Add FIPS 140 mode to XPack Usage API (#47278)

jkakavas · web-flow · commit 869cd6cb79f9 · 2019-10-14T09:13:28.000+03:00
This change adds support for the FIPS 140 mode feature to be
retrieved via the XPack Usage API.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java
@@ -27,6 +27,7 @@ public class SecurityFeatureSetUsage extends XPackFeatureSet.Usage {
     private static final String AUDIT_XFIELD = "audit";
     private static final String IP_FILTER_XFIELD = "ipfilter";
     private static final String ANONYMOUS_XFIELD = "anonymous";
+    private static final String FIPS_140_XFIELD = "fips_140";
 
     private Map<String, Object> realmsUsage;
     private Map<String, Object> rolesStoreUsage;
@@ -37,6 +38,7 @@ public class SecurityFeatureSetUsage extends XPackFeatureSet.Usage {
     private Map<String, Object> ipFilterUsage;
     private Map<String, Object> anonymousUsage;
     private Map<String, Object> roleMappingStoreUsage;
+    private Map<String, Object> fips140Usage;
 
     public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         super(in);
@@ -51,13 +53,17 @@ public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         ipFilterUsage = in.readMap();
         anonymousUsage = in.readMap();
         roleMappingStoreUsage = in.readMap();
+        if (in.getVersion().onOrAfter(Version.V_7_5_0)) {
+            fips140Usage = in.readMap();
+        }
     }
 
     public SecurityFeatureSetUsage(boolean available, boolean enabled, Map<String, Object> realmsUsage,
                                    Map<String, Object> rolesStoreUsage, Map<String, Object> roleMappingStoreUsage,
                                    Map<String, Object> sslUsage, Map<String, Object> auditUsage,
                                    Map<String, Object> ipFilterUsage, Map<String, Object> anonymousUsage,
-                                   Map<String, Object> tokenServiceUsage, Map<String, Object> apiKeyServiceUsage) {
+                                   Map<String, Object> tokenServiceUsage, Map<String, Object> apiKeyServiceUsage,
+                                   Map<String, Object> fips140Usage) {
         super(XPackField.SECURITY, available, enabled);
         this.realmsUsage = realmsUsage;
         this.rolesStoreUsage = rolesStoreUsage;
@@ -68,6 +74,7 @@ public SecurityFeatureSetUsage(boolean available, boolean enabled, Map<String, O
         this.auditUsage = auditUsage;
         this.ipFilterUsage = ipFilterUsage;
         this.anonymousUsage = anonymousUsage;
+        this.fips140Usage = fips140Usage;
     }
 
     @Override
@@ -84,6 +91,9 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeMap(ipFilterUsage);
         out.writeMap(anonymousUsage);
         out.writeMap(roleMappingStoreUsage);
+        if (out.getVersion().onOrAfter(Version.V_7_5_0)) {
+            out.writeMap(fips140Usage);
+        }
     }
 
     @Override
@@ -99,6 +109,7 @@ protected void innerXContent(XContentBuilder builder, Params params) throws IOEx
             builder.field(AUDIT_XFIELD, auditUsage);
             builder.field(IP_FILTER_XFIELD, ipFilterUsage);
             builder.field(ANONYMOUS_XFIELD, anonymousUsage);
+            builder.field(FIPS_140_XFIELD, fips140Usage);
         } else if (sslUsage.isEmpty() == false) {
             // A trial (or basic) license can have SSL without security.
             // This is because security defaults to disabled on that license, but that dynamic-default does not disable SSL.
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityUsageTransportAction.java
@@ -39,6 +39,7 @@
 
 import static java.util.Collections.singletonMap;
 import static org.elasticsearch.xpack.core.XPackSettings.API_KEY_SERVICE_ENABLED_SETTING;
+import static org.elasticsearch.xpack.core.XPackSettings.FIPS_MODE_ENABLED;
 import static org.elasticsearch.xpack.core.XPackSettings.HTTP_SSL_ENABLED;
 import static org.elasticsearch.xpack.core.XPackSettings.TOKEN_SERVICE_ENABLED_SETTING;
 import static org.elasticsearch.xpack.core.XPackSettings.TRANSPORT_SSL_ENABLED;
@@ -77,6 +78,7 @@ protected void masterOperation(Task task, XPackUsageRequest request, ClusterStat
         Map<String, Object> auditUsage = auditUsage(settings);
         Map<String, Object> ipFilterUsage = ipFilterUsage(ipFilter);
         Map<String, Object> anonymousUsage = singletonMap("enabled", AnonymousUser.isAnonymousEnabled(settings));
+        Map<String, Object> fips140Usage = fips140Usage(settings);
 
         final AtomicReference<Map<String, Object>> rolesUsageRef = new AtomicReference<>();
         final AtomicReference<Map<String, Object>> roleMappingUsageRef = new AtomicReference<>();
@@ -87,7 +89,7 @@ protected void masterOperation(Task task, XPackUsageRequest request, ClusterStat
                 boolean enabled = enabledInSettings && licenseState.isSecurityDisabledByLicenseDefaults() == false;
                 var usage = new SecurityFeatureSetUsage(licenseState.isSecurityAvailable(), enabled,
                         realmsUsageRef.get(), rolesUsageRef.get(), roleMappingUsageRef.get(), sslUsage, auditUsage,
-                        ipFilterUsage, anonymousUsage, tokenServiceUsage, apiKeyServiceUsage);
+                        ipFilterUsage, anonymousUsage, tokenServiceUsage, apiKeyServiceUsage, fips140Usage);
                 listener.onResponse(new XPackUsageFeatureResponse(usage));
             }
         };
@@ -168,4 +170,8 @@ static Map<String, Object> ipFilterUsage(@Nullable IPFilter ipFilter) {
         }
         return ipFilter.usageStats();
     }
+
+    static Map<String, Object> fips140Usage(Settings settings) {
+        return singletonMap("enabled", FIPS_MODE_ENABLED.get(settings));
+    }
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityInfoTransportActionTests.java
@@ -152,6 +152,11 @@ public void testUsage() throws Exception {
             settings.put(AnonymousUser.ROLES_SETTING.getKey(), "foo");
         }
 
+        final boolean fips140Enabled = randomBoolean();
+        if (fips140Enabled) {
+            settings.put("xpack.security.fips_mode.enabled", true);
+        }
+
         var usageAction = newUsageAction(settings.build());
         PlainActionFuture<XPackUsageFeatureResponse> future = new PlainActionFuture<>();
         usageAction.masterOperation(null, null, null, future);
@@ -217,6 +222,9 @@ public void testUsage() throws Exception {
 
                 // anonymous
                 assertThat(source.getValue("anonymous.enabled"), is(anonymousEnabled));
+
+                // FIPS 140
+                assertThat(source.getValue("fips_140.enabled"), is(fips140Enabled));
             } else {
                 assertThat(source.getValue("realms"), is(nullValue()));
                 assertThat(source.getValue("ssl"), is(nullValue()));
