From 4554b758994671bdc2c1e34c5f5efaaaaac5bd45 Mon Sep 17 00:00:00 2001 From: Kurt Date: Tue, 2 Jul 2024 11:03:28 -0400 Subject: [PATCH] Add license check for FIPS (#181187) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Updates ### Latest updates - Expose whether KB is configured to run in FIPS mode from Core -> Security Screenshot 2024-06-20 at 9 55 17 PM Consolidating all FIPS PRs into this PR *Previous PRs were Approved ### Changes - Config option is now experimental: `xpack.security.experimental.fipsMode.enabled` - Documentation has been revised - Listed as an experimental feature - Added keystore references for adding a password ## Summary Closes #169738 Closes #169739 Closes #169740 Closes #185948 FIPS is a platinum license feature. KIbana instances must have a platinum or better license to start up in FIPS mode, a lesser license will result in Kibana failing to start up If the license is degraded, Kibana will still run, but an error will be logged letting the user know that Kibana will not be able to restart. ## Config changes This PR required the changes that were approved from [a previous PR](https://github.com/elastic/kibana/pull/174558), since that PR couldn't be merged into main, I merged it here. ## Testing ### Locally In your `kibana.dev.yml` add: `xpack.security.experimental.fipsMode.enabled: true` To allow Kibana to start without actually providing a compliant OpenSSL provider, in `x-pack/plugins/security/server/config.ts` change L328 from `if (isFipsEnabled !== isNodeRunningWithFipsEnabled)` to `if (false)` You are now configured to run in FIPS-spoof mode! Run: `yarn es snapshot` and `yarn start` > You should see Kibana fail to start with an error about using a basic license. Run: `yarn es snapshot --license trial` and `yarn start` > Kibana should start. Login as `elastic` and navigate to Stack Management > License Management Switch your license to `basic` and accept. In your logs, you will see an error letting users know that you no longer have an appropriate license and Kibana will not restart. ### For FIPS enthusiasts Start an ES instance in a method of your choosing, but not using `yarn es snapshot`. I like to use an 8.15.0-snapshot from the `.es/cache` directory by running `tar -xzvf elasticsearch-8.15.0-SNAPSHOT-darwin-aarch64.tar.gz ` and cd into the new directory's `bin` folder to run `./elasticsearch` Ensure you have Docker running locally. From any command line, run: `docker run --rm -it -e XPACK_SECURITY_FIPSMODE_ENABLED='true' -p 5601:5601/tcp docker.elastic.co/kibana-ci/kibana-ubi-fips:8.15.0-SNAPSHOT-bc3150316ed317c08d57c6bd785ba39586072e1d` This will start Kibana into Interactive Setup mode, copy and paste the token from the ES startup logs. Kibana should fail to start and you should see Kibana fail to start with an error about using a basic license. Repeat the above process except before you paste the token from ES, do the following to enable a trial license on your ES instance: In a new terminal window, navigate to your the top level of your elasticsearch folder and run `curl -X POST --cacert config/certs/http_ca.crt -u elastic:YOUR_PASSWORD_HERE "https://localhost:9200/_license/start_trial?acknowledge=true&pretty"` You should receive a successful response. Now paste the token from the ES startup logs into the Kibana Interactive Setup window and Kibana should start. Login as `elastic` and navigate to Stack Management > License Management Switch your license to `basic` and accept. In your logs, you will see an error letting users know that you no longer have an appropriate license and Kibana will not restart. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: lcawl --- docs/user/security/fips-140-2.asciidoc | 63 ++++++ docs/user/security/index.asciidoc | 1 + .../src/plugin_context.ts | 1 + .../src/fips/fips.test.ts | 119 ++++++++++ .../src/fips/fips.ts | 35 +++ .../src/security_service.test.ts | 10 + .../src/security_service.ts | 38 +++- .../src/utils/index.ts | 8 + .../tsconfig.json | 2 + .../src/security_service.mock.ts | 2 + .../security/core-security-server/index.ts | 1 + .../core-security-server/src/contracts.ts | 6 + .../security/core-security-server/src/fips.ts | 19 ++ .../resources/base/bin/kibana-docker | 1 + .../src/licensing/license.ts | 1 + .../src/licensing/license_features.ts | 6 + .../security/common/licensing/index.mock.ts | 27 ++- .../common/licensing/license_service.test.ts | 9 + .../common/licensing/license_service.ts | 5 + .../elasticsearch_privileges.test.tsx.snap | 2 + .../index_privileges.test.tsx.snap | 1 + .../remote_cluster_privileges.test.tsx.snap | 1 + .../plugins/security/public/plugin.test.tsx | 2 + x-pack/plugins/security/server/config.test.ts | 20 ++ x-pack/plugins/security/server/config.ts | 5 + .../security/server/fips/fips_service.test.ts | 210 ++++++++++++++++++ .../security/server/fips/fips_service.ts | 67 ++++++ x-pack/plugins/security/server/fips/index.ts | 10 + x-pack/plugins/security/server/plugin.test.ts | 1 + x-pack/plugins/security/server/plugin.ts | 10 + .../server/routes/views/login.test.ts | 1 + 31 files changed, 679 insertions(+), 5 deletions(-) create mode 100644 docs/user/security/fips-140-2.asciidoc create mode 100644 packages/core/security/core-security-server-internal/src/fips/fips.test.ts create mode 100644 packages/core/security/core-security-server-internal/src/fips/fips.ts create mode 100644 packages/core/security/core-security-server/src/fips.ts create mode 100644 x-pack/plugins/security/server/fips/fips_service.test.ts create mode 100644 x-pack/plugins/security/server/fips/fips_service.ts create mode 100644 x-pack/plugins/security/server/fips/index.ts diff --git a/docs/user/security/fips-140-2.asciidoc b/docs/user/security/fips-140-2.asciidoc new file mode 100644 index 0000000000000..2b4b195f38b05 --- /dev/null +++ b/docs/user/security/fips-140-2.asciidoc @@ -0,0 +1,63 @@ +[[xpack-security-fips-140-2]] +=== FIPS 140-2 + +experimental::[] + +The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), +titled "Security Requirements for Cryptographic Modules" is a U.S. government computer security standard +used to approve cryptographic modules. + +{kib} offers a FIPS 140-2 compliant mode and as such can run in a Node.js environment configured with a FIPS +140-2 compliant OpenSSL3 provider. + +To run {kib} in FIPS mode, you must have the appropriate {subscriptions}[subscription]. + +[IMPORTANT] +============================================================================ +The Node bundled with {kib} is not configured for FIPS 140-2. You must configure a FIPS 140-2 compliant OpenSSL3 +provider. Consult the Node.js documentation to learn how to configure your environment. +============================================================================ + +For {kib}, adherence to FIPS 140-2 is ensured by: + +* Using FIPS approved / NIST recommended cryptographic algorithms. + +* Delegating the implementation of these cryptographic algorithms to a NIST validated cryptographic module +(available via Node.js configured with an OpenSSL3 provider). + +* Allowing the configuration of {kib} in a FIPS 140-2 compliant manner, as documented below. + +==== Configuring {kib} for FIPS 140-2 + +Apart from setting `xpack.security.experimental.fipsMode.enabled` to `true` in your {kib} config, a number of security related +settings need to be reviewed and configured in order to run {kib} successfully in a FIPS 140-2 compliant Node.js +environment. + +===== Kibana keystore + +FIPS 140-2 (via NIST Special Publication 800-132) dictates that encryption keys should at least have an effective +strength of 112 bits. As such, the Kibana keystore that stores the application’s secure settings needs to be +password protected with a password that satisfies this requirement. This means that the password needs to be 14 bytes +long which is equivalent to a 14 character ASCII encoded password, or a 7 character UTF-8 encoded password. + +For more information on how to set this password, refer to the <>. + +===== TLS keystore and keys + +Keystores can be used in a number of General TLS settings in order to conveniently store key and trust material. +PKCS#12 keystores cannot be used in a FIPS 140-2 compliant Node.js environment. Avoid using these types of keystores. +Your FIPS 140-2 provider may provide a compliant keystore implementation that can be used, or you can use PEM encoded +files. To use PEM encoded key material, you can use the relevant `\*.key` and `*.certificate` configuration options, +and for trust material you can use `*.certificate_authorities`. + +As an example, avoid PKCS#12 specific settings such as: + +* `server.ssl.keystore.path` +* `server.ssl.truststore.path` +* `elasticsearch.ssl.keystore.path` +* `elasticsearch.ssl.truststore.path` + +===== Limitations + +Configuring {kib} to run in FIPS mode is still considered to be experimental. Not all features are guaranteed to +function as expected. diff --git a/docs/user/security/index.asciidoc b/docs/user/security/index.asciidoc index f4678700d5e77..906aee3d76d5a 100644 --- a/docs/user/security/index.asciidoc +++ b/docs/user/security/index.asciidoc @@ -46,3 +46,4 @@ include::authorization/index.asciidoc[] include::authorization/kibana-privileges.asciidoc[] include::api-keys/index.asciidoc[] include::role-mappings/index.asciidoc[] +include::fips-140-2.asciidoc[] diff --git a/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts b/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts index f1469fa57ced6..70551c1e27504 100644 --- a/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts +++ b/packages/core/plugins/core-plugins-server-internal/src/plugin_context.ts @@ -284,6 +284,7 @@ export function createPluginSetupContext({ }, security: { registerSecurityDelegate: (api) => deps.security.registerSecurityDelegate(api), + fips: deps.security.fips, }, userProfile: { registerUserProfileDelegate: (delegate) => diff --git a/packages/core/security/core-security-server-internal/src/fips/fips.test.ts b/packages/core/security/core-security-server-internal/src/fips/fips.test.ts new file mode 100644 index 0000000000000..65f95aa7da691 --- /dev/null +++ b/packages/core/security/core-security-server-internal/src/fips/fips.test.ts @@ -0,0 +1,119 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +const mockGetFipsFn = jest.fn(); +jest.mock('crypto', () => ({ + randomBytes: jest.fn(), + constants: jest.requireActual('crypto').constants, + get getFips() { + return mockGetFipsFn; + }, +})); + +import { SecurityServiceConfigType } from '../utils'; +import { isFipsEnabled, checkFipsConfig } from './fips'; +import { loggingSystemMock } from '@kbn/core-logging-server-mocks'; + +describe('fips', () => { + let config: SecurityServiceConfigType; + describe('#isFipsEnabled', () => { + it('should return `true` if config.experimental.fipsMode.enabled is `true`', () => { + config = { experimental: { fipsMode: { enabled: true } } }; + + expect(isFipsEnabled(config)).toBe(true); + }); + + it('should return `false` if config.experimental.fipsMode.enabled is `false`', () => { + config = { experimental: { fipsMode: { enabled: false } } }; + + expect(isFipsEnabled(config)).toBe(false); + }); + + it('should return `false` if config.experimental.fipsMode.enabled is `undefined`', () => { + expect(isFipsEnabled(config)).toBe(false); + }); + }); + + describe('checkFipsConfig', () => { + let mockExit: jest.SpyInstance; + + beforeAll(() => { + mockExit = jest.spyOn(process, 'exit').mockImplementation((exitCode) => { + throw new Error(`Fake Exit: ${exitCode}`); + }); + }); + + afterAll(() => { + mockExit.mockRestore(); + }); + + it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode false', async () => { + config = { experimental: { fipsMode: { enabled: true } } }; + const logger = loggingSystemMock.create().get(); + try { + checkFipsConfig(config, logger); + } catch (e) { + expect(mockExit).toHaveBeenNthCalledWith(1, 78); + } + + expect(loggingSystemMock.collect(logger).error).toMatchInlineSnapshot(` + Array [ + Array [ + "Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to true and the configured Node.js environment has FIPS disabled", + ], + ] + `); + }); + + it('should log an error message if FIPS mode is misconfigured - xpack.security.experimental.fipsMode.enabled false, Nodejs FIPS mode true', async () => { + mockGetFipsFn.mockImplementationOnce(() => { + return 1; + }); + + config = { experimental: { fipsMode: { enabled: false } } }; + const logger = loggingSystemMock.create().get(); + + try { + checkFipsConfig(config, logger); + } catch (e) { + expect(mockExit).toHaveBeenNthCalledWith(1, 78); + } + + expect(loggingSystemMock.collect(logger).error).toMatchInlineSnapshot(` + Array [ + Array [ + "Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to false and the configured Node.js environment has FIPS enabled", + ], + ] + `); + }); + + it('should log an info message if FIPS mode is properly configured - xpack.security.experimental.fipsMode.enabled true, Nodejs FIPS mode true', async () => { + mockGetFipsFn.mockImplementationOnce(() => { + return 1; + }); + + config = { experimental: { fipsMode: { enabled: true } } }; + const logger = loggingSystemMock.create().get(); + + try { + checkFipsConfig(config, logger); + } catch (e) { + logger.error('Should not throw error!'); + } + + expect(loggingSystemMock.collect(logger).info).toMatchInlineSnapshot(` + Array [ + Array [ + "Kibana is running in FIPS mode.", + ], + ] + `); + }); + }); +}); diff --git a/packages/core/security/core-security-server-internal/src/fips/fips.ts b/packages/core/security/core-security-server-internal/src/fips/fips.ts new file mode 100644 index 0000000000000..2b48fb68ff607 --- /dev/null +++ b/packages/core/security/core-security-server-internal/src/fips/fips.ts @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { Logger } from '@kbn/logging'; +import { getFips } from 'crypto'; +import { SecurityServiceConfigType } from '../utils'; + +export function isFipsEnabled(config: SecurityServiceConfigType): boolean { + return config?.experimental?.fipsMode?.enabled ?? false; +} + +export function checkFipsConfig(config: SecurityServiceConfigType, logger: Logger) { + const isFipsConfigEnabled = isFipsEnabled(config); + const isNodeRunningWithFipsEnabled = getFips() === 1; + + // Check if FIPS is enabled in either setting + if (isFipsConfigEnabled || isNodeRunningWithFipsEnabled) { + // FIPS must be enabled on both or log and error an exit Kibana + if (isFipsConfigEnabled !== isNodeRunningWithFipsEnabled) { + logger.error( + `Configuration mismatch error. xpack.security.experimental.fipsMode.enabled is set to ${isFipsConfigEnabled} and the configured Node.js environment has FIPS ${ + isNodeRunningWithFipsEnabled ? 'enabled' : 'disabled' + }` + ); + process.exit(78); + } else { + logger.info('Kibana is running in FIPS mode.'); + } + } +} diff --git a/packages/core/security/core-security-server-internal/src/security_service.test.ts b/packages/core/security/core-security-server-internal/src/security_service.test.ts index 4f5ae5e86cbab..5fb6b46f6dc63 100644 --- a/packages/core/security/core-security-server-internal/src/security_service.test.ts +++ b/packages/core/security/core-security-server-internal/src/security_service.test.ts @@ -45,6 +45,16 @@ describe('SecurityService', () => { ); }); }); + + describe('#fips', () => { + describe('#isEnabled', () => { + it('should return boolean', () => { + const { fips } = service.setup(); + + expect(fips.isEnabled()).toBe(false); + }); + }); + }); }); describe('#start', () => { diff --git a/packages/core/security/core-security-server-internal/src/security_service.ts b/packages/core/security/core-security-server-internal/src/security_service.ts index 826019f773b93..215e7ef376285 100644 --- a/packages/core/security/core-security-server-internal/src/security_service.ts +++ b/packages/core/security/core-security-server-internal/src/security_service.ts @@ -9,23 +9,49 @@ import type { Logger } from '@kbn/logging'; import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; import type { CoreSecurityDelegateContract } from '@kbn/core-security-server'; +import { Observable, Subscription } from 'rxjs'; +import { Config } from '@kbn/config'; +import { isFipsEnabled, checkFipsConfig } from './fips/fips'; import type { InternalSecurityServiceSetup, InternalSecurityServiceStart, } from './internal_contracts'; -import { getDefaultSecurityImplementation, convertSecurityApi } from './utils'; +import { + getDefaultSecurityImplementation, + convertSecurityApi, + SecurityServiceConfigType, +} from './utils'; export class SecurityService implements CoreService { private readonly log: Logger; private securityApi?: CoreSecurityDelegateContract; + private config$: Observable; + private configSubscription?: Subscription; + private config: Config | undefined; + private readonly getConfig = () => { + if (!this.config) { + throw new Error('Config is not available.'); + } + return this.config; + }; constructor(coreContext: CoreContext) { this.log = coreContext.logger.get('security-service'); + + this.config$ = coreContext.configService.getConfig$(); + this.configSubscription = this.config$.subscribe((config) => { + this.config = config; + }); } public setup(): InternalSecurityServiceSetup { + const config = this.getConfig(); + const securityConfig: SecurityServiceConfigType = config.get(['xpack', 'security']); + + checkFipsConfig(securityConfig, this.log); + return { registerSecurityDelegate: (api) => { if (this.securityApi) { @@ -33,6 +59,9 @@ export class SecurityService } this.securityApi = api; }, + fips: { + isEnabled: () => isFipsEnabled(securityConfig), + }, }; } @@ -44,5 +73,10 @@ export class SecurityService return convertSecurityApi(apiContract); } - public stop() {} + public stop() { + if (this.configSubscription) { + this.configSubscription.unsubscribe(); + this.configSubscription = undefined; + } + } } diff --git a/packages/core/security/core-security-server-internal/src/utils/index.ts b/packages/core/security/core-security-server-internal/src/utils/index.ts index e43884f204ece..6ce85739b44f6 100644 --- a/packages/core/security/core-security-server-internal/src/utils/index.ts +++ b/packages/core/security/core-security-server-internal/src/utils/index.ts @@ -8,3 +8,11 @@ export { convertSecurityApi } from './convert_security_api'; export { getDefaultSecurityImplementation } from './default_implementation'; + +export interface SecurityServiceConfigType { + experimental?: { + fipsMode?: { + enabled: boolean; + }; + }; +} diff --git a/packages/core/security/core-security-server-internal/tsconfig.json b/packages/core/security/core-security-server-internal/tsconfig.json index ad66b66deeeeb..e1812dc77cf49 100644 --- a/packages/core/security/core-security-server-internal/tsconfig.json +++ b/packages/core/security/core-security-server-internal/tsconfig.json @@ -20,5 +20,7 @@ "@kbn/core-http-server", "@kbn/logging-mocks", "@kbn/core-base-server-mocks", + "@kbn/config", + "@kbn/core-logging-server-mocks", ] } diff --git a/packages/core/security/core-security-server-mocks/src/security_service.mock.ts b/packages/core/security/core-security-server-mocks/src/security_service.mock.ts index b19539fd862c0..59a560d562e06 100644 --- a/packages/core/security/core-security-server-mocks/src/security_service.mock.ts +++ b/packages/core/security/core-security-server-mocks/src/security_service.mock.ts @@ -20,6 +20,7 @@ import { auditServiceMock, type MockedAuditService } from './audit.mock'; const createSetupMock = () => { const mock: jest.Mocked = { registerSecurityDelegate: jest.fn(), + fips: { isEnabled: jest.fn() }, }; return mock; @@ -43,6 +44,7 @@ const createStartMock = (): SecurityStartMock => { const createInternalSetupMock = () => { const mock: jest.Mocked = { registerSecurityDelegate: jest.fn(), + fips: { isEnabled: jest.fn() }, }; return mock; diff --git a/packages/core/security/core-security-server/index.ts b/packages/core/security/core-security-server/index.ts index a4d3027c97fdb..6a111ab6e27ab 100644 --- a/packages/core/security/core-security-server/index.ts +++ b/packages/core/security/core-security-server/index.ts @@ -26,3 +26,4 @@ export type { AuditRequest, } from './src/audit_logging/audit_events'; export type { AuditLogger } from './src/audit_logging/audit_logger'; +export type { CoreFipsService } from './src/fips'; diff --git a/packages/core/security/core-security-server/src/contracts.ts b/packages/core/security/core-security-server/src/contracts.ts index ed25737823f7b..d2bf7d97e9472 100644 --- a/packages/core/security/core-security-server/src/contracts.ts +++ b/packages/core/security/core-security-server/src/contracts.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +import type { CoreFipsService } from './fips'; import type { CoreAuthenticationService } from './authc'; import type { CoreSecurityDelegateContract } from './api_provider'; import type { CoreAuditService } from './audit'; @@ -21,6 +22,11 @@ export interface SecurityServiceSetup { * @remark this should **exclusively** be used by the security plugin. */ registerSecurityDelegate(api: CoreSecurityDelegateContract): void; + + /** + * The {@link CoreFipsService | FIPS service} + */ + fips: CoreFipsService; } /** diff --git a/packages/core/security/core-security-server/src/fips.ts b/packages/core/security/core-security-server/src/fips.ts new file mode 100644 index 0000000000000..239903caba3bc --- /dev/null +++ b/packages/core/security/core-security-server/src/fips.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Core's FIPS service + * + * @public + */ +export interface CoreFipsService { + /** + * Check if Kibana is configured to run in FIPS mode + */ + isEnabled(): boolean; +} diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker index 27d7a465186a4..10fcbe6d06d6a 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker +++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker @@ -390,6 +390,7 @@ kibana_vars=( xpack.security.authc.selector.enabled xpack.security.cookieName xpack.security.encryptionKey + xpack.security.experimental.fipsMode.enabled xpack.security.loginAssistanceMessage xpack.security.loginHelp xpack.security.sameSiteCookies diff --git a/x-pack/packages/security/plugin_types_common/src/licensing/license.ts b/x-pack/packages/security/plugin_types_common/src/licensing/license.ts index 0a7e8e3b87c67..349395ee63fdc 100644 --- a/x-pack/packages/security/plugin_types_common/src/licensing/license.ts +++ b/x-pack/packages/security/plugin_types_common/src/licensing/license.ts @@ -13,6 +13,7 @@ import type { SecurityLicenseFeatures } from './license_features'; export interface SecurityLicense { isLicenseAvailable(): boolean; + getLicenseType(): string | undefined; getUnavailableReason: () => string | undefined; isEnabled(): boolean; getFeatures(): SecurityLicenseFeatures; diff --git a/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts b/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts index 58fb081a5760d..68dc87b0f5778 100644 --- a/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts +++ b/x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts @@ -83,4 +83,10 @@ export interface SecurityLicenseFeatures { * Describes the layout of the login form if it's displayed. */ readonly layout?: LoginLayout; + + /** + * Indicates whether we allow FIPS mode + */ + + readonly allowFips: boolean; } diff --git a/x-pack/plugins/security/common/licensing/index.mock.ts b/x-pack/plugins/security/common/licensing/index.mock.ts index 9d2fef049de82..6ee9910b768bd 100644 --- a/x-pack/plugins/security/common/licensing/index.mock.ts +++ b/x-pack/plugins/security/common/licensing/index.mock.ts @@ -14,12 +14,33 @@ import type { SecurityLicense, SecurityLicenseFeatures } from '@kbn/security-plu export const licenseMock = { create: ( features: Partial | Observable> = {}, - licenseType: LicenseType = 'basic' // default to basic if this is not specified + licenseType: LicenseType = 'basic', // default to basic if this is not specified, + isAvailable: Observable = of(true) ): jest.Mocked => ({ - isLicenseAvailable: jest.fn().mockReturnValue(true), + isLicenseAvailable: jest.fn().mockImplementation(() => { + let result = true; + + isAvailable.subscribe((next) => { + result = next; + }); + + return result; + }), + getLicenseType: jest.fn().mockReturnValue(licenseType), getUnavailableReason: jest.fn(), isEnabled: jest.fn().mockReturnValue(true), - getFeatures: jest.fn().mockReturnValue(features), + getFeatures: + features instanceof Observable + ? jest.fn().mockImplementation(() => { + let subbedFeatures: Partial = {}; + + features.subscribe((next) => { + subbedFeatures = next; + }); + + return subbedFeatures; + }) + : jest.fn().mockReturnValue(features), hasAtLeast: jest .fn() .mockImplementation( diff --git a/x-pack/plugins/security/common/licensing/license_service.test.ts b/x-pack/plugins/security/common/licensing/license_service.test.ts index f1b80db5cba2d..ab8b5c803deab 100644 --- a/x-pack/plugins/security/common/licensing/license_service.test.ts +++ b/x-pack/plugins/security/common/licensing/license_service.test.ts @@ -32,6 +32,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -57,6 +58,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -78,6 +80,7 @@ describe('license features', function () { Object { "allowAccessAgreement": false, "allowAuditLogging": false, + "allowFips": false, "allowLogin": false, "allowRbac": false, "allowRemoteClusterPrivileges": false, @@ -102,6 +105,7 @@ describe('license features', function () { Object { "allowAccessAgreement": true, "allowAuditLogging": true, + "allowFips": true, "allowLogin": true, "allowRbac": true, "allowRemoteClusterPrivileges": true, @@ -146,6 +150,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); expect(getFeatureSpy).toHaveBeenCalledTimes(1); expect(getFeatureSpy).toHaveBeenCalledWith('security'); @@ -174,6 +179,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: false, + allowFips: false, }); }); @@ -201,6 +207,7 @@ describe('license features', function () { allowSubFeaturePrivileges: false, allowAuditLogging: false, allowUserProfileCollaboration: true, + allowFips: false, }); }); @@ -228,6 +235,7 @@ describe('license features', function () { allowSubFeaturePrivileges: true, allowAuditLogging: true, allowUserProfileCollaboration: true, + allowFips: false, }); }); @@ -255,6 +263,7 @@ describe('license features', function () { allowSubFeaturePrivileges: true, allowAuditLogging: true, allowUserProfileCollaboration: true, + allowFips: true, }); }); }); diff --git a/x-pack/plugins/security/common/licensing/license_service.ts b/x-pack/plugins/security/common/licensing/license_service.ts index 3066d32a72695..817b3f207aa14 100644 --- a/x-pack/plugins/security/common/licensing/license_service.ts +++ b/x-pack/plugins/security/common/licensing/license_service.ts @@ -28,6 +28,8 @@ export class SecurityLicenseService { license: Object.freeze({ isLicenseAvailable: () => rawLicense?.isAvailable ?? false, + getLicenseType: () => rawLicense?.type ?? undefined, + getUnavailableReason: () => rawLicense?.getUnavailableReason(), isEnabled: () => this.isSecurityEnabledFromRawLicense(rawLicense), @@ -81,6 +83,7 @@ export class SecurityLicenseService { allowRbac: false, allowSubFeaturePrivileges: false, allowUserProfileCollaboration: false, + allowFips: false, layout: rawLicense !== undefined && !rawLicense?.isAvailable ? 'error-xpack-unavailable' @@ -103,6 +106,7 @@ export class SecurityLicenseService { allowRbac: false, allowSubFeaturePrivileges: false, allowUserProfileCollaboration: false, + allowFips: false, }; } @@ -124,6 +128,7 @@ export class SecurityLicenseService { allowRemoteClusterPrivileges: isLicensePlatinumOrBetter, allowRbac: true, allowUserProfileCollaboration: isLicenseStandardOrBetter, + allowFips: isLicensePlatinumOrBetter, }; } } diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap index e64e867a71a57..ccb8decacd812 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap @@ -124,6 +124,7 @@ exports[`it renders correctly in serverless mode 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], @@ -322,6 +323,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap index c3df729a7e3ee..705af534bc71d 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/index_privileges.test.tsx.snap @@ -24,6 +24,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap index e0939f7f55e02..7cc4e67ece4fc 100644 --- a/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap +++ b/x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/remote_cluster_privileges.test.tsx.snap @@ -14,6 +14,7 @@ exports[`it renders without crashing 1`] = ` "_subscribe": [Function], }, "getFeatures": [MockFunction], + "getLicenseType": [MockFunction], "getUnavailableReason": [MockFunction], "hasAtLeast": [MockFunction], "isEnabled": [MockFunction], diff --git a/x-pack/plugins/security/public/plugin.test.tsx b/x-pack/plugins/security/public/plugin.test.tsx index 874196f3e4c0e..433e1981e9ce9 100644 --- a/x-pack/plugins/security/public/plugin.test.tsx +++ b/x-pack/plugins/security/public/plugin.test.tsx @@ -43,6 +43,7 @@ describe('Security Plugin', () => { authz: { isRoleManagementEnabled: expect.any(Function), roles: expect.any(Object) }, license: { isLicenseAvailable: expect.any(Function), + getLicenseType: expect.any(Function), isEnabled: expect.any(Function), getUnavailableReason: expect.any(Function), getFeatures: expect.any(Function), @@ -71,6 +72,7 @@ describe('Security Plugin', () => { authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) }, license: { isLicenseAvailable: expect.any(Function), + getLicenseType: expect.any(Function), isEnabled: expect.any(Function), getUnavailableReason: expect.any(Function), getFeatures: expect.any(Function), diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts index 3a6ccc619fdb9..5e6c59aee4668 100644 --- a/x-pack/plugins/security/server/config.test.ts +++ b/x-pack/plugins/security/server/config.test.ts @@ -61,6 +61,11 @@ describe('config schema', () => { }, "cookieName": "sid", "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -115,6 +120,11 @@ describe('config schema', () => { }, "cookieName": "sid", "encryptionKey": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -168,6 +178,11 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "secureCookies": false, @@ -224,6 +239,11 @@ describe('config schema', () => { "selector": Object {}, }, "cookieName": "sid", + "experimental": Object { + "fipsMode": Object { + "enabled": false, + }, + }, "loginAssistanceMessage": "", "public": Object {}, "roleManagementEnabled": false, diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index 1ea1c87d31d5d..e12f1462b39b4 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -314,6 +314,11 @@ export const ConfigSchema = schema.object({ roleMappingManagementEnabled: schema.boolean({ defaultValue: true }), }), }), + experimental: schema.object({ + fipsMode: schema.object({ + enabled: schema.boolean({ defaultValue: false }), + }), + }), }); export function createConfig( diff --git a/x-pack/plugins/security/server/fips/fips_service.test.ts b/x-pack/plugins/security/server/fips/fips_service.test.ts new file mode 100644 index 0000000000000..aba86633c281f --- /dev/null +++ b/x-pack/plugins/security/server/fips/fips_service.test.ts @@ -0,0 +1,210 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +const mockGetFipsFn = jest.fn(); +jest.mock('crypto', () => ({ + randomBytes: jest.fn(), + constants: jest.requireActual('crypto').constants, + get getFips() { + return mockGetFipsFn; + }, +})); + +import type { Observable } from 'rxjs'; +import { BehaviorSubject, of } from 'rxjs'; + +import { loggingSystemMock } from '@kbn/core/server/mocks'; +import type { LicenseType } from '@kbn/licensing-plugin/common/types'; +import type { SecurityLicenseFeatures } from '@kbn/security-plugin-types-common'; + +import type { FipsServiceSetupInternal, FipsServiceSetupParams } from './fips_service'; +import { FipsService } from './fips_service'; +import { licenseMock } from '../../common/licensing/index.mock'; +import { ConfigSchema, createConfig } from '../config'; + +const logger = loggingSystemMock.createLogger(); + +function buildMockFipsServiceSetupParams( + licenseType: LicenseType, + isFipsConfigured: boolean, + features$: Observable>, + isAvailable: Observable = of(true) +): FipsServiceSetupParams { + mockGetFipsFn.mockImplementationOnce(() => { + return isFipsConfigured ? 1 : 0; + }); + + const license = licenseMock.create(features$, licenseType, isAvailable); + + let mockConfig = {}; + if (isFipsConfigured) { + mockConfig = { experimental: { fipsMode: { enabled: true } } }; + } + + return { + license, + config: createConfig(ConfigSchema.validate(mockConfig), loggingSystemMock.createLogger(), { + isTLSEnabled: false, + }), + }; +} + +describe('FipsService', () => { + let fipsService: FipsService; + let fipsServiceSetup: FipsServiceSetupInternal; + + beforeEach(() => { + fipsService = new FipsService(logger); + logger.error.mockClear(); + }); + + afterEach(() => { + logger.error.mockClear(); + }); + + describe('setup()', () => { + it('should expose correct setup contract', () => { + fipsService = new FipsService(logger); + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, of({ allowFips: true })) + ); + + expect(fipsServiceSetup).toMatchInlineSnapshot(` + Object { + "validateLicenseForFips": [Function], + } + `); + }); + }); + + describe('#validateLicenseForFips', () => { + describe('start-up check', () => { + it('should not throw Error/log.error if license features allowFips and `experimental.fipsMode.enabled` is `false`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', false, of({ allowFips: true })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not throw Error/log.error if license features allowFips and `experimental.fipsMode.enabled` is `true`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, of({ allowFips: true })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not throw Error/log.error if license features do not allowFips and `experimental.fipsMode.enabled` is `false`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('basic', false, of({ allowFips: false })) + ); + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should throw Error/log.error if license features do not allowFips and `experimental.fipsMode.enabled` is `true`', () => { + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('basic', true, of({ allowFips: false })) + ); + + // Because the Error is thrown from within a SafeSubscriber and cannot be hooked into + fipsServiceSetup.validateLicenseForFips(); + + expect(logger.error).toHaveBeenCalled(); + }); + }); + + describe('monitoring check', () => { + describe('with experimental.fipsMode.enabled', () => { + let mockFeaturesSubject: BehaviorSubject>; + let mockIsAvailableSubject: BehaviorSubject; + let mockFeatures$: Observable>; + let mockIsAvailable$: Observable; + + beforeAll(() => { + mockFeaturesSubject = new BehaviorSubject>({ + allowFips: true, + }); + mockIsAvailableSubject = new BehaviorSubject(true); + mockFeatures$ = mockFeaturesSubject.asObservable(); + mockIsAvailable$ = mockIsAvailableSubject.asObservable(); + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', true, mockFeatures$, mockIsAvailable$) + ); + + fipsServiceSetup.validateLicenseForFips(); + }); + + beforeEach(() => { + mockFeaturesSubject.next({ allowFips: true }); + mockIsAvailableSubject.next(true); + }); + + it('should not log.error if license changes to unavailable and `experimental.fipsMode.enabled` is `true`', () => { + mockIsAvailableSubject.next(false); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license features continue to allowFips and `experimental.fipsMode.enabled` is `true`', () => { + mockFeaturesSubject.next({ allowFips: true }); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should log.error if license features change to not allowFips and `experimental.fipsMode.enabled` is `true`', () => { + mockFeaturesSubject.next({ allowFips: false }); + expect(logger.error).toHaveBeenCalledTimes(1); + }); + }); + + describe('with not experimental.fipsMode.enabled', () => { + let mockFeaturesSubject: BehaviorSubject>; + let mockIsAvailableSubject: BehaviorSubject; + let mockFeatures$: Observable>; + let mockIsAvailable$: Observable; + + beforeAll(() => { + mockFeaturesSubject = new BehaviorSubject>({ + allowFips: true, + }); + mockIsAvailableSubject = new BehaviorSubject(true); + mockFeatures$ = mockFeaturesSubject.asObservable(); + mockIsAvailable$ = mockIsAvailableSubject.asObservable(); + + fipsServiceSetup = fipsService.setup( + buildMockFipsServiceSetupParams('platinum', false, mockFeatures$, mockIsAvailable$) + ); + + fipsServiceSetup.validateLicenseForFips(); + }); + + beforeEach(() => { + mockFeaturesSubject.next({ allowFips: true }); + mockIsAvailableSubject.next(true); + }); + + it('should not log.error if license changes to unavailable and `experimental.fipsMode.enabled` is `false`', () => { + mockIsAvailableSubject.next(false); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license features continue to allowFips and `experimental.fipsMode.enabled` is `false`', () => { + mockFeaturesSubject.next({ allowFips: true }); + expect(logger.error).not.toHaveBeenCalled(); + }); + + it('should not log.error if license change to not allowFips and `experimental.fipsMode.enabled` is `false`', () => { + mockFeaturesSubject.next({ allowFips: false }); + expect(logger.error).not.toHaveBeenCalled(); + }); + }); + }); + }); +}); diff --git a/x-pack/plugins/security/server/fips/fips_service.ts b/x-pack/plugins/security/server/fips/fips_service.ts new file mode 100644 index 0000000000000..aa351ab48828d --- /dev/null +++ b/x-pack/plugins/security/server/fips/fips_service.ts @@ -0,0 +1,67 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Logger } from '@kbn/logging'; +import type { SecurityLicense } from '@kbn/security-plugin-types-common'; + +import type { ConfigType } from '../config'; + +export interface FipsServiceSetupParams { + config: ConfigType; + license: SecurityLicense; +} + +export interface FipsServiceSetupInternal { + validateLicenseForFips: () => void; +} + +export class FipsService { + private readonly logger: Logger; + private isInitialLicenseLoaded: boolean; + + constructor(logger: Logger) { + this.logger = logger; + this.isInitialLicenseLoaded = false; + } + + setup({ config, license }: FipsServiceSetupParams): FipsServiceSetupInternal { + return { + validateLicenseForFips: () => this.validateLicenseForFips(config, license), + }; + } + + private validateLicenseForFips(config: ConfigType, license: SecurityLicense) { + license.features$.subscribe({ + next: (features) => { + const errorMessage = `Your current license level is ${license.getLicenseType()} and does not support running in FIPS mode.`; + + if (license.isLicenseAvailable() && !this.isInitialLicenseLoaded) { + if (config?.experimental.fipsMode.enabled && !license.getFeatures().allowFips) { + this.logger.error(errorMessage); + throw new Error(errorMessage); + } + + this.isInitialLicenseLoaded = true; + } + + if ( + this.isInitialLicenseLoaded && + license.isLicenseAvailable() && + config?.experimental.fipsMode.enabled && + !features.allowFips + ) { + this.logger.error( + `${errorMessage} Kibana will not be able to restart. Please upgrade your license to platinum or higher.` + ); + } + }, + error: (error) => { + this.logger.debug(`Unable to check license: ${error}`); + }, + }); + } +} diff --git a/x-pack/plugins/security/server/fips/index.ts b/x-pack/plugins/security/server/fips/index.ts new file mode 100644 index 0000000000000..3af4435169348 --- /dev/null +++ b/x-pack/plugins/security/server/fips/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { FipsService } from './fips_service'; + +export type { FipsServiceSetupInternal, FipsServiceSetupParams } from './fips_service'; diff --git a/x-pack/plugins/security/server/plugin.test.ts b/x-pack/plugins/security/server/plugin.test.ts index be3d00b77cff9..a82b45753845b 100644 --- a/x-pack/plugins/security/server/plugin.test.ts +++ b/x-pack/plugins/security/server/plugin.test.ts @@ -121,6 +121,7 @@ describe('Security Plugin', () => { }, }, "getFeatures": [Function], + "getLicenseType": [Function], "getUnavailableReason": [Function], "hasAtLeast": [Function], "isEnabled": [Function], diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index cf362926bdd04..9d5ffde67b1d7 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -52,6 +52,8 @@ import { ElasticsearchService } from './elasticsearch'; import type { SecurityFeatureUsageServiceStart } from './feature_usage'; import { SecurityFeatureUsageService } from './feature_usage'; import { securityFeatures } from './features'; +import type { FipsServiceSetupInternal } from './fips'; +import { FipsService } from './fips'; import { defineRoutes } from './routes'; import { setupSavedObjects } from './saved_objects'; import type { Session } from './session_management'; @@ -177,6 +179,9 @@ export class SecurityPlugin return this.userProfileStart; }; + private readonly fipsService: FipsService; + private fipsServiceSetup?: FipsServiceSetupInternal; + constructor(private readonly initializerContext: PluginInitializerContext) { this.logger = this.initializerContext.logger.get(); @@ -199,6 +204,8 @@ export class SecurityPlugin ); this.analyticsService = new AnalyticsService(this.initializerContext.logger.get('analytics')); + + this.fipsService = new FipsService(this.initializerContext.logger.get('fips')); } public setup( @@ -280,6 +287,9 @@ export class SecurityPlugin this.userProfileService.setup({ authz: this.authorizationSetup, license }); + this.fipsServiceSetup = this.fipsService.setup({ config, license }); + this.fipsServiceSetup.validateLicenseForFips(); + setupSpacesClient({ spaces, audit: this.auditSetup, diff --git a/x-pack/plugins/security/server/routes/views/login.test.ts b/x-pack/plugins/security/server/routes/views/login.test.ts index 87e9bf9e4495b..b19ef41ca9098 100644 --- a/x-pack/plugins/security/server/routes/views/login.test.ts +++ b/x-pack/plugins/security/server/routes/views/login.test.ts @@ -175,6 +175,7 @@ describe('Login view routes', () => { allowAuditLogging: true, showLogin: true, allowUserProfileCollaboration: true, + allowFips: false, }); const request = httpServerMock.createKibanaRequest();