skip non-fips spec on fips-configured artifact, add spec details

yaauie · yaauie · commit a8011baf2824 · 2025-04-05T00:03:22.000Z
diff --git a/x-pack/qa/integration/fips-validation/logstash-integration-fips-validation_spec.rb b/x-pack/qa/integration/fips-validation/logstash-integration-fips-validation_spec.rb
@@ -2,32 +2,38 @@
 
 context "FipsValidation Integration Plugin" do
 
-  before(:all) do
-    logstash_home = Pathname.new(get_logstash_path).cleanpath
-    build_dir = (logstash_home / "build" / "gems")
-    gems = build_dir.glob("logstash-integration-fips_validation-*.gem")
-    fail("No FipsValidation Gem in #{build_dir}") if gems.none?
-    fail("Multiple FipsValidation Gems in #{build_dir}") if gems.size > 1
-    fips_validation_plugin = gems.first
+  context "when running on stock Logstash", :skip_fips do
+    # on non-FIPS Logstash, we need to install the plugin ourselves
+    before(:all) do
+      logstash_home = Pathname.new(get_logstash_path).cleanpath
+      build_dir = (logstash_home / "build" / "gems")
+      gems = build_dir.glob("logstash-integration-fips_validation-*.gem")
+      fail("No FipsValidation Gem in #{build_dir}") if gems.none?
+      fail("Multiple FipsValidation Gems in #{build_dir}") if gems.size > 1
+      fips_validation_plugin = gems.first
 
-    response = logstash_plugin("install", fips_validation_plugin.to_s)
-    aggregate_failures('setup') do
+      response = logstash_plugin("install", fips_validation_plugin.to_s)
+      aggregate_failures('setup') do
+        expect(response).to be_successful
+        expect(response.stdout_lines.map(&:chomp)).to include("Installation successful")
+      end
+    end
+    after(:all) do
+      response = logstash_plugin("remove", "logstash-integration-fips_validation")
       expect(response).to be_successful
-      expect(response.stdout_lines.map(&:chomp)).to include("Installation successful")
     end
-  end
-  after(:all) do
-    response = logstash_plugin("remove", "logstash-integration-fips_validation")
-    expect(response).to be_successful
-  end
-
-  context "when running on stock Logstash" do
-    it "prevents Logstash from running" do
-      process = logstash_with_empty_default("bin/logstash --log.level=debug -e 'generator { count => 1 }'", timeout: 60)
+    it "prevents Logstash from running and logs helpful guidance" do
+      process = logstash_with_empty_default("bin/logstash --log.level=debug -e 'input { generator { count => 1 } }'", timeout: 60)
 
       aggregate_failures do
         expect(process).to_not be_successful
-        expect(process.stdout_lines.join).to include("Logstash is not configured in a FIPS-compliant manner")
+        process.stdout_lines.join.tap do |stdout|
+          expect(stdout).to_not include("Pipeline started")
+          expect(stdout).to include("Java security providers are misconfigured")
+          expect(stdout).to include("Java SecureRandom provider is misconfigured")
+          expect(stdout).to include("Bouncycastle Crypto unavailable")
+          expect(stdout).to include("Logstash is not configured in a FIPS-compliant manner")
+        end
       end
     end
   end
diff --git a/x-pack/qa/integration/spec_helper.rb b/x-pack/qa/integration/spec_helper.rb
@@ -9,3 +9,9 @@
 require_relative "support/elasticsearch/api/actions/update_password"
 require "json"
 require "json-schema"
+
+RSpec.configure do |c|
+  if java.lang.System.getProperty("org.bouncycastle.fips.approved_only") == "true"
+    c.filter_run_excluding skip_fips: true
+  end
+end
