elastic · jkakavas · Aug 20, 2018 · Aug 16, 2018 · Aug 16, 2018 · Aug 16, 2018
diff --git a/...rity/src/main/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheck.java b/...rity/src/main/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheck.java
@@ -13,12 +13,6 @@
 
 public class FIPS140JKSKeystoreBootstrapCheck implements BootstrapCheck {
 
-    private final boolean fipsModeEnabled;
-
-    FIPS140JKSKeystoreBootstrapCheck(Settings settings) {
-        this.fipsModeEnabled = XPackSettings.FIPS_MODE_ENABLED.get(settings);
-    }
-
     /**
      * Test if the node fails the check.
      *
@@ -28,7 +22,7 @@ public class FIPS140JKSKeystoreBootstrapCheck implements BootstrapCheck {
     @Override
     public BootstrapCheckResult check(BootstrapContext context) {
 
-        if (fipsModeEnabled) {
+        if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
             final Settings settings = context.settings;
             Settings keystoreTypeSettings = settings.filter(k -> k.endsWith("keystore.type"))
                 .filter(k -> settings.get(k).equalsIgnoreCase("jks"));
@@ -50,6 +44,6 @@ public BootstrapCheckResult check(BootstrapContext context) {
 
     @Override
     public boolean alwaysEnforce() {
-        return fipsModeEnabled;
+        return true;
     }
 }
diff --git a/...security/src/main/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheck.java b/...security/src/main/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheck.java
@@ -10,6 +10,7 @@
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.LicenseService;
+import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.EnumSet;
 
@@ -21,15 +22,9 @@ final class FIPS140LicenseBootstrapCheck implements BootstrapCheck {
     static final EnumSet<License.OperationMode> ALLOWED_LICENSE_OPERATION_MODES =
         EnumSet.of(License.OperationMode.PLATINUM, License.OperationMode.TRIAL);
 
-    private final boolean isInFipsMode;
-
-    FIPS140LicenseBootstrapCheck(boolean isInFipsMode) {
-        this.isInFipsMode = isInFipsMode;
-    }
-
     @Override
     public BootstrapCheckResult check(BootstrapContext context) {
-        if (isInFipsMode) {
+        if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
             License license = LicenseService.getLicense(context.metaData);
             if (license != null && ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode()) == false) {
                 return BootstrapCheckResult.failure("FIPS mode is only allowed with a Platinum or Trial license");

diff --git a/.../java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java b/.../java/org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheck.java
@@ -7,19 +7,12 @@
 
 import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
-import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.Locale;
 
 public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapCheck {
 
-    private final boolean fipsModeEnabled;
-
-    FIPS140PasswordHashingAlgorithmBootstrapCheck(final Settings settings) {
-        this.fipsModeEnabled = XPackSettings.FIPS_MODE_ENABLED.get(settings);
-    }
-
     /**
      * Test if the node fails the check.
      *
@@ -28,7 +21,7 @@ public class FIPS140PasswordHashingAlgorithmBootstrapCheck implements BootstrapC
      */
     @Override
     public BootstrapCheckResult check(final BootstrapContext context) {
-        if (fipsModeEnabled) {
+        if (XPackSettings.FIPS_MODE_ENABLED.get(context.settings)) {
             final String selectedAlgorithm = XPackSettings.PASSWORD_HASHING_ALGORITHM.get(context.settings);
             if (selectedAlgorithm.toLowerCase(Locale.ROOT).startsWith("pbkdf2") == false) {
                 return BootstrapCheckResult.failure("Only PBKDF2 is allowed for password hashing in a FIPS-140 JVM. Please set the " +

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -300,9 +300,9 @@ public Security(Settings settings, final Path configPath) {
                 new PkiRealmBootstrapCheck(getSslService()),
                 new TLSLicenseBootstrapCheck(),
                 new FIPS140SecureSettingsBootstrapCheck(settings, env),
-                new FIPS140JKSKeystoreBootstrapCheck(settings),
-                new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings),
-                new FIPS140LicenseBootstrapCheck(XPackSettings.FIPS_MODE_ENABLED.get(settings))));
+                new FIPS140JKSKeystoreBootstrapCheck(),
+                new FIPS140PasswordHashingAlgorithmBootstrapCheck(),
+                new FIPS140LicenseBootstrapCheck()));
             checks.addAll(InternalRealms.getBootstrapChecks(settings, env));
             this.bootstrapChecks = Collections.unmodifiableList(checks);
             Automatons.updateMaxDeterminizedStates(settings);

diff --git a/...src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java b/...src/test/java/org/elasticsearch/xpack/security/FIPS140JKSKeystoreBootstrapCheckTests.java
@@ -14,53 +14,53 @@ public class FIPS140JKSKeystoreBootstrapCheckTests extends ESTestCase {
     public void testNoKeystoreIsAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true");
-        assertFalse(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertFalse(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testSSLKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.ssl.keystore.path", "/this/is/the/path")
             .put("xpack.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testSSLImplicitKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.ssl.keystore.path", "/this/is/the/path")
             .put("xpack.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testTransportSSLKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.security.transport.ssl.keystore.path", "/this/is/the/path")
             .put("xpack.security.transport.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testHttpSSLKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.security.http.ssl.keystore.path", "/this/is/the/path")
             .put("xpack.security.http.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testRealmKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.security.authc.realms.ldap.ssl.keystore.path", "/this/is/the/path")
             .put("xpack.security.authc.realms.ldap.ssl.keystore.type", "JKS");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 
     public void testImplicitRealmKeystoreTypeIsNotAllowed() {
         final Settings.Builder settings = Settings.builder()
             .put("xpack.security.fips_mode.enabled", "true")
             .put("xpack.security.authc.realms.ldap.ssl.keystore.path", "/this/is/the/path");
-        assertTrue(new FIPS140JKSKeystoreBootstrapCheck(settings.build()).check(new BootstrapContext(settings.build(), null)).isFailure());
+        assertTrue(new FIPS140JKSKeystoreBootstrapCheck().check(new BootstrapContext(settings.build(), null)).isFailure());
     }
 }
diff --git a/...ity/src/test/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheckTests.java b/...ity/src/test/java/org/elasticsearch/xpack/security/FIPS140LicenseBootstrapCheckTests.java
@@ -17,27 +17,29 @@
 public class FIPS140LicenseBootstrapCheckTests extends ESTestCase {
 
     public void testBootstrapCheck() throws Exception {
-        assertTrue(new FIPS140LicenseBootstrapCheck(false)
-            .check(new BootstrapContext(Settings.EMPTY, MetaData.EMPTY_META_DATA)).isSuccess());
-        assertTrue(new FIPS140LicenseBootstrapCheck(randomBoolean())
+        assertTrue(new FIPS140LicenseBootstrapCheck()
             .check(new BootstrapContext(Settings.EMPTY, MetaData.EMPTY_META_DATA)).isSuccess());
+        assertTrue(new FIPS140LicenseBootstrapCheck()
+            .check(new BootstrapContext(Settings.builder().put("xpack.security.fips_mode.enabled", randomBoolean()).build(), MetaData
+                .EMPTY_META_DATA)).isSuccess());
 
-        License license = TestUtils.generateSignedLicense(TimeValue.timeValueHours(24));
         MetaData.Builder builder = MetaData.builder();
+        License license = TestUtils.generateSignedLicense(TimeValue.timeValueHours(24));
         TestUtils.putLicense(builder, license);
         MetaData metaData = builder.build();
+
         if (FIPS140LicenseBootstrapCheck.ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode())) {
-            assertTrue(new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+            assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
                 Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).isSuccess());
-            assertTrue(new FIPS140LicenseBootstrapCheck(false).check(new BootstrapContext(
+            assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
                 Settings.builder().put("xpack.security.fips_mode.enabled", false).build(), metaData)).isSuccess());
         } else {
-            assertTrue(new FIPS140LicenseBootstrapCheck(false).check(new BootstrapContext(
+            assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
                 Settings.builder().put("xpack.security.fips_mode.enabled", false).build(), metaData)).isSuccess());
-            assertTrue(new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+            assertTrue(new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
                 Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).isFailure());
             assertEquals("FIPS mode is only allowed with a Platinum or Trial license",
-                new FIPS140LicenseBootstrapCheck(true).check(new BootstrapContext(
+                new FIPS140LicenseBootstrapCheck().check(new BootstrapContext(
                     Settings.builder().put("xpack.security.fips_mode.enabled", true).build(), metaData)).getMessage());
         }
     }

diff --git a/.../org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java b/.../org/elasticsearch/xpack/security/FIPS140PasswordHashingAlgorithmBootstrapCheckTests.java
@@ -25,7 +25,7 @@ public void testPBKDF2AlgorithmIsAllowed() {
                     .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2_10000")
                     .build();
             final BootstrapCheck.BootstrapCheckResult result =
-                    new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+                    new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
             assertFalse(result.isFailure());
         }
 
@@ -35,7 +35,7 @@ public void testPBKDF2AlgorithmIsAllowed() {
                     .put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), "PBKDF2")
                     .build();
             final BootstrapCheck.BootstrapCheckResult result =
-                    new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+                    new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
             assertFalse(result.isFailure());
         }
     }
@@ -55,7 +55,7 @@ private void runBCRYPTTest(final boolean fipsModeEnabled, final String passwordH
         }
         final Settings settings = builder.build();
         final BootstrapCheck.BootstrapCheckResult result =
-                new FIPS140PasswordHashingAlgorithmBootstrapCheck(settings).check(new BootstrapContext(settings, null));
+                new FIPS140PasswordHashingAlgorithmBootstrapCheck().check(new BootstrapContext(settings, null));
         assertThat(result.isFailure(), equalTo(fipsModeEnabled));
     }