Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipeline #192632
Conversation
kc13greiner
added
Team:Security
Co-authored-by: Brad White <Ikuni17@users.noreply.github.com>
kc13greiner
removed
the
Team:Security
| depends_on: build | ||
| timeout_in_minutes: 10 | ||
| env: | ||
| FTR_CONFIGS_SCRIPT: '.buildkite/scripts/steps/test/ftr_configs.sh' | ||
| FTR_EXTRA_ARGS: '$FTR_EXTRA_ARGS' | ||
| LIMIT_CONFIG_TYPE: 'functional' | ||
| JEST_UNIT_SCRIPT: '.buildkite/scripts/steps/test/jest.sh' |
There was a problem hiding this comment.
It doesn't look like these will run with FIPS enabled.
kibana/.buildkite/scripts/common/env.sh
Lines 143 to 146 in 833a267
NODE_OPTIONS for jest at
There was a problem hiding this comment.
Ok I think I have it setup properly now!
There was a problem hiding this comment.
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
kc13greiner
changed the title
| let coreContext: ReturnType<typeof mockCoreContext.create>; | ||
| let service: SecurityService; | ||
| describe('SecurityService', function () { | ||
| if (getFips() !== 1) { |
There was a problem hiding this comment.
question: can we add a code comment here explaining why we're doing this? Do all these tests fail in FIPS? Even #registerSecurityDelegate?
There was a problem hiding this comment.
Ah you are correct, I meant to modify this test and I will add the config for both cases, these should pass regardless of FIPS (except the FIPS check itself)
| @@ -75,6 +77,13 @@ export function createRootWithSettings( | |||
| pkg.version = customKibanaVersion; | |||
| } | |||
|
|
|||
| let oss = true; | |||
There was a problem hiding this comment.
Tip
Also a comment here would be helpful.
| if (getFips() === 1) { | ||
| // Set license to 'trial' if Node is running in FIPS mode | ||
| license = 'trial'; | ||
| } |
There was a problem hiding this comment.
Warning
I think it’s fine to default to trial instead of basic when we’re in FIPS mode and the license isn’t explicitly specified in settings. However, I’m a bit concerned about cases where some test suites request a specific license to verify behavior unique to that license, but we override it with trial.
Do we have many test suites that specify a license different from trial? Would it be an option to toggle the correct license at the point where it’s specified? That way, if certain tests don’t make sense to run with trial, we can explicitly skip them there.
There was a problem hiding this comment.
Similar to other responses, I think it is important to run as many tests as possible for maximum lines run in FIPS. I only skip if the overrides would break the tests. If a basic license test "runs" successfully with a trial license, I believe we should run it.
There was a problem hiding this comment.
I tend to agree with Oleg's concern that with FIPs mode on there is a possibility that we may subtly change test coverage by overriding explicit settings that could potentially surprise test authors:
Test authors may specify basic but actually it is gonna run both basic and trial. Given it's both today I tend to think this is OK (we are not losing coverage), but it could be surprising.
One alternative, instead of implicitly overriding settings in FIPs we can overtly error out with something like:
// If explicitly set, we throw something like this:
if (getFips() === 1 && (cliArgs.oss === true || settings.es?.license !== 'trial')) {
throw new Error(`
explicitly setting "cliArgs.oss: true" or "settings.es.license" to something other than "trial" is not compatible in FIPs mode.
Ensure that this test is skipped in FIPs mode in the following way...
`)
} Doing a search for license: 'basic' or oss: true in integration_tests does not turn up many results so perhaps skipping this set of tests in FIPs for now is an OK trade-off?
Weakly held opinion, WDY both T?
There was a problem hiding this comment.
I think it is important to run as many tests as possible for maximum lines run in FIPS
I agree!
If a basic license test "runs" successfully with a trial license, I believe we should run it.
The use case I had in mind was something like this: "test that this functionality is available and works correctly when the license is basic, potentially deviating from behavior in trial, so that if I mess up the license checks in my code, breaking my feature for basic, this test will catch it". If we silently switch the license to trial, it won’t test what the test author intended. Admittedly and as JL mentioned, it’s not a huge concern since, even though the FIPS test might mistakenly pass, the original non-FIPS test would still fail.
Doing a search for license: 'basic' or oss: true in integration_tests does not turn up many results so perhaps skipping this set of tests in FIPs for now is an OK trade-off?
If it doesn’t involve a lot of changes, I think it’s a reasonable trade-off 👍 Otherwise, feel free to ignore my concern, as I’m more in favor of running potentially misleading FIPS-related tests than not running them.
There was a problem hiding this comment.
++ Ok I can get on board with something like theat. There will be many more FIPS related PRs (not for this initial release, but for FRH and when we have to target 140-3). I will definitely take these recommendations into consideration as well as trying to expand the configuration options for Integration Tests to make allow for just single plugins to be enabled (vs. OSS=false)
| @@ -292,6 +307,7 @@ export function createTestServers({ | |||
| hosts: es.getHostUrls(), | |||
| username: kibanaServerTestUser.username, | |||
| password: kibanaServerTestUser.password, | |||
| ...(getFips() ? kbnSettings.elasticsearch : {}), | |||
There was a problem hiding this comment.
question: why do we need this?
There was a problem hiding this comment.
in is_scripting_enabled.test.ts the es settings were not being copied over since I had overridden the license to be trial, so I added this just for FIPS mode so we could have the es settings propagated and the trial license
There was a problem hiding this comment.
Got it, thanks for clarifying, I think it'd worth having a comment then (my favorite comment is about comments 😆)
| }, | ||
| import { getFips } from 'crypto'; | ||
|
|
||
| if (getFips() === 0) { |
There was a problem hiding this comment.
question: Here and in all similar places: is this a temporary measure? If so, are we tracking all the tests that were disabled somewhere to ensure we remember to re-enable them at some point? If it’s not temporary, could we add a comment explaining why we’re doing this and what areas are affected?
There was a problem hiding this comment.
I cant say it is temporary; I had to disable oss so xpack plugins would register and allow xpack.security.... configs to be allowed.
I think we would have to change the jest integration tests to allow me to add less broad-sweeping overrides.
I am not keeping track per se, but the search to find them is pretty straightforward.
the test in the else (FIPS portion) has the explanation (below), but Im happy to add a comment if you think that is clearer:
'is running in FIPS mode, skipping tests since they fail due to FIPS overrides'
There was a problem hiding this comment.
I see, I was just wondering if there was a clear, describable reason why certain tests fail in FIPS, like, for example, “dynamic config relies on MD5 for … and is hence not compatible with FIPS”. But if that’s not the case, or if it’s too much work to pinpoint and describe the reason for every such exception, feel free to keep things as they are, it's not worth it.
| @@ -42,7 +44,7 @@ describe('migrator-only node', () => { | |||
| '--no-optimizer', | |||
| '--no-base-path', | |||
| '--no-watch', | |||
| '--oss', | |||
| isFipsEnabled ? '--xpack.security.experimental.fipsMode.enabled=true' : '--oss', | |||
There was a problem hiding this comment.
I’m surprised we’re still testing OSS stuff (maybe we could save some CI costs… just saying) 🙈
There was a problem hiding this comment.
🤷♂️ They were running OSS when I found them!
There was a problem hiding this comment.
Yeah, it was more of a question for the Core Team 🙂
There was a problem hiding this comment.
As I understand it, the --oss flag actually helps these integration tests start up a bit faster since we are excluding loading any xpack plug-ins.
| manageES = await startES(); | ||
| manageKbn = await startKibana(); | ||
| esClient = manageKbn.coreStart.elasticsearch.client.asInternalUser; | ||
| esClient = manageKbn.coreStart.elasticsearch.createClient('es.test').asInternalUser; |
There was a problem hiding this comment.
question: I'm curious what this change does?
There was a problem hiding this comment.
This is changing the test to use a dedicated ES Client, instead of a shared one. I added it to squash some flakiness I was experiencing
There was a problem hiding this comment.
That’s weird, as I can’t think of any plausible reason why there would be an issue with the shared ES client, but I’ll defer to the code owners. Maybe they have some idea.
There was a problem hiding this comment.
@azasypkin this test was built to run without xpack plugins, and it just so happened that the shared ES client wasn't used by any other non-xpack plugin during the lifespan of the test.
When running this in FIPS mode, we have to include x-pack, and there are a number of x-pack plugins which use the shared client during their initialization phase. For example, the spaces plugin asserts that the default space exists. These additional usages of the shared client were causing some assertions in these tests to fail. By using a dedicated ES client, it removes the noise generated by other running plugins.
There was a problem hiding this comment.
Oh, I see that we set up spies for the ES client methods. Got it, thanks for adding more context @legrego, makes sense now.
| const fileHash = createFileHashTransform(algorithm); | ||
| await file.uploadContent(fileContent, undefined, { | ||
| transforms: [fileHash], | ||
| if (getFips() !== 1) { |
There was a problem hiding this comment.
question: can we have something like this to not duplicate the test body?
it.each([
['sha1', 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3'],
['sha256', '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'],
[
'sha512',
'ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff',
],
...(getFips() !== 1 ? [['md5', '098f6bcd4621d373cade4e832627b4f6']] : []),
] as Array<[SupportedFileHashAlgorithm, string]>)(There was a problem hiding this comment.
ahh that is much cleaner - fixing it!
| @@ -17,7 +17,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { | |||
| const kibanaServer = getService('kibanaServer'); | |||
| const dashboardAddPanel = getService('dashboardAddPanel'); | |||
|
|
|||
| describe('dashboard panel listing', () => { | |||
| describe('dashboard panel listing', function () { | |||
| this.tags('skipFIPS'); | |||
There was a problem hiding this comment.
Tip
Here and for other skips - it would be helpful to have a comment with a justification, and to track this somewhere if we intend to unskip them eventually.
There was a problem hiding this comment.
I think a follow up PR to 1) add comments to all skipped tests 2) try to fix the FTR FIPS Role overrides would be worthwhile.
There was a problem hiding this comment.
Sounds good to me. As I mentioned in #192632 (comment), it would only be worth adding comments if we can clearly articulate the problem to help future readers. Otherwise, it’s fine to keep it as is.
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
cc @kc13greiner |
kc13greiner
added
backport:version
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11917488539 |
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11917488475 |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
1 similar comment
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…ine (elastic#192632) ## Summary Closes elastic#192233 Just in time for Thanksgiving - a full buffet of FIPS testing fixes Usage of non-compliant algorithms manifest as runtime errors, so it is imperative that we attempt to run all tests possible with Kibana in FIPS mode. However, several overrides are needed to run Kibana in FIPS mode, resulting in setup that make it impossible to run. ## In this PR - Enable Unit tests for FIPS pipeline - Enable Integration Tests for FIPS pipeline - Enable Full FTR suite for FIPS pipeline (smoke test had originally run a subset) - Skip tests that break with overrides - Fix/change tests to work in FIPS mode to maximize coverage - Examine necessity of MD5 when installing from source (TBD based Ops PR feed back, see self review below) - Remove md5 from es_file_client options ## Latest Successful FIPS Test Run https://buildkite.com/elastic/kibana-fips/builds/268 --------- Co-authored-by: Brad White <Ikuni17@users.noreply.github.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Larry Gregory <larry.gregory@elastic.co> (cherry picked from commit ac0b0b4) # Conflicts: # packages/kbn-es/src/install/install_source.ts # src/core/server/integration_tests/config/check_dynamic_config.test.ts # src/core/server/integration_tests/core_app/default_route_provider_config.test.ts
… Pipeline (#192632) (#200780) # Backport This will backport the following commits from `main` to `8.x`: - [Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipeline (#192632)](#192632) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kurt","email":"kc13greiner@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-19T13:31:47Z","message":"Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipeline (#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of non-compliant algorithms manifest as runtime errors, so it is\r\nimperative that we attempt to run all tests possible with Kibana in FIPS\r\nmode. However, several overrides are needed to run Kibana in FIPS mode,\r\nresulting in setup that make it impossible to run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable Full FTR suite for FIPS pipeline (smoke test had originally run\r\na subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5 when installing from source (TBD based Ops PR\r\nfeed back, see self review below)\r\n- Remove md5 from es_file_client options\r\n\r\n## Latest Successful FIPS Test Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by: Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory <larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","ci:build-docker-fips","backport:version","v8.17.0"],"number":192632,"url":"https://github.com/elastic/kibana/pull/192632","mergeCommit":{"message":"Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipeline (#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of non-compliant algorithms manifest as runtime errors, so it is\r\nimperative that we attempt to run all tests possible with Kibana in FIPS\r\nmode. However, several overrides are needed to run Kibana in FIPS mode,\r\nresulting in setup that make it impossible to run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable Full FTR suite for FIPS pipeline (smoke test had originally run\r\na subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5 when installing from source (TBD based Ops PR\r\nfeed back, see self review below)\r\n- Remove md5 from es_file_client options\r\n\r\n## Latest Successful FIPS Test Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by: Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory <larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192632","number":192632,"mergeCommit":{"message":"Enabling Full FTR, Integration, and Unit tests to the FIPS Test Pipeline (#192632)\n\n## Summary\r\n\r\nCloses #192233 \r\n\r\nJust in time for Thanksgiving - a full buffet of FIPS testing fixes\r\n\r\nUsage of non-compliant algorithms manifest as runtime errors, so it is\r\nimperative that we attempt to run all tests possible with Kibana in FIPS\r\nmode. However, several overrides are needed to run Kibana in FIPS mode,\r\nresulting in setup that make it impossible to run.\r\n\r\n## In this PR\r\n\r\n- Enable Unit tests for FIPS pipeline\r\n- Enable Integration Tests for FIPS pipeline\r\n- Enable Full FTR suite for FIPS pipeline (smoke test had originally run\r\na subset)\r\n- Skip tests that break with overrides\r\n- Fix/change tests to work in FIPS mode to maximize coverage\r\n- Examine necessity of MD5 when installing from source (TBD based Ops PR\r\nfeed back, see self review below)\r\n- Remove md5 from es_file_client options\r\n\r\n## Latest Successful FIPS Test Run\r\n\r\nhttps://buildkite.com/elastic/kibana-fips/builds/268\r\n\r\n---------\r\n\r\nCo-authored-by: Brad White <Ikuni17@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>\r\nCo-authored-by: Larry Gregory <larry.gregory@elastic.co>","sha":"ac0b0b4f05876f1c66f5b4fde7965a1955b90ec0"}},{"branch":"8.x","label":"v8.17.0","labelRegex":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
…ine (elastic#192632) ## Summary Closes elastic#192233 Just in time for Thanksgiving - a full buffet of FIPS testing fixes Usage of non-compliant algorithms manifest as runtime errors, so it is imperative that we attempt to run all tests possible with Kibana in FIPS mode. However, several overrides are needed to run Kibana in FIPS mode, resulting in setup that make it impossible to run. ## In this PR - Enable Unit tests for FIPS pipeline - Enable Integration Tests for FIPS pipeline - Enable Full FTR suite for FIPS pipeline (smoke test had originally run a subset) - Skip tests that break with overrides - Fix/change tests to work in FIPS mode to maximize coverage - Examine necessity of MD5 when installing from source (TBD based Ops PR feed back, see self review below) - Remove md5 from es_file_client options ## Latest Successful FIPS Test Run https://buildkite.com/elastic/kibana-fips/builds/268 --------- Co-authored-by: Brad White <Ikuni17@users.noreply.github.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
…ine (elastic#192632) ## Summary Closes elastic#192233 Just in time for Thanksgiving - a full buffet of FIPS testing fixes Usage of non-compliant algorithms manifest as runtime errors, so it is imperative that we attempt to run all tests possible with Kibana in FIPS mode. However, several overrides are needed to run Kibana in FIPS mode, resulting in setup that make it impossible to run. ## In this PR - Enable Unit tests for FIPS pipeline - Enable Integration Tests for FIPS pipeline - Enable Full FTR suite for FIPS pipeline (smoke test had originally run a subset) - Skip tests that break with overrides - Fix/change tests to work in FIPS mode to maximize coverage - Examine necessity of MD5 when installing from source (TBD based Ops PR feed back, see self review below) - Remove md5 from es_file_client options ## Latest Successful FIPS Test Run https://buildkite.com/elastic/kibana-fips/builds/268 --------- Co-authored-by: Brad White <Ikuni17@users.noreply.github.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
Summary
Closes #192233
Just in time for Thanksgiving - a full buffet of FIPS testing fixes
Usage of non-compliant algorithms manifest as runtime errors, so it is imperative that we attempt to run all tests possible with Kibana in FIPS mode. However, several overrides are needed to run Kibana in FIPS mode, resulting in setup that make it impossible to run.
In this PR
Latest Successful FIPS Test Run
https://buildkite.com/elastic/kibana-fips/builds/268