Prepare the Security domain HTTP APIs for Serverless #162087

Merged
Changes from 1 commit
71 commits
f7ba619
Disables spaces public APIs in serverless
jeramysoucy Jul 17, 2023
5203a0b
Updates tests and snapshots
jeramysoucy Jul 17, 2023
08146f0
Fixes more tests
jeramysoucy Jul 18, 2023
c10abc7
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 19, 2023
dc727cd
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 20, 2023
70f06f7
Uses build flavor to determine correct API access. Adds tests for int…
jeramysoucy Jul 24, 2023
8b0c93d
Fixes unit tests for access-configurable endpoints.
jeramysoucy Jul 24, 2023
7a346b6
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 24, 2023
04f1c92
Reformatting
jeramysoucy Jul 24, 2023
6c53a54
Update to rely on default access in serverless.
jeramysoucy Jul 25, 2023
4f20016
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jul 25, 2023
a44549d
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 25, 2023
8f20ee0
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 26, 2023
994654c
Disables security and encrypted saved objects APIs for serverless
jeramysoucy Jul 26, 2023
aa8c78e
Adds authentication API access tests
jeramysoucy Jul 27, 2023
e4f60db
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 27, 2023
131a771
Adds API access tests for security and encrypted SOs
jeramysoucy Jul 27, 2023
e3bb1be
Merge remote-tracking branch 'upstream/main' into disable-spaces-publ…
jeramysoucy Jul 27, 2023
8bb3ca2
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Jul 28, 2023
074c0cc
Removes unnecessary comments
jeramysoucy Aug 1, 2023
2997135
Merge remote-tracking branch 'upstream/main' into disable-spaces-publ…
jeramysoucy Aug 1, 2023
78da626
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 1, 2023
ee8a12c
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 2, 2023
a366b54
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 4, 2023
6cb21ba
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 4, 2023
252cd72
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 7, 2023
d0b2364
Update x-pack/test_serverless/api_integration/services/svl_common_api.ts
jeramysoucy Aug 7, 2023
452ad5a
Addresses initial review feedback
jeramysoucy Aug 7, 2023
d1c3bdf
Additional comments for build flavor conditions
jeramysoucy Aug 7, 2023
a63d67b
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 7, 2023
14c00ae
Update x-pack/plugins/security/server/routes/authentication/common.ts
jeramysoucy Aug 8, 2023
9f0606d
Update x-pack/plugins/security/server/routes/authentication/common.ts
jeramysoucy Aug 8, 2023
ecb595c
Update x-pack/plugins/spaces/server/routes/api/external/index.ts
jeramysoucy Aug 8, 2023
4682542
Additional comment updates
jeramysoucy Aug 8, 2023
182273f
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 8, 2023
e7eec38
Temporarily resolves failing test issues by registering the login en…
jeramysoucy Aug 8, 2023
0e43706
Adds basic authc http scheme to test config.
jeramysoucy Aug 8, 2023
5e54975
Fixes api key failing tests
jeramysoucy Aug 8, 2023
f69ff2f
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 8, 2023
8018d63
Temporarily allows access to login and role APIs. Skips user profiles…
jeramysoucy Aug 8, 2023
cf5dae0
Reverts temporary enabling of role APIs
jeramysoucy Aug 9, 2023
100ced7
Adds the basic authc provider to the base config temporarily.
jeramysoucy Aug 9, 2023
b94cc86
Removes override of HTTP schemes
jeramysoucy Aug 9, 2023
0e291c6
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 14, 2023
3608f85
Enables user and roles APIs to temporarily unblock cypress and UI tests
jeramysoucy Aug 15, 2023
b81b484
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Aug 15, 2023
3478460
Updates serverless authc config to be compatible with existing tests.
jeramysoucy Aug 15, 2023
24e21f4
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Aug 15, 2023
95b2f12
Uses existing user for user profile tests
jeramysoucy Aug 15, 2023
1edb353
Uses test user for user profile tests rather than admin user
jeramysoucy Aug 15, 2023
727b393
Enables login page routes.
jeramysoucy Aug 16, 2023
6ece943
Merge branch 'main' into disable-spaces-public-api-in-serverless
jeramysoucy Aug 16, 2023
761f23b
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Aug 16, 2023
f0fbfdf
Adds saml tools for saml login.
jeramysoucy Aug 16, 2023
65c23e4
Added ftr context for shared
jeramysoucy Aug 16, 2023
3c24c33
Update import order
jeramysoucy Aug 16, 2023
0d22303
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Aug 16, 2023
5c535d6
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Aug 16, 2023
a979e58
Moves saml tools to api integration
jeramysoucy Aug 16, 2023
051cf71
Removes reference to getSAMLResponse
jeramysoucy Aug 16, 2023
4ca4924
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Aug 16, 2023
305aa70
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Aug 16, 2023
ba78385
Moves saml tools back into shared.
jeramysoucy Aug 17, 2023
d2ee490
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Aug 17, 2023
c552a53
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Aug 17, 2023
084e495
Merge branch 'main' into pr-162087-apis
azasypkin Aug 21, 2023
d0292f8
Merge branch 'main' into pr-162087-apis
azasypkin Aug 22, 2023
e8b0bef
Merge branch 'main' into pr-162087-apis
azasypkin Aug 22, 2023
5e953fa
Review#1: fix typos, disable Spaces Update API, make cookie an intern…
azasypkin Aug 22, 2023
573a552
Review#1: move Saml Tools service to API integrations services as it …
azasypkin Aug 22, 2023
710ca09
Merge branch 'main' into disable-spaces-public-api-in-serverless
azasypkin Aug 22, 2023
Enables user and roles APIs to temporarily unblock cypress and UI tests
jeramysoucy committed Aug 15, 2023


This commit was signed with the committer’s verified signature.
jeramysoucy Jeramy Soucy
commit 3608f85d4c0977f098c017544c40eeadc519810b
@@ -14,12 +14,13 @@ import type { RouteDefinitionParams } from '..';
export function defineAuthorizationRoutes(params: RouteDefinitionParams) {
// The reset session endpoint is registered with httpResources and should remain public in serverless
resetSessionPageRoutes(params);
defineRolesRoutes(params); // Temporarily allow role APIs (ToDo: move to non-serverless block below)

// In the serverless environment, roles, privileges, and permissions are managed internally and only
// exposed to users and administrators via control plane UI, eliminating the need for any public HTTP APIs.
if (params.buildFlavor !== 'serverless') {
definePrivilegesRoutes(params);
defineRolesRoutes(params);
// defineRolesRoutes(params);
defineShareSavedObjectPermissionRoutes(params);
}
}
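Review bot: `defineRolesRoutes(params)` is now called unconditionally on the line `defineRolesRoutes(params); // Temporarily allow role APIs ...`, so the role HTTP APIs are registered in the serverless build flavor even though the comment directly beneath states that roles and privileges are managed internally there and need no public HTTP API. Because the original call inside the `buildFlavor !== 'serverless'` block is kept as `// defineRolesRoutes(params);`, the temporary state is recorded only in a ToDo comment; reference a tracking issue in that comment and delete the commented-out call instead of keeping both copies.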
3 changes: 2 additions & 1 deletion x-pack/plugins/security/server/routes/index.ts
@@ -65,6 +65,7 @@ export function defineRoutes(params: RouteDefinitionParams) {
defineAuthorizationRoutes(params);
defineSessionManagementRoutes(params);
defineUserProfileRoutes(params);
defineUsersRoutes(params); // Temporarily allow user APIs (ToDo: move to non-serverless block below)
defineViewRoutes(params);

// In the serverless environment...
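Review bot: `defineUsersRoutes(params); // Temporarily allow user APIs ...` registers the user management HTTP APIs unconditionally, re-exposing in serverless the routes this PR otherwise disables, and the ToDo comment is the only record that this is temporary. Link a tracking issue in the comment so the revert is not lost once the blocked Cypress and UI tests are fixed.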
@@ -74,6 +75,6 @@ export function defineRoutes(params: RouteDefinitionParams) {
defineIndicesRoutes(params); // the ES privileges form used to help define roles (only consumer) is disabled, so there is no need for these HTTP APIs
defineRoleMappingRoutes(params); // role mappings are managed internally, based on configurations in control plane, these HTTP APIs are not needed
defineSecurityCheckupGetStateRoutes(params); // security checkup is not applicable, these HTTP APIs are not needed
defineUsersRoutes(params); // the native realm is not enabled (there is only Elastic cloud SAML), no user HTTP API routes are needed
// defineUsersRoutes(params); // the native realm is not enabled (there is only Elastic cloud SAML), no user HTTP API routes are needed
}
}
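Review bot: the removed registration is left behind as the commented-out line `// defineUsersRoutes(params); // the native realm is not enabled ...` rather than deleted; version control already preserves it, and a stale commented call next to an active one will confuse readers once the ToDo above is resolved. Delete the line and keep a single ToDo with an issue reference.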
@@ -15,13 +15,13 @@ export default function ({ getService }: FtrProviderContext) {
describe('security/authentication', function () {
describe('route access', () => {
describe('disabled', () => {
// We are temporarily allowing the login API for testing purposes
it.skip('login', async () => {
const { body, status } = await supertest
.post('/internal/security/login')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
});
// ToDo: uncommment when we disable login
// it('login', async () => {
// const { body, status } = await supertest
// .post('/internal/security/login')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

it('logout (deprecated)', async () => {
const { body, status } = await supertest
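Review bot: replacing `it.skip('login', ...)` with a fully commented-out test hides the pending case from test reports and from type checking and lint; `it.skip` with the existing `// We are temporarily allowing the login API for testing purposes` comment already expressed that the case is temporarily disabled while keeping it compiling. Prefer reverting to `it.skip` and moving the ToDo into that comment.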
@@ -147,6 +147,14 @@ export default function ({ getService }: FtrProviderContext) {
});
expect(status).toBe(200);
});

// ToDo: remove when we disable login
it('login', async () => {
const { status } = await supertest
.post('/internal/security/login')
.set(svlCommonApi.getInternalRequestHeader());
expect(status).not.toBe(404);
});
});

describe('public', () => {
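Review bot: the new `login` test asserts only `expect(status).not.toBe(404);`, which passes for any error response, including a misregistered route that returns 500. Assert the specific status this request produces so the test proves the route is registered and behaving, and group it under a describe whose name records the temporary state so the revert noted in `// ToDo: remove when we disable login` is easy to find.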
@@ -29,41 +29,73 @@ export default function ({ getService }: FtrProviderContext) {
svlCommonApi.assertApiNotFound(body, status);
});

it('create/update role', async () => {
// ToDo: Uncomment when we disable role APIs
// it('create/update role', async () => {
// const { body, status } = await supertest
// .put('/api/security/role/test')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('get role', async () => {
// const { body, status } = await supertest
// .get('/api/security/role/superuser')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('get all roles', async () => {
// const { body, status } = await supertest
// .get('/api/security/role')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('delete role', async () => {
// const { body, status } = await supertest
// .delete('/api/security/role/superuser')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

it('get shared saved object permissions', async () => {
const { body, status } = await supertest
.put('/api/security/role/test')
.get('/internal/security/_share_saved_object_permissions')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
});
});

// ToDo: remove when we disable role APIs
describe('internal', () => {
it('create/update role', async () => {
const { status } = await supertest
.put('/api/security/role/test')
.set(svlCommonApi.getInternalRequestHeader());
expect(status).not.toBe(404);
});

it('get role', async () => {
const { body, status } = await supertest
const { status } = await supertest
.get('/api/security/role/superuser')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('get all roles', async () => {
const { body, status } = await supertest
const { status } = await supertest
.get('/api/security/role')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('delete role', async () => {
const { body, status } = await supertest
const { status } = await supertest
.delete('/api/security/role/superuser')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
});

it('get shared saved object permissions', async () => {
const { body, status } = await supertest
.get('/internal/security/_share_saved_object_permissions')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});
});
})

describe('public', () => {
it('reset session page', async () => {
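Review bot: in the new `describe('internal', ...)` block the `delete role` test changes its destructuring to `const { status } = await supertest` but the line that follows is still `svlCommonApi.assertApiNotFound(body, status);` with no `expect(status).not.toBe(404);` added, so the test either references an undeclared `body` (a type error) or, if that assertion line was removed, ends without any assertion; the other three tests in the block were converted fully. The closing `})` before `describe('public', () => {` also lacks the semicolon every other closer has, so run the formatter and confirm the describe nesting. The forty lines of commented-out `disabled` cases would be better kept as `it.skip` so they remain type-checked and visible as pending.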
@@ -12,32 +12,35 @@ export default function ({ getService }: FtrProviderContext) {
const svlCommonApi = getService('svlCommonApi');
const supertest = getService('supertest');

describe('security/user_profiles', function () {
describe.skip('security/user_profiles', function () {
describe('route access', () => {
describe.skip('internal', () => {
describe('internal', () => {
it('update', async () => {
const { status } = await supertest
const { body, status } = await supertest
.post(`/internal/security/user_profile/_data`)
.set(svlCommonApi.getInternalRequestHeader())
.send({ key: 'value' });
// Status should be 401, unauthorized
// expect(body).toEqual({});
expect(status).not.toBe(404);
});

it('get current', async () => {
const { status } = await supertest
const { body, status } = await supertest
.get(`/internal/security/user_profile`)
.set(svlCommonApi.getInternalRequestHeader());
// Status should be 401, unauthorized
// expect(body).toEqual({});
expect(status).not.toBe(404);
});

it('bulk get', async () => {
const { status } = await supertest
const { body, status } = await supertest
.get(`/internal/security/user_profile`)
.set(svlCommonApi.getInternalRequestHeader())
.send({ uids: ['12345678'] });
// Status should be 401, unauthorized
// expect(body).toEqual({});
expect(status).not.toBe(404);
});
});
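Review bot: `describe.skip('security/user_profiles', function () {` skips the whole suite while the inner `describe.skip('internal', () => {` is un-skipped at the same time, so none of these cases run; if only the status assertions are the problem, skip the individual `it` cases instead. Inside the tests, `body` is destructured again but used only in the commented-out `// expect(body).toEqual({});`, which will fail the unused-variable lint, and the comment `// Status should be 401, unauthorized` contradicts the `expect(status).not.toBe(404);` beneath it. Either assert the 401 or drop the misleading comment.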
@@ -5,6 +5,7 @@
* 2.0.
*/

import expect from 'expect';
import { FtrProviderContext } from '../../../ftr_provider_context';

export default function ({ getService }: FtrProviderContext) {
@@ -13,61 +14,119 @@ export default function ({ getService }: FtrProviderContext) {

describe('security/users', function () {
describe('route access', () => {
describe('disabled', () => {
// ToDo: uncomment when we disable user APIs
//describe('disabled', () => {
// it('get', async () => {
// const { body, status } = await supertest
// .get('/internal/security/users/elastic')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('get all', async () => {
// const { body, status } = await supertest
// .get('/internal/security/users')
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('create/update', async () => {
// const { body, status } = await supertest
// .post(`/internal/security/users/some_testuser`)
// .set(svlCommonApi.getInternalRequestHeader())
// .send({ username: 'some_testuser', password: 'testpassword', roles: [] });
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('delete', async () => {
// const { body, status } = await supertest
// .delete(`/internal/security/users/elastic`)
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('disable', async () => {
// const { body, status } = await supertest
// .post(`/internal/security/users/elastic/_disable`)
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('enable', async () => {
// const { body, status } = await supertest
// .post(`/internal/security/users/elastic/_enable`)
// .set(svlCommonApi.getInternalRequestHeader());
// svlCommonApi.assertApiNotFound(body, status);
// });

// it('set password', async () => {
// const { body, status } = await supertest
// .post(`/internal/security/users/{username}/password`)
// .set(svlCommonApi.getInternalRequestHeader())
// .send({
// password: 'old_pw',
// newPassword: 'new_pw',
// });
// svlCommonApi.assertApiNotFound(body, status);
// });
//});

// ToDo: remove when we disable user APIs
describe('internal', () => {
it('get', async () => {
const { body, status } = await supertest
.get('/internal/security/users/elastic')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('get all', async () => {
const { body, status } = await supertest
const { status } = await supertest
.get('/internal/security/users')
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('create/update', async () => {
const { body, status } = await supertest
const { status } = await supertest
.post(`/internal/security/users/some_testuser`)
.set(svlCommonApi.getInternalRequestHeader())
.send({ username: 'some_testuser', password: 'testpassword', roles: [] });
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('delete', async () => {
const { body, status } = await supertest
const { status } = await supertest
.delete(`/internal/security/users/elastic`)
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('disable', async () => {
const { body, status } = await supertest
const { status } = await supertest
.post(`/internal/security/users/elastic/_disable`)
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('enable', async () => {
const { body, status } = await supertest
const { status } = await supertest
.post(`/internal/security/users/elastic/_enable`)
.set(svlCommonApi.getInternalRequestHeader());
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});

it('set password', async () => {
const { body, status } = await supertest
const { status } = await supertest
.post(`/internal/security/users/{username}/password`)
.set(svlCommonApi.getInternalRequestHeader())
.send({
password: 'old_pw',
newPassword: 'new_pw',
});
svlCommonApi.assertApiNotFound(body, status);
expect(status).not.toBe(404);
});
});
})
});
});
}
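Review bot: the `get` test in the new `describe('internal', () => {` block keeps `const { body, status } = await supertest` while its assertion becomes `expect(status).not.toBe(404);`, leaving `body` unused; the remaining six cases were correctly changed to `const { status }`. The `})` closer that follows the block's `});` is inconsistent with the formatter's `});` style and suggests the describe nesting should be rechecked. Rather than commenting out the entire `disabled` block (`//describe('disabled', () => {` through `//});`), use `describe.skip` so the pending tests stay compiled and reported.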
29 changes: 19 additions & 10 deletions x-pack/test_serverless/shared/config.base.ts
@@ -63,23 +63,32 @@ export default async () => {
// This ensures that we register the Security SAML API endpoints.
// In the real world the SAML config is injected by control plane.
// basic: { 'cloud-basic': { order: 0 } },
// anonymous: {
// anonymous1: {
// order: 1,
// credentials: {
// username: 'anonymous_service_account',
// password: 'anonymous_service_account_password',
// },
// },
// },
'--xpack.cloud.id=ftr_fake_cloud_id',
`--xpack.security.authc.providers=${JSON.stringify({
basic: { 'cloud-basic': { order: 0 } },
saml: { 'cloud-saml-kibana': { order: 1, realm: 'cloud-saml-kibana' } },
})}`,
// This ensures we can attempt to access the disabled anonymous routes without getting a 401
// This ensures we can attempt to access the disabled routes without getting a 401
// `--xpack.security.authc.http.schemes=${JSON.stringify(['ApiKey', 'Basic', 'Bearer'])}`,
'--xpack.encryptedSavedObjects.encryptionKey="wuGNaIhoMpk5sO4UBxgr3NyW1sFcLgIf"',

// //// LOGGERS
// '--logging.appenders.file.type=file',
// `--logging.appenders.file.fileName=/users/jeramysoucy/GitHub/kibana-1/logs/kibana.log`,
// '--logging.appenders.file.layout.type=json',

// `--logging.loggers=${JSON.stringify([
// {
// name: 'plugins.security',
// level: 'debug',
// appenders: ['file'],
// },
// {
// name: 'http.server.response',
// level: 'all',
// appenders: ['file'],
// },
// ])}`,
],
},
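Review bot: the commented-out `// //// LOGGERS` block hard-codes a developer-local path, `/users/jeramysoucy/GitHub/kibana-1/logs/kibana.log`, and together with the commented-out `anonymous` provider and `http.schemes` override it is local debugging residue that should not land in the shared base config; delete these before merge. Separately, adding `basic: { 'cloud-basic': { order: 0 } }` ahead of the SAML provider means the serverless API tests authenticate through a provider the comment above says is not part of the real deployment (the SAML config is injected by the control plane), so mark it as test-only in a comment and track its removal alongside the ToDos in the route files.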