[FTR](platform-security) update common serverless api tests to use ap…

…i keys (elastic#184935) ## Summary - Update files within: `x-pack/test_serverless/api_integration/test_suites/common/platform_security/` Contributes to: elastic#180834 --------- Co-authored-by: Kibana Machine <[email protected]>
achyutjhunjhunwala · Jun 21, 2024 · 73ef3cf · 73ef3cf
1 parent c0eba7c
commit 73ef3cf
Show file tree

Hide file tree

Showing 18 changed files with 582 additions and 286 deletions.
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/anonymous.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/anonymous.ts
@@ -6,25 +6,38 @@
  */
 
 import { FtrProviderContext } from '../../../ftr_provider_context';
+import { InternalRequestHeader, RoleCredentials } from '../../../../shared/services';
 
 export default function ({ getService }: FtrProviderContext) {
   const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertest');
+  const svlUserManager = getService('svlUserManager');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  let roleAuthc: RoleCredentials;
+  let internalReqHeader: InternalRequestHeader;
 
   describe('security/anonymous', function () {
+    before(async () => {
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+      internalReqHeader = svlCommonApi.getInternalRequestHeader();
+    });
+    after(async () => {
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
     describe('route access', () => {
       describe('disabled', () => {
         it('get access capabilities', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestWithoutAuth
             .get('/internal/security/anonymous_access/capabilities')
-            .set(svlCommonApi.getCommonRequestHeader());
+            .set(internalReqHeader)
+            .set(roleAuthc.apiKeyHeader);
           svlCommonApi.assertApiNotFound(body, status);
         });
 
         it('get access state', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestWithoutAuth
             .get('/internal/security/anonymous_access/state')
-            .set(svlCommonApi.getCommonRequestHeader());
+            .set(internalReqHeader)
+            .set(roleAuthc.apiKeyHeader);
           svlCommonApi.assertApiNotFound(body, status);
         });
       });

diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts
@@ -7,18 +7,28 @@
 
 import expect from 'expect';
 import { FtrProviderContext } from '../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../shared/services';
 
 export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertest');
   let roleMapping: { id: string; name: string; api_key: string; encoded: string };
-
+  const supertest = getService('supertest');
+  const svlCommonApi = getService('svlCommonApi');
+  const svlUserManager = getService('svlUserManager');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  let roleAuthc: RoleCredentials;
   describe('security/api_keys', function () {
+    before(async () => {
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+    after(async () => {
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
     describe('route access', () => {
       describe('internal', () => {
         before(async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestWithoutAuth
             .post('/internal/security/api_key')
+            .set(roleAuthc.cookieHeader)
             .set(svlCommonApi.getInternalRequestHeader())
             .send({
               name: 'test',
@@ -29,14 +39,16 @@ export default function ({ getService }: FtrProviderContext) {
           roleMapping = body;
         });
 
-        after(async () => {
-          const { body, status } = await supertest
+        after(async function invalidateAll() {
+          const { body, status } = await supertestWithoutAuth
             .get('/internal/security/api_key?isAdmin=true')
+            .set(roleAuthc.cookieHeader)
             .set(svlCommonApi.getInternalRequestHeader());
 
           if (status === 200) {
-            await supertest
+            await supertestWithoutAuth
               .post('/internal/security/api_key/invalidate')
+              .set(roleAuthc.cookieHeader)
               .set(svlCommonApi.getInternalRequestHeader())
               .send({
                 apiKeys: body?.apiKeys,
@@ -54,23 +66,22 @@ export default function ({ getService }: FtrProviderContext) {
             role_descriptors: {},
           };
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .post('/internal/security/api_key')
             .set(svlCommonApi.getCommonRequestHeader())
             .send(requestBody));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
-            statusCode: 400,
-            error: 'Bad Request',
-            message: expect.stringContaining(
-              'method [post] exists but is not available with the current configuration'
-            ),
+            statusCode: 401,
+            error: 'Unauthorized',
+            message: expect.stringContaining('Unauthorized'),
           });
-          expect(status).toBe(400);
+          expect(status).toBe(401);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .post('/internal/security/api_key')
             .set(svlCommonApi.getInternalRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody));
           // expect success because we're using the internal header
           expect(body).toEqual(expect.objectContaining({ name: 'create_test' }));
@@ -86,9 +97,10 @@ export default function ({ getService }: FtrProviderContext) {
             role_descriptors: {},
           };
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .put('/internal/security/api_key')
             .set(svlCommonApi.getCommonRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
@@ -100,9 +112,10 @@ export default function ({ getService }: FtrProviderContext) {
           });
           expect(status).toBe(400);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .put('/internal/security/api_key')
             .set(svlCommonApi.getInternalRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody));
           // expect success because we're using the internal header
           expect(body).toEqual(expect.objectContaining({ updated: true }));
@@ -115,7 +128,8 @@ export default function ({ getService }: FtrProviderContext) {
 
           ({ body, status } = await supertest
             .get('/internal/security/api_key/_enabled')
-            .set(svlCommonApi.getCommonRequestHeader()));
+            .set(svlCommonApi.getCommonRequestHeader())
+            .set(roleAuthc.cookieHeader));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
             statusCode: 400,
@@ -126,8 +140,9 @@ export default function ({ getService }: FtrProviderContext) {
           });
           expect(status).toBe(400);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .get('/internal/security/api_key/_enabled')
+            .set(roleAuthc.cookieHeader)
             .set(svlCommonApi.getInternalRequestHeader()));
           // expect success because we're using the internal header
           expect(body).toEqual({ apiKeysEnabled: true });
@@ -147,9 +162,10 @@ export default function ({ getService }: FtrProviderContext) {
             isAdmin: true,
           };
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .post('/internal/security/api_key/invalidate')
             .set(svlCommonApi.getCommonRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
@@ -161,9 +177,10 @@ export default function ({ getService }: FtrProviderContext) {
           });
           expect(status).toBe(400);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestWithoutAuth
             .post('/internal/security/api_key/invalidate')
             .set(svlCommonApi.getInternalRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody));
           // expect success because we're using the internal header
           expect(body).toEqual({
@@ -188,9 +205,10 @@ export default function ({ getService }: FtrProviderContext) {
             size: 1,
           };
 
-          const { body } = await supertest
+          const { body } = await supertestWithoutAuth
             .post('/internal/security/api_key/_query')
             .set(svlCommonApi.getInternalRequestHeader())
+            .set(roleAuthc.cookieHeader)
             .send(requestBody)
             .expect(200);
 

diff --git a/...ck/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts b/...ck/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts
@@ -7,27 +7,38 @@
 
 import expect from 'expect';
 import { FtrProviderContext } from '../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../shared/services';
 
 export default function ({ getService }: FtrProviderContext) {
-  const svlCommonApi = getService('svlCommonApi');
   const supertest = getService('supertest');
   const config = getService('config');
 
+  const svlCommonApi = getService('svlCommonApi');
+  const svlUserManager = getService('svlUserManager');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  let roleAuthc: RoleCredentials;
   describe('security/authentication', function () {
+    before(async () => {
+      roleAuthc = await svlUserManager.createApiKeyForRole('admin');
+    });
+    after(async () => {
+      await svlUserManager.invalidateApiKeyForRole(roleAuthc);
+    });
     describe('route access', () => {
       describe('disabled', () => {
         // ToDo: uncomment when we disable login
         // it('login', async () => {
-        //   const { body, status } = await supertest
+        //   const { body, status } = await supertestWithoutAuth
         //     .post('/internal/security/login')
-        //     .set(svlCommonApi.getInternalRequestHeader());
+        //     .set(svlCommonApi.getInternalRequestHeader()).set(roleAuthc.apiKeyHeader)
         //   svlCommonApi.assertApiNotFound(body, status);
         // });
 
         it('logout (deprecated)', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestWithoutAuth
             .get('/api/security/v1/logout')
-            .set(svlCommonApi.getInternalRequestHeader());
+            .set(svlCommonApi.getInternalRequestHeader())
+            .set(roleAuthc.apiKeyHeader);
           svlCommonApi.assertApiNotFound(body, status);
         });
 

diff --git a/...st_serverless/api_integration/test_suites/common/platform_security/authentication_http.ts b/...st_serverless/api_integration/test_suites/common/platform_security/authentication_http.ts
@@ -9,7 +9,7 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const svlCommonApi = getService('svlCommonApi');
-  const supertest = getService('supertestWithoutAuth');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
 
   describe('security/authentication/http', function () {
     describe('JWT', () => {
@@ -28,7 +28,7 @@ export default function ({ getService }: FtrProviderContext) {
           '/internal/task_manager/_background_task_utilization',
           '/api/task_manager/metrics',
         ]) {
-          await supertest
+          await supertestWithoutAuth
             .get(allowedPath)
             .set('Authorization', `Bearer ${jsonWebToken}`)
             .set('ES-Client-Authentication', 'SharedSecret my_super_secret')
@@ -37,14 +37,14 @@ export default function ({ getService }: FtrProviderContext) {
         }
 
         // Make sure it's not possible to use JWT to have interactive sessions.
-        await supertest
+        await supertestWithoutAuth
           .get('/')
           .set('Authorization', `Bearer ${jsonWebToken}`)
           .set('ES-Client-Authentication', 'SharedSecret my_super_secret')
           .expect(401);
 
         // Make sure it's not possible to use JWT to access any other APIs.
-        await supertest
+        await supertestWithoutAuth
           .get('/internal/security/me')
           .set('Authorization', `Bearer ${jsonWebToken}`)
           .set('ES-Client-Authentication', 'SharedSecret my_super_secret')