Failing test: X-Pack Security API Integration Tests (Session Idle Timeout).x-pack/test/security_api_integration/tests/session_idle/cleanup·ts - security APIs - Session Idle Session Idle cleanup should properly clean up session expired because of idle timeout

[kibanamachine]

A test failed on a tracked branch

Error: expected 200 "OK", got 401 "Unauthorized"
    at Test._assertStatus (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/lib/test.js:268:12)
    at Test._assertFunction (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/lib/test.js:283:11)
    at Test.assert (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/lib/test.js:173:18)
    at assert (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/lib/test.js:131:12)
    at /opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/lib/test.js:128:5
    at Test.Request.callback (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:718:3)
    at /opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/node_modules/superagent/lib/node/index.js:906:18
    at IncomingMessage.<anonymous> (/opt/local-ssd/buildkite/builds/kb-n2-4-c3b96ff0bbb5ca35/elastic/kibana-hourly/kibana/node_modules/supertest/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at IncomingMessage.emit (node:events:402:35)
    at endReadableNT (node:internal/streams/readable:1343:12)

First failure: CI Build - main

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

Error: expected 200 "OK", got 401 "Unauthorized"

I cannot think of any reason why we'd get error like that in this test. Here is the assertion that fails:

kibana/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts

Lines 86 to 95 in 788db0d

	const response = await supertest
	.post('/internal/security/login')
	.set('kbn-xsrf', 'xxx')
	.send({
	providerType: 'basic',
	providerName: 'basic1',
	currentURL: '/',
	params: { username: basicUsername, password: basicPassword },
	})
	.expect(200);

It's a simple basic login API request with the credentials of the pre-populated admin test user. I'll keep eye on this issue and either dig deeper if it happens again or close it as an intermittent if we don't see failures during next few weeks.

[kibanamachine]

New failure: CI Build - 8.0

[azasypkin]

Investigating the failure...

[azasypkin]

In this test we take the following steps:

1. Log in via '/internal/security/login'
2. Verify that session cookie is valid via '/internal/security/me'
3. Wait until session expires (idle timeout is 5s) and the cleanup job removes it
4. Verify that session is no longer valid via '/internal/security/me'

The test fails on the step 2 likely because sometimes Kibana is too slow on CI and it takes more than 5s between steps 1 and 2.

I'm doubling timeouts in configuration for these tests and will see if it helps: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/37

[kibanamachine]

New failure: CI Build - 8.0

[kibanamachine]

New failure: CI Build - 8.0

[azasypkin]

New failure: CI Build - 8.0

Closing again since 8.0/7.x backports haven't been merged yet due to merge conflicts (CI run pending).

[kibanamachine]

New failure: CI Build - main

[azasypkin]

New failure: CI Build - main

Before the fix, the symptom in all failed builds was Error: expected 200 "OK", got 401 "Unauthorized", now it's different: Error: expected 1 to equal 0. Let's wait and see if it's a transient issue or not. If not, we'll need to make sure that's not related to the recent changes in the cleanup logic in #122419

[kibanamachine]

New failure: CI Build - main

[azasypkin]

сс @thomheymann, just in case you can notice what can be the reason here.

[kibanamachine]

New failure: CI Build - 8.1

[jportner]

New failure: CI Build - 8.1

This is also the "new error":

└-: security APIs - Session Idle
--
  | └-> "before all" hook: beforeTestSuite.trigger in "security APIs - Session Idle"
  | └-: Session Idle cleanup
  | └-> "before all" hook: beforeTestSuite.trigger for "should properly clean up session expired because of idle timeout"
  | └-> should properly clean up session expired because of idle timeout
  | └-> "before each" hook: global before each for "should properly clean up session expired because of idle timeout"
  | └-> "before each" hook for "should properly clean up session expired because of idle timeout"
  | └- ✖ fail: security APIs - Session Idle Session Idle cleanup should properly clean up session expired because of idle timeout
  | │      Error: expected 1 to equal 0
  | │       at Assertion.assert (/opt/local-ssd/buildkite/builds/kb-n2-4-a6f049047d437185/elastic/kibana-hourly/kibana/node_modules/@kbn/expect/expect.js:100:11)
  | │       at Assertion.be.Assertion.equal (/opt/local-ssd/buildkite/builds/kb-n2-4-a6f049047d437185/elastic/kibana-hourly/kibana/node_modules/@kbn/expect/expect.js:227:8)
  | │       at Assertion.be (/opt/local-ssd/buildkite/builds/kb-n2-4-a6f049047d437185/elastic/kibana-hourly/kibana/node_modules/@kbn/expect/expect.js:69:22)
  | │       at Context.<anonymous> (test/security_api_integration/tests/session_idle/cleanup.ts:111:54)
  | │       at runMicrotasks (<anonymous>)
  | │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
  | │       at Object.apply (/opt/local-ssd/buildkite/builds/kb-n2-4-a6f049047d437185/elastic/kibana-hourly/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)

The assertion that's failing is on line 111 below:

kibana/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts

Lines 100 to 111 in 660023b

	const sessionCookie = parseCookie(response.headers['set-cookie'][0])!;
	await checkSessionCookie(sessionCookie, basicUsername, { type: 'basic', name: 'basic1' });
	expect(await getNumberOfSessionDocuments()).to.be(1);
	// Cleanup routine runs every 20s, and idle timeout threshold is three times larger than 10s
	// idle timeout, let's wait for 60s to make sure cleanup routine runs when idle timeout
	// threshold is exceeded.
	log.debug('Waiting for cleanup job to run...');
	await setTimeoutAsync(60000);
	// Session info is removed from the index and cookie isn't valid anymore
	expect(await getNumberOfSessionDocuments()).to.be(0);

I think I know what's causing the test failure. We changed deleteByQuery to use a combination of find + bulk-delete so that we can log audit records for each deleted session document. In the delete step, we intentionally use refresh: false to ensure it's as fast as possible in case we have to delete multiple batches of sessions:

kibana/x-pack/plugins/security/server/session_management/session_index.ts

Lines 460 to 467 in 6627bd8

	const bulkResponse = await this.options.elasticsearchClient.bulk(
	{
	index: this.indexName,
	operations,
	refresh: false,
	},
	{ ignore: [409, 404] }
	);

However, we don't appear to be triggering an index refresh after the whole cleanup process is finished. I believe we intended to add that but it got lost in the mix.

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - main

[jbudz]

/skip

[kibanamachine]

Skipped

main: 3dabc61

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - main

[kibanamachine]

New failure: CI Build - 8.8

[kibanamachine]

New failure: CI Build - 8.8

[jeramysoucy]

Ran another flaky test runner just to be sure, but this looks tied to a series of CI failures on Friday.

[kibanamachine]

New failure: kibana-on-merge - 7.17