Test LS wont accept input from non fips configured filebeat

donoghuc · donoghuc · commit d39a0808550d · 2025-05-30T14:17:31.000-07:00
This test ensures logstash will not accept data from filebeat when using weak tls configuration. See elastic/ingest-dev#5472
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/filebeat-to-ls-weak.conf b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/filebeat-to-ls-weak.conf
@@ -0,0 +1,27 @@
+input {
+  beats {
+    port => 5044
+    ssl_enabled => true
+    ssl_certificate => "/usr/share/logstash/config/certs/logstash.crt"
+    ssl_key => "/usr/share/logstash/config/certs/logstash.key"
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    ssl_supported_protocols => ["TLSv1.1"]
+  }
+}
+
+filter {
+  mutate {
+    add_tag => ["filebeat"]
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["https://elasticsearch:9200"]
+    user => "elastic"
+    password => "changeme"
+    ssl_enabled => true
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    index => "filebeat-weak-ssl-test-%{+YYYY.MM.dd}"
+  }
+}
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb
@@ -70,7 +70,7 @@ def docker_compose_up(env={}) = docker_compose_invoke("up --detach", env)
 
   def docker_compose_down(env={}) = docker_compose_invoke("down --volumes", env)
 
-  context "when running with FIPS-compliant configuration" do
+  context "when running LS to ES with FIPS-compliant configuration" do
     before(:all) do
       docker_compose_up
       wait_for_elasticsearch
@@ -98,7 +98,7 @@ def docker_compose_down(env={}) = docker_compose_invoke("down --volumes", env)
     end
   end
 
-  context "when running with non-FIPS compliant configuration" do
+  context "when running LS to ES with non-FIPS compliant configuration" do
     before(:all) do
       docker_compose_up({"LOGSTASH_PIPELINE" => "logstash-to-elasticsearch-weak.conf"})
       wait_for_elasticsearch
@@ -127,7 +127,7 @@ def docker_compose_down(env={}) = docker_compose_invoke("down --volumes", env)
       end
   end
 
-  context "When running in a FIPS compliant configuration" do
+  context "When running Filebeat through LS to ES in a FIPS compliant configuration" do
     before(:all) do
       docker_compose_up({"LOGSTASH_PIPELINE" => "filebeat-to-ls-to-es.conf"})
       wait_for_elasticsearch
@@ -154,4 +154,33 @@ def docker_compose_down(env={}) = docker_compose_invoke("down --volumes", env)
       expect(result["hits"]["hits"].first["_source"]["tags"]).to include("filebeat")
     end
   end
+
+  context "when running Filebeat through LS to ES with non-FIPS compliant configuration" do
+    before(:all) do
+      docker_compose_up({"LOGSTASH_PIPELINE" => "filebeat-to-ls-weak.conf"})
+      wait_for_elasticsearch
+    end
+
+    after(:all) do
+      docker_compose_down
+    end
+
+    it "prevents data flow when using TLSv1.1 which is not FIPS-compliant" do
+        # Allow time for Logstash to attempt connections (and fail)
+        sleep 15
+
+        # Verify that no index has been created that would indicate successful data flow
+        response = es_request("/_cat/indices?v")
+        today_pattern = "filebeat-weak-ssl-test"
+        expect(response.body).not_to include(today_pattern)
+
+        # Check logs for the specific BouncyCastle FIPS error we expect
+        logs = `docker logs fips_test_logstash 2>&1`
+
+        # Verify the logs contain the FIPS-mode TLS protocol error
+        expect(logs).to include("No usable protocols enabled")
+        expect(logs).to include("IllegalStateException")
+        expect(logs).to include("org.bouncycastle")
+      end
+  end
 end
