From e532bbe8d6c1daa74ce837203dfbcc89aacd7f7e Mon Sep 17 00:00:00 2001
From: kruskall <99559985+kruskall@users.noreply.github.com>
Date: Thu, 27 Feb 2025 21:22:56 +0100
Subject: [PATCH] feat(fips): return an error when validating kerberos cfg (#42887)

* feat(fips): return an error when validating kerberos cfg

setting kerberos config options should return an error

* Update config.go

* Update config_nofips.go

* Update client_nofips.go
---
 .../transport/kerberos/client_nofips.go | 2 +-
 libbeat/common/transport/kerberos/config.go | 23 +---------
 .../common/transport/kerberos/config_fips.go | 28 ++++++++++++
 .../transport/kerberos/config_fips_test.go | 32 ++++++++++++++
 .../transport/kerberos/config_nofips.go | 43 +++++++++++++++++++
 .../transport/kerberos/config_nofips_test.go | 36 ++++++++++++++++
 6 files changed, 141 insertions(+), 23 deletions(-)
 create mode 100644 libbeat/common/transport/kerberos/config_fips.go
 create mode 100644 libbeat/common/transport/kerberos/config_fips_test.go
 create mode 100644 libbeat/common/transport/kerberos/config_nofips.go
 create mode 100644 libbeat/common/transport/kerberos/config_nofips_test.go

diff --git a/libbeat/common/transport/kerberos/client_nofips.go b/libbeat/common/transport/kerberos/client_nofips.go
index f734cb750164..798aa4579560 100644
--- a/libbeat/common/transport/kerberos/client_nofips.go
+++ b/libbeat/common/transport/kerberos/client_nofips.go
@@ -46,7 +46,7 @@ func NewClient(config *Config, httpClient *http.Client, esurl string) (Client, e
 	case authPassword:
 		krbClient = krbclient.NewWithPassword(config.Username, config.Realm, config.Password, krbConf)
 	default:
-		return nil, InvalidAuthType
+		return nil, ErrInvalidAuthType
 	}
 
 	return spnego.NewClient(krbClient, httpClient, ""), nil
diff --git a/libbeat/common/transport/kerberos/config.go b/libbeat/common/transport/kerberos/config.go
index abea183f4d18..07ed3b68383a 100644
--- a/libbeat/common/transport/kerberos/config.go
+++ b/libbeat/common/transport/kerberos/config.go
@@ -33,7 +33,7 @@ const (
 )
 
 var (
-	InvalidAuthType = errors.New("invalid authentication type")
+	ErrInvalidAuthType = errors.New("invalid authentication type")
 
 	authTypes = map[string]AuthType{
 		authPasswordStr: authPassword,
@@ -69,24 +69,3 @@ func (t *AuthType) Unpack(value string) error {
 
 	return nil
 }
-
-func (c *Config) Validate() error {
-	switch c.AuthType {
-	case authPassword:
-		if c.Username == "" {
-			return fmt.Errorf("password authentication is selected for Kerberos, but username is not configured")
-		}
-		if c.Password == "" {
-			return fmt.Errorf("password authentication is selected for Kerberos, but password is not configured")
-		}
-
-	case authKeytab:
-		if c.KeyTabPath == "" {
-			return fmt.Errorf("keytab authentication is selected for Kerberos, but path to keytab is not configured")
-		}
-	default:
-		return InvalidAuthType
-	}
-
-	return nil
-}
diff --git a/libbeat/common/transport/kerberos/config_fips.go b/libbeat/common/transport/kerberos/config_fips.go
new file mode 100644
index 000000000000..92cf2314630b
--- /dev/null
+++ b/libbeat/common/transport/kerberos/config_fips.go
@@ -0,0 +1,28 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kerberos
+
+import (
+	"errors"
+)
+
+func (c *Config) Validate() error {
+	return errors.New("kerberos is not supported in fips mode")
+}
diff --git a/libbeat/common/transport/kerberos/config_fips_test.go b/libbeat/common/transport/kerberos/config_fips_test.go
new file mode 100644
index 000000000000..d8f9bedd88fa
--- /dev/null
+++ b/libbeat/common/transport/kerberos/config_fips_test.go
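Review bot: Validate in the requirefips build returns a fresh `errors.New` value on every call, while the package already exposes the sentinel `ErrInvalidAuthType` for its other validation failure; callers cannot use `errors.Is` on the FIPS rejection, and config_fips_test.go is forced to match the message text with `require.EqualError`. Export it next to the existing sentinel, `var ErrFIPSUnsupported = errors.New("kerberos is not supported in fips mode")`, and `return ErrFIPSUnsupported` here, so the test can use `require.ErrorIs`. The exported method also has no doc comment; `// Validate always fails: Kerberos authentication is not available in builds made with the requirefips tag, regardless of the configured fields.` would record why the receiver is never read. In the test, a config populated the way config_nofips_test.go populates it (AuthType, Username, Password) would demonstrate that the rejection does not depend on the config's contents, which is the property this gate relies on.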
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kerberos
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestConfigValidate(t *testing.T) {
+	cfg := &Config{}
+	err := cfg.Validate()
+	require.EqualError(t, err, "kerberos is not supported in fips mode")
+}
diff --git a/libbeat/common/transport/kerberos/config_nofips.go b/libbeat/common/transport/kerberos/config_nofips.go
new file mode 100644
index 000000000000..161f4c4a7beb
--- /dev/null
+++ b/libbeat/common/transport/kerberos/config_nofips.go
@@ -0,0 +1,43 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kerberos
+
+import "fmt"
+
+func (c *Config) Validate() error {
+	switch c.AuthType {
+	case authPassword:
+		if c.Username == "" {
+			return fmt.Errorf("password authentication is selected for Kerberos, but username is not configured")
+		}
+		if c.Password == "" {
+			return fmt.Errorf("password authentication is selected for Kerberos, but password is not configured")
+		}
+
+	case authKeytab:
+		if c.KeyTabPath == "" {
+			return fmt.Errorf("keytab authentication is selected for Kerberos, but path to keytab is not configured")
+		}
+	default:
+		return ErrInvalidAuthType
+	}
+
+	return nil
+}
diff --git a/libbeat/common/transport/kerberos/config_nofips_test.go b/libbeat/common/transport/kerberos/config_nofips_test.go
new file mode 100644
index 000000000000..5262f4c5f735
--- /dev/null
+++ b/libbeat/common/transport/kerberos/config_nofips_test.go
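Review bot: Validate is moved verbatim, so its three `fmt.Errorf` calls still carry no format verbs and build fresh, non-comparable errors, while the `default` branch returns the sentinel `ErrInvalidAuthType`; `errors.New` for each (e.g. `return errors.New("password authentication is selected for Kerberos, but username is not configured")`, with the `fmt` import replaced by `errors`) or package-level `Err…` sentinels matching the existing one would be consistent and let callers and tests use `errors.Is`. Now that the method lives in its own file, the exported name also needs a doc comment; `// Validate checks that the fields required by the selected AuthType are set and returns ErrInvalidAuthType for an unrecognised (including zero) AuthType.` states the contract. The password branch of NewClient in client_nofips.go also hands `config.Realm` to the client library, which Validate never requires; whether an empty realm is acceptable depends on that library's defaulting, which is not visible in this commit, so it may be worth confirming.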
@@ -0,0 +1,36 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kerberos
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestConfigValidate(t *testing.T) {
+	cfg := &Config{
+		AuthType: authPassword,
+		Username: "username",
+		Password: "password",
+	}
+	err := cfg.Validate()
+	require.NoError(t, err)
+}
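Review bot: TestConfigValidate covers only the success path for password auth, so none of the rejections Validate exists for — a missing username or password, keytab auth without a path, and the zero AuthType that maps to `ErrInvalidAuthType` — are exercised, and `ErrInvalidAuthType` is exactly the value this commit renamed and that NewClient in client_nofips.go also returns. A table-driven test over those cases, asserting the sentinel with `require.ErrorIs` and a message fragment for the others, would pin the behaviour the commit moved into this build-tagged file. The keytab path below is a constructed sample; any non-empty string satisfies the check.
```go
func TestConfigValidate(t *testing.T) {
	cases := map[string]struct {
		cfg     Config
		wantErr error  // sentinel expected via errors.Is; nil when not a sentinel case
		wantMsg string // fragment expected in the error message; "" means success expected
	}{
		"password ok":          {cfg: Config{AuthType: authPassword, Username: "username", Password: "password"}},
		"password no username": {cfg: Config{AuthType: authPassword, Password: "password"}, wantMsg: "username is not configured"},
		"password no password": {cfg: Config{AuthType: authPassword, Username: "username"}, wantMsg: "password is not configured"},
		"keytab ok":            {cfg: Config{AuthType: authKeytab, KeyTabPath: "sample.keytab"}}, // constructed sample path
		"keytab no path":       {cfg: Config{AuthType: authKeytab}, wantMsg: "keytab is not configured"},
		"zero auth type":       {cfg: Config{}, wantErr: ErrInvalidAuthType},
	}
	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			err := tc.cfg.Validate()
			switch {
			case tc.wantErr != nil:
				require.ErrorIs(t, err, tc.wantErr)
			case tc.wantMsg != "":
				require.ErrorContains(t, err, tc.wantMsg)
			default:
				require.NoError(t, err)
			}
		})
	}
}
```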