Skip to content

Commit

Permalink
Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipel…
Browse files Browse the repository at this point in the history
…ine (elastic#192632)

## Summary

Closes elastic#192233 

Just in time for Thanksgiving - a full buffet of FIPS testing fixes

Usage of non-compliant algorithms manifest as runtime errors, so it is
imperative that we attempt to run all tests possible with Kibana in FIPS
mode. However, several overrides are needed to run Kibana in FIPS mode,
resulting in setup that make it impossible to run.

## In this PR

- Enable Unit tests for FIPS pipeline
- Enable Integration Tests for FIPS pipeline
- Enable Full FTR suite for FIPS pipeline (smoke test had originally run
a subset)
- Skip tests that break with overrides
- Fix/change tests to work in FIPS mode to maximize coverage
- Examine necessity of MD5 when installing from source (TBD based Ops PR
feed back, see self review below)
- Remove md5 from es_file_client options

## Latest Successful FIPS Test Run

https://buildkite.com/elastic/kibana-fips/builds/268

---------

Co-authored-by: Brad White <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Aleh Zasypkin <[email protected]>
Co-authored-by: Larry Gregory <[email protected]>
  • Loading branch information
5 people authored Nov 19, 2024
1 parent 3757e64 commit ac0b0b4
Show file tree
Hide file tree
Showing 29 changed files with 520 additions and 400 deletions.
7 changes: 4 additions & 3 deletions .buildkite/pipelines/fips.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,15 @@ steps:
machineType: n2-standard-2
preemptible: true

- command: .buildkite/scripts/steps/fips/smoke_test.sh
label: 'Pick Smoke Test Group Run Order'
- command: .buildkite/scripts/steps/test/pick_test_group_run_order.sh
label: 'Pick Test Group Run Order'
depends_on: build
timeout_in_minutes: 10
env:
FTR_CONFIGS_SCRIPT: '.buildkite/scripts/steps/test/ftr_configs.sh'
FTR_EXTRA_ARGS: '$FTR_EXTRA_ARGS'
LIMIT_CONFIG_TYPE: 'functional'
JEST_UNIT_SCRIPT: '.buildkite/scripts/steps/test/jest.sh'
JEST_INTEGRATION_SCRIPT: '.buildkite/scripts/steps/test/jest_integration.sh'
retry:
automatic:
- exit_status: '*'
Expand Down
24 changes: 0 additions & 24 deletions .buildkite/scripts/steps/fips/smoke_test.sh

This file was deleted.

9 changes: 8 additions & 1 deletion .buildkite/scripts/steps/test/jest_parallel.sh
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,14 @@ while read -r config; do
# --trace-warnings to debug
# Node.js process-warning detected:
# Warning: Closing file descriptor 24 on garbage collection
cmd="NODE_OPTIONS=\"--max-old-space-size=12288 --trace-warnings\" node ./scripts/jest --config=\"$config\" $parallelism --coverage=false --passWithNoTests"
cmd="NODE_OPTIONS=\"--max-old-space-size=12288 --trace-warnings"

if [ "${KBN_ENABLE_FIPS:-}" == "true" ]; then
cmd=$cmd" --enable-fips --openssl-config=$HOME/nodejs.cnf"
fi

cmd=$cmd"\" node ./scripts/jest --config=\"$config\" $parallelism --coverage=false --passWithNoTests"

echo "actual full command is:"
echo "$cmd"
echo ""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,32 @@ import { loggerMock, MockedLogger } from '@kbn/logging-mocks';
import { mockCoreContext } from '@kbn/core-base-server-mocks';
import type { CoreSecurityDelegateContract } from '@kbn/core-security-server';
import { SecurityService } from './security_service';
import { configServiceMock } from '@kbn/config-mocks';
import { getFips } from 'crypto';

const createStubInternalContract = (): CoreSecurityDelegateContract => {
return Symbol('stubContract') as unknown as CoreSecurityDelegateContract;
};

describe('SecurityService', () => {
describe('SecurityService', function () {
let coreContext: ReturnType<typeof mockCoreContext.create>;
let configService: ReturnType<typeof configServiceMock.create>;
let service: SecurityService;

beforeEach(() => {
coreContext = mockCoreContext.create();
const mockConfig = {
xpack: {
security: {
experimental: {
fipsMode: {
enabled: !!getFips(),
},
},
},
},
};
configService = configServiceMock.create({ getConfig$: mockConfig });
coreContext = mockCoreContext.create({ configService });
service = new SecurityService(coreContext);

convertSecurityApiMock.mockReset();
Expand All @@ -51,8 +66,11 @@ describe('SecurityService', () => {
describe('#isEnabled', () => {
it('should return boolean', () => {
const { fips } = service.setup();

expect(fips.isEnabled()).toBe(false);
if (getFips() === 0) {
expect(fips.isEnabled()).toBe(false);
} else {
expect(fips.isEnabled()).toBe(true);
}
});
});
});
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,5 +22,6 @@
"@kbn/core-base-server-mocks",
"@kbn/config",
"@kbn/core-logging-server-mocks",
"@kbn/config-mocks",
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,12 @@ import loadJsonFile from 'load-json-file';
import { defaultsDeep } from 'lodash';
import { BehaviorSubject } from 'rxjs';
import supertest from 'supertest';
import { set } from '@kbn/safer-lodash-set';

import { getPackages } from '@kbn/repo-packages';
import { ToolingLog } from '@kbn/tooling-log';
import { REPO_ROOT } from '@kbn/repo-info';
import { getFips } from 'crypto';
import {
createTestEsCluster,
CreateTestEsClusterOptions,
Expand Down Expand Up @@ -75,6 +77,17 @@ export function createRootWithSettings(
pkg.version = customKibanaVersion;
}

/*
* Most of these integration tests expect OSS to default to true, but FIPS
* requires the security plugin to be enabled
*/
let oss = true;
if (getFips() === 1) {
set(settings, 'xpack.security.experimental.fipsMode.enabled', true);
oss = false;
delete cliArgs.oss;
}

const env = Env.createDefault(
REPO_ROOT,
{
Expand All @@ -84,10 +97,10 @@ export function createRootWithSettings(
watch: false,
basePath: false,
runExamples: false,
oss: true,
disableOptimizer: true,
cache: true,
dist: false,
oss,
...cliArgs,
},
repoPackages: getPackages(REPO_ROOT),
Expand Down Expand Up @@ -255,7 +268,13 @@ export function createTestServers({
if (!adjustTimeout) {
throw new Error('adjustTimeout is required in order to avoid flaky tests');
}
const license = settings.es?.license ?? 'basic';
let license = settings.es?.license ?? 'basic';

if (getFips() === 1) {
// Set license to 'trial' if Node is running in FIPS mode
license = 'trial';
}

const usersToBeAdded = settings.users ?? [];
if (usersToBeAdded.length > 0) {
if (license !== 'trial') {
Expand Down Expand Up @@ -292,6 +311,7 @@ export function createTestServers({
hosts: es.getHostUrls(),
username: kibanaServerTestUser.username,
password: kibanaServerTestUser.password,
...(getFips() ? kbnSettings.elasticsearch : {}),
};
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"@kbn/repo-packages",
"@kbn/es",
"@kbn/dev-utils",
"@kbn/safer-lodash-set",
],
"exclude": [
"target/**/*",
Expand Down
4 changes: 2 additions & 2 deletions packages/kbn-es/src/install/install_source.ts
Original file line number Diff line number Diff line change
Expand Up @@ -84,15 +84,15 @@ async function sourceInfo(cwd: string, license: string, log: ToolingLog = defaul
log.info('on %s at %s', chalk.bold(branch), chalk.bold(sha));
log.info('%s locally modified file(s)', chalk.bold(status.modified.length));

const etag = crypto.createHash('md5').update(branch); // eslint-disable-line @kbn/eslint/no_unsafe_hash
const etag = crypto.createHash('sha256').update(branch);
etag.update(sha);

// for changed files, use last modified times in hash calculation
status.files.forEach((file) => {
etag.update(fs.statSync(path.join(cwd, file.path)).mtime.toString());
});

const cwdHash = crypto.createHash('md5').update(cwd).digest('hex').substr(0, 8); // eslint-disable-line @kbn/eslint/no_unsafe_hash
const cwdHash = crypto.createHash('sha256').update(cwd).digest('hex').substr(0, 8);

const basename = `${branch}-${task}-${cwdHash}`;
const filename = `${basename}.${ext}`;
Expand Down
6 changes: 5 additions & 1 deletion packages/kbn-test/src/es/test_es_cluster.ts
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import type { ToolingLog } from '@kbn/tooling-log';
import { REPO_ROOT } from '@kbn/repo-info';
import type { ArtifactLicense } from '@kbn/es';
import type { ServerlessOptions } from '@kbn/es/src/utils';
import { getFips } from 'crypto';
import { CI_PARALLEL_PROCESS_PREFIX } from '../ci_parallel_process_prefix';
import { esTestConfig } from './es_test_config';

Expand Down Expand Up @@ -200,12 +201,15 @@ export function createTestEsCluster<

const esArgs = assignArgs(defaultEsArgs, customEsArgs);

// Use 'trial' license if FIPS mode is enabled, otherwise use the provided license or default to 'basic'
const testLicense: ArtifactLicense = getFips() === 1 ? 'trial' : license ? license : 'basic';

const config = {
version: esVersion,
installPath: Path.resolve(basePath, clusterName),
sourcePath: Path.resolve(REPO_ROOT, '../elasticsearch'),
license: testLicense,
password,
license,
basePath,
esArgs,
resources: files,
Expand Down
Loading

0 comments on commit ac0b0b4

Please sign in to comment.