feat(fips): remove keystore subcommand and config handling (#15545)

* feat(fips): remove keystore subcommand and config handling

the keystore is providing obfuscation of data on disk by using
an empty password by default.
This fails in fips only mode with the following error:

crypto/hmac: use of keys shorter than 112 bits is not allowed in FIPS 140-only mode

Disable the keystore subcommand and do not try to create one
when loading the config.

* Update config_nofips_test.go

---------

Co-authored-by: Kostiantyn Masliuk <[email protected]>

Author: kruskall

internal/beatcmd/cmd.go

@@ -74,7 +74,9 @@ func NewRootCommand(beatParams BeatParams) *cobra.Command {
 	// Register subcommands.
 	rootCommand.AddCommand(runCommand)
 	rootCommand.AddCommand(exportCommand)
-	rootCommand.AddCommand(keystoreCommand)
+	if keystoreCommand != nil {
+		rootCommand.AddCommand(keystoreCommand)
+	}
 	rootCommand.AddCommand(versionCommand)
 	rootCommand.AddCommand(genTestCmd(beatParams))
 

internal/beatcmd/config.go

@@ -23,7 +23,6 @@ import (
 
 	"github.com/elastic/beats/v7/libbeat/cfgfile"
 	"github.com/elastic/beats/v7/libbeat/cloudid"
-	"github.com/elastic/beats/v7/libbeat/common"
 	"github.com/elastic/beats/v7/libbeat/pprof"
 	"github.com/elastic/elastic-agent-libs/config"
 	libkeystore "github.com/elastic/elastic-agent-libs/keystore"
@@ -94,10 +93,14 @@ func LoadConfig(opts ...LoadConfigOption) (*Config, *config.C, libkeystore.Keyst
 		configOpts = append(configOpts, ucfg.ResolveNOOP)
 	} else {
 		configOpts = append(configOpts,
-			ucfg.Resolve(libkeystore.ResolverWrap(keystore)),
 			ucfg.ResolveEnv,
 			ucfg.VarExp,
 		)
+		if keystore != nil {
+			configOpts = append(configOpts,
+				ucfg.Resolve(libkeystore.ResolverWrap(keystore)),
+			)
+		}
 	}
 	config.OverwriteConfigOpts(configOpts)
 
@@ -138,13 +141,6 @@ func WithMergeConfig(cfg ...*config.C) LoadConfigOption {
 	}
 }
 
-// loadKeystore returns the appropriate keystore based on the configuration.
-func loadKeystore(cfg *config.C) (libkeystore.Keystore, error) {
-	keystoreCfg, _ := cfg.Child("keystore", -1)
-	defaultPathConfig := paths.Resolve(paths.Data, "apm-server.keystore")
-	return libkeystore.Factory(keystoreCfg, defaultPathConfig, common.IsStrictPerms())
-}
-
 func initPaths(cfg *config.C) error {
 	// To Fix the chicken-egg problem with the Keystore and the loading of the configuration
 	// files we are doing a partial unpack of the configuration file and only take into consideration

internal/beatcmd/config_fips.go

@@ -0,0 +1,30 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package beatcmd
+
+import (
+	"github.com/elastic/elastic-agent-libs/config"
+	libkeystore "github.com/elastic/elastic-agent-libs/keystore"
+)
+
+// loadKeystore returns the appropriate keystore based on the configuration.
+func loadKeystore(cfg *config.C) (libkeystore.Keystore, error) {
+	return nil, nil
+}

internal/beatcmd/config_nofips.go

@@ -0,0 +1,34 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package beatcmd
+
+import (
+	"github.com/elastic/beats/v7/libbeat/common"
+	"github.com/elastic/elastic-agent-libs/config"
+	libkeystore "github.com/elastic/elastic-agent-libs/keystore"
+	"github.com/elastic/elastic-agent-libs/paths"
+)
+
+// loadKeystore returns the appropriate keystore based on the configuration.
+func loadKeystore(cfg *config.C) (libkeystore.Keystore, error) {
+	keystoreCfg, _ := cfg.Child("keystore", -1)
+	defaultPathConfig := paths.Resolve(paths.Data, "apm-server.keystore")
+	return libkeystore.Factory(keystoreCfg, defaultPathConfig, common.IsStrictPerms())
+}

internal/beatcmd/config_nofips_test.go

@@ -0,0 +1,64 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package beatcmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/elastic-agent-libs/keystore"
+)
+
+func TestLoadConfigKeystore(t *testing.T) {
+	initCfgfile(t, `
+apm-server:
+  auth.secret_token: ${APM_SECRET_TOKEN}
+  `)
+
+	cfg, _, _, err := LoadConfig(WithDisableConfigResolution())
+	require.NoError(t, err)
+	assertConfigEqual(t, map[string]interface{}{
+		"auth": map[string]interface{}{
+			"secret_token": "${APM_SECRET_TOKEN}",
+		},
+	}, cfg.APMServer)
+
+	cfg, _, ks, err := LoadConfig()
+	require.NoError(t, err)
+
+	err = cfg.APMServer.Unpack(new(map[string]interface{}))
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), `missing field accessing 'apm-server.auth'`)
+
+	wks, err := keystore.AsWritableKeystore(ks)
+	require.NoError(t, err)
+	err = wks.Store("APM_SECRET_TOKEN", []byte("abc123"))
+	require.NoError(t, err)
+	err = wks.Save()
+	require.NoError(t, err)
+
+	assertConfigEqual(t, map[string]interface{}{
+		"auth": map[string]interface{}{
+			"secret_token": "abc123",
+		},
+	}, cfg.APMServer)
+}

internal/beatcmd/config_test.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/elastic/beats/v7/libbeat/cfgfile"
 	"github.com/elastic/elastic-agent-libs/config"
-	"github.com/elastic/elastic-agent-libs/keystore"
 	"github.com/elastic/elastic-agent-libs/paths"
 )
 
@@ -37,11 +36,10 @@ func TestLoadConfig(t *testing.T) {
 apm-server:
   host: :8200
   `)
-	cfg, rawConfig, keystore, err := LoadConfig()
+	cfg, rawConfig, _, err := LoadConfig()
 	require.NoError(t, err)
 	assert.NotNil(t, cfg)
 	assert.NotNil(t, rawConfig)
-	assert.NotNil(t, keystore)
 
 	assertConfigEqual(t, map[string]interface{}{
 		"apm-server": map[string]interface{}{
@@ -75,41 +73,6 @@ apm-server:
 	}, cfg.APMServer)
 }
 
-func TestLoadConfigKeystore(t *testing.T) {
-	initCfgfile(t, `
-apm-server:
-  auth.secret_token: ${APM_SECRET_TOKEN}
-  `)
-
-	cfg, _, _, err := LoadConfig(WithDisableConfigResolution())
-	require.NoError(t, err)
-	assertConfigEqual(t, map[string]interface{}{
-		"auth": map[string]interface{}{
-			"secret_token": "${APM_SECRET_TOKEN}",
-		},
-	}, cfg.APMServer)
-
-	cfg, _, ks, err := LoadConfig()
-	require.NoError(t, err)
-
-	err = cfg.APMServer.Unpack(new(map[string]interface{}))
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), `missing field accessing 'apm-server.auth'`)
-
-	wks, err := keystore.AsWritableKeystore(ks)
-	require.NoError(t, err)
-	err = wks.Store("APM_SECRET_TOKEN", []byte("abc123"))
-	require.NoError(t, err)
-	err = wks.Save()
-	require.NoError(t, err)
-
-	assertConfigEqual(t, map[string]interface{}{
-		"auth": map[string]interface{}{
-			"secret_token": "abc123",
-		},
-	}, cfg.APMServer)
-}
-
 func assertConfigEqual(t testing.TB, expected map[string]interface{}, actual *config.C) {
 	t.Helper()
 	var m map[string]interface{}

internal/beatcmd/keystore_fips.go

@@ -0,0 +1,24 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package beatcmd
+
+import "github.com/spf13/cobra"
+
+var keystoreCommand *cobra.Command = nil

internal/beatcmd/keystore.go internal/beatcmd/keystore_nofips.go

@@ -15,6 +15,8 @@
 // specific language governing permissions and limitations
 // under the License.
 
+//go:build !requirefips
+
 package beatcmd
 
 import (