From 5cfeba5803326e2948e47a3ce2bba4af9eb9ecf8 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Thu, 25 Sep 2025 10:16:47 -0700 Subject: [PATCH 01/23] Bump Go version to 1.25.1 --- .go-version | 2 +- NOTICE.txt | 4 ++-- auditbeat/Dockerfile | 2 +- dev-tools/kubernetes/filebeat/Dockerfile.debug | 2 +- dev-tools/kubernetes/heartbeat/Dockerfile.debug | 2 +- dev-tools/kubernetes/metricbeat/Dockerfile.debug | 2 +- go.mod | 4 ++-- go.sum | 4 ++-- heartbeat/Dockerfile | 2 +- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- metricbeat/module/http/_meta/Dockerfile | 2 +- metricbeat/module/vsphere/_meta/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- x-pack/metricbeat/module/stan/_meta/Dockerfile | 2 +- 15 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.go-version b/.go-version index 59b054466064..26a9e99b38be 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.13 +1.25.4 diff --git a/NOTICE.txt b/NOTICE.txt index 2d085b071194..46d244d8f08b 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -16532,11 +16532,11 @@ Contents of probable licence file $GOMODCACHE/github.com/gomodule/redigo@v1.9.3/ -------------------------------------------------------------------------------- Dependency : github.com/google/cel-go -Version: v0.25.0 +Version: v0.26.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.25.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/google/cel-go@v0.26.1/LICENSE: Apache License diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index dfa5f485f313..769fc2fa56b2 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm RUN \ apt-get update \ 
diff --git a/dev-tools/kubernetes/filebeat/Dockerfile.debug b/dev-tools/kubernetes/filebeat/Dockerfile.debug index 70a0ecf534f6..2af090c81ba0 100644 --- a/dev-tools/kubernetes/filebeat/Dockerfile.debug +++ b/dev-tools/kubernetes/filebeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.4-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/dev-tools/kubernetes/heartbeat/Dockerfile.debug b/dev-tools/kubernetes/heartbeat/Dockerfile.debug index 454032afb38f..d62210efd48a 100644 --- a/dev-tools/kubernetes/heartbeat/Dockerfile.debug +++ b/dev-tools/kubernetes/heartbeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.4-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/dev-tools/kubernetes/metricbeat/Dockerfile.debug b/dev-tools/kubernetes/metricbeat/Dockerfile.debug index 4b51753e891c..95fd00aac058 100644 --- a/dev-tools/kubernetes/metricbeat/Dockerfile.debug +++ b/dev-tools/kubernetes/metricbeat/Dockerfile.debug @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm as builder +FROM golang:1.25.4-bookworm as builder ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin diff --git a/go.mod b/go.mod index fa184a955363..5a3908de1732 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/beats/v7 -go 1.24.13 +go 1.25.4 require ( cloud.google.com/go/bigquery v1.69.0 @@ -188,7 +188,7 @@ require ( github.com/go-resty/resty/v2 v2.17.1 github.com/gofrs/uuid/v5 v5.3.2 github.com/golang-jwt/jwt/v5 v5.3.0 - github.com/google/cel-go v0.25.0 + github.com/google/cel-go v0.26.1 github.com/googleapis/gax-go/v2 v2.15.0 github.com/gorilla/handlers v1.5.1 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 diff --git a/go.sum b/go.sum index 1217cf00f746..b696f4ae4b55 100644 --- a/go.sum +++ b/go.sum 
@@ -604,8 +604,8 @@ github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs= github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.9.3 h1:dNPSXeXv6HCq2jdyWfjgmhBdqnR6PRO3m/G05nvpPC8= github.com/gomodule/redigo v1.9.3/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw= -github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY= -github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI= +github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ= +github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q= github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 5307b48d604c..ef290b488ceb 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm RUN \ apt-get update \ diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 26fee6f23609..2769e92862f0 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 9.3.0 :doc-branch: current -:go-version: 1.24.13 +:go-version: 1.25.4 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index aef808d92b3d..5569f7c21b1e 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile 
@@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm COPY --from=docker:26.0.0-alpine3.19 /usr/local/bin/docker /usr/local/bin/ COPY --from=docker:26.0.0-alpine3.19 /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/lib/docker/cli-plugins/docker-compose diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index df34ec3b0853..49a14654d482 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm COPY test/main.go main.go diff --git a/metricbeat/module/vsphere/_meta/Dockerfile b/metricbeat/module/vsphere/_meta/Dockerfile index f18078fde01f..81eb9a401d7c 100644 --- a/metricbeat/module/vsphere/_meta/Dockerfile +++ b/metricbeat/module/vsphere/_meta/Dockerfile @@ -1,5 +1,5 @@ ARG VSPHERE_GOLANG_VERSION -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm RUN apt-get install curl git RUN go install github.com/vmware/govmomi/vcsim@v0.30.4 diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index bf2f3d97aa47..03dbda9973b9 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.13-bookworm +FROM golang:1.25.4-bookworm RUN \ apt-get update \ diff --git a/x-pack/metricbeat/module/stan/_meta/Dockerfile b/x-pack/metricbeat/module/stan/_meta/Dockerfile index 66efaecbb10c..b3d589c444f8 100644 --- a/x-pack/metricbeat/module/stan/_meta/Dockerfile +++ b/x-pack/metricbeat/module/stan/_meta/Dockerfile @@ -2,7 +2,7 @@ ARG STAN_VERSION=0.15.1 FROM nats-streaming:$STAN_VERSION # build stage -FROM golang:1.24.13-bookworm AS build-env +FROM golang:1.25.4-bookworm AS build-env RUN apt-get install git mercurial gcc RUN git clone https://github.com/nats-io/stan.go.git /stan-go RUN cd /stan-go/examples/stan-bench && git checkout tags/v0.5.2 && go build . From 6e04af4dd1aa51b66238aaacc085edd5b72a889f Mon Sep 17 00:00:00 2001 
From: Shaunak Kashyap Date: Thu, 25 Sep 2025 10:28:31 -0700 Subject: [PATCH 02/23] Bump the version of golangci-lint --- .github/workflows/golangci-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 623a1d2921c5..7e7066a6cd64 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -36,7 +36,7 @@ jobs: uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: v2.1.0 + version: v2.5.0 # Give the job more time to execute. # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but, From 3a4aacdc6a9c8fb8c4d68f4881238c739edd3e67 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Thu, 25 Sep 2025 13:27:25 -0700 Subject: [PATCH 03/23] Use net.JoinHostPort --- heartbeat/hbtest/hbtestutil.go | 2 +- heartbeat/monitors/active/http/http_test.go | 5 +++-- libbeat/processors/add_kubernetes_metadata/indexers.go | 6 ++++-- libbeat/processors/add_kubernetes_metadata/indexers_test.go | 6 ++++-- metricbeat/helper/server/tcp/tcp_test.go | 6 +++--- metricbeat/helper/server/udp/udp_test.go | 5 +++-- x-pack/metricbeat/module/airflow/statsd/data_test.go | 3 ++- 7 files changed, 20 insertions(+), 13 deletions(-) diff --git a/heartbeat/hbtest/hbtestutil.go b/heartbeat/hbtest/hbtestutil.go index 74cc99648140..50588a7aac86 100644 --- a/heartbeat/hbtest/hbtestutil.go +++ b/heartbeat/hbtest/hbtestutil.go 
@@ -212,7 +212,7 @@ func ResolveChecks(ip string) validator.Validator { func SimpleURLChecks(t *testing.T, scheme string, host string, port uint16) validator.Validator { hostPort := host if port != 0 { - hostPort = fmt.Sprintf("%s:%d", host, port) + hostPort = net.JoinHostPort(host, strconv.Itoa(int(port))) } u, err := url.Parse(fmt.Sprintf("%s://%s", scheme, hostPort)) diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index de786fba2862..460acf35f4f2 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -32,6 +32,7 @@ import ( "os" "path" "reflect" + "strconv" "sync" "testing" "time" @@ -620,7 +621,7 @@ func TestConnRefusedJob(t *testing.T) { lookslike.Strict(lookslike.Compose( hbtest.BaseChecks(ip, "down", "http"), hbtest.SummaryStateChecks(0, 1), - hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)), + hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))), urlChecks(url), )), event.Fields, @@ -642,7 +643,7 @@ func TestUnreachableJob(t *testing.T) { lookslike.Strict(lookslike.Compose( hbtest.BaseChecks(ip, "down", "http"), hbtest.SummaryStateChecks(0, 1), - hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, fmt.Sprintf("%s:%d", ip, port)), + hbtest.ECSErrCodeChecks(ecserr.CODE_NET_COULD_NOT_CONNECT, net.JoinHostPort(ip, strconv.Itoa(int(port)))), urlChecks(url), )), event.Fields, diff --git a/libbeat/processors/add_kubernetes_metadata/indexers.go b/libbeat/processors/add_kubernetes_metadata/indexers.go index b3ab387b2068..a60ee2e21ea7 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers.go 
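Review bot: In `SimpleURLChecks` the two branches now expect different host formats. With `port != 0` the host goes through `net.JoinHostPort`, which brackets any host containing a colon, while with `port == 0` the context line `hostPort := host` still places the host into the URL exactly as given. A caller passing an IPv6 literal must therefore leave it bare in one case and bracket it in the other, and an already bracketed value would come out double-bracketed in the port branch. A doc comment would pin the contract down, for example `// host is a hostname or IP literal without brackets when port != 0; with port == 0 it is used verbatim.` The function body continues past the end of the hunk.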
@@ -19,6 +19,8 @@ package add_kubernetes_metadata import ( "fmt" + "net" + "strconv" "github.com/elastic/elastic-agent-autodiscover/kubernetes" "github.com/elastic/elastic-agent-autodiscover/kubernetes/metadata" @@ -247,7 +249,7 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { if port.ContainerPort != 0 { m = append(m, MetadataIndex{ - Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort), + Index: net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort))), Data: h.metaGen.Generate( pod, metadata.WithFields("container.name", container.Name), @@ -279,7 +281,7 @@ func (h *IPPortIndexer) GetIndexes(pod *kubernetes.Pod) []string { for _, port := range ports { if port.ContainerPort != 0 { - hostPorts = append(hostPorts, fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort)) + hostPorts = append(hostPorts, net.JoinHostPort(pod.Status.PodIP, strconv.Itoa(int(port.ContainerPort)))) } } } diff --git a/libbeat/processors/add_kubernetes_metadata/indexers_test.go b/libbeat/processors/add_kubernetes_metadata/indexers_test.go index ab506f45a15a..26768fb9d2bc 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers_test.go @@ -19,6 +19,8 @@ package add_kubernetes_metadata import ( "fmt" + "net" + "strconv" "testing" "github.com/elastic/elastic-agent-autodiscover/kubernetes" 
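Review bot: The index keys built in `IPPortIndexer.GetMetadata` and `GetIndexes` change form for IPv6 pod IPs, because `net.JoinHostPort` emits `[addr]:port` where the old `fmt.Sprintf("%s:%d", ...)` emitted `addr:port`. Whatever looks these keys up has to derive the same bracketed string from the event; that side is not visible in this diff, so it is worth confirming before this reaches IPv6 clusters. I would state the format next to the `Index:` line, e.g. `// Key is host:port as produced by net.JoinHostPort (IPv6 addresses are bracketed).`, and add an IPv6 case to `TestIpPortIndexer`. Both function bodies start and end outside these hunks.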
@@ -468,12 +470,12 @@ func TestIpPortIndexer(t *testing.T) { indexers = ipIndexer.GetMetadata(&pod) assert.Len(t, indexers, 2) assert.Equal(t, ip, indexers[0].Index) - assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indexers[1].Index) + assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indexers[1].Index) indices = ipIndexer.GetIndexes(&pod) assert.Len(t, indices, 2) assert.Equal(t, ip, indices[0]) - assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1]) + assert.Equal(t, net.JoinHostPort(ip, strconv.Itoa(int(port))), indices[1]) assert.Equal(t, expected.String(), indexers[0].Data.String()) expected.Put("kubernetes.container", diff --git a/metricbeat/helper/server/tcp/tcp_test.go b/metricbeat/helper/server/tcp/tcp_test.go index 07dcfea13f3c..80e0a51b1387 100644 --- a/metricbeat/helper/server/tcp/tcp_test.go +++ b/metricbeat/helper/server/tcp/tcp_test.go @@ -20,8 +20,8 @@ package tcp import ( - "fmt" "net" + "strconv" "testing" "github.com/stretchr/testify/assert" @@ -31,7 +31,7 @@ import ( ) func GetTestTcpServer(host string, port int) (server.Server, error) { - addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", host, port)) + addr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(host, strconv.Itoa(int(port)))) if err != nil { return nil, err @@ -80,7 +80,7 @@ func TestTcpServer(t *testing.T) { } func writeToServer(t *testing.T, message, host string, port int) { - servAddr := fmt.Sprintf("%s:%d", host, port) + servAddr := net.JoinHostPort(host, strconv.Itoa(int(port))) tcpAddr, err := net.ResolveTCPAddr("tcp", servAddr) if err != nil { t.Error(err) diff --git a/metricbeat/helper/server/udp/udp_test.go b/metricbeat/helper/server/udp/udp_test.go index 664c4dd23dca..47e5e4702fa3 100644 --- a/metricbeat/helper/server/udp/udp_test.go +++ b/metricbeat/helper/server/udp/udp_test.go 
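Review bot: `strconv.Itoa(int(port))` in `GetTestTcpServer` and `writeToServer` converts a value that the signatures shown in these hunks already declare as `int`, so the conversion does nothing and `strconv.Itoa(port)` is enough. The udp_test.go hunks of the same commit go the other way and replace an existing `strconv.Itoa(port)` with the converted form; those lines could stay as they were. A linter that reports unnecessary conversions would likely flag all four call sites.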
@@ -31,7 +31,7 @@ import ( ) func GetTestUdpServer(host string, port int) (server.Server, error) { - addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, strconv.Itoa(port))) + addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, strconv.Itoa(int(port)))) if err != nil { return nil, err @@ -78,7 +78,8 @@ func TestUdpServer(t *testing.T) { } func writeToServer(t *testing.T, message, host string, port int) { - conn, err := net.Dial("udp", net.JoinHostPort(host, strconv.Itoa(port))) + servAddr := net.JoinHostPort(host, strconv.Itoa(int(port))) + conn, err := net.Dial("udp", servAddr) if err != nil { t.Error(err) t.FailNow() diff --git a/x-pack/metricbeat/module/airflow/statsd/data_test.go b/x-pack/metricbeat/module/airflow/statsd/data_test.go index da8ebc40f46d..d81f0b3fd880 100644 --- a/x-pack/metricbeat/module/airflow/statsd/data_test.go +++ b/x-pack/metricbeat/module/airflow/statsd/data_test.go @@ -8,6 +8,7 @@ import ( "fmt" "net" "runtime" + "strconv" "sync" "testing" @@ -43,7 +44,7 @@ func getConfig() map[string]interface{} { } func createEvent(data string, t *testing.T) { - udpAddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", STATSD_HOST, STATSD_PORT)) + udpAddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(STATSD_HOST, strconv.Itoa(int(STATSD_PORT)))) require.NoError(t, err) conn, err := net.DialUDP("udp", nil, udpAddr) From fc661e096aa62559f401b93bdc6dfe695644a0aa Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Thu, 25 Sep 2025 14:28:47 -0700 Subject: [PATCH 04/23] Remove references to the ms_tls13kdf build tag --- dev-tools/mage/fips-settings.yaml | 1 - dev-tools/mage/gotest.go | 4 ++-- dev-tools/packaging/package_test.go | 1 - testing/go-ech/ech.go | 1 - 4 files changed, 2 insertions(+), 5 deletions(-) diff --git a/dev-tools/mage/fips-settings.yaml b/dev-tools/mage/fips-settings.yaml index 212a3fb4b7b0..e851ec699f2c 100644 --- a/dev-tools/mage/fips-settings.yaml +++ b/dev-tools/mage/fips-settings.yaml 
@@ -10,7 +10,6 @@ compile: MS_GOTOOLCHAIN_TELEMETRY_ENABLED: "0" tags: - requirefips - - ms_tls13kdf platforms: # If the platform list changes, update the platforms for FIPS packaging in CI pipelines '.buildkite/**/pipeline..yml' and '.buildkite/packaging-pipeline.yml' - linux/amd64 diff --git a/dev-tools/mage/gotest.go b/dev-tools/mage/gotest.go index 720b57cd6a9e..556c44f64863 100644 --- a/dev-tools/mage/gotest.go +++ b/dev-tools/mage/gotest.go @@ -127,7 +127,7 @@ func fetchGoPackages(module string) ([]string, error) { // testTagsFromEnv gets a list of comma-separated tags from the TEST_TAGS // environment variables, e.g: TEST_TAGS=aws,azure. -// If the FIPS env var is set to true, the requirefips and ms_tls13kdf tags are injected. +// If the FIPS env var is set to true, the requirefips tag is injected. func testTagsFromEnv() []string { testTags := strings.Trim(os.Getenv("TEST_TAGS"), ", ") var tags []string @@ -135,7 +135,7 @@ func testTagsFromEnv() []string { tags = strings.Split(testTags, ",") } if FIPSBuild { - tags = append(tags, "requirefips", "ms_tls13kdf") + tags = append(tags, "requirefips") } return tags } diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go index 3473dfeb84c6..fb9cb0f167ec 100644 --- a/dev-tools/packaging/package_test.go +++ b/dev-tools/packaging/package_test.go @@ -842,7 +842,6 @@ func checkFIPS(t *testing.T, beatName, path string) { case "-tags": foundTags = true require.Contains(t, setting.Value, "requirefips") - require.Contains(t, setting.Value, "ms_tls13kdf") continue case "GOEXPERIMENT": foundExperiment = true diff --git a/testing/go-ech/ech.go b/testing/go-ech/ech.go index c37bad5ac105..0ff40eb03129 100644 --- a/testing/go-ech/ech.go +++ b/testing/go-ech/ech.go 
@@ -61,7 +61,6 @@ func VerifyFIPSBinary(t *testing.T, binaryPath string) { case "-tags": foundTags = true assert.Contains(t, setting.Value, "requirefips") - assert.Contains(t, setting.Value, "ms_tls13kdf") continue case "GOEXPERIMENT": foundExperiment = true From 073bcd2930f35a0bc16d942a5ebad8dd1fa7d150 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 03:49:37 -0700 Subject: [PATCH 05/23] Download go module dependencies before GODEBUG=fips140=only is set --- x-pack/metricbeat/magefile.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 82bda3e86691..939fba52ff39 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -91,6 +91,15 @@ func GoUnitTest(ctx context.Context) error { func GoFIPSOnlyUnitTest() error { ctx := context.Background() + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + fipsArgs := devtools.DefaultGoFIPSOnlyTestArgs() if isWindows32bitRunner() { fipsArgs.ExtraFlags = append(fipsArgs.ExtraFlags, "-ldflags=-w") From d9fd7c65f05dc0402a67a15d4dd5580065d07781 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 04:48:07 -0700 Subject: [PATCH 06/23] Download go module dependencies before GODEBUG=fips140=only is set --- dev-tools/mage/target/unittest/unittest.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dev-tools/mage/target/unittest/unittest.go b/dev-tools/mage/target/unittest/unittest.go index 8a78d74011dc..679e8a5e31a0 100644 --- a/dev-tools/mage/target/unittest/unittest.go +++ b/dev-tools/mage/target/unittest/unittest.go 
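Review bot: The `go mod download` block added to `GoFIPSOnlyUnitTest` is repeated, comment included, in later patches of this series: dev-tools/mage/target/unittest/unittest.go, `GoFIPSOnlyIntegTest` in this same file, filebeat/magefile.go and metricbeat/magefile.go. One helper in the dev-tools mage package, next to `DefaultGoFIPSOnlyTestArgs`, would reduce the five call sites to a single call and give the explanation one home. The helper is also the place to add context to the error, since a bare `return err` from `sh.RunV` does not say that the failure happened while pre-caching modules rather than in the tests. The helper name below is only a proposal.

```go
// PrefetchGoModules downloads the module dependencies into the local cache.
// Call it before GODEBUG=fips140=only takes effect: the TLS negotiation with
// the Go module proxy may use a key exchange (e.g. X25519) that FIPS 140-only
// mode rejects.
func PrefetchGoModules() error {
	if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil {
		return fmt.Errorf("pre-caching go module dependencies: %w", err)
	}
	return nil
}

// … in GoFIPSOnlyUnitTest, replacing the inlined block …
if err := devtools.PrefetchGoModules(); err != nil {
	return err
}
```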
@@ -23,6 +23,7 @@ import ( "os/exec" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/test" @@ -56,6 +57,15 @@ func GoFIPSOnlyUnitTest() error { ctx := context.Background() mg.SerialCtxDeps(ctx, goTestDeps...) + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + fipsArgs := devtools.DefaultGoFIPSOnlyTestArgs() return devtools.GoTest(ctx, fipsArgs) } From 2f1c0788a1f53d1f6d44191de80fc2f2aafc2518 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 05:08:31 -0700 Subject: [PATCH 07/23] Download go module dependencies before GODEBUG=fips140=only is set --- x-pack/metricbeat/magefile.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 939fba52ff39..a1823adb7162 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go 
@@ -276,6 +276,15 @@ func GoIntegTest(ctx context.Context) error { // Use TEST_TAGS=tag1,tag2 to add additional build tags. // Use MODULE=module to run only tests for `module`. func GoFIPSOnlyIntegTest(ctx context.Context) error { + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + os.Setenv("GODEBUG", "fips140=only") return GoIntegTest(ctx) } From f730bfdd788d4036b67dbd7351a26c40d60032e9 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 06:11:34 -0700 Subject: [PATCH 08/23] Exclude X25519 curve types when testing in FIPS-140-only mode --- testing/testutils/skipFIPS140.go | 12 ++++++-- .../provider/jamf/jamf_test.go | 17 +++++++++++ .../provider/okta/internal/okta/okta_test.go | 30 +++++++++++++++++-- .../provider/okta/okta_test.go | 22 +++++++++++++- .../filebeat/input/lumberjack/server_test.go | 16 ++++++++-- 5 files changed, 87 insertions(+), 10 deletions(-) diff --git a/testing/testutils/skipFIPS140.go b/testing/testutils/skipFIPS140.go index 7f89f7bfc75a..25e5239034de 100644 --- a/testing/testutils/skipFIPS140.go +++ b/testing/testutils/skipFIPS140.go 
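Review bot: The comment added to `GoFIPSOnlyIntegTest` speaks of "the unit tests" although this target runs the integration tests; the same copied wording appears in the filebeat/magefile.go and metricbeat/magefile.go hunks of patch 10. Suggested wording: `// Pre-cache Go module dependencies before GODEBUG=fips140=only is set for the integration tests.` Placing the download before `os.Setenv("GODEBUG", "fips140=only")` is the right order. It presumably only helps when the caller has not already exported that GODEBUG value into mage's environment, which may deserve a line in the comment.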
@@ -26,10 +26,16 @@ import ( // SkipIfFIPSOnly will mark the passed test as skipped if GODEBUG=fips140=only is detected. // If GODEBUG=fips140=on, go may call non-compliant algorithms and the test does not need to be skipped. func SkipIfFIPSOnly(t *testing.T, msg string) { + if IsFIPS140Only() { + t.Skip("GODEBUG=fips140=only detected, skipping test:", msg) + } +} + +// IsFIPS140Only returns true if GODEBUG=fips140=only is set. Note that +// we only set GODEBUG=fips140=only while testing. +func IsFIPS140Only() bool { // NOTE: This only checks env var; at the time of writing fips140 can only be set via env // other GODEBUG settings can be set via embedded comments or in go.mod, we may need to account for this in the future. s := os.Getenv("GODEBUG") - if strings.Contains(s, "fips140=only") { - t.Skip("GODEBUG=fips140=only detected, skipping test:", msg) - } + return strings.Contains(s, "fips140=only") } diff --git a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go index 9ca7128d11c3..69ab16dde7de 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go @@ -6,6 +6,8 @@ package jamf import ( "context" + "crypto/tls" + "crypto/x509" "encoding/json" "flag" "fmt" @@ -21,6 +23,7 @@ import ( "github.com/google/go-cmp/cmp" "gopkg.in/natefinch/lumberjack.v2" + "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/jamf/internal/jamf" "github.com/elastic/elastic-agent-libs/logp" ) 
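Review bot: `IsFIPS140Only` matches the substring `fips140=only` anywhere in GODEBUG, and with this series that result now selects TLS settings in several tests instead of only deciding a skip. GODEBUG is a comma-separated list of `name=value` entries, so a substring test also matches inside a longer name and cannot tell which entry applies when `fips140` appears twice (as far as I know the last one takes effect). Parsing the entries and comparing the `fips140` value exactly keeps the helper in line with what the runtime applies.

```go
func IsFIPS140Only() bool {
	// … unchanged: NOTE comment about env-only detection …
	only := false
	for _, kv := range strings.Split(os.Getenv("GODEBUG"), ",") {
		name, value, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if ok && name == "fips140" {
			only = value == "only"
		}
	}
	return only
}
```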
@@ -149,6 +152,20 @@ func testContext() (tenant string, username string, password string, client *htt tenant = u.Host cli := srv.Client() + if testutils.IsFIPS140Only() { + // Exclude X25519 curves when in FIPS mode, otherwise we get the error: + // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, + // while testing. + certpool := x509.NewCertPool() + certpool.AddCert(srv.Certificate()) + cli.Transport = &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: certpool, + CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, + }, + } + } return tenant, username, password, cli, srv.Close, nil } diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go index 2bebc5b6a94b..659e2ebe28a1 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go @@ -7,6 +7,8 @@ package okta import ( "context" + "crypto/tls" + "crypto/x509" "encoding/json" "errors" "flag" @@ -20,6 +22,8 @@ import ( "testing" "time" + "github.com/elastic/beats/v7/testing/testutils" + "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "golang.org/x/time/rate" @@ -366,7 +370,7 @@ func TestLocal(t *testing.T) { query := make(url.Values) query.Set("limit", "200") - got, h, err := test.fn(context.Background(), ts.Client(), host, key, test.id, query, limiter, logger) + got, h, err := test.fn(context.Background(), getTestClient(ts), host, key, test.id, query, limiter, logger) if err != nil { t.Fatalf("unexpected error from Get_Details: %v", err) } 
@@ -513,7 +517,7 @@ func TestRateLimitRetries(t *testing.T) { // retry until there's a non-429 response query := make(url.Values) query.Set("limit", "200") - got, _, err := GetUserDetails(context.Background(), ts.Client(), host, key, "", query, OmitNone, limiter, logger) + got, _, err := GetUserDetails(context.Background(), getTestClient(ts), host, key, "", query, OmitNone, limiter, logger) if err != nil { t.Fatalf("unexpected error from Get_Details: %v", err) } @@ -524,7 +528,7 @@ func TestRateLimitRetries(t *testing.T) { // stop trying after the maximum retries query = make(url.Values) query.Set("limit", "200") - _, _, err = GetUserDetails(context.Background(), ts.Client(), host, key, "", query, OmitNone, limiter, logger) + _, _, err = GetUserDetails(context.Background(), getTestClient(ts), host, key, "", query, OmitNone, limiter, logger) expectedErrMsg := "maximum retries (5) finished without success" if err == nil { t.Errorf("expected the error '%s', but got no error", expectedErrMsg) @@ -534,3 +538,23 @@ func TestRateLimitRetries(t *testing.T) { }) } + +func getTestClient(srv *httptest.Server) *http.Client { + client := srv.Client() + if testutils.IsFIPS140Only() { + // Exclude X25519 curves when in FIPS mode, otherwise we get the error: + // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, + // while testing. + certpool := x509.NewCertPool() + certpool.AddCert(srv.Certificate()) + client.Transport = &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: certpool, + CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, + }, + } + } + + return client +} diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go index 5e9974ee6b8a..51700ee597f2 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go 
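Review bot: `getTestClient` discards the transport that `srv.Client()` configured and builds a new `http.Transport` carrying only `RootCAs` and `CurvePreferences`, so under FIPS-only mode these tests run with a differently configured client than in normal mode. Patch 09 of this series switches jamf_test.go and provider/okta/okta_test.go to setting `CurvePreferences` on the existing transport, but this helper is not touched there. Doing the same here, e.g. `tr, ok := client.Transport.(*http.Transport)` and then `tr.TLSClientConfig.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}` when `ok`, keeps the three tests consistent. The `crypto/x509` import added by this patch would then likely no longer be needed.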
+++ b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go @@ -6,6 +6,8 @@ package okta import ( "context" + "crypto/tls" + "crypto/x509" "encoding/json" "flag" "fmt" @@ -20,6 +22,7 @@ import ( "gopkg.in/natefinch/lumberjack.v2" + "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta" "github.com/elastic/elastic-agent-libs/logp" ) @@ -173,6 +176,23 @@ func TestOktaDoFetch(t *testing.T) { if err != nil { t.Errorf("failed to parse server URL: %v", err) } + + client := ts.Client() + if testutils.IsFIPS140Only() { + // Exclude X25519 curves when in FIPS mode, otherwise we get the error: + // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, + // while testing. + certpool := x509.NewCertPool() + certpool.AddCert(ts.Certificate()) + client.Transport = &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: certpool, + CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, + }, + } + } + rateLimiter := okta.NewRateLimiter(window, nil) a := oktaInput{ cfg: conf{ @@ -181,7 +201,7 @@ func TestOktaDoFetch(t *testing.T) { Dataset: test.dataset, EnrichWith: test.enrichWith, }, - client: ts.Client(), + client: client, lim: rateLimiter, logger: logp.L(), } diff --git a/x-pack/filebeat/input/lumberjack/server_test.go b/x-pack/filebeat/input/lumberjack/server_test.go index f3ff1ae8c773..3f244892481f 100644 --- a/x-pack/filebeat/input/lumberjack/server_test.go +++ b/x-pack/filebeat/input/lumberjack/server_test.go @@ -19,6 +19,7 @@ import ( "golang.org/x/sync/errgroup" "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/transport/tlscommon" client "github.com/elastic/go-lumber/client/v2" 
@@ -215,10 +216,19 @@ func tlsSetup(t *testing.T) (clientConfig *tls.Config, serverConfig *tlscommon.S certPool := x509.NewCertPool() certPool.AppendCertsFromPEM(certData.ca.CertPEM(t)) + var tlsPreferredCurves []tls.CurveID + if testutils.IsFIPS140Only() { + // Exclude X25519 curves when in FIPS mode, otherwise we get the error: + // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, + // while testing. + tlsPreferredCurves = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} + } clientConfig = &tls.Config{ - RootCAs: certPool, - Certificates: []tls.Certificate{certData.client.TLSCertificate(t)}, - MinVersion: tls.VersionTLS12, + RootCAs: certPool, + Certificates: []tls.Certificate{certData.client.TLSCertificate(t)}, + MinVersion: tls.VersionTLS12, + CurvePreferences: tlsPreferredCurves, } var clientAuth = tlscommon.TLSClientAuthRequired From c12f443e0c9e96019c3465bdc75d8f566a477f3e Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 06:24:49 -0700 Subject: [PATCH 09/23] Only modify curve preferences --- .../input/entityanalytics/provider/jamf/jamf_test.go | 11 ++--------- .../input/entityanalytics/provider/okta/okta_test.go | 11 ++--------- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go index 69ab16dde7de..eb9f758b4ee2 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go @@ -7,7 +7,6 @@ package jamf import ( "context" "crypto/tls" - "crypto/x509" "encoding/json" "flag" "fmt" 
@@ -157,14 +156,8 @@ func testContext() (tenant string, username string, password string, client *htt // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, // while testing. - certpool := x509.NewCertPool() - certpool.AddCert(srv.Certificate()) - cli.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: certpool, - CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, - }, - } + transport := cli.Transport.(*http.Transport) + transport.TLSClientConfig.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} } return tenant, username, password, cli, srv.Close, nil diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go index 51700ee597f2..88a6f2f6c7eb 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go @@ -7,7 +7,6 @@ package okta import ( "context" "crypto/tls" - "crypto/x509" "encoding/json" "flag" "fmt" @@ -183,14 +182,8 @@ func TestOktaDoFetch(t *testing.T) { // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, // while testing. - certpool := x509.NewCertPool() - certpool.AddCert(ts.Certificate()) - client.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: certpool, - CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, - }, - } + transport := client.Transport.(*http.Transport) + transport.TLSClientConfig.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} } rateLimiter := okta.NewRateLimiter(window, nil) From 90a360ed6cbcb580fe710774ed0274d95c33f086 Mon Sep 17 00:00:00 2001 
From: Shaunak Kashyap Date: Fri, 26 Sep 2025 07:45:24 -0700 Subject: [PATCH 10/23] Fix up fips140=only integration tests --- filebeat/magefile.go | 10 ++++++++++ metricbeat/magefile.go | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/filebeat/magefile.go b/filebeat/magefile.go index fe7ec93a5dba..d462cbba48f2 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -202,6 +202,16 @@ func GoIntegTest(ctx context.Context) error { // GoFIPSOnlyIntegTest starts the docker containers and executes the Go integration tests with GODEBUG=fips140=only set. func GoFIPSOnlyIntegTest(ctx context.Context) error { mg.Deps(BuildSystemTestBinary) + + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + return devtools.GoIntegTestFromHost(ctx, devtools.FIPSOnlyGoTestIntegrationFromHostArgs(ctx)) } diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 36c1f9770c85..7307f5ad770a 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -238,6 +238,16 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } + + // We pre-cache go module dependencies before running the unit tests with + // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests + // will try to download the dependencies and could fail because the TLS + // negotiation with the Go module proxy could use a non-FIPS compliant + // key exchange protocol, e.g. X25519. + if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { + return err + } + os.Setenv("GODEBUG", "fips140=only") return devtools.GoTestIntegrationForModule(ctx) } 
From 7e5ad68a7f88be8bed3e62d29cff7d5238eebfb6 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 08:57:20 -0700 Subject: [PATCH 11/23] Forgot import --- filebeat/magefile.go | 1 + 1 file changed, 1 insertion(+) diff --git a/filebeat/magefile.go b/filebeat/magefile.go index d462cbba48f2..63faa758f18e 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -25,6 +25,7 @@ import ( "time" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/build" From 3ca06ec54dd750ab86a8e9a4fa836fdb062b2fa3 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 10:56:17 -0700 Subject: [PATCH 12/23] Forgot import --- metricbeat/magefile.go | 1 + 1 file changed, 1 insertion(+) diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 7307f5ad770a..928ddfc7013b 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -27,6 +27,7 @@ import ( "time" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" metricbeat "github.com/elastic/beats/v7/metricbeat/scripts/mage" From fe1231edade2656f283ff1ff4b27d99e9b1c1205 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 13:50:49 -0700 Subject: [PATCH 13/23] Fix TestConnectionTLS --- libbeat/esleg/eslegclient/connection_test.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libbeat/esleg/eslegclient/connection_test.go b/libbeat/esleg/eslegclient/connection_test.go index d08ff412ff60..3bd393a34b8f 100644 --- a/libbeat/esleg/eslegclient/connection_test.go +++ b/libbeat/esleg/eslegclient/connection_test.go 
@@ -34,11 +34,13 @@ import ( cfg "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/transport/httpcommon" + "github.com/elastic/elastic-agent-libs/transport/tlscommon" "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common/productorigin" "github.com/elastic/beats/v7/libbeat/version" + "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/elastic-agent-libs/logp/logptest" ) @@ -264,6 +266,18 @@ ssl: transport.TLS.CAs = []string{string(caCertPEM)} + if testutils.IsFIPS140Only() { + // Exclude X25519 curves when in FIPS mode, otherwise we get the error: + // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, + // while testing. + transport.TLS.CurveTypes = []tlscommon.TLSCurveType{ + tlscommon.TLSCurveType(tls.CurveP256), + tlscommon.TLSCurveType(tls.CurveP384), + tlscommon.TLSCurveType(tls.CurveP521), + } + } + log := logptest.NewTestingLogger(t, "TestConnectionTLS") conn, err := NewConnection(ConnectionSettings{ URL: server.URL, From 22e4131599d5964e6238f9b949e95a51a301a87b Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 26 Sep 2025 14:49:11 -0700 Subject: [PATCH 14/23] Set GODEBUG=tlsmlkem=0 for tests --- dev-tools/mage/gotest.go | 16 ++++++++-- libbeat/esleg/eslegclient/connection_test.go | 15 ---------- metricbeat/magefile.go | 7 ++++- testing/testutils/skipFIPS140.go | 12 ++------ .../provider/jamf/jamf_test.go | 14 +-------- .../provider/okta/internal/okta/okta_test.go | 30 ++----------------- .../provider/okta/okta_test.go | 14 +-------- .../filebeat/input/lumberjack/server_test.go | 16 ++-------- x-pack/metricbeat/magefile.go | 7 ++++- 9 files changed, 37 insertions(+), 94 deletions(-) diff --git a/dev-tools/mage/gotest.go b/dev-tools/mage/gotest.go index 556c44f64863..301e3045e904 100644 --- a/dev-tools/mage/gotest.go +++ b/dev-tools/mage/gotest.go 
@@ -148,7 +148,13 @@ func DefaultGoTestUnitArgs() GoTestArgs { return makeGoTestArgs("Unit") } // fips140=only unit tests. func DefaultGoFIPSOnlyTestArgs() GoTestArgs { args := makeGoTestArgs("Unit-FIPS-only") - args.Env["GODEBUG"] = "fips140=only" + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0" return args } @@ -211,7 +217,13 @@ func FIPSOnlyGoTestIntegrationFromHostArgs(ctx context.Context) GoTestArgs { args := DefaultGoTestIntegrationArgs(ctx) args.Tags = append(args.Tags, "requirefips") args.Env = WithGoIntegTestHostEnv(args.Env) - args.Env["GODEBUG"] = "fips140=only" + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + args.Env["GODEBUG"] = "fips140=only,tlsmlkem=0" return args } diff --git a/libbeat/esleg/eslegclient/connection_test.go b/libbeat/esleg/eslegclient/connection_test.go index 3bd393a34b8f..79a9ac0c45ee 100644 --- a/libbeat/esleg/eslegclient/connection_test.go +++ b/libbeat/esleg/eslegclient/connection_test.go 
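Review bot: The literal `"fips140=only,tlsmlkem=0"` and its five-line explanation are duplicated in both hunks of this file (DefaultGoFIPSOnlyTestArgs and FIPSOnlyGoTestIntegrationFromHostArgs) and again in the metricbeat/magefile.go and x-pack/metricbeat/magefile.go hunks of this patch. A single exported constant in this package, for example `const FIPSOnlyGODEBUG = "fips140=only,tlsmlkem=0"`, carrying the comment once, would keep the four call sites in sync and leave one place to drop the workaround. The comment should also state that with `tlsmlkem=0` the FIPS-only runs no longer negotiate the hybrid ML-KEM key exchange, so that path is not covered under `fips140=only`. Note too that the assignment replaces any GODEBUG value already present in `args.Env` (presumably none today, but `makeGoTestArgs` and `WithGoIntegTestHostEnv` are not visible here).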
@@ -34,13 +34,10 @@ import ( cfg "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/transport/httpcommon" - "github.com/elastic/elastic-agent-libs/transport/tlscommon" - "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common/productorigin" "github.com/elastic/beats/v7/libbeat/version" - "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/elastic-agent-libs/logp/logptest" ) @@ -266,18 +263,6 @@ ssl: transport.TLS.CAs = []string{string(caCertPEM)} - if testutils.IsFIPS140Only() { - // Exclude X25519 curves when in FIPS mode, otherwise we get the error: - // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, - // while testing. - transport.TLS.CurveTypes = []tlscommon.TLSCurveType{ - tlscommon.TLSCurveType(tls.CurveP256), - tlscommon.TLSCurveType(tls.CurveP384), - tlscommon.TLSCurveType(tls.CurveP521), - } - } - log := logptest.NewTestingLogger(t, "TestConnectionTLS") conn, err := NewConnection(ConnectionSettings{ URL: server.URL, diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 928ddfc7013b..98331410fcb4 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -249,7 +249,12 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { return err } - os.Setenv("GODEBUG", "fips140=only") + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0") return devtools.GoTestIntegrationForModule(ctx) } diff --git a/testing/testutils/skipFIPS140.go b/testing/testutils/skipFIPS140.go index 25e5239034de..7f89f7bfc75a 100644 
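Review bot: The `os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0")` call at the end of the metricbeat/magefile.go hunk discards its error and overwrites GODEBUG for the whole mage process. The value is never restored, so child processes started by later targets in the same invocation would presumably inherit FIPS-only mode with ML-KEM disabled. At minimum check the result: `if err := os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0"); err != nil { return err }`. Passing the setting through the test arguments' environment, as dev-tools/mage/gotest.go does, would avoid changing process state. The x-pack/metricbeat/magefile.go hunk of this patch has the same call; GoFIPSOnlyIntegTest begins outside the hunk.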
--- a/testing/testutils/skipFIPS140.go +++ b/testing/testutils/skipFIPS140.go @@ -26,16 +26,10 @@ import ( // SkipIfFIPSOnly will mark the passed test as skipped if GODEBUG=fips140=only is detected. // If GODEBUG=fips140=on, go may call non-compliant algorithms and the test does not need to be skipped. func SkipIfFIPSOnly(t *testing.T, msg string) { - if IsFIPS140Only() { - t.Skip("GODEBUG=fips140=only detected, skipping test:", msg) - } -} - -// IsFIPS140Only returns true if GODEBUG=fips140=only is set. Note that -// we only set GODEBUG=fips140=only while testing. -func IsFIPS140Only() bool { // NOTE: This only checks env var; at the time of writing fips140 can only be set via env // other GODEBUG settings can be set via embedded comments or in go.mod, we may need to account for this in the future. s := os.Getenv("GODEBUG") - return strings.Contains(s, "fips140=only") + if strings.Contains(s, "fips140=only") { + t.Skip("GODEBUG=fips140=only detected, skipping test:", msg) + } } diff --git a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go index eb9f758b4ee2..e1d92167807c 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go @@ -6,7 +6,6 @@ package jamf import ( "context" - "crypto/tls" "encoding/json" "flag" "fmt" @@ -22,7 +21,6 @@ import ( "github.com/google/go-cmp/cmp" "gopkg.in/natefinch/lumberjack.v2" - "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/jamf/internal/jamf" "github.com/elastic/elastic-agent-libs/logp" ) 
@@ -150,15 +148,5 @@ func testContext() (tenant string, username string, password string, client *htt } tenant = u.Host - cli := srv.Client() - if testutils.IsFIPS140Only() { - // Exclude X25519 curves when in FIPS mode, otherwise we get the error: - // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, - // while testing. - transport := cli.Transport.(*http.Transport) - transport.TLSClientConfig.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} - } - - return tenant, username, password, cli, srv.Close, nil + return tenant, username, password, srv.Client(), srv.Close, nil } diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go index 659e2ebe28a1..2bebc5b6a94b 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go @@ -7,8 +7,6 @@ package okta import ( "context" - "crypto/tls" - "crypto/x509" "encoding/json" "errors" "flag" @@ -22,8 +20,6 @@ import ( "testing" "time" - "github.com/elastic/beats/v7/testing/testutils" - "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "golang.org/x/time/rate" @@ -370,7 +366,7 @@ func TestLocal(t *testing.T) { query := make(url.Values) query.Set("limit", "200") - got, h, err := test.fn(context.Background(), getTestClient(ts), host, key, test.id, query, limiter, logger) + got, h, err := test.fn(context.Background(), ts.Client(), host, key, test.id, query, limiter, logger) if err != nil { t.Fatalf("unexpected error from Get_Details: %v", err) } 
@@ -517,7 +513,7 @@ func TestRateLimitRetries(t *testing.T) { // retry until there's a non-429 response query := make(url.Values) query.Set("limit", "200") - got, _, err := GetUserDetails(context.Background(), getTestClient(ts), host, key, "", query, OmitNone, limiter, logger) + got, _, err := GetUserDetails(context.Background(), ts.Client(), host, key, "", query, OmitNone, limiter, logger) if err != nil { t.Fatalf("unexpected error from Get_Details: %v", err) } @@ -528,7 +524,7 @@ func TestRateLimitRetries(t *testing.T) { // stop trying after the maximum retries query = make(url.Values) query.Set("limit", "200") - _, _, err = GetUserDetails(context.Background(), getTestClient(ts), host, key, "", query, OmitNone, limiter, logger) + _, _, err = GetUserDetails(context.Background(), ts.Client(), host, key, "", query, OmitNone, limiter, logger) expectedErrMsg := "maximum retries (5) finished without success" if err == nil { t.Errorf("expected the error '%s', but got no error", expectedErrMsg) @@ -538,23 +534,3 @@ func TestRateLimitRetries(t *testing.T) { }) } - -func getTestClient(srv *httptest.Server) *http.Client { - client := srv.Client() - if testutils.IsFIPS140Only() { - // Exclude X25519 curves when in FIPS mode, otherwise we get the error: - // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, - // while testing. - certpool := x509.NewCertPool() - certpool.AddCert(srv.Certificate()) - client.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: certpool, - CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, - }, - } - } - - return client -} diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go index 88a6f2f6c7eb..fa705d4e5c81 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go 
+++ b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go @@ -6,7 +6,6 @@ package okta import ( "context" - "crypto/tls" "encoding/json" "flag" "fmt" @@ -21,7 +20,6 @@ import ( "gopkg.in/natefinch/lumberjack.v2" - "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta" "github.com/elastic/elastic-agent-libs/logp" ) @@ -176,16 +174,6 @@ func TestOktaDoFetch(t *testing.T) { t.Errorf("failed to parse server URL: %v", err) } - client := ts.Client() - if testutils.IsFIPS140Only() { - // Exclude X25519 curves when in FIPS mode, otherwise we get the error: - // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, - // while testing. - transport := client.Transport.(*http.Transport) - transport.TLSClientConfig.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} - } - rateLimiter := okta.NewRateLimiter(window, nil) a := oktaInput{ cfg: conf{ @@ -194,7 +182,7 @@ func TestOktaDoFetch(t *testing.T) { Dataset: test.dataset, EnrichWith: test.enrichWith, }, - client: client, + client: ts.Client(), lim: rateLimiter, logger: logp.L(), } diff --git a/x-pack/filebeat/input/lumberjack/server_test.go b/x-pack/filebeat/input/lumberjack/server_test.go index 3f244892481f..f3ff1ae8c773 100644 --- a/x-pack/filebeat/input/lumberjack/server_test.go +++ b/x-pack/filebeat/input/lumberjack/server_test.go @@ -19,7 +19,6 @@ import ( "golang.org/x/sync/errgroup" "github.com/elastic/beats/v7/libbeat/beat" - "github.com/elastic/beats/v7/testing/testutils" "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/transport/tlscommon" client "github.com/elastic/go-lumber/client/v2" 
@@ -216,19 +215,10 @@ func tlsSetup(t *testing.T) (clientConfig *tls.Config, serverConfig *tlscommon.S certPool := x509.NewCertPool() certPool.AppendCertsFromPEM(certData.ca.CertPEM(t)) - var tlsPreferredCurves []tls.CurveID - if testutils.IsFIPS140Only() { - // Exclude X25519 curves when in FIPS mode, otherwise we get the error: - // crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we only use FIPS 140-only mode, set via GODEBUG=fips140=only, - // while testing. - tlsPreferredCurves = []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521} - } clientConfig = &tls.Config{ - RootCAs: certPool, - Certificates: []tls.Certificate{certData.client.TLSCertificate(t)}, - MinVersion: tls.VersionTLS12, - CurvePreferences: tlsPreferredCurves, + RootCAs: certPool, + Certificates: []tls.Certificate{certData.client.TLSCertificate(t)}, + MinVersion: tls.VersionTLS12, } var clientAuth = tlscommon.TLSClientAuthRequired diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index a1823adb7162..5020c310be98 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -285,7 +285,12 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { return err } - os.Setenv("GODEBUG", "fips140=only") + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + os.Setenv("GODEBUG", "fips140=only,tlsmlkem=0") return GoIntegTest(ctx) } From e53f7f0b242b7bb70b6bb1f91eeff51d9dbceeea Mon Sep 17 00:00:00 2001 
From: Shaunak Kashyap Date: Fri, 26 Sep 2025 15:27:40 -0700 Subject: [PATCH 15/23] Remove unnecessary changes --- libbeat/esleg/eslegclient/connection_test.go | 1 + .../filebeat/input/entityanalytics/provider/jamf/jamf_test.go | 4 +++- .../filebeat/input/entityanalytics/provider/okta/okta_test.go | 1 - 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libbeat/esleg/eslegclient/connection_test.go b/libbeat/esleg/eslegclient/connection_test.go index 79a9ac0c45ee..d08ff412ff60 100644 --- a/libbeat/esleg/eslegclient/connection_test.go +++ b/libbeat/esleg/eslegclient/connection_test.go @@ -34,6 +34,7 @@ import ( cfg "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/transport/httpcommon" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common/productorigin" diff --git a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go index e1d92167807c..9ca7128d11c3 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/jamf/jamf_test.go @@ -148,5 +148,7 @@ func testContext() (tenant string, username string, password string, client *htt } tenant = u.Host - return tenant, username, password, srv.Client(), srv.Close, nil + cli := srv.Client() + + return tenant, username, password, cli, srv.Close, nil } diff --git a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go index fa705d4e5c81..5e9974ee6b8a 100644 --- a/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go +++ b/x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go @@ -173,7 +173,6 @@ func TestOktaDoFetch(t *testing.T) { if err != nil { t.Errorf("failed to parse server URL: %v", err) } - rateLimiter := okta.NewRateLimiter(window, nil) a := oktaInput{ cfg: conf{ 
From 55ae97ab90e19c87c2260d475c3659c7e2718a97 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Mon, 29 Sep 2025 16:18:11 -0700 Subject: [PATCH 16/23] Remove pre-download of Go modules --- dev-tools/mage/target/unittest/unittest.go | 13 +------------ filebeat/magefile.go | 6 ++---- metricbeat/magefile.go | 13 +------------ x-pack/metricbeat/magefile.go | 18 ------------------ 4 files changed, 4 insertions(+), 46 deletions(-) diff --git a/dev-tools/mage/target/unittest/unittest.go b/dev-tools/mage/target/unittest/unittest.go index 679e8a5e31a0..fb5cd435a27f 100644 --- a/dev-tools/mage/target/unittest/unittest.go +++ b/dev-tools/mage/target/unittest/unittest.go @@ -22,11 +22,9 @@ import ( "fmt" "os/exec" - "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" - devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/test" + "github.com/magefile/mage/mg" ) func init() { @@ -57,15 +55,6 @@ func GoFIPSOnlyUnitTest() error { ctx := context.Background() mg.SerialCtxDeps(ctx, goTestDeps...) - // We pre-cache go module dependencies before running the unit tests with - // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests - // will try to download the dependencies and could fail because the TLS - // negotiation with the Go module proxy could use a non-FIPS compliant - // key exchange protocol, e.g. X25519. - if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { - return err - } - fipsArgs := devtools.DefaultGoFIPSOnlyTestArgs() return devtools.GoTest(ctx, fipsArgs) } diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 63faa758f18e..b602d596fae1 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go 
@@ -24,12 +24,10 @@ import ( "fmt" "time" - "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" - devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/build" filebeat "github.com/elastic/beats/v7/filebeat/scripts/mage" + "github.com/magefile/mage/mg" //mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" @@ -212,7 +210,7 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { return err } - + return devtools.GoIntegTestFromHost(ctx, devtools.FIPSOnlyGoTestIntegrationFromHostArgs(ctx)) } diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 98331410fcb4..5e523ecd39c0 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -26,11 +26,9 @@ import ( "strconv" "time" - "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" - devtools "github.com/elastic/beats/v7/dev-tools/mage" metricbeat "github.com/elastic/beats/v7/metricbeat/scripts/mage" + "github.com/magefile/mage/mg" // register kubernetes runner _ "github.com/elastic/beats/v7/dev-tools/mage/kubernetes" @@ -240,15 +238,6 @@ func GoFIPSOnlyIntegTest(ctx context.Context) error { mg.SerialDeps(Fields, Dashboards) } - // We pre-cache go module dependencies before running the unit tests with - // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests - // will try to download the dependencies and could fail because the TLS - // negotiation with the Go module proxy could use a non-FIPS compliant - // key exchange protocol, e.g. X25519. - if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { - return err - } - // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key // exchange mechanism; without this setting and with the GODEBUG=fips140=only // setting, we get errors in tests like so: diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 5020c310be98..b047e0063e32 100644 
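Review bot: The second filebeat/magefile.go hunk (`@@ -212,7 +210,7`) only strips trailing whitespace and keeps `if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil {`, while the import hunk of the same file removes `github.com/magefile/mage/sh`. The file should therefore not compile at this commit, and the pre-download that the subject says is removed stays in GoFIPSOnlyIntegTest. Patch 20/23 later re-adds the import instead of removing the call, so filebeat ends up as the only magefile that still downloads modules first. Delete the `sh.RunV` block together with its explanatory comment, which sits above the hunk, as the metricbeat hunks of this patch do. The function starts outside the hunk.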
--- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -91,15 +91,6 @@ func GoUnitTest(ctx context.Context) error { func GoFIPSOnlyUnitTest() error { ctx := context.Background() - // We pre-cache go module dependencies before running the unit tests with - // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests - // will try to download the dependencies and could fail because the TLS - // negotiation with the Go module proxy could use a non-FIPS compliant - // key exchange protocol, e.g. X25519. - if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { - return err - } - fipsArgs := devtools.DefaultGoFIPSOnlyTestArgs() if isWindows32bitRunner() { fipsArgs.ExtraFlags = append(fipsArgs.ExtraFlags, "-ldflags=-w") @@ -276,15 +267,6 @@ func GoIntegTest(ctx context.Context) error { // Use TEST_TAGS=tag1,tag2 to add additional build tags. // Use MODULE=module to run only tests for `module`. func GoFIPSOnlyIntegTest(ctx context.Context) error { - // We pre-cache go module dependencies before running the unit tests with - // GODEBUG=fips140=only. Otherwise, the command that runs the unit tests - // will try to download the dependencies and could fail because the TLS - // negotiation with the Go module proxy could use a non-FIPS compliant - // key exchange protocol, e.g. X25519. - if err := sh.RunV(mg.GoCmd(), "mod", "download"); err != nil { - return err - } - // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key // exchange mechanism; without this setting and with the GODEBUG=fips140=only // setting, we get errors in tests like so: From ee229d660ac946c0f39321ad146cf7aee70c7c83 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Mon, 29 Sep 2025 16:19:40 -0700 Subject: [PATCH 17/23] Running mage fmt --- dev-tools/mage/target/unittest/unittest.go | 3 ++- filebeat/magefile.go | 3 ++- metricbeat/magefile.go | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/dev-tools/mage/target/unittest/unittest.go b/dev-tools/mage/target/unittest/unittest.go index fb5cd435a27f..8a78d74011dc 100644 --- a/dev-tools/mage/target/unittest/unittest.go +++ b/dev-tools/mage/target/unittest/unittest.go @@ -22,9 +22,10 @@ import ( "fmt" "os/exec" + "github.com/magefile/mage/mg" + devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/test" - "github.com/magefile/mage/mg" ) func init() { diff --git a/filebeat/magefile.go b/filebeat/magefile.go index b602d596fae1..65c81c1fff6d 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -24,10 +24,11 @@ import ( "fmt" "time" + "github.com/magefile/mage/mg" + devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/build" filebeat "github.com/elastic/beats/v7/filebeat/scripts/mage" - "github.com/magefile/mage/mg" //mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 5e523ecd39c0..0193044b92d7 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -26,9 +26,10 @@ import ( "strconv" "time" + "github.com/magefile/mage/mg" + devtools "github.com/elastic/beats/v7/dev-tools/mage" metricbeat "github.com/elastic/beats/v7/metricbeat/scripts/mage" - "github.com/magefile/mage/mg" // register kubernetes runner _ "github.com/elastic/beats/v7/dev-tools/mage/kubernetes" From f59c2f86b4a6980f1e05c0d58547fc177124f59a Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Mon, 13 Oct 2025 12:59:50 -0700 Subject: [PATCH 18/23] Adding CHANGELOG --- .../1760385532-bump-golang-1.25.2.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 changelog/fragments/1760385532-bump-golang-1.25.2.yaml diff --git a/changelog/fragments/1760385532-bump-golang-1.25.2.yaml b/changelog/fragments/1760385532-bump-golang-1.25.2.yaml new file mode 100644 index 000000000000..c569deb7e927 --- /dev/null 
+++ b/changelog/fragments/1760385532-bump-golang-1.25.2.yaml @@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: other + +# Change summary; a 80ish characters long description of the change. +summary: Update Go to 1.25.2 + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: all + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +#pr: https://github.com/owner/repo/1234 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 From d87576d9f63e258fb47b0aec435fad12ad0c6951 Mon Sep 17 00:00:00 2001 
From: Shaunak Kashyap Date: Tue, 14 Oct 2025 16:36:44 -0700 Subject: [PATCH 19/23] Fixing IPv6 address --- metricbeat/module/apache/status/status_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/module/apache/status/status_test.go b/metricbeat/module/apache/status/status_test.go index 192007baa334..34333033f23a 100644 --- a/metricbeat/module/apache/status/status_test.go +++ b/metricbeat/module/apache/status/status_test.go @@ -245,7 +245,7 @@ func TestHostParser(t *testing.T) { {"localhost/ServerStatus", "http://localhost/ServerStatus?auto=", ""}, {"127.0.0.1", "http://127.0.0.1/server-status?auto=", ""}, {"https://127.0.0.1", "https://127.0.0.1/server-status?auto=", ""}, - {"[2001:db8::1]:80", "http://[2001:db8::1]:80/server-status?auto=", ""}, + {"[2001:db8:0:1::]:80", "http://[2001:db8:0:1::]:80/server-status?auto=", ""}, {"https://admin:secret@127.0.0.1", "https://admin:secret@127.0.0.1/server-status?auto=", ""}, } From 9069a6a411bda30922292cfea406482b24874346 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Mon, 27 Oct 2025 16:46:19 -0700 Subject: [PATCH 20/23] Adding missed import --- filebeat/magefile.go | 1 + 1 file changed, 1 insertion(+) diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 65c81c1fff6d..8317b4e1bc3a 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -25,6 +25,7 @@ import ( "time" "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/dev-tools/mage/target/build" From 76846f902c94b49be586874c5e8c2f9ac01f4df9 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 5 Nov 2025 13:39:22 -0800 Subject: [PATCH 21/23] Go version: s/1.25.2/1.25.4/g --- ...mp-golang-1.25.2.yaml => 1760385532-bump-golang-1.25.4.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename changelog/fragments/{1760385532-bump-golang-1.25.2.yaml => 1760385532-bump-golang-1.25.4.yaml} (98%) 
diff --git a/changelog/fragments/1760385532-bump-golang-1.25.2.yaml b/changelog/fragments/1760385532-bump-golang-1.25.4.yaml similarity index 98% rename from changelog/fragments/1760385532-bump-golang-1.25.2.yaml rename to changelog/fragments/1760385532-bump-golang-1.25.4.yaml index c569deb7e927..58838a7ad79c 100644 --- a/changelog/fragments/1760385532-bump-golang-1.25.2.yaml +++ b/changelog/fragments/1760385532-bump-golang-1.25.4.yaml @@ -11,7 +11,7 @@ kind: other # Change summary; a 80ish characters long description of the change. -summary: Update Go to 1.25.2 +summary: Update Go to 1.25.4 # Long description; in case the summary is not enough to describe the change # this field accommodate a description without length limits. From 458f432d200086a7bffe94157b03c8f4f039f179 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Fri, 6 Mar 2026 08:16:59 -0800 Subject: [PATCH 22/23] Rebasing, fixing conflicts, and bumping to Go version 1.25.8 --- .go-version | 2 +- auditbeat/Dockerfile | 2 +- ...mp-golang-1.25.4.yaml => 1760385532-bump-golang-1.25.8.yaml} | 2 +- dev-tools/kubernetes/filebeat/Dockerfile.debug | 2 +- dev-tools/kubernetes/heartbeat/Dockerfile.debug | 2 +- dev-tools/kubernetes/metricbeat/Dockerfile.debug | 2 +- go.mod | 2 +- heartbeat/Dockerfile | 2 +- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- metricbeat/module/http/_meta/Dockerfile | 2 +- metricbeat/module/vsphere/_meta/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- x-pack/metricbeat/module/stan/_meta/Dockerfile | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) rename changelog/fragments/{1760385532-bump-golang-1.25.4.yaml => 1760385532-bump-golang-1.25.8.yaml} (98%) diff --git a/.go-version b/.go-version index 26a9e99b38be..e6a6e7cd3e99 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.25.4 +1.25.8 diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 769fc2fa56b2..adb8ab4884aa 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile 
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 RUN \
 apt-get update \
diff --git a/changelog/fragments/1760385532-bump-golang-1.25.4.yaml b/changelog/fragments/1760385532-bump-golang-1.25.8.yaml
similarity index 98%
rename from changelog/fragments/1760385532-bump-golang-1.25.4.yaml
rename to changelog/fragments/1760385532-bump-golang-1.25.8.yaml
index 58838a7ad79c..6862cfc662f3 100644
--- a/changelog/fragments/1760385532-bump-golang-1.25.4.yaml
+++ b/changelog/fragments/1760385532-bump-golang-1.25.8.yaml
@@ -11,7 +11,7 @@
 kind: other
 # Change summary; a 80ish characters long description of the change.
-summary: Update Go to 1.25.4
+summary: Update Go to 1.25.8
 # Long description; in case the summary is not enough to describe the change
 # this field accommodate a description without length limits.
diff --git a/dev-tools/kubernetes/filebeat/Dockerfile.debug b/dev-tools/kubernetes/filebeat/Dockerfile.debug
index 2af090c81ba0..1408b21c340d 100644
--- a/dev-tools/kubernetes/filebeat/Dockerfile.debug
+++ b/dev-tools/kubernetes/filebeat/Dockerfile.debug
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm as builder
+FROM golang:1.25.8-bookworm as builder
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
diff --git a/dev-tools/kubernetes/heartbeat/Dockerfile.debug b/dev-tools/kubernetes/heartbeat/Dockerfile.debug
index d62210efd48a..77af6c8330fa 100644
--- a/dev-tools/kubernetes/heartbeat/Dockerfile.debug
+++ b/dev-tools/kubernetes/heartbeat/Dockerfile.debug
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm as builder
+FROM golang:1.25.8-bookworm as builder
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
diff --git a/dev-tools/kubernetes/metricbeat/Dockerfile.debug b/dev-tools/kubernetes/metricbeat/Dockerfile.debug
index 95fd00aac058..afaba393f59a 100644
--- a/dev-tools/kubernetes/metricbeat/Dockerfile.debug
+++ b/dev-tools/kubernetes/metricbeat/Dockerfile.debug
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm as builder
+FROM golang:1.25.8-bookworm as builder
 ENV PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/go/bin:/usr/local/go/bin
diff --git a/go.mod b/go.mod
index 5a3908de1732..0ed44e3c0300 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/beats/v7
-go 1.25.4
+go 1.25.8
 require (
 cloud.google.com/go/bigquery v1.69.0
diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile
index ef290b488ceb..939174cc2f74 100644
--- a/heartbeat/Dockerfile
+++ b/heartbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 RUN \
 apt-get update \
diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc
index 2769e92862f0..036a42a9b67e 100644
--- a/libbeat/docs/version.asciidoc
+++ b/libbeat/docs/version.asciidoc
@@ -1,6 +1,6 @@
 :stack-version: 9.3.0
 :doc-branch: current
-:go-version: 1.25.4
+:go-version: 1.25.8
 :release-state: unreleased
 :python: 3.7
 :docker: 1.12
diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile
index 5569f7c21b1e..12f15a24859e 100644
--- a/metricbeat/Dockerfile
+++ b/metricbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 COPY --from=docker:26.0.0-alpine3.19 /usr/local/bin/docker /usr/local/bin/
 COPY --from=docker:26.0.0-alpine3.19 /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/lib/docker/cli-plugins/docker-compose
diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile
index 49a14654d482..06728dc25560 100644
--- a/metricbeat/module/http/_meta/Dockerfile
+++ b/metricbeat/module/http/_meta/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 COPY test/main.go main.go
diff --git a/metricbeat/module/vsphere/_meta/Dockerfile b/metricbeat/module/vsphere/_meta/Dockerfile
index 81eb9a401d7c..c8bd4e523344 100644
--- a/metricbeat/module/vsphere/_meta/Dockerfile
+++ b/metricbeat/module/vsphere/_meta/Dockerfile
@@ -1,5 +1,5 @@
 ARG VSPHERE_GOLANG_VERSION
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 RUN apt-get install curl git
 RUN go install github.com/vmware/govmomi/vcsim@v0.30.4
diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile
index 03dbda9973b9..956fed1eef37 100644
--- a/packetbeat/Dockerfile
+++ b/packetbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.4-bookworm
+FROM golang:1.25.8-bookworm
 RUN \
 apt-get update \
diff --git a/x-pack/metricbeat/module/stan/_meta/Dockerfile b/x-pack/metricbeat/module/stan/_meta/Dockerfile
index b3d589c444f8..71d7fbf6467e 100644
--- a/x-pack/metricbeat/module/stan/_meta/Dockerfile
+++ b/x-pack/metricbeat/module/stan/_meta/Dockerfile
@@ -2,7 +2,7 @@ ARG STAN_VERSION=0.15.1
 FROM nats-streaming:$STAN_VERSION
 # build stage
-FROM golang:1.25.4-bookworm AS build-env
+FROM golang:1.25.8-bookworm AS build-env
 RUN apt-get install git mercurial gcc
 RUN git clone https://github.com/nats-io/stan.go.git /stan-go
 RUN cd /stan-go/examples/stan-bench && git checkout tags/v0.5.2 && go build .
From aa4cd24e4296a502f7086cf8d8596606707c0a43 Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Fri, 6 Mar 2026 09:19:18 -0800
Subject: [PATCH 23/23] Bump npcap version
---
 x-pack/packetbeat/scripts/mage/pcap.go | 2 +-
 x-pack/packetbeat/tests/system/app_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/packetbeat/scripts/mage/pcap.go b/x-pack/packetbeat/scripts/mage/pcap.go
index 25bddbc269d4..247241b9e987 100644
--- a/x-pack/packetbeat/scripts/mage/pcap.go
+++ b/x-pack/packetbeat/scripts/mage/pcap.go
@@ -22,7 +22,7 @@ import (
 // the packetbeat executable. It is used to specify which npcap builder crossbuild
 // image to use and the installer to obtain from the cloud store for testing.
 const (
- NpcapVersion = "1.83"
+ NpcapVersion = "1.87"
 installer = "npcap-" + NpcapVersion + "-oem.exe"
 )
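Review bot: Raising `NpcapVersion` to `"1.87"` changes which `npcap-<version>-oem.exe` is obtained from the cloud store, yet nothing in the pcap.go hunk ties the new installer to a known digest. If the fetch step or the Windows system test already checks a hash or signature elsewhere, that value has to move with this constant; if not, a SHA-256 constant next to `installer` would make the pairing reviewable. The same literal is duplicated in tests/system/app_test.go, whose comment points at magefile.go although this series shows the constant in scripts/mage/pcap.go, so the comment could read `// Keep in sync with NpcapVersion in x-pack/packetbeat/scripts/mage/pcap.go.` The doc comment above the const block starts outside the hunk.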
diff --git a/x-pack/packetbeat/tests/system/app_test.go b/x-pack/packetbeat/tests/system/app_test.go
index 7f78d57e77f1..88207128e386 100644
--- a/x-pack/packetbeat/tests/system/app_test.go
+++ b/x-pack/packetbeat/tests/system/app_test.go
@@ -24,7 +24,7 @@ import (
 )
 // Keep in sync with NpcapVersion in magefile.go.
-const NpcapVersion = "1.83"
+const NpcapVersion = "1.87"
 func TestWindowsNpcapInstaller(t *testing.T) {
 if runtime.GOOS != "windows" {