Do not embed credentials into ES URL and enable anonymous tests. (el…
azasypkin committed Jan 12, 2021
1 parent 7f1fc0c commit 23ab04b
Showing 10 changed files with 34 additions and 27 deletions.
9 changes: 8 additions & 1 deletion test/common/config.js
Expand Up @@ -44,7 +44,14 @@ export default function () {
'--logging.json=false',
`--server.port=${kbnTestConfig.getPort()}`,
'--status.allowAnonymous=true',
`--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
// We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should
// either include `kibanaServerTestUser` credentials, or credentials provided by the test
// user, or none at all in case anonymous access is used.
`--elasticsearch.hosts=${formatUrl(
Object.fromEntries(
Object.entries(servers.elasticsearch).filter(([key]) => key.toLowerCase() !== 'auth')
)
)}`,
`--elasticsearch.username=${kibanaServerTestUser.username}`,
`--elasticsearch.password=${kibanaServerTestUser.password}`,
`--home.disableWelcomeScreen=true`,
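Review bot: The new filter `key.toLowerCase() !== 'auth'` compares case-insensitively, yet every other hunk in this commit reads the same field as `servers.elasticsearch.auth`, so the lowercased compare only obscures which property is being dropped. A rest destructure placed before the array states the intent directly: `const { auth: _auth, ...esServerWithoutAuth } = servers.elasticsearch;`, after which the hosts entry is simply `formatUrl(esServerWithoutAuth)`. That is equivalent only if `formatUrl` takes credentials from `auth` alone, which Node's `url.format` does; the import is outside the hunk, so confirm. Note that the unchanged `--elasticsearch.username`/`--elasticsearch.password` flags on the following lines still carry the credentials on the command line, so this change keeps them out of the host URL rather than out of the process arguments. The enclosing `export default function ()` starts outside the hunk.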
1 change: 1 addition & 0 deletions x-pack/scripts/functional_tests.js
Expand Up @@ -45,6 +45,7 @@ require('@kbn/test').runTestsCli([
require.resolve('../test/security_api_integration/oidc_implicit_flow.config.ts'),
require.resolve('../test/security_api_integration/token.config.ts'),
require.resolve('../test/security_api_integration/anonymous.config.ts'),
require.resolve('../test/security_api_integration/anonymous_es_anonymous.config.ts'),
require.resolve('../test/observability_api_integration/basic/config.ts'),
require.resolve('../test/observability_api_integration/trial/config.ts'),
require.resolve('../test/encrypted_saved_objects_api_integration/config'),
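Review bot: The added `require.resolve('../test/security_api_integration/anonymous_es_anonymous.config.ts')` refers to a config file that is not among the ten files this commit touches, so it must already exist in the tree; worth confirming, since `require.resolve` throws synchronously while the array is built and would stop every config in this list from running, not only the new one. The `runTestsCli([...])` call continues outside the hunk.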
11 changes: 5 additions & 6 deletions x-pack/test/functional/page_objects/security_page.ts
Expand Up @@ -4,6 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { adminTestUser } from '@kbn/test';
import { FtrProviderContext } from '../ftr_provider_context';
import { AuthenticatedUser, Role } from '../../../plugins/security/common/model';

Expand Down Expand Up @@ -122,9 +123,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
await browser.setLocalStorageItem('home:welcome:show', 'false');
await waitForLoginForm();

const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
await testSubjects.setValue('loginUsername', username || superUsername);
await testSubjects.setValue('loginPassword', password || superPassword);
await testSubjects.setValue('loginUsername', username || adminTestUser.username);
await testSubjects.setValue('loginPassword', password || adminTestUser.password);
await testSubjects.click('loginSubmit');

await waitForLoginResult(
Expand Down Expand Up @@ -162,9 +162,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
if (providerType === 'basic' || providerType === 'token') {
await waitForLoginForm();

const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
await testSubjects.setValue('loginUsername', options?.username ?? superUsername);
await testSubjects.setValue('loginPassword', options?.password ?? superPassword);
await testSubjects.setValue('loginUsername', options?.username ?? adminTestUser.username);
await testSubjects.setValue('loginPassword', options?.password ?? adminTestUser.password);
await testSubjects.click('loginSubmit');
}

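Review bot: The first hunk keeps `username || adminTestUser.username` while the second uses `options?.username ?? adminTestUser.username` for the same fallback, so an empty-string `username` means "log in as the admin user" on one path and is sent literally on the other. If `username` and `password` are optional parameters, `??` is the accurate default in both places: `await testSubjects.setValue('loginUsername', username ?? adminTestUser.username);` and the matching `password ?? adminTestUser.password` line. Either way, the fallback now quietly logs in as the shared admin test user, which deserves a one-line comment such as `// Falls back to the admin test user; credentials are no longer read from the ES URL.` Both methods begin outside the hunks, and whether `config` is still used elsewhere in the file after these removals is not visible here.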
6 changes: 3 additions & 3 deletions x-pack/test/security_api_integration/tests/anonymous/login.ts
Expand Up @@ -6,6 +6,7 @@

import expect from '@kbn/expect';
import request, { Cookie } from 'request';
import { adminTestUser } from '@kbn/test';
import { FtrProviderContext } from '../../ftr_provider_context';

export default function ({ getService }: FtrProviderContext) {
Expand Down Expand Up @@ -55,15 +56,14 @@ export default function ({ getService }: FtrProviderContext) {
});

it('does not prevent basic login', async () => {
const [username, password] = config.get('servers.elasticsearch.auth').split(':');
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username, password },
params: { username: adminTestUser.username, password: adminTestUser.password },
})
.expect(200);

Expand All @@ -79,7 +79,7 @@ export default function ({ getService }: FtrProviderContext) {
.set('Cookie', cookie.cookieString())
.expect(200);

expect(user.username).to.eql(username);
expect(user.username).to.eql(adminTestUser.username);
expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic1' });
expect(user.authentication_type).to.eql('realm');
// Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
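Review bot: With the `config.get('servers.elasticsearch.auth')` line removed, this test's only visible use of the `config` service is gone; if nothing else in the file reads it, the `const config = getService('config')` declared outside the hunk is now an unused local that the linter will flag. The same applies to the next section (its file header is missing from the page; the `getMutualAuthenticationResponseToken` import suggests the Kerberos test) and to the OIDC section, where `const config = getService('config');` is still visible in the hunk after its sole use was deleted, whereas pki_auth.ts in this same commit does drop its declaration. The `describe` body and the `config` declaration start outside this hunk, so confirm there is no remaining reader before removing.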
Expand Up @@ -7,6 +7,7 @@
import expect from '@kbn/expect';
import request, { Cookie } from 'request';
import { delay } from 'bluebird';
import { adminTestUser } from '@kbn/test';
import { FtrProviderContext } from '../../ftr_provider_context';
import {
getMutualAuthenticationResponseToken,
Expand Down Expand Up @@ -54,15 +55,14 @@ export default function ({ getService }: FtrProviderContext) {
});

it('does not prevent basic login', async () => {
const [username, password] = config.get('servers.elasticsearch.auth').split(':');
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic',
currentURL: '/',
params: { username, password },
params: { username: adminTestUser.username, password: adminTestUser.password },
})
.expect(200);

Expand All @@ -78,7 +78,7 @@ export default function ({ getService }: FtrProviderContext) {
.set('Cookie', cookie.cookieString())
.expect(200);

expect(user.username).to.eql(username);
expect(user.username).to.eql(adminTestUser.username);
expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
expect(user.authentication_type).to.eql('realm');
// Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
Expand Up @@ -8,28 +8,27 @@ import expect from '@kbn/expect';
import request, { Cookie } from 'request';
import url from 'url';
import { delay } from 'bluebird';
import { adminTestUser } from '@kbn/test';
import { getStateAndNonce } from '../../../fixtures/oidc/oidc_tools';
import { FtrProviderContext } from '../../../ftr_provider_context';

export default function ({ getService }: FtrProviderContext) {
const supertest = getService('supertestWithoutAuth');
const config = getService('config');

describe('OpenID Connect authentication', () => {
it('should reject API requests if client is not authenticated', async () => {
await supertest.get('/internal/security/me').set('kbn-xsrf', 'xxx').expect(401);
});

it('does not prevent basic login', async () => {
const [username, password] = config.get('servers.elasticsearch.auth').split(':');
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic',
currentURL: '/',
params: { username, password },
params: { username: adminTestUser.username, password: adminTestUser.password },
})
.expect(200);

Expand All @@ -42,10 +41,10 @@ export default function ({ getService }: FtrProviderContext) {
.set('Cookie', request.cookie(cookies[0])!.cookieString())
.expect(200);

expect(user.username).to.eql(username);
expect(user.username).to.eql(adminTestUser.username);
expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
expect(user.authentication_type).to.be('realm');
// Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud
// Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
});

describe('initiating handshake', () => {
7 changes: 3 additions & 4 deletions x-pack/test/security_api_integration/tests/pki/pki_auth.ts
Expand Up @@ -10,6 +10,7 @@ import { delay } from 'bluebird';
import { readFileSync } from 'fs';
import { resolve } from 'path';
import { CA_CERT_PATH } from '@kbn/dev-utils';
import { adminTestUser } from '@kbn/test';
import { FtrProviderContext } from '../../ftr_provider_context';

const CA_CERT = readFileSync(CA_CERT_PATH);
Expand All @@ -21,7 +22,6 @@ const UNTRUSTED_CLIENT_CERT = readFileSync(

export default function ({ getService }: FtrProviderContext) {
const supertest = getService('supertestWithoutAuth');
const config = getService('config');

function checkCookieIsSet(cookie: Cookie) {
expect(cookie.value).to.not.be.empty();
Expand Down Expand Up @@ -64,7 +64,6 @@ export default function ({ getService }: FtrProviderContext) {
});

it('does not prevent basic login', async () => {
const [username, password] = config.get('servers.elasticsearch.auth').split(':');
const response = await supertest
.post('/internal/security/login')
.ca(CA_CERT)
Expand All @@ -74,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) {
providerType: 'basic',
providerName: 'basic',
currentURL: '/',
params: { username, password },
params: { username: adminTestUser.username, password: adminTestUser.password },
})
.expect(200);

Expand All @@ -92,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) {
.set('Cookie', cookie.cookieString())
.expect(200);

expect(user.username).to.eql(username);
expect(user.username).to.eql(adminTestUser.username);
expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
// Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
});
6 changes: 3 additions & 3 deletions x-pack/test/security_api_integration/tests/saml/saml_login.ts
Expand Up @@ -9,6 +9,7 @@ import url from 'url';
import { delay } from 'bluebird';
import expect from '@kbn/expect';
import request, { Cookie } from 'request';
import { adminTestUser } from '@kbn/test';
import {
getLogoutRequest,
getSAMLRequestId,
Expand Down Expand Up @@ -75,15 +76,14 @@ export default function ({ getService }: FtrProviderContext) {
});

it('does not prevent basic login', async () => {
const [username, password] = config.get('servers.elasticsearch.auth').split(':');
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic',
currentURL: '/',
params: { username, password },
params: { username: adminTestUser.username, password: adminTestUser.password },
})
.expect(200);

Expand All @@ -96,7 +96,7 @@ export default function ({ getService }: FtrProviderContext) {
.set('Cookie', request.cookie(cookies[0])!.cookieString())
.expect(200);

expect(user.username).to.eql(username);
expect(user.username).to.eql(adminTestUser.username);
expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
expect(user.authentication_type).to.be('realm');
// Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud
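Review bot: The trailing context line `// Do not assert on the ... as the value differes for on-prem vs cloud` still carries the typo that the OIDC hunk in this same commit corrects (`differes` → `differs`); since the commit already edits this file, fixing the comment here as well keeps the duplicated test bodies in sync. The enclosing `it('does not prevent basic login', ...)` body ends outside the hunk.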
Expand Up @@ -7,6 +7,7 @@
import request, { Cookie } from 'request';
import { delay } from 'bluebird';
import expect from '@kbn/expect';
import { adminTestUser } from '@kbn/test';
import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
import { FtrProviderContext } from '../../ftr_provider_context';
Expand All @@ -17,7 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
const config = getService('config');
const log = getService('log');
const randomness = getService('randomness');
const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
const { username: basicUsername, password: basicPassword } = adminTestUser;
const kibanaServerConfig = config.get('servers.kibana');

async function checkSessionCookie(
Expand Up @@ -7,6 +7,7 @@
import request, { Cookie } from 'request';
import { delay } from 'bluebird';
import expect from '@kbn/expect';
import { adminTestUser } from '@kbn/test';
import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
import { FtrProviderContext } from '../../ftr_provider_context';
Expand All @@ -16,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) {
const es = getService('es');
const config = getService('config');
const randomness = getService('randomness');
const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
const { username: basicUsername, password: basicPassword } = adminTestUser;
const kibanaServerConfig = config.get('servers.kibana');

async function checkSessionCookie(
