From 31e66979b97aeff24d090a3411e9bc4daecece46 Mon Sep 17 00:00:00 2001
From: Aleh Zasypkin
Date: Tue, 12 Jan 2021 13:51:54 +0100
Subject: [PATCH] Do not embedd credentials into ES URL and enable anonymous tests. (#87987)
---
 test/common/config.js | 9 ++++++++-
 x-pack/scripts/functional_tests.js | 1 +
 x-pack/test/functional/page_objects/security_page.ts | 11 +++++------
 .../security_api_integration/tests/anonymous/login.ts | 6 +++---
 .../tests/kerberos/kerberos_login.ts | 6 +++---
 .../tests/oidc/authorization_code_flow/oidc_auth.ts | 9 ++++-----
 .../security_api_integration/tests/pki/pki_auth.ts | 7 +++----
 .../security_api_integration/tests/saml/saml_login.ts | 6 +++---
 .../tests/session_idle/cleanup.ts | 3 ++-
 .../tests/session_lifespan/cleanup.ts | 3 ++-
 10 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/test/common/config.js b/test/common/config.js
index 6c7d64e3e0bc0..6809b87bc807d 100644
--- a/test/common/config.js
+++ b/test/common/config.js
@@ -44,7 +44,14 @@ export default function () {
 '--logging.json=false',
 `--server.port=${kbnTestConfig.getPort()}`,
 '--status.allowAnonymous=true',
- `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
+ // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should
+ // either include `kibanaServerTestUser` credentials, or credentials provided by the test
+ // user, or none at all in case anonymous access is used.
+ `--elasticsearch.hosts=${formatUrl(
+ Object.fromEntries(
+ Object.entries(servers.elasticsearch).filter(([key]) => key.toLowerCase() !== 'auth')
+ )
+ )}`,
 `--elasticsearch.username=${kibanaServerTestUser.username}`,
 `--elasticsearch.password=${kibanaServerTestUser.password}`,
 `--home.disableWelcomeScreen=true`,
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 4067d70384eab..eff3a24a0ff3a 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
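Review bot: The new `--elasticsearch.hosts` argument strips `auth` with an `Object.entries(...).filter(...)` / `Object.fromEntries(...)` round-trip, which reads harder than a rest destructure: `const { auth, ...esServerWithoutAuth } = servers.elasticsearch;` above the array and then `` `--elasticsearch.hosts=${formatUrl(esServerWithoutAuth)}` `` (assuming this file's toolchain accepts object rest — confirm). The case-insensitive key match also looks wider than needed, since the config key removed elsewhere in this patch is spelled `servers.elasticsearch.auth`, and if `formatUrl` wraps Node's `url.format` only the lowercase `auth` field is consulted anyway. The added comment could also state what the change protects: the same credentials are still passed as `--elasticsearch.username`/`--elasticsearch.password` on the context lines below, so removing them from the URL keeps them out of anything that logs or echoes the hosts URL rather than out of the process arguments. The enclosing `export default function ()` starts and ends outside the hunk.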
@@ -45,6 +45,7 @@ const onlyNotInCoverageTests = [ require.resolve('../test/security_api_integration/oidc_implicit_flow.config.ts'), require.resolve('../test/security_api_integration/token.config.ts'), require.resolve('../test/security_api_integration/anonymous.config.ts'), + require.resolve('../test/security_api_integration/anonymous_es_anonymous.config.ts'), require.resolve('../test/observability_api_integration/basic/config.ts'), require.resolve('../test/observability_api_integration/trial/config.ts'), require.resolve('../test/encrypted_saved_objects_api_integration/config.ts'), diff --git a/x-pack/test/functional/page_objects/security_page.ts b/x-pack/test/functional/page_objects/security_page.ts index aca37d3d058e7..cad5e29528e9c 100644 --- a/x-pack/test/functional/page_objects/security_page.ts +++ b/x-pack/test/functional/page_objects/security_page.ts @@ -4,6 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ +import { adminTestUser } from '@kbn/test'; import { FtrProviderContext } from '../ftr_provider_context'; import { AuthenticatedUser, Role } from '../../../plugins/security/common/model'; @@ -122,9 +123,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider await browser.setLocalStorageItem('home:welcome:show', 'false'); await waitForLoginForm(); - const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':'); - await testSubjects.setValue('loginUsername', username || superUsername); - await testSubjects.setValue('loginPassword', password || superPassword); + await testSubjects.setValue('loginUsername', username || adminTestUser.username); + await testSubjects.setValue('loginPassword', password || adminTestUser.password); await testSubjects.click('loginSubmit'); await waitForLoginResult( 
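Review bot: The added entry resolves `../test/security_api_integration/anonymous_es_anonymous.config.ts`, but no file by that name appears among the 10 files in this patch's diffstat; unless it already exists in the tree, `require.resolve` throws at module load and the whole `onlyNotInCoverageTests` list fails to build. Presumably the config predates this patch and is only being enabled here, which is worth confirming before merge. The `onlyNotInCoverageTests` array starts and ends outside the hunk.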
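Review bot: The new `loginUsername`/`loginPassword` lines fall back with `||` (`username || adminTestUser.username`), while the parallel rewrite in the `@@ -162` hunk of this file uses `??` (`options?.username ?? adminTestUser.username`); the two now differ on an empty-string `username`, so pick one operator for both — `??` if an explicitly empty string is meant to reach the form, `||` if it should fall back. Separately, with the `config.get('servers.elasticsearch.auth')` reads gone, the `config` binding from `getService('config')` may be left unreferenced in this file; `oidc_auth.ts` and `pki_auth.ts` in this patch drop that binding, but `security_page.ts`, `tests/anonymous/login.ts`, `tests/kerberos/kerberos_login.ts` and `tests/saml/saml_login.ts` do not, so confirm each still uses it. The enclosing `SecurityPageProvider` function starts and ends outside the hunk.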
@@ -162,9 +162,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider if (providerType === 'basic' || providerType === 'token') { await waitForLoginForm(); - const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':'); - await testSubjects.setValue('loginUsername', options?.username ?? superUsername); - await testSubjects.setValue('loginPassword', options?.password ?? superPassword); + await testSubjects.setValue('loginUsername', options?.username ?? adminTestUser.username); + await testSubjects.setValue('loginPassword', options?.password ?? adminTestUser.password); await testSubjects.click('loginSubmit'); } diff --git a/x-pack/test/security_api_integration/tests/anonymous/login.ts b/x-pack/test/security_api_integration/tests/anonymous/login.ts index eaf999c509741..7698c61d64ae7 100644 --- a/x-pack/test/security_api_integration/tests/anonymous/login.ts +++ b/x-pack/test/security_api_integration/tests/anonymous/login.ts @@ -6,6 +6,7 @@ import expect from '@kbn/expect'; import request, { Cookie } from 'request'; +import { adminTestUser } from '@kbn/test'; import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService }: FtrProviderContext) { @@ -55,7 +56,6 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not prevent basic login', async () => { - const [username, password] = config.get('servers.elasticsearch.auth').split(':'); const response = await supertest .post('/internal/security/login') .set('kbn-xsrf', 'xxx') @@ -63,7 +63,7 @@ export default function ({ getService }: FtrProviderContext) { providerType: 'basic', providerName: 'basic1', currentURL: '/', - params: { username, password }, + params: { username: adminTestUser.username, password: adminTestUser.password }, }) .expect(200); 
@@ -79,7 +79,7 @@ export default function ({ getService }: FtrProviderContext) { .set('Cookie', cookie.cookieString()) .expect(200); - expect(user.username).to.eql(username); + expect(user.username).to.eql(adminTestUser.username); expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic1' }); expect(user.authentication_type).to.eql('realm'); // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud diff --git a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts index 7e2e6647d7234..4a21cbd4b3943 100644 --- a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts +++ b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts @@ -7,6 +7,7 @@ import expect from '@kbn/expect'; import request, { Cookie } from 'request'; import { delay } from 'bluebird'; +import { adminTestUser } from '@kbn/test'; import { FtrProviderContext } from '../../ftr_provider_context'; import { getMutualAuthenticationResponseToken, @@ -54,7 +55,6 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not prevent basic login', async () => { - const [username, password] = config.get('servers.elasticsearch.auth').split(':'); const response = await supertest .post('/internal/security/login') .set('kbn-xsrf', 'xxx') @@ -62,7 +62,7 @@ export default function ({ getService }: FtrProviderContext) { providerType: 'basic', providerName: 'basic', currentURL: '/', - params: { username, password }, + params: { username: adminTestUser.username, password: adminTestUser.password }, }) .expect(200); 
@@ -78,7 +78,7 @@ export default function ({ getService }: FtrProviderContext) { .set('Cookie', cookie.cookieString()) .expect(200); - expect(user.username).to.eql(username); + expect(user.username).to.eql(adminTestUser.username); expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' }); expect(user.authentication_type).to.eql('realm'); // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud diff --git a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts index ff7c211d38de2..efc307399d3f2 100644 --- a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts +++ b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts @@ -8,12 +8,12 @@ import expect from '@kbn/expect'; import request, { Cookie } from 'request'; import url from 'url'; import { delay } from 'bluebird'; +import { adminTestUser } from '@kbn/test'; import { getStateAndNonce } from '../../../fixtures/oidc/oidc_tools'; import { FtrProviderContext } from '../../../ftr_provider_context'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); - const config = getService('config'); describe('OpenID Connect authentication', () => { it('should reject API requests if client is not authenticated', async () => { @@ -21,7 +21,6 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not prevent basic login', async () => { - const [username, password] = config.get('servers.elasticsearch.auth').split(':'); const response = await supertest .post('/internal/security/login') .set('kbn-xsrf', 'xxx') 
@@ -29,7 +28,7 @@ export default function ({ getService }: FtrProviderContext) { providerType: 'basic', providerName: 'basic', currentURL: '/', - params: { username, password }, + params: { username: adminTestUser.username, password: adminTestUser.password }, }) .expect(200); @@ -42,10 +41,10 @@ export default function ({ getService }: FtrProviderContext) { .set('Cookie', request.cookie(cookies[0])!.cookieString()) .expect(200); - expect(user.username).to.eql(username); + expect(user.username).to.eql(adminTestUser.username); expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' }); expect(user.authentication_type).to.be('realm'); - // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud + // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud }); describe('initiating handshake', () => { diff --git a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts index 0d630dab51cf7..4954bcddc2396 100644 --- a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts +++ b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts @@ -10,6 +10,7 @@ import { delay } from 'bluebird'; import { readFileSync } from 'fs'; import { resolve } from 'path'; import { CA_CERT_PATH } from '@kbn/dev-utils'; +import { adminTestUser } from '@kbn/test'; import { FtrProviderContext } from '../../ftr_provider_context'; const CA_CERT = readFileSync(CA_CERT_PATH); @@ -21,7 +22,6 @@ const UNTRUSTED_CLIENT_CERT = readFileSync( export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); - const config = getService('config'); function checkCookieIsSet(cookie: Cookie) { expect(cookie.value).to.not.be.empty(); 
@@ -64,7 +64,6 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not prevent basic login', async () => { - const [username, password] = config.get('servers.elasticsearch.auth').split(':'); const response = await supertest .post('/internal/security/login') .ca(CA_CERT) @@ -74,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) { providerType: 'basic', providerName: 'basic', currentURL: '/', - params: { username, password }, + params: { username: adminTestUser.username, password: adminTestUser.password }, }) .expect(200); @@ -92,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) { .set('Cookie', cookie.cookieString()) .expect(200); - expect(user.username).to.eql(username); + expect(user.username).to.eql(adminTestUser.username); expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' }); // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud }); diff --git a/x-pack/test/security_api_integration/tests/saml/saml_login.ts b/x-pack/test/security_api_integration/tests/saml/saml_login.ts index c76b39a1ea772..d76da2023ddda 100644 --- a/x-pack/test/security_api_integration/tests/saml/saml_login.ts +++ b/x-pack/test/security_api_integration/tests/saml/saml_login.ts @@ -9,6 +9,7 @@ import url from 'url'; import { delay } from 'bluebird'; import expect from '@kbn/expect'; import request, { Cookie } from 'request'; +import { adminTestUser } from '@kbn/test'; import { getLogoutRequest, getSAMLRequestId, @@ -75,7 +76,6 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not prevent basic login', async () => { - const [username, password] = config.get('servers.elasticsearch.auth').split(':'); const response = await supertest .post('/internal/security/login') .set('kbn-xsrf', 'xxx') 
@@ -83,7 +83,7 @@ export default function ({ getService }: FtrProviderContext) { providerType: 'basic', providerName: 'basic', currentURL: '/', - params: { username, password }, + params: { username: adminTestUser.username, password: adminTestUser.password }, }) .expect(200); @@ -96,7 +96,7 @@ export default function ({ getService }: FtrProviderContext) { .set('Cookie', request.cookie(cookies[0])!.cookieString()) .expect(200); - expect(user.username).to.eql(username); + expect(user.username).to.eql(adminTestUser.username); expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' }); expect(user.authentication_type).to.be('realm'); // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud diff --git a/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts b/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts index a5fc0a2134fc0..bd9b66b48be50 100644 --- a/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts +++ b/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts @@ -7,6 +7,7 @@ import request, { Cookie } from 'request'; import { delay } from 'bluebird'; import expect from '@kbn/expect'; +import { adminTestUser } from '@kbn/test'; import type { AuthenticationProvider } from '../../../../plugins/security/common/model'; import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools'; import { FtrProviderContext } from '../../ftr_provider_context'; @@ -17,7 +18,7 @@ export default function ({ getService }: FtrProviderContext) { const config = getService('config'); const log = getService('log'); const randomness = getService('randomness'); - const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':'); + const { username: basicUsername, password: basicPassword } = adminTestUser; const kibanaServerConfig = config.get('servers.kibana'); async function checkSessionCookie( 
diff --git a/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts b/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts index 100fa3f21fe01..7abab0c0b2e15 100644 --- a/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts +++ b/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts @@ -7,6 +7,7 @@ import request, { Cookie } from 'request'; import { delay } from 'bluebird'; import expect from '@kbn/expect'; +import { adminTestUser } from '@kbn/test'; import type { AuthenticationProvider } from '../../../../plugins/security/common/model'; import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools'; import { FtrProviderContext } from '../../ftr_provider_context'; @@ -16,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) { const es = getService('es'); const config = getService('config'); const randomness = getService('randomness'); - const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':'); + const { username: basicUsername, password: basicPassword } = adminTestUser; const kibanaServerConfig = config.get('servers.kibana'); async function checkSessionCookie(