x-pack: add fips validation plugin from x-pack

[yaauie]

Release notes

[rn: skip]

What does this PR do?

• adds a fips_validation feature inside of the existing x-pack plugin, to be optionally included in fips-only artifacts to make logstash refuse to start up when java security and/or bouncycastle are misconfigured.

After implementing, I am not confident that injecting into the current x-pack is desired, because it will always be present (and therefore always enforced) on source checkouts. I think a better approach would be to wrap this plugin in a source-local gem "module".

Why is it important/What is the impact to the user?

If/when we distribute an artifact for running in FIPS environments, a check like this ensures that Logstash, the JVM, and the security providers are all appropriately configured.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files (and/or docker env variables)
• I have added tests that prove my fix is effective or that my feature works

How to test this PR locally

Without configuring the FIPS specifics, launch Logstash and expect it to exit non-zero:

bin/logstash --log.level=debug -e ''

Logs

[2025-01-23T20:28:20,862][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<LogStash::ConfigurationError: FIPS compliance issues: ["Java security providers are misconfigured (expected `[\"BCFIPS\", \"BCJSSE\", \"SUN\"]`, observed `[\"SUN\", \"SunRsaSign\", \"SunEC\", \"SunJSSE\", \"SunJCE\", \"SunJGSS\", \"SunSASL\", \"XMLDSig\", \"SunPCSC\", \"JdkLDAP\", \"JdkSASL\", \"Apple\", \"SunPKCS11\"]`)", "Java SecureRandom provider is misconfigured (expected `BCFIPS`; observed `SUN`)", "Bouncycastle Crypto is not in 'approved-only' mode"]>, :backtrace=>["/Users/rye/src/elastic/logstash@main/x-pack/lib/fips_validation/extension.rb:55:in `before_bootstrap_checks'", "org/logstash/execution/EventDispatcherExt.java:94:in `execute'", "/Users/rye/src/elastic/logstash@main/logstash-core/lib/logstash/runner.rb:363:in `execute'", "/Users/rye/src/elastic/logstash@main/vendor/bundle/jruby/3.1.0/gems/clamp-1.3.2/lib/clamp/command.rb:66:in `run'", "/Users/rye/src/elastic/logstash@main/logstash-core/lib/logstash/runner.rb:298:in `run'", "/Users/rye/src/elastic/logstash@main/vendor/bundle/jruby/3.1.0/gems/clamp-1.3.2/lib/clamp/command.rb:140:in `run'", "/Users/rye/src/elastic/logstash@main/lib/bootstrap/environment.rb:89:in `<main>'"]}
[2025-01-23T20:28:20,864][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit

org.jruby.exceptions.SystemExit: (SystemExit) exit

    at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:924) ~[jruby.jar:?]
    at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:883) ~[jruby.jar:?]
    at Users.rye.src.elastic.logstash_at_40_main.lib.bootstrap.environment.<main>(/Users/rye/src/elastic/logstash@main/lib/bootstrap/environment.rb:90) ~[?:?]

[error: 1 (00:00:05)]

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 94d4e44

Failed CI Steps

• 🛂 License check
• 🛂 License check
• 🛂 License check
• 🛂 License check
• :rspec: Ruby unit tests
• :rspec: Ruby unit tests
• 🥼 Integration Tests / part 1
• 🥼 Integration Tests / part 1
• 🥼 Integration Tests / part 1
• 🥼 Integration Tests / part 1
• 🥼 Integration Tests / part 2
• 🥼 Integration Tests / part 2
• 🥼 Integration Tests / part 2
• 🥼 Integration Tests / part 2
• 🥼 IT Persistent Queues / part 1
• 🥼 IT Persistent Queues / part 1
• 🥼 IT Persistent Queues / part 1
• 🥼 IT Persistent Queues / part 1
• 🥼 IT Persistent Queues / part 2
• 🥼 IT Persistent Queues / part 2
• 🥼 IT Persistent Queues / part 2
• 🥼 IT Persistent Queues / part 2
• 🥼 x-pack integration
• 🥼 x-pack integration
• 🥼 x-pack integration
• 🥼 x-pack integration

History

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[donoghuc]

Suggested change

	if observed_security_providers != expected_security_providers
	if observed_security_providers[..2] != expected_security_providers

In the container env these are the first three (in that order) but there are more:

[2025-01-24T22:56:53,562][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<LogStash::ConfigurationError: FIPS compliance issues: ["Java security providers are misconfigured (expected `[\"BCFIPS\", \"BCJSSE\", \"SUN\"]`, observed `[\"BCFIPS\", \"BCJSSE\", \"SUN\", \"SunJSSE\", \"SunJCE\", \"SunJGSS\", \"SunSASL\", \"XMLDSig\", \"SunPCSC\", \"JdkLDAP\", \"JdkSASL\", \"SunPKCS11\"]`)"]>, :backtrace=>["/logstash/x-pack/lib/fips_validation/extension.rb:55:in `before_bootstrap_checks'", "org/logstash/execution/EventDispatcherExt.java:94:in `execute'", "/logstash/logstash-core/lib/logstash/runner.rb:363:in `execute'", "/logstash/vendor/bundle/jruby/3.1.0/gems/clamp-1.3.2/lib/clamp/command.rb:66:in `run'", "/logstash/logstash-core/lib/logstash/runner.rb:298:in `run'", "/logstash/vendor/bundle/jruby/3.1.0/gems/clamp-1.3.2/lib/clamp/command.rb:140:in `run'", "/logstash/lib/bootstrap/environment.rb:89:in `<main>'"]}
[2025-01-24T22:56:53,564][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:924) ~[jruby.jar:?]
	at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:883) ~[jruby.jar:?]
	at logstash.lib.bootstrap.environment.<main>(/logstash/lib/bootstrap/environment.rb:90) ~[?:?]