Allow Filebeat modules to be excluded from FIPS-capable artifacts

filebeat/beater/crawler.go

@@ -140,6 +140,10 @@ func (c *crawler) startInput(
 		inputRunner.Once = c.once
 	}
 
+	if err := checkFIPSCapability(runner); err != nil {
+		return err
+	}
+
 	c.inputs[id] = runner
 
 	c.log.Infof("Starting input (ID: %d)", id)

filebeat/beater/crawler_fips.go

@@ -0,0 +1,43 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package beater
+
+import (
+	"fmt"
+
+	v2 "github.com/elastic/beats/v7/filebeat/input/v2"
+	"github.com/elastic/beats/v7/libbeat/cfgfile"
+)
+
+func checkFIPSCapability(runner cfgfile.Runner) error {
+	fipsAwareInput, ok := runner.(v2.FIPSAwareInput)
+	if !ok {
+		// Input is not FIPS-aware; assume it's FIPS capable and proceed
+		// without error
+		return nil
+	}
+
+	if fipsAwareInput.IsFIPSCapable() {
+		// Input is FIPS-capable, proceed without error
+		return nil
+	}
+
+	return fmt.Errorf("running a FIPS-capable distribution but input %s is not FIPS capable", runner.String())
+}

filebeat/beater/crawler_nofips.go

@@ -0,0 +1,28 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package beater
+
+import "github.com/elastic/beats/v7/libbeat/cfgfile"
+
+func checkFIPSCapability(_ cfgfile.Runner) error {
+	// In non-FIPS builds, we assume all inputs are FIPS capable
+	// and proceed without error
+	return nil
+}

filebeat/input/v2/compat/compat.go

@@ -229,3 +229,12 @@ func (f *factory) generateCheckConfig(config *conf.C) (*conf.C, error) {
 
 	return testCfg, nil
 }
+
+func (r *runner) IsFIPSCapable() bool {
+	if fipsAwareInput, ok := r.input.(v2.FIPSAwareInput); ok {
+		return fipsAwareInput.IsFIPSCapable()
+	}
+
+	// Input does not implement FIPSAwareInput, assume it is FIPS-capable
+	return true
+}

filebeat/input/v2/input-cursor/input.go

@@ -87,6 +87,13 @@
 	return nil
 }
 
+func (inp *managedInput) IsFIPSCapable() bool {
+	if fipsAware, ok := inp.input.(input.FIPSAwareInput); ok {
+		return fipsAware.IsFIPSCapable()
+	}
+	return true
+}
+
 func (inp *managedInput) testSource(ctx input.TestContext, source Source) (err error) {
 	defer func() {
 		if v := recover(); v != nil {
@@ -224,6 +231,6 @@
 		if n == 0 {
 			return
 		}
 		private[last].(*updateOp).Execute(n)
 	})
 }

filebeat/input/v2/input.go

@@ -78,6 +78,13 @@ type Input interface {
 	Run(Context, beat.PipelineConnector) error
 }
 
+// FIPSAwareInput is able to report if it is FIPS capable or not.
+type FIPSAwareInput interface {
+	// IsFIPSCapable returns true if the input is capable of running with
+	// FIPS-compliant algorithms; false, otherwise.
+	IsFIPSCapable() bool
+}
+
 // Context provides the Input Run function with common environmental
 // information and services.
 type Context struct {

x-pack/filebeat/input/o365audit/input.go

@@ -93,8 +93,12 @@
 
 func (inp *o365input) Name() string { return pluginName }
 
+func (inp *o365input) IsFIPSCapable() bool {
+	return false
+}
+
 func (inp *o365input) Test(src cursor.Source, ctx v2.TestContext) error {
 	tenantID := src.(*stream).tenantID
 	auth, err := inp.config.NewTokenProvider(tenantID)
 	if err != nil {
 		return err