-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Cypress] SAML for Serverless login and role testing #172655
Changes from all commits
8fda395
75001bc
4183b4d
8097ab8
f6005f6
4786b98
649094b
9eaaa29
19c88d5
191ad94
498e8b9
3b488d4
5215f31
32d9b04
5a6cca0
fa83e7c
618ad00
4dd7911
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -61,7 +61,7 @@ const DEFAULT_CONFIGURATION: Readonly<ProductType[]> = [ | |
|
||
const DEFAULT_REGION = 'aws-eu-west-1'; | ||
const PROJECT_NAME_PREFIX = 'kibana-cypress-security-solution-ephemeral'; | ||
const BASE_ENV_URL = 'https://global.qa.cld.elstc.co'; | ||
const BASE_ENV_URL = 'https://console.qa.cld.elstc.co'; | ||
let log: ToolingLog; | ||
const API_HEADERS = Object.freeze({ | ||
'kbn-xsrf': 'cypress-creds', | ||
|
@@ -571,6 +571,7 @@ ${JSON.stringify(cypressConfigFile, null, 2)} | |
KIBANA_PASSWORD: credentials.password, | ||
|
||
CLOUD_SERVERLESS: true, | ||
IS_SERVERLESS: true, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Cant we use only one of these two flags in lines 573 and 574? If this is not a big rework. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These flags represent two different things.
|
||
}; | ||
|
||
if (process.env.DEBUG && !process.env.CI) { | ||
|
@@ -582,6 +583,7 @@ ${JSON.stringify(cypressConfigFile, null, 2)} | |
---------------------------------------------- | ||
`); | ||
} | ||
process.env.TEST_CLOUD_HOST_NAME = new URL(BASE_ENV_URL).hostname; | ||
|
||
if (isOpen) { | ||
await cypress.open({ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -304,8 +304,51 @@ Store the saved key on `~/.elastic/cloud.json` using the following format: | |
} | ||
``` | ||
|
||
#### Known limitations | ||
- Currently RBAC cannot be tested. | ||
Store the email and password of the account you used to login in the QA Environment at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format: | ||
|
||
```json | ||
{ | ||
"admin": { | ||
"email": "<email>", | ||
"password": "<password>" | ||
} | ||
} | ||
``` | ||
|
||
#### Testing with different roles | ||
|
||
If you want to execute a test using Cypress on visual mode with MKI, you need to make sure you have the user created in your organization, and add it tot he `.ftr/role_users.json`: | ||
|
||
```json | ||
{ | ||
"admin": { | ||
"email": "<email>", | ||
"password": "<password>" | ||
}, | ||
"<roleName>": { | ||
"email": "<email>", | ||
"password": "<password>" | ||
} | ||
} | ||
``` | ||
|
||
As role names please use: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. should list of these role match ROLES enum? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is something I want to double check with @maximpn when he is back. The listed roles are the ones available on serverless and are the ones we can retrieve cookies from so I've the feeling we might be missing roles on that enum. |
||
- admin | ||
- detections_admin | ||
- editor | ||
- endpoint_operations_analyst | ||
- endpoint_policy_manager | ||
- none | ||
- platform_engineer | ||
- rule_author | ||
- soc_manager | ||
- t1_analyst | ||
- t2_analyst | ||
- t3_analyst | ||
- threat_intelligence_analyst | ||
- viewer | ||
|
||
The above should be the same used on the automation. | ||
|
||
#### PLIs | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { ToolingLog } from '@kbn/tooling-log'; | ||
|
||
import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; | ||
import { HostOptions, SamlSessionManager } from '@kbn/test'; | ||
|
||
export const samlAuthentication = async ( | ||
on: Cypress.PluginEvents, | ||
config: Cypress.PluginConfigOptions | ||
): Promise<void> => { | ||
const log = new ToolingLog({ level: 'verbose', writeTo: process.stdout }); | ||
|
||
const kbnHost = config.env.KIBANA_URL || config.env.BASE_URL; | ||
|
||
const kbnUrl = new URL(kbnHost); | ||
|
||
const hostOptions: HostOptions = { | ||
protocol: kbnUrl.protocol as 'http' | 'https', | ||
hostname: kbnUrl.hostname, | ||
port: parseInt(kbnUrl.port, 10), | ||
username: config.env.ELASTICSEARCH_USERNAME, | ||
password: config.env.ELASTICSEARCH_PASSWORD, | ||
}; | ||
|
||
on('task', { | ||
getSessionCookie: async (role: string | SecurityRoleName): Promise<string> => { | ||
const sessionManager = new SamlSessionManager({ | ||
hostOptions, | ||
log, | ||
isCloud: config.env.CLOUD_SERVERLESS, | ||
}); | ||
return sessionManager.getSessionCookieForRole(role); | ||
}, | ||
}); | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We recently implemented a change where we're accessing
vault
through a variable path. I think for this to be future-proof to some degree, we should also care for that branching in here. However, the utility function that we use cannot be parameterized with extra args in its current state.If this is urgent, we can go with this.
If you have some time to chisel the edges, I'll follow up with the details, so you can add it to this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dkirchan can you please take a look at @delanni comment and estimate how long is going to take to make the changes? Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@delanni as discussed private, lets unblock this PR and I will add these changes as part of my PR that I am preparing: #173005