From 8ea2846ae91b35a7d26838f27367302d33d27be3 Mon Sep 17 00:00:00 2001 From: Jeramy Soucy Date: Thu, 10 Oct 2024 13:38:43 +0200 Subject: [PATCH] Removes supertest and superuser from platform security serverless API tests (#194922) Closes #186467 ## Summary Removes remaining usages of `supertest` and `superuser` from platform security serverless API tests. Utilizes admin privileges when testing disabled routes, viewer privileges for all other routes. Uses cookie authentication for internal API calls. ### Tests - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - Flaky test runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7089 --- .../platform_security/authentication.ts | 105 +++++++++--------- .../common/platform_security/authorization.ts | 4 +- 2 files changed, 57 insertions(+), 52 deletions(-)
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts
index 7f31db43a3f00..041c005855d0f 100644
--- a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts
@@ -6,51 +6,58 @@ */ import expect from 'expect'; +import { SupertestWithRoleScopeType } from '@kbn/test-suites-xpack/api_integration/deployment_agnostic/services'; import { FtrProviderContext } from '../../../ftr_provider_context'; -import { RoleCredentials } from '../../../../shared/services'; export default function ({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); - const config = getService('config'); - + const roleScopedSupertest = getService('roleScopedSupertest'); const svlCommonApi = getService('svlCommonApi'); - const svlUserManager = getService('svlUserManager'); - const supertestWithoutAuth = getService('supertestWithoutAuth'); - let roleAuthc: RoleCredentials; + let supertestAdminWithApiKey: SupertestWithRoleScopeType; + let supertestViewerWithApiKey: SupertestWithRoleScopeType; + let supertestViewerWithCookieCredentials: SupertestWithRoleScopeType; + describe('security/authentication', function () { before(async () => { - roleAuthc = await svlUserManager.createM2mApiKeyWithRoleScope('admin'); + supertestAdminWithApiKey = await roleScopedSupertest.getSupertestWithRoleScope('admin'); + supertestViewerWithApiKey = await roleScopedSupertest.getSupertestWithRoleScope('viewer'); + supertestViewerWithCookieCredentials = await roleScopedSupertest.getSupertestWithRoleScope( + 'viewer', + { + useCookieHeader: true, + withCommonHeaders: true, + } + ); }); after(async () => { - await svlUserManager.invalidateM2mApiKeyWithRoleScope(roleAuthc); + await supertestAdminWithApiKey.destroy(); + await supertestViewerWithApiKey.destroy(); + await supertestViewerWithCookieCredentials.destroy(); }); describe('route access', () => { describe('disabled', () => { // ToDo: uncomment when we disable login // it('login', async () => { - // const { body, status } = await supertestWithoutAuth - // .post('/internal/security/login') - // .set(svlCommonApi.getInternalRequestHeader()).set(roleAuthc.apiKeyHeader) + // const { body, status } = await 
supertestAdminWithApiKey + // .post('/internal/security/login'); // svlCommonApi.assertApiNotFound(body, status); // }); it('logout (deprecated)', async () => { - const { body, status } = await supertestWithoutAuth + const { body, status } = await supertestAdminWithApiKey .get('/api/security/v1/logout') - .set(svlCommonApi.getInternalRequestHeader()) - .set(roleAuthc.apiKeyHeader); + .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('get current user (deprecated)', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/internal/security/v1/me') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('acknowledge access agreement', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .post('/internal/security/access_agreement/acknowledge') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); 
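Review bot: The `after` hook awaits the three `destroy()` calls one after another, so if `supertestAdminWithApiKey.destroy()` rejects, the two viewer-scoped clients are never destroyed and, assuming `destroy()` invalidates the role-scoped API key the way the replaced `invalidateM2mApiKeyWithRoleScope` call did, those credentials stay valid after the suite has finished. Starting all three before awaiting keeps the failure visible while still running every cleanup: `await Promise.all([supertestAdminWithApiKey.destroy(), supertestViewerWithApiKey.destroy(), supertestViewerWithCookieCredentials.destroy()]);`. The enclosing `export default function` and the `describe('security/authentication')` block continue past the end of the hunk.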
@@ -58,56 +65,56 @@ export default function ({ getService }: FtrProviderContext) { describe('OIDC', () => { it('OIDC implicit', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/api/security/oidc/implicit') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC implicit (deprecated)', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/api/security/v1/oidc/implicit') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC implicit.js', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/internal/security/oidc/implicit.js') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC callback', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/api/security/oidc/callback') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC callback (deprecated)', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/api/security/v1/oidc') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC login', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .post('/api/security/oidc/initiate_login') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status); }); it('OIDC login (deprecated)', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .post('/api/security/v1/oidc') .set(svlCommonApi.getInternalRequestHeader()); 
svlCommonApi.assertApiNotFound(body, status); }); it('OIDC 3rd party login', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .get('/api/security/oidc/initiate_login') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status);
@@ -115,7 +122,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('SAML callback (deprecated)', async () => { - const { body, status } = await supertest + const { body, status } = await supertestAdminWithApiKey .post('/api/security/v1/saml') .set(svlCommonApi.getInternalRequestHeader()); svlCommonApi.assertApiNotFound(body, status);
@@ -127,9 +134,9 @@ export default function ({ getService }: FtrProviderContext) { let body: any; let status: number; - ({ body, status } = await supertest - .get('/internal/security/me') - .set(svlCommonApi.getCommonRequestHeader())); + ({ body, status } = await supertestViewerWithCookieCredentials.get( + '/internal/security/me' + )); // expect a rejection because we're not using the internal header expect(body).toEqual({ statusCode: 400,
@@ -140,24 +147,22 @@ export default function ({ getService }: FtrProviderContext) { }); expect(status).toBe(400); - ({ body, status } = await supertest + ({ body, status } = await supertestViewerWithCookieCredentials .get('/internal/security/me') .set(svlCommonApi.getInternalRequestHeader())); // expect success because we're using the internal header - expect(body).toEqual({ - authentication_provider: { name: '__http__', type: 'http' }, - authentication_realm: { name: 'file1', type: 'file' }, - authentication_type: 'realm', - elastic_cloud_user: false, - email: null, - enabled: true, - full_name: null, - lookup_realm: { name: 'file1', type: 'file' }, - metadata: {}, - operator: true, - roles: ['superuser'], - username: config.get('servers.kibana.username'), - }); + expect(body).toEqual( + expect.objectContaining({ + authentication_provider: { name: 'cloud-saml-kibana', type: 'saml' }, + authentication_type: 'token', + authentication_realm: { + name: 'cloud-saml-kibana', + type: 'saml', + }, + enabled: true, + full_name: 'test viewer', + }) + ); expect(status).toBe(200); });
@@ -166,9 +171,9 @@ export default function ({ getService }: FtrProviderContext) { let body: any; let status: number; - ({ body, status } = await supertest - .post('/internal/security/login') - .set(svlCommonApi.getCommonRequestHeader())); + ({ body, status } = await supertestViewerWithCookieCredentials.post( + '/internal/security/login' + )); // expect a rejection because we're not using the internal header expect(body).toEqual({ statusCode: 400,
@@ -179,7 +184,7 @@ export default function ({ getService }: FtrProviderContext) { }); expect(status).toBe(400); - ({ body, status } = await supertest + ({ body, status } = await supertestViewerWithCookieCredentials .post('/internal/security/login') .set(svlCommonApi.getInternalRequestHeader())); expect(status).not.toBe(404);
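Review bot: The new `/internal/security/me` assertion moves from an exact `toEqual` to `expect.objectContaining` and no longer checks `roles`, `operator` or `username`, so a viewer cookie session that was unexpectedly granted extra roles or operator privileges would still pass this test. Since this is the one place the suite verifies what the viewer session actually resolves to, keep at least `roles` and `operator` in the matcher, e.g. `roles: ['<expected viewer role>'], operator: <expected value>,` with the values taken from the viewer user definition used by `roleScopedSupertest`. The `it` callback and the enclosing `describe` continue outside the hunk.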
@@ -188,12 +193,12 @@ export default function ({ getService }: FtrProviderContext) { describe('public', () => { it('logout', async () => { - const { status } = await supertest.get('/api/security/logout'); + const { status } = await supertestViewerWithApiKey.get('/api/security/logout'); expect(status).toBe(302); }); it('SAML callback', async () => { - const { body, status } = await supertest + const { body, status } = await supertestViewerWithApiKey .post('/api/security/saml/callback') .set(svlCommonApi.getCommonRequestHeader()) .send({
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
index bc01b14848eff..bd706132d4874 100644
--- a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
@@ -75,7 +75,7 @@ export default function ({ getService }: FtrProviderContext) { it('get role', async () => { const { body, status } = await supertestAdminWithApiKey.get( - '/api/security/role/superuser' + '/api/security/role/someRole' // mame of the role doesn't matter, we're checking the endpoint doesn't exist ); svlCommonApi.assertApiNotFound(body, status); });
@@ -87,7 +87,7 @@ export default function ({ getService }: FtrProviderContext) { it('delete role', async () => { const { body, status } = await supertestAdminWithApiKey.delete( - '/api/security/role/superuser' + '/api/security/role/someRole' // mame of the role doesn't matter, we're checking the endpoint doesn't exist ); svlCommonApi.assertApiNotFound(body, status); });
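Review bot: The trailing comment on the new `'/api/security/role/someRole'` line in both authorization.ts hunks (`@@ -75` and `@@ -87`) misspells "name" as "mame", and the same sentence is repeated verbatim in each test. Hoisting the path into one documented constant above the two tests removes the duplication and the typo at once: `// Name of the role doesn't matter; we're checking that the endpoint doesn't exist` followed by `const disabledRolePath = '/api/security/role/someRole';`, with both calls then using `disabledRolePath`. The `describe` block holding these tests starts and ends outside the hunks.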