Add tests describing behavior of LS -> ES with non-fips config

donoghuc · donoghuc · commit 3873b44ed644 · 2025-05-22T14:38:27.000-07:00
This commit adds a test to show that data will not flow from LS to ES
when weak non fips config is used.
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/logstash-to-elasticsearch-weak.conf b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/logstash-to-elasticsearch-weak.conf
@@ -0,0 +1,28 @@
+input {
+  generator {
+    # Generate this message indefinitely to give ES container time to come online
+    count => -1
+    lines => ["FIPS weak protocol test heartbeat"]
+  }
+}
+
+filter {
+  mutate {
+    add_field => {
+      "fips_test" => "true"
+    }
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["https://elasticsearch:9200"]
+    user => "elastic"
+    password => "changeme"
+    ssl_enabled => true
+    ssl_verification_mode => "none"
+    ssl_supported_protocols => ["TLSv1.1"]
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    index => "logstash-weak-ssl-test-%{+YYYY.MM.dd}"
+  }
+}
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb
@@ -3,18 +3,41 @@
 require 'json'
 require 'timeout'
 
-describe "ObservabilitySRE FIPS container running on FIPS vm" do
+describe "ObservabilitySRE FIPS container" do
+  def es_request(path, body = nil)
+    es_url = "https://localhost:9200"
+    es_user = 'elastic'
+    es_password = 'changeme'
+    uri = URI.parse(es_url + path)
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    request = body ? Net::HTTP::Post.new(uri.request_uri) : Net::HTTP::Get.new(uri.request_uri)
+    request.basic_auth(es_user, es_password)q
+    request["Content-Type"] = "application/json"
+    request.body = body if body
+
+    http.request(request)
+  end
+
+  def wait_until(timeout: 30, interval: 1, message: nil)
+    Timeout.timeout(timeout) do
+      loop do
+        break if yield
+        sleep interval
+      end
+    end
+  rescue Timeout::Error
+    raise message || "Condition not met within #{timeout} seconds"
+  end
   
-  before(:all) do
-    # Start docker-compose and wait for ES
-    system("cd #{__dir__}/../docker && docker-compose up -d") or fail "Failed to start Docker Compose environment"
-    max_retries = 120
+  def wait_for_elasticsearch(max_retries = 120)
     retries = 0
     ready = false
-    
+
     while !ready && retries < max_retries
       begin
-        # Wait for elasticsearch to be ready
         response = es_request("/_cluster/health")
         if response.code == "200"
           health = JSON.parse(response.body)
@@ -32,57 +55,64 @@
         end
       end
     end
-    
+
     raise "System not ready after #{max_retries} seconds" unless ready
   end
-  
-  after(:all) do
-    # stop docker network
-    system("cd #{__dir__}/../docker && docker-compose down -v")
-  end
-  
-  it "data flows from Logstash to Elasticsearch using FIPS-approved SSL" do
-    # Wait for index to appear, indicating data is flowing
-    wait_until(timeout: 30, message: "Index logstash-fips-test not found") do
-      response = es_request("/_cat/indices?v")
-      response.code == "200" && response.body.include?("logstash-fips-test")
+
+  context "when running with FIPS-compliant configuration" do
+    before(:all) do
+      system("cd #{__dir__}/../docker && docker-compose up -d") or fail "Failed to start Docker Compose environment"
+      wait_for_elasticsearch
     end
-    # Wait until specific data from logstash generator/mutate filters are observed
-    query = { query: { match_all: {} } }.to_json
-    result = nil
-    wait_until(timeout: 30, message: "Index logstash-fips-test not found") do
-        response = es_request("/logstash-fips-test-*/_search", query)
-        result = JSON.parse(response.body)
-        response.code == "200" && result["hits"]["total"]["value"] > 0
-      end
-    expect(result["hits"]["hits"].first["_source"]).to include("fips_test")
-  end
 
-  def wait_until(timeout: 30, interval: 1, message: nil)
-    Timeout.timeout(timeout) do
-      loop do
-        break if yield
-        sleep interval
+    after(:all) do
+      system("cd #{__dir__}/../docker && docker-compose down -v")
+    end
+
+    it "data flows from Logstash to Elasticsearch using FIPS-approved SSL" do
+      # Wait for index to appear, indicating data is flowing
+      wait_until(timeout: 30, message: "Index logstash-fips-test not found") do
+        response = es_request("/_cat/indices?v")
+        response.code == "200" && response.body.include?("logstash-fips-test")
       end
+      # Wait until specific data from logstash generator/mutate filters are observed
+      query = { query: { match_all: {} } }.to_json
+      result = nil
+      wait_until(timeout: 30, message: "Index logstash-fips-test not found") do
+          response = es_request("/logstash-fips-test-*/_search", query)
+          result = JSON.parse(response.body)
+          response.code == "200" && result["hits"]["total"]["value"] > 0
+        end
+      expect(result["hits"]["hits"].first["_source"]).to include("fips_test")
     end
-  rescue Timeout::Error
-    raise message || "Condition not met within #{timeout} seconds"
   end
 
-  def es_request(path, body = nil)
-    es_url = "https://localhost:9200"
-    es_user = 'elastic'
-    es_password = 'changeme'
-    uri = URI.parse(es_url + path)
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-    
-    request = body ? Net::HTTP::Post.new(uri.request_uri) : Net::HTTP::Get.new(uri.request_uri)
-    request.basic_auth(es_user, es_password)
-    request["Content-Type"] = "application/json"
-    request.body = body if body
-    
-    http.request(request)
+  context "when running with non-FIPS compliant configuration" do
+    before(:all) do
+      system("cd #{__dir__}/../docker && LOGSTASH_PIPELINE=logstash-to-elasticsearch-weak.conf docker-compose up -d") or fail "Failed to start Docker Compose with weak SSL"
+      wait_for_elasticsearch
+    end
+
+    after(:all) do
+      system("cd #{__dir__}/../docker && docker-compose down -v")
+    end
+
+    it "prevents data flow when using TLSv1.1 which is not FIPS-compliant" do
+        # Allow time for Logstash to attempt connections (and fail)
+        sleep 15
+
+        # Verify that no index has been created that would indicate successful data flow
+        response = es_request("/_cat/indices?v")
+        today_pattern = "logstash-weak-ssl-test-#{Time.now.strftime('%Y.%m.%d')}"
+        expect(response.body).not_to include(today_pattern)
+
+        # Check logs for the specific BouncyCastle FIPS error we expect
+        logs = `docker logs fips_test_logstash 2>&1`
+
+        # Verify the logs contain the FIPS-mode TLS protocol error
+        expect(logs).to include("No usable protocols enabled")
+        expect(logs).to include("IllegalStateException")
+        expect(logs).to include("org.bouncycastle")
+      end
   end
 end
