakavas added >refactoring :Security/Security Security issues without another label v8.0.0 v7.5.0 labels Oct 3, 2019
@jkakavas jkakavas requested review from tvernum and jasontedor October 3, 2019 10:46
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Security)

jasontedor
jasontedor approved these changes Oct 3, 2019
View reviewed changes
Copy link
Member

@jasontedor jasontedor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@jkakavas jkakavas mentioned this pull request Oct 3, 2019
Closed
tvernum
tvernum reviewed Oct 7, 2019
View reviewed changes
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -326,8 +326,11 @@ public Security(Settings settings, final Path configPath) {

}

private static void runStartupChecks(Settings settings) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this no longer static? validateForFips is static, so I can't see why this method needs to change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftover change from uncompleted attempt I'd guess, wasn't left on purpose

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
}
Settings keystorePathSettings = settings.filter(k -> k.endsWith("keystore.path"))
.filter(k -> settings.hasValue(k.replace(".path", ".type")) == false);
// Default Keystore type is JKS in JDK8 and PKCS12 in > JDK9 if not explicitly set
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the case. We explicitly set the keystore type to JKS, and don't depend on the JVM default.

elasticsearch/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java

Lines 245 to 252 in 9945d5c

private static String inferKeyStoreType(String path) {
String name = path == null ? "" : path.toLowerCase(Locale.ROOT);
if (name.endsWith(".p12") || name.endsWith(".pfx") || name.endsWith(".pkcs12")) {
return PKCS12_KEYSTORE_TYPE;
} else {
return DEFAULT_KEYSTORE_TYPE;
}
}

Perhaps we should call inferKeyStoreType here instead.

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
@@ -303,19 +307,15 @@ public Security(Settings settings, final Path configPath) {
this.env = new Environment(settings, configPath);
this.enabled = XPackSettings.SECURITY_ENABLED.get(settings);
if (enabled) {
runStartupChecks(settings);
runStartupChecks(settings, getLicenseState());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is license state meaningful at this point during node start up?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point. Should we just remove checks for license on node startup and only leave ValidateLicenseForFIPS on node joins ?

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
}

if (licenseState != null && FIPS_ALLOWED_LICENSE_OPERATION_MODES.contains(licenseState.getOperationMode()) == false) {
validationErrors.add("FIPS mode is only allowed with a Platinum or Trial license");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message should be built from FIPS_ALLOWED_LICENSE_OPERATION_MODES

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java Outdated
@@ -273,6 +275,8 @@
DiscoveryPlugin, MapperPlugin, ExtensiblePlugin {

private static final Logger logger = LogManager.getLogger(Security.class);
static final EnumSet<License.OperationMode> FIPS_ALLOWED_LICENSE_OPERATION_MODES =
EnumSet.of(License.OperationMode.PLATINUM, License.OperationMode.TRIAL);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this to XPackLicenseState? We ought to keep licensing decisions centralised.

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java Outdated
@@ -253,7 +255,7 @@ public void testJoinValidatorForFIPSLicense() throws Exception {
new Security.ValidateLicenseForFIPS(false).accept(node, state);

final boolean isLicenseValidForFips =
FIPS140LicenseBootstrapCheck.ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode());
Security.FIPS_ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This (existing) test is testing 2 different scenarios based on randomness in the license type.
Can we move it to 2 explicit test cases?

@jkakavas jkakavas requested a review from tvernum October 7, 2019 08:15
@jkakavas
Copy link
Member Author

@tvernum I believe I have addressed your comments, if you want to take another look at this

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

2 similar comments
@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request+multijob+packaging-tests-unix-next-sample/os=ubuntu-16.04-packaging/415/console

22:57:21 FAILURE: Build failed with an exception.
22:57:21
22:57:21 * What went wrong:
22:57:21 Execution failed for task ':distribution:docker:buildDockerImage'.

22:44:27 
22:44:27 
22:44:27  One of the configured repositories failed (Unknown),
22:44:27  and yum doesn't have enough cached data to continue. At this point the only
22:44:27  safe thing yum can do is fail. There are a few ways to work "fix" this:
22:44:27 
22:44:27      1. Contact the upstream for the repository and get them to fix the problem.
22:44:27 
22:44:27      2. Reconfigure the baseurl/etc. for the repository, to point to a working
22:44:27         upstream. This is most often useful if you are using a newer
22:44:27         distribution release than is supported by the repository (and the
22:44:27         packages for the previous distribution release still work).
22:44:27 
22:44:27      3. Run the command with the repository temporarily disabled
22:44:27             yum --disablerepo=<repoid> ...
22:44:27 
22:44:27      4. Disable the repository permanently, so yum won't use it by default. Yum
22:44:27         will then just ignore the repository until you permanently enable it
22:44:27         again or use --enablerepo for temporary usage:
22:44:27 
22:44:27             yum-config-manager --disable <repoid>
22:44:27         or
22:44:27             subscription-manager repos --disable=<repoid>
22:44:27 
22:44:27      5. Configure the failing repository to be skipped, if it is unavailable.
22:44:27         Note that yum will try to contact the repo. when it runs most commands,
22:44:27         so will have to try and fail each time (and thus. yum will be be much
22:44:27         slower). If it is a very temporary problem though, this is often a nice
22:44:27         compromise:
22:44:27 
22:44:27             yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
22:44:27 
22:44:27 Cannot find a valid baseurl for repo: base/7/x86_64
22:44:27 Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was
22:44:27 14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample

@jkakavas jkakavas mentioned this pull request Oct 14, 2019
Closed
@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

2 similar comments
@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas
Copy link
Member Author

@elasticmachine update branch

@jkakavas
Copy link
Member Author

@elasticmachine run elasticsearch-ci/packaging-sample-matrix

@jkakavas jkakavas merged commit 4e2ee64 into elastic:master Oct 22, 2019
@jkakavas jkakavas added v7.6.0 and removed v7.5.0 labels Oct 22, 2019
@jkakavas jkakavas mentioned this pull request Oct 22, 2019
Merged
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request Oct 22, 2019
@jkakavas
Refactor FIPS BootstrapChecks to simple checks (elastic#47499)
d44e13a 
FIPS 140 bootstrap checks should not be bootstrap checks as they
are always enforced. This commit moves the validation logic within
the security plugin.
The FIPS140SecureSettingsBootstrapCheck was not applicable as the
keystore was being loaded on init, before the Bootstrap checks
were checked, so an elasticsearch keystore of version < 3 would
cause the node to fail in a FIPS 140 JVM before the bootstrap check
kicked in, and as such hasn't been migrated.

Resolves: elastic#34772
jkakavas added a commit that referenced this pull request Oct 22, 2019
@jkakavas
[7.x] Refactor FIPS BootstrapChecks to simple checks (#47499) (#48333)
24e43df 
FIPS 140 bootstrap checks should not be bootstrap checks as they
are always enforced. This commit moves the validation logic within
the security plugin.
The FIPS140SecureSettingsBootstrapCheck was not applicable as the
keystore was being loaded on init, before the Bootstrap checks
were checked, so an elasticsearch keystore of version < 3 would
cause the node to fail in a FIPS 140 JVM before the bootstrap check
kicked in, and as such hasn't been migrated.

Resolves: #34772
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Oct 22, 2019
@jasontedor
Merge remote-tracking branch 'elastic/master' into system-jvm-options
07bd9d8 
* elastic/master:
  [Docs] Fix opType options in IndexRequest API example. (elastic#48290)
  Simplify Shard Snapshot Upload Code (elastic#48155)
  Mute ClassificationIT tests (elastic#48338)
  Reenable azure repository tests and remove some randomization in http servers  (elastic#48283)
  Use an env var for the classpath of jar hell task (elastic#48240)
  Refactor FIPS BootstrapChecks to simple checks (elastic#47499)
  Add "format" to "range" queries resulted from optimizing a logical AND (elastic#48073)
  [DOCS][Transform] document limitation regarding rolling upgrade with 7.2, 7.3 (elastic#48118)
  Fail with a better error when if there are no ingest nodes (elastic#48272)
  Fix executing enrich policies stats (elastic#48132)
  Use MultiFileTransfer in CCR remote recovery (elastic#44514)
  Make BytesReference an interface (elastic#48171)
  Also validate source index at put enrich policy time. (elastic#48254)
  Add 'javadoc' task to lifecycle check tasks (elastic#48214)
  Remove option to enable direct buffer pooling (elastic#47956)
  [DOCS] Add 'Selecting gateway and seed nodes' section to CCS docs (elastic#48297)
  Add Enrich Origin (elastic#48098)
  fix incorrect comparison (elastic#48208)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasontedor jasontedor jasontedor approved these changes

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
>refactoring :Security/Security Security issues without another label v7.6.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

FIPS checks should not be bootstrap checks
5 participants
@jkakavas @elasticmachine @tvernum @jasontedor @jakelandis