[7.x] FTR configurable test users (elastic#52431) (elastic#60428)

* FTR configurable test users (elastic#52431) * initial implementation of configurable test users * user superuser by default to match master * referenced the configs in reporting and api integration * setting the minimum number of default roles * looking for x-pack tests with users and roles * add testUserService in dashboard mode tests * running only ciGroup7 * uncommenting - addign visualization * re-enabling all CI groups to run on CI * reinstating Jenkinsfile * disable Test user for OIDC config * improved logging and added Roles for OSS tests to get better info on the runs. * disable test_user for auth tests * don't fetch enabledPlugins when testuser disabled * fix es-lint * running oss tests with x-pack enabled * [revertme] build default dist for oss tests * updating NOTICE.txt file as it complained in the kibana intake tests * changed to pick OSS builds * trying a license change to trial * switch back to xpack builds * created a new sample data role and used it in homepage tests * revert test/scripts/jenkins_ci_group.sh * only refresh browser and wait for chrome if we are already on Kibana page * fix large_string test to use minimum set of roles and privileges * fix for date nanos custom timestamp with a configured role * changes to the files with addition of new roles for the test_user * reverting to OSS changes and few additions to the time_zone test to run as a test_user * changes to security * changes to the x-pack test to use elastic superuser * fix for chart_types test * fixes to area chart , input control test * fix for dashboard filtering test and a new config role * changes to handle the x-pack tests * additional role for date nanos mixed * added the logstash role to the accessibility tests * removed telemetry setting * docs+few changes to the tests * removed Page navigation * removed pageNavigation which was unused * test/accessibility/apps/management.ts * update management.ts * aria label, and other changes * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * accidentally checked in a piped file with results. * reverted * unloading of logstash data, fixing aria label * aria-label * added the required role * fix for tsvb chart * fix for sample data test reverted home_page pageobject file * changes to sample data test and visualize index file to incorporate OSS changes * changes to describe() and some more changes to incorporate in settings_page * re-adding the after() * removed unwanted roles * replaced kibana_user with kibana_admin * added the check of deprecated kibana_user * testing with kibana_admin role * fix for discover test * incorporated the review comments * incorporated the review comments * incorporate review comments and added restoreDefaults() * removed describe.only * reverted the OSS logic change I had here- pulled into seperate PR * incorporated the review comments * incorporated review changes * adding hidden=true to find hidden kibanaChrome * change field.test.tsx to be same as that of master branch Co-authored-by: spalger <[email protected]> Co-authored-by: Elastic Machine <[email protected]> * removed the accidentally added file Co-authored-by: spalger <[email protected]> Co-authored-by: Elastic Machine <[email protected]>
lcawl · Mar 18, 2020 · d7bb13a · d7bb13a
1 parent 48df13e
commit d7bb13a
Show file tree

Hide file tree

Showing 36 changed files with 426 additions and 32 deletions.
diff --git a/docs/developer/core/development-functional-tests.asciidoc b/docs/developer/core/development-functional-tests.asciidoc
@@ -177,6 +177,25 @@ To run tests on Firefox locally, use `config.firefox.js`:
 node scripts/functional_test_runner --config test/functional/config.firefox.js
 -----------
 
+[float]
+===== Using the test_user service
+
+Tests should run at the positive security boundry condition, meaning that they should be run with the mimimum privileges required (and documented) and not as the superuser.
+ This prevents the type of regression where additional privleges accidentally become required to perform the same action. 
+
+The functional UI tests now default to logging in with a user named `test_user` and the roles of this user can be changed dynamically without logging in and out.  
+
+In order to achieve this a new service was introduced called `createTestUserService` (see `test/common/services/security/test_user.ts`). The purpose of this test user service is to create roles defined in the test config files and setRoles() or restoreDefaults().
+
+An example of how to set the role like how its defined below:
+
+`await security.testUser.setRoles(['kibana_user', 'kibana_date_nanos']);`
+
+Here we are setting the `test_user` to have the `kibana_user` role and also role access to a specific data index (`kibana_date_nanos`).
+
+Tests should normally setRoles() in the before() and restoreDefaults() in the after().
+
+
 [float]
 ===== Anatomy of a test file
 

diff --git a/packages/kbn-test/src/functional_test_runner/lib/config/schema.ts b/packages/kbn-test/src/functional_test_runner/lib/config/schema.ts
@@ -255,5 +255,20 @@ export const schema = Joi.object()
         fixedHeaderHeight: Joi.number().default(50),
       })
       .default(),
+
+    // settings for the security service if there is no defaultRole defined, then default to superuser role.
+    security: Joi.object()
+      .keys({
+        roles: Joi.object().default(),
+        defaultRoles: Joi.array()
+          .items(Joi.string())
+          .when('$primary', {
+            is: true,
+            then: Joi.array().min(1),
+          })
+          .default(['superuser']),
+        disableTestUser: Joi.boolean(),
+      })
+      .default(),
   })
   .default();
diff --git a/test/common/services/security/role.ts b/test/common/services/security/role.ts
@@ -43,7 +43,6 @@ export class Role {
         `Expected status code of 204, received ${status} ${statusText}: ${util.inspect(data)}`
       );
     }
-    this.log.debug(`created role ${name}`);
   }
 
   public async delete(name: string) {
@@ -56,6 +55,5 @@ export class Role {
         )}`
       );
     }
-    this.log.debug(`deleted role ${name}`);
   }
 }
diff --git a/test/common/services/security/security.ts b/test/common/services/security/security.ts
@@ -23,15 +23,21 @@ import { Role } from './role';
 import { User } from './user';
 import { RoleMappings } from './role_mappings';
 import { FtrProviderContext } from '../../ftr_provider_context';
+import { createTestUserService } from './test_user';
 
-export function SecurityServiceProvider({ getService }: FtrProviderContext) {
+export async function SecurityServiceProvider(context: FtrProviderContext) {
+  const { getService } = context;
   const log = getService('log');
   const config = getService('config');
   const url = formatUrl(config.get('servers.kibana'));
+  const role = new Role(url, log);
+  const user = new User(url, log);
+  const testUser = await createTestUserService(role, user, context);
 
   return new (class SecurityService {
-    role = new Role(url, log);
     roleMappings = new RoleMappings(url, log);
-    user = new User(url, log);
+    testUser = testUser;
+    role = role;
+    user = user;
   })();
 }
diff --git a/test/common/services/security/test_user.ts b/test/common/services/security/test_user.ts
@@ -0,0 +1,92 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { Role } from './role';
+import { User } from './user';
+import { FtrProviderContext } from '../../ftr_provider_context';
+import { Browser } from '../../../functional/services/browser';
+import { TestSubjects } from '../../../functional/services/test_subjects';
+
+export async function createTestUserService(
+  role: Role,
+  user: User,
+  { getService, hasService }: FtrProviderContext
+) {
+  const log = getService('log');
+  const config = getService('config');
+  // @ts-ignore browser service is not normally available in common.
+  const browser: Browser | void = hasService('browser') && getService('browser');
+  const testSubjects: TestSubjects | void =
+    // @ts-ignore testSubject service is not normally available in common.
+    hasService('testSubjects') && getService('testSubjects');
+  const kibanaServer = getService('kibanaServer');
+
+  const enabledPlugins = config.get('security.disableTestUser')
+    ? []
+    : await kibanaServer.plugins.getEnabledIds();
+  const isEnabled = () => {
+    return enabledPlugins.includes('security') && !config.get('security.disableTestUser');
+  };
+  if (isEnabled()) {
+    log.debug('===============creating roles and users===============');
+    for (const [name, definition] of Object.entries(config.get('security.roles'))) {
+      // create the defined roles (need to map array to create roles)
+      await role.create(name, definition);
+    }
+    try {
+      // delete the test_user if present (will it error if the user doesn't exist?)
+      await user.delete('test_user');
+    } catch (exception) {
+      log.debug('no test user to delete');
+    }
+
+    // create test_user with username and pwd
+    log.debug(`default roles = ${config.get('security.defaultRoles')}`);
+    await user.create('test_user', {
+      password: 'changeme',
+      roles: config.get('security.defaultRoles'),
+      full_name: 'test user',
+    });
+  }
+
+  return new (class TestUser {
+    async restoreDefaults() {
+      if (isEnabled()) {
+        await this.setRoles(config.get('security.defaultRoles'));
+      }
+    }
+
+    async setRoles(roles: string[]) {
+      if (isEnabled()) {
+        log.debug(`set roles = ${roles}`);
+        await user.create('test_user', {
+          password: 'changeme',
+          roles,
+          full_name: 'test user',
+        });
+
+        if (browser && testSubjects) {
+          if (await testSubjects.exists('kibanaChrome', { allowHidden: true })) {
+            await browser.refresh();
+            await testSubjects.find('kibanaChrome', config.get('timeouts.find') * 10);
+          }
+        }
+      }
+    }
+  })();
+}
diff --git a/test/functional/apps/context/_date_nanos.js b/test/functional/apps/context/_date_nanos.js
@@ -26,11 +26,13 @@ const TEST_STEP_SIZE = 3;
 export default function({ getService, getPageObjects }) {
   const kibanaServer = getService('kibanaServer');
   const docTable = getService('docTable');
+  const security = getService('security');
   const PageObjects = getPageObjects(['common', 'context', 'timePicker', 'discover']);
   const esArchiver = getService('esArchiver');
 
   describe('context view for date_nanos', () => {
     before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos']);
       await esArchiver.loadIfNeeded('date_nanos');
       await kibanaServer.uiSettings.replace({ defaultIndex: TEST_INDEX_PATTERN });
       await kibanaServer.uiSettings.update({
@@ -39,8 +41,9 @@ export default function({ getService, getPageObjects }) {
       });
     });
 
-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos');
+    after(async function unloadMakelogs() {
+      await security.testUser.restoreDefaults();
+      await esArchiver.unload('date_nanos');
     });
 
     it('displays predessors - anchor - successors in right order ', async function() {

diff --git a/test/functional/apps/dashboard/dashboard_filtering.js b/test/functional/apps/dashboard/dashboard_filtering.js
@@ -33,6 +33,7 @@ export default function({ getService, getPageObjects }) {
   const filterBar = getService('filterBar');
   const esArchiver = getService('esArchiver');
   const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
   const dashboardPanelActions = getService('dashboardPanelActions');
   const PageObjects = getPageObjects(['common', 'dashboard', 'header', 'visualize', 'timePicker']);
 
@@ -41,6 +42,7 @@ export default function({ getService, getPageObjects }) {
 
     before(async () => {
       await esArchiver.load('dashboard/current/kibana');
+      await security.testUser.setRoles(['kibana_admin', 'test_logstash_reader', 'animals']);
       await kibanaServer.uiSettings.replace({
         defaultIndex: '0bf35f60-3dc9-11e8-8660-4d65aa086b3c',
       });
@@ -49,6 +51,10 @@ export default function({ getService, getPageObjects }) {
       await PageObjects.dashboard.gotoDashboardLandingPage();
     });
 
+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
     describe('adding a filter that excludes all data', () => {
       before(async () => {
         await PageObjects.dashboard.clickNewDashboard();

diff --git a/test/functional/apps/dashboard/index.js b/test/functional/apps/dashboard/index.js
@@ -23,6 +23,7 @@ export default function({ getService, loadTestFile }) {
 
   async function loadCurrentData() {
     await browser.setWindowSize(1300, 900);
+    await esArchiver.unload('logstash_functional');
     await esArchiver.loadIfNeeded('dashboard/current/data');
   }
 

diff --git a/test/functional/apps/dashboard/time_zones.js b/test/functional/apps/dashboard/time_zones.js
@@ -22,7 +22,6 @@ import expect from '@kbn/expect';
 
 export default function({ getService, getPageObjects }) {
   const pieChart = getService('pieChart');
-  const browser = getService('browser');
   const esArchiver = getService('esArchiver');
   const kibanaServer = getService('kibanaServer');
   const PageObjects = getPageObjects(['dashboard', 'timePicker', 'settings', 'common']);
@@ -48,7 +47,6 @@ export default function({ getService, getPageObjects }) {
 
     after(async () => {
       await kibanaServer.uiSettings.replace({ 'dateFormat:tz': 'UTC' });
-      await browser.refresh();
     });
 
     it('Exported dashboard adjusts EST time to UTC', async () => {

diff --git a/test/functional/apps/discover/_date_nanos.js b/test/functional/apps/discover/_date_nanos.js
@@ -23,19 +23,22 @@ export default function({ getService, getPageObjects }) {
   const esArchiver = getService('esArchiver');
   const PageObjects = getPageObjects(['common', 'timePicker', 'discover']);
   const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
   const fromTime = 'Sep 22, 2019 @ 20:31:44.000';
   const toTime = 'Sep 23, 2019 @ 03:31:44.000';
 
   describe('date_nanos', function() {
     before(async function() {
       await esArchiver.loadIfNeeded('date_nanos');
       await kibanaServer.uiSettings.replace({ defaultIndex: 'date-nanos' });
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos']);
       await PageObjects.common.navigateToApp('discover');
       await PageObjects.timePicker.setAbsoluteRange(fromTime, toTime);
     });
 
-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos');
+    after(async function unloadMakelogs() {
+      await security.testUser.restoreDefaults();
+      await esArchiver.unload('date_nanos');
     });
 
     it('should show a timestamp with nanoseconds in the first result row', async function() {

diff --git a/test/functional/apps/discover/_date_nanos_mixed.js b/test/functional/apps/discover/_date_nanos_mixed.js
@@ -23,19 +23,22 @@ export default function({ getService, getPageObjects }) {
   const esArchiver = getService('esArchiver');
   const PageObjects = getPageObjects(['common', 'timePicker', 'discover']);
   const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
   const fromTime = 'Jan 1, 2019 @ 00:00:00.000';
   const toTime = 'Jan 1, 2019 @ 23:59:59.999';
 
   describe('date_nanos_mixed', function() {
     before(async function() {
       await esArchiver.loadIfNeeded('date_nanos_mixed');
       await kibanaServer.uiSettings.replace({ defaultIndex: 'timestamp-*' });
+      await security.testUser.setRoles(['kibana_admin', 'kibana_date_nanos_mixed']);
       await PageObjects.common.navigateToApp('discover');
       await PageObjects.timePicker.setAbsoluteRange(fromTime, toTime);
     });
 
-    after(function unloadMakelogs() {
-      return esArchiver.unload('date_nanos_mixed');
+    after(async () => {
+      await security.testUser.restoreDefaults();
+      esArchiver.unload('date_nanos_mixed');
     });
 
     it('shows a list of records of indices with date & date_nanos fields in the right order', async function() {

diff --git a/test/functional/apps/discover/_discover_histogram.js b/test/functional/apps/discover/_discover_histogram.js
@@ -25,6 +25,7 @@ export default function({ getService, getPageObjects }) {
   const browser = getService('browser');
   const elasticChart = getService('elasticChart');
   const kibanaServer = getService('kibanaServer');
+  const security = getService('security');
   const PageObjects = getPageObjects(['settings', 'common', 'discover', 'header', 'timePicker']);
   const defaultSettings = {
     defaultIndex: 'long-window-logstash-*',
@@ -35,6 +36,11 @@ export default function({ getService, getPageObjects }) {
     before(async function() {
       log.debug('load kibana index with default index pattern');
       await PageObjects.common.navigateToApp('home');
+      await security.testUser.setRoles([
+        'kibana_admin',
+        'test_logstash_reader',
+        'long_window_logstash',
+      ]);
       await esArchiver.loadIfNeeded('logstash_functional');
       await esArchiver.load('long_window_logstash');
       await esArchiver.load('visualize');
@@ -56,6 +62,7 @@ export default function({ getService, getPageObjects }) {
       await esArchiver.unload('long_window_logstash');
       await esArchiver.unload('visualize');
       await esArchiver.unload('discover');
+      await security.testUser.restoreDefaults();
     });
 
     it('should visualize monthly data with different day intervals', async () => {

diff --git a/test/functional/apps/discover/_large_string.js b/test/functional/apps/discover/_large_string.js
@@ -25,10 +25,12 @@ export default function({ getService, getPageObjects }) {
   const retry = getService('retry');
   const kibanaServer = getService('kibanaServer');
   const queryBar = getService('queryBar');
+  const security = getService('security');
   const PageObjects = getPageObjects(['common', 'home', 'settings', 'discover']);
 
   describe('test large strings', function() {
     before(async function() {
+      await security.testUser.setRoles(['kibana_admin', 'kibana_large_strings']);
       await esArchiver.load('empty_kibana');
       await esArchiver.loadIfNeeded('hamlet');
       await kibanaServer.uiSettings.replace({ defaultIndex: 'testlargestring' });
@@ -77,6 +79,7 @@ export default function({ getService, getPageObjects }) {
     });
 
     after(async () => {
+      await security.testUser.restoreDefaults();
       await esArchiver.unload('hamlet');
     });
   });

diff --git a/test/functional/apps/getting_started/_shakespeare.js b/test/functional/apps/getting_started/_shakespeare.js
@@ -23,6 +23,7 @@ export default function({ getService, getPageObjects }) {
   const log = getService('log');
   const esArchiver = getService('esArchiver');
   const retry = getService('retry');
+  const security = getService('security');
   const PageObjects = getPageObjects([
     'console',
     'common',
@@ -46,11 +47,16 @@ export default function({ getService, getPageObjects }) {
         'Load empty_kibana and Shakespeare Getting Started data\n' +
           'https://www.elastic.co/guide/en/kibana/current/tutorial-load-dataset.html'
       );
+      await security.testUser.setRoles(['kibana_admin', 'test_shakespeare_reader']);
       await esArchiver.load('empty_kibana', { skipExisting: true });
       log.debug('Load shakespeare data');
       await esArchiver.loadIfNeeded('getting_started/shakespeare');
     });
 
+    after(async () => {
+      await security.testUser.restoreDefaults();
+    });
+
     it('should create shakespeare index pattern', async function() {
       log.debug('Create shakespeare index pattern');
       await PageObjects.settings.createIndexPattern('shakes', null);