diff --git a/filebeat/input/v2/loader.go b/filebeat/input/v2/loader.go index ef76d1b596ac..0331e95155cb 100644 --- a/filebeat/input/v2/loader.go +++ b/filebeat/input/v2/loader.go @@ -20,6 +20,7 @@ package v2 import ( "fmt" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/feature" conf "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" @@ -96,6 +97,10 @@ func (l *Loader) Configure(cfg *conf.C) (Input, error) { log.Warnf("DEPRECATED: The %v input is deprecated", name) } + if common.FIPSMode && p.ExcludeFromFIPS { + return nil, fmt.Errorf("running a FIPS-capable distribution but input [%s] is not FIPS capable", name) + } + return p.Manager.Create(cfg) } diff --git a/filebeat/input/v2/loader_test.go b/filebeat/input/v2/loader_test.go index be52c0d6737e..061fa0ef2815 100644 --- a/filebeat/input/v2/loader_test.go +++ b/filebeat/input/v2/loader_test.go @@ -21,6 +21,9 @@ import ( "errors" "testing" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/feature" conf "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" @@ -180,6 +183,33 @@ func TestLoader_Configure(t *testing.T) { } } +func TestLoader_ConfigureFIPS(t *testing.T) { + loaderCfg := loaderConfig{ + Plugins: []Plugin{ + { + Name: "a", + Stability: feature.Stable, + Manager: ConfigureWith(func(_ *conf.C) (Input, error) { + return nil, nil + }), + ExcludeFromFIPS: true, + }, + }, + TypeField: "type", + } + + loader := loaderCfg.MustNewLoader() + input, err := loader.Configure(conf.MustNewConfigFrom(map[string]any{"type": "a"})) + require.Nil(t, input) + + if common.FIPSMode { + require.Error(t, err) + } else { + require.NoError(t, err) + } + t.Logf("FIPS mode = %v; err = %v", common.FIPSMode, err) +} + func (b loaderConfig) MustNewLoader() *Loader { l, err := b.NewLoader() if err != nil { diff --git a/filebeat/input/v2/plugin.go b/filebeat/input/v2/plugin.go index 15a8b0f8ebed..7a5cfcdbab7d 100644 --- a/filebeat/input/v2/plugin.go +++ b/filebeat/input/v2/plugin.go @@ -60,6 +60,11 @@ type Plugin struct { // Manager MUST be configured. The manager is used to create the inputs. Manager InputManager + + // ExcludeFromFIPS indicates whether this plugin should not be usable in + // FIPS-capable Filebeat distributions. If set to true, FIPS-capable Filebeat + // distributions will exit with an error if this plugin is configured for use. + ExcludeFromFIPS bool } func (p Plugin) validate() error { diff --git a/libbeat/common/mode_fips.go b/libbeat/common/mode_fips.go new file mode 100644 index 000000000000..3823f04a5d41 --- /dev/null +++ b/libbeat/common/mode_fips.go @@ -0,0 +1,23 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +//go:build requirefips + +package common + +// FIPSMode = true indicates that this is a FIPS-capable distribution. +const FIPSMode = true diff --git a/libbeat/common/mode_nofips.go b/libbeat/common/mode_nofips.go new file mode 100644 index 000000000000..506bfd8721a7 --- /dev/null +++ b/libbeat/common/mode_nofips.go @@ -0,0 +1,23 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +//go:build !requirefips + +package common + +// FIPSMode = false indicates that this is not a FIPS-capable distribution. +const FIPSMode = false