[Security Solutions] Fixes and unskips tests (#94391) (#94623)

## Summary

Fixes and unskips tests. Also makes the tests less picky. Although I enjoy seeing the changes on ES promotions of error messages in case we see something really bad happening, it's too manual of a process to fix and puts too much of a burden on operations to skip the error messages. 

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Frank Hassanabad <[email protected]>

x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts

@@ -21,8 +21,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const supertestWithoutAuth = getService('supertestWithoutAuth');
 
-  // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/94367
-  describe.skip('create_index', () => {
+  describe('create_index', () => {
     afterEach(async () => {
       await deleteSignalsIndex(supertest);
     });
@@ -90,11 +89,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [t1_analyst], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as not being outdated', async () => {
@@ -140,11 +136,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [t2_analyst], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as not being outdated', async () => {
@@ -240,11 +233,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [soc_manager], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as not being outdated', async () => {
@@ -290,11 +280,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [hunter], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as not being outdated', async () => {
@@ -390,11 +377,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [reader], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as being outdated.', async () => {
@@ -440,11 +424,8 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(role, 'changeme')
           .send()
           .expect(403);
-        expect(body).to.eql({
-          message:
-            'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [rule_author], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]',
-          status_code: 403,
-        });
+        expect(body.message).to.match(/^security_exception/);
+        expect(body.status_code).to.eql(403);
       });
 
       it('should be able to read the index name and status as being outdated.', async () => {

x-pack/test/detection_engine_api_integration/security_and_spaces/tests/delete_signals_migrations.ts

@@ -35,8 +35,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const supertestWithoutAuth = getService('supertestWithoutAuth');
 
-  // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/94367
-  describe.skip('deleting signals migrations', () => {
+  describe('deleting signals migrations', () => {
     let outdatedSignalsIndexName: string;
     let createdMigration: CreateResponse;
     let finalizedMigration: FinalizeResponse;
@@ -129,11 +128,8 @@ export default ({ getService }: FtrProviderContext): void => {
       const deletedMigration = body.migrations[0];
 
       expect(deletedMigration.id).to.eql(createdMigration.migration_id);
-      expect(deletedMigration.error).to.eql({
-        message:
-          'security_exception: action [indices:admin/settings/update] is unauthorized for user [t1_analyst] on indices [], this action is granted by the index privileges [manage,all]',
-        status_code: 403,
-      });
+      expect(deletedMigration.error.message).to.match(/^security_exception/);
+      expect(deletedMigration.error.status_code).to.eql(403);
     });
   });
 };

x-pack/test/detection_engine_api_integration/security_and_spaces/tests/finalize_signals_migrations.ts

@@ -47,8 +47,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const supertestWithoutAuth = getService('supertestWithoutAuth');
 
-  // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/94367
-  describe.skip('Finalizing signals migrations', () => {
+  describe('Finalizing signals migrations', () => {
     let legacySignalsIndexName: string;
     let outdatedSignalsIndexName: string;
     let createdMigrations: CreateResponse[];
@@ -245,16 +244,14 @@ export default ({ getService }: FtrProviderContext): void => {
         .auth(ROLES.t1_analyst, 'changeme')
         .expect(200);
 
-      const finalizeResponse: FinalizeResponse = body.migrations[0];
+      const finalizeResponse: FinalizeResponse & {
+        error: { message: string; status_code: number };
+      } = body.migrations[0];
 
       expect(finalizeResponse.id).to.eql(createdMigration.migration_id);
       expect(finalizeResponse.completed).not.to.eql(true);
-      expect(finalizeResponse.error).to.eql({
-        message:
-          'security_exception: action [cluster:monitor/task/get] is unauthorized for user [t1_analyst], this action is granted by the cluster privileges [monitor,manage,all]',
-        status_code: 403,
-      });
-
+      expect(finalizeResponse.error.message).to.match(/^security_exception/);
+      expect(finalizeResponse.error.status_code).to.eql(403);
       await deleteUserAndRole(getService, ROLES.t1_analyst);
     });
   });