add integration spec for fips_validation plugin

yaauie · yaauie · commit 6623cb17ebdc · 2025-04-04T00:03:45.000Z
diff --git a/rakelib/artifacts.rake b/rakelib/artifacts.rake
@@ -565,8 +565,8 @@ namespace "artifact" do
       Rake::Task['bootstrap'].invoke
       Rake::Task['plugin:install-default'].invoke
       Rake::Task['plugin:install'].invoke('logstash-filter-age')
-      Rake::Task['plugin:install-fips-validation-plugin'].invoke
       Rake::Task['plugin:trim-for-observabilitySRE'].invoke
+      Rake::Task['plugin:install-fips-validation-plugin'].invoke
       Rake::Task['artifact:clean-bundle-config'].invoke
     end
   end
diff --git a/rakelib/plugin.rake b/rakelib/plugin.rake
@@ -124,7 +124,7 @@ namespace "plugin" do
     task.reenable # Allow this task to be run again
   end
 
-  task "install-fips-validation-plugin" do |task, _|
+  task "build-fips-validation-plugin" do |task, _|
     puts("[plugin:install-fips-validation-plugin] installing fips_validation plugin")
 
     with_merged_env("GEM_BUILD_VERSION" => get_versions.fetch("logstash")) do
@@ -134,12 +134,25 @@ namespace "plugin" do
       # ensure fresh GEM_BUILD_VERSION comes from the env
       path.glob("GEM_BUILD_VERSION").each(&:unlink)
 
-      Rake::Task["plugin:install-local-core-gem"].invoke(name, path.to_s)
+      Rake::Task["plugin:build-local-core-gem"].invoke(name, path.to_s)
     end
 
     task.reenable # Allow this task to be run again
   end
 
+  task "install-fips-validation-plugin" => "build-fips-validation-plugin" do |task, _|
+    puts("[plugin:install-fips-validation-plugin] installing fips_validation plugin")
+
+    path = "build/gems"
+    name = "logstash-integration-fips_validation"
+    gems = Dir[File.join(path, "#{name}-*.gem")]
+    abort("ERROR: #{name} gem not found in #{path}") if gems.size != 1
+    puts("[plugin:install-fips-validation-plugin] Installing #{gems.first}")
+    install_plugins("--no-verify", gems.first)
+
+    task.reenable # Allow this task to be run again
+  end
+
   task "clean-local-core-gem", [:name, :path] do |task, args|
     name = args[:name]
     path = args[:path]
diff --git a/x-pack/build.gradle b/x-pack/build.gradle
@@ -6,6 +6,9 @@
 
 description = """Logstash X-Pack"""
 
+project.ext.LOGSTASH_CORE_PATH = "${projectDir}/../logstash-core"
+apply from: "../rubyUtils.gradle"
+
 repositories {
   mavenCentral()
 }
@@ -56,9 +59,16 @@ tasks.register("rubyIntegrationTests", Test) {
     jvmArgs = ['--add-opens', 'java.base/sun.nio.ch=ALL-UNNAMED', '--add-opens', 'java.base/java.io=ALL-UNNAMED']
   }
   dependsOn (":copyEs")
+  dependsOn "buildFipsValidationGem"
   inputs.files fileTree("${projectDir}/qa")
   inputs.files fileTree("${projectDir}/lib")
   inputs.files fileTree("${projectDir}/modules")
   systemProperty 'logstash.root.dir', projectDir.parent
   include '/org/logstash/xpack/test/RSpecIntegrationTests.class'
 }
+
+tasks.register("buildFipsValidationGem") {
+  doLast {
+    rake(rootProject.projectDir, rootProject.buildDir, 'plugin:build-fips-validation-plugin')
+  }
+}
diff --git a/x-pack/distributions/internal/observabilitySRE/plugin/logstash-integration-fips_validation/logstash-integration-fips_validation.gemspec b/x-pack/distributions/internal/observabilitySRE/plugin/logstash-integration-fips_validation/logstash-integration-fips_validation.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   # Files
   s.files = Dir::glob("lib/**/*.rb") |
             Dir::glob("*.gemspec") |
-            Dir.glob("VERSION")
+            Dir.glob("GEM_BUILD_VERSION")
 
   # Special flag to let us know this is actually a logstash plugin
   s.metadata = {
diff --git a/x-pack/qa/integration/fips-validation/logstash-integration-fips-validation_spec.rb b/x-pack/qa/integration/fips-validation/logstash-integration-fips-validation_spec.rb
@@ -0,0 +1,34 @@
+require_relative "../spec_helper"
+
+context "FipsValidation Integration Plugin" do
+
+  before(:all) do
+    logstash_home = Pathname.new(get_logstash_path).cleanpath
+    build_dir = (logstash_home / "build" / "gems")
+    gems = build_dir.glob("logstash-integration-fips_validation-*.gem")
+    fail("No FipsValidation Gem in #{build_dir}") if gems.none?
+    fail("Multiple FipsValidation Gems in #{build_dir}") if gems.size > 1
+    fips_validation_plugin = gems.first
+
+    response = logstash_plugin("install", fips_validation_plugin.to_s)
+    aggregate_failures('setup') do
+      expect(response).to be_successful
+      expect(response.stdout_lines.map(&:chomp)).to include("Installation successful")
+    end
+  end
+  after(:all) do
+    response = logstash_plugin("remove", "logstash-integration-fips_validation")
+    expect(response).to be_successful
+  end
+
+  context "when running on stock Logstash" do
+    it "prevents Logstash from running" do
+      process = logstash_with_empty_default("bin/logstash --log.level=debug -e 'generator { count => 1 }'", timeout: 60)
+
+      aggregate_failures do
+        expect(process).to_not be_successful
+        expect(process.stdout_lines.join).to include("Logstash is not configured in a FIPS-compliant manner")
+      end
+    end
+  end
+end
