elastic · jonathan-buttner · May 11, 2021 · May 4, 2021 · May 5, 2021 · May 5, 2021
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
@@ -37,6 +37,7 @@ const onlyNotInCoverageTests = [
   require.resolve('../test/case_api_integration/security_and_spaces/config_basic.ts'),
   require.resolve('../test/case_api_integration/security_and_spaces/config_trial.ts'),
   require.resolve('../test/case_api_integration/spaces_only/config.ts'),
+  require.resolve('../test/case_api_integration/security_only/config.ts'),
   require.resolve('../test/apm_api_integration/basic/config.ts'),
   require.resolve('../test/apm_api_integration/trial/config.ts'),
   require.resolve('../test/apm_api_integration/rules/config.ts'),

diff --git a/x-pack/test/case_api_integration/common/lib/authentication/index.ts b/x-pack/test/case_api_integration/common/lib/authentication/index.ts
@@ -24,7 +24,15 @@ export const createSpaces = async (getService: CommonFtrProviderContext['getServ
   }
 };
 
-const createUsersAndRoles = async (getService: CommonFtrProviderContext['getService']) => {
+/**
+ * Creates the users and roles for use in the tests. Defaults to specific users and roles used by the security_and_spaces
+ * scenarios but can be passed specific ones as well.
+ */
+export const createUsersAndRoles = async (
+  getService: CommonFtrProviderContext['getService'],
+  usersToCreate: User[] = users,
+  rolesToCreate: Role[] = roles
+) => {
   const security = getService('security');
 
   const createRole = async ({ name, privileges }: Role) => {
@@ -42,11 +50,11 @@ const createUsersAndRoles = async (getService: CommonFtrProviderContext['getServ
     });
   };
 
-  for (const role of roles) {
+  for (const role of rolesToCreate) {
     await createRole(role);
   }
 
-  for (const user of users) {
+  for (const user of usersToCreate) {
     await createUser(user);
   }
 };
@@ -61,18 +69,23 @@ export const deleteSpaces = async (getService: CommonFtrProviderContext['getServ
     }
   }
 };
-const deleteUsersAndRoles = async (getService: CommonFtrProviderContext['getService']) => {
+
+export const deleteUsersAndRoles = async (
+  getService: CommonFtrProviderContext['getService'],
+  usersToDelete: User[] = users,
+  rolesToDelete: Role[] = roles
+) => {
   const security = getService('security');
 
-  for (const user of users) {
+  for (const user of usersToDelete) {
     try {
       await security.user.delete(user.username);
     } catch (error) {
       // ignore errors because if a migration is run it will delete the .kibana index which remove the spaces and users
     }
   }
 
-  for (const role of roles) {
+  for (const role of rolesToDelete) {
     try {
       await security.role.delete(role.name);
     } catch (error) {

diff --git a/x-pack/test/case_api_integration/common/lib/authentication/roles.ts b/x-pack/test/case_api_integration/common/lib/authentication/roles.ts
@@ -150,3 +150,117 @@ export const roles = [
   observabilityOnlyAll,
   observabilityOnlyRead,
 ];
+
+/**
+ * These roles have access to all spaces.
+ */
+
+export const securitySolutionOnlyAllSpacesAll: Role = {
+  name: 'sec_only_all',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          securitySolutionFixture: ['all'],
+          actions: ['all'],
+          actionsSimulators: ['all'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+export const securitySolutionOnlyReadSpacesAll: Role = {
+  name: 'sec_only_read',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          securitySolutionFixture: ['read'],
+          actions: ['read'],
+          actionsSimulators: ['read'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+export const observabilityOnlyAllSpacesAll: Role = {
+  name: 'obs_only_all',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          observabilityFixture: ['all'],
+          actions: ['all'],
+          actionsSimulators: ['all'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+export const observabilityOnlyReadSpacesAll: Role = {
+  name: 'obs_only_read',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          observabilityFixture: ['read'],
+          actions: ['read'],
+          actionsSimulators: ['read'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+/**
+ * These roles are specifically for the security_only tests where the spaces plugin is disabled. Most of the roles (except
+ * for noKibanaPrivileges) have spaces: ['*'] effectively giving it access to the default space since no other spaces
+ * will exist when the spaces plugin is disabled.
+ */
+export const rolesDefaultSpace = [
+  noKibanaPrivileges,
+  globalRead,
+  securitySolutionOnlyAllSpacesAll,
+  securitySolutionOnlyReadSpacesAll,
+  observabilityOnlyAllSpacesAll,
+  observabilityOnlyReadSpacesAll,
+];
diff --git a/x-pack/test/case_api_integration/common/lib/authentication/users.ts b/x-pack/test/case_api_integration/common/lib/authentication/users.ts
@@ -12,6 +12,10 @@ import {
   observabilityOnlyRead,
   globalRead as globalReadRole,
   noKibanaPrivileges as noKibanaPrivilegesRole,
+  securitySolutionOnlyAllSpacesAll,
+  securitySolutionOnlyReadSpacesAll,
+  observabilityOnlyAllSpacesAll,
+  observabilityOnlyReadSpacesAll,
 } from './roles';
 import { User } from './types';
 
@@ -80,3 +84,58 @@ export const users = [
   globalRead,
   noKibanaPrivileges,
 ];
+
+/**
+ * These users will have access to all spaces.
+ */
+
+export const secOnlySpacesAll: User = {
+  username: 'sec_only',
+  password: 'sec_only',
+  roles: [securitySolutionOnlyAllSpacesAll.name],
+};
+
+export const secOnlyReadSpacesAll: User = {
+  username: 'sec_only_read',
+  password: 'sec_only_read',
+  roles: [securitySolutionOnlyReadSpacesAll.name],
+};
+
+export const obsOnlySpacesAll: User = {
+  username: 'obs_only',
+  password: 'obs_only',
+  roles: [observabilityOnlyAllSpacesAll.name],
+};
+
+export const obsOnlyReadSpacesAll: User = {
+  username: 'obs_only_read',
+  password: 'obs_only_read',
+  roles: [observabilityOnlyReadSpacesAll.name],
+};
+
+export const obsSecSpacesAll: User = {
+  username: 'obs_sec',
+  password: 'obs_sec',
+  roles: [securitySolutionOnlyAllSpacesAll.name, observabilityOnlyAllSpacesAll.name],
+};
+
+export const obsSecReadSpacesAll: User = {
+  username: 'obs_sec_read',
+  password: 'obs_sec_read',
+  roles: [securitySolutionOnlyReadSpacesAll.name, observabilityOnlyReadSpacesAll.name],
+};
+
+/**
+ * These users are for the security_only tests because most of them have access to the default space instead of 'space1'
+ */
+export const usersDefaultSpace = [
+  superUser,
+  secOnlySpacesAll,
+  secOnlyReadSpacesAll,
+  obsOnlySpacesAll,
+  obsOnlyReadSpacesAll,
+  obsSecSpacesAll,
+  obsSecReadSpacesAll,
+  globalRead,
+  noKibanaPrivileges,
+];
diff --git a/x-pack/test/case_api_integration/common/lib/utils.ts b/x-pack/test/case_api_integration/common/lib/utils.ts
@@ -546,10 +546,19 @@ export const superUserSpace1Auth = getAuthWithSuperUser();
  * Returns an auth object with the specified space and user set as super user. The result can be passed to other utility
  * functions.
  */
-export function getAuthWithSuperUser(space: string = 'space1'): { user: User; space: string } {
+export function getAuthWithSuperUser(
+  space: string | null = 'space1'
+): { user: User; space: string | null } {
   return { user: superUser, space };
 }
 
+/**
+ * Converts the space into the appropriate string for use by the actions remover utility object.
+ */
+export function getActionsSpace(space: string | null) {
+  return space ?? 'default';
+}
+
 export const getSpaceUrlPrefix = (spaceId: string | undefined | null) => {
   return spaceId && spaceId !== 'default' ? `/s/${spaceId}` : ``;
 };

diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts
@@ -180,7 +180,7 @@ export default ({ getService }: FtrProviderContext): void => {
         );
 
         await deleteCases({
-          supertest,
+          supertest: supertestWithoutAuth,
           caseIDs: [postedCase.id],
           expectedHttpCode: 204,
           auth: { user: secOnly, space: 'space1' },

diff --git a/x-pack/test/case_api_integration/security_only/config.ts b/x-pack/test/case_api_integration/security_only/config.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../common/config';
+
+// eslint-disable-next-line import/no-default-export
+export default createTestConfig('security_only', {
+  disabledPlugins: ['spaces'],
+  license: 'trial',
+  ssl: true,
+  testFiles: [require.resolve('./tests/trial')],
+});