Exposing fips setting from security setup

x-pack/packages/security/plugin_types_server/src/plugin.ts

@@ -6,6 +6,7 @@
  */
 
 import type { SecurityLicense } from '@kbn/security-plugin-types-common';
+import { Experimental } from '@kbn/security-plugin/server/experimental';
 import type { AuditServiceSetup } from './audit';
 import type { PrivilegeDeprecationsService, AuthorizationServiceSetup } from './authorization';
 import type { AuthenticationServiceStart } from './authentication';
@@ -29,6 +30,11 @@ export interface SecurityPluginSetup {
    * Exposes services to access kibana roles per feature id with the GetDeprecationsContext
    */
   privilegeDeprecationsService: PrivilegeDeprecationsService;
+
+  /**
+   * Exposes experimental features
+   */
+  experimental: Experimental;
 }
 
 /**

x-pack/plugins/security/server/experimental/index.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { FipsServiceSetupInternal } from '../fips';
+
+export interface Experimental {
+  isFipsEnabled: () => ReturnType<FipsServiceSetupInternal['isKibanaFipsModeEnabled']>;
+}

x-pack/plugins/security/server/fips/fips_service.test.ts

@@ -19,7 +19,7 @@ import { BehaviorSubject, of } from 'rxjs';
 
 import { loggingSystemMock } from '@kbn/core/server/mocks';
 import type { LicenseType } from '@kbn/licensing-plugin/common/types';
-import type { SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
+import type { SecurityLicense, SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
 
 import type { FipsServiceSetupInternal, FipsServiceSetupParams } from './fips_service';
 import { FipsService } from './fips_service';
@@ -75,12 +75,75 @@ describe('FipsService', () => {
 
       expect(fipsServiceSetup).toMatchInlineSnapshot(`
         Object {
+          "isKibanaFipsModeEnabled": [Function],
           "validateLicenseForFips": [Function],
         }
       `);
     });
   });
 
+  describe('#isKibanaFipsModeEnabled', () => {
+    let license: SecurityLicense;
+    beforeEach(() => {
+      license = licenseMock.create(of({ allowFips: true }), 'platinum');
+
+      fipsService = new FipsService(logger);
+    });
+
+    it('should return `true` when config `xpack.security.experimental.fipsMode.enabled` is `true`', () => {
+      mockGetFipsFn.mockImplementationOnce(() => {
+        return 1;
+      });
+
+      fipsServiceSetup = fipsService.setup({
+        license,
+        config: createConfig(
+          ConfigSchema.validate({ experimental: { fipsMode: { enabled: true } } }),
+          loggingSystemMock.createLogger(),
+          {
+            isTLSEnabled: false,
+          }
+        ),
+      });
+
+      expect(fipsServiceSetup.isKibanaFipsModeEnabled()).toBe(true);
+    });
+
+    it('should return `false` when config `xpack.security.experimental.fipsMode.enabled` is `false`', () => {
+      mockGetFipsFn.mockImplementationOnce(() => {
+        return 0;
+      });
+
+      fipsServiceSetup = fipsService.setup({
+        license,
+        config: createConfig(
+          ConfigSchema.validate({ experimental: { fipsMode: { enabled: false } } }),
+          loggingSystemMock.createLogger(),
+          {
+            isTLSEnabled: false,
+          }
+        ),
+      });
+
+      expect(fipsServiceSetup.isKibanaFipsModeEnabled()).toBe(false);
+    });
+
+    it('should return `false` when config `xpack.security.experimental.fipsMode.enabled` is `undefined`', () => {
+      mockGetFipsFn.mockImplementationOnce(() => {
+        return 0;
+      });
+
+      fipsServiceSetup = fipsService.setup({
+        license,
+        config: createConfig(ConfigSchema.validate({}), loggingSystemMock.createLogger(), {
+          isTLSEnabled: false,
+        }),
+      });
+
+      expect(fipsServiceSetup.isKibanaFipsModeEnabled()).toBe(false);
+    });
+  });
+
   describe('#validateLicenseForFips', () => {
     describe('start-up check', () => {
       it('should not throw Error/log.error if license features allowFips and `experimental.fipsMode.enabled` is `false`', () => {

x-pack/plugins/security/server/fips/fips_service.ts

@@ -17,6 +17,7 @@ export interface FipsServiceSetupParams {
 
 export interface FipsServiceSetupInternal {
   validateLicenseForFips: () => void;
+  isKibanaFipsModeEnabled: () => boolean;
 }
 
 export class FipsService {
@@ -31,9 +32,14 @@ export class FipsService {
   setup({ config, license }: FipsServiceSetupParams): FipsServiceSetupInternal {
     return {
       validateLicenseForFips: () => this.validateLicenseForFips(config, license),
+      isKibanaFipsModeEnabled: () => this.isKibanaFipsModeEnabled(config),
     };
   }
 
+  private isKibanaFipsModeEnabled(config: ConfigType): boolean {
+    return config?.experimental.fipsMode.enabled;
+  }
+
   private validateLicenseForFips(config: ConfigType, license: SecurityLicense) {
     license.features$.subscribe({
       next: (features) => {

x-pack/plugins/security/server/plugin.test.ts

@@ -113,6 +113,9 @@ describe('Security Plugin', () => {
               "useRbacForRequest": [Function],
             },
           },
+          "experimental": Object {
+            "isFipsEnabled": [Function],
+          },
           "license": Object {
             "features$": Observable {
               "operator": [Function],

x-pack/plugins/security/server/plugin.ts

@@ -357,6 +357,9 @@ export class SecurityPlugin
         license,
         logger: this.logger.get('deprecations'),
       }),
+      experimental: {
+        isFipsEnabled: this.fipsServiceSetup.isKibanaFipsModeEnabled,
+      },
     });
   }