diff --git a/docs/user/security/fips-140-2.asciidoc b/docs/user/security/fips-140-2.asciidoc new file mode 100644 index 0000000000000..2b4b195f38b05 --- /dev/null +++ b/docs/user/security/fips-140-2.asciidoc @@ -0,0 +1,63 @@ +[[xpack-security-fips-140-2]] +=== FIPS 140-2 + +experimental::[] + +The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), +titled "Security Requirements for Cryptographic Modules" is a U.S. government computer security standard +used to approve cryptographic modules. + +{kib} offers a FIPS 140-2 compliant mode and as such can run in a Node.js environment configured with a FIPS +140-2 compliant OpenSSL3 provider. + +To run {kib} in FIPS mode, you must have the appropriate {subscriptions}[subscription]. + +[IMPORTANT] +============================================================================ +The Node bundled with {kib} is not configured for FIPS 140-2. You must configure a FIPS 140-2 compliant OpenSSL3 +provider. Consult the Node.js documentation to learn how to configure your environment. +============================================================================ + +For {kib}, adherence to FIPS 140-2 is ensured by: + +* Using FIPS approved / NIST recommended cryptographic algorithms. + +* Delegating the implementation of these cryptographic algorithms to a NIST validated cryptographic module +(available via Node.js configured with an OpenSSL3 provider). + +* Allowing the configuration of {kib} in a FIPS 140-2 compliant manner, as documented below. + +==== Configuring {kib} for FIPS 140-2 + +Apart from setting `xpack.security.experimental.fipsMode.enabled` to `true` in your {kib} config, a number of security related +settings need to be reviewed and configured in order to run {kib} successfully in a FIPS 140-2 compliant Node.js +environment. + +===== Kibana keystore + +FIPS 140-2 (via NIST Special Publication 800-132) dictates that encryption keys should at least have an effective +strength of 112 bits. As such, the Kibana keystore that stores the application’s secure settings needs to be +password protected with a password that satisfies this requirement. This means that the password needs to be 14 bytes +long which is equivalent to a 14 character ASCII encoded password, or a 7 character UTF-8 encoded password. + +For more information on how to set this password, refer to the <>. + +===== TLS keystore and keys + +Keystores can be used in a number of General TLS settings in order to conveniently store key and trust material. +PKCS#12 keystores cannot be used in a FIPS 140-2 compliant Node.js environment. Avoid using these types of keystores. +Your FIPS 140-2 provider may provide a compliant keystore implementation that can be used, or you can use PEM encoded +files. To use PEM encoded key material, you can use the relevant `\*.key` and `*.certificate` configuration options, +and for trust material you can use `*.certificate_authorities`. + +As an example, avoid PKCS#12 specific settings such as: + +* `server.ssl.keystore.path` +* `server.ssl.truststore.path` +* `elasticsearch.ssl.keystore.path` +* `elasticsearch.ssl.truststore.path` + +===== Limitations + +Configuring {kib} to run in FIPS mode is still considered to be experimental. Not all features are guaranteed to +function as expected. diff --git a/docs/user/security/index.asciidoc b/docs/user/security/index.asciidoc index f4678700d5e77..906aee3d76d5a 100644 --- a/docs/user/security/index.asciidoc +++ b/docs/user/security/index.asciidoc @@ -46,3 +46,4 @@ include::authorization/index.asciidoc[] include::authorization/kibana-privileges.asciidoc[] include::api-keys/index.asciidoc[] include::role-mappings/index.asciidoc[] +include::fips-140-2.asciidoc[] diff --git a/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts b/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts index f1469fa57ced6..70551c1e27504 100644 --- a/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts +++ b/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts @@ -284,6 +284,7 @@ export function createPluginSetupContext({ }, security: { registerSecurityDelegate: (api) => deps.security.registerSecurityDelegate(api), + fips: deps.security.fips, }, userProfile: { registerUserProfileDelegate: (delegate) => diff --git a/packages/core/security/core-security-server-internal/src/fips/fips.test.ts b/packages/core/security/core-security-server-internal/src/fips/fips.test.ts new file mode 100644 index 0000000000000..65f95aa7da691 --- /dev/null +++ b/packages/core/security/core-security-server-internal/src/fips/fips.test.ts @@ -0,0 +1,119 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +const mockGetFipsFn = jest.fn(); +jest.mock('crypto', () => ({ + randomBytes: jest.fn(), + constants: jest.requireActual('crypto').constants, + get getFips() { + return mockGetFipsFn; + }, +})); + +import { SecurityServiceConfigType } from '../utils'; +import { isFipsEnabled, checkFipsConfig } from './fips'; +import { loggingSystemMock } from '@kbn/core-logging-server-mocks'; + +describe('fips', () => { + let config: SecurityServiceConfigType; + describe('#isFipsEnabled', () => { + it('should return `true` if config.experimental.fipsMode.enabled is `true`', () => { + config = { experimental: { fipsMode: { enabled: true } } }; + + expect(isFipsEnabled(config)).toBe(true); + }); + + it('should return `false` if config.experimental.fipsMode.enabled is `false`', () => { + config = { experimental: { fipsMode: { enabled: false } } }; + + expect(isFipsEnabled(config)).toBe(false); + }); + + it('should return `false` if config.experimental.fipsMode.enabled is `undefined`', () => { + expect(isFipsEnabled(config)).toBe(false); + }); + }); + + describe('checkFipsConfig', () => { + let mockExit: jest.SpyInstance; + + beforeAll(() => { + mockExit = jest.spyOn(process, 'exit').mockImplementation((exitCode) => { + throw new Error(`Fake Exit: ${exitCode}`); + }); + }); + + afterAll(() => { + mockExit.mockRestore(); + }); + + it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode false', async () => { + config = { experimental: { fipsMode: { enabled: true } } }; + const logger = loggingSystemMock.create().get(); + try { + checkFipsConfig(config, logger); + } catch (e) { + expect(mockExit).toHaveBeenNthCalledWith(1, 78); + } + + expect(loggingSystemMock.collect(logger).error).toMatchInlineSnapshot(` + Array [ + Array [ + "Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled", + ], + ] + `); + }); + + it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled false, Nodejs FIPS mode true', async () => { + mockGetFipsFn.mockImplementationOnce(() => { + return 1; + }); + + config = { experimental: { fipsMode: { enabled: false } } }; + const logger = loggingSystemMock.create().get(); + + try { + checkFipsConfig(config, logger); + } catch (e) { + expect(mockExit).toHaveBeenNthCalledWith(1, 78); + } + + expect(loggingSystemMock.collect(logger).error).toMatchInlineSnapshot(` + Array [ + Array [ + "Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled", + ], + ] + `); + }); + + it('should log an info message if FIPS mode is properly configured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode true', async () => { + mockGetFipsFn.mockImplementationOnce(() => { + return 1; + }); + + config = { experimental: { fipsMode: { enabled: true } } }; + const logger = loggingSystemMock.create().get(); + + try { + checkFipsConfig(config, logger); + } catch (e) { + logger.error('Should not throw error!'); + } + + expect(loggingSystemMock.collect(logger).info).toMatchInlineSnapshot(` + Array [ + Array [ + "Kibana is running in FIPS mode.", + ], + ] + `); + }); + }); +}); diff --git a/packages/core/security/core-security-server-internal/src/fips/fips.ts b/packages/core/security/core-security-server-internal/src/fips/fips.ts new file mode 100644 index 0000000000000..2b48fb68ff607 --- /dev/null +++ b/packages/core/security/core-security-server-internal/src/fips/fips.ts @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { Logger } from '@kbn/logging'; +import { getFips } from 'crypto'; +import { SecurityServiceConfigType } from '../utils'; + +export function isFipsEnabled(config: SecurityServiceConfigType): boolean { + return config?.experimental?.fipsMode?.enabled ?? false; +} + +export function checkFipsConfig(config: SecurityServiceConfigType, logger: Logger) { + const isFipsConfigEnabled = isFipsEnabled(config); + const isNodeRunningWithFipsEnabled = getFips() === 1; + + // Check if FIPS is enabled in either setting + if (isFipsConfigEnabled || isNodeRunningWithFipsEnabled) { + // FIPS must be enabled on both or log and error an exit Kibana + if (isFipsConfigEnabled !== isNodeRunningWithFipsEnabled) { + logger.error( + `Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${ + isNodeRunningWithFipsEnabled ? 'enabled' : 'disabled' + }` + ); + process.exit(78); + } else { + logger.info('Kibana is running in FIPS mode.'); + } + } +} diff --git a/packages/core/security/core-security-server-internal/src/security_service.test.ts b/packages/core/security/core-security-server-internal/src/security_service.test.ts index 4f5ae5e86cbab..5fb6b46f6dc63 100644 --- a/packages/core/security/core-security-server-internal/src/security_service.test.ts +++ b/packages/core/security/core-security-server-internal/src/security_service.test.ts @@ -45,6 +45,16 @@ describe('SecurityService', () => { ); }); }); + + describe('#fips', () => { + describe('#isEnabled', () => { + it('should return boolean', () => { + const { fips } = service.setup(); + + expect(fips.isEnabled()).toBe(false); + }); + }); + }); }); describe('#start', () => { diff --git a/packages/core/security/core-security-server-internal/src/security_service.ts b/packages/core/security/core-security-server-internal/src/security_service.ts index 826019f773b93..215e7ef376285 100644 --- a/packages/core/security/core-security-server-internal/src/security_service.ts +++ b/packages/core/security/core-security-server-internal/src/security_service.ts @@ -9,23 +9,49 @@ import type { Logger } from '@kbn/logging'; import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; import type { CoreSecurityDelegateContract } from '@kbn/core-security-server'; +import { Observable, Subscription } from 'rxjs'; +import { Config } from '@kbn/config'; +import { isFipsEnabled, checkFipsConfig } from './fips/fips'; import type { InternalSecurityServiceSetup, InternalSecurityServiceStart, } from './internal_contracts'; -import { getDefaultSecurityImplementation, convertSecurityApi } from './utils'; +import { + getDefaultSecurityImplementation, + convertSecurityApi, + SecurityServiceConfigType, +} from './utils'; export class SecurityService implements CoreService { private readonly log: Logger; private securityApi?: CoreSecurityDelegateContract; + private config$: Observable; + private configSubscription?: Subscription; + private config: Config | undefined; + private readonly getConfig = () => { + if (!this.config) { + throw new Error('Config is not available.'); + } + return this.config; + }; constructor(coreContext: CoreContext) { this.log = coreContext.logger.get('security-service'); + + this.config$ = coreContext.configService.getConfig$(); + this.configSubscription = this.config$.subscribe((config) => { + this.config = config; + }); } public setup(): InternalSecurityServiceSetup { + const config = this.getConfig(); + const securityConfig: SecurityServiceConfigType = config.get(['xpack', 'security']); + + checkFipsConfig(securityConfig, this.log); + return { registerSecurityDelegate: (api) => { if (this.securityApi) { @@ -33,6 +59,9 @@ export class SecurityService } this.securityApi = api; }, + fips: { + isEnabled: () => isFipsEnabled(securityConfig), + }, }; } @@ -44,5 +73,10 @@ export class SecurityService return convertSecurityApi(apiContract); } - public stop() {} + public stop() { + if (this.configSubscription) { + this.configSubscription.unsubscribe(); + this.configSubscription = undefined; + } + } } diff --git a/packages/core/security/core-security-server-internal/src/utils/index.ts b/packages/core/security/core-security-server-internal/src/utils/index.ts index e43884f204ece..6ce85739b44f6 100644 --- a/packages/core/security/core-security-server-internal/src/utils/index.ts +++ b/packages/core/security/core-security-server-internal/src/utils/index.ts @@ -8,3 +8,11 @@ export { convertSecurityApi } from './convert_security_api'; export { getDefaultSecurityImplementation } from './default_implementation'; + +export interface SecurityServiceConfigType { + experimental?: { + fipsMode?: { + enabled: boolean; + }; + }; +} diff --git a/packages/core/security/core-security-server-internal/tsconfig.json b/packages/core/security/core-security-server-internal/tsconfig.json index ad66b66deeeeb..e1812dc77cf49 100644 --- a/packages/core/security/core-security-server-internal/tsconfig.json +++ b/packages/core/security/core-security-server-internal/tsconfig.json @@ -20,5 +20,7 @@ "@kbn/core-http-server", "@kbn/logging-mocks", "@kbn/core-base-server-mocks", + "@kbn/config", + "@kbn/core-logging-server-mocks", ] } diff --git a/packages/core/security/core-security-server-mocks/src/security_service.mock.ts b/packages/core/security/core-security-server-mocks/src/security_service.mock.ts index b19539fd862c0..59a560d562e06 100644 --- a/packages/core/security/core-security-server-mocks/src/security_service.mock.ts +++ b/packages/core/security/core-security-server-mocks/src/security_service.mock.ts @@ -20,6 +20,7 @@ import { auditServiceMock, type MockedAuditService } from './audit.mock'; const createSetupMock = () => { const mock: jest.Mocked = { registerSecurityDelegate: jest.fn(), + fips: { isEnabled: jest.fn() }, }; return mock; @@ -43,6 +44,7 @@ const createStartMock = (): SecurityStartMock => { const createInternalSetupMock = () => { const mock: jest.Mocked = { registerSecurityDelegate: jest.fn(), + fips: { isEnabled: jest.fn() }, }; return mock; diff --git a/packages/core/security/core-security-server/index.ts b/packages/core/security/core-security-server/index.ts index a4d3027c97fdb..6a111ab6e27ab 100644 --- a/packages/core/security/core-security-server/index.ts +++ b/packages/core/security/core-security-server/index.ts @@ -26,3 +26,4 @@ export type { AuditRequest, } from './src/audit_logging/audit_events'; export type { AuditLogger } from './src/audit_logging/audit_logger'; +export type { CoreFipsService } from './src/fips'; diff --git a/packages/core/security/core-security-server/src/contracts.ts b/packages/core/security/core-security-server/src/contracts.ts index ed25737823f7b..d2bf7d97e9472 100644 --- a/packages/core/security/core-security-server/src/contracts.ts +++ b/packages/core/security/core-security-server/src/contracts.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +import type { CoreFipsService } from './fips'; import type { CoreAuthenticationService } from './authc'; import type { CoreSecurityDelegateContract } from './api_provider'; import type { CoreAuditService } from './audit'; @@ -21,6 +22,11 @@ export interface SecurityServiceSetup { * @remark this should **exclusively** be used by the security plugin. */ registerSecurityDelegate(api: CoreSecurityDelegateContract): void; + + /** + * The {@link CoreFipsService | FIPS service} + */ + fips: CoreFipsService; } /** diff --git a/packages/core/security/core-security-server/src/fips.ts b/packages/core/security/core-security-server/src/fips.ts new file mode 100644 index 0000000000000..239903caba3bc --- /dev/null +++ b/packages/core/security/core-security-server/src/fips.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Core's FIPS service + * + * @public + */ +export interface CoreFipsService { + /** + * Check if Kibana is configured to run in FIPS mode + */ + isEnabled(): boolean; +} diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker index 27d7a465186a4..10fcbe6d06d6a 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker +++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker @@ -390,6 +390,7 @@ kibana_vars=( xpack.security.authc.selector.enabled xpack.security.cookieName xpack.security.encryptionKey + xpack.security.experimental.fipsMode.enabled xpack.security.loginAssistanceMessage xpack.security.loginHelp xpack.security.sameSiteCookies diff --git a/x-pack/packages/security/plugin_types_common/src/licensing/license.ts b/x-pack/packages/security/plugin_types_common/src/licensing/license.ts index 0a7e8e3b87c67..349395ee63fdc 100644 --- a/x-pack/packages/security/plugin_types_common/src/licensing/license.ts +++ b/x-pack/packages/security/plugin_types_common/src/licensing/license.ts @@ -13,6 +13,7 @@ import type { SecurityLicenseFeatures } from './license_features'; export interface SecurityLicense { isLicenseAvailable(): boolean; + getLicenseType(): string | undefined; getUnavailableReason: () => string | undefined; isEnabled(): boolean; getFeatures(): SecurityLicenseFeatures; diff --git a/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts b/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts index 58fb081a5760d..68dc87b0f5778 100644 --- a/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts +++ b/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts @@ -83,4 +83,10 @@ export interface SecurityLicenseFeatures { * Describes the layout of the login form if it's displayed. */ readonly layout?: LoginLayout; + + /** + * Indicates whether we allow FIPS mode + */ + + readonly allowFips: boolean; } diff --git a/x-pack/plugins/security/common/licensing/index.mock.ts b/x-pack/plugins/security/common/licensing/index.mock.ts index 9d2fef049de82..6ee9910b768bd 100644 --- a/x-pack/plugins/security/common/licensing/index.mock.ts +++ b/x-pack/plugins/security/common/licensing/index.mock.ts @@ -14,12 +14,33 @@ import type { SecurityLicense, SecurityLicenseFeatures } from '@kbn/security-plu export const licenseMock = { create: ( features: Partial | Observable> = {}, - licenseType: LicenseType = 'basic' // default to basic if this is not specified + licenseType: LicenseType = 'basic', // default to basic if this is not specified, + isAvailable: Observable = of(true) ): jest.Mocked => ({ - isLicenseAvailable: jest.fn().mockReturnValue(true), + isLicenseAvailable: jest.fn().mockImplementation(() => { + let result = true; + + isAvailable.subscribe((next) => { + result = next; + }); + + return result; + }), + getLicenseType: jest.fn().mockReturnValue(licenseType), getUnavailableReason: jest.fn(), isEnabled: jest.fn().mockReturnValue(true), - getFeatures: jest.fn().mockReturnValue(features), + getFeatures: + features instanceof Observable + ? jest.fn().mockImplementation(() => { + let subbedFeatures: Partial = {}; + + features.subscribe((next) => { + subbedFeatures = next; + }); + + return subbedFeatures; + }) + : jest.fn().mockReturnValue(features), hasAtLeast: jest .fn() .mockImplementation( diff --git a/x-pack/plugins/security/common/licensing/license_service.test.ts b/x-pack/plugins/security/common/licensing/license_service.test.ts index f1b80db5cba2d..ab8b5c803deab 100644 --- a/x-pack/plugins/security/common/licensing/license_service.test.ts +++ b/x-pack/plugins/security/common/licensing/license_service.test.ts @@ -32,6 +32,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -57,6 +58,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -78,6 +80,7 @@ describe('license features', function () { Object { "allowAccessAgreement": false, "allowAuditLogging": false, + "allowFips": false, "allowLogin": false, "allowRbac": false, "allowRemoteClusterPrivileges": false, @@ -102,6 +105,7 @@ describe('license features', function () { Object { "allowAccessAgreement": true, "allowAuditLogging": true, + "allowFips": true, "allowLogin": true, "allowRbac": true, "allowRemoteClusterPrivileges": true, @@ -146,6 +150,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); expect(getFeatureSpy).toHaveBeenCalledTimes(1); expect(getFeatureSpy).toHaveBeenCalledWith('security'); @@ -174,6 +179,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -201,6 +207,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: true, + allowFips: false, }); }); @@ -228,6 +235,7 @@ describe('license features', function () { allowSubFeaturePrivileges: true, allowAuditLogging: true, allowUserProfileCollaboration: true, + allowFips: false, }); }); @@ -255,6 +263,7 @@ describe('license features', function () { allowSubFeaturePrivileges: true, allowAuditLogging: true, allowUserProfileCollaboration: true, + allowFips: true, }); }); }); diff --git a/x-pack/plugins/security/common/licensing/license_service.ts b/x-pack/plugins/security/common/licensing/license_service.ts index 3066d32a72695..817b3f207aa14 100644 --- a/x-pack/plugins/security/common/licensing/license_service.ts +++ b/x-pack/plugins/security/common/licensing/license_service.ts @@ -28,6 +28,8 @@ export class SecurityLicenseService { license: Object.freeze({ isLicenseAvailable: () => rawLicense?.isAvailable ?? false, + getLicenseType: () => rawLicense?.type ?? undefined, + getUnavailableReason: () => rawLicense?.getUnavailableReason(), isEnabled: () => this.isSecurityEnabledFromRawLicense(rawLicense), @@ -81,6 +83,7 @@ export class SecurityLicenseService { allowRbac: false, allowSubFeaturePrivileges: false, allowUserProfileCollaboration: false, + allowFips: false, layout: rawLicense !== undefined && !rawLicense?.isAvailable ? 'error-xpack-unavailable' @@ -103,6 +106,7 @@ export class SecurityLicenseService { allowRbac: false, allowSubFeaturePrivileges: false, allowUserProfileCollaboration: false, + allowFips: false, }; } @@ -124,6 +128,7 @@ export class SecurityLicenseService { allowRemoteClusterPrivileges: isLicensePlatinumOrBetter, allowRbac: true, allowUserProfileCollaboration: isLicenseStandardOrBetter, + allowFips: isLicensePlatinumOrBetter, }; } } diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap index e64e867a71a57..ccb8decacd812 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap @@ -124,6 +124,7 @@ exports[`it renders correctly in serverless mode 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], @@ -322,6 +323,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap index c3df729a7e3ee..705af534bc71d 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap @@ -24,6 +24,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap index e0939f7f55e02..7cc4e67ece4fc 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap @@ -14,6 +14,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/plugin.test.tsx b/x-pack/plugins/security/public/plugin.test.tsx index 874196f3e4c0e..433e1981e9ce9 100644 --- a/x-pack/plugins/security/public/plugin.test.tsx +++ b/x-pack/plugins/security/public/plugin.test.tsx @@ -43,6 +43,7 @@ describe('Security Plugin', () => { authz: { isRoleManagementEnabled: expect.any(Function), roles: expect.any(Object) }, license: { isLicenseAvailable: expect.any(Function), + getLicenseType: expect.any(Function), isEnabled: expect.any(Function), getUnavailableReason: expect.any(Function), getFeatures: expect.any(Function), @@ -71,6 +72,7 @@ describe('Security Plugin', () => { authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) }, license: { isLicenseAvailable: expect.any(Function), + getLicenseType: expect.any(Function), isEnabled: expect.any(Function), getUnavailableReason: expect.any(Function), getFeatures: expect.any(Function), diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts index 3a6ccc619fdb9..5e6c59aee4668 100644 --- a/x-pack/plugins/security/server/config.test.ts +++ b/x-pack/plugins/security/server/config.test.ts @@ -61,6 +61,11 @@ describe('config schema', () => { }, "cookieName": "sid", "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -115,6 +120,11 @@ describe('config schema', () => { }, "cookieName": "sid", "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -168,6 +178,11 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -224,6 +239,11 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "roleManagementEnabled": false, diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index 1ea1c87d31d5d..e12f1462b39b4 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -314,6 +314,11 @@ export const ConfigSchema = schema.object({ roleMappingManagementEnabled: schema.boolean({ defaultValue: true }), }), }), + experimental: schema.object({ + fipsMode: schema.object({ + enabled: schema.boolean({ defaultValue: false }), + }), + }), }); export function createConfig( diff --git a/x-pack/plugins/security/server/fips/fips_service.test.ts b/x-pack/plugins/security/server/fips/fips_service.test.ts new file mode 100644 index 0000000000000..aba86633c281f --- /dev/null +++ b/x-pack/plugins/security/server/fips/fips_service.test.ts @@ -0,0 +1,210 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +const mockGetFipsFn = jest.fn(); +jest.mock('crypto', () => ({ + randomBytes: jest.fn(), + constants: jest.requireActual('crypto').constants, + get getFips() { + return mockGetFipsFn; + }, +})); + +import type { Observable } from 'rxjs'; +import { BehaviorSubject, of } from 'rxjs'; + +import { loggingSystemMock } from '@kbn/core/server/mocks'; +import type { LicenseType } from '@kbn/licensing-plugin/common/types'; +import type { SecurityLicenseFeatures } from '@kbn/security-plugin-types-common'; + +import type { FipsServiceSetupInternal, FipsServiceSetupParams } from './fips_service'; +import { FipsService } from './fips_service'; +import { licenseMock } from '../../common/licensing/index.mock'; +import { ConfigSchema, createConfig } from '../config'; + +const logger = loggingSystemMock.createLogger(); + +function buildMockFipsServiceSetupParams( + licenseType: LicenseType, + isFipsConfigured: boolean, + features$: Observable>, + isAvailable: Observable = of(true) +): FipsServiceSetupParams { + mockGetFipsFn.mockImplementationOnce(() => { + return isFipsConfigured ? 1 : 0; + }); + + const license = licenseMock.create(features$, licenseType, isAvailable); + + let mockConfig = {}; + if (isFipsConfigured) { + mockConfig = { experimental: { fipsMode: { enabled: true } } }; + } + + return { + license, + config: createConfig(ConfigSchema.validate(mockConfig), loggingSystemMock.createLogger(), { + isTLSEnabled: false, + }), + }; +} + +describe('FipsService', () => { + let fipsService: FipsService; + let fipsServiceSetup: FipsServiceSetupInternal; + + beforeEach(() => { + fipsService = new FipsService(logger); + logger.error.mockClear(); + }); + + afterEach(() => { + logger.error.mockClear(); + }); + + describe('setup()', () => { + it('should expose correct setup contract', () => { + fipsService = new FipsService(logger); + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, of({ allowFips: true })) + ); + + expect(fipsServiceSetup).toMatchInlineSnapshot(` + Object { + "validateLicenseForFips": [Function], + } + `); + }); + }); + + describe('#validateLicenseForFips', () => { + describe('start-up check', () => { + it('should not throw Error/log.error if license features allowFips and `experimental.fipsMode.enabled` is `false`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', false, of({ allowFips: true })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not throw Error/log.error if license features allowFips and `experimental.fipsMode.enabled` is `true`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, of({ allowFips: true })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not throw Error/log.error if license features do not allowFips and `experimental.fipsMode.enabled` is `false`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('basic', false, of({ allowFips: false })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should throw Error/log.error if license features do not allowFips and `experimental.fipsMode.enabled` is `true`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('basic', true, of({ allowFips: false })) + ); + + // Because the Error is thrown from within a SafeSubscriber and cannot be hooked into + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).toHaveBeenCalled(); + }); + }); + + describe('monitoring check', () => { + describe('with experimental.fipsMode.enabled', () => { + let mockFeaturesSubject: BehaviorSubject>; + let mockIsAvailableSubject: BehaviorSubject; + let mockFeatures$: Observable>; + let mockIsAvailable$: Observable; + + beforeAll(() => { + mockFeaturesSubject = new BehaviorSubject>({ + allowFips: true, + }); + mockIsAvailableSubject = new BehaviorSubject(true); + mockFeatures$ = mockFeaturesSubject.asObservable(); + mockIsAvailable$ = mockIsAvailableSubject.asObservable(); + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, mockFeatures$, mockIsAvailable$) + ); + + fipsServiceSetup.validateLicenseForFips(); + }); + + beforeEach(() => { + mockFeaturesSubject.next({ allowFips: true }); + mockIsAvailableSubject.next(true); + }); + + it('should not log.error if license changes to unavailable and `experimental.fipsMode.enabled` is `true`', () => { + mockIsAvailableSubject.next(false); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license features continue to allowFips and `experimental.fipsMode.enabled` is `true`', () => { + mockFeaturesSubject.next({ allowFips: true }); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should log.error if license features change to not allowFips and `experimental.fipsMode.enabled` is `true`', () => { + mockFeaturesSubject.next({ allowFips: false }); + expect(logger.error).toHaveBeenCalledTimes(1); + }); + }); + + describe('with not experimental.fipsMode.enabled', () => { + let mockFeaturesSubject: BehaviorSubject>; + let mockIsAvailableSubject: BehaviorSubject; + let mockFeatures$: Observable>; + let mockIsAvailable$: Observable; + + beforeAll(() => { + mockFeaturesSubject = new BehaviorSubject>({ + allowFips: true, + }); + mockIsAvailableSubject = new BehaviorSubject(true); + mockFeatures$ = mockFeaturesSubject.asObservable(); + mockIsAvailable$ = mockIsAvailableSubject.asObservable(); + + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', false, mockFeatures$, mockIsAvailable$) + ); + + fipsServiceSetup.validateLicenseForFips(); + }); + + beforeEach(() => { + mockFeaturesSubject.next({ allowFips: true }); + mockIsAvailableSubject.next(true); + }); + + it('should not log.error if license changes to unavailable and `experimental.fipsMode.enabled` is `false`', () => { + mockIsAvailableSubject.next(false); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license features continue to allowFips and `experimental.fipsMode.enabled` is `false`', () => { + mockFeaturesSubject.next({ allowFips: true }); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license change to not allowFips and `experimental.fipsMode.enabled` is `false`', () => { + mockFeaturesSubject.next({ allowFips: false }); + expect(logger.error).not.toHaveBeenCalled(); + }); + }); + }); + }); +}); diff --git a/x-pack/plugins/security/server/fips/fips_service.ts b/x-pack/plugins/security/server/fips/fips_service.ts new file mode 100644 index 0000000000000..aa351ab48828d --- /dev/null +++ b/x-pack/plugins/security/server/fips/fips_service.ts @@ -0,0 +1,67 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Logger } from '@kbn/logging'; +import type { SecurityLicense } from '@kbn/security-plugin-types-common'; + +import type { ConfigType } from '../config'; + +export interface FipsServiceSetupParams { + config: ConfigType; + license: SecurityLicense; +} + +export interface FipsServiceSetupInternal { + validateLicenseForFips: () => void; +} + +export class FipsService { + private readonly logger: Logger; + private isInitialLicenseLoaded: boolean; + + constructor(logger: Logger) { + this.logger = logger; + this.isInitialLicenseLoaded = false; + } + + setup({ config, license }: FipsServiceSetupParams): FipsServiceSetupInternal { + return { + validateLicenseForFips: () => this.validateLicenseForFips(config, license), + }; + } + + private validateLicenseForFips(config: ConfigType, license: SecurityLicense) { + license.features$.subscribe({ + next: (features) => { + const errorMessage = `Your current license level is ${license.getLicenseType()} and does not support running in FIPS mode.`; + + if (license.isLicenseAvailable() && !this.isInitialLicenseLoaded) { + if (config?.experimental.fipsMode.enabled && !license.getFeatures().allowFips) { + this.logger.error(errorMessage); + throw new Error(errorMessage); + } + + this.isInitialLicenseLoaded = true; + } + + if ( + this.isInitialLicenseLoaded && + license.isLicenseAvailable() && + config?.experimental.fipsMode.enabled && + !features.allowFips + ) { + this.logger.error( + `${errorMessage} Kibana will not be able to restart. Please upgrade your license to platinum or higher.` + ); + } + }, + error: (error) => { + this.logger.debug(`Unable to check license: ${error}`); + }, + }); + } +} diff --git a/x-pack/plugins/security/server/fips/index.ts b/x-pack/plugins/security/server/fips/index.ts new file mode 100644 index 0000000000000..3af4435169348 --- /dev/null +++ b/x-pack/plugins/security/server/fips/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { FipsService } from './fips_service'; + +export type { FipsServiceSetupInternal, FipsServiceSetupParams } from './fips_service'; diff --git a/x-pack/plugins/security/server/plugin.test.ts b/x-pack/plugins/security/server/plugin.test.ts index be3d00b77cff9..a82b45753845b 100644 --- a/x-pack/plugins/security/server/plugin.test.ts +++ b/x-pack/plugins/security/server/plugin.test.ts @@ -121,6 +121,7 @@ describe('Security Plugin', () => { }, }, "getFeatures": [Function], + "getLicenseType": [Function], "getUnavailableReason": [Function], "hasAtLeast": [Function], "isEnabled": [Function], diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index cf362926bdd04..9d5ffde67b1d7 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -52,6 +52,8 @@ import { ElasticsearchService } from './elasticsearch'; import type { SecurityFeatureUsageServiceStart } from './feature_usage'; import { SecurityFeatureUsageService } from './feature_usage'; import { securityFeatures } from './features'; +import type { FipsServiceSetupInternal } from './fips'; +import { FipsService } from './fips'; import { defineRoutes } from './routes'; import { setupSavedObjects } from './saved_objects'; import type { Session } from './session_management'; @@ -177,6 +179,9 @@ export class SecurityPlugin return this.userProfileStart; }; + private readonly fipsService: FipsService; + private fipsServiceSetup?: FipsServiceSetupInternal; + constructor(private readonly initializerContext: PluginInitializerContext) { this.logger = this.initializerContext.logger.get(); @@ -199,6 +204,8 @@ export class SecurityPlugin ); this.analyticsService = new AnalyticsService(this.initializerContext.logger.get('analytics')); + + this.fipsService = new FipsService(this.initializerContext.logger.get('fips')); } public setup( @@ -280,6 +287,9 @@ export class SecurityPlugin this.userProfileService.setup({ authz: this.authorizationSetup, license }); + this.fipsServiceSetup = this.fipsService.setup({ config, license }); + this.fipsServiceSetup.validateLicenseForFips(); + setupSpacesClient({ spaces, audit: this.auditSetup, diff --git a/x-pack/plugins/security/server/routes/views/login.test.ts b/x-pack/plugins/security/server/routes/views/login.test.ts index 87e9bf9e4495b..b19ef41ca9098 100644 --- a/x-pack/plugins/security/server/routes/views/login.test.ts +++ b/x-pack/plugins/security/server/routes/views/login.test.ts @@ -175,6 +175,7 @@ describe('Login view routes', () => { allowAuditLogging: true, showLogin: true, allowUserProfileCollaboration: true, + allowFips: false, }); const request = httpServerMock.createKibanaRequest();