[8.x] Enabling Full FTR, Integration, and Unit tests to the FIPS Test…

… Pipeline (#192632) (#200780)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Enabling Full FTR, Integration, and Unit tests to the FIPS Test
Pipeline (#192632)](#192632)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Kurt","email":"kc13greiner@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-19T13:31:47Z","message":"Enabling
Full FTR, Integration, and Unit tests to the FIPS Test Pipeline
(#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for
Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of
non-compliant algorithms manifest as runtime errors, so it
is\r\nimperative that we attempt to run all tests possible with Kibana
in FIPS\r\nmode. However, several overrides are needed to run Kibana in
FIPS mode,\r\nresulting in setup that make it impossible to
run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS
pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable
Full FTR suite for FIPS pipeline (smoke test had originally run\r\na
subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests
to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5
when installing from source (TBD based Ops PR\r\nfeed back, see self
review below)\r\n- Remove md5 from es_file_client options\r\n\r\n##
Latest Successful FIPS Test
Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by:
Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory
<larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","ci:build-docker-fips","backport:version","v8.17.0"],"number":192632,"url":"https://github.com/elastic/kibana/pull/192632","mergeCommit":{"message":"Enabling
Full FTR, Integration, and Unit tests to the FIPS Test Pipeline
(#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for
Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of
non-compliant algorithms manifest as runtime errors, so it
is\r\nimperative that we attempt to run all tests possible with Kibana
in FIPS\r\nmode. However, several overrides are needed to run Kibana in
FIPS mode,\r\nresulting in setup that make it impossible to
run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS
pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable
Full FTR suite for FIPS pipeline (smoke test had originally run\r\na
subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests
to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5
when installing from source (TBD based Ops PR\r\nfeed back, see self
review below)\r\n- Remove md5 from es_file_client options\r\n\r\n##
Latest Successful FIPS Test
Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by:
Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory
<larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192632","number":192632,"mergeCommit":{"message":"Enabling
Full FTR, Integration, and Unit tests to the FIPS Test Pipeline
(#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for
Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of
non-compliant algorithms manifest as runtime errors, so it
is\r\nimperative that we attempt to run all tests possible with Kibana
in FIPS\r\nmode. However, several overrides are needed to run Kibana in
FIPS mode,\r\nresulting in setup that make it impossible to
run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS
pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable
Full FTR suite for FIPS pipeline (smoke test had originally run\r\na
subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests
to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5
when installing from source (TBD based Ops PR\r\nfeed back, see self
review below)\r\n- Remove md5 from es_file_client options\r\n\r\n##
Latest Successful FIPS Test
Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by:
Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory
<larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0"}},{"branch":"8.x","label":"v8.17.0","labelRegex":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

.buildkite/pipelines/fips.yml

@@ -40,14 +40,15 @@ steps:
       machineType: n2-standard-2
       preemptible: true
 
-  - command: .buildkite/scripts/steps/fips/smoke_test.sh
-    label: 'Pick Smoke Test Group Run Order'
+  - command: .buildkite/scripts/steps/test/pick_test_group_run_order.sh
+    label: 'Pick Test Group Run Order'
     depends_on: build
     timeout_in_minutes: 10
     env:
       FTR_CONFIGS_SCRIPT: '.buildkite/scripts/steps/test/ftr_configs.sh'
       FTR_EXTRA_ARGS: '$FTR_EXTRA_ARGS'
-      LIMIT_CONFIG_TYPE: 'functional'
+      JEST_UNIT_SCRIPT: '.buildkite/scripts/steps/test/jest.sh'
+      JEST_INTEGRATION_SCRIPT: '.buildkite/scripts/steps/test/jest_integration.sh'
     retry:
       automatic:
         - exit_status: '*'

.buildkite/scripts/steps/test/jest_parallel.sh

@@ -60,7 +60,14 @@ while read -r config; do
   # --trace-warnings to debug
   # Node.js process-warning detected:
   # Warning: Closing file descriptor 24 on garbage collection
-  cmd="NODE_OPTIONS=\"--max-old-space-size=12288 --trace-warnings\" node ./scripts/jest --config=\"$config\" $parallelism --coverage=false --passWithNoTests"
+  cmd="NODE_OPTIONS=\"--max-old-space-size=12288 --trace-warnings"
+
+  if [ "${KBN_ENABLE_FIPS:-}" == "true" ]; then
+    cmd=$cmd" --enable-fips --openssl-config=$HOME/nodejs.cnf"
+  fi
+
+  cmd=$cmd"\" node ./scripts/jest --config=\"$config\" $parallelism --coverage=false --passWithNoTests"
+
   echo "actual full command is:"
   echo "$cmd"
   echo ""

packages/core/security/core-security-server-internal/src/security_service.test.ts

@@ -16,17 +16,32 @@ import { loggerMock, MockedLogger } from '@kbn/logging-mocks';
 import { mockCoreContext } from '@kbn/core-base-server-mocks';
 import type { CoreSecurityDelegateContract } from '@kbn/core-security-server';
 import { SecurityService } from './security_service';
+import { configServiceMock } from '@kbn/config-mocks';
+import { getFips } from 'crypto';
 
 const createStubInternalContract = (): CoreSecurityDelegateContract => {
   return Symbol('stubContract') as unknown as CoreSecurityDelegateContract;
 };
 
-describe('SecurityService', () => {
+describe('SecurityService', function () {
   let coreContext: ReturnType<typeof mockCoreContext.create>;
+  let configService: ReturnType<typeof configServiceMock.create>;
   let service: SecurityService;
 
   beforeEach(() => {
-    coreContext = mockCoreContext.create();
+    const mockConfig = {
+      xpack: {
+        security: {
+          experimental: {
+            fipsMode: {
+              enabled: !!getFips(),
+            },
+          },
+        },
+      },
+    };
+    configService = configServiceMock.create({ getConfig$: mockConfig });
+    coreContext = mockCoreContext.create({ configService });
     service = new SecurityService(coreContext);
 
     convertSecurityApiMock.mockReset();
@@ -51,8 +66,11 @@ describe('SecurityService', () => {
       describe('#isEnabled', () => {
         it('should return boolean', () => {
           const { fips } = service.setup();
-
-          expect(fips.isEnabled()).toBe(false);
+          if (getFips() === 0) {
+            expect(fips.isEnabled()).toBe(false);
+          } else {
+            expect(fips.isEnabled()).toBe(true);
+          }
         });
       });
     });

packages/core/security/core-security-server-internal/tsconfig.json

@@ -22,5 +22,6 @@
     "@kbn/core-base-server-mocks",
     "@kbn/config",
     "@kbn/core-logging-server-mocks",
+    "@kbn/config-mocks",
   ]
 }

packages/core/test-helpers/core-test-helpers-kbn-server/src/create_root.ts

@@ -12,10 +12,12 @@ import loadJsonFile from 'load-json-file';
 import { defaultsDeep } from 'lodash';
 import { BehaviorSubject } from 'rxjs';
 import supertest from 'supertest';
+import { set } from '@kbn/safer-lodash-set';
 
 import { getPackages } from '@kbn/repo-packages';
 import { ToolingLog } from '@kbn/tooling-log';
 import { REPO_ROOT } from '@kbn/repo-info';
+import { getFips } from 'crypto';
 import {
   createTestEsCluster,
   CreateTestEsClusterOptions,
@@ -58,6 +60,17 @@ export function createRootWithSettings(
     pkg.version = customKibanaVersion;
   }
 
+  /*
+   * Most of these integration tests expect OSS to default to true, but FIPS
+   * requires the security plugin to be enabled
+   */
+  let oss = true;
+  if (getFips() === 1) {
+    set(settings, 'xpack.security.experimental.fipsMode.enabled', true);
+    oss = false;
+    delete cliArgs.oss;
+  }
+
   const env = Env.createDefault(
     REPO_ROOT,
     {
@@ -67,10 +80,10 @@ export function createRootWithSettings(
         watch: false,
         basePath: false,
         runExamples: false,
-        oss: true,
         disableOptimizer: true,
         cache: true,
         dist: false,
+        oss,
         ...cliArgs,
       },
       repoPackages: getPackages(REPO_ROOT),
@@ -237,7 +250,13 @@ export function createTestServers({
   if (!adjustTimeout) {
     throw new Error('adjustTimeout is required in order to avoid flaky tests');
   }
-  const license = settings.es?.license ?? 'basic';
+  let license = settings.es?.license ?? 'basic';
+
+  if (getFips() === 1) {
+    // Set license to 'trial' if Node is running in FIPS mode
+    license = 'trial';
+  }
+
   const usersToBeAdded = settings.users ?? [];
   if (usersToBeAdded.length > 0) {
     if (license !== 'trial') {
@@ -274,6 +293,7 @@ export function createTestServers({
           hosts: es.getHostUrls(),
           username: kibanaServerTestUser.username,
           password: kibanaServerTestUser.password,
+          ...(getFips() ? kbnSettings.elasticsearch : {}),
         };
       }
 

packages/core/test-helpers/core-test-helpers-kbn-server/tsconfig.json

@@ -20,6 +20,7 @@
     "@kbn/repo-packages",
     "@kbn/es",
     "@kbn/dev-utils",
+    "@kbn/safer-lodash-set",
   ],
   "exclude": [
     "target/**/*",

packages/kbn-es/src/install/install_source.ts

@@ -84,15 +84,15 @@ async function sourceInfo(cwd: string, license: string, log: ToolingLog = defaul
   log.info('on %s at %s', chalk.bold(branch), chalk.bold(sha));
   log.info('%s locally modified file(s)', chalk.bold(status.modified.length));
 
-  const etag = crypto.createHash('md5').update(branch);
+  const etag = crypto.createHash('sha256').update(branch);
   etag.update(sha);
 
   // for changed files, use last modified times in hash calculation
   status.files.forEach((file) => {
     etag.update(fs.statSync(path.join(cwd, file.path)).mtime.toString());
   });
 
-  const cwdHash = crypto.createHash('md5').update(cwd).digest('hex').substr(0, 8);
+  const cwdHash = crypto.createHash('sha256').update(cwd).digest('hex').substr(0, 8);
 
   const basename = `${branch}-${task}-${cwdHash}`;
   const filename = `${basename}.${ext}`;

packages/kbn-test/src/es/test_es_cluster.ts

@@ -21,6 +21,7 @@ import type { ToolingLog } from '@kbn/tooling-log';
 import { REPO_ROOT } from '@kbn/repo-info';
 import type { ArtifactLicense } from '@kbn/es';
 import type { ServerlessOptions } from '@kbn/es/src/utils';
+import { getFips } from 'crypto';
 import { CI_PARALLEL_PROCESS_PREFIX } from '../ci_parallel_process_prefix';
 import { esTestConfig } from './es_test_config';
 
@@ -200,12 +201,15 @@ export function createTestEsCluster<
 
   const esArgs = assignArgs(defaultEsArgs, customEsArgs);
 
+  // Use 'trial' license if FIPS mode is enabled, otherwise use the provided license or default to 'basic'
+  const testLicense: ArtifactLicense = getFips() === 1 ? 'trial' : license ? license : 'basic';
+
   const config = {
     version: esVersion,
     installPath: Path.resolve(basePath, clusterName),
     sourcePath: Path.resolve(REPO_ROOT, '../elasticsearch'),
+    license: testLicense,
     password,
-    license,
     basePath,
     esArgs,
     resources: files,