Merged
27 changes: 27 additions & 0 deletions .buildkite/auditbeat/auditbeat-pipeline.yml
Expand Up @@ -103,6 +103,33 @@ steps:
- github_commit_status:
context: "auditbeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: Auditbeat: Ubuntu x86_64 Unit Tests FIPS"
command: |
set -euo pipefail
cd auditbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_2204_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "auditbeat/build/*.xml"
- "auditbeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "auditbeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "auditbeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":rhel: Auditbeat: RHEL9 Unit Tests"
command: |
set -euo pipefail
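Review bot: Nothing in the new step checks that `FIPS: "true"` actually changes what `mage unitTest` builds, so if the variable is ignored or later renamed the job still goes green and publishes "auditbeat: Ubuntu x86_64 Unit Tests FIPS" for an ordinary run. How mage consumes `FIPS` is not visible in this diff, so treat that as something to confirm rather than a known gap. At minimum, record the contract next to the `env:` block, for example `# FIPS=true must make mage build tests with the requirefips tag; see <mage target that reads FIPS>`. The same applies to the FIPS steps added in the other pipeline files of this change.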
26 changes: 26 additions & 0 deletions .buildkite/filebeat/filebeat-pipeline.yml
Expand Up @@ -101,6 +101,32 @@ steps:
- github_commit_status:
context: "filebeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: Filebeat: Ubuntu x86_64 Unit Tests FIPS"
command: |
cd filebeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "filebeat/build/*.xml"
- "filebeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "filebeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "filebeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: Filebeat: Go Integration Tests"
command: |
cd filebeat
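Review bot: The `command:` script of the new Filebeat FIPS step omits the `set -euo pipefail` line that the auditbeat and libbeat FIPS steps in this change start with, so otherwise identical steps run with different shell strictness. Whether the agent shell already exits on error is not visible here, but unset variables and failing pipeline stages are only caught with the explicit line. Add `set -euo pipefail` as the first line of the script. The metricbeat and x-pack auditbeat, filebeat, libbeat and metricbeat FIPS steps have the same omission.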
30 changes: 29 additions & 1 deletion .buildkite/libbeat/pipeline.libbeat.yml
Expand Up @@ -87,6 +87,34 @@ steps:
- github_commit_status:
context: "libbeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: Libbeat: Ubuntu x86_64 Unit Tests FIPS"
key: "mandatory-linux-unit-test-fips"
command: |
set -euo pipefail
cd libbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "libbeat/build/*.xml"
- "libbeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "libbeat/build/TEST-*-unit.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "libbeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: Libbeat: Go Integration Tests"
key: "mandatory-int-test"
command: |
Expand All @@ -111,7 +139,7 @@ steps:
debug: true
notify:
- github_commit_status:
context: "libbeat: Go Integration Tests"
context: "libbeat: Go Integration Tests FIPS"

- label: ":ubuntu: Libbeat: Python Integration Tests"
key: "mandatory-python-int-test"
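Review bot: The second hunk appears to rename the commit-status context of the existing `:ubuntu: Libbeat: Go Integration Tests` step from `libbeat: Go Integration Tests` to `libbeat: Go Integration Tests FIPS`, which looks unintended because that step is not one of the FIPS jobs this change adds. If branch protection requires the old context name, the required check would stop reporting, and a non-FIPS run would be published under a FIPS label. Unless the step's `env:` (outside the hunk) sets `FIPS`, keep `context: "libbeat: Go Integration Tests"`. The step body between the two hunks is not shown, so confirm which step the changed line belongs to.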
27 changes: 27 additions & 0 deletions .buildkite/metricbeat/pipeline.yml
Expand Up @@ -107,6 +107,33 @@ steps:
- github_commit_status:
context: "metricbeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: Metricbeat: Ubuntu x86_64 Unit Tests FIPS"
key: "mandatory-linux-unit-test-fips"
command: |
cd metricbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "metricbeat/build/*.xml"
- "metricbeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "metricbeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "metricbeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: Metricbeat: Go Integration Tests (Module)"
key: "mandatory-int-test"
command: |
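Review bot: The new step references the plugin as `test-collector#v1.10.2`, a tag, which is a mutable git ref; plugin hooks run on the agent inside the job, so a moved tag would run unreviewed code with this step's environment. Pinning to the commit keeps the reference immutable: `- test-collector#<commit-sha-of-v1.10.2>: # v1.10.2`. The same reference is used by the other FIPS steps added in this change and presumably by existing steps outside the hunks, so this may be better handled as one follow-up across the pipelines.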
27 changes: 27 additions & 0 deletions .buildkite/x-pack/pipeline.xpack.auditbeat.yml
Expand Up @@ -106,6 +106,33 @@ steps:
- github_commit_status:
context: "x-pack/auditbeat: Build Tests (Module)"

- label: ":ubuntu: x-pack/auditbeat: Ubuntu Unit Tests FIPS"
key: "mandatory-linux-unit-test-fips"
command: |
cd x-pack/auditbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "x-pack/auditbeat/build/*.xml"
- "x-pack/auditbeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "x-pack/auditbeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "x-pack/auditbeat: Ubuntu Unit Tests FIPS"

- label: ":rhel: x-pack/auditbeat: RHEL9 Unit Tests"
key: "mandatory-rhel9-unit-test"
command: |
27 changes: 27 additions & 0 deletions .buildkite/x-pack/pipeline.xpack.filebeat.yml
Expand Up @@ -103,6 +103,33 @@ steps:
- github_commit_status:
context: "x-pack/filebeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: x-pack/filebeat: Ubuntu x86_64 Unit Tests FIPS"
key: "x-pack-filebeat-mandatory-linux-unit-test-FIPS"
command: |
cd x-pack/filebeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "x-pack/filebeat/build/*.xml"
- "x-pack/filebeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "x-pack/filebeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "x-pack/filebeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: x-pack/filebeat: Go Integration Tests"
key: "x-pack-filebeat-mandatory-int-test"
command: |
21 changes: 21 additions & 0 deletions .buildkite/x-pack/pipeline.xpack.libbeat.yml
Expand Up @@ -86,6 +86,27 @@ steps:
- github_commit_status:
context: "x-pack/libbeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: x-pack/libbeat: Ubuntu x86_64 Unit Tests FIPS"
key: "mandatory-linux-unit-test-fips"
command: |
cd x-pack/libbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "x-pack/libbeat/build/*.xml"
- "x-pack/libbeat/build/*.json"
notify:
- github_commit_status:
context: "x-pack/libbeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: x-pack/libbeat: Go Integration Tests"
key: "mandatory-int-test"
command: |
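Review bot: The x-pack/libbeat FIPS step has no `plugins:` block, while every other FIPS unit-test step in this change adds `test-collector#v1.10.2` with a `files:` glob over `build/TEST-*.xml`. As written, the JUnit output of this FIPS run is only uploaded through `artifact_paths` and is not sent to the test collector. If that mirrors the existing non-FIPS x-pack/libbeat step (not visible in the hunk), a short comment saying so would prevent it from being read as an oversight. Otherwise add the same block as the sibling steps with `files: "x-pack/libbeat/build/TEST-*.xml"`.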
29 changes: 28 additions & 1 deletion .buildkite/x-pack/pipeline.xpack.metricbeat.yml
Expand Up @@ -106,6 +106,33 @@ steps:
- github_commit_status:
context: "x-pack/metricbeat: Ubuntu x86_64 Unit Tests"

- label: ":ubuntu: x-pack/metricbeat: Ubuntu x86_64 Unit Tests FIPS"
key: "mandatory-linux-unit-test-fips"
command: |
cd x-pack/metricbeat
mage unitTest
retry:
automatic:
- limit: 1
agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
env:
FIPS: "true"
artifact_paths:
- "x-pack/metricbeat/build/*.xml"
- "x-pack/metricbeat/build/*.json"
plugins:
- test-collector#v1.10.2:
files: "x-pack/metricbeat/build/TEST-*.xml"
format: "junit"
branches: "main"
debug: true
notify:
- github_commit_status:
context: "x-pack/metricbeat: Ubuntu x86_64 Unit Tests FIPS"

- label: ":ubuntu: x-pack/metricbeat: Go Integration Tests (Module)"
key: "mandatory-int-test"
env:
Expand Down Expand Up @@ -483,4 +510,4 @@ steps:
instanceType: "${AWS_ARM_INSTANCE_TYPE}"
notify:
- github_commit_status:
context: "x-pack/metricbeat: Packaging Linux arm64 FIPS"
context: "x-pack/metricbeat: Packaging Linux arm64 FIPS"
64 changes: 64 additions & 0 deletions auditbeat/module/file_integrity/file_parsers_fips_test.go
@@ -0,0 +1,64 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

//go:build requirefips
Member


Is there a way to accomplish the variant testing without utilizing build tags? Minimizing the amount of code behind build tags makes maintenance easier. Build tags can hide errors.

For example, is there some runtime method of checking if the binary is in FIPS mode (akin to https://pkg.go.dev/crypto/fips140#Enabled) that we can use to skip tests at runtime instead of using build tags?

Contributor Author

@michel-laterman michel-laterman Apr 4, 2025


fips140.Enabled() returns true if fips140 is set to on, or only.
On enables FIPS compliant algorithms, and will allow you to use non-FIPS algorithms (such as SHA1)
Only forces you to use FIPS (fips 140-3) compliance, without using non-FIPS algorithms.

Our current binaries (built with microsoft/go target fips 140-2) function the same as if the flag has an on value.

The next step in our FIPS testing will be to run these unit tests with fips140=only just to make sure we don't accidentally add non compliant algorithms in the future.

Member


I didn't mean to use fips140.Enabled() directly, but was asking if there was something similar in nature that we could use to minimize the amount of code hidden behind build tags? One possible example would be to have a very slim package that exports a constant based on the build tag used, e.g.

//go:build requirefips

const FIPS = true
//go:build !requirefips

const FIPS = false

Then utilize this value to control the expectations set by the tests.

Contributor Author

@michel-laterman michel-laterman Apr 7, 2025


Currently we don't have anything available in beats.
I'll create an issue to discuss this; enabling test coverage is our priority at the moment


package file_integrity

import (
"reflect"
"testing"

"github.com/elastic/elastic-agent-libs/config"
)

func TestFileParsers(t *testing.T) {
cfg, err := config.NewConfigFrom(map[string]interface{}{
"paths": []string{"/usr/bin"},
"file_parsers": []string{"file.elf.sections", `/\.pe\./`},
})
if err != nil {
t.Fatal(err)
}

c := defaultConfig
if err := cfg.Unpack(&c); err != nil {
t.Fatal(err)
}

wantParserNames := map[string]bool{
"executable_object": true,
}
wantFields := map[string]bool{
"file.elf.sections": true,
"file.pe.sections": true,
"file.pe.sections.name": true,
"file.pe.sections.physical_size": true,
"file.pe.sections.virtual_size": true,
"file.pe.sections.entropy": true,
"file.pe.sections.var_entropy": true,
"file.pe.go_stripped": true,
}

gotParserNames, gotFields := parserNamesAndFields(c)
if !reflect.DeepEqual(gotParserNames, wantParserNames) {
t.Errorf("unexpected parser name set: got:%v want:%v", gotParserNames, wantParserNames)
}
if !reflect.DeepEqual(gotFields, wantFields) {
t.Errorf("unexpected fields set: got:%v want:%v", gotFields, wantFields)
}
}
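Review bot: `TestFileParsers` has no doc comment saying what the `requirefips` build is expected to leave out, so a reader cannot tell whether the short `wantParserNames` and `wantFields` sets are deliberate or an incomplete copy of the untagged test. A comment above the function would record the intent, for example `// TestFileParsers checks that a requirefips build selects only the executable_object parser and the ELF/PE section fields listed below.` Which parsers or fields the FIPS build drops, and why, is not visible in this diff, so take those names from the non-FIPS test file rather than from this note. Documenting the exclusion also makes it obvious that a newly registered parser showing up in this set needs a compliance review before the expectation is widened.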
Expand Up @@ -15,6 +15,8 @@
// specific language governing permissions and limitations
// under the License.

//go:build !requirefips

package file_integrity

import (